Secure M2M on the SIM
By Michel Zwijnenberg, Vice President, ASPIDER M2M
ASPIDER has developed a true end-to-end security solution for M2M communications that employs state-of-the-art cryptography technology.
Cryptography is the foundation of data security and is employed in e-commerce activities such as online shopping, stock trading, and banking. The current version supports symmetric-key cryptography; public-key asymmetric cryptography will be enabled at a later date. As far as we know, ASPIDER is the first company to employ this robust technology for M2M security.
The security keys that ASPIDER generates, using an ultra-secure process, are stored in transparent files embedded in the SIMs. One subset of the security keys is open and accessible; another is accessible only with a PIN code. The M2M modem retrieves keys from the SIM and sends encrypted data to the server, which decrypts the data using the same key. The same encryption/decryption process is also used to send data to the modem.
Ultimately the solution provides four security levels when using symmetric cryptography. (1) The Advanced Encryption Standard (AES) is employed for encryption. (2) A Message Authentication Code (MAC) protects data integrity. (3) Additional authentication is provided by verifying the identity of the communicating entities. (4) Adding session data (SD) ensures that messages cannot be captured and reused by an attacker at a later date. All four are required in order to ensure end-to-end security.
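As an added worked example (not ASPIDER's code; the page does not describe its wire format or SIM interface), the following Go program shows how the four levels combine on the modem and server sides. It assumes a 128-bit device key shared through the SIM, uses AES-GCM from Go's standard library so that the AES encryption and the MAC tag are produced together, binds the device identity and a per-device sequence number (the session data) into the authenticated data, and rejects any frame whose sequence number does not advance. The frame layout, device names and key bytes are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame is a constructed wire layout for one secured M2M message; it is not ASPIDER's format.
type Frame struct {
	DeviceID   string // identity of the sending modem (level 3: authentication)
	Seq        uint64 // session data, strictly increasing per device (level 4: anti-replay)
	Nonce      []byte // 12-byte GCM nonce, fresh for every frame
	Ciphertext []byte // AES-GCM output: encrypted payload followed by the 16-byte tag (levels 1 and 2)
}

// aad serialises the fields that travel in clear but must still be authenticated.
// Binding them into the GCM tag means a forged identity or sequence number fails verification.
func aad(deviceID string, seq uint64) []byte {
	buf := make([]byte, 8+len(deviceID))
	binary.BigEndian.PutUint64(buf[:8], seq)
	copy(buf[8:], deviceID)
	return buf
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the modem side: encrypt the payload under the device key read from the SIM.
func Seal(key []byte, deviceID string, seq uint64, payload []byte) (Frame, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Frame{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Frame{}, err
	}
	ct := gcm.Seal(nil, nonce, payload, aad(deviceID, seq))
	return Frame{DeviceID: deviceID, Seq: seq, Nonce: nonce, Ciphertext: ct}, nil
}

// Server holds the per-device keys and the last sequence number accepted from each device.
type Server struct {
	keys    map[string][]byte
	lastSeq map[string]uint64
}

func NewServer() *Server {
	return &Server{keys: map[string][]byte{}, lastSeq: map[string]uint64{}}
}

// Register provisions the shared key for a device; its first accepted Seq must be above 0.
func (s *Server) Register(deviceID string, key []byte) {
	s.keys[deviceID] = key
	s.lastSeq[deviceID] = 0
}

// Open is the server side: authenticate first, then enforce freshness, then release the plaintext.
func (s *Server) Open(f Frame) ([]byte, error) {
	key, ok := s.keys[f.DeviceID]
	if !ok {
		return nil, errors.New("unknown device")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(f.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length") // gcm.Open would panic on a wrong-sized nonce
	}
	// The tag check covers ciphertext, DeviceID and Seq together; any change fails here.
	payload, err := gcm.Open(nil, f.Nonce, f.Ciphertext, aad(f.DeviceID, f.Seq))
	if err != nil {
		return nil, errors.New("authentication failed")
	}
	// Only update replay state after a valid tag, so forgeries cannot disturb it.
	if f.Seq <= s.lastSeq[f.DeviceID] {
		return nil, errors.New("replay detected")
	}
	s.lastSeq[f.DeviceID] = f.Seq
	return payload, nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit demo key; real keys come from the SIM
	srv := NewServer()
	srv.Register("meter-001", key)
	frame, _ := Seal(key, "meter-001", 1, []byte("temp=21.5"))
	pt, err := srv.Open(frame)
	fmt.Printf("first delivery: %q err=%v\n", pt, err)
	_, err = srv.Open(frame) // the same frame again is rejected by the sequence check
	fmt.Println("replayed frame:", err)
}
```

The order of checks in `Open` matters: the tag is verified before the sequence number is consulted, so an attacker who cannot forge a tag also cannot advance or poison the server's replay window, and a captured frame that is re-sent later fails the `Seq` comparison even though its tag is still valid. Because the device identity sits in the authenticated data, a frame re-labelled with another device's identity fails verification even when both devices happen to share a key.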
In asymmetric public-key cryptography (PKC) one key encrypts the information and a second, different key decrypts it. A user can encrypt a short-lived session key with the communicating party’s public key and simply send out the encrypted key. PKC ensures that only the holder of the corresponding private key can decrypt it and obtain the session key.
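The session-key wrapping just described, as an added Go example rather than ASPIDER's implementation (which the page says is still to come): RSA-OAEP from the standard library encrypts a freshly drawn AES session key under the recipient's public key, and only the matching private key can unwrap it. The 2048-bit key size, the OAEP label string and the party names are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// keyWrapLabel is bound into the OAEP padding; both sides must use the same value.
// The string itself is a constructed value for this example.
var keyWrapLabel = []byte("m2m-session-key-v1")

// GenerateKeyPair creates the long-lived RSA key pair of one communicating party.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// NewSessionKey draws a fresh 128-bit AES key to protect one short-lived session.
func NewSessionKey() ([]byte, error) {
	k := make([]byte, 16)
	_, err := rand.Read(k)
	return k, err
}

// WrapSessionKey is the sender's step: encrypt the session key with the recipient's public key.
// OAEP randomises the padding, so wrapping the same key twice yields different ciphertexts.
func WrapSessionKey(pub *rsa.PublicKey, sessionKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, keyWrapLabel)
}

// UnwrapSessionKey is the recipient's step: only the matching private key recovers the session key.
func UnwrapSessionKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, keyWrapLabel)
}

func main() {
	server, _ := GenerateKeyPair() // the party that will receive the session key
	sk, _ := NewSessionKey()
	wrapped, _ := WrapSessionKey(&server.PublicKey, sk)
	got, err := UnwrapSessionKey(server, wrapped)
	fmt.Printf("recovered %d-byte session key, err=%v, match=%v\n", len(got), err, string(got) == string(sk))
}
```

Once both sides hold the session key, the symmetric scheme described above (AES plus a MAC, identity binding and session data) carries the actual M2M traffic; the public-key step only has to move a few bytes of key material, which is why it fits constrained modems.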
Encrypting data at the application level is an upcoming development. It allows sensitive data to be protected, and access to it controlled, in a fine-grained way. The application is the obvious place to encrypt and decrypt data because the application knows exactly which data is sensitive and can apply protection selectively.
Earlier this year ASPIDER M2M became part of the Wyless Group. Wyless is the global leader in M2M managed services and as such employs a comprehensive portfolio of security mechanisms, including private IP addresses, IPsec tunnels, the Point-to-Point Tunneling Protocol, and both client-server and IPsec site-to-site VPNs.
Currently the company has agreements with 19 leading MNOs, and a single Wyless SIM provides global connectivity. Customers will therefore now be able to add even more security by employing ASPIDER’s end-to-end cryptography solution. However, I should like to emphasize that our solution delivers ultra-robust security in its own right and is decoupled from the parent company’s managed services offer.
At one time M2M solutions were thought to be secure because they were obscure, but M2M has moved on. The Heartbleed vulnerability, for example, allows sensitive data that would normally be protected by SSL/TLS encryption, even private keys, to be stolen. Heartbleed did not impact any Wyless technical resources, but it did indicate that any device, host, or resource could, eventually, be exposed to a zero-day vulnerability. Security is a moving target, one that’s always in our sights.
Making M2M Safe and Secure
Interview with Steve Boyd, Director of Network Engineering, Wyless
IN SECURITY: There used to be a time when M2M solutions were thought to be secure because they were obscure. Hackers didn’t bother with them. However M2M has moved into enterprise and other key environments, so what is Wyless doing to make them really safe and secure?
STEVE BOYD: We’ve moved on and now nothing is too obscure for the hackers, but besides putting everything behind a firewall we can implement IP whitelisting. What this does is to allow data from the wireless device to only reach customer-allowed destinations and it blocks any IP addresses that are not specified on the list. In addition we can employ default-gateway IPsec tunnels as well as general routing encapsulation on the traditional IPsec tunnels in order to direct all device-initiated traffic towards the company’s network. This enables companies to use their own network filtering and protocols, which effectively brings the device behind the protection they already afford their core network. This protection is in place no matter what somebody does to the device in the field. It either routes all traffic to and from the company’s network, or it doesn’t route any traffic over any cellular network at all.
IN SECURITY: When you build a secure wall around a business environment how do you enable remote access by authorized users?
STEVE BOYD: Well, it’s kind of obvious that we do need to provide a way for authorized users and services to access the devices remotely over the Internet. We’ve done that by employing two data communications technologies: PPTP (Point-to-Point Tunneling Protocol) client-server VPNs and IPsec site-to-site VPNs (Virtual Private Networks). With PPTP individual users can initiate a VPN and establish traffic to the devices on the fly, and with IPsec one or more sites can be linked to the devices over a private, permanent connection. I’d like to add that it is not necessary to have public IP addresses and they should be avoided wherever possible.
IN SECURITY: How and why does Wyless implement connectivity via the cloud?
STEVE BOYD: Enterprises are employing virtual pools of computing resources that operate very efficiently in private and public clouds, and a key benefit is the flexibility it brings to their operation. M2M solutions are also moving to the cloud, either stand-alone or integrated, and of course this is something we anticipated; our response was to implement our own complementary cloud connectivity solution. This means that we can deliver secure network connectivity between our global MNO sites and both Amazon AWS and Microsoft’s Azure platform, and several customers are already using this service.
IN SECURITY: What security developments do you expect to see later this year and in 2015?
STEVE BOYD: Going forward, as M2M and IoT take-up accelerates, I think the leading edge will be in comprehensive traffic analysis. We’re getting beyond putting up walls and into scanning traffic for unauthorized or malicious characteristics and blocking it as appropriate. The additional security benefits of that approach will be substantial for anyone investing in it, and I’m confident that Wyless will be at the forefront.