Data security in M2M environments

Paul Boughton

High-tech car thieves were able to exploit features of a car’s diagnostic tool and then clone the keyless remote system. Hackers showed how to make wireless insulin pumps deliver fatal dosages to trusting patients, and heating systems allowed unauthorized manipulation via the internet.

Requirements for reliability, security, safety and non-repudiation (ie, ensuring that data has undeniably been sent and received) definitely play a role in M2M.

Many rules and regulations that touch M2M service processes already exist. They cover data security in general and the security of (wireless) networks, devices and communications technologies. Data protection rules exist in many countries and interception of personal data transmitted via telecommunications networks is forbidden. IT processes should adhere to ISO security standards.

Industry interest groups (eg, GSMA, Bluetooth SIG) have extra standards concerning technology implementation. So-called 'vertical markets' have additional rules (eg, HIPAA Standards for Health Care in USA, EU Automotive EMC Directive, Smart Metering Protection Profile in Germany). M2M networks, devices and services must already adhere to many security rules. Do we really need more to ensure 'end to end' security?

End-to-end security implies that an M2M service chain has a beginning and an end. 7Layers, a group engaged in wireless device and service certification, is involved in developing an M2M telematics process. 7Layers describes the M2M service environment differently to better reflect complex M2M processes and security issues:

In our example, the service originator is the owner of a car park. The service deliverer (a machine) opens and closes the car park barrier (in this case the application). The data processor stores, analyses and provides data about the usage of the car park which can be allocated to an individual user (the driver). The user has a contract with the service provider allowing him to use car parks that belong to the system. The service provider receives the user’s parking duration data from the data processor and bills the user, subsequently transferring part of the income to the service originator.

This does not sound too complicated, provided the allocation processes work properly. Further complications arise if the driver uses different vehicles, or the user belongs to a user group (eg, with a service provider corporate contract). It is also possible that services belonging to other service originators (eg, car-cleaning) are part of the 'M2M telematics service environment'. In addition to telematics services, users may also be using other applications from completely different M2M environments. In all such cases, applications must not interfere with each other and it must be provable which applications have been used by whom and to what extent. Data transfer, data storage and data processing must be protected so that only authorized parties are capable of identifying the user.

Such complex processes are not sufficiently covered by existing rules and regulations. The oneM2M initiative is therefore developing a universally acceptable, horizontal M2M Business Platform architecture comprising application and data transport security plus reliable registration processes enabling the handling of access rights, authentication, authorization, accounting and non-repudiation. Personal user IDs in combination with so-called trusted elements on the devices, data processors and service deliverers can help solve these problems. 7Layers is a member of the oneM2M initiative and is therefore in a prime position to follow the latest developments and advise our clients accordingly.

Currently we see many proprietary standards in M2M. In a world that is really 'smart', large and small service originators from all corners of the world can quickly attach their services to already established business platforms. Devices with integrated wireless technologies from various manufacturers connect to these platforms fully automatically or exchange data directly with one another. Interoperability between devices, technologies and services (eg, applications) is ensured whilst at the same time, the required level of reliability, data security, safety and non-repudiation can be reached.

Security guidelines based on standardisation should give users of M2M services a greater feeling of security without making them too expensive or complicated. This would imply different security levels depending on how crucial a service is. The challenge is to develop such standards quickly enough for an impatient, fast-developing market and make them acceptable for all regions and all vertical market segments.
