skip to Main Content

Securing Cellular IoT: Standards and SIM Are Not Enough

Vincent van der Leest, Director Product Marketing |

Billions of devices are being connected to the Internet of Things (IoT) through a range of connectivity standards. Some, such as Bluetooth and Wi-Fi, are for short ranges, while others, such as Low Power Wide Area Network (LPWAN), apply to long distances. Other standards, such as cellular (e.g. NB-IoT/LTE-M/4G/5G), address the licensed spectra, while still others, such as LoRa and Sigfox, serve unlicensed bands. All have their distinct pros and cons which make them suitable for specific use cases, so it is not necessarily an arms race among them to become the de facto approach for IoT connectivity. More likely is that multiple specifications will prevail, each covering specific segments or use cases of the enormous IoT market.

There is, however, one thing they all have in common: merely upholding these standards does not ensure the desired security for IoT device manufacturers and their customers. Their focus is on connectivity – connecting devices to the internet and to each other – not on helping OEMs address the many security hazards that accompany connecting billions of devices to a network. When using several of these standards, data is transmitted only in encrypted form, which is a good place to start when protecting the IoT. But to guarantee end-to-end security and privacy for its customers, an OEM must look beyond how data is physically transmitted to how cryptographic keys are generated, used and stored at the higher layers of the network stack.

Take the case of a SIM card. It’s a broadly accepted method for securing connections in the licensed cellular spectrum. But it’s often forgotten that SIM’s primary purpose is to authorize and authenticate devices to a network, to make sure that every connection is traceable and billable. The connections are encrypted to protect the data, but this protection ends as soon as the data arrives at the first cell tower, where it is decrypted. From that point on the protection provided by SIM ends, while data still has a long way to go before reaching its destination, such as a cloud service. In other words, there is no end-to-end encryption for data, leaving possibilities for eavesdropping and data alteration by malicious entities. This shortcoming of SIM is depicted in the first figure.

IoT service configuration for cellular networks

Figure 1: IoT service configuration for cellular networks
Source: “Solutions to Enhance IoT Authentication Using SIM Cards (UICC),” GSMA

Figure 1 shows how the communication layer authentication (C1) between the device and the cellular network is managed by the Mobile Network Operator (MNO). However, the main challenge for the IoT service provider is how to provision, protect and manage the application layer security (A1) to create end-to-end security for the IoT data. If this is not taken care of, the data can be eavesdropped upon or altered as it traverses the cellular network. Service providers do not want data from IoT devices to be susceptible to these kinds of attacks, and also do not want to have different levels of security depending on which type of connectivity each device uses. Therefore, devices need a low-cost and widely deployable solution that provides end-to-end security for the application layer (A1), regardless of the connectivity standard used in a product. This way the IoT device maker will no longer depend on SIM (or any other standard) for its security, but rather take matters into its own hands.

Setting Up a Secure Channel

Figure 2: Setting Up a Secure Channel

Intrinsic ID has a broad suite of solutions specifically tailored to low-resource IoT devices to protect data from the moment of conception on an edge device, to the data’s ultimate destination, whether somewhere in the IoT or a cloud. The most important solution in this scenario is based on a combination of Intrinsic ID’s patented SRAM PUF technology and a TLS library to set up a secure channel between an IoT device and the cloud service that is used to store and analyze the data (see Figure 2). The SRAM PUF creates the robust keys and credentials needed for the TLS connection, anchored by an unclonable identity for every individual device.

By combining TLS with SRAM PUF, the secure channel between device and cloud gets rooted in the hardware of the device. This way the solution guarantees security and authenticity of the transmitted data, as well as providing strong authentication for the IoT based on the unclonable identity the SRAM PUF provides.

Intrinsic ID’s solutions are available in software, specifically targeted for low-cost IoT, and do not require any additional hardware to be added to devices, while giving great flexibility to manage the cryptographic keys that are required to keep valuable assets safe in the cellular network.


Vincen van der LeestVincent van der Leest is Director Product Marketing at Intrinsic ID. In his 9 years at Intrinsic ID, Vincent’s roles within the organization have included business development and managing the company’s portfolio of European-funded projects. Vincent is author or co-author of a number of scientific papers on Intrinsic ID’s core technology, as well as several of the company’s patents. He holds a master’s degree in Electrical Engineering from Eindhoven University of Technology and worked for ASML and Philips before joining Intrinsic ID.

Leave a Reply

Your email address will not be published. Required fields are marked *

Back To Top