M2M and GSM: An Unhealthy Marriage?
One of the biggest security issues facing M2M is the predominant network technology used to send M2M messaging is still GSM, which has considerable security flaws, compared to CDMA. Denny Nunez, Business Development Manager, Sprint, elucidated this threat. “The voice security hole has been exploited dozens of times over the years on GSM. Today eavesdropping over the GSM voice channel is done with relative ease and with under $100 in equipment costs. SMS has also been exploited in GSM M2M modules.”
In fact, both examples at the beginning of this article were exploits of GSM networks.
“None of these examples have ever been successfully done on CDMA,” continued Nunez. “This is thanks to the higher encryption level native in CDMA vs. GSM, and the spread spectrum technology inherent in its design.”
Scott Swartz, CEO of MetraTech, agrees. “3G and 4G already offer better security than GSM/GPRS networks and if the device has the ability to encrypt the data, the connections are as secure as those that we use for online commerce and banking.”
Although M2M will certainly evolve to communicate over 3G and 4G networks, today most M2M communication requires very little bandwidth and is still delivered over GSM networks. But that doesn’t mean we’re doomed until the next M2M network upgrade–there are security holes that can be closed.
Let’s Get Physical
There are two points of attack on M2M communications: over the network, or physical attacks on the device. As I pointed out, M2M devices, by nature, are unattended, making physical attacks fairly easy. Also, many devices switch to sleeping mode in order to conserve energy, making detection of an attack difficult. Sadly, M2M devices aren’t very well equipped to deal with physical attacks.
According to security experts, the security technology employed in the embedded hardware in most M2M devices is “from the 80s”—in other words, very easy to hack. This is based on simple market dynamics: M2M devices must be cheap, highly available, and consume little power. In order to create a “trusted” connection, the devices contain authentication information. However, unencrypted flash memory in the devices themselves easily exposes the “secret keys” to an intruder.
Security researcher Hunz outlined the ease with which M2M devices can be physically attacked in a recent presentation. Hunz bought an asset tracking M2M device from eBay. When he looked inside, he found a PIN-protected SIM card. However, the device sent the PIN to the SIM card when it was powering up, making the PIN easy to “sniff” using SIMTrace. Hunz took the compromised SIM card from the device and put it in a cellphone that had the firmware patched to the IMEI of the M2M module. He began making phone calls. The SIM remained active.
If it ended here, this would be an example of SIM-fraud via M2M module. This is surprisingly quite common—recently an Australian woman was jailed for racking up nearly $200,000 on a SIM card she pulled from her smart meter. In Africa, a network of thieves pulled SIM cards from traffic lights to make thousands of dollars worth of calls. However, free calls and SIM-fraud is only one exploit; Hunz dug deeper.
