The ubiquity of the Internet of Things and the countless billions of connected devices across the globe raises the possibility of an increase in hacking and security breaches. If insecure devices are allowed to proliferate in the market we run the risk of damaging consumer confidence in IoT services limiting its potential to grow and deliver compelling new services.
To be secure, the GSMA IoT Security Guidelines and ETSI Technical Specification 103 645 state that IoT devices must securely store their private cryptographic keys, cryptographic algorithms and identities based on a secure hardware ‘Root of Trust’. An IoT service provider therefore faces a potentially daunting task of trying to secure millions of devices each with their own unique security credentials, which can be cost and resource intensive. These credentials need to be provisioned (on a production line or in-field) before the IoT devices can be used and then, after deployment, they often need to be updated over the air, for example when devices change ownership or there is a change in service provider.
There are several proprietary hardware-based Root of Trust solutions for the IoT market today that attempt to address these challenges, but this creates the issue of market fragmentation. Many secure element manufacturers have their own proprietary solutions which are all distinctly different, making it difficult for IoT service providers and device vendors to scale their services and forcing them to adapt for different secure element solutions and proprietary provisioning processes.
The mobile industry has a critical role to play in ensuring security within IoT devices. All cellular based IoT devices use a SIM (or embedded SIM) which is a secure element based on open industry standards which are extremely difficult to hack or clone. SIMs also come with a standards-based ecosystem enabling remote over-the-air provisioning and management making the SIM perfectly suited to act as a Root of Trust for IoT services. To that end, the GSMA and its partners have defined a new capability for the SIM called “IoT SAFE” (IoT SIM Applet For Secure End-2-End Communication) which adds new IoT security services to the SIM. These new services enable an end-to-end security layer between an IoT device and the cloud using standard internet protocols – ensuring mutual authentication between device and server and the secure encryption of data.
“SIMs are already deployed to ensure trusted connectivity across the IoT ecosystem,” comments Remy Cricco, Chairman of the SIMalliance Board. “SIMalliance’s partnership with GSMA on IoT SAFE enables all ecosystem players to leverage the advanced features of the SIM and supporting infrastructure to deliver enhanced security at scale, increasing flexibility and maximising investments.”
By defining a common interface for these new SIM IoT security services, the mobile industry removes the issue of market fragmentation by enabling device manufacturers and service providers to use a common API across all SIM suppliers – meaning the solution is scalable and easy to use.
“It has become imperative that we work towards a common set of open industry standards where connectivity and security become synonymous,” says Alfred Baghouzian, Vice President, Emerging Mobile Technologies and Solutions at TELUS. “Over the last 25 years, the mobile industry has consistently demonstrated the value of having an open standards-based approach, which ultimately resulted in reducing fragmentation and ensuring a healthy and diverse Secure-by-Design IoT device ecosystem. TELUS is committed to working towards a standards-based approach to SIM as IoT Root of Trust based on the GSMA IoT SAFE solution.”
By working collaboratively, the mobile industry can ensure the security of IoT services giving users the confidence that their products and services are secure.