Security Features of LTE M and NB IoT Networks
www.gsma.com/IoTSecurity
Security Features of LTE-M and NB-IoT Networks | Mobile IoT Security Report
Contents
1 Executive Summary 1
2 Introduction 2
3 Mobile IoT Security Features 3
4 Conclusions 9
1. Executive Summary
2. Introduction
Delivering low power wide area (LPWA) connectivity using licensed spectrum, Mobile IoT technologies are driving a major expansion of the Internet of Things (IoT) around the world. These versatile technologies are designed to connect everything from sensors monitoring the environment and smart meters to asset trackers and digital locks. Standardised by 3GPP, the two main Mobile IoT technologies – LTE-M and NB-IoT – are supported by large numbers of mobile operators and equipment suppliers, enabling the ecosystem to benefit from economies of scale and low production and deployment costs. As of August 2019, 118 Mobile IoT networks had been deployed around the world, while more than 100 Mobile IoT modules supporting LTE-M, NB-IoT or both technologies are available from vendors.

Unlike some forms of connectivity, Mobile IoT networks are carefully managed and secured by mobile operators. As such, the growing usage of NB-IoT and LTE-M will help to counter security threats to the IoT, such as the hijacking of devices by botnets and the hacking of sensitive data belonging to individuals or organisations. By supporting an array of security features and safeguards, Mobile IoT networks are set to play a pivotal role in building trust in the Internet of Things, while giving enterprises the confidence they need to bring mission-critical assets online, so they can be remotely monitored and controlled.

Building on the rollout and usage of LTE-M and NB-IoT connectivity, this report considers the security capabilities of Mobile IoT networks. It describes the security features being deployed by mobile operators, highlighting how the ‘secure by design’ characteristics of these technologies differentiate them from alternative technologies reliant on unlicensed spectrum.

To help explain the key security features of Mobile IoT networks and how they can be employed in practice, the report includes commentary from leading mobile operators Deutsche Telekom and Vodafone that have implemented these features. The GSMA interviewed these operators to gauge the commercial availability of these features, how effective they are in enhancing security and how IoT service providers can benefit from using them.

To be distributed worldwide by the GSMA, this report will raise awareness of the security capabilities of Mobile IoT technologies among mobile operators, their partners and the broader IoT ecosystem. By highlighting the value of various security features, it aims to encourage their use by both mobile operators and service providers, helping to safeguard the integrity of the IoT.
3.1 Use of Licensed Spectrum, SIMs and Security Standards

… to the standards. The end result is a network that is typically far more secure than a network based on proprietary technologies developed by a single company and using unlicensed spectrum.
Mobile operators can also provide private networks in which the customer uses a dedicated communication channel
to ensure that none of their data traverses a public network, such as the Internet. The operator can do this by using a
physical private connection, such as dedicated MPLS (multiprotocol label switching) links, between the mobile operator’s
public infrastructure egress point and the enterprise network (see diagram).
Diagram: three ways of connecting the mobile operator’s radio and core network to the enterprise server: a physical private connection (MPLS), a virtual private connection (L2TP or IPsec), and an end-to-end secure channel (TLS or BEST).
These methods can be used in conjunction with secure private access point names (APNs) dedicated for a specific customer’s use to ensure isolation of the customer’s data communications. For example, the combination of customer-specific private APNs and an IPSec-based VPN produces an additional layer of security: the secure APN segregates the customer’s traffic, which is also encrypted over the Internet.

Secure Communication Channels: the Mobile Operator Perspective

For Vodafone, security is an integral part of its connectivity proposition and is designed into any IoT solution from the beginning. To that end, it offers all of its IoT customers the opportunity to use secure communications channels, providing a menu of options. “We aim to give the customer the optimal solution for their requirements that maximises their security controls,” says Tim Snape, Head of IoT Security at Vodafone Group Enterprise & Technology. “So maybe they want to use IPsec with failover or without failover – it’s the customer’s decision. We have a collection of building blocks they can choose from.” If necessary, Vodafone can offer a private APN that makes use of its own backhaul network, keeping the customer’s traffic away from the public Internet.

For customers employing Vodafone’s Mobile IoT connectivity, private APNs are the default option. “With low power wide area networks, a lot of the power saving features, such as high latency communications and eDRX (extended discontinuous reception), only really come into their own with private APNs,” explains Tim Snape. “You actually need that much safer environment of a private APN. Private APNs provide better usability and security.” For Vodafone, the end-goal is to provide customers with the optimum combination of simplicity, speed and trust. “It’s in everybody’s blood at Vodafone that trust is a really, really important thing,” notes Tim Snape. “It is part of Vodafone’s DNA.”
But Vodafone only gives customers so much flexibility, generally forbidding any requests that could leave an IoT solution dangerously exposed. “Sometimes we lose business because of it,” notes Tim Snape, Head of IoT Security at Vodafone Group Enterprise & Technology. “If a customer wants something that, in our view, presents a major security risk, such as direct peer-to-peer connectivity between devices, we will generally not allow that because one device can be used to attack another device. What we can do instead is to provide the same capability, but using the core network to secure the traffic.”

3.4 Data over NAS (DoNAS)

Information has traditionally been transported over a network via an ‘IP over User Plane’ mechanism. Although User Plane IP data transport works well when a large volume of data needs to be transmitted, it can be inefficient when transporting the small amounts of data required for Mobile IoT solutions.

Data over NAS (DoNAS) is a control plane cellular IoT optimisation that allows the network to transport user data within signalling messages. This feature transports user data or SMS messages via the MME (mobility management entity) by encapsulating them in NAS (non-access stratum) signalling. DoNAS can be used to transport both IP and non-IP traffic. One key security benefit of this feature is that the customer/user data is encrypted and its integrity protected using the same mechanism reserved for network signalling, thus ensuring similar levels of protection.

The diagram below shows the data path for DoNAS and contrasts it with the traditional data path for IP over user plane.
Diagram: DoNAS data path (IoT Device – Evolved NodeB (eNB) – Mobility Management Entity (MME) – Customer’s Network) contrasted with the IP over user plane path (IoT Device – eNB – Packet Gateway (P-GW) – Customer’s Network).
As well as strengthening security, DoNAS offers other benefits. Employing the control plane to transmit user data significantly reduces the signalling overhead needed to allow a sleeping device to transition from idle mode to connected mode and send the data. That improves the network efficiency. The device battery life is also improved because the amount of signalling required and the “air time” is reduced. This feature works well for short data transactions, for example with UDP (user datagram protocol) traffic, where only a few packets are sent per connection.

… workshops. “Being based on LTE technology standardised by 3GPP, NB-IoT leverages the same security features as LTE,” explains Mona Parsa. “Data transmitted over the air interface is encrypted using standard LTE encryption and we use IPSec tunnelling between our core network and customer’s network, making the device inaccessible from the Internet. Towards our customers we emphasise the security features which are a clear differentiator between our services and those operating in unlicensed spectrum i.e. NB-IoT uses longer encryption keys (128-256 bits) and a secure key management and storage which increases the security level.”
Diagram: IoT Device – Evolved NodeB (eNB) – Customer’s Network.
NIDD is used in conjunction with DoNAS to allow a device to send data to the network without an IP stack, without an IP address, and without an IP header or transport header.

NIDD can be supported by the network in two different ways:

1. Transport data using a point-to-point (PtP) SGi interface tunnel to the application server. This means that the device can only communicate with the pre-defined application server, making the communications link more secure by restricting the destination, as discussed in the Managed Connectivity section.

2. Transport data using the service capability exposure function (SCEF). The SCEF provides a means to securely expose service and network capabilities through network application programming interfaces (APIs). In this way, access to the IoT devices is restricted to application servers that have been authenticated and authorised to access the IoT devices.

NIDD: the Mobile Operator Perspective

Deutsche Telekom’s NB-IoT network supports NIDD, enabling customers to exercise tight control over the volume of communications with their IoT devices, explains Saher Salem, Senior Product Manager for NB-IoT at Deutsche Telekom. “We use NIDD for customers who want to shrink down the data transmitted over the air; it removes the IP addresses and protocol between the device and IoT core, which shrinks the header, lowers the payload and reduces the traffic and energy consumption”. Saher Salem further explains, “In this way the amount of attack scenarios is further reduced because there is no IP and TCP/UDP layer”.

Larger enterprises are showing interest in NIDD because of the significant benefits in lower power consumption and payload transmission. Application servers can still communicate with IP protocols, whilst on the air interface less data is transferred.
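To make the header-reduction argument above concrete, the following Python is an added example (not code from the GSMA report or either operator): it wraps a constructed 8-byte sensor reading in the IPv4 and UDP headers that the IP over user plane path would carry, and compares that with the bare payload handed to NAS under NIDD. Addresses, ports and sensor values are constructed sample values.

```python
import struct

# Constructed sample reading: 4-byte message counter, 2-byte temperature
# in 0.01 C, 2-byte battery millivolts. Values are illustrative only.
SENSOR_PAYLOAD = struct.pack("!IhH", 1042, 2350, 3610)  # 8 bytes


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words, as specified in RFC 791."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_over_ip(payload: bytes, src: str, dst: str, sport: int, dport: int) -> bytes:
    """Encapsulate payload in UDP + IPv4, as the user-plane path carries it.
    The UDP checksum is left at 0 (allowed for IPv4) to keep the example short."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    # version/IHL, DSCP, total length, id, flags/frag, TTL, proto 17 (UDP), csum 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0,
                     64, 17, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + udp


def nidd_message(payload: bytes) -> bytes:
    """Under NIDD the device hands the bare application bytes to the NAS
    layer; no IP or transport header exists for an attacker to target."""
    return payload


def overhead_comparison(payload: bytes) -> dict:
    """Return byte counts for both paths plus a sanity check on the IP header."""
    ip_frame = udp_over_ip(payload, "10.0.0.7", "198.51.100.20", 40000, 5683)
    nidd = nidd_message(payload)
    return {
        "ip_bytes": len(ip_frame),
        "nidd_bytes": len(nidd),
        "header_overhead": len(ip_frame) - len(nidd),
        # A correct IPv4 header verifies to zero when re-summed with its checksum.
        "ip_checksum_ok": ipv4_checksum(ip_frame[:20]) == 0,
    }
```

For an 8-byte reading the user-plane frame carries 28 bytes of headers on top of the payload, which is the overhead NIDD removes from the air interface.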
4. Conclusions
Beyond the inherent security built into mobile networks using the 3GPP standards, mobile operators are providing Mobile IoT customers with an array of additional security features. As a result, Mobile IoT networks can provide both consumers and companies with connectivity that is far better protected than networks that make use of unlicensed spectrum.

As regulated entities with spectrum licences, mobile operators also have to comply with a range of requirements established by the regulatory authorities in the markets in which they operate. In most countries, mobile operators now have long track records of keeping their networks secure, building trust among regulators, governments and policymakers. “You have got the national regulatory oversight,” notes Tim Snape, Head of IoT Security at Vodafone Group Enterprise & Technology. “You’ve got regulatory authority oversight in terms of the behaviour of operators in each and every country. That gives them reassurance, as compared with connectivity providers using unlicensed spectrum, which have almost zero oversight and with which local regulatory authorities have almost zero control.”

Of course, it is almost impossible to eliminate every risk. The distributed nature of the Internet of Things means many connected devices, such as environmental monitors or smart lighting, will be vulnerable to vandalism or theft. But mobile operators are taking measures to ensure that Mobile IoT devices are very difficult to repurpose or tamper with. “We have hard-to-spot SIMs that are difficult to remove from the board,” explains Tim Snape. “We also have tamper-resistant SIMs and SIM locking. If you take one SIM out of a device and put it in another, the hardware can’t be hijacked. The SIM is actually inside the NB-IoT device, so if it gets stolen, it is quite hard to do anything with it.”
For more information please visit:
www.gsma.com/IoT