Soracom Air for Cellular
Soracom Air Security
Soracom IoT SIM cards build on the security properties of cellular communication, and can be combined with additional Soracom services to further protect device traffic.
Preventing Unauthorized Use of IoT SIM Cards
Soracom provides two features that help prevent unauthorized use of an IoT SIM: CHAP Authentication and IMEI Lock.
- CHAP Authentication adds a username and password check, performed when the device sets up its data session with the APN, on top of the SIM's own network authentication. If the SIM is removed and placed in an unauthorized or tampered device, that device must also present the correct CHAP credentials before it can establish a data connection. Because the credentials live in the device's APN configuration, they should be treated as per-device secrets and rotated if a device is compromised.
- IMEI Lock binds the SIM to the IMEI of one specific device. If the SIM is stolen and inserted into another device, the network refuses the session, so the SIM cannot be used on someone else's hardware to run up data usage charges.
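To make the two checks concrete, the following Python model plays through both the CHAP exchange (RFC 1994, MD5 variant) and an IMEI lock decision. It is an added illustration, not Soracom's implementation: the `ToyApnGateway` class stands in for the network-side APN authentication logic, and every IMSI, IMEI, username, secret and challenge is a constructed value (the IMEIs are chosen to have valid Luhn check digits).

```python
"""Toy model of CHAP (RFC 1994, MD5) and IMEI lock at data-session setup.

Added illustration, not Soracom's implementation.  ToyApnGateway stands in
for the network side; all IMSIs, IMEIs, secrets and challenges are constructed."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP Response Value per RFC 1994: MD5(Identifier || secret || Challenge).
    The secret itself never crosses the link, only this hash of it."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def imei_is_well_formed(imei: str) -> bool:
    """15 digits with a valid Luhn check digit.  Worth checking before locking a
    SIM to an IMEI: a mistyped IMEI locks out the real device, not the thief."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for i, ch in enumerate(imei):
        d = int(ch)
        if i % 2 == 1:                      # every second digit, counted from the check digit
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


class ToyApnGateway:
    """Stand-in for the network side of a data-session setup."""

    def __init__(self):
        self.chap_credentials = {}   # imsi -> (username, secret bytes)
        self.imei_locks = {}         # imsi -> locked IMEI
        self.pending = {}            # challenge identifier -> challenge bytes
        self.next_id = 1

    def provision_chap(self, imsi, username, password):
        self.chap_credentials[imsi] = (username, password.encode())

    def set_imei_lock(self, imsi, imei):
        if not imei_is_well_formed(imei):
            raise ValueError("refusing to lock %s to malformed IMEI %r" % (imsi, imei))
        self.imei_locks[imsi] = imei

    def challenge(self):
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256
        self.pending[ident] = os.urandom(16)
        return ident, self.pending[ident]

    def attach(self, imsi, imei, username, identifier, response):
        """Decide whether a device may bring up a data session."""
        locked = self.imei_locks.get(imsi)
        if locked is not None and locked != imei:
            return "denied: IMEI lock"
        creds = self.chap_credentials.get(imsi)
        if creds is None:
            return "denied: no CHAP credentials for this SIM"
        expected_user, secret = creds
        challenge = self.pending.pop(identifier, None)
        if challenge is None or username != expected_user:
            return "denied: CHAP identity"
        expected = chap_response(identifier, secret, challenge)
        if not hmac.compare_digest(expected, response):
            return "denied: CHAP response"
        return "accepted"


def device_attach(gw, imsi, imei, username, password):
    """Device side: answer the gateway's challenge with its configured APN credentials."""
    ident, chal = gw.challenge()
    return gw.attach(imsi, imei, username, ident, chap_response(ident, password.encode(), chal))


# Constructed identifiers: test-range IMSI, IMEIs with valid check digits
IMSI = "001010123456789"
REAL_IMEI = "490154203237518"
OTHER_IMEI = "356938035643809"


def demo():
    gw = ToyApnGateway()
    gw.provision_chap(IMSI, "device-42", "correct horse battery staple")
    gw.set_imei_lock(IMSI, REAL_IMEI)
    results = {
        "legitimate": device_attach(gw, IMSI, REAL_IMEI, "device-42", "correct horse battery staple"),
        "sim_moved": device_attach(gw, IMSI, OTHER_IMEI, "device-42", "correct horse battery staple"),
        "wrong_pw": device_attach(gw, IMSI, REAL_IMEI, "device-42", "guess"),
    }
    try:
        gw.set_imei_lock(IMSI, "490154203237519")   # bad check digit
        results["bad_imei_lock"] = "accepted"
    except ValueError:
        results["bad_imei_lock"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15s} {outcome}")
```

Running `demo()` shows the legitimate device accepted, the same SIM in a different IMEI refused by the lock before CHAP is even evaluated, and the right device with the wrong APN password refused by the CHAP check. Note that CHAP's MD5 construction is not a strong password hash; its value here is that the password is never sent in the clear and each response is tied to a fresh challenge, so a captured response cannot be replayed.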
Additional Security Features
- Soracom IoT SIMs are assigned private IP addresses, so a device cannot be reached directly from the internet by a potential attacker. This protects against unsolicited inbound connections only; it does not restrict where the device itself connects, which is what the Outbound Filter described below is for.
- When using Soracom IoT SIMs, traffic between the device and the local cellular provider's base station and switching station is encrypted by the cellular network. The switching station and Soracom are in turn connected over a closed network rather than the public internet, reducing the risk of unauthorized access or eavesdropping. This protection is at the network layer and ends at Soracom's platform, which is why application-layer TLS to your backend (for example via Soracom Beam) is still recommended.
- Soracom IoT SIMs contain a tamper-resistant UICC (Universal Integrated Circuit Card) that stores the subscriber key and the programming required to authenticate to the cellular network, so the credentials are not designed to be read out and copied to another device.
Security from Soracom Platform services
Data security between your IoT SIM-equipped device and your backend can be further increased by using the services described below.
Soracom Beam
Soracom Beam is a proxy service that terminates device traffic inside Soracom's platform and forwards it to your backend. Its security benefits include:
- Protocol conversion from plaintext protocols (for example HTTP, MQTT or raw TCP) to their TLS-encrypted equivalents, offloading the TLS handshake and encryption to the cloud, which lets you integrate constrained devices that cannot run a TLS stack themselves.
- Cloud-side storage of endpoint credentials (such as API keys, tokens or client certificates), which Beam injects when forwarding, so an attacker who compromises a device does not obtain the backend's secrets.
- Endpoint proxying: devices only know the Beam entry point, so the real backend endpoint can be changed fleet-wide in the Beam configuration, without touching any device, for example when a server is compromised.
Note that the device-to-Beam leg is carried in plaintext and relies on the cellular and closed-network protections described above.
Virtual Private Gateway
Soracom's Virtual Private Gateway (VPG) service provides a private networking environment for your IoT SIMs and the ability to use additional services and security features:
- An Outbound Filter can be configured to restrict the destinations that devices in the VPG are allowed to send data to, so a compromised device cannot freely exfiltrate data or contact arbitrary hosts.
- Two Fixed Global IP addresses can be assigned to your VPG. When enabled, all internet-bound traffic from the VPG originates from one of these two addresses, so you can allow only those addresses in your backend firewall or security policies. Such IP-based filtering identifies the VPG as a whole, not an individual device, so it complements rather than replaces per-device authentication.
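The following Python model shows how the two controls work together: an allow-list outbound filter applied to device flows inside the VPG, and an ingress check at the backend that trusts only the VPG's two fixed global IPs. This is an added illustration and not Soracom's rule syntax or configuration format; the rule tuples, the fixed IPs, the backend network and every flow are constructed from the RFC 5737 documentation ranges.

```python
"""Toy evaluation of a VPG outbound filter and backend ingress filtering.

Added illustration, not Soracom's rule syntax or configuration.  All addresses
and flows are constructed from RFC 5737 documentation ranges."""
import ipaddress

# Constructed outbound filter: (action, destination CIDR, protocol, port).
# First match wins; anything not matched is dropped (default deny).
OUTBOUND_RULES = [
    ("allow", "203.0.113.0/24", "tcp", 8883),    # backend MQTT over TLS (constructed)
    ("allow", "203.0.113.0/24", "tcp", 443),     # backend HTTPS (constructed)
    ("allow", "203.0.113.53/32", "udp", 53),     # a resolver you control (constructed)
]

# Fixed global IPs assumed for this VPG; the backend firewall trusts only these.
VPG_FIXED_IPS = ("198.51.100.10", "198.51.100.11")


def outbound_allowed(dst_ip, proto, dport, rules=OUTBOUND_RULES):
    """VPG side: decide whether a device flow may leave the VPG."""
    dst = ipaddress.ip_address(dst_ip)
    for action, cidr, rule_proto, rule_port in rules:
        if dst not in ipaddress.ip_network(cidr):
            continue
        if rule_proto != "any" and rule_proto != proto:
            continue
        if rule_port is not None and rule_port != dport:
            continue
        return action == "allow"
    return False          # default deny: unlisted destinations are dropped


def backend_ingress_allowed(src_ip, trusted=VPG_FIXED_IPS):
    """Backend side: accept connections only from the VPG's fixed global IPs."""
    return ipaddress.ip_address(src_ip) in {ipaddress.ip_address(t) for t in trusted}


# Constructed flows from a device inside the VPG: (description, dst, proto, dport)
DEVICE_FLOWS = [
    ("telemetry to backend", "203.0.113.20", "tcp", 8883),
    ("firmware download", "203.0.113.21", "tcp", 443),
    ("DNS to own resolver", "203.0.113.53", "udp", 53),
    ("exfiltration attempt", "192.0.2.50", "tcp", 443),      # compromised device
    ("backend on unexpected port", "203.0.113.20", "tcp", 22),
    ("other public resolver", "192.0.2.53", "udp", 53),
]

# Constructed connection sources as seen by the backend firewall
BACKEND_SOURCES = {
    "from VPG fixed IP": "198.51.100.11",
    "from arbitrary host": "192.0.2.77",
    "from private range": "10.0.0.5",
}


def evaluate_outbound(flows=DEVICE_FLOWS):
    return {desc: outbound_allowed(dst, proto, port) for desc, dst, proto, port in flows}


def evaluate_ingress(sources=BACKEND_SOURCES):
    return {desc: backend_ingress_allowed(ip) for desc, ip in sources.items()}


if __name__ == "__main__":
    print("outbound filter (VPG side):")
    for desc, ok in evaluate_outbound().items():
        print(f"  {'ALLOW' if ok else 'DENY '}  {desc}")
    print("ingress filter (backend side):")
    for desc, ok in evaluate_ingress().items():
        print(f"  {'ALLOW' if ok else 'DENY '}  {desc}")
```

Two points the output makes visible: the outbound filter is only useful as an allow list with a default deny, since a compromised device will pick whatever destination is not blocked (here the "exfiltration attempt" and the unexpected port on the backend are both dropped), and the backend check accepts any device behind the VPG's fixed IPs equally, so it narrows exposure to the VPG but cannot tell devices apart.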
The following services can be used in combination with a VPG to securely connect your devices to a closed network:
- Soracom Canal connects Soracom VPGs directly to Amazon Web Services (AWS) Virtual Private Cloud networks, using AWS VPC Peering Connections or AWS Transit Gateway.
- Soracom Door provides connectivity to customer systems over an Amazon Web Services virtual private network (VPN) connection.
- Soracom Gate extends VPG networking so that devices within the VPG can communicate with each other as if they were on the same LAN. Gate also allows remote access to your devices from your own private network over a VXLAN tunnel to the VPG.