Swisscom raises spectre of IoT threats derailing rewards

alarm

The seemingly endless attempt to connect everything has created lots of excitement for Internet of Things players, but concern among the more security conscious.

A recent report from Swisscom said the IoT was the most pressing security threat telcos face, because of the volume of devices and multi-faceted nature of the network.

Manuel Häfliger, Swisscom Security Officer for IT, Network and Infrastructure, tells Mobile Europe: “The rapid increase in the number of new objects forming part of the IoT and the vast number of IP addresses/security tags allocated to them means that network teams need to identify precisely and check what and who is on the network at any one time.

“Telcos with responsibility for parts of the communications path of the low powered IoT network are also responsible for the security of the communication right up to the endpoint.”

A failure to do so means networks open themselves up to the likes of massive DDoS scenarios.

Häfliger argues that vulnerability within the IoT comes from one of its strengths – the simple nature of the connected device. He says: “As the performance of IoT devices is limited, they generally lack such security functions as robust authentication and the capacity to hotfix vulnerabilities, so the range of attack scenarios is extended.”

Other problems emerge from the wealth of different organisations, standards and technologies that telcos have to play with. He says: “Bug bounty [where users are compensated for identifying vulnerabilities] and close cooperation with the suppliers of telco equipment help to enable customers and end users to use products and services that have been checked for vulnerabilities and secured against them.”

But beyond a lack of robust security functions, he says there is also a more worrying concern. “There is a lack of experience in the field that would indicate how and to what extent security has to be enhanced as a trade-off with functionality.”

He argues identification of risks and standardisation bodies working to improve the robustness of IoT security must be a priority to mitigate risk. Operators need to devote greater resources to security and also ensure their teams have the best knowledge to deal with threats. 

Häfliger is pragmatic enough to argue that absolute security is an aspiration rather than a goal, but he said if the IoT is highly vulnerable it could derail all of the promised revenues and new business models telcos are so excited about. He says: “Disregard for security on the grounds of costs or functionality makes risk scenarios more likely but can, on the other hand, make application and business cases uneconomic.”

Other potential areas of risk identified in Swisscom’s recent security report are 5G and voice over IP. Häfliger says the problem with 5G is the uncertainty surrounding what it will be, how it will work and what protection can be built into that.

With VoIP, the picture is clearer. Similar to fixed-line telephony, communication via IP is not encrypted, opening it up to new threat scenarios, Häfliger says. One of these is spoofing, where is a user is impersonated by a hacker to launch attacks on the network.

He says: “Swisscom has independent control of its network infrastructure in Switzerland. In this way, it protects itself and its customers as best it can against generalised, non-specific and permanent bugging attempts as long as both communicating parties are in Switzerland.

“International communications networks (both the internet and telephony) are inherently insecure and so can be bugged by third parties unless reliable encryption technologies are used.”

Telcos’ enthusiasm for the IoT is beyond doubt. It is clear, from what Swisscom argues, that it needs to be as focused on risk as it does on the reward.