Author Archive

Solving IoT Security – A Mixture of Innovative Technology and Sound Network Design


Ericsson predict that IoT devices will outnumber mobile devices this year in their IoT Forecast report. Furthermore they predict that the number of IoT devices will continue to grow at an annual compound rate of 21% to 2022 resulting in 18 billion IoT devices worldwide, 1.5 billion on mobile networks.

By then IoT devices will reside in every part of 21st century infrastructure with sensors in everything from critical infrastructure such as power stations, healthcare monitoring solutions, automobiles to your central heating. The sheer volume of devices, range of applications and the ever increasing need to deliver faster, better devices to stay ahead of the competition is causing a lot of people in the tech industry to scratch their heads with worry over security. So is this concern justified, or is it simply industry noise from technology vendors PRing their way to the next gravy train?

On 21st October 2016 the Mirai botnet was unleashed on an unsuspecting world. It exploited the processing power of 10’s of millions of internet connected devices, routers, IP cameras, printers, baby monitors etc worldwide to launch multiple Dedicated Denial of Service (DDoS) attacks on a company called Dyn, a DNS (Domain Name Services) provider in the US. Simply put DNS converts a website URL to an actual IP address so your browser can find websites. The result was that it blocked users from accessing websites for companies including Amazon, Paypal, Netflix, Airbnb, Spotify, Visa and many more. There’s little need to spell out the potential loss of revenue associated with this kind of breach, let alone reputation.

The IoT devices that were exploited by the Mirai botnet attack continue to be compromised. They are used daily to launch other, albeit less spectacular, attacks. The nature and complexity of cyber attacks continue to evolve, perceived weaknesses are constantly probed and methods of attacks orchestrated. As the IoT industry develops and number of devices increases we all have a right, not to mention good reason to be concerned with the security surrounding the Internet of Things.

Here we look at some of the security technologies and methodologies currently being deployed, developed and discussed in reference to IoT security…

Encryption, identification and integrity.
Any discussion on security will inevitably talk about encryption. IoT devices as a whole break down into two sub-categories “massive” and “critical”. Massive encompasses things like sensors that will be deployed on a massive scale, require low power, low bandwidth and be produced at low cost. These devices will have limited processing power and so will have limited capacity for encryption. The encryption industry as a whole has responded with the development of new “light weight” encryption algorithms. The US National Institute of Standards and Technology (NIST) is on version 3 of its light weight SHA (Secure Hash Algorithm). Mobile networks meanwhile, always constrained by bandwidth concerns if not processor capacities is in the process of adopting the underlying encryption technologies in their LTE networks that deliver the 3GPP based radio technology, NB-IoT (Narrow Band IoT).

At the critical end of the market the requirements are ultra-reliability, availability, low latency and high data throughput. The main focus is the integrity of the payload data not just its privacy. There are many technologies being muted to aid with this including PKI (Public Key Infrastructure), GBA (General Bootstrap Architecture), Blockchain, OAuth and OpenId. The one that’s making all the press, not least because it’s the technology behind Bitcoin is Blockchain.

Authenticating Blockchain
Blockchain can best be thought of as a ledger, where additions can be made at any point in time, and once added provides a permanent record of the transaction. This ledger is physically delivered over a distributed database. Take the example of an IoT device being used in the healthcare sector, perhaps to monitor patients blood pressure, temperature etc where this sensitive data is then fed back into a central monitoring system accessed by healthcare professionals. By using blockchain technology it’s possible to record at the IoT device level not only the sensitive information, but a time stamped signature for the device itself. This ensures the central monitoring application is able to authenticate the integrity of the payload by only accepting data from an officially recognised signatory as opposed to a rogue IoT device.

The Immune System & Healthcare Services
The constantly evolving nature of security threats and the unyielding pressure of staying ahead of the competition mean that devices are being constantly updated or patched. ARM, one of the leading semiconductor manufacturers are working with industry groups like the IETF to standardise firmware over-the-air (FOTA) to insure that updates are signed and only accepted from the vendor.

ARM go much further than this with their IoT Security Manifesto. They advocate modelling IoT Security on the way a biological virus outbreak is dealt with. Our immune systems react to a virus with an automatic, localised and targeted response. Stopping the spread of a virus to the rest of the population is a problem for healthcare services offering people ways to treat the virus faster and more effectively than the body can do alone. They advocate that IoT networks mimic the immune response with detection at the network edge nodes with sensors for unusual behaviour that can then block or quarantine nefarious traffic. The healthcare services are analogous to a large network monitoring system constantly looking for patterns and unusual behaviour. It would create alerts for any issues found resulting in human intervention or automatic quarantine and updates being applied.

Sounds familiar?
Hang on, this is very familiar… Telco networks are from first principle designed to deliver a network topology analogous to the “immune system” design. First and foremost, unlike all-IP networks the Telco networks are designed with the control plane distinctly separate from the payload. The control plane signalling is “out-of-band” meaning decisions on the delivery of the payload can be made prior to any payload being delivered. This way any nefarious payload is intrinsically kept at the edge of the network. Border controllers (Session Border Controller’s, Diameter Edge Agents, gateways) are the point of entry for all traffic on a Telco network. They guard against hostile attacks, hide the internal network topology, smooth and normalise traffic anomalies to ease subsequent processing by internal functions. If the connecting device appears “compliant” it is then immediately authenticated against the home networks device / subscriber database to establish if it is allowed on the network.

Monitoring and Big Data
Telco networks of any size always have network monitoring tools in place. Probes and collectors through the network collect data and statistics on everything from throughput and resource status to transaction records. Sat on top are sophisticated analytics platforms allowing operators to collate this information triggering calls-to-action on identification of problems. The application of Big Data and AI to this field is allowing more sophisticated pattern matching and early identification of issues, which in turn allow more pro-active, pre-emptive solutions to be deployed.

The major mobile carriers are already poised to take their share of the IoT market. They are not only offering the network but the massive and critical IoT devices themselves all nicely wrapped up with user centric management systems. Talking recently with a European operator it was interesting to learn how they have launched their IoT network by basically taking a copy of their IMS core, (with a little help from their recently deployed virtual network platform), through-which they plan to run this in isolation to gauge take up, safe in the network knowledge they can orchestrate resources should it become a run away success. Longer term they were thinking they might integrate back into their core network but the jury on that is still out.

Conclusions
The point is the IoT opportunity is here, and the press is abound with articles purporting the benefits applications utilising IoT will bring to us all. But, and it’s a big but, sentiment will turn and reputations will be lost if there’s case-after-case of damaging security breaches. The maxim we hear time and again from seasoned network security professionals is “keep it simple”. Sure providers have to take advantage of the latest advancements on offer in the fields of authentication and cryptology, but take a step back first and get the fundamental design of the network right. To this end IP-only IoT application providers should study and adopt the IMS network topology for their core network design.

Integrating an OCS Platform to Facilitate 4G to 3G Roaming

Diameter Signalling

With DIAMETER signalling becoming the key interface for next generation networks and increasingly being driven by the growth of LTE, IoT, autonomous vehicles and VoLTE, it is crucial that operators are able to seamlessly communicate with subscribers as they traverse between legacy networks and IMS.

As a mobile operator deploys a state-of-the-art online charging system (OCS) in their 4G network, the platform needs to overcome inter-op challenges with subscribers as they roam into 3G networks.

An OCS platform typically supports a range of interface technologies – XML, HTML, JSON, DIAMETER etc. The charging functions in 3G networks are handled over the legacy SS7 CAMEL protocol. Furthermore in some 3G networks pre-pay subscribers are dynamically credit checked by the network over  Unstructured Supplementary Service Data (USSD), a legacy protocol commonly used for billing, location based services, mobile money and menu based information services.

To deliver end-to-end  3G <-> 4G Roaming you need to provide both CAMEL to DIAMETER and DIAMETER to USSD functionality.

 

THE SOLUTION
In order to manage the flexibility of DIAMETER and the forecasted volumes of signalling data the industry has developed a set of standard DIAMETER based network products. Included in this product set is the  Inter-Working Function (IWF)  which provides 3GPP specified DIAMETER to  SS7 CAMEL, MAP and RADIUS interworking and is obviously the primary product interface to the OCS.

 

 

At Squire Technologies our SVI_IWF product is tightly integrated with our Telephony Application Server (SVI_TAS) which provides a set of flexible API’s to allow for the rapid deployment of new interfaces, in this instance used to provide USSD to DIAMETER. The operator then went one step further and delivered a separate USSD application. They decided the interface to the OCS would optimally be performed over HTTP. It was a straightforward task to manipulate the HTTP API on the SVI_TAS to deliver this extended functionality.

 

The IWF is deployed and embedded in a pair of DIAMETER Routing Agent’s (DRA’s) that provide resiliency through redundancy, load sharing and balancing via sophisticated on-board routing.

Full support for session binding insures correct online credit control is being performed when multiple simultaneous services are being billed for a single subscriber.

 

 

This solution provides both flexibility and scalability for the operator. As network demand increases new instances of the OCS platform can be launched and configured to point its DIAMETER interface at the pair of DRA’s which will automatically route messages to and from the appropriate OCS. This model allows for ease of deployment in a cloud based NFV network allowing OCS resources to be easily deployed or removed as network demand dictates.

 

 

Call +44 (0)1305 757314
enquiries@squire-technologies.com