Concerning Security

During Stream's recent visit to IoT Asia, I was invited to participate in a panel discussion titled "Demand and New Imperatives in the IoT Connectivity and Operating Landscape". It was a valuable discussion and I was happy to be given the opportunity to participate in it.

However, as the session was ending, I was dismayed to hear one of my fellow panelists make the statement that, "RF can't be hacked". Professional courtesy prevents me from identifying the individual, or the company that he or she represented, however I do feel obliged to write this post to set the record straight.

The statement was made in response to a question from an audience member who asked, "How do you secure your IoT network and data in the face of changing radio protocols and technology?" This is an entirely reasonable question, and it's one that I've been asked by customers before. From experience, I know that it requires a more sophisticated response than simply saying, "my network technology is secure".

RF (Radio Frequency) is a communications medium in which different protocols run. Examples of this are Radio, Television and Mobile phones. It is possible to create secure network solutions using RF and communications protocols but like most technologies it is also possible to create solutions that are not secure and can be intercepted.

In truth, while specific RF (Radio Frequency) network protocols may be secure now, there is no guarantee that it always will be. GSM (Global System for Mobile Communications) is the perfect example to illustrate this point. Twenty years ago, GSM was recognised as a secure technology but today it can be hacked using off the shelf hardware, such as a Raspberry Pi and a SDR (Software Defined Radio) module. This setup allows hackers to eavesdrop on any 2G connection. There are slightly more complicated methodologies for doing the same thing on 3G, which require the device to set up an unencrypted connection to a rogue femtocell. This is a classic man in the middle attack (MITM) where the unencrypted connection pretends to be the real base station to steal information. 4G remains relatively secure for consumers, however, even if 4G traffic is not compromised by a malicious external party, most carriers are subject to regulations such as RIPA (Regulation of Investigatory Powers Act 2000), which means that service providers are obliged to intercept your traffic if they are mandated to do so. While this is not technically related to security it does impact the privacy and likelihood that sensitive information can be intercepted.

Admittedly, modern RF protocols are more difficult to decode and hack than GSM, particularly as this requires specialised hardware. However, this is becoming easier, especially with cheap SDRs becoming available on the market. For example, in 2009 Wired reported that Shiite militants were able to intercept unencrypted U.S. military drone feeds using nothing more complex than a TV tuner. From this case alone, it's plain to see that RF is not a magical technology that is imperious to outside intrusion.

There are a variety of secure methods available for TCP/IP (Transmission Control Protocol/Internet Protocol) traffic. Stream support several these methods and frequently recommend them to clients. However these methods are solely related to TLS (Transport Layer Security) and do not address devices that:

  • Don't support TCP/IP.
  • Are messaged based.
  • Are connected to a LPWAN (Low-Power Wide-Area Network) network.
  • Don't have the processing power or entropy to support encryption.

From this, it's tempting to draw the conclusion that low-power, low-cost devices can only support low levels of security. However, this would be a false conclusion. There are a variety of ways in which security can be hardened for low-cost, low-power devices. Primarily, this involves harnessing the same technology that is used in SIM and credit cards.

This involves using Smart Cards, which are low-power CPUs, to store encryption keys. The encryption keys can be used to provide secure access to a network via identity management. They can also be used to encrypt the payload all the way to the application, meaning that the network provider never has visibility of the content. I'm a firm supporter of the latter. As a specialist communications service provider, who are focused purely on enabling IoT connectivity, Stream never want to have visibility of the data that we relay for our clients. This means that Stream cannot ever be asked to provide this data to a third party. Consequently, the customer's application is secure, without being tied to the network security model.

To conclude, history shows us that no matter how secure a data transit method is today, it's safe to assume that it will be compromised in the future. With this in mind, Stream advocate that our clients take control of their security model to ensure peace of mind for the future. Security is not an abstract concept, it's something that can be effectively dealt with today.

Join us at TM Forum Live 2017, 15 - 18th May, in Nice France to speak to some of our representatives in person. For more comment and news from Stream, follow us on Twitter, and 'Like' our Facebook page for more content. Connect with us on LinkedIn for all our business updates.