Cyber Security Threats and Device Management
Cyber-attacks and security threats are a part of the daily routine for every service provider. With the emerging number of cyber attacks on various services and the rapid expansion of the Internet of Things (IoT) adaptations, remote work, various connected home devices, streaming, gaming, and cloud services, the customer premise equipment (CPE)/device becomes the main target for cybercriminals.
Device management platforms are transforming from the traditional role of provisioning and basic device management into a multi-service gateway management platform (MSG-M), offering the ability to manage various services on a single residential gateway. The services include parental controls, wi-fi management, home security, streaming services, IoT-related devices, and others.
Service providers spend a lot of effort protecting the core infrastructure and networking elements. However, the residential gateway becomes the main target in a variety of cyberattacks, including malware and malicious file transfers to connected devices, which can cause:
- Denial of access for connected devices
- Retrieval of information from connected devices
- Disruption of device behavior
- Man-in-the-Middle (MitM) attacks
An attacker can intercept the communication between the residential gateway/device and collect, insert, and manipulate data sent from the residential gateway. This type of attack usually exploits security vulnerabilities with device configuration or network settings. It is very hard to identify and detect, particularly as the end-user is unaware that the information is being intercepted until it is too late and the data has already been leaked.
Denial Of Service Attack
A denial of service attack is carried by flooding the device with traffic overload. This will cause service degradation by consuming device resources and bandwidth, which will then affect device provisioning and management. The device will be unable to process any legitimate request, as it will be occupied with the malicious traffic. This attack could also be distributed denial of service (DDoS), which is harder to mitigate.
Internet of Things Attacks
IoT brings forward new challenges for service providers to mitigate. These include:
- Securing the service layer and the variety of connected devices behind the residential gateway.
- Avoiding data leakage, including securing customers’ private information and maintaining privacy.
- Monitoring and mitigating potential exploits.
With the rapid expansion of IoT devices, IoT attacks are becoming more popular. This is mainly due to:
- Only low priority is given to IoT devices and their operating environment.
- Lack of efficient solutions for event detection and response (EDR) related to IoT devices.
- Use of constrained IoT units and MCUs, which prevent additional client execution.
- The variety of standard, non-standard, and proprietary protocols that are used with IoT devices. These become a challenge with application-layer security, as done with traditional security solutions.
Security is the main aspect when managing and maintaining a variety of devices from access gateways, smart home sensors, and IoT devices. Security threats are constantly growing, with the rapid expansion of devices per subscriber. A typical consumer has access to as many as 15 connected devices in their household with additional OTT services.
The challenge to maintain a secured ecosystem, while maintaining a high level of operational efficiency, is the main goal that drives our security solutions.
Friendly Technologies’ Device Management Platform (DMP) is a unified, open standards, device management platform, which supports cross-platform deployments. The platform’s unique advantage offers scalability and adaptability, being able to manage and control a variety of devices using a unified platform.
The Unified DMP (UDMP) is agnostic in its ability to access networks and infrastructure, which allows for any type of IoT device to be managed over various access networks, including:
- Cellular LPWANs: NB-IoT (CAT-NB1), CAT-M1
- RF LPWANs: LoRaWAN, Weightless, and Sigfox – discussed in variety supported IoT Networks paragraph.
- Cellular networks: 3G, 4G, 5G
- Fixed-line networks: LAN, WAN
- Fixed-line broadband: xDSL, FTTx
- Wireless networks: Wi-Fi, Bluetooth
- and many others …
Friendly Technologies implements a multi-layered security approach combining access control to validate data confidentiality, integrity, and availability, a secured architecture design, secured device management protocols, platform hardening, and secured northbound interfaces.
Authentication and authorization are two distinct security processes that are a part of Identity Access Management (IAM) solutions. Authentication confirms that the users are who they say they are and authorization gives the permission to access system configuration and maintenance resources.
Authentication and authorization mechanisms are supported by Friendly DMP, including MFA, LDAP integration, SSO (using SAML 2.0 or Oauth2.0), and REST using JWT.
Authorization is maintained by delegating various levels of user and group permissions being managed by the platform.
Friendly DMP is designed to allow a high degree of security in the interaction between the end device and the management platform. Each of the available DMP protocols is designed to have a security suite to maintain a secured and reliable connection for TR-069/USP
The CPE WAN Management Protocol (CWMP) is designed to prevent tampering with the transactions that take place between a device and the serving ACS, provide confidentiality for these transactions, and allow various levels of authentication.
The protocol supports the use of TLS for communications transport between a device and the ACS. This provides transaction confidentiality, data integrity, and certificate-based authentication between a CPE and the ACS.
USP contains its own security mechanisms for Authentication & Authorization and Encryption. Encryption can be provided at the MTP layer, USP layer, or both.
MTP encryption may be sufficient to provide secured message exchange when the termination point of the MTP and USP message is the same, but when using a different termination point (as with a proxy or other intermediate device) than a higher layer of USP Secure Message Exchange is required.
USP contains rigorous access control and authentication mechanisms to ensure that data is only used by those that have been enabled by the user to assure privacy control. USP supports TLS and DTLS which both have handshake mechanisms that allow for the exchange of certificate information.
Platform security, API, and data encryption are all a part of Friendly U-DMP offering a robust and secured solution for a service provider to increase residential gateways security policy while still maintain a high level of operational efficiency.