An Introduction to Cellular IoT Security

Those considering deploying LPWAN networks must do so with eyes open to the serious security threats these devices pose.

Matthew Gifford

LPWAN devices present a unique security challenge. As connected devices, they face the normal array of internet threats. They have the potential to expose sensitive data, send maliciously altered data, or suffer costly shutdowns due to vulnerable code or weak security.

As long-range devices, they are typically deployed in remote or hard-to-reach locations, making them difficult to access and update. As low-power devices, they are severely resource constrained, putting tools like sophisticated cryptography beyond their reach.

This combination of modern threats and modest defenses warrants careful consideration. Even brief security failures can be costly. And, as these devices begin to comprise or provide data to systems like fire alarms or street lighting, breaches pose the risk of physical harm.

This article provides a brief overview of LPWAN technologies, the threat landscape and the state-of-the-art in threat mitigation. My goal is to enable decision makers to ask better questions about device security as the world ramps up to a predicted 31 billion connected devices by 2020. A note of caution: this is new technology, and standards and best practices for security are in nascent stages.

LPWANs: The Basics

The low-power wide-area network (LPWAN) label refers to a category of wireless communications networks providing long-range connectivity with low power demands. LPWAN technologies achieve this at the cost of bit rate and bandwidth. The fastest current LPWAN technologies have peak data rates below 250 kbps, about 150 times slower than the 4G connection your smartphone enjoys.

Because of these promises and limitations, the market for LPWAN technologies consists of applications requiring small, remote, and relatively simple devices. And such applications are numerous. LPWANs have been recruited to support applications including bicycle tracking, municipal trash can monitoring, irrigation system monitoring, and determining parking space availability.

LPWAN: The Technologies

Several technologies compete for this market. The most prominent are LoRa and Sigfox, which operate in the unlicensed (that is, freely available) spectrum, and the relatively new Narrowband IoT (NB-IoT), EC-GSM-IoT, and LTE-M (or LTE-MTC) technologies which operate over cellular networks.

Standardized in 2015, LoRa networks consist of end-node devices and a gateway, which connects to a source that provides the ultimate connection to the internet. Since they operate in the license-free wireless spectrum, the cost after deployment can be kept relatively low--there’s no requirement for each end-node device to be registered with an internet provider and pay per byte of data sent. This makes LoRa an attractive option for applications that require many devices spread over a wide but contained area (a farm, for example).

Sigfox predates LoRa by almost six years, but operates on the same basic principle: devices connect to a gateway that then connects to the internet. It offers a lower bit rate than LoRa (100 bps compared to 300 bps to 50 kbps) but greater range (40 km compared to 20 km).

The major difference between LoRa and Sigfox, however, lies in their business models. Sigfox owns all of the software technology and licenses it to network operators who control the base stations. LoRa, by contrast, allows anyone to build and deploy hardware that conforms to their standard (though the only manufacturer for LoRa compliant radios is Semtech). In practice, this means that you can only deploy a Sigfox project where there is a Sigfox network, but you can build your own LoRa network just about anywhere at a relatively low cost.

Cellular is the newest player in the LPWAN arena, fielding three not-exactly-competing and not-exactly-complementary technologies, the aforementioned NB-IoT, EC-GSM-IoT, and LTE-M. All are standardized by 3GPP. NB-IoT and LTE-M are both being rolled out by each of the major cellular companies (including very recently AT&T).

EC-GSM-IoT stands out only in that no one seems to care about it. The GSMA--a primarily European trade group representing cell operators--sets out a list of nearly identical use cases for both NB-IoT and LTE-M (with, notably, precious little to say about EC-GSM-IoT). And even the 3GPP struggles to meaningfully differentiate them, claiming that each technology boasts secure communications, wide coverage, energy efficiency and low device complexity--mentioning LTE-M's relative speed as the single distinguishing feature:

EC-GSM-IoT… is competitive in the MTC market through its low device cost and global presence … [and] adds improved coverage ..., LTE-grade security, power efficient operation and even further reduced device complexity…

LTE-M was originally designed to reduce the device complexity…  it does support secure communication, ubiquitous coverage, and high system capacity… [and offers] services of lower latency and higher throughput than EC-GSM-IoT and NB-IoT…

NB-IoT… gives an unmatched spectrum flexibility and system capacity which in combination with qualities such as energy efficient operation, ultra-low device complexity and ubiquitous coverage…

From a consumer perspective, speed certainly is the most notable difference. LTE-M supports up to 1 Mbps--enough to carry voice--compared to NB-IoT’s 250 kbps capacity. LTE-M is also a lower latency connection, under 20ms versus NB-IoT’s 1.6 to 10s, making it the only one of these technologies capable of supporting real-time data.

Perhaps more important, however, is how the networks are deployed. Unlike LTE-M, NB-IoT does not operate on the existing LTE network, requiring base stations to support connectivity--similar to LoRa and Sigfox. This could make NB-IoT more attractive in areas without existing LTE coverage, if NB-IoT base stations prove to be less expensive than LTE infrastructure.

NB-IoT devices are reputed to cost less than LTE-M devices ($5 - $10 compared to $10 - $15), but these are early days, and as some authors have noted, the chipsets used by each are virtually the same, so device-level differences may or may not amount to anything as manufacturers ramp up production.

Surprisingly, LTE-M devices can outperform NB-IoT in power consumption in certain situations, according to some reports. This is because they have a higher data throughput, and so need to be active for less time when receiving data. This advantage would disappear in cases requiring less data, but again, the technology is in early stages, and as hardware evolves relative power use is likely to change.

Versus NB-IoT, LTE-M seems to be a dominant choice. LoRa still offers an attractive option in areas where cellular technology is unavailable if you are looking to have more control over the network itself, and don’t need mobile connectivity (if, for example, you are building a network of smart streetlights on a college campus).

If LTE-M is not available, NB-IoT could offer an attractive alternative to LoRa. It has faster response times and can guarantee better coverage. It also directly links your devices to the internet, which may or may not be an advantage depending on your use case. But LoRa is cheaper to deploy, and doesn’t come with the burden of network subscription costs.

Sigfox still has limited availability. Coupled with its lower performance, and the entrance of major telecoms into the LPWAN market, the technology will struggle to stay relevant in the coming years.

Security Threats

While all internet connected devices--from servers to phones--are susceptible to malicious interference, LPWAN devices’ resource constraints leave them particularly exposed. Of special concern to these devices are attacks based on vulnerable code or weak authentication.

The largest and most well-known attack to date exploited vulnerable code. On October 12, 2016, the Mirai botnet took down Dyn’s internet infrastructure services, crippling portions of the internet. The hackers behind the attack took control of over 600,000 devices by finding open telnet ports and trying common username and password combinations.

For typical connected devices, the response is to update software and patch out the problem. For LPWAN devices this is at best extremely difficult. There are bandwidth constraints, for one. LPWAN networks cannot send enough data to provide firmware updates (though LTE-M may be an exception). The devices themselves are remote and may be widespread, making manual updates expensive. And since many devices are expected to stay in the field for 10 or more years, it is likely that many will be lost or forgotten. Manufacturers have little incentive to continue writing software patches for devices many generations old.

It remains to be seen how the industry can counter this threat. The “Software Updates for Internet of Things” working group, recently chartered to tackle exactly this problem, may come up with standards for deployment. But thousands of devices are already in the field. A possible solution--though one unlikely to meet an enthusiastic reception--would be to adopt a cradle-to-grave policy like those regulating hazardous waste. Under such a policy, companies would be legally responsible for the devices they manufacture or deploy, until they are (properly) disposed of.

Authentication presents a special challenge for LPWAN device networks. Weak authentication leaves open the possibility that hackers could read or spoof data from devices. Well-established cryptographic algorithms like public-key cryptography are computationally expensive. Even if a low-powered device had the CPU and memory resources to encode/decode cryptographically signed messages, doing so may introduce delays that undermine the device’s purpose in low latency applications.

In their comprehensive look at the state-of-the-art in IoT security, the Network Working Group (NTWG) discusses how the large packets required by security protocols become fragmented and require frequent reassembly in LPWAN networks, leading to resource exhaustion--devices that simply don’t have enough spare CPU/memory/power to perform their given tasks. And, they say, layered protocols that may split up the packet size might increase the number of messages exchanged, clogging limited network bandwidth.

NTWG suggests that more efficient cryptographic algorithms (like ChaCha) can go some way towards addressing these worries, but cautions that these are only first steps, and it remains to be seen whether there are other ways to provide secure end-to-end communications in LPWAN environments.

LPWAN technologies open up exciting possibilities for building a more connected world. Manufacturers, service providers, and those considering deploying LPWAN networks must do so, however, with eyes open to the serious security threats these devices pose. At a minimum, stakeholders should have a plan for the entire lifecycle of deployed devices, and how they will deal with compromised devices.

Matthew Gifford

Staff Software Engineer

Matt integrates IoT data with intuitive UIs as a product engineer at Leverege. He is curious about all things mind and machines, and wrote a PhD on the computational structure of thought.
