Attacking and Defending LoRa systems. LoRa the Explorer 22/03/2016

Size: px

Start display at page:

Download "Attacking and Defending LoRa systems. LoRa the Explorer 22/03/2016"

Byron Williams
5 years ago
Views:

1 Attacking and Defending LoRa systems LoRa the Explorer 22/03/2016

2 LoRa the Explorer 1.What is LoRa / LoRaWAN? 2.LoRaWAN Security Features 3.How to test LoRa systems

3 Introduction Introductions

4 Introduction + Me + Security Consultant / MWR UK + Android Security + Head of OT Security practice

5 Why LoRa?

6 Why LoRa?

7 Why LoRa? + Protocols in use by industry

8 Why LoRa? + Protocols in use by industry + Assumptions:

9 Why LoRa? + Protocols in use by industry + Reality:???

10 Power usage Why LoRa? WiFi Cellular Satellite Bluetooth Z-Wave BTLE ZigBee LPWAN NFC <10 Meters Range 10s Kilometres+

11 Why LoRa? + LPWAN Low Power Wide Area Network + Low Power (for end nodes) + Range of many kilometres + Low bit rate + Possible using clever modulation + Cheap!

12 Why LoRa? + LPWAN What is it good for? + Infrastructure + Smart City + Logistics

13 Why LoRa? + Main LPWAN modulation technologies + UNB + NarrowBand (cellular) (NB-IoT/NB-CioT/LTE-IoT) + LoRa

14 Why LoRa? + Main LPWAN modulation technologies UNB Cellular NB LoRA NB-LTE NB-IoT NB-CioT

15 Why LoRa?

16 Why LoRa? + Main LPWAN semiconductor groups Sigfox(UNB) Cellular NB LoRaWAN

17 Why LoRa? + Main LPWAN Telcos Sigfox(UNB) Cellular NB LoRaWAN

18 Introduction + Why Research LoRa?

19 Why LoRa? + Why research LoRaWAN? + Open source specification + Already being rolled out in multiple countries + Planning to be used for a number of purposes: + Railway level crossings + Burglar alarms + Monitoring Industrial Control Systems (ICS)

20 Why LoRa? + Current LoRaWAN security information? From sales staff: It uses AES128bit encryption! Or from the official Spec:

21 Why LoRa? + Questions from clients? Is it safe enough to use for $SOLUTION? Which of these two LoRa vendors is more secure?

22 Why LoRa? + Research Goals 1. To find whether it is possible to use LoRaWAN securely 2. To identify key security controls that must be in place 3. To produce a list of tests that can assess these controls in a LoRaWAN system

23 Why LoRa? Review Specification Review Implementations Produce Security Paper Produce Tools to Fill the Gap

24 Introduction + What is LoRa and LoRaWAN?

25 What is LoRaWAN? + LoRa -> LoRaWAN LoRa = Proprietary modulation scheme (PHY layer) Patented by Semtech, licenced to others LoRaWAN = MAC layer Open standard maintained by LoRa Alliance

26 What is LoRaWAN? + LoRa Systems have: s Gateways Network Server

27 LoRaWAN network

28 LoRaWAN network Gateway Gateway

29 LoRaWAN network Application Server Gateway Network Server Application Server Gateway Application Server

30 LoRaWAN network Application Server Gateway Network Server Application Server Gateway Application Server

31 LoRaWAN network Application Server Gateway Network Server Application Server Gateway Application Server

32 LoRaWAN network Application Server Gateway Network Server Application Server Gateway Application Server

33 LoRaWAN network

34 LoRaWAN Security

35 LoRaWAN network Application Server Gateway Network Server Application Server Gateway Application Server

36 LoRaWAN Security

37 LoRaWAN network Application Server Gateway Network Server Application Server Gateway Application Server

38 LoRaWAN network Packet DATA Application Server Gateway Check Packet Sig. Decrypt DATA Network Application Server Server Gateway Application Server

39 LoRaWAN network Packet CMD Encrypt command Application Server Gateway Sign Packet Network Server Application Server Gateway Application Server

40 Joining a node to the network

41 LoRaWAN Security - Joining + Joining + Two options 1. Activation by personalisation: s are shipped with the network and application keys already configured

42 LoRaWAN Security - Joining + Joining + Two options 2. Over the Air Activation s are shipped with an application key, which is then used to derive the application session key and network session key

43 LoRaWAN Security - Joining + Over the Air Activation + Each node is shipped with a unique Application ID, device ID and application key

44 LoRaWAN Security - Joining Join-request ( AppEUI, DevEUI, DevNonce) signed with AppKey Server

45 LoRaWAN Security - Joining + Over the Air Activation Message: App ID, Device ID, Device Nonce Signed with the appkey (aes128_hmac)

46 LoRaWAN Security - Joining Generates AppNonce and then calculates AppSKey and NwkSKey Server

47 LoRaWAN Security - Joining + Over the Air Activation + Next step? Up to the server + It should retrieve the status for that node + Then get the application key + It should recreate the MIC + If successful then calculate and return the Network session and Application session keys (encrypted and signed with the app key)

48 LoRaWAN Security - Joining + Over the Air Activation NwkSKey = aes128_encrypt(appkey, 0x01 AppNonce NetID DevNonce pad16) AppSKey = aes128_encrypt(appkey, 0x02 AppNonce NetID DevNonce pad16)

49 LoRaWAN Security - Joining Join-accept (appnonce, NetID, DevAddr) encrypted and signed with AppKey Server

50 LoRaWAN Security - Joining Uses AppNonce to calculate AppSKey and NwkSKey Server

51 LoRaWAN Security - Joining Server

52 Messaging

53 LoRaWAN Security - Messaging + s use the NwkSKey and AppSKey to send messages + For application messages + Encrypt with AppSKey + Sign with NwkSKey

54 LoRaWAN Security - Messaging + s use the NwkSKey and AppSKey to send messages + For Network messages + Encrypt with NwkSKey + Sign with NwkSKey

55 LoRaWAN Security Application Messaging + Messaging Application messages + AES128 in Counter mode (CTR) + Uses counters (FCntUp and FCntDown) i = 1..k where k = ceil(len(frmpayload) / 16) A i = (0x01 (0x00 * 4) Dir DevAddr FCntUp or FCntDown 0x00 i) S i = aes128_encrypt(k,a i ), for i = 1..k S = S 1 S 2.. S k

56 LoRaWAN Security Application Messaging + + XOR message with keystream MAC Payload: FHDR Fport FRMPayload PHY Payload: MHDR MACPayload MIC

57 Class B LoRa systems

58 Class B system + How do Class B systems differ? + What if the nodes move? + What if the network server wants to initiate messages?

59 Class B systems + How do Class B systems differ? + Gateways provide simultaneous GPS/timestamp broadcasts + Used by nodes that need to update the network server with their location

60 Class B systems + How do Class B Systems differ? + s use these to create time windows to listen in + Allows multicast messages

61 But is it secure?

62 Complex systems = ~insecure systems

63 + Testing

64 LoRaWAN Security Application Messaging + Messaging - Tests Issue Decryption is performed before MIC is checked Effect Attacker could attempt to flip bits Decryption is performed before MIC is checked FCnt manipulation is possible leading to DoS Counters are not incremented AppSKeys / NwkSKeys are not unique Could XOR out the plain text If one node is compromised then all traffic can be read and spoofed

65 LoRaWAN Security Application Messaging Attacks +Decryption is performed before MIC is checked alter cipher-text { ID : 34, Temp : 24 } Encrypted produces: 750f7f9b6366b fb36fdbe51a3dcc1a85d463d70

66 LoRaWAN Security Application Messaging Attacks +Decryption is performed before MIC is checked alter cipher-text { ID : 34, Temp : 24 } Encrypted produces: 750f7f9b6366b fb36fdbe51a3dcc1a85d463d70 If we change 5d to 5a, then decrypt: { ID : 34, Temp : 54 }

67 LoRaWAN Security Application Messaging Attacks +FCnt manipulation + Messages contain FCntUp or FCntDown + Must be in sync, discarded if less than previous + Updates using most recent message

68 LoRaWAN Security Application Messaging Attacks +FCnt manipulation + So if the FCnt value is altered to maximum value? + Should be ignored when checking the MIC + Otherwise discard all future messages = bricked device

69 LoRaWAN Security Application Messaging Attacks +Counters are not incremented - Could XOR out the plain text + FCnt increments with each message + Used to keep keystream unique + If FCnt doesn t increment? + Or if we reset the FCnt?

70 LoRaWAN Security Application Messaging Attacks +Counters are not incremented - Could XOR out the plain text a b=c c b=a + So if the same keystream is used twice then we could try to derive the message

71 LoRaWAN Security Application Messaging Attacks +Duplicate keys in use - If one node is compromised then all traffic can be read and spoofed + Symmetric key issue

72 LoRaWAN Security + Messaging MAC Only data messages +MAC commands are used by network server for network administration +Use the NwkSKey for both encryption and signing

73 LoRaWAN Security + Messaging MAC Only data messages +Commands include: + Get Device status + Change data rate/transmit power/ channel + Change reception slot parameters + Modify the definition of a radio channel + Proprietary

74 LoRaWAN Security + Messaging MAC Only data messages + Why is this interesting? Network key / NwkSKey: a fixed network key for all The Things Network devices. It is 2B7E151628AED2A6ABF CF4F3C

75 LoRaWAN Security + Messaging MAC Only data messages +So an attacker can: + Get Device status + Change data rate/transmit power/ channel + Change reception slot parameters + Modify the definition of a radio channel + Proprietary

76 LoRaWAN Security - Joining + Over the Air Activation - Tests Issue The server does not check whether the node hasn t already Effect replay attacks would cause a DoS App keys can be guessed App keys can be guessed Replay attacks would cause a DoS to future devices MitM of join request would allow offline brute force of keys

77 + Key Management

78 LoRaWAN Security + Key Management servers + Simple enough problem + Network Server and Application Server need access to key database + Represents a single point of failure

79 LoRaWAN Security + Key Management servers - Tests Issue Server access is not restricted Effect Malicious employee/attacker can now decrypt and spoof messages Server access is not restricted Server runs on corporate IT network Malicious employee/attacker can encrypt/delete the database shutting down the whole system A second DHCP server? LoRa system stops functioning

80 LoRaWAN Security + Key Management in s + Physical attacks LoRa LoRaWAN I/O MCU UART Transceiver Antenna

81 Key Management in s + s store App and Nwk key + Should be unique per node

82 Key Management in s + Physical attacks RN2483 Transceiver Contains keys

83 Key Management in s + Physical attacks + Steal keys from a node + Steal firmware from the transceiver (parsing bugs?)

84 Key Management in s + Physical attacks Debug interfaces? + Can we just read data/program memory?

85 Key Management in s + Physical attacks Debug interfaces?

86 Key Management in s + Physical attacks Debug interfaces? PIC18LF MCU

87 Key Management in s + Physical attacks Debug interfaces?

88 Key Management in s + Physical attacks Debug interfaces?

89 Key Management in s + Physical attacks Debug interfaces?

90 Key Management in s + Physical attacks Side Channel? + Nothing mentioned in PIC18LF4xK22 datasheet + Could be protected using particular AES libraries

91 Key Management in s + Proxying data through Transceiver LoRa LoRaWAN I/O MCU UART Transceiver Antenna

92 Key Management in s + Proxying data through Transceiver LoRa Malicious LoRaWAN MCU UART Transceiver Antenna

93 LoRaWAN Security + Key Management nodes - Tests Issue Attacker has physical access to device Effect Attacker could recover keys Attacker has physical access to device Attacker could send their own data in place of regular data without affecting encryption/signing

94 Internet Facing Components

95 LoRaWAN Security +Traditional attacks + Internet facing components Gateway Network Server Gateway

96 LoRaWAN Security +Traditional attacks + Internet facing components Gateway 3G INTERNET WEB SERVICE Network Server Gateway 3G

97 LoRaWAN Security + Internet Facing Components - Tests Issue Network server s web services are Internet facing Effect DDoS could cause LoRa system to sending/ receiving data Network server s web services are Internet facing Malicious data can be sent by anyone Gateways are configured to be Internet facing Management services could be compromised

98 LoRaWAN Security + Network Server s web service + LoRaWAN messages are protected using encryption and signing + Remember we can affect the data (XOR attack)? + MIC is 4 bytes = 2^32 = ~4.3 billion attempts + Are you watching for errors?

99 LoRaWAN Security +Internet facing components protection + Private APN (creds + whitelisted IMSI) + VPN to ONLY web service Gateway 3G INTERNET WEB SERVICE Network Server Gateway 3G

100 Class B Specific Attacks

101 Class B Networks +Class B Networks - Tests Issue Shared Keys between s Effect Attacker could message to/from multiple s Shared Keys between s Key storage/distribution could be compromised Gateway Beacons are not secured Gateway Beacons are not secured Malicious Beacons with bad Time values could cause DoS against multiple hosts (DoDS?) Custom Network messages could be duplicated by attacker

102 Class B Networks The LoRaWAN Class B specification does not specify means to remotely setup such a multicast group or securely distribute the required multicast key material. They are not allowed to carry MAC commands, neither in the FOpt field, nor in the payload on port 0 because a multicast downlink does not have the same authentication robustness as a unicast frame

103 Class B Networks Class B = Be Careful

104 Class B Networks + Multicast Messages + If you only use shared keys + Compromised keys = Whole networks compromised + Need to switch over to shared keys during multicast window + Is this possible?

105 Class B Networks - Multicast Messages + Gateway Beacons + Contain GPS coordinates of the Gateway without encryption or signing - Can also send network specific broadcasts + Used by s for timing

106 In Summary

107 LoRaWAN - Summary + It is possible to build a secure LoRAWAN system + But not guaranteed

108 LoRaWAN - Summary

109 LoRaWAN - Summary

110 LoRaWAN - Summary

111 LoRaWAN - Summary

LORA / LORAWAN TUTORIAL 21

LORA / LORAWAN TUTORIAL 21 OTAA, ABP & LoRaWAN Security v1.0.0 INTRO In this tutorial I will explain how Over-The-Air-Activation (OTAA) and Activation-By- Personalisation (ABP) works. LORAWAN 1.0.2 SPECIFICATION