Cellular IoT device security: What challenges does its unique ecosystem pose? (Analyst Angle)
Nowadays, security and privacy are on everybody’s mind. Hardly a day goes by without news of security breaches at major institutions. Most of the time, the reporting is focused on the cloud or network infrastructure, hardly ever on devices. However, when it comes to cellular IoT, devices are the most vulnerable, as I explained in my previous article. IoT devices, being very simple, are usually much easier to hack into, and doing so can compromise the whole system.
The IoT device ecosystem is unique and differs from that of smartphones in many respects. Because of that, the security challenges are also different, and many of them are related to a unit called the IoT module, which is at the heart of any IoT device. To really understand the scope and impact of these challenges, it is important to look closely at the market landscape of the entire cellular IoT ecosystem. It is even more relevant now, considering that today’s 4G LTE cellular IoT will evolve into 5G Massive IoT.
Unique device ecosystem, much different from smartphones
The cellular IoT device ecosystem has far different considerations, especially from the security and privacy perspectives. The ecosystem includes modem chipset providers, many of whom are the same as those of smartphones, as well as a few smaller players. Cellular IoT also has a different category of vendors, called module providers. They take the barebones chipsets and add their own software and hardware to develop modules with standard interfaces and such. Device vendors develop IoT devices largely based on these modules. Modules simplify the connectivity and operator certification-related complexity so that the device vendors can concentrate on developing use case-specific devices. Essentially, modules are a key link in the value chain between chipset providers and IoT device vendors.
Chipset and device market landscape
In the device ecosystem, the chipset market is dominated by the same large and well-known smartphone modem vendors, such as Qualcomm, Intel, MediaTek, Huawei (HiSilicon), Sequans, Altair, and others. They provide a full range of solutions with varying degrees of advanced features, including single and multimode options for eMTC, NB-IoT, with support for 3G, 2G, GPS, onboard processing and so on. Apart from the advanced features, the overall cost is a major consideration for the industry.
The cellular IoT device ecosystem is very large and diverse. The vendors are usually small and possess expertise in specific use cases. They don’t necessarily have the skillset and scale to justify designing devices directly on IoT chipsets. That’s where module vendors come in. Traditionally, IoT vendors were mostly from the US and Europe. However, there has recently been a surge in vendors from China, who are completely unknown outside the country. Many of them have taken cues from and have duplicated device and module designs from traditional vendors. The proliferation of Chinese vendors is primarily due to the Chinese government’s concerted effort and heavy investment in IoT in the country. The Chinese government’s well-funded large IoT projects, coupled with considerable subsidies provided by operators such as China Mobile and China Telecom, have created an ideal environment for these companies to flourish. The recently awarded 5G contracts are a great example of how the Chinese government and operators support Chinese vendors. These companies, emboldened by their success in China, are now trying to pursue global opportunities. Since they are leveraging the investments and subsidies they received in China, they can be extremely price-competitive in global markets.
IoT module market landscape
IoT modules are the “bridge of trust” between the well-known chipset vendors and the unknown device vendors. Module vendors also work with the regulators and cellular operators for certification, which addresses a significant hurdle for device vendors. The certification ensures smooth and rapid deployment of these devices in the field. Evidently, the selection of module vendors is key to ensuring device and system security.
The module vendor market comprises a mix of existing and emerging players. Some players, such as Gemalto (Siemens M2M at the time), Sierra Wireless (+acquisition of Sony Ericsson M2M and Wavecom), and Telit (+acquisition of Motorola M2M), have been around since the 2G days. Others, such as U-Blox, entered the market during 3G and the early part of 4G, leveraging their mobile expertise. Finally, there are the emerging module vendors from China, who, just like IoT device vendors in the country, have grown at a fast pace, with substantial government support and operator subsidies. There is a long list of such players. A few among them, such as Quectel, SIMCom, Longsung, Fibocom, and Neoway, are eyeing global markets. Many others may be watching how the initial players fare in their endeavor before stepping out themselves.
Anybody who has looked closely at the IoT market realizes that the biggest challenge is its relatively low margins across the board, be it chipsets, modules or devices. Considering that the module vendors are relatively small compared to the chipset, infrastructure, cloud, or application vendors, they don’t have a lot of leverage, resulting in an extreme margin squeeze. In such a situation, increasing market share becomes crucial, putting even more pressure on pricing. This is exactly where the government-funded projects and operator subsidies that the Chinese vendors enjoy at home start to matter and alter the landscape. Because of government support at home, their pricing can be artificially low, reaching predatory levels.
Speaking to some of the sources in the industry reveals that there is indeed a race to the bottom when it comes to module pricing. If it persists, there is a real danger of non-Chinese players becoming financially unviable. This is of grave concern, especially when we are getting ready to move to 5G. Supporting 5G will need huge upfront investments, and the payoff period could be very long. If these companies can’t earn enough profit, they can’t afford to invest in 5G and, in the worst case, may exit the market.
What do these challenges mean for the cellular IoT Industry?
If you feel like you have seen this movie before, you are not wrong! If you examine the turn of events in the cellular infrastructure market during the late 90s and early 2000s, the situation is almost identical. During that time, major American and European cellular infrastructure vendors failed to anticipate such a threat and were unable to compete with emerging Chinese rivals that were allegedly supported by their government. Many American and European vendors, such as Motorola, Lucent, Siemens, Ericsson, and Nokia, with decades of experience and successful existence, had to perish, merge, or downsize. Chinese upstart vendors such as Huawei and ZTE found a ripe market and quickly took away market share, grew exponentially, and became dominant players.
Why is the comparison with the past relevant, and why is it a security concern? Well, IoT devices are the weakest link in the security of the overall system. The industry needs to be as concerned about the security of IoT vendors as it is about that of infrastructure vendors, if not more.
What happens if we don’t heed the lessons of the past? What are the implications for the security and privacy of IoT networks? I will explore those questions in my next article. So, be on the lookout!