Telematics, M2M and end-to-end security


As an increasing number of machines and devices communicate with one another, end-to-end security becomes an increasingly essential component of these systems. Security is “something that usually comes late in the design,” says Rémi Demerlé, director of global partnerships for Telenor Connexion. “From the beginning, it is not always considered a priority, except for companies having critical business.” Systems designed for banking and payment transactions, as well as home security systems, usually have proprietary security and privacy features built in by the manufacturer, he explains.

But as security becomes more of a priority, it also becomes more complex. Telenor Connexion provides machine-to-machine (M2M) connectivity to a variety of businesses and services, and Demerlé notes that at least some of their customers are “very confused about the problem of M2M security.”

And if business players in M2M communications are confused, imagine how consumers feel. “There is a strong role for a trusted third party” in M2M security, reports Jim Morrish, director of London-based Machina Research. “This is such a complex space that the average consumer can’t hope to understand the issues. Sixty privacy settings for Facebook is just the start of a much more complex future world.” (For more on M2M, see Industry insight: Telematics and machine-to-machine communications.)

Securing information

“The security of the connections is not so much the issue as the security of the information carried,” says Morrish. In some cases, security can be provided via the way data is transmitted. The data sent over a wireless network does not become information until it is interpreted by a particular application and linked with the appropriate customer or client ID, Morrish notes.

He cites Qualcomm’s 2Net platform, supported by Orange in Europe: “Orange just sees a demand for data, and 2Net just sees a health reading of some form with a unique identifier, which is meaningless to anyone other than the clinician for whom the data is intended.”

Demerlé reports a number of hardware-based approaches to M2M security, which include making sure a SIM card works only with a particular modem (if it’s removed and placed in another device, it won’t work) and restricting a SIM card’s phone book to a single number (no others can be dialed).

Additional security can be added by choosing a soldered-in SIM card rather than a plastic one, which makes it more difficult to remove. Another option would be choosing a modem with an embedded SIM card. “It simplifies the logistics and security of the connection and is tested and fully embedded by the manufacturer,” says Demerlé.

This approach brings cost savings and less risk and has proven successful for Telenor Connexion customers, such as Renault, which has opted for embedded connectivity in its vehicles.

Internet protocols

Beyond these hardware solutions, Demerlé suggests GSM traffic monitoring as another helpful means of ensuring security. Anomalies such as a surge in data consumption or a different use of a SIM card (such as roaming in another country) would trigger an alert to be passed along to the customer or start an automated reaction.

Many companies currently offer hardware security features, Demerlé says, but triggered alerts are more challenging because of the chain of events and consecutive actions that must be defined.
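As an added illustration (not from the article or from Telenor Connexion), the sketch below shows the kind of per-SIM monitoring rule described above: a data-consumption surge measured against the SIM's own baseline, and use in a country outside its expected footprint, each mapped to an ordered chain of actions. The SIM identifiers, thresholds, action names and usage records are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Hypothetical policy: countries each SIM is expected to operate in.
POLICY = {"sim-A": {"SE"}, "sim-B": {"SE", "NO"}}
SURGE_FACTOR = 5   # alert when a day exceeds 5x the median of earlier normal days
MIN_HISTORY = 3    # days of baseline required before surge detection applies

# Hypothetical chain of actions per alert type, in the order they would run.
ACTIONS = {
    "data_surge": ["notify_customer", "throttle_sim"],
    "unexpected_roaming": ["notify_customer", "suspend_sim"],
}

# Constructed usage records: (sim_id, day, serving_country, kilobytes)
RECORDS = [
    ("sim-A", 1, "SE", 120), ("sim-A", 2, "SE", 110), ("sim-A", 3, "SE", 130),
    ("sim-A", 4, "SE", 125), ("sim-A", 5, "SE", 4000),
    ("sim-B", 1, "SE", 300), ("sim-B", 2, "NO", 310), ("sim-B", 3, "SE", 290),
    ("sim-B", 4, "FR", 305),
]

def detect(records, policy=POLICY):
    """Return (sim_id, day, alert_type, actions) tuples, ordered by SIM and day."""
    history = defaultdict(list)   # sim_id -> kilobytes on earlier normal days
    alerts = []
    for sim, day, country, kb in sorted(records, key=lambda r: (r[0], r[1])):
        # A SIM with no policy entry has no allowed country, so it always alerts.
        if country not in policy.get(sim, set()):
            alerts.append((sim, day, "unexpected_roaming",
                           ACTIONS["unexpected_roaming"]))
        past = history[sim]
        if len(past) >= MIN_HISTORY and kb > SURGE_FACTOR * median(past):
            alerts.append((sim, day, "data_surge", ACTIONS["data_surge"]))
        else:
            past.append(kb)   # surge days are kept out of the baseline
    return alerts

if __name__ == "__main__":
    for sim, day, alert, actions in detect(RECORDS):
        print(f"{sim} day {day}: {alert} -> {', '.join(actions)}")
```

Keeping surge days out of the baseline means a sustained spike continues to alert instead of becoming the new normal.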

Although many look to Internet protocols for M2M security inspiration, what works on the Internet is not necessarily good for M2M, says Demerlé: “You can’t have good communication if every time you send a message you need to re-authenticate and encipher with a heavy mechanism like RSM keys.”

M2M security is usually created in layers, Demerlé says: a hardware layer, a SIM card layer, and then a software layer with the terminal application. Each layer supports some aspect of security, which means there are a number of potential weaknesses, including hijacked SMS or corrupt GPRS transmissions.

But a more secure approach looks at communication (and security) seamlessly from end to end, leaving less vulnerability. To this end, Telenor Connexion now offers customers an embedded connectivity application framework (eCAF) and a security enabled communication system (eSEC), reports Demerlé. These cloud-based services are designed to provide secure, streamlined platforms for the transfer and retrieval of data on which a variety of M2M services, using all sorts of hardware, can then be built. (For more on the M2M market, see Machine-to-machine telematics: Ready to grow, part I and Machine-to-machine telematics: Ready to grow, part II.)

Privacy considerations

Along with the straightforward concept of keeping transmitted data secure, there’s also the much “softer concept” of privacy, says Machina Research’s Morrish. This is much more subjective and can vary widely by context in terms of who might be accessing “private” information and for what purpose, and it has yet to present a significant challenge to the world of M2M communication.

Although “more sophisticated consumers are concerned about privacy already,” Morrish believes regulators will likely act first on this issue: “Most consumers seem to be amazingly willing to put all kinds of information about themselves in the public domain.”

Demerlé agrees that privacy is not currently an obstructing issue from the customer perspective on M2M deployment. He cites the success of UBI programs like Progressive’s as an example of public comfort. When end users are interviewed, they indicate that they’ve accepted the terms and understand that GPS tracking is not involved. Progressive has been clear about what they do with the data, and customers appreciate that. (For more on UBI, see Industry insight: Insurance telematics.)

In the European Union, Demerlé adds, privacy articles require M2M businesses to provide customers with the personal data collected from telematics devices anytime they ask. If the customer requests that his or her personal data history be erased, companies must comply.

To ensure that consumers feel comfortable, he says, M2M service providers “must give [them] some flexibility and possibility to choose.” Even the mandatory eCall in-vehicle system requires the capability for the end user to deactivate it, he notes.

However, having the ability to make choices and clearly understanding what those choices and their implications are may be two different things. Morrish envisions a future in which consumers are aided in navigating the security of their M2M communications by a “trusted third party operating in much the same way that anti-virus software works today.”

This service would distill any number of complicated questions about what consumers feel comfortable allowing their computers to do into a few basic options, perhaps even just high, medium, or low security.

Jessica Royer Ocken is a regular contributor to TU.
