Cathal McDaid, security consultant at AdaptiveMobile, discusses the security threats surrounding the M2M space.
Eurocomms.com: Why should operators be concerned about security threats to the M2M space currently?
Cathal McDaid: Currently, the majority of mobile networks are equipped with security protocols that have been specifically developed and refined to handle and protect human subscribers from threats generated by other human participants.
As threats have grown more complex and concentrated, so too have the standards of protection to counter them.
However, M2M is the exception. With tens of millions of low-cost, potentially unsecured devices added to the network, the level of threat has risen significantly.
As M2M develops, the threat becomes aggregated, presenting not only a bigger selection of access points for anyone with malicious intent, but also a magnified threat.
In 2011 alone we saw the rise of attacks ranging from the remote unlocking and starting of a car to the reverse engineering of a Zoombak GPS tracking device.
The main problem is that the mobile industry has typically not been treating M2M security as having separate requirements.
With the latest projection of 2.1 billion M2M devices by 2021, operators need to build in specific security now, addressing the unique characteristics of M2M devices, and not try to back-fit security at a later date.
In addition, our research shows that whilst awareness of M2M is high, so too is fear over security.
Ten percent of UK residents are already using M2M technology with 54 percent expecting their phone to talk to, unlock and start their car by 2015.
However, 86 percent showed concern for privacy and crime.
Specifically, what are the top security concerns affecting M2M communications?
Currently, both aggressive market growth and the diverse range of technology at play means it is difficult to accurately predict the level of risk that M2M presents.
However, there are four key security concerns that need to be considered:
1. M2M connections can go unchecked
The beauty of M2M is that it automates the sharing of data that would previously have needed human intervention. However, at the same time this autonomy presents a large security threat of its own.
Because M2M enabled devices can be left to function without human input, they can also be prime targets for malicious content and with no one monitoring performance, threats can go undetected for periods of time.
2. M2M devices don’t behave the same as human-controlled ones
When thinking about data transmitted via network operators, it can be all too easy to assume that every device doing so is acting the same as human-controlled mobile devices, and has the same short lifespan.
While it can be relatively easy to replace or treat compromised mobile phones, asking users to return them by post or to a store, the remote location and inherent inaccessibility of some M2M devices means that the cost of investigating and repairing on a case-by-case basis is likely to be much higher.
In addition, M2M devices are designed to have a much longer lifespan than human controlled phones, meaning that the “upgrade mentality” cannot be applied, and so preventive security must be applied from the start.
3. Less sophisticated devices need greater protection
The latest smartphones and tablets come with complex, high-end operating systems that can be protected and reinforced against even the most advanced mobile security threats.
Unfortunately, the same cannot be said of all of the devices that will be connected to the M2M-enabled the Internet of Things.
Without hard drives and with any processing power often devoted solely to performing the operation it was designed for, the limited nature of many M2M devices means there is less ability to embed security software.
4. Overall the risk is more profound
M2M doesn’t just present a more widespread threat to deal with - it also presents one that is greater in terms of both severity and repercussions for networks and their customers alike.
While an attack that affects human subscribers may be unpleasant for a network operator to deal with, the potential consequences of a similar attack on critical healthcare or utility grade equipment stretch far wider than personal details.
What do operators need to do to ensure their networks remain protected?
It is clear that the threat from M2M communication is only going to increase.
Operators need to work with dedicated security providers that can integrate with their existing network platforms and provide protection that bridges the gap between legacy human-to-human standards of protection and those required for M2M.
Applying a one-size-fits-all approach does not work within M2M, and so requires a security platform that can be configured to each individual service’s requirements by the M2M service provider.
Any standard of network protection within M2M should include threat prevention techniques such as malware detection, traffic analysis and identity controls, providing operators with the ability to protect the network platform as a whole.
European Communications is hosting a free-to-attend M2M seminar in London featuring a keynote by Vodafone. Click here to learn more