GSMA's IoT security guidelines overview


October 15, 2016 by Christophe Baland
In February 2016, the GSM Association (GSMA, the association representing 850 mobile operators across 218 countries) published a series of documents setting out its security recommendations for the Internet of Things, the IoT Security Guidelines [1]. With this guide, the association hopes to raise awareness among IoT stakeholders and so improve the security of the ecosystem. The recommendations below are taken from the critical and high priority recommendations set out in the GSMA documents, occasionally supplemented by the medium and low priority ones.


Recommendations for endpoint devices

For endpoint devices, the recommendations are:
  • Implement an Endpoint Trusted Computing Base (TCB). The TCB is responsible for enforcing the security policy of the device. It is the set of hardware, software and protocols that ensures the integrity of the endpoint, performs mutual authentication with network peers, and manages communications and application security. The trust anchor within it stores and processes the cryptographic secrets, such as pre-shared keys (PSK) or asymmetric keys. Without a trusted base, a compromise of one endpoint affects the whole IoT architecture.
  • Manage endpoint passwords. Devices with a user interface must manage passwords properly: no default or hard-coded passwords, and the user must be required to choose one. If passwords must be stored, they must be stored hashed (with a per-user salt) rather than in plaintext or reversibly encrypted. Login interfaces must not display user identification information that would help a third party authenticate.
  • Use a trust anchor. The device must be able to verify the integrity of its own platform and to authenticate the identity of its peers. It is therefore recommended that endpoints incorporate a trust anchor within the trusted computing base (a Secure Element, for example). A trust anchor is a hardware component, such as a separate physical chip or a secure core inside the CPU, capable of storing and securely processing cryptographic secrets. Without one, a device's identity can be cloned and unauthorized updates can be deployed to it.
  • Detect anomalies. Modelling endpoint behaviour is an essential part of IoT security. To detect compromised endpoints, abnormal changes in a device's behaviour must be logged: unexpected reboots, malformed messages sent by the device, or connections to the service at inappropriate times. If the service provider records the normal behaviour of a device, it can recognise deviations from it.
  • Use attack-resistant components. Unlike conventional information systems, connected objects are released into the field and are therefore easily accessible to attackers. The robustness of the object must be ensured, both for its chips and for internal access: reinforce it as far as possible with solid casing, welded seams, potting (epoxy or silicone) and so on. Components that detect tampering and alert the user (sensors, security fuses, etc.) are recommended. These measures limit an attacker's ability to carry out a physical attack and extract secrets.
  • Ensure secure communications. The easiest way to compromise an endpoint is to manipulate its communication channel. Device designers must therefore ensure communications security through authentication of network peers, data confidentiality and message integrity. This is essential in particular because it prevents impersonation of the device or of the service.
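The anomaly-detection recommendation above becomes concrete once the "normal behaviour" of a device is written down as a profile and every service-side log line is checked against it. The Go program below is an added example written for this page, not code from the GSMA guidelines: the log format (RFC 3339 time, device, event kind, byte count), the event vocabulary, the device profile and the log lines themselves are constructed assumptions. It flags the three deviations the text names (unexpected reboots, malformed messages, contact outside the expected hours), plus two cases a platform also meets in practice: a device it has never profiled and a line it cannot parse.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Profile is the modelled "normal" behaviour of one endpoint. In practice it is
// learned from the device's own logged history; the values used below are
// hand-written assumptions for this example.
type Profile struct {
	ActiveStart int // first hour (UTC) in which the device is expected to contact the service
	ActiveEnd   int // first hour (UTC) at which it should be silent again (exclusive bound)
	MaxReboots  int // reboots tolerated within the observed log window
	MaxPayload  int // largest legitimate message size in bytes
}

// Event is one parsed service-side log line: "<RFC3339 time> <device> <kind> <bytes>".
// The kinds "report", "reboot" and "msg" are an assumed log vocabulary.
type Event struct {
	When     time.Time
	DeviceID string
	Kind     string
	Size     int
}

func parseLine(line string) (Event, error) {
	f := strings.Fields(line)
	if len(f) != 4 {
		return Event{}, fmt.Errorf("malformed log line %q", line)
	}
	when, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, fmt.Errorf("malformed timestamp in %q: %v", line, err)
	}
	size, err := strconv.Atoi(f[3])
	if err != nil {
		return Event{}, fmt.Errorf("malformed size in %q: %v", line, err)
	}
	return Event{When: when, DeviceID: f[1], Kind: f[2], Size: size}, nil
}

// Detect compares every log line against the device's profile and returns one
// finding per deviation: activity outside the expected hours, too many reboots,
// oversized (malformed) messages, unknown devices and unparseable lines.
func Detect(lines []string, profiles map[string]Profile) []string {
	var findings []string
	reboots := map[string]int{}
	for _, line := range lines {
		ev, err := parseLine(line)
		if err != nil {
			findings = append(findings, err.Error())
			continue
		}
		p, ok := profiles[ev.DeviceID]
		if !ok {
			findings = append(findings, ev.DeviceID+": unknown device, no behaviour profile")
			continue
		}
		hour := ev.When.UTC().Hour()
		if hour < p.ActiveStart || hour >= p.ActiveEnd {
			findings = append(findings, fmt.Sprintf("%s: %s at %02d:00 UTC, outside active window %02d-%02d",
				ev.DeviceID, ev.Kind, hour, p.ActiveStart, p.ActiveEnd))
		}
		switch ev.Kind {
		case "reboot":
			reboots[ev.DeviceID]++
			if reboots[ev.DeviceID] > p.MaxReboots {
				findings = append(findings, fmt.Sprintf("%s: %d reboots, more than the %d tolerated",
					ev.DeviceID, reboots[ev.DeviceID], p.MaxReboots))
			}
		case "msg":
			if ev.Size > p.MaxPayload {
				findings = append(findings, fmt.Sprintf("%s: %d-byte message exceeds %d-byte maximum",
					ev.DeviceID, ev.Size, p.MaxPayload))
			}
		}
	}
	return findings
}

// SampleProfiles and SampleLog are constructed for this example; they are not real devices or traffic.
var SampleProfiles = map[string]Profile{
	"meter-0017": {ActiveStart: 6, ActiveEnd: 22, MaxReboots: 1, MaxPayload: 256},
}

var SampleLog = []string{
	"2016-10-01T07:00:00Z meter-0017 report 0",
	"2016-10-01T07:00:05Z meter-0017 msg 120",
	"2016-10-01T09:30:00Z meter-0017 reboot 0",
	"2016-10-01T09:31:00Z meter-0017 reboot 0", // second reboot in the window
	"2016-10-01T10:00:00Z meter-0017 msg 4096", // far larger than any legitimate reading
	"2016-10-02T03:15:00Z meter-0017 report 0", // contact in the middle of the night
	"2016-10-02T08:00:00Z meter-9999 report 0", // device the platform has never profiled
	"this line is not a log record",
}

func main() {
	for _, f := range Detect(SampleLog, SampleProfiles) {
		fmt.Println("ANOMALY:", f)
	}
}
```

The first three log lines match the profile and produce nothing; each of the remaining five produces exactly one finding. The thresholds in Profile are the part that has to come from real history: set MaxPayload from the largest message the device type legitimately sends, and the active window from its observed reporting schedule, otherwise the detector either floods the operator or misses the compromised device.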


Recommendations for mobile services

For mobile services, the recommendations are:
  • Secure public-facing systems. Services exposed to the public must be especially well secured to ensure their availability, confidentiality and integrity: deploy infrastructure that resists DDoS attacks, is redundant and is protected by firewalls. These measures should apply to every protocol used to communicate with the service. Filtering must be applied on ingress as well as egress, to block attacks and intrusion attempts and also lateral movement within the system and exfiltration of sensitive data.
  • Set up an incident response model. In case of an attack, isolating the targeted servers or computers is not enough; the organization must know how to react and deal with the threat: diagnose the source of the attack, fix the system and deploy patches across the whole infrastructure. The team in charge must be able to preserve and recover data (such as logs) so that the causes of the attack and the vulnerabilities exploited can be analysed thoroughly. An organization without an incident response plan will take far longer to react, which increases the risk of the whole system being compromised and slows down the remediation of the infrastructure's vulnerabilities.
  • Establish a clear authorization model. The authorization model defines the actions third parties may perform and the data they may collect about the user; it defines which third parties may access which devices and which of the generated data. Such access must be clearly specified and limited to the minimum needed, so that a third party's ability to alter the user's system is as small as possible (least privilege). The model should prevent any unauthorized access that could lead to malicious actions; without a clear authorization policy, systems are potentially open to everyone.
  • Manage the cryptographic architecture. Every component of the IoT service must use cryptography, whatever its function or criticality. To keep the cryptographic architecture secure and stable, several points must be watched: use standard algorithms rather than home-grown ones, hash every password (even if it is transmitted over a secure channel), and use a cryptographically strong random number generator. These recommendations aim to avoid flaws that would reveal the secrets used by users or devices within the service ecosystem, secrets that could then be used for data theft or other malicious actions.
  • Define a communication model. Above all, no platform must be accessible to anonymous users. To ensure the integrity, confidentiality and availability of communications, it is recommended to set up a centralized certificate authority that establishes trust between the parties. It is also recommended to use ephemeral encryption keys, so that communications already exchanged are not compromised if a certificate (or the private key behind it) is broken or stolen later (forward secrecy). The key exchange must be secured (with Diffie-Hellman, for example). These issues become critical in systems that include health-related or industrial control devices.
  • Prepare the servers. Server preparation covers the definition, configuration, hardening and deployment of servers into production. The objective is to deploy servers that are secure and ready to withstand attacks. To this end, define precisely which services are needed on each machine together with their access policies, and maintain an update policy for both the operating system and the applications, taking into account the problems an update may cause. Proper server preparation secures all the IoT services that rely on those servers and avoids data loss or service malfunction.
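The communication-model and cryptographic-architecture items above (a trusted identity for each party, ephemeral keys, a Diffie-Hellman style exchange, standard algorithms and a strong random number generator) fit together in one short handshake. The Go program below is an added example for this page, not code from the GSMA documents: it uses X25519 for the ephemeral exchange, Ed25519 identity signatures standing in for the CA-issued certificates the text describes, an HKDF-style derivation with HMAC-SHA256, and crypto/rand for every key. The party names, the transcript label, the salt string and the trusted-key directory are assumptions made for the example.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is one side of the exchange, holding a long-term Ed25519 identity key. The
// certificate authority of the text is reduced here to a directory of trusted
// identity public keys; a real platform would validate an X.509 chain instead.
type Party struct {
	Name string
	id   ed25519.PrivateKey
}

// Hello is the single handshake message: a fresh X25519 public key signed by the
// sender's identity key, so an attacker cannot substitute their own ephemeral key.
type Hello struct {
	From      string
	Ephemeral []byte
	Signature []byte
}

// NewParty generates an identity key from crypto/rand (the OS CSPRNG, never
// math/rand). Failure of the system RNG is unrecoverable, hence the panic.
func NewParty(name string) *Party {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Party{Name: name, id: priv}
}

// TrustedDirectory stands in for the CA: the identity keys a peer will accept.
func TrustedDirectory(parties ...*Party) map[string]ed25519.PublicKey {
	dir := map[string]ed25519.PublicKey{}
	for _, p := range parties {
		dir[p.Name] = p.id.Public().(ed25519.PublicKey)
	}
	return dir
}

// transcript binds the signature to both the claimed name and the ephemeral key.
func transcript(from string, eph []byte) []byte {
	return append([]byte("iot-hello-v1:"+from+":"), eph...)
}

// Begin creates a new ephemeral X25519 key pair for this session only and signs its public half.
func (p *Party) Begin() (*ecdh.PrivateKey, Hello) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pub := eph.PublicKey().Bytes()
	return eph, Hello{From: p.Name, Ephemeral: pub, Signature: ed25519.Sign(p.id, transcript(p.Name, pub))}
}

// Finish authenticates the peer's Hello and derives the session key. Identity keys
// only sign; the key comes from the ephemeral ECDH secret, so a later compromise of
// an identity key (or its certificate) does not expose past sessions.
func Finish(eph *ecdh.PrivateKey, peer Hello, trusted map[string]ed25519.PublicKey) ([]byte, error) {
	idKey, ok := trusted[peer.From]
	if !ok {
		return nil, errors.New("unknown peer " + peer.From)
	}
	if !ed25519.Verify(idKey, transcript(peer.From, peer.Ephemeral), peer.Signature) {
		return nil, errors.New("ephemeral key of " + peer.From + " is not signed by its identity key")
	}
	peerPub, err := ecdh.X25519().NewPublicKey(peer.Ephemeral)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(peerPub)
	if err != nil {
		return nil, err
	}
	// HKDF extract-then-expand with HMAC-SHA256; one 32-byte block is enough for an AES-256-GCM key.
	extract := hmac.New(sha256.New, []byte("iot-session-salt-v1"))
	extract.Write(shared)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte("aes-256-gcm\x01"))
	return expand.Sum(nil), nil
}

// RunExchange performs one device/platform handshake and returns the two
// independently derived session keys, which must be equal.
func RunExchange() ([]byte, []byte, error) {
	dev, plat := NewParty("device-0017"), NewParty("platform")
	trusted := TrustedDirectory(dev, plat)
	devEph, devHello := dev.Begin()
	platEph, platHello := plat.Begin()
	devKey, err := Finish(devEph, platHello, trusted)
	if err != nil {
		return nil, nil, err
	}
	platKey, err := Finish(platEph, devHello, trusted)
	if err != nil {
		return nil, nil, err
	}
	return devKey, platKey, nil
}

func main() {
	devKey, platKey, err := RunExchange()
	if err != nil {
		panic(err)
	}
	fmt.Printf("device key   %x\nplatform key %x\n", devKey, platKey)
}
```

It needs Go 1.20 or later for crypto/ecdh. The 32-byte result is the key for an AEAD such as AES-256-GCM, which then provides the confidentiality and integrity the text asks for; the ephemeral private keys are never stored and are unreferenced once Finish returns, which is what keeps an old session safe if an identity key is stolen afterwards. A Hello whose signature does not verify under the claimed name, or whose name is absent from the directory, is rejected before any shared secret is computed, so an attacker on the channel can neither inject their own ephemeral key nor pose as an unregistered party. The toy directory is the one piece a real deployment replaces with certificate-chain validation against the platform's CA.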


Recommendations for networks

For network security, the recommendations are:
  • Ensure identification and authentication. Every entity involved in the IoT service (gateways, devices, endpoints, home networks, roaming networks, service platforms) must be unambiguously identified, as identity is the basis of authentication. The identities created and used in an IoT service (IMSI, IMEI or ICCID, for example) must therefore be well protected against unauthorized modification or theft. Network operators can provide services so that the users, applications, devices or service platforms associated with IoT services are securely authenticated.
  • Protect data and communications. The security and confidentiality of the information held in the network for the IoT service must be ensured. Processes and mechanisms that guarantee the availability of network resources and protect against attacks (for example appropriate firewalls, intrusion prevention technologies and data filtering) must be deployed. Where appropriate, network operators can provide and manage secure connections to corporate networks via virtual private networks (VPN) and encrypted Internet connections. Operators can also offer customers private networks in which dedicated communication channels are reserved for a single customer. These private networks can be built with a tunnelling protocol such as Layer Two Tunneling Protocol (L2TP) combined with a security protocol such as IPsec (L2TP on its own provides no encryption), or by dedicating a network to IoT services through a separate instance of the core network that shares the radio network.

These recommendations are intended to maintain a high level of security in the connected-object ecosystem by establishing a set of best practices for each component of the IoT architecture. Readers are encouraged to consult the original documents for further details.