How “Secure by Design” Mobile IoT Networks are Protecting the IoT

As the Internet of Things becomes an increasingly common part of our daily lives, attention will naturally turn ever more frequently to the security of IoT solutions. The question for many will be how the many exciting capabilities made possible by the IoT can be enjoyed without opening up a whole raft of security liabilities – and many will understandably think first of selecting the most secure devices. In many cases, however, developers of IoT solutions should be thinking first of how they are connecting those devices and where the security of the connectivity itself can be maximised.

This is where Mobile IoT, the family of technologies encompassing LTE-M and NB-IoT, comes into its own.  Mobile IoT networks are secure by design – unlike some alternative forms of connectivity, including unlicensed spectrum solutions, they are carefully managed and safeguarded by the mobile operators. Under the terms of the licenses issued to operators by regulators, Mobile IoT networks use dedicated spectrum bands, meaning interference from other radio technologies is minimised. Mobile networks are also often classed as critical national infrastructure which brings additional regulatory oversight.  As a result, mobile operators can offer secure communication channels, ensuring encryption of user data. Where data is traversing a less secure environment such as the Internet, operators can implement secure connections using virtual private networks (VPNs), or access point names (APNs) dedicated to a specific customer to keep their data isolated from other traffic.

For most IoT solutions, however, the connected device only needs to communicate with specific servers – a smart meter for instance will generally only need to report readings to a central hub, and occasionally download an update from a different server. It therefore makes sense to limit communication to just those servers, in case security of the hardware is compromised, using a whitelist or equivalent. This managed communications approach is used by Vodafone: “it is very effective because all customer traffic is totally logically separated from other traffic,” explains Martin Bell, IoT Technologist at Vodafone Global Enterprise. “We never have any chance of one customer seeing another customer’s traffic. It’s like a private network – it is completely isolated, at almost no cost to the customer.”

Vodafone also enables customers to use traffic management tools to set thresholds that will trigger alerts – by setting their own business rules, the customer can help Vodafone distinguish expected traffic patterns from suspicious traffic patterns. “[…]we might see a customer generating an awful lot of traffic to a small set of devices, which could suggest they have been compromised and being used in a DDOS attack, whereas in actual fact, they are doing firmware updates as part of a scheduled campaign.” Intelligent security solutions that leverage insight from both the customer and mobile operator enable smart connectivity solutions that are flexible enough to enable a raft of IoT services whilst at the same time safeguarding these services with security policies that prevent malicious activities.

Another security innovation of the Mobile IoT era is ‘Data over NAS’, or DoNAS. Where traditionally data has been transmitted through networks via a mechanism known as ‘IP over User Plane’, a mode well suited to transporting larger quantities of data, the much smaller amounts of data transmission typically required by Mobile IoT solutions rendered this inefficient in many cases. The mobile industry’s solution to this has been to devise DoNAS, an approach which allows networks to transport user data within signalling messages, meaning it is encrypted and its integrity protected using the same measures used for network signalling, ensuring the same high levels of security. This is achieved alongside the efficiency gains enabled by reducing the signalling overhead needed to enable sleeping devices to transition from idle to connected mode and send data, which improves the efficiency of both transmission volumes and battery lives. Combined with a private APN, this provides an end-to-end security solution.

Deutsche Telekom provides its NB-IoT customers with DoNAS by default. Mona Parsa, Product Manager for New Access Technologies at Deutsche Telekom, explains that “we are providing integrity protection by default – whereas with alternative technologies, it needs to be done in the application layer.” In fact, Deutsche Telekom stresses the security advantages of NB-IoT across its marketing materials, seminars and workshops: “To our customers, we emphasise the security features which are a clear differentiator between our services and those operating in unlicensed spectrum – NB-IoT uses longer encryption keys and secure key management and storage, which increases the security level.”

The immense and diverse nature of the IoT means, of course, that the risk of tampering or interference with connected devices can never be eliminated entirely. But as usage of Mobile IoT grows, security of the IoT as a whole will improve by default, with fewer openings made available to cybercriminals by virtue of the connectivity used. Indeed, cellular networks of any kind are inherently secure where compared to alternatives, due to the use of SIM technology, which uses highly secure integrated circuits to authenticate the devices accessing the networks associated with them.

Additionally, mobile operators are hard at work devising new ways to limit the potential for malign use of connected devices. Non-IP Data Delivery (or NIDD), for example, allows IoT services to bypass the use of Internet protocols entirely by transmitting data to IoT devices without the allocation of an IP address, meaning even the theoretical points of attack are brought down to an absolute minimum.

If you’d like to know about the ways the mobile industry is keeping its customers safe in this hyper-connected age – with intelligent security measures implemented via their LTE-M and NB-IoT networks into every device they connect – please click here to download the Mobile IoT Security Report.