Security online continues to dominate the headlines. Only a few weeks ago ransomware wreaked havoc on over 230,000 computers and spread its tentacles to over 150 countries. Prior to that it was the Mirai botnet that spread fear. The list of malware goes on and on, and businesses are trying their best to stay one step ahead of cybercriminals. No wonder a recent study found that 80% of IT teams have had to increase the amount of time they spend dealing with security issues and three out of four teams spend up to 10 hours a week on security threats. With around 80 new IoT things coming online every second, managing security is only going to become more complex, especially given the relatively “dumb” nature of some of the things that need protection from threats. One industry is on the frontline of the cybersecurity war: the mobile network operators (MNOs) whose cellular infrastructure IoT depends on.
Cellular networks use one of the strongest forms of security by employing SIM cards. A SIM card acts like a hardware token to authenticate the device to the mobile network, and the technology, algorithms and processes used for the lifecycle of these tokens make it extremely hard, if not impossible, to compromise their authentication. However, this layer of security only covers connecting the device to the network. Applications that sit on these devices need to authenticate separately to the application server in order to identify themselves. The authentication that takes place at the application level typically uses a username/password, a client-ID/secret pair (credentials) or a certificate.
The weakest link: Securing the layers
You would be forgiven for thinking that two-layer authentication was enough to deliver strong security. Not so. There is hardly any coordination between the network and the application during authentication, and there has been no mechanism to link the two. Application-level security is the weak point. The existing username/password mechanisms were created to authenticate users to application servers and were considered an acceptable approach at the time, as people were supposed to remember their identifiers. However, when the same mechanisms are extended to IoT devices authenticating themselves to application servers, the result is a very weak end-to-end security link, because these identifiers have to be stored on the IoT devices. These stored identifiers are susceptible to theft and difficult to update.
By extending network authentication to application authentication, the industry can create a highly secure end-to-end security environment for IoT devices to connect and communicate with the application servers. MNOs are in a unique position to extend the network identity or network-based authentication mechanism to IoT application servers to create two-factor authentication for IoT devices. Extending network identity to IoT applications also gives cellular IoT an edge over non-cellular IoT technologies.
Playing it forward
IoT is a burgeoning industry, yet security fears worry consumers. A recent study found that one in two people distrust online security — and if consumers lack confidence, they won’t participate in the IoT ecosystem. To instill consumer confidence and secure IoT, the industry needs a new robust layer of end-to-end security for connected devices.
Some operators have taken the IoT bull by the horns and others have had to sit on the sidelines. Ultimately, the decision to play a proactive role within the IoT ecosystem will come down to the strategy the operator wants to pursue in its market. MNOs can play a vital role in securing IoT devices and applications. It is a win-win-win for consumers, operators and the key players within the IoT ecosystem who require secure, reliable connectivity.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.