Exploring Possible Vulnerabilities of 868MHz Communication Systems: A Step-By-Step Framework

Transcription

1 Exploring Possible Vulnerabilities of 868MHz Communication Systems: A Step-By-Step Framework Joost Jansen University of Twente P.O. Box 217, 7500AE Enschede The Netherlands j.jansen-3@student.utwente.nl ABSTRACT This paper presents the outcomes of the theoretical and practical analysis on 868Mhz communication, as well as a framework giving a detailed, step-by-step approach for analyzing this level of security. This paper contributes to the investigation of wireless security, not only due to the framework, but also by explaining the social consequences. Furthermore, the paper provides a brief overview of the security threats concerning the Z-Wave communication protocol. Keywords 868mhz, wireless, security, communication 1. INTRODUCTION 1.1 Motivation The initial drive for this research is the possession of ventilation systems by two members of the DACS group and the apparent ease to extend the range of these systems. Ventilation systems are defined as systems which control the flow of air in a house, by e.g. monitoring CO2 values and adapting the air flow to these values [21]. Since these systems are build-in by default in new houses, they are particularly interesting for research. The supplier of the specific system in this research is Zehnder, which operates not only in the Netherlands, but in almost all European countries, the United States, parts of Asia and parts of South-America as well [22][23]. A lot of research has been done to the 2.4Ghz (Wi-Fi) communication security, but 868Mhz communication seems to lack this amount of research. The 868Mhz band is license-free, making it usable for all kinds of systems, including thermostats, fire systems and other home systems. The members of the DACS group suspect that the security of these systems is inadequate, since previous systems working on the 433Mhz band, e.g. KlikAanKlikUit [9], were also considered insecure after revealing that the system was sending unencrypted signals. KlikAanKlikUit is a system which uses radio frequency (RF) signals to control lights and other devices inside a house. There is the suspicion that the ventilation system supplier, and perhaps other smart device suppliers as well, do not see the security of these systems as a high priority, so a similar situation as with the KlikAanKlikUit Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. 23 th Twente Student Conference on IT, June 22 st, 2015, Enschede, The Netherlands. Copyright 2015, University of Twente, Faculty of Electrical Engineering, Mathematics and Computer Science. system is expected. The fact that the ventilation system supplier claimed that it was possible to extend the range, just by adding an 868Mhz transceiver, was interesting. The supplier is providing a range extender itself, which confirms the fact that the signal can be intercepted with the correct hardware. This means that in theory, everyone with a wireless transceiver which is strong enough to capture the signal is capable of intercepting this data. The fact that this data might be freely available in the air and the suspicion of lacking security are the drives for this research. The specific ventilation system contained a Nordic Semiconductor nrf905 RF chip [12], which can transmit and receive on the 433Mhz, 868Mhz and 915Mhz band. The company revealed that it operated on the 868Mhz band, but wasn t keen to reveal further details of the communication between their systems. 1.2 Research questions The main research question is: Is it possible to control your neighbor s ventilation system and what are the consequences? This main research question will be answered by the subquestions: 1) How can 868Mhz communication be captured? 2) How can 868Mhz communication be manipulated? 3) Is it possible to intercept and manipulate the specific ventilation system? 4) What social and technical consequences do the findings have? 1.3 Research approach The research questions will be answered with both a literature study and a practical study. The literature study will answer the topics covering the functioning of 868Mhz communication, RF chips, methods to manipulate and/or copy signals and so on. The literature study will also incorporate non-scientific literature, because a lot of work on several parts of the research has already been done by hobbyists, who provide useful tips on the internet. The practical study will cover the proof of concept and the corresponding work to get the proof of concept working. The Experimental Telecommunications Group Drienerlo (ETGD) of the University of Twente is willing to help with this proof of concept, as they are very experienced with radio communication [5]. The proof of concept will be made using Arduino s, nrf905 modules and a RTL-SDR receiver [1][10][19]. The RTL-SDR receiver will be used to capture and decode the wireless traffic coming from the ventilation system. Based on the information captured, the protocol can be analyzed. When the information necessary for manipulating the ventilation system is available, an Arduino with an nrf905 1

2 module will be used to send this information to the ventilation system. If, however, it is not possible to successfully construct a working proof of concept, a plan B is conducted. The practical study will partly be replaced by a theoretical framework on how to manipulate an 868Mhz communication system. Also, an overview of the security issues with the Z-Wave protocol will be made. Sub-question 3 will then consist of a practical study with the progress that has been made so far and the theoretical framework, giving a detailed, step-by-step approach on how to manipulate for example this Zehnder system. Sub-questions 1, 2 and 4 will remain unchanged. When plan B is applied, a succeeding research can be conducted, based on this paper. 1.4 Paper organization The paper is divided into several chapters. Chapter 2 will discuss the theory behind this research. It will clarify the details of the system, as well as the protocol which is used and the methods to intercept and manipulate data. It will also provide the information for answering sub-questions 1 and 2. Chapter 3 will discuss the practical study. This concerns the construction of a prototype and the steps followed. It will provide information to answer sub-question 3. Chapter 4 will discuss the framework. The framework will be designed using the information from chapter 2 and 3. Chapter 5 gives a brief overview of Z-Wave protocol and its corresponding security issues. Finally, chapter 6 will discuss the outcomes of the research and chapter 7 presents a concluding section of the paper. 2. THEORETICAL ANALYSIS 2.1 Chip and protocol The protocol that is used in combination with the nrf905 chip is described in the product specification [15]. A complete data package is showed in Table 1. Preamble 10 bits Table 1. An nrf905 package Address 8 or 32 bits Payload 8 to 256 bits CRC 0 to 16 bits The preamble is a predefined bit sequence used to adjust the receiver for optimal performance [15]. The address field represents the destination address. The nrf905 chip features an Address Match function, where it only accepts packets with an identical address to its own. Thus, to receive or intercept data packets with an nrf905 chip, knowing the address is a must. The payload is a trivial part of the package, one can insert any bit string from 8 to 256 bits in here. Finally, an optional CRC is added to the package so the transmission can be verified. As showed in the above section, the length of an nrf905 package is variable. The length of the address, payload, and presence of a CRC can be adjusted with several digital inputs on the chip. The chip has a data rate of 100kbps and uses GFSK modulation. Because the chip internally Manchester encodes and decodes the data, the effective data rate of the chip is 50kbps. [12]. The chip is often sold as an integrated circuit module, with all the electronic components already connected to it. Most of these modules are made for usage on the 433Mhz band, with electronics optimized for this frequency. Further details of the chip can be found at [15]. 2.2 Capturing 868Mhz data The most trivial way to capture data is by using an nrf905 module to capture the packets. However, due to the Address 2 Match function, one can t simply scan for nrf905 data packets in the air. The chip will notice the data packet, but discards it as soon as it detects a faulty address. In order to intercept 868Mhz data, it is necessary to know the destination address. There are several ways to gain knowledge about the destination address. The first option is to use a logical analyzer. This tiny device can analyze the most-used protocols used (I2C, SPI etc.), when wired to an interface. Using logical analyzer software[11], binary output can be printed to the screen so the actual data from the chip to the antenna can be sniffed. This reveals a raw bit string, which can be analyzed using the nrf905 protocol. However, for the purpose of this research, this may not be the best way. If, for example, someone wants to hack a wireless ventilation system, it s not likely that the person has physical access to the ventilation system. However, when a hacker has a similar system at home, he can analyze his own system and gain knowledge about the address, payload and CRC sizes. This information can then be used to set up a receiving nrf905 module listening to packets that size. The hacker however, still needs the destination address. As said, addresses are 8 or 32 bits, so the hacker needs to try either 2^8 or 2^32 combinations. The 8 bit address will be cracked in reasonable time, the 32 bit will take much longer to crack. Assuming that for the purpose of modern-day systems, 8 bit addresses are not long enough, this method of capturing data is not optimal for this research. The second way to capture data is by using a RTL-SDR USB dongle.[18]. This device, originally designed for digital TV streaming purposes, can capture signals on a wide frequency range. This device can be set up for a lot of things. First, the device visualizes the radio signals, so one can detect the frequency and channel on which the ventilation system operates. Secondly, using specialized software, the device can capture and record the actual radio waves on a given frequency. Knowing this, a hacker can scan for the right frequency and then tune the RTL-SDR in on that frequency. He is then able to capture radio waves, which he can decode using specialized software. Compared to the logical analyzer, this method doesn t need to know the destination address, which is a huge advantage. When decoded, one can also obtain a raw bit string of the packet, which then can be analyzed using the nrf905 protocol. Eventually, the payload of the packet is available, which is needed in order to manipulate the data. 2.3 Manipulate 868Mhz data In order to manipulate 868Mhz data, one needs to know about the application protocol between the two devices, which is located in the payload section of the physical packet. Since the chip in this research is part of a ventilation system, there probably will be a manufacturer-built communication protocol on top of the nrf905 protocol. It is this protocol that is assumed to be unencrypted and insecure. To gain knowledge about this communication protocol, the payload of the data packet must be analyzed. Manipulating 868Mhz data can be interpreted in two ways: 1) Send new constructed data packets 2) Copy existing data packets The simplest option is to turn the bit string into readable text characters, to check if the communication protocol is unencrypted. Decoding the protocol then is a trivial task, having knowledge of the actions of the ventilation system and the corresponding payload text. For example, if a CO2 sensor is manually triggered to a high value (e.g. by breathing into it),

3 and a payload converted to ASCII reveals: SENSOR 3 HIGH, analyzing the protocol isn t that hard. It becomes a bit harder when the payload bit string consists of non-readable text. A possible outcome would be a protocol analyzer[16], which can reveal the protocol used. There is also a possibility that the payload is encrypted. There are decryption tools that can analyze the type of encryption and try to decrypt the message.[4] Having knowledge about the nrf905 packet layout and the communication protocol, new data packets can be constructed manually. These newly-constructed packets can be transmitted to the ventilation system directly with an nrf905 setup. When the communication protocol cannot be successfully decoded, there still is another way to which could manipulate the data. Since the complete data packet is captured, one can retransmit it at a later point in time, creating the same effect at the ventilation system. If, for example, the bit string represents Turn on ventilation sent by Sensor 1, the same effect can be triggered later. This, of course, only works when the bit string doesn t change in time. 3. PRACTICAL ANALYSIS To prove the correctness of the theoretical analysis, a proof of concept was to be constructed. The following attributes were used for the proof of concept: 2 x Arduino UNO R3, 2 x nrf905 transceiver module, 2 x breadboard, 1 x RTL-SDR USB Dongle, see Figure 1. First, the Arduino s were wired to nrf905 modules using the breadboards, with an extra LED to blink on a successful transmission, see Appendix A for the wiring table. Next, the correct libraries for the nrf905 chip were loaded on the Arduino[1]. The Arduino s were set up to communicate on the 433Mhz band, using a 32-bit address and a 16-bit CRC. The reason the 433Mhz band was used in this setup, is that the nrf905 modules were originally built for using 433Mhz, not 868Mhz, which are unfortunately hard to find on the internet. Using test files, the first transmission between the two Arduinos successfully took place. Afterwards, the RTL-SDR dongle was installed on both a Windows 8.1 and an Ubuntu environment. This, because Windows supports the popular SDR# software[20] for scanning frequencies and Ubuntu supports more nrf905 decoding software. After firing up the SDR# software, there were clear signs of the 433Mhz band test transmissions, as seen in Figure 2. Next, the physical frames needed to be decoded. A C-program was used for this [17] on Ubuntu. With this program, 433Mhz data is printed in hexadecimal form on the terminal, see Figure 3. This data was converted to binary data, as shown in Figure 4. This exposed a full nrf905 packet. The preamble, address, payload and CRC can all be distinguished. In the test setting, the text Test 146 was transmitted in ASCII-format. Converting the payload, yellow-colored in Figure 4, to ASCIIformat showed that the physical frame indeed contained this text. So, at this point, 433Mhz data can be intercepted and viewed when not encrypted. Unfortunately, due to the time limit, the decoding process of the 868Mhz band did not succeed. Due to that, the sniffing and manipulating of the real ventilation system was not possible. Chapter four describes a framework on how to investigate, sniff and manipulate an 868Mhz communication system. Figure 1. An overview of the setup Figure 2. Visible communication on the 433Mhz band. root@joost-thinkpad-l530:~# sudo rtl_fm -f s 1600k -g 0./nrf905_decoder - Found 1 device(s): 0: Realtek, RTL2838UHIDIR, SN: Using device 0: Generic RTL2832U OEM Tuned to Hz... faac a32b9ba10189a1b d9f30 Figure 3. Receiving data Figure 4. Decoding a frame 3

4 4. FRAMEWORK Figure 5. Framework Following the theoretical and practical sections, a framework is constructed to represent a clear overview of the steps and methods used. This framework is showed in Figure 5. When one follows the steps in the framework, he is able to check whether the connection can be manipulated or not. The framework is divided into two segments: one for the capturing stage and one for the manipulation stage. The individual steps of both segments will now be further discussed in detail. Identify chip: To start with the investigation of the system, it is crucial to identify which transceiver chip the system uses. This can be done by physically opening a similar system and look for the transceiver chip. Another option is using the internet to find out which chip is embedded into the system. Some manufacturers do provide complete datasheets for their products[3][15]. This step is important because a lot of the proceeding work will be based on the chip chat is used. Collect info about chip: When the chip is recognized, it is necessary to collect as much possible information about it. In the practical study of this research, a complete product specification was available. For several other chips used for home-automation, product specifications are also available. With this information, one can look up specifications and features of the chip, to gain better understanding of the transmission mechanism. Set up test environment: Combining all information gained about the chip, a test setup has to be made. The simplest option is to hook up two pre-manufactured modules containing the specific chip with an Arduino. The internet can be used to find the corresponding Arduino libraries and wiring schemes. In most cases, a test receive and transmit file is available, otherwise they have to be written manually. Decode test text: With a function test environment, the next step is to decode the signals coming from the modules. Also in this case, the simplest option is to use an RTL-SDR USB dongle, as described in chapter 2 and 3. If possible, grabbing a decoding program from the internet is a good way to start. Otherwise a program has to be written, which can be quite a tricky process. Eventually, after this step, a bit string of zeroes and ones coming from the test transmission is available. Set up capturing environment: Now, the test environment can be adapted to capture real data from a system. With the RTL- SDR, the actual operating frequency of the system can be retrieved. Change the frequency of the RTL-SDR to the actual frequency. Capture real data: Using the decoding program from the previous step and the actual frequency, capture the data coming from the system. After this step, a bit string of the real system transmission is available. Decrypt payload: The payload of the bit string which is known by now can be encrypted. When the payload converted to ASCII is readable, this step can be skipped. When encryption is used, one can try to use a protocol analyzer[16] or decryption software[4]. After this step, readable and understandable text or patterns are visible. Also, possible destination addresses and preambles can be read from the output. Protocol analysis: The readable text or patterns have to be related to actions of the system. For example, if corresponds to the switch-off action of the system, this has to be recorded. All of these actions can be observed and saved, so a protocol analysis can be made. Set up transmitting environment: The next step is setting up a transmitting environment with the chip-module and an Arduino. This will probably be a small modification of the original test environment. Construct or copy packages: In the transmitting environment, one can construct a completely new packet using the protocol analysis. The data from the test environment will be replaced with the new data coming from the real system. One could also copy a complete captured data packet into a new packet, when decrypting and a protocol analysis failed. Manipulate system: Send the newly-constructed or copied packet to the system and watch how it reacts. When the system reacts as expected, it proves that the system is insecure and can be hacked! If not, one can try different packets or start all over again by capturing new real data and following the subsequent steps. The framework can be used for all kinds of systems which operate not only on the 868Mhz band, but also on the 433Mhz and 915Mhz band. 4

5 5. THE Z-WAVE PROTOCOL Despite the fact that the specific ventilation system protocol did not come out of the practical analysis, the Z-Wave protocol is reviewed in this section. Z-wave is a wireless communication protocol that is implemented in a broad range of household applications, such as lights and doors. It uses low-powered transceiver modules to control these applications. Z-wave operates on the ISM band and uses multiple layers upon the physical layer, providing a transport, routing and application layer. There are many similarities between the specifications of the ventilation system and the Z-Wave specifications, the modulation, frequency and transmitting speed are equal. Also, the nrf905 chip can be used to transmit Z-Wave signals[13]. When following the framework, this can be discovered in the decrypt payload section with a protocol analyzer. When this is the case, further research on the Zehnder ventilation system could move more into the direction of a Z-Wave capture and manipulate research. As stated in [24], due to an implementation vulnerability, researchers were able to gain full access over a door, by exploiting this vulnerability. They have also written their own Z-Wave interception and injection tool, Z-Force, which has managed to successfully take ownership of a door lock! See the full presentation at [8]. Another possible attack on a Z-Wave system is a Denial of Service Attack. When a device continuously floods the air with noise on the same operating frequency as Z-Wave, systems will no longer work properly [14]. Another option is brute-forcing the Home ID that is used in the Z-Wave protocol for identification. In practice however, it would take hundreds of hours to crack a 32-bit key. Concluding, Z-Wave is quite a secure protocol when implemented correctly and with encryption enabled. 6. DISCUSSION 6.1 Social consequences The first interesting point is that ventilation systems like the one used in this research are built-in by default in new houses. Of course, they are very useful for controlling the climate inside a house, but people often don t think about the security issues that come along with it. Assuming that the framework is followed, and a hacker is able to intercept and manipulate ventilation data, several unwanted scenarios can occur. In the first situation, a burglar equipped with an RTL-SDR dongle and decoding software can read the signals sent inside a house. Combining the RTL-SDR with a Raspberry Pi, a portable and easy to hide device can be constructed. Assuming the burglar knows the application protocol, he can e.g. scan for signals indicating "NOBODY HOME or VENTILATION LOW data. Of course, this information can then be used to commit burglary. For example, when a burglar detects a NOBODY HOME signal at a house for three consecutive days, it is likely that there is nobody home. This state information can also be misused by other persons. One can observe house activity for commercial and/or personal interests, raising questions about privacy. Another potential issue is the health of the inhabitants. Ventilation systems like the one in this research regulate CO2 levels inside a house. When the amount of CO2 is too high, the ventilation systems comes into action. However, if someone is able to manipulate the ventilation system, it is possible to deactivate this process and bring the CO2 level to unhealthy heights! [2][6][7] 6.2 Ease of information gaining Another point of interest is the ease of information gaining about this subject. Nowadays, one doesn t need to be an electrical engineer in order to construct a hacking device. The tutorials followed in this research were written by hobbyists, explaining in detail how to wire up the devices and how to decode signals. Also, for this specific nrf905 chip, a full product specification was available, explaining all possible details of the chip. Furthermore, there were multiple tutorials available on how to intercept and decode data with this chip using an RTL-SDR. There were multiple Arduino libraries available for the nrf905 chip, as well as an nrf905 decoding C-program. As long as one is interested and willing to hack a specific system, the internet nowadays provides plenty of information to construct a hacking device. Also, the materials used in this research were not expensive, approximately 40 euros, so a hacker doesn t need to be rich to hack! 7. CONCLUSION 868Mhz communication can be captured by using a logical analyzer or an RLT-SDR USB dongle, preferring the last option. By using the right software, tuning to the right frequency and using a specialized decoding program, 868Mhz radio waves can be decoded to a string of bits. 868Mhz systems can then be manipulated in several ways. The first way is to construct new packages and transmit them to the ventilation system. This requires knowledge of the application protocol. Without this knowledge, one can still manipulate the ventilation system by copying a previously captured payload section, which corresponding actions are known. Combining the theoretical, practical and discussion parts, some other interesting conclusions can be made. First of all, it is not hard and expensive to construct a working signal capturing device without any electrical engineering knowledge. The internet provides plenty of libraries and tutorials, as well as suggestions for hacking home automation systems[8][18]. Knowing this, the threshold for people to develop such systems is low, making these devices accessible for anyone with wrong intentions. Since these ventilation systems will be deployed more and more in new-built houses, it is extremely important for manufacturers to review their wireless communication protocols in order to prevent security issues. When looking at the social consequences, it is clear that a lack of security can lead to privacy and health issues, and even a new way for burglars to scan for activity! When following the framework described in this paper, one can systematically analyze the level of security of a ventilation system, and probably several other home automation systems. Is it possible to control your neighbor s ventilation system and what are the consequences? Probably, yes, though it has not been proven with a proof of concept, when following the framework one could answer this question for sure. 8. REFERENCES [1] Arduino nrf905 Library Driver. Retrieved March 3, 2015, from [2] Bennett, D., Apte, M., Wu, X., Trout, A., Faulkner, D., Maddalena, R. Ventilation and indoor air quality in 40 small and medium sized commercial buildings in California: Indoor air quality methods and findings. In 12 th International Conference on Indoor Air Quality and 5

6 Climate, pages , DOI = doi.org/ /01.ede e9 [3] Datasheet CC1101 Chip. Retrieved June 9, 2015 from [4] Decryption Tool. Retrieved June 5, 2015, from [5] Experimental Telecommunications Group Drienerlo. Retrieved March 25, 2015, from [6] Ghosh, J., Wilhelm, M.; Ritz, B. Effects of Residential Indoor Air Quality and Household Ventilation on Preterm Birth and Term Low Birth Weight in Los Angeles County, California. In American Journal of Public Health, page 686, 2013 DOI= doi.org/ /ajph [7] Hellgren, U. Perceived indoor air quality, air-related symptoms and ventilation in Finnish hospitals. In International Journal of Occupational Medicine and Environmental Health, pages 48-56, 2011 DOI= doi.org/ /s [8] Honey, I m Home Research On Z-Wave. Retrieved June 9, 2015, from [9] KlikAanKlikUit. Retrieved March 30, 2015, from [10] Linux Software For RTL2832U SDR. Retrieved, March 20, 2015, from [11] Logical Analyzing Software. Retrieved, June 4, 2015, from [12] Nordic nrf905 Product Page. Retrieved, March 3, 2015, from GHz-RF/nRF905 [13] nrf905 Z-Wave Manual. Retrieved June 9, 2015, from ve%20module/arduino%20zwave%20wireless%20modu le%20guid.pdf [14] Potential Z-Wave Attacks. Retrieved June 9, 2015, from [15] Product Specification nrf905. Retrieved June 8, 2015, from /file/Product_Specification_nRF905_v1.5.pdf [16] Protocol Analyzer Software. Retrieved June 7, 2015, from [17] RTL-SDR nrf905 Decoding Tutorial. Retrieved June 9, 2015, from [18] RTL-SDR Retrieve Data From 868Mhz Band. Retrieved March 10, 2015, from [19] RTL-SDR Website. Retrieved, 30 March 30, 2015, from [20] SDR# Software for RTL-SDR. Retrieved, March 30, 2015, from [21] Ventilation In Modern Homes. Retrieved March 31, 2015, from [22] Zehnder International Group. Retrieved March 30, 2015, from [23] Zehnder Ventilation System. Retrieved March 24, 2015, from [24] Z-Force Z-Wave Injection Software. Retrieved June 9, 2015, from APPENDIX A. ARDUINO WIRING TABLE Arduino pin 3.3V VCC 7 CE 1 9 TXE 1 8 PWR 1 2 CD 3 DR 12 SO 11 SI 1 13 SCK 1 10 CSN 1 GND nrf905-module pin GND 1 A 4K7 resistor has to be placed in between. 6