The dangers of M2M SIM cards


Carriers are currently pushing a new kind of SIM card: the so-called M2M (Machine-to-Machine) SIM card. These can be used in IoT (Internet of Things) devices so that the devices communicate with each other over a (sometimes) dedicated cellular network.

One big advantage of M2M SIM cards is that all the devices sit in the same “internal” network: they can be physically distant and yet communicate with each other as if they were on the enterprise LAN. They can also reach services in the company’s network, e.g. a server collecting data from sensors.

I’ve recently seen M2M SIM cards being misused on tablets such as iPads. This presents a real danger for companies that don’t take serious precautions.

I see the following dangers (confirmed by a nice discussion with a Swiss carrier):

  • The iPad is directly connected to the company network. No compliance check is done: the M2M gateway does not check whether the device is jailbroken or whether dangerous apps are installed.
  • Any application installed on the tablet has access to the internal network.
  • The SIM card can be used in any device, so an unofficial device could gain access to the company’s network.
  • The device does not need to be managed in order to access the network.

This is a dream for an attacker: they could simply steal a SIM card and be connected to the internal network.

The risks can be minimized by applying the following measures:

  1. Create a dedicated IoT network zone (a kind of DMZ) that is clearly separated from the LAN and the company’s other subnets. Firewall rules are crucial and should follow the DENY-ALL principle.
  2. Register your devices in a UEM solution so that compliance is checked regularly. If possible, deploy an MTD (Mobile Threat Defense) solution.
  3. Deploy the cellular (APN) configuration from the UEM – the UEM can then remove the configuration if the device is NOT compliant and thereby block its access to the network.
  4. Define SIM-changed alerts, make sure your administrator reads the notifications, and automatically block unknown devices. SIM-changed events can be defined in the M2M management portal and in the UEM.
  5. If possible, use a NAC (Network Access Control) solution in conjunction with your UEM so that only managed devices can connect to your internal network.
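To show how measures 2 and 4 fit together in practice, here is an added example (not code from the original post, and not tied to any particular UEM or carrier portal) of the decision logic an administrator would automate: a constructed inventory of managed devices, keyed by the ICCID of the M2M SIM each one was issued with, is checked against constructed attach events from an M2M portal. A SIM that shows up in a device other than the one it was issued to, an ICCID that is not in the inventory at all, or a device whose last UEM compliance check failed is flagged for blocking. The ICCIDs, IMEIs, device names and the event format are all assumptions made for the example.

```python
"""Hypothetical SIM-change / unknown-device policy check for an M2M IoT zone.

Added example, not part of the original post. The inventory and the events
below are constructed; a real deployment would pull the inventory from the
UEM / M2M management portal and feed in the portal's real attach events.
"""
import json
from typing import Dict, List, Optional

# Constructed inventory: ICCID of the issued M2M SIM -> the device (IMEI)
# it was bound to and its last known UEM compliance state.
MANAGED_DEVICES: Dict[str, dict] = {
    "8941000000000000001": {"device_id": "sensor-gw-01", "imei": "356938035643809", "compliant": True},
    "8941000000000000002": {"device_id": "sensor-gw-02", "imei": "356938035643810", "compliant": True},
    "8941000000000000003": {"device_id": "ipad-field-07", "imei": "356938035643811", "compliant": False},
}

# Constructed M2M portal attach events, one JSON object per line.
# Line 3 is the SIM of sensor-gw-02 appearing in a different device,
# line 5 is an ICCID the company never issued.
SAMPLE_EVENTS = """\
{"iccid": "8941000000000000001", "imei": "356938035643809", "event": "attach"}
{"iccid": "8941000000000000002", "imei": "356938035643810", "event": "attach"}
{"iccid": "8941000000000000002", "imei": "990000862471854", "event": "attach"}
{"iccid": "8941000000000000003", "imei": "356938035643811", "event": "attach"}
{"iccid": "8941000000000000099", "imei": "490154203237518", "event": "attach"}
"""


def decide(event: dict, inventory: Dict[str, dict]) -> dict:
    """Return the verdict and action for a single attach event.

    Order matters: an unknown SIM is checked first, then a SIM that moved to
    another device, then the compliance state of the device it belongs to.
    Only a known SIM, in its own device, with a passing compliance check
    is allowed onto the IoT zone (default deny).
    """
    iccid = event["iccid"]
    imei = event["imei"]
    record: Optional[dict] = inventory.get(iccid)

    if record is None:
        verdict, action = "unknown_sim", "block"
    elif record["imei"] != imei:
        verdict, action = "sim_changed", "block"
    elif not record["compliant"]:
        verdict, action = "noncompliant_device", "block"
    else:
        verdict, action = "ok", "allow"

    return {
        "iccid": iccid,
        "imei": imei,
        "device_id": record["device_id"] if record else None,
        "verdict": verdict,
        "action": action,
    }


def evaluate_events(events_text: str, inventory: Dict[str, dict] = MANAGED_DEVICES) -> List[dict]:
    """Parse newline-delimited JSON attach events and decide on each one."""
    decisions = []
    for line in events_text.splitlines():
        line = line.strip()
        if not line:
            continue
        decisions.append(decide(json.loads(line), inventory))
    return decisions


def blocked_iccids(decisions: List[dict]) -> List[str]:
    """ICCIDs that should be disabled in the M2M portal / have their APN profile removed."""
    return sorted({d["iccid"] for d in decisions if d["action"] == "block"})


if __name__ == "__main__":
    results = evaluate_events(SAMPLE_EVENTS)
    for r in results:
        print(f"{r['iccid']} imei={r['imei']} device={r['device_id']} -> {r['verdict']} ({r['action']})")
    print("block:", blocked_iccids(results))
```

The "block" action is where the real integrations go: disabling the SIM in the carrier's M2M portal and removing the APN profile through the UEM. Keeping the decision as a default-deny function (everything not explicitly known, bound and compliant is blocked) mirrors the DENY-ALL principle from measure 1 at the device-identity level.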

In spite of these measures, I would not recommend the use of M2M SIM cards on smartphones or tablets. This is far too dangerous.

IoT is definitely the next goldmine for hackers – protecting network access is by far the most important step towards better security for IoT devices. Carriers have found a nice way to reuse the 3G/4G network for the IoT, and companies should be careful before deploying these revolutionary M2M SIM cards!