It is time to move on from relying on WiFi connectivity and router passwords to connect and secure large IoT ecosystems, according to the authors of a recently published report.
In their report, “Securing the mobile IoT”, authors Michael Moorfield, head of technology and innovation, Truphone, and Ruud Derwig, senior staff engineer, Synopsys, argue that although WiFi connectivity for IoT devices has provided some reliability and security, managing large IoT ecosystems relies on each device user acting as their own network manager, regularly updating their router passwords and all their devices to maintain security.
“No one enterprise, no one network operator, no one cloud platform in their entirety can tie together the various ecosystems required to securely connect devices in a simple way that the average user can really get on board with,” the report argues. “If the current fragmented value chain continues to abound, we will begin to see real-world risk with real-world consequences.”
Their alternative is a shift to the ‘mobile IoT’, in which a combination of SIM technology and emerging cellular network standards, such as 5G, NB-IoT and LTE-M, is used to securely manage and activate large ecosystems of IoT devices.
The report opens by outlining the way that SIMs, and the security and authentication support that they enable, are currently implemented. This tends to be in three discrete blocks: the removable SIM card itself, a cellular modem module, and a microcontroller to orchestrate the work of the other two. This approach is inflexible (SIMs tend to be bound to one operator), demands considerable design-in expertise, and limits integration by using several separately packaged devices.
SIM technology is evolving to address these issues, with removable SIMs giving way to embedded SIMs (eSIMs), and eventually integrated SIMs (iSIMs) in which the SIM functionality becomes part of a larger SoC. This iSIM approach integrates the cellular modem, application microcontroller and, in some cases, flash memory in an SoC. This enables the overall design to be simplified, for example by no longer needing UARTs to communicate between the key functional blocks.
The report goes on to lay out five key characteristics of an iSIM device: a secure execution environment; support for a variety of cryptographic algorithms; persistent, secure storage for data such as network credentials; highly integrated and pre-verified hardware/software; and security that is as good as or better than a discrete SIM solution.
There are also details of three approaches to activating devices that use an iSIM, and the key process steps needed to ensure that activation is done securely. This can be a complex process, dependent on factors including the device distribution channel, the connectivity suppliers, geography and any exclusivity agreements. The report argues that supporting these multiple scenarios with a simple activation flow demands a single remotely managed platform.
The report goes on to discuss the common standards used for provisioning SIMs, and the interoperability advantages of iSIMs. It then proposes an integrated hardware, software, security and management platform approach to using iSIMs to provide security and connectivity for IoT devices, and gives details of remote SIM provisioning strategies and of approaches to giving each device a unique ID.
The report concludes by reiterating its argument that it is time to move on from relying on WiFi connectivity and router passwords to connect and secure large IoT ecosystems, and instead to take advantage of the security infrastructure that has been developed for cellular networks over the past 30 years by using iSIMs and well-thought-out management platforms.
The report is available here.