
Mole in the Machine? Unique Security Challenges of M2M Connectivity


Unlike cellular phones or tablets, M2M devices are unattended, making them more vulnerable to attack.
originate from M2M devices: Most of them aren’t built with the power to perform advanced encryption. By nature, M2M devices are designed to be cheap and produced in large volumes; one security researcher I spoke with for the March issue of Pipeline said the security in most current devices is weak and easy to crack.

It is critical that volatile data, including authentication tokens, login procedures and session data, is encrypted and erased following a session. To prevent attackers from accessing and modifying EPROMs, or from sidejacking to view and exploit data transmitted between a device and the network, devices should have some type of intrusion detection system that works even in sleep mode, as well as an emergency policy control that removes the device from the authenticated network.

Luckily, there are several hardware solutions on the market. Gemalto has created a version of the SIM card specifically for M2M devices called the MIM, or machine identity module. Another option is the use of a coprocessor or modular hardware device to manage encryption and authentication, like Amphion devices from the Ei3 Corporation.

Network and gateway security

Devices in the M2M ecosystem can control mission-critical systems like power and public safety, so the network and gateway considerations are greater. Going beyond the traditional peer-to-peer connectivity of the Internet, secure connections to and from an M2M device are essential.

“We lock the solution down with a VPN [virtual private network] and an APN [access point name] into the carrier network,” explains John Horn. This is a good model for any operator interested in the growing M2M space; when you consider the applications of M2M, from retail sales enablement to portable healthcare monitoring devices, a secure VPN + APN connection is the best option.

Application security

Porting applications from the cellular or Wi-Fi environment to the M2M ecosystem is a quick way to play, but it’s also unwise. For all of the reasons we’ve already covered, M2M has a unique set of security issues. Applications in the M2M ecosystem must be written with M2M security needs in mind, and platform providers should audit their third-party developers to ensure there are no doors left open.

Opportunities for CSPs

CSPs stand at an advantageous spot on the M2M landscape because they have a proven ability to build and maintain secure networks. As Frederic Vanoosthuyze of MTS pointed out, “All mobile operators built a high level of security into their networks in order to achieve high levels of reliability.” This is especially true in CDMA technology.

Scott Swartz, CEO of MetraTech, outlined just how secure modern cellular connectivity can be: “3G and 4G already offer better security than GSM/GPRS networks, and if the device has the ability to encrypt the data, the connections are as secure as those that we use for online commerce and banking.”

Of course, most M2M devices aren’t running on 4G networks: this bandwidth has been reserved for high-ARPU services like mobile video. Instead, mobile operators are repurposing 2G spectrum, which is more vulnerable to malicious attack. Therefore, in most instances the need for better device-side protocols is paramount. These include:

  • Disabling debugging functions in M2M devices themselves.
  • Encrypting the internal memory of the microcontroller in the device.
  • Eliminating signal pathways that send unencrypted data over external buses (USB, etc.).
  • Building in circuitry that detects tampering or intrusion.

Additionally, Denny Nunez, business development manager of M2M Security at Sprint, explained that security measures from partners must be examined. “SMS and Voice are rarely ever encrypted by third-party M2M solutions, and that is where a big security hole exists.”


