Since connected objects often suffer from physical security weaknesses, they tend to be the gateway of choice for hackers. All it takes is buying a connected object, like a bike or camera, for example, or even finding one on the street and physically connecting to the object’s memory to be able to look for security flaws that will reveal the secrets of the entire series. Manufacturers need to be convinced to make the financial investments required to allow passwords to be stored on a device securely. Instead, they tend to pull these costs down to make items as cheap as possible as quickly as possible. As a result, the IoT (Internet of Things) lags behind when it comes to security.
SIM cards: secure by design
If there is one element that does not suffer from this type of weakness, it is the SIM card. As Leïla de Charette, security expert at Orange Innovation and Orange representative to GSMA, explains, “the subject has long been on the agenda, with three decades of research and standardization behind it. SIM cards and eSIMs (a more recent development) are designed to be resistant. They boast increased hardware protections and authentication processes, so extracting information from them is very difficult. They have a similar level of security as bank card chips. So, why increase the security of the connected object itself, if it already contains a part designed to be secure?” The IoT SAFE (IoT SIM Applet for Secure End-2-End Communication) project therefore uses the secure-by-design eSIM to store the security keys needed for the object to function. This method of securing objects connected to the cellular network is expected to be used six billion times by 2025.
A secure key safe
The IoT SAFE solution is built on four technical pillars. A software component is installed inside the device and used as a safe to house data encryption keys. This applet is linked directly to the SIM card and manages the new secure communication interface. Part of the software of the object itself must be modified to connect to this new interface using “glue” or “device middleware.” The data to be sent is then securely transferred to a cloud. Finally, the object is protected by the IoT SAFE server. Since security is provided by the SIM, the carrier is the guarantor, meaning it can dynamically request keys, revoke them if security has been compromised, and even disconnect the object from the network.
Embedding the entire IoT ecosystem
IoT SAFE is a standardized innovation designed by GSMA, a global association of mobile operators and manufacturers. Several industry actors are involved in its development. As Fabrice Fontaine, security expert at Orange Innovation specializing in connected object audits, explains, “for our display at SIDO, we will use the Orange Live Booster connected object, the applet was designed by our partner Thales, and the data travels through Orange’s cloud-based Live Object dedicated to the IoT. Middleware designed to integrate IoT SAFE into the object was developed by us as part of this project. The result of this work is available in open source in the IoT SAFE Library. Open source is a clear way to guarantee that as many connected object manufacturers as possible comply with this new standard.”
For Orange Innovation’s two security experts, securing the IoT requires the implementation of a comprehensive ecosystem, of which IoT SAFE is an excellent example. And the interest already shown in the project suggests that many GSMA actors share this vision.