Email a colleague    

July 2011

Is the M2M Device in Your Refrigerator a Telecom Fraud Threat?

Is the M2M Device in Your Refrigerator a Telecom Fraud Threat?

Machine-to-machine (M2M) technology is riding the wave of Smart Grid popularity.

M2M’s primary use is in the wireless transmission of telemetry data, capturing remote data, updating software, transmitting pictures, and has thousands of other uses.

The market is in its very early stages, yet plenty of pilots are underway in Smart Metering.  For instance, Vodafone in the U.K. is conducting an extensive trial on collecting data from utility meters on consumption, then analyzing rates to help consumers and power industry players optimize electricity use or save money.

Another promising use is in medical care.  A person wearing a pacemaker could have an M2M device transmit heart monitoring data back to her doctor.  Auto insurers are fascinated with the idea of monitoring car-driving habits remotely and adjusting a client’s auto insurance premiums accordingly.

But excitement aside, there are substantial security and control issues around M2M, and that greatly concerns Simon Collins, vice president at Praesidium, the risk and controls consulting arm of WeDo Technologies.  In fact, Simon has authored an insightful industry paper on this issue entitled, “Embedded Mobile (M2M) — Telecoms Fraud & Security Management.“ Here are edited excerpts from my interview with Simon.

Dan Baker: Simon, before we get into the control aspects of M2M, I’m curious, what’s driving the M2M market?  And if you plug a home device into a fixed network, does that qualify as M2M?

Simon Collins: Dan, I think a wireline connection would certainly qualify as M2M.  However, the real push behind M2M is coming from within the GSMA.  As mobile phone penetration is exceeding 100 percent in many markets, the GSMA members are looking for new growth opportunities, and M2M is one of them.  The other driver is that several industries are hoping that M2M will drive greater services revenue and enable a firm to differentiate its products in terms of better customer service.

From a telecom’s viewpoint, I’m not sure an M2M service can command much of a premium.  It’s not a personal device like a handset.  In some ways, it’s like the portable GPS we have in our cars.  You pay an upfront fee to buy the GPS receiver and the satellite connection is bundled in as a free service after that.

True, a one-time fee will certainly be one way to pay for M2M.  Where the amount of M2M data traffic matters, it will also be billed by data consumption.  I would agree that it’s hard to see many uses for premium pricing, such as a high QoS service.  Though medical-device monitoring and remote photos transmitted for physical security are a couple of examples where reliable connectivity should demand higher fees.

So where do we stand in terms of M2M controls?  What revenue assurance and fraud issues do telecoms need to be concerned about today?

Dan, the revenue assurance issues are the first ones that can and should be addressed.  Do you actually know which machines are included in a particular tariff or group plan?  That’s also a provisioning-assurance matter — you need to determine which devices belong to which billing group.

The other and far more troublesome problem is technical security.  While GSM and 3G services are fundamentally secure in their own right, the SIM/USIM device which M2M relies on is not secure in most cases.  There’s a famous, almost humorous, case in South Africa where people stole the SIM cards from traffic lights and plugged them in elsewhere to use the bandwidth for other purposes.

So the question is: How do you verify that the device is where it’s supposed to be?

SIM cloning has been relatively common in GSM.  And WeDo and others have fraud systems in place to detect that.  However, detecting GSM fraud is usually a matter of analyzing the behaviors of people — the phone numbers people called and the time of day.  When people talk to other people, you can collect biometric data, plus lots of other data can be used for analysis.  Do they send text messages?  Do they call home or work on a regular basis?  If they don‘t, it might be suspicious.

But much of that intelligence is not available in a machine-to-machine environment where the device is sending a standard message every 30 minutes or hour.

So, what’s needed to detect M2M fraud?

We need some form of certificate from the actual device that is unique.  Ideally this would be something hardcoded so that it cannot be copied or produced anywhere else.  This is not the case in GSM today because many of the algorithms in the phone can be broken though the fundamental security aspects of SIM/USIM are still good.

This sort of solution will emerge over time.  When that day arrives, we no longer will need to wonder whether we’re talking to the SIM card in the expected traffic light location in downtown London or the same SIM card fraudulently deployed in Malaysia where it’s pumping out free voice minutes.

By the way, femtocells, the devices you put in your home to increase your coverage back to a broadband link, are already shown to be vulnerable.  The Vodafone network in the U.K. has been cracked, for instance.

The other troublesome point is that as M2M evolves, you’ll have all sorts of low cost devices deployed — on washing machines or refrigerators smart meters.  It’s useful because it will alert the customer or the manufacturer that the appliance needs a part replacement, but nobody is quite sure of the risks around having millions of unsecure devices hanging off the network.

In other words, how the SIM/USIM device is deployed today is of secondary importance to where it could be deployed later.  The SIM card on your washing machine could be the channel for perpetrating fraud.

Absolutely.  This is the worrying point: You don’t know the original identity of the device it was attached to.  The data goes through network elements, but we haven‘t really designed the network to be looking for M2M devices.  We need to verify where the device lives, what sort of data it’s transmitting, and how it is being used.

It’s taken the industry some time to provide good security for the IMEI number, the mobile identity number in a wireless phone.  Today, the IMEI will usually be secure for the first six months to a year after it is manufactured.  But sooner or later, a hacker can break that device.  Smartphones can be cracked relatively easily.  So it begins to look like the malware game in personal computers.  The fraudsters penetrate the defenses and you wait for Apple to write a patch that protects you on their next release.

Simon, in conclusion, how to do you see the telecom industry dealing with M2M related fraud and RA problems in the next few years?

Dan, in the near term, carriers will turn to companies like WeDo to help manage M2M revenue-assurance problems.  Are we billing correctly for the consumption and the provision of that service?  Those solutions can also detect the fraud issues around the administration of a telecom’s M2M program.

Yet regardless of how big and popular M2M ultimately becomes, the technical security issue looms large and is unsolved.  Considerable work and investment is required to solve that issue, yet our industry first needs to acknowledge that it’s a major vulnerability.  Once we recognize that fact, we can begin to make M2M as secure from fraud threats as possible.

This article first appeared in Billing and OSS World.

Copyright 2011 Black Swan Telecom Journal

Simon Collins

Simon Collins

Simon Collins is WeDo Technologies‘ vice president for Business Consulting division, Praesidium.  Simon is responsible for all of Praesidium’s technical risk consultancy services supplied to more than 100 operator clients worldwide.

Black Swan Solution Guides & Papers

Related Articles