M2M and the Internet of Things: How secure is it?

Summary:Machine-to-machine technology looks set to take off, but are businesses running to it without considering the security aspects? We spoke to the industry about what security implications exist and how serious they are.

Security barriers to M2M adoption

With the 30 billion to 50 billion devices predicted for 2020, a large part of the problem will be the management of each individual end point, and the complexity that comes with that.

"There needs to be new business models, new ways of managing."

Verizon Business' vice-president for Strategy and Development in the Asia-Pacific region, Robert Le Busque, pointed to policy as still being critically important, regardless of what is being connected to the network.

"If it has an IP address, regardless of whether it's fixed or mobile or a device, it needs a security protocol, and that security policy should be in line with the fully blown policy that the enterprise has," Le Busque said.

He also pointed to reducing the complexity of managing a huge number of devices as being an issue that the industry would need to solve.

"As an enterprise, or as an organisation that looks to use M2M, how do you scale appropriately to be able to manage that away? Under that management is not just security; it's how do you manage the lifecycle, and then how do you manage your diagnostics.

"There needs to be new business models, new ways of managing that completely. Ultimately, it's about trying to make protocols and technology simpler and repeatable."

King took a different view, however, and conceded the fight to secure every device. He said that while the approach of securing the end point may have worked in the desktop era, it is near impossible to do so for the millions of devices that might need to be managed.

"In the old days, you could do device-based security, because all those devices were the same. Now you've got iOS, Android, Microsoft on the mobile device. You've got Apple, Linux, Microsoft on the desktop or laptop device. This device proliferation just highlights the fact that attempting to do any of this stuff on the device if you are a corporate entity is extremely difficult."

King said that the one thing these devices have in common is the network they are on, and, as such, the network would be a bottleneck for preventing widespread use of M2M, unless it were used as the place to implement security.

"The place to exercise security in the internet of things is on the internet, not the things. That may be the only thing you've got control over."

However, networks continue to be characterised as security weak points, with Abramovich pointing out that the slow transition from IPv4 networks to IPv6 could harm M2M uptake.

With IPv4 addresses nearing exhaustion, networks simply won't have enough addresses to assign to the explosion of devices unless they transition to IPv6. Abramovich said that in some circumstances, this limitation could be circumvented by using private IPv4 address spaces, but create more complex problems when attempting to connect the private network to the rest of the internet and subsequently route traffic.

Abramovich also said that IPv6's limited use, compared to IPv4, means that it could have further vulnerabilities that haven't been discovered, unlike IPv4, which has stood up to hackers for a significantly longer period.

"The place to exercise security in the internet of things is on the internet, not the things."

"When IPv6 was first introduced, we have seen cases where there were vulnerabilities and issues that were already long gone, extinct from IPv4-based networking, reintroduced in IPv6. The IPv4 IP stack in most modern equipment [and] modern operating systems is fairly strong. With IPv6, there are still a lot of holes that hackers will discover over time [and] once hackers sink their teeth into it, they'll probably find a lot more things that could potentially go wrong," Abramovich said.

Yip also highlighted that the issue with attempting to secure each end point is that certificate management will become a serious issue as they are updated or revoked.

"A core part of security working, specifically for confidentiality, to ensure secure communications ... that's all based on encryption certificates and that sort of thing. The management of certificates is going to become an issue when it comes to that many devices, because certificates expire and then you've got to restore them or refresh them, and there's all sorts of trust relationships that you have to re-establish," Yip said.

"It's nothing new. Anyone that's tried to manage certificates in a [public key infrastructure]-type environment knows what the issues are, but they're not going away anytime soon if we're talking about M2M."

Other barriers to entry will be less technical and more about the applications that M2M technology will be used in. According to Yip, some industry sectors will be slower to adopt M2M technologies than others. He said that the first to use such technology would continue to be utilities, while manufacturers for white goods could follow, but emphasised that any vendor entering the market will need to have a very strong business case.

"If you can actually measure a business case or business saving in putting these kind of things in, then that's where management will sign up and say, 'sure,' but if it's just for us, as consumers, to have an easier way to check out, then it may be hard to fund."

Another security issue that could bring M2M to a halt is the lack of skilled, experienced implementers when it comes to rolling out a fleet of M2M devices. King said that because it is such a relatively new area for certain businesses, those that are currently doing it haven't learned the important lessons from the failures of SCADA systems in the utilities space.

"They are not the folks that have earned their scars, if you'll permit the analogy, in network security in the first place," he said.

Counsel agreed.

"It really is about having people who have been there, seen the problem, [and have] experienced the scars on their back. If you bring someone who is inexperienced in this, who hasn't had the background working with companies that don't have the background in this area, I think you're going to hit those same issues and repeat problems," he said. Getting advice from organisations that are looking at related areas can be the key to success.

Read more on M2M:

Topics: Big Data, CXO, Data Management, Hardware, Hewlett-Packard, Mobility, Networking, Oracle, Security, Innovation


A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.