Mobile security

M2M Creates Major New Security Challenge

The Internet of Things is being touted as the ultimate in convenience but it also could be the ultimate in loss of privacy and security, and even lead to a more dangerous world.

Picture, for a moment, a connected car with remote start features being turned off remotely by an unauthorized individual, or a clever burglar accessing home sensor information to determine the best time to break in.

The reality of those scenarios has enterprises planning M2M apps with integrated security features from day one, something that hasn't always happened previously in the development of apps and services, says Johan Sys, managing principal, Identity & Access Management, at Verizon Enterprise Solutions, which today unveiled a cloud-based security program aimed at the M2M market. (See Verizon Intros Cloud-Based Security for M2M.)

Due in large part to regulatory compliance issues around M2M, enterprises looking to smart meters, home monitoring services, and connected cars for their future services are taking into account the myriad possibilities for potential monetary damage, loss-of-privacy and general mayhem that can ensue when so many things get networked and thus become vulnerable, he says.

That doesn't mean these enterprises are willing to invest heavily up front in hardware and software to bake in the security they know they need, however, and thus Verizon's approach to securing M2M is a cloud-based Managed Certificate Services offer that lets enterprises pay as they go for the ability to authenticate the objects and machines they are connecting.

"We are looking at anything that gets Internet connectivity -- everything needs to be authenticated because you don't want to be able to introduce a spoofed device" that can connect into the M2M network, Sys says.

Traditionally, this authentication was handled with what are called PKI (public key infrastructure) processes, but those require substantial hardware and software with significant upfront costs. What Verizon has done is create a managed cloud-based service that can authenticate devices to the same degree as PKI solutions but in a scalable manner that does not come with a massive expense upfront.

There are different ways of enabling this approach, depending on the application. For example, to prevent piracy of connected set-top boxes or intrusion into smart meters, the public-private key combination can be baked in via software during the manufacturing process or it can be part of the installation process of the client device in the home. There are also software protections that can be added later to devices.

What is important, adds Sys, is that every part of the M2M value chain be protected, including protection of the networks and devices themselves, the securing of both physical and logical access credentials, protection of the communications among devices, and securing of the applications themselves and of the portals used for access.

The integrity of data received from the devices must be guaranteed and things such as firmware upgrades must also be authenticated to ensure no malware is introduced, he says.

There are country-specific regulatory guidelines that Verizon is addressing in its Managed Certificate Service as well. Organizations such as the National Institute of Standards and Technology (NIST) in the US are already creating rules by which M2M must play.

That is ultimately a good thing, Sys says, because many of the efforts to layer on security after the fact prove less thorough.

Heavy Reading Senior Analyst Patrick Donegan will be discussing more ways to gain insight into mobile security and prevent malicious attacks at the upcoming Mobile Network Security Strategies (see below).

— Carol Wilson, Editor-at-Large, Light Reading

Interested in learning more on this topic? Then come to Mobile Network Security Strategies, a Light Reading Live event that takes place on December 5, 2013 at the Westin Times Square Hotel in New York City.

Sarah Thomas 11/20/2013 | 1:23:10 PM
Re: Network security Ah yes, that's probably true, but they ought to.
Carol Wilson 11/20/2013 | 1:12:21 PM
Re: Network security As you might have deduced from the conversation below, I wonder if consumers think about security at all until something goes wrong.
Sarah Thomas 11/20/2013 | 1:10:42 PM
Re: Network security That's good, and a good route for a quad-play operator to take. I was just thinking of consumers' perceptions. They might prefer to connect over broadband or perceive LTE as more secure than WiFi. If they're working just through Verizon, it may matter less.
Carol Wilson 11/20/2013 | 1:06:37 PM
Re: Network security As I understand it, the cloud-based solution that Verizon is talking about isn't dependent on what network is connecting the device to the Internet. If it has a connection, it is supposed to get a digital certificate.
Sarah Thomas 11/20/2013 | 1:01:34 PM
Network security I wonder how these security issues will play into the network debate. Especially for in-home M2M, there are solutions being pitched that rely on LTE, WiFi, Bluetooth, broadband, and many different protocols. Security, or just perceived security, will influence what network wins out.
Carol Wilson 11/20/2013 | 11:42:25 AM
Re: Big Bang I would agree that publicly demonstrating the vulnerability of M2M systems is a public service -- assuming of course that the demonstration itself has a benign impact. 

As for people willingly opting in, if you are only sold the benefits and then offered bland reassurances about the security, most folks don't know to be afraid, be very afraid.
mendyk 11/20/2013 | 8:53:15 AM
Re: Big Bang One disturbing part of all this is it will be almost impossible for individuals to opt out of the M2M ecosystem. Maybe more disturbing is the fact that many people are willingly and whole-heartedly opting in. Organizations like Anonymous are doing a public service by showing how vulnerable all these systems are. My opinion, of course.
Carol Wilson 11/19/2013 | 7:34:49 PM
Re: Big Bang I think that's why there is already attention being paid by regulators and others. The stakes are really high when you start talking about being able to hack into home automation, telemedicine and connected car apps and services. 
mendyk 11/19/2013 | 3:41:15 PM
Big Bang M2M opens up an enormous wealth of opportunity for hackers. Let the games begin.