Firewalls don’t stop £1000 bills


Simon Earthrowl is one of Eseye’s network security experts. His knowledge covers everything from devices to data centres. This knowledge has been gathered from working in networking and IT for over 35 years.

With current predictions for the number of connected devices by 2020 ranging from Gartner’s 26 billion to Cisco’s 50 billion, there is one point of agreement among IoT users and IoT manufacturers: security is key, and no one wants unpleasant, costly surprises due to security breaches. Simon talks through his current thoughts on avoiding the doomsday scenarios and on how to avoid unexpected bills related to hacking, spamming or other security breaches.

1. What is your take on the recent network security breaches at large companies?

The security related to using cellular connected M2M applications can be split into two sections, with one being the data protected by the service provider companies and two being the data protected by the Mobile Network Operators. Both face the same issues: hackers and a lack of unlimited security resources.

The recent newsworthy security breaches, from TalkTalk to Target, while shocking, should be viewed through the prism of a constant state of war between companies and those intent on gaining access. As no security system is impenetrable, it has to be relevant to the level of importance and intrinsic value of the data it is protecting. In my opinion, if a few teenage hackers are able to gain access and have the potential to release payment information, then the company clearly does not have good enough security wrapped around its services. But I consider it understandable that GCHQ could, if they so desired, access most of the data globally.

2. What do you consider to be the biggest threat to IoT devices?

“Screwdrivers,” he says with a smile.

As IoT devices are predominantly left alone for long periods to monitor, sense or collect data, the largest threat is in the physical security.

With most IoT devices containing SIM cards, a malicious person could decide to take the SIM card and then use it for their personal use. This is also compounded by the majority of SIM cards in IoT being set up for very low data and international roaming, in a way similar to using your personal phone when you travel. As a result of this setup, the malicious downloading of, for instance, a video could result in huge bills. Eseye have had a few new customers take up our services while smarting from an unexpected bill of over £3000 from a previous supplier. This is more of a risk in my opinion than potentially losing a packet of data that, if not lost, would have told you that your connected lawnmower has finished.

3. If a screwdriver is such a risk to a device, should developers be building secure boxes around the devices?

No, it is not worthwhile making a secure box for the majority of IoT devices. It would be too costly and it simply doesn’t make sense to build a big and strong box to protect devices if they are going to be left unattended and unseen (read exposed) for years. If someone has the desire to break into and steal from a device, they eventually will, whether the device has almost no physical security and a screwdriver will suffice, or a hugely secure box that needs an angle grinder to gain entry.

4. If secure boxes aren’t the answer, how should IoT device developers avoid unexpectedly large bills?

Eseye has a portfolio of solutions that cannot prevent anyone from physically breaking a device, but will ensure that breaking the device is a fruitless endeavour. As a result devices are protected from repeat attacks.

For devices that are using bespoke hardware and the Eseye AnyNet SIM cards it is recommended that customers use the embedded SIMs. These SIMs can be soldered on to the circuit board and look just like all of the other components that are inside the device. This prevents an intruder from being able to identify, remove and use the SIM card.

If bespoke hardware is not being used, and it rarely is for the first design of an IoT device, then Eseye have a number of ways to protect the recognisable SIM card from being used maliciously thus costing the customer money.

When connecting to the internet through a SIM card, the device has to use an APN (access point name) to send and receive data. The APN works as a gatekeeper, with only authorised requests being permitted and unauthorised ones rejected. Eseye’s SIM cards are programmed to use only Eseye’s private APNs. This allows Eseye to manage all data flowing to and from the device. Using this data flow information, Eseye proactively monitors SIM cards and, should a sudden anomaly or spike in data usage occur, Eseye can either notify the customer or automatically suspend the SIM card. Compare this with someone using the SIM card and it only being discovered on receipt of next month’s bill, possibly allowing a month of costly high-data web browsing as a result.

All Eseye SIM cards can be used for the sending and receiving of data, voice calls and SMSs and as gatekeeper to the network Eseye offer the opportunity to disable the unnecessary or unwanted services. This option will prevent SIM cards being abused through the other options. An authorised person can easily and remotely enable and disable the services available on a SIM card to prevent the need for replacements, should the type of communication required alter. For instance, disallowing voice calls or SMS ensures that a SIM cannot be used for that.

All devices that use a SIM card have a modem, and every modem has a unique International Mobile Equipment Identifier (IMEI) number. Eseye offers a soft locking service that enables customers to limit a SIM card to only be usable in one device with one particular modem. This lock can be changed from one device to another to allow the SIM to be safe as devices are replaced or upgraded.

To protect data over the network we also offer a secure Virtual Private Network (VPN) service to our customers. This option adds security against unauthorised access or hostile viewing of the data while in transit. It’s inexpensive and most of our customers use this service as a matter of course.

So if all of these steps are taken, I am confident that any malicious intruder will be prevented from running up unexpectedly large bills for an Eseye customer.
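The three network-side controls described in this answer (usage-spike monitoring, per-SIM service disabling and the IMEI soft lock) can be combined into one policy check, shown here as an added example that is not Eseye's code and not part of the interview. The SIM ids, IMEIs, record layout and the 10x-median threshold are all constructed assumptions.

```python
from statistics import median

SPIKE_FACTOR = 10   # assumed threshold: 10x the SIM's median daily usage
MIN_HISTORY = 3     # normal days needed before the spike check applies

# Constructed policy: SIM id -> (IMEI the SIM is locked to, enabled services)
POLICY = {
    "sim-A": ("350000000000011", {"data"}),
    "sim-B": ("350000000000022", {"data", "sms"}),
}

# Constructed daily usage records: (day, sim, imei, service, bytes)
RECORDS = [
    (1, "sim-A", "350000000000011", "data", 4_000),
    (2, "sim-A", "350000000000011", "data", 5_000),
    (3, "sim-A", "350000000000011", "data", 4_500),
    (4, "sim-A", "350000000000011", "data", 900_000_000),  # video-sized spike
    (1, "sim-B", "350000000000022", "data", 2_000),
    (2, "sim-B", "359999999999999", "data", 2_000),        # SIM seen in another modem
    (3, "sim-B", "350000000000022", "voice", 0),           # voice is not enabled
]

def evaluate(records, policy=POLICY):
    """Return (day, sim, action, reason) for every record that breaks policy."""
    history = {}      # sim -> byte counts of days that passed all checks
    decisions = []
    for day, sim, imei, service, nbytes in sorted(records):
        locked_imei, services = policy[sim]
        baseline = history.setdefault(sim, [])
        if imei != locked_imei:
            decisions.append((day, sim, "suspend", "imei-mismatch"))
        elif service not in services:
            decisions.append((day, sim, "reject", "service-disabled"))
        elif (len(baseline) >= MIN_HISTORY
              and nbytes > SPIKE_FACTOR * median(baseline)):
            decisions.append((day, sim, "suspend", "usage-spike"))
        else:
            baseline.append(nbytes)   # only normal days feed the baseline
    return decisions

if __name__ == "__main__":
    for decision in evaluate(RECORDS):
        print(decision)
```

Keeping flagged days out of the baseline stops a sustained abuse period from raising the threshold that is meant to catch it.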

5. Are there any ways to reduce the cost of a standard bill?

There are a couple of ways that a customer can easily reduce the cost of a standard bill. Although it sounds simple this all comes down to reducing the amount of data sent over the mobile networks. We offer assistance with this through our design consultancy and often have great success in reducing the amount of data by more than 50%.

We can reduce it in several ways. Here are a few examples. As a device connects to a mobile network it has to authenticate; this involves the SIM card telling a mast its details. The details include the IMEI number, username and password. This authentication is known as a ‘handshake’ and is sent to Eseye. From this information we can identify the device. This means that the data packets sent from this device do not need to include information identifying the device, which reduces the size and therefore the cost of the transferred data packets.

The second way of lowering the amount of data being used is through simplifying the data format. Many designers start writing code to be sent over the networks in XML or SOAP. These are unnecessarily heavy protocols, and so we recommend using binary encoding, as that is up to 100 times smaller. If customers are reluctant, we can repackage and translate the data so that minimal bytes are sent over the mobile networks.

The battery life of the device is affected by the size of the data packets, as a shorter time on the network sending or receiving data will lengthen the battery life. As an example, Eseye have made a temperature sensor device running off three AA batteries with a battery life of a year or more. This device is fully optimised and, considering the number of times we all have to charge our smartphones, I think that’s quite an achievement.
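The two data-reduction ideas in this answer (leave the device identity out of the payload because the network session already supplies it, and use a binary encoding instead of XML) look like this for a temperature reading. This is an added example, not Eseye's format or code: the 7-byte layout, field names and sample values are assumptions.

```python
import struct
import xml.etree.ElementTree as ET

# Assumed layout, little-endian: version (1 byte), seconds since last report
# (2 bytes), temperature in 0.01 degC (signed, 2 bytes), battery in mV (2 bytes).
# There is no device id field: the receiver takes identity from the session.
FMT = "<BHhH"
VERSION = 1

def encode_binary(elapsed_s, temp_c, battery_mv):
    return struct.pack(FMT, VERSION, elapsed_s, round(temp_c * 100), battery_mv)

def decode_binary(payload):
    # Reject truncated or padded payloads before unpacking.
    if len(payload) != struct.calcsize(FMT):
        raise ValueError("unexpected payload length")
    version, elapsed_s, temp_centi, battery_mv = struct.unpack(FMT, payload)
    if version != VERSION:
        raise ValueError("unknown payload version")
    return elapsed_s, temp_centi / 100, battery_mv

def encode_xml(device_id, elapsed_s, temp_c, battery_mv):
    # The same reading as self-describing XML that also carries the device id.
    root = ET.Element("reading", {"deviceId": device_id})
    ET.SubElement(root, "elapsed").text = str(elapsed_s)
    ET.SubElement(root, "temperature", {"unit": "C"}).text = str(temp_c)
    ET.SubElement(root, "battery", {"unit": "mV"}).text = str(battery_mv)
    return ET.tostring(root)

if __name__ == "__main__":
    # Constructed sample reading
    binary = encode_binary(900, 21.37, 4410)
    xml = encode_xml("sensor-0001", 900, 21.37, 4410)
    print(len(binary), "bytes binary vs", len(xml), "bytes XML")
    print(decode_binary(binary))
```

A SOAP envelope around the XML body would widen the gap further.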
