UNCLASSIFIED//FOR OFFICIAL USE ONLY INDUSTRIAL CONTROL SYSTEMS CYBER EMERGENCY RESPONSE TEAM

Transcription

1 ADVISORY ICSA ZIGBEE PSEUDORANDOM NUMBER GENERATOR VULNERABILITY January 19, 2010 OVERVIEW On January 09, 2010, a security researcher published an attack on a ChipCon (CC) implementation of ZigBee used in the CC2430 series of chips running Z-Stack software that is commonly used in smart grid applications. 1 The problem comes from a weakness in its pseudorandom number generation routine. The results of a successful attack will allow the attacker to easily guess cryptographic keys and thereby join the ZigBee mesh network and decrypt the traffic. The ZigBee protocol is the most popular wireless protocol used in the Home Area Network (HAN) portion of the smart grid. It is used to link the power meter to thermostats, air conditioners, water heaters, gas meters, and other pieces of equipment in the home. Although access to the HAN gives the attacker more access to attack ZigBeeenabled devices in the home, properly designed advanced metering infrastructure (AMI) solutions do not trust the HAN, and control of the HAN should not give control of privileged functions on a meter such as remote disconnect. However, breaking the HAN does give the attackers more options for attacking the AMI system as a whole, which may lead to greater threats. The mitigations available include using a strong random number generator on another chip, using a stronger algorithm to generate random numbers, or seeding the hardware random number generator more often. For more information, see the Mitigation Strategies section of this document. BACKGROUND ZigBee is a protocol specification based on the IEEE standard that is used for wireless communication between devices. ZigBee makes use of common cryptographic primitives such as AES encryptions. The most popular hardware vendor of chips is ChipCon (CC), which was recently acquired by Texas Instruments (TI). TI makes the CC2430 chip that combines an Intel 8051 microcontroller with an antenna 1 Advisory Page 1 of 5

2 chip that sells for about seven dollars at the present time. The low cost and low power of the chip drives its popularity. TI supplies a reference implementation of the ZigBee protocol for its chips branded as Z-Stack. The material presented regarding this vulnerability suggests an insufficient level of randomness is present in cryptographic keys produced by the crypto implementation of the TI Z-Stack software on the CC2430 series microcontrollers. The lack of randomness would result in the ability to execute feasible brute force attacks against the resulting encryption. The vulnerability is similar to one found in OpenSSL packages distributed by Debian and Debian-based operating systems in ,3,4 VULNERABILITY CHARACTERIZATION DETAILS TECHNICAL OVERVIEW The CC2430 series chip using Z-Stack software for ZigBee implementation uses a hardware random number generator (RNG) to seed a 16-bit pseudorandom number generator (PRNG) that generates the session keys. The PRNG could possibly have 2 16 internal states but, because of improper implementation, it only has 2 8 internal states. According to the researcher, the end result is that only possible AES keys can be generated. The researcher also claims to have already built a rainbow table of all possible keys allowing him to crack the ZigBee implementation quickly. TECHNICAL CONCLUSIONS Based on the documentation and the research presented, the hardware RNG should be assumed to be weak until other data are available or an independent validation can be performed. The evidence is convincing, and in all likelihood the system will be shown to be weak. Not all ZigBee implementations use the CC2430 series chips, and not all CC2430 implementations use the Z-Stack software. Implementations will need to be evaluated on a case-by-case basis to determine potential weaknesses Advisory Page 2 of 5

3 The code pathways could only be traced from a weak RNG to a key generation routine for implementations using the elliptic curve cryptography algorithm. (This does not mean that the particular vendor did not use the weak RNG to generate keys. It also does not mean that vendors using the elliptic curve cryptography algorithms are calling the weak RNG.) MITIGATION STRATEGIES TECHNICAL At this time, there are no known fixes for this vulnerability available to the end user. End users will need to talk with their vendors and apply patches as necessary. The following solutions are available to vendors. USE A STRONG RANDOM NUMBER GENERATOR ON ANOTHER CHIP Strong RNGs are available in hardware form. They are often built-in features of other chips. If a board is being (re)designed, a strong RNG could be added to the design. If a strong random number source is available on one of the other chips, a software fix may be possible that uses the strong source instead of the onboard RNG. USE A STRONGER ALGORITHM TO GENERATE RANDOM NUMBERS Strong RNG algorithms are also available in software. The software could be updated to use a stronger RNG. A cryptographer should be consulted when choosing an algorithm to make sure that all the assumptions of the algorithm are met and properly implemented. SEED THE HARDWARE RANDOM NUMBER GENERATOR MORE FREQUENTLY If the hardware is seeded with random data more frequently, the randomness of the RNG output will improve. In this particular case, the generator would need to be seeded during key creation to guarantee a sufficiently random output. A cryptographer should be consulted to make sure the output is sufficiently random. PROCEDURAL Consult with appropriate vendors to determine availability and preferred procedure for applying patches. Patch availability has not been determined. HUMAN FACTORS End users of ZigBee products may be vulnerable to attack and should contact their product vendor to see if they use the affected hardware and software and if necessary, apply a patch. Advisory Page 3 of 5

4 Vendors of ZigBee products need to determine if they are using a CC2430 series chip. If so, they should determine if they are using the hardware RNG to generate cryptographic keys. (If so, consult with the manufacturer to determine availability of a patch or apply one of the mitigations listed above.) Advisory Page 4 of 5

5 CONTACT : For any questions related to this report, please contact at: ics-cert@dhs.gov Toll Free: For Control System Security Program Information and Incident Reporting: systems/ DOCUMENT FAQ What is an Advisory? An Advisory is intended to provide awareness or solicit feedback from critical infrastructure owners and operators concerning ongoing cyber events or activity with the potential to impact critical infrastructure computing networks. Can I edit this document to include additional information? This document may not be edited or modified in any way by recipients, nor may any markings be removed. It may not be posted on public Web sites. All comments or questions related to this document should be directed to the at ics-cert@dhs.gov. Advisory Page 5 of 5