Telco’s M2M Services Need Defense Options Against Hacked IoT Devices

Subscribe To Download This Insight

1Q 2018 | IN-5013

Telcos have introduced machine-to-machine (M2M) rate plans to attract new Internet of things (IoT) applications based on low monthly fees around low per-node traffic expectations. However, a consequence of a targeted distributed denial of service (DDoS) attack being implemented on hacked IoT devices is that it can create a surge in message traffic that compromises both telcos’ capacity to support subscription clients and consumes the host victim device’s bandwidth. The typical IoT use case of a constrained device with a carefully designed power management for a long expected life cycle may have the battery drained in generating the hacker’s messages. So, the IoT device victim will face a compromised devices as well as potential service fees in addition to the disruption caused to the actual target victim.

Registered users can unlock up to five pieces of premium content each month.

Log in or register to unlock this Insight.

 

Hackers Targeting Vulnerable IoT Devices

NEWS


Telcos have introduced machine-to-machine (M2M) rate plans to attract new Internet of things (IoT) applications based on low monthly fees around low per-node traffic expectations. However, a consequence of a targeted distributed denial of service (DDoS) attack being implemented on hacked IoT devices  is that it can create a surge in message traffic that compromises both telcos’ capacity to support subscription clients and consumes the host victim device’s bandwidth. The typical IoT use case of a constrained device with a carefully designed power management for a long expected life cycle may have the battery drained in generating the hacker’s messages. So, the IoT device victim will face a compromised devices as well as potential service fees in addition to the disruption caused to the actual target victim.

Can IoT Device Security Be Tested and Certified?

IMPACT


The telcos have established significant test and certification processes for devices to be granted the coveted network approved certification. However, a device’s security vulnerabilities may be easy to express in theory but much harder to quantify in a test procedure. In any case, many security experts agree that security is a process and implementations will need to be updated as hackers develop new methods and techniques. 

IoT Device Bandwidth without the Costs of Patch and Update Overhead

COMMENTARY


A recent report from ABI Research (AN-2790) highlighted the anticipated growth over 23 key segments for IoT data traffic. However, IoT system designers also need to factor in a protocol and method of updates to the firmware of these IoT edge devices. Some systems rely on smart gateways to manage local device updates, while other implement a staged approach to roll out updates across the connected devices. One factor in determining the rate and frequency of updates will be the telco’s rate plans and the impact across the network. Since an update process may be much greater than the average message bandwidth it might be expected that this will affect the decisions regarding when or if an update will be implemented.

The telcos have a responsibility to encourage and define the best practices, and unlike the standards that operate over the unlicensed spectrum, the tecols have a standard of care to ensure all clients have access to the service. If they allow vulnerable devices to be compromised they also risk affecting the service availability to all users, thus the problem of a weak device could affect all users. In the same way that telcos operate throttling policies for smartphone data users, they need to manage the actions of a few for the good of the many.

A certification and test approach to ensure a sufficient security implementation may be a difficult concept to define and even harder to implement; a guideline document for developers would be a good start, and advice on update policies will always be seen as useful. But with the current rate-plans they actually discourage the implementation of frequent updates and patches. A unique approach that some telcos can include as part of the device management and cloud hosting services is to waive the data fees for update and patches. The best defense may be a proactive approach based on a simple concept that is easy to explain and implement.

Services