About time: the GSM Association has released a bunch of guidelines to try and address the chronic insecurity of the Internet of Things.
The significance of the initiative is that it’s been agreed to by a collective of major carriers – the organisation’s announcement lists AT&T, China Telecom, Etisalat, KDDI, NTT DOCOMO, Orange, Telefónica, Telenor and Verizon but there are plenty of others.
With a common set of security recommendations, carriers will also have a stick they can wave at vendors that don’t care: do it right, or we won’t connect your stuff.
The group has put together documents for the three key segments (as it sees the IoT market anyhow): telecommunication carriers, service operators, and device manufacturers.
The GSMA says different industries are kidding themselves that their security considerations are unique – and that attitude helps make things insecure.
“Almost all IoT services are built using endpoint device and service platform components that contain similar technologies to many other communications, computing and IT solutions. In addition to this, the threats these different services face, and the potential solutions to mitigate these threats, are usually very similar, even if the attacker’s motivation and the impact of successful security breaches may vary,” the guidelines observe.
The Register doesn’t propose reviewing the whole suite of documents, but it’s gratifying to see that the GSMA has noticed critical issues such as orphaned devices.
Hence in addition to obvious requirements like crafting a trusted computing model and a root of trust for IoT kit, it reckons businesses running the services devices connect to need to include a sunsetting model.
Device makers are given the kind of list that’s all-too-often ignored by thing-makers, to date. Good cryptography, APIs to the security model, perfect forward secrecy, application rollback and signed application images are among the requirements the GSMA sets out.
Network operators are called on to protect the security and privacy not just of the IoT devices and services, but also end users.
The full pack of documents is available here. ®
Building secure multi-factor authentication