Security in Machine-to-Machine Communication: The role of the Telecommunication Operator

Transcription

1 Security in Machine-to-Machine Communication: The role of the Telecommunication Operator Cinterion Wireless Modules GmbH 2012, All rights reserved

2 Internet of Things = Increasing need for M2M security Threats in the internet today = Threats in M2M tomorrow Increased Security Threats M2M vulnerabilities Billions of targets online Security breaches in software Decreasing cost of attacks Internet as source of attacks More devices & value Weak embedded Devices OS Connectivity/Availability Internet connected devices We need to prepare today What will be the costs of failed / compromised systems? Please adjust your paranoia level now! Page 2 8 th ETSI Security Workshop, Sophia Antipolis, 16-17/01/2013

3 Examples of M2M attacks Lack of user authentication: Zoombak tracking device (GPS/GPRS): Can be identified and tracked by non-authorized persons Can even be impersonated! Luxury car stolen in 3 minutes using security loophole: No authentication required to duplicate electronic key! Home automation: garage doors, etc. SIM stolen from South Africa s traffic lights: Not paired to the device, and usable for voice phone calls Weak device security with Internet access: Discovergy Smart Meter: Hacked to transmit meter readings (up to every 2 seconds) via HTTP, unencrypted, without authentication! Internet exposure of dutch water pumps: Could be operated by anyone from a home computer! Unprotected local wireless links: Jamming attacks e.g. preventing remote activation of alarm systems Insulin pump hack Over The Air: Uses unencrypted local radio link Could deliver fatal dosage! Heart monitor hacking: Can be turned off or forced to deliver impulse! Page 3 8 th ETSI Security Workshop, Sophia Antipolis, 16-17/01/2013

4 Different types of M2M security risks Privacy (e.g. Discovergy Smart Meter Hack): Personal data, relating to an individual, should be accessible only to authorized parties (lawful purpose or user consent) Ensure identification and authentication of involved parties Local processing by devices reduces exposure (e.g. send anonymous data) Fraud (e.g. South African Traffic lights): Unattended devices deployed in unsecured environments are open to attackers Restrict access and services to essential channels only, configure APN Do not transmit ID, password or APN on unprotected channels Use physical or logical pairing between M2M device and SIM/MIM (cf. ETSI TS ) Critical Infrastructure exposure (e.g. Dutch water pump) Resources of attackers can be commensurate to potential damages! Clearly assess liabilities with all actors Minimize risks with adequate security measures at organizational and technical levels Do not forget human factor, and remember that one weak link compromises the whole chain! Page 4 8 th ETSI Security Workshop, Sophia Antipolis, 16-17/01/2013

5 The network operator in the M2M security ecosystem The main M2M security risks rarely originate from the communication network: Weak application design or unprotected device hardware are most common causes Most M2M applications come from industrial fields which still lack ICT expertize: e.g. energy, automotive, healthcare Yet Telecommunication Operators reputation may be at stake, as affected final users may not make the difference! Play a role in developing the security awareness of M2M customers! Telecommunication Operators have opportunities and tools to assist M2M customers in securing their applications: Monitor connections using keep-alive messages Correlate location data with e.g. GPS tracking Leverage on existing trust provisioning chain (SIM) to deploy applicative security credentials Enable applications to leverage on deployed authentication and identification infrastructures Use OTA remote management for secure deployment of applications, firmware upgrades, etc. Page 5 8 th ETSI Security Workshop, Sophia Antipolis, 16-17/01/2013

6 How to make a M2M system secure enough Risk Analysis Attack Probability Cost of attack Potential Damage Defense Analysis Detection possible? Prevention possible? Cost of prevention? Physical device tamper-resistance Embedded Secure Element, e.g. SIM Modem security Application communication (e.g. encryption) Network security Application backend server security Page 6 8 th ETSI Security Workshop, Sophia Antipolis, 16-17/01/2013

7 How secure are elements of M2M communication systems? What makes an application secure? Communication Networks Connected Devices Communication components Security is a chain => all the links must be secured Page 7 8 th ETSI Security Workshop, Sophia Antipolis, 16-17/01/2013

8 How secure are the networks? Cellular Networks? There are numerous security measures built within cellular networks: User identity is obscured Traffic is encrypted Use of SIM as secure element protecting secrets used for authentication Yes, but... Internet? No security by default! Use e.g. TLS encryption Credentials must be adequately protected (tamper resistance / security certification) > Depends on MNO settings (some 2G algorithms are weak) > Beware of SMS in particular!!! (use encryption and signature) Page 8 8 th ETSI Security Workshop, Sophia Antipolis, 16-17/01/2013

9 How secure are connected devices? Cost of Attack Security demand Security demand = Attack probability * Potential damage Page 9 8 th ETSI Security Workshop, Sophia Antipolis, 16-17/01/2013

10 Examples of device security improvements Goal: increase cost of attacks that are most likely to happen Security Measures Cost of Attack Tamper-resistant enclosure $ $ $ Authenticate via certificates $ $ $ SSL/TLS* encryption Authenticate SMS $ $ $ $ $ $ $ $ $ Protocol & data encryption $ $ $ *SSL = Secure Socket Layer TLS = Transport Layer Security Page 10 8 th ETSI Security Workshop, Sophia Antipolis, 16-17/01/2013

11 What is modem security? Modem must be secured against manipulation (e.g. firmware reflashing) against reverse engineering (e.g. through diagnostics port) Secure communication between modem and application external interfaces (serial, USB) are vulnerable against tracing / reverse engineering encryption may be an option (but key must be stored securely) Internal application (e.g. Java) Java midlet must be protected against manipulation & reverse engineering Midlet update must be secured File system access must be protected as well Rely on tamper-resistant storage/execution environment, e.g. in SIM/MIM Page 11 8 th ETSI Security Workshop, Sophia Antipolis, 16-17/01/2013

12 How does a GSM module contribute to application security? Cinterion Module Java Security API Transport Layer Security Jamming Detection Lock SIM, Module, Cell 3GPP Security Firmware & IMEI protection Page 12 8 th ETSI Security Workshop, Sophia Antipolis, 16-17/01/2013

13 Some frequent M2M threats Attack complexity Attack likelihood Attack Impact Characteristics Countermeasure Application snooping low med/high med Application-level encryption AT Command encryption Lawful interception N/A med med Legal implications Impossible to detect or prevent Application-level encryption Jamming low high med Easy to detect, impossible to prevent Jamming status detection (radio link monitoring) Air interface Interception and decryption med med high Mostly on 2G networks Application-level encryption Encryption status display/check Fake networks ( IMSI Catcher fake BTS) med med high Works in 2G mode only Equipment now affordable Possible to detect & evade Scan frequency spectrum to detect Encryption status display/check Fake networks GSM Layer 3 attacks high low high Device stack dependent May enable code injection! Protocol stack hardening Fake network avoidance Malformed SMS SMS-of-death low med med May crash some devices! SMS application hardening Page 13 8 th ETSI Security Workshop, Sophia Antipolis, 16-17/01/2013

14 The contribution of standards M2M security is addressed in standardization at several levels Communication Network: euicc work in ETSI SCP for remote change of subscriptions 3GPP SA3 Machine Type Communication enhancements ETSI TISPAN (E2NA) work on Privacy protection M2M Service/Application level: Deployed standards today are by verticals Smart Metering: IEC (consolidation under EC M/441 standardization mandate), Smart Grids: IEC (extensions under EC M/490 mandate) Electric vehicle to Grid communication: ISO (developments under EC M/468 mandate) Industrial Control Systems: IEC Tomorrow vision: Horizontal service platform for M2M application deployments Transport network agnostic concept, developed by ETSI TC M2M since 2009 Requirements (TS ), Architecture (TS ) and Protocols (TS ) Release 1 & 2 provide security on the Gateway to Infrastructure interface Credential Bootstrapping (provisioning or PKI-based) Authentication, Confidentiality, Integrity of M2M connections Diversity of M2M applications (security/cost trade off, possibility to leverage on Access Network features) results in multiple security options (GBA, EAP, TLS based) Now migrating into worldwide onem2m partnership (3GPP partners+ TIA) Will provide bootstrapping and end-to-end security services for M2M applications? Page 14 8 th ETSI Security Workshop, Sophia Antipolis, 16-17/01/2013

15 Remember Security is about prevention, not cure. Number of attacks on M2M systems will increase, Secure communication design is the insurance M2M operators should educate M2M customers about security risks, as their reputation is at stake M2M device suppliers should raise cost of attacks by simple and cost effective measures. M2M Application owners should use existing expertise and proper consulting Page 15 8 th ETSI Security Workshop, Sophia Antipolis, 16-17/01/2013

16 Page 16 8 th ETSI Security Workshop, Sophia Antipolis, 16-17/01/2013