M2M presents new security risks that require new security solutions

AdaptiveMobile’s new report, ‘Machine-to-machine: future threat?’, looks specifically at the emerging M2M market and the threats and opportunities it involves. For the purpose of the report, M2M is defined as communication over a mobile network, either from machine to human (or vice versa) or from machine to machine. The market is already huge and expected to grow dramatically – up to 5 billion M2M devices communicating over mobile networks could be in operation by 2020.

Major examples of current M2M usage discussed in the report include utilities (such as smart metering), automotive (such as automatic vehicle locking and the EU’s emerging eCall technology), advertising (such as automated control of billboards), and healthcare (such as automated health monitoring). But where there is a processor, programming and communications, there will also be hacking and malware. At the Mobile World Congress, currently under way in Barcelona, AdaptiveMobile is demonstrating the threat reality by remotely hacking into and unlocking a front door by mobile phone.

The report highlights five specific security threat points. Firstly, M2M, by its nature, is unchecked for long periods. “Many of these devices,” AdaptiveMobile security consultant Cathal McDaid told Infosecurity, “will see little human intervention for weeks or even months, so exploited vulnerabilities may go undetected for a considerable length of time, increasing their impact.” Secondly, there is no patch mentality involved. In healthcare, for example, the “roles these devices perform and the business models they work within are expressly long-life, creating little possibility of upgrade.” Thirdly, when the ‘mobile’ device is physically static, perhaps embedded, it is not easy to remove; and the cost of repair can be high. Fourthly, the unsophisticated single-task nature of many M2M devices will make it difficult to include security software. And lastly, the effect of an attack could be far more profound. While an attack against a bank account may be unpleasant, an attack against a heart monitor could be fatal.

The nature of the devices and the nature of the threat, says the report, mean that 100% prevention must be the target – not the current ‘cure’ approach used in traditional computing. That means that new “dedicated security needs to be created specifically for M2M and delivered at a ‘network’ level.”

“With 86% of consumers stating that they see potential risks in M2M technologies, the general public is clearly aware of the challenges present in this new world of communications,” said McDaid. “To protect subscriber trust in these services, and the core technology, operators must protect them from any security flaws or exploitation from third parties. If operators secure the communications, then subscribers can rest assured that their protection is taken care of.”
