M2M and the Internet of Things: How secure is it?

Summary:Machine-to-machine technology looks set to take off, but are businesses running to it without considering the security aspects? We spoke to the industry about what security implications exist and how serious they are.

New attacks and challenges

With the introduction of new devices and technology, the type of attacks that businesses will experience are also going to change. One of the new challenges that businesses will have to face is the need to increase their focus on physical attacks on devices, such as those in remote locations.

"If companies have ruled out security upfront, I'd really question the maturity of those organisations."

Counsel said that businesses would have to look at physical security to prevent unauthorised access to devices left out in the field, but that access considerations still need to be considered in the event that physical measures also fail.

"You don't want to have that machine compromised, and have a whole bunch of spurious messages coming in," he said, highlighting that these considerations need to be thought of in advance, rather than after security is compromised.

"Every architecture I've ever seen, security must be designed upfront and considered. If companies have ruled out security upfront, I'd really question the maturity of those organisations [and] whether they are ready for the M2M story.

"It's a complete risk perspective. It'll be the remote location management house handling the office. I can see convergence of authentication, GPS technology, and M2M. The next evolution."

Traditional disruptive attacks like denial of service (DoS) could have new consequences, Yip said. Many field-based devices will be powered from batteries.

"It's even easier when power is at a premium, because of the fact that something needs to respond to a request, be it legitimate or not, [and that] takes power."

Yip said that DoS attacks could be designed to increase processor usage, thus draining a device's battery prematurely and ensuring that it stays offline or out of contact. Previously, attackers needed to keep up their attack, limiting the number of targets that they could simultaneously force offline, or find an exploit that would cause a specific service to crash. But when the device runs off batteries, attackers don't need to do anything particularly technical, and get the added bonus of forcing all services on the device offline.

Encrypting information also tends to be a processor-intensive task, meaning that devices may need to be selective as to what they encrypt, as opposed to the web's trend toward full end-to-end encryption.

"You have to minimise power usage, which also means you can't waste too much of it screwing around with encryption. That's actually one of the main challenges. If your processor and [thus] battery is doing all of this encryption activity all the time, pretty soon your device will have no power to do anything," he said.

"Unless nanotechnology and battery manufacturing increases as per Moore's Law, it's going to be a huge issue."

Counsel stressed that the problem existing in the bring-your-own-device (BYOD) and asset-management spheres — remotely wiping lost or stolen hardware — will also carry over to M2M devices if they are physically compromised. This may lead certain businesses to adopt a "mission impossible" policy, where once a device has performed its task, it may need to destroy the data it contains.

"Unless nanotechnology and battery manufacturing increases as per Moore's Law, it's going to be a huge issue."

"You don't want to have devices with any kind of identification left lying around, so you need to have effective disposal or self-disposal processes built in to those protocols. As soon as they're decommissioned or powered on without have being turned on for some period of time, they'll need to actually effectively cater for their own security remotely."

This could include M2M devices using their sensors as a method of determining when it has been stolen, assuming that false data is not being fed back to its owners.

"It might be the device starts off by saying, 'I know I'm being configured to be in location so much northern, eastern, and height.' It gets locked in and configured, and when it first starts up or it changes location, it sends an alert by the same mechanism so if it physically changes location, unless it has been configured to, it actually broadcasts both the GPS location, plus the M2M diagnosis process," Counsel said.

Topics: Big Data, CXO, Data Management, Hardware, Hewlett-Packard, Mobility, Networking, Oracle, Security, Innovation


A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.