The present invention, in some embodiments thereof, relates to a system and method for data security for devices that form part of the Internet of things (IoT) and, more particularly, but not exclusively, to data security for those IoT devices whose connections pass at least partially via the cellular network.
The development of the IoT (Internet of Things) and M2M (Machine to Machine) is imposing new challenges on the cyber industry in general, and on mobile operators in particular. By machine-to-machine we refer to devices which communicate principally with other devices, including for example smart utility meters, health-care devices, monitoring devices, vehicles, networked security monitors and alarms, traffic management devices, domestic appliances, monitors and alarms belonging to building management systems, and monitors, alarms and other components belonging to smart home systems and networked devices in general. By IoT we mainly, but not exclusively, refer to M2M devices which are connected via the internet. Not all IoT devices communicate solely with other machines. Many such devices have profiles that allow users to interface with them, and a device that is mainly an M2M device may also have a user interface, generally to allow for updates, reprogramming, bug identification and the like, although day-to-day communication and reporting would be machine to machine. Many IoT devices do report to end users, and thus these definitions are not limiting.
The present disclosure relates to devices, generally but not exclusively other than those for communication between people such as telephones, which are networked via a mobile network, have a SIM card or like network authentication system, and use an IMSI or like cellular network number as the identifying entity. An international mobile subscriber identity (IMSI) is a unique number, usually fifteen digits long, associated with the Global System for Mobile Communications (GSM), Universal Mobile Telecommunications System (UMTS), LTE (4G) and 5G cellular network types, as well as with other networks such as NB-IoT and LTE-M which are designed specifically for IoT/M2M devices. The IMSI uniquely identifies a GSM subscriber, and corresponding numbers may be used in non-GSM networks. In some cases a particular device can be both an IoT device and a device for communication between people; for example a mobile telephone may include a health tracker feature that reports to a medical center.
The challenge for IoT devices in terms of security is tremendous, because hackers can get into a device and cause significant damage. For example a health-care device may apply timed pulses to the heart, or an IoT device may operate the brakes in a vehicle, and outsiders have made attempts to hack such devices. Another example is a temperature sensor in a data center, whose output is used to control the air conditioning. The temperature sensors can be hacked to indicate that the temperature is very low, thus switching off the air conditioning. The data center is thus caused to overheat very quickly and considerable data can be lost.
There is considerable research taking place today to prevent intrusion and hacking into IoT devices, and from the devices into other machines or data centers or other entities connected to the Internet.
The mobile operator has a specific role in the security scenario, because it controls the pipe for all mobile devices served by the cellular network. The cellular network may refer to GSM, CDMA, 2G, 3G, 4G, 5G, LTE, LTE+ and successors thereof, and indeed any other wireless network operated as a mobile network, including local and citywide Wi-Fi and the like. The mobile operator thus provides services for the business entities (the verticals) that are the service providers of the health-care devices, or the vehicles, or any other devices, and may be considered to have security responsibility.
Today, a mobile network usually provides the same level of security to all mobile devices being served by the network, whether communication devices, IoT devices or anything else. The network authorizes the SIM card via the GSM/2G/3G/4G authentication mechanism. The network may be secured by firewalls and other security gateways installed at the network borders, monitoring the data traffic going between the mobile network and the internet, and/or between the mobile network and other networks or signaling carriers.
However, the IoT (Internet of Things) industry imposes new security requirements both for the internet and for the mobile network. Security is a crucial component in IoT services, since these are physical devices and machines, and hacking such devices may cause direct physical damage to the machines, to the environment in which they serve, and to the humans being served by those machines, as already mentioned above.
IoT devices are generally autonomous, which means there is no human to notice that something is wrong, and the devices have small processors and limited computing resources. The IoT devices are themselves protected by a SIM card but are generally connected to an IP-based server at the other end, so that SIM card security does not authenticate the other end of the communication. Internet firewalls generally look for viruses and check for suspicious packets, but the type of packets the firewalls look for is based on general computing devices and networking. To identify a suspicious packet in the context of a particular IoT device, the firewall would have to know what the device is and what it is, and is not, supposed to do. Generally the only information available to the firewall to make such an identification is a dynamically assigned mobile network IP address, which identifies nothing to the firewall.
Thus what is essentially happening is that although both cellular and Internet parts of the route are in themselves secure, a gap exists between the two parts of the route that a hacker is able to exploit.
One application of IoT devices relates to devices in a particularly identified local area, such as an airport, seaport, campus or smart city. The IoT service providers of such a "smart area" (an area served by IoT devices such as smart meters, cameras and the like, usually described as "smart") need to be in control of all traffic going to and from the IoT devices which compose the service and are installed in the area being served.
Thus for example an attempt to hack a seaport and take over say the cranes could lead to dangerous havoc. An attempt to hack a city and take over the traffic lights could likewise lead to dangerous havoc.
The service providers may also need to track mobile devices, say vehicles, entering the area, and even personal mobile subscribers who enter the served area and may be a threat.
As of today, a mobile network cannot isolate a specific geographical zone from the entire mobile network, as indicated above.