Attacking and Defending LoRa systems. LoRa the Explorer 22/03/2016
|
|
- Byron Williams
- 5 years ago
- Views:
Transcription
1 Attacking and Defending LoRa systems LoRa the Explorer 22/03/2016
2 LoRa the Explorer 1.What is LoRa / LoRaWAN? 2.LoRaWAN Security Features 3.How to test LoRa systems
3 Introduction Introductions
4 Introduction + Me + Security Consultant / MWR UK + Android Security + Head of OT Security practice
5 Why LoRa?
6 Why LoRa?
7 Why LoRa? + Protocols in use by industry
8 Why LoRa? + Protocols in use by industry + Assumptions:
9 Why LoRa? + Protocols in use by industry + Reality:???
10 Power usage Why LoRa? WiFi Cellular Satellite Bluetooth Z-Wave BTLE ZigBee LPWAN NFC <10 Meters Range 10s Kilometres+
11 Why LoRa? + LPWAN Low Power Wide Area Network + Low Power (for end nodes) + Range of many kilometres + Low bit rate + Possible using clever modulation + Cheap!
12 Why LoRa? + LPWAN What is it good for? + Infrastructure + Smart City + Logistics
13 Why LoRa? + Main LPWAN modulation technologies + UNB + NarrowBand (cellular) (NB-IoT/NB-CioT/LTE-IoT) + LoRa
14 Why LoRa? + Main LPWAN modulation technologies UNB Cellular NB LoRA NB-LTE NB-IoT NB-CioT
15 Why LoRa?
16 Why LoRa? + Main LPWAN semiconductor groups Sigfox(UNB) Cellular NB LoRaWAN
17 Why LoRa? + Main LPWAN Telcos Sigfox(UNB) Cellular NB LoRaWAN
18 Introduction + Why Research LoRa?
19 Why LoRa? + Why research LoRaWAN? + Open source specification + Already being rolled out in multiple countries + Planning to be used for a number of purposes: + Railway level crossings + Burglar alarms + Monitoring Industrial Control Systems (ICS)
20 Why LoRa? + Current LoRaWAN security information? From sales staff: It uses AES128bit encryption! Or from the official Spec:
21 Why LoRa? + Questions from clients? Is it safe enough to use for $SOLUTION? Which of these two LoRa vendors is more secure?
22 Why LoRa? + Research Goals 1. To find whether it is possible to use LoRaWAN securely 2. To identify key security controls that must be in place 3. To produce a list of tests that can assess these controls in a LoRaWAN system
23 Why LoRa? Review Specification Review Implementations Produce Security Paper Produce Tools to Fill the Gap
24 Introduction + What is LoRa and LoRaWAN?
25 What is LoRaWAN? + LoRa -> LoRaWAN LoRa = Proprietary modulation scheme (PHY layer) Patented by Semtech, licenced to others LoRaWAN = MAC layer Open standard maintained by LoRa Alliance
26 What is LoRaWAN? + LoRa Systems have: s Gateways Network Server
27 LoRaWAN network
28 LoRaWAN network Gateway Gateway
29 LoRaWAN network Application Server Gateway Network Server Application Server Gateway Application Server
30 LoRaWAN network Application Server Gateway Network Server Application Server Gateway Application Server
31 LoRaWAN network Application Server Gateway Network Server Application Server Gateway Application Server
32 LoRaWAN network Application Server Gateway Network Server Application Server Gateway Application Server
33 LoRaWAN network
34 LoRaWAN Security
35 LoRaWAN network Application Server Gateway Network Server Application Server Gateway Application Server
36 LoRaWAN Security
37 LoRaWAN network Application Server Gateway Network Server Application Server Gateway Application Server
38 LoRaWAN network Packet DATA Application Server Gateway Check Packet Sig. Decrypt DATA Network Application Server Server Gateway Application Server
39 LoRaWAN network Packet CMD Encrypt command Application Server Gateway Sign Packet Network Server Application Server Gateway Application Server
40 Joining a node to the network
41 LoRaWAN Security - Joining + Joining + Two options 1. Activation by personalisation: s are shipped with the network and application keys already configured
42 LoRaWAN Security - Joining + Joining + Two options 2. Over the Air Activation s are shipped with an application key, which is then used to derive the application session key and network session key
43 LoRaWAN Security - Joining + Over the Air Activation + Each node is shipped with a unique Application ID, device ID and application key
44 LoRaWAN Security - Joining Join-request ( AppEUI, DevEUI, DevNonce) signed with AppKey Server
45 LoRaWAN Security - Joining + Over the Air Activation Message: App ID, Device ID, Device Nonce Signed with the appkey (aes128_hmac)
46 LoRaWAN Security - Joining Generates AppNonce and then calculates AppSKey and NwkSKey Server
47 LoRaWAN Security - Joining + Over the Air Activation + Next step? Up to the server + It should retrieve the status for that node + Then get the application key + It should recreate the MIC + If successful then calculate and return the Network session and Application session keys (encrypted and signed with the app key)
48 LoRaWAN Security - Joining + Over the Air Activation NwkSKey = aes128_encrypt(appkey, 0x01 AppNonce NetID DevNonce pad16) AppSKey = aes128_encrypt(appkey, 0x02 AppNonce NetID DevNonce pad16)
49 LoRaWAN Security - Joining Join-accept (appnonce, NetID, DevAddr) encrypted and signed with AppKey Server
50 LoRaWAN Security - Joining Uses AppNonce to calculate AppSKey and NwkSKey Server
51 LoRaWAN Security - Joining Server
52 Messaging
53 LoRaWAN Security - Messaging + s use the NwkSKey and AppSKey to send messages + For application messages + Encrypt with AppSKey + Sign with NwkSKey
54 LoRaWAN Security - Messaging + s use the NwkSKey and AppSKey to send messages + For Network messages + Encrypt with NwkSKey + Sign with NwkSKey
55 LoRaWAN Security Application Messaging + Messaging Application messages + AES128 in Counter mode (CTR) + Uses counters (FCntUp and FCntDown) i = 1..k where k = ceil(len(frmpayload) / 16) A i = (0x01 (0x00 * 4) Dir DevAddr FCntUp or FCntDown 0x00 i) S i = aes128_encrypt(k,a i ), for i = 1..k S = S 1 S 2.. S k
56 LoRaWAN Security Application Messaging + + XOR message with keystream MAC Payload: FHDR Fport FRMPayload PHY Payload: MHDR MACPayload MIC
57 Class B LoRa systems
58 Class B system + How do Class B systems differ? + What if the nodes move? + What if the network server wants to initiate messages?
59 Class B systems + How do Class B systems differ? + Gateways provide simultaneous GPS/timestamp broadcasts + Used by nodes that need to update the network server with their location
60 Class B systems + How do Class B Systems differ? + s use these to create time windows to listen in + Allows multicast messages
61 But is it secure?
62 Complex systems = ~insecure systems
63 + Testing
64 LoRaWAN Security Application Messaging + Messaging - Tests Issue Decryption is performed before MIC is checked Effect Attacker could attempt to flip bits Decryption is performed before MIC is checked FCnt manipulation is possible leading to DoS Counters are not incremented AppSKeys / NwkSKeys are not unique Could XOR out the plain text If one node is compromised then all traffic can be read and spoofed
65 LoRaWAN Security Application Messaging Attacks +Decryption is performed before MIC is checked alter cipher-text { ID : 34, Temp : 24 } Encrypted produces: 750f7f9b6366b fb36fdbe51a3dcc1a85d463d70
66 LoRaWAN Security Application Messaging Attacks +Decryption is performed before MIC is checked alter cipher-text { ID : 34, Temp : 24 } Encrypted produces: 750f7f9b6366b fb36fdbe51a3dcc1a85d463d70 If we change 5d to 5a, then decrypt: { ID : 34, Temp : 54 }
67 LoRaWAN Security Application Messaging Attacks +FCnt manipulation + Messages contain FCntUp or FCntDown + Must be in sync, discarded if less than previous + Updates using most recent message
68 LoRaWAN Security Application Messaging Attacks +FCnt manipulation + So if the FCnt value is altered to maximum value? + Should be ignored when checking the MIC + Otherwise discard all future messages = bricked device
69 LoRaWAN Security Application Messaging Attacks +Counters are not incremented - Could XOR out the plain text + FCnt increments with each message + Used to keep keystream unique + If FCnt doesn t increment? + Or if we reset the FCnt?
70 LoRaWAN Security Application Messaging Attacks +Counters are not incremented - Could XOR out the plain text a b=c c b=a + So if the same keystream is used twice then we could try to derive the message
71 LoRaWAN Security Application Messaging Attacks +Duplicate keys in use - If one node is compromised then all traffic can be read and spoofed + Symmetric key issue
72 LoRaWAN Security + Messaging MAC Only data messages +MAC commands are used by network server for network administration +Use the NwkSKey for both encryption and signing
73 LoRaWAN Security + Messaging MAC Only data messages +Commands include: + Get Device status + Change data rate/transmit power/ channel + Change reception slot parameters + Modify the definition of a radio channel + Proprietary
74 LoRaWAN Security + Messaging MAC Only data messages + Why is this interesting? Network key / NwkSKey: a fixed network key for all The Things Network devices. It is 2B7E151628AED2A6ABF CF4F3C
75 LoRaWAN Security + Messaging MAC Only data messages +So an attacker can: + Get Device status + Change data rate/transmit power/ channel + Change reception slot parameters + Modify the definition of a radio channel + Proprietary
76 LoRaWAN Security - Joining + Over the Air Activation - Tests Issue The server does not check whether the node hasn t already Effect replay attacks would cause a DoS App keys can be guessed App keys can be guessed Replay attacks would cause a DoS to future devices MitM of join request would allow offline brute force of keys
77 + Key Management
78 LoRaWAN Security + Key Management servers + Simple enough problem + Network Server and Application Server need access to key database + Represents a single point of failure
79 LoRaWAN Security + Key Management servers - Tests Issue Server access is not restricted Effect Malicious employee/attacker can now decrypt and spoof messages Server access is not restricted Server runs on corporate IT network Malicious employee/attacker can encrypt/delete the database shutting down the whole system A second DHCP server? LoRa system stops functioning
80 LoRaWAN Security + Key Management in s + Physical attacks LoRa LoRaWAN I/O MCU UART Transceiver Antenna
81 Key Management in s + s store App and Nwk key + Should be unique per node
82 Key Management in s + Physical attacks RN2483 Transceiver Contains keys
83 Key Management in s + Physical attacks + Steal keys from a node + Steal firmware from the transceiver (parsing bugs?)
84 Key Management in s + Physical attacks Debug interfaces? + Can we just read data/program memory?
85 Key Management in s + Physical attacks Debug interfaces?
86 Key Management in s + Physical attacks Debug interfaces? PIC18LF MCU
87 Key Management in s + Physical attacks Debug interfaces?
88 Key Management in s + Physical attacks Debug interfaces?
89 Key Management in s + Physical attacks Debug interfaces?
90 Key Management in s + Physical attacks Side Channel? + Nothing mentioned in PIC18LF4xK22 datasheet + Could be protected using particular AES libraries
91 Key Management in s + Proxying data through Transceiver LoRa LoRaWAN I/O MCU UART Transceiver Antenna
92 Key Management in s + Proxying data through Transceiver LoRa Malicious LoRaWAN MCU UART Transceiver Antenna
93 LoRaWAN Security + Key Management nodes - Tests Issue Attacker has physical access to device Effect Attacker could recover keys Attacker has physical access to device Attacker could send their own data in place of regular data without affecting encryption/signing
94 Internet Facing Components
95 LoRaWAN Security +Traditional attacks + Internet facing components Gateway Network Server Gateway
96 LoRaWAN Security +Traditional attacks + Internet facing components Gateway 3G INTERNET WEB SERVICE Network Server Gateway 3G
97 LoRaWAN Security + Internet Facing Components - Tests Issue Network server s web services are Internet facing Effect DDoS could cause LoRa system to sending/ receiving data Network server s web services are Internet facing Malicious data can be sent by anyone Gateways are configured to be Internet facing Management services could be compromised
98 LoRaWAN Security + Network Server s web service + LoRaWAN messages are protected using encryption and signing + Remember we can affect the data (XOR attack)? + MIC is 4 bytes = 2^32 = ~4.3 billion attempts + Are you watching for errors?
99 LoRaWAN Security +Internet facing components protection + Private APN (creds + whitelisted IMSI) + VPN to ONLY web service Gateway 3G INTERNET WEB SERVICE Network Server Gateway 3G
100 Class B Specific Attacks
101 Class B Networks +Class B Networks - Tests Issue Shared Keys between s Effect Attacker could message to/from multiple s Shared Keys between s Key storage/distribution could be compromised Gateway Beacons are not secured Gateway Beacons are not secured Malicious Beacons with bad Time values could cause DoS against multiple hosts (DoDS?) Custom Network messages could be duplicated by attacker
102 Class B Networks The LoRaWAN Class B specification does not specify means to remotely setup such a multicast group or securely distribute the required multicast key material. They are not allowed to carry MAC commands, neither in the FOpt field, nor in the payload on port 0 because a multicast downlink does not have the same authentication robustness as a unicast frame
103 Class B Networks Class B = Be Careful
104 Class B Networks + Multicast Messages + If you only use shared keys + Compromised keys = Whole networks compromised + Need to switch over to shared keys during multicast window + Is this possible?
105 Class B Networks - Multicast Messages + Gateway Beacons + Contain GPS coordinates of the Gateway without encryption or signing - Can also send network specific broadcasts + Used by s for timing
106 In Summary
107 LoRaWAN - Summary + It is possible to build a secure LoRAWAN system + But not guaranteed
108 LoRaWAN - Summary
109 LoRaWAN - Summary
110 LoRaWAN - Summary
111 LoRaWAN - Summary
LORA / LORAWAN TUTORIAL 21
LORA / LORAWAN TUTORIAL 21 OTAA, ABP & LoRaWAN Security v1.0.0 INTRO In this tutorial I will explain how Over-The-Air-Activation (OTAA) and Activation-By- Personalisation (ABP) works. LORAWAN 1.0.2 SPECIFICATION
More informationIoT connectivity made easier STM32 MCUs & LoRa
IoT connectivity made easier STM32 MCUs & LoRa Summary 2 1. What is IoT? 2. Communication technologies Overview 3. LPWAN 4. LoRa and LoRa Alliance 5. LoRa technology modulation and LoRaWAN network protocol
More informationManual Nexus LoRaWAN
Manual Nexus LoRaWAN Date: 13-04-2017 Version: 2.0 Title: Manual Nexus LoRaWAN 1 Revision history Version Date Changes 1.0 16-02-2017 First release 2.0 13-04-2017 Added OTAA for TTN 1.1 Contact Ideetron
More informationPRELIMINARY embit s.r.l.
Embit Binary Interface - LoRa TM -specific Documentation PRELIMINARY embit s.r.l. Document information Versions & Revisions Revision Date Author Comments 0.9l 2015-10-29 Embit Preliminary 0.9m 2015-12-17
More informationNOTICE OF USE AND DISCLOSURE Copyright LoRa Alliance, Inc. (2017). All Rights Reserved.
0 0 0 0 Technical Recommendations for Preventing State Synchronization Issues around LoRaWAN.0.x Join Procedure Copyright 0 LoRa Alliance, Inc. All rights reserved. NOTICE OF USE AND DISCLOSURE Copyright
More informationWhat is LoRa & LoRaWAN
LORA / LORAWAN TUTORIAL 2 What is LoRa & LoRaWAN v1.0.0 INTRO In this tutorial I will explain what the difference is between LoRa and LoRaWAN. Several products will be shown in this video. They are not
More informationFinal Test Report on. Module LoRaWAN 915 (ARF8133A) Test Report Reference: MDE_ADEUNIS_1801_01. Date: Place linked footer document here.
Final Test Report on Module LoRaWAN 915 (ARF8133A) Test Report Reference: MDE_ADEUNIS_1801_01 Date: 2018-05-18 Place linked footer document here. Table of Contents 1 Administrative Data 3 1.1 Project Information
More informationFinal Test Report on WSL02-A0. Test Report Reference: MDE_FRIEND_1802_02. Date: Place linked footer document here.
Final Test Report on WSL02-A0 Test Report Reference: MDE_FRIEND_1802_02 Date: 2018-07-11 Place linked footer document here. Table of Contents 1 Administrative Data 3 1.1 Project Information 3 1.2 Applicant
More informationINTEGRATION OF LORA WIDE AREA NETWORK WITH THE 5G TEST NETWORK
DEGREE PROGRAMME IN WIRELESS COMMUNICATIONS ENGINEERING MASTER S THESIS INTEGRATION OF LORA WIDE AREA NETWORK WITH THE 5G TEST NETWORK Author Supervisor Second Examiner Technical Advisor Rumana Yasmin
More informationLow Power Wide Area Network (LPWAN) Presented By: Dr. Hafiz Yasar Lateef Director, Telxperts Pty Ltd.
Low Power Wide Area Network (LPWAN) Presented By: Dr. Hafiz Yasar Lateef Director, Telxperts Pty Ltd. Low Power Wide Area Network (LPWAN) q Low-Power WAN Technologies are designed for machine-to-machine
More informationOutline : Wireless Networks Lecture 10: Management. Management and Control Services : Infrastructure Reminder.
Outline 18-759: Wireless Networks Lecture 10: 802.11 Management Peter Steenkiste Departments of Computer Science and Electrical and Computer Engineering Spring Semester 2016 http://www.cs.cmu.edu/~prs/wirelesss16/
More informationLoRa APPLICATIONS METOVA
LoRa APPLICATIONS LoRa NETWORK End Nodes Concentrator/Gateway Application Server pet tracking smoke alarm Network Server water meter trash container 3G / Ethernet Backhaul vending machine gas monitoring
More informationGIoT Femto Cell User Guide
Document Number GIoT Femto Cell User Guide Table of Contents TABLE OF CONTENTS... 1 GIOT FEMTO CELL - PRODUCT INTRODUCTION... 5 PRODUCT DESIGN... 5 PRODUCT FEATURES... 5 PRODUCT DETAILS... 6 LED Indicators...
More informationUsing Blockchain Technology to Build Trust in Sharing LoRaWAN IoT
Using Blockchain Technology to Build Trust in Sharing LoRaWAN IoT Jun Lin The Joint NTU-UBC Research Centre of Excellence in Active Living for the Elderly Nanyang Technological University Singapore junlin@ntu.edu.sg
More informationTest Report LoRa Alliance End Device Certification Requirements
Test report No: NIE: Test Report LoRa Alliance End Device Certification Requirements Identification of item tested... : Trademark... : DUT... : Model or type reference... : LoRa module ewbm Co., Ltd. 420150600_DLS76_01K41
More informationTest Report on. Bridge. Test Report Reference: MDE_HR_1801_03. Date: Place linked footer document here.
Test Report on Bridge Test Report Reference: MDE_HR_1801_03 Date: 2018-05-24 Place linked footer document here. Table of Contents 1 Administrative Data 3 1.1 Project Information 3 1.2 Applicant Information
More informationLoRa Device Developer Guide
LoRa Device Developer Guide Discover all Orange IoT solutions for developers & device-makers In collaboration with Credits This LoRa Device Developer Guide is an initiative by developed in collaboration
More informationMobile and Wireless Compu2ng CITS4419 Week 4: LoRa
Mobile and Wireless Compu2ng CITS4419 Week 4: LoRa Associate Professor Rachel Cardell-Oliver School of Computer Science & So;ware Engineering semester-2 2018 Low Power Wide Area Networks LPWAN Short range
More informationIntended status: Standards Track Expires: July 22, 2016 January 19, 2016
Network Working Group M. Boucadair Internet-Draft C. Jacquenet Intended status: Standards Track Orange Expires: July 22, 2016 January 19, 2016 Abstract RADIUS Extensions for Network-Assisted Multipath
More informationMobile Security Fall 2013
Mobile Security 14-829 Fall 2013 Patrick Tague Class #6 More WiFi Security & Privacy Issues WiFi Security Issues A Scenario Internet Open AP SSID Network X Open OpenAP AP SSID Attacker Network X LaptopLaptop
More informationNOTICE OF USE AND DISCLOSURE Copyright LoRa Alliance, Inc. (2018). All Rights Reserved.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 LoRaWAN Application Layer Clock Synchronization Specification v1.0.0 Copyright 2018 LoRa Alliance,
More informationEclipse IOT day April 3016 LoRa Overview. Wyres SAS 2016
Eclipse IOT day April 3016 LoRa Overview brian.wyld@wyres.fr www.wyres.eu Wyres SAS 2016 Contents LoRa objectives LoRa PHY overview Licenses / State regulation LoRa MAC : LoRaWAN Other MAC protocols Technology
More informationCisco LoRaWAN Technical Overview
BRKIOT-1291 Cisco LoRaWAN Technical Overview Patrick Grossetete, Technical Marketing Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in
More informationNovember 16, Gildas Avoine Loïc Ferreira. Rescuing LoRaWAN 1.0. Workshop CRYPTACUS
November 16, 2017 Gildas Avoine Loïc Ferreira Rescuing LoRaWAN 1.0 Workshop CRYPTACUS 1 Internet of Things 20 billion internet-connected things by 2020 [Gartner] Main domains smart home (Zigbee, Z-Wave,
More informationNetwork Encryption 3 4/20/17
The Network Layer Network Encryption 3 CSC362, Information Security most of the security mechanisms we have surveyed were developed for application- specific needs electronic mail: PGP, S/MIME client/server
More informationRAK811 TrackerBoard User Manual V1.0
RAK811 TrackerBoard User Manual V1.0 2017 Rakwireless all rights reserved. Mentioned in this document, the actual company and product names, trademarks are their respective owners. After update the new
More informationWelcome to my presentation: Message Denial and Alteration on IEEE Low- Power Radio Networks.
Welcome to my presentation: Message Denial and Alteration on IEEE 802.15.4 Low- Power Radio Networks. This presentation discusses the susceptibility of IEEE 802.15.4 radio networks to several different
More informationSmart IoT Wireless Sensor Node using XMEGA AU MCU and LoRa Technology
Smart IoT Wireless Sensor Node using XMEGA AU MCU and LoRa Technology Introduction When we talk about the Internet of Things, it s all about embedding intelligence, so things become smarter and do more
More informationRHF Ai-Thinker. How To Use Ai-Thinker s LoRaWAN Modem. Document information. Ho To Use LoRaWAN Modem V0.1. Keywords
RHF76-052 How To Use Ai-Thinker s LoRaWAN Modem V0.1 Document information Info Keywords Abstract Content LoRaWAN, IoT, Point to Point, Custom, full-duplex RHF76-052 This document shows customer how to
More informationSensor-to-cloud connectivity using Sub-1 GHz and
Sensor-to-cloud connectivity using Sub-1 GHz and 802.15.4 Nick Lethaby, IoT, Ecosystem Manager, Texas Instruments Agenda Key design considerations for a connected IoT sensor Overview of the Sub-1 GHz band
More information05 - WLAN Encryption and Data Integrity Protocols
05 - WLAN Encryption and Data Integrity Protocols Introduction 802.11i adds new encryption and data integrity methods. includes encryption algorithms to protect the data, cryptographic integrity checks
More informationHow Insecure is Wireless LAN?
Page 1 of 7 How Insecure is Wireless LAN? Abstract Wireless LAN has gained popularity in the last few years due to its enormous benefits such as scalability, mobile access of the network, and reduced cost
More informationTOBIAS ZILLNER ZIGBEE EXPLOITED THE GOOD, THE BAD AND THE UGLY
TOBIAS ZILLNER ZIGBEE EXPLOITED THE GOOD, THE BAD AND THE UGLY TOBIAS ZILLNER ABOUT ME Senior IS Auditor @ Cognosec in Vienna Penetration Testing, Security Audits & Consulting IoT Security Research, Playing
More informationI-GREENHOUSE Aquaponics connected greenhouse
April, 2018 I-GREENHOUSE Aquaponics connected greenhouse Project carried out by SURIER GAROFALO Aurélien FERREIRA Joffrey OZENDA Thomas Tutored by PALIX Nicolas Summary Introduction I - Project bases 1
More informationKRACKing WPA2 by Forcing Nonce Reuse. Mathy Chaos Communication Congress (CCC), 27 December 2017
KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chaos Communication Congress (CCC), 27 December 2017 Introduction PhD Defense, July 2016: You recommend WPA2 with AES, but are you sure that
More informationztrack Pro LoRaWAN GPS Tracker User Guide
ztrack Pro LoRaWAN GPS Tracker User Guide Introduction ztrack Pro is a revolutionally small LoRaWAN based GPS tracking device. The device is widely used to track pets, children, bicycles, elderly people,
More informationImproved KRACK Attacks Against WPA2 Implementations. Mathy OPCDE, Dubai, 7 April 2018
Improved KRACK Attacks Against WPA2 Implementations Mathy Vanhoef @vanhoefm OPCDE, Dubai, 7 April 2018 Overview Key reinstalls in 4-way handshake New KRACKs Practical impact Lessons learned 2 Overview
More informationConfiguring WEP and WEP Features
CHAPTER 9 This chapter describes how to configure Wired Equivalent Privacy (WEP), Message Integrity Check (MIC), and Temporal Key Integrity Protocol (TKIP). This chapter contains these sections: Understanding
More informationWireless Network Security Spring 2015
Wireless Network Security Spring 2015 Patrick Tague Class #7 More WiFi Security 2015 Patrick Tague 1 Class #7 Continuation of WiFi security 2015 Patrick Tague 2 Device Private WiFi Networks AP Local AAA
More informationKRACKing WPA2 by Forcing Nonce Reuse. Mathy Nullcon, 2 March 2018
KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Nullcon, 2 March 2018 Introduction PhD Defense, July 2016: You recommend WPA2 with AES, but are you sure that s secure? Seems so! No attacks
More informationAuftrags-Nr.: Seite 1 von Auftragsdatum :
Prüfbericht-Nr.: Auftrags-Nr.: Seite 1 von 8 16093001 001 89210788 Test Report No.: Order No.: Page 1 of 8 Kunden Referenz-Nr.: 24095126 Auftragsdatum : 20-11-2016 Client Reference No.: Order date: Auftraggeber:
More informationh.usriot.com WH-L100 User Manual
WH-L100 User Manual File Version: V1.0.0.01 1 Contents WH-L100 User Manual... 1 Features... 4 1.Get Start... 5 1.1.Product introduction... 5 1.2.Basic parameters... 5 1.3.Dimension... 5 2.Configure module
More informationTable of Contents 1 WLAN Security Configuration Commands 1-1
Table of Contents 1 WLAN Security Configuration Commands 1-1 authentication-method 1-1 cipher-suite 1-2 gtk-rekey client-offline enable 1-2 gtk-rekey enable 1-3 gtk-rekey method 1-4 ptk-lifetime 1-5 security-ie
More informationLoRa - LoRaWAN - LRSC. Wireless Long Range Network for M2M Communication
Marcus Oestreicher oes@zurich.ibm.com LoRa - LoRaWAN - LRSC Wireless Long Range Network for M2M Communication Overview Introduction LoRa LoRaWAN LRSC Use Cases Introduction IBM Research Zurich BlueZ Business
More informationHAI Network Communication Protocol Description
Home Automation, Inc. HAI Network Communication Protocol Description This document contains the intellectual property of Home Automation, Inc. (HAI). HAI authorizes the use of this information for the
More informationTest Report on. Globalsat LM-130H1. Test Report Reference: MDE_BVADT_1705_01. Date:
Test Report on Globalsat LM-130H1 Test Report Reference: MDE_BVADT_1705_01 Date: 2017-12-07 Test Laboratory: 7layers GmbH Borsigstraße 11 40880 Ratingen Germany Note: The following test results relate
More informationAnalysis of Security or Wired Equivalent Privacy Isn t. Nikita Borisov, Ian Goldberg, and David Wagner
Analysis of 802.11 Security or Wired Equivalent Privacy Isn t Nikita Borisov, Ian Goldberg, and David Wagner WEP Protocol Wired Equivalent Privacy Part of the 802.11 Link-layer security protocol Security
More informationSemtech Alliance T. Melly - 24th November 2015
Semtech Alliance T. Melly - 24th November 2015 IoT Segment Trade-offs LAN Short Range Communicating Devices LPWAN Long Range w/ Battery Internet of Objects Cellular Long Range w/power Traditional M2M Well
More informationKey Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Mathy CCS 2017, 1 October 2017
Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef @vanhoefm CCS 2017, 1 October 2017 Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned 2 Overview
More informationZIGBEE. Erkan Ünal CSE 401 SPECIAL TOPICS IN COMPUTER NETWORKS
ZIGBEE Erkan Ünal CSE 401 SPECIAL TOPICS IN COMPUTER NETWORKS OUTLINE ZIGBEE AND APPLICATIONS IEEE 802.15.4 PROTOCOL ZIGBEE PROTOCOL ZIGBEE ALLIANCE ZIGBEE APPLICATIONS PHYSICAL LAYER MAC LAYER ZIGBEE
More informationWireless Network Security Spring 2016
Wireless Network Security Spring 2016 Patrick Tague Class #7 WiFi Security 1 Announcements Please do HW#2 in using the stable OMNET++ 4.6, not the beta version. Porting has proven difficult... Form project
More informationOSS-7 AN OPEN SOURCE DASH7 STACK
OSS-7 AN OPEN SOURCE DASH7 STACK GLENN ERGEERTS glenn.ergeerts@uantwerpen.be UNIVERSITY OF ANTWERP IMEC IDLAB http://idlab.technology http://idlab.uantwerpen.be DASH7 ALLIANCE PROTOCOL WHEN ACTIVE RFID
More informationWireless Security. Comp Sci 3600 Security. Attacks WEP WPA/WPA2. Authentication Encryption Vulnerabilities
Wireless Security Comp Sci 3600 Security Outline 1 2 3 Wired versus wireless Endpoint Access point Figure 24.1 Wireless Networking Components Locations and types of attack Outline 1 2 3 Wired Equivalent
More informationAdvanced WiFi Attacks Using Commodity Hardware
Advanced WiFi Attacks Using Commodity Hardware Mathy Vanhoef and Frank Piessens (KU Leuven) ACSAC 2014 Background WiFi assumes each station acts fairly With special hardware this isn t the case Continuous
More informationAdversary Models. CPEN 442 Introduction to Computer Security. Konstantin Beznosov
Adversary Models CPEN 442 Introduction to Computer Security Konstantin Beznosov why we need adversary models? attacks and countermeasures are meaningless without 2 elements of an adversary model objectives
More informationAuftrags-Nr.:
Prüfbericht-Nr.: Auftrags-Nr.: 31763075.002 Test Report No.: Order No.: 152357 Kunden Referenz-Nr.: Auftragsdatum: 09-06-2017 50016473 Client Reference No.: Order date: (mm-dd-yyyy) Auftraggeber: Microchip
More informationBLE Mesh Application Level Overview
A v1.0 INTRODUCTION In July of 2017, the Bluetooth SIG released Mesh Profile Specification v1.0 which describes a Mesh Profile running on top of any device which is v4.0 or newer. The goal of this document
More informationLow Throughput Networks: an approach to IoT connectivity ETSI IoT workshop October 2017
Low Throughput Networks: an approach to IoT connectivity ETSI IoT workshop 24-26 October 2017 R. Agarwal, S. Beck, Sony Semiconductor Solutions J. Bernhard, Fraunhofer IIS J. Nickalls, Telensa Limited
More information\ \ IQRF is a mature wireless technology, which can be easily integrated into any electronic product by ready-to-use transceiver modules, dramatically shortening time-to-market. Devices talking by the
More informationKRACKing WPA2 in Practice Using Key Reinstallation Attacks. Mathy BlueHat IL, 24 January 2018
KRACKing WPA2 in Practice Using Key Reinstallation Attacks Mathy Vanhoef @vanhoefm BlueHat IL, 24 January 2018 Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned
More informationTinySec: A Link Layer Security Architecture for Wireless Sensor Networks. Presented by Paul Ruggieri
TinySec: A Link Layer Security Architecture for Wireless Sensor Networks Chris Karlof, Naveen Sastry,, David Wagner Presented by Paul Ruggieri 1 Introduction What is TinySec? Link-layer security architecture
More informationSecurity in IEEE Networks
Security in IEEE 802.11 Networks Mário Nunes, Rui Silva, António Grilo March 2013 Sumário 1 Introduction to the Security Services 2 Basic security mechanisms in IEEE 802.11 2.1 Hidden SSID (Service Set
More informationSmart test and certification of wireless IoT devices
Smart test and certification of wireless IoT devices Joerg Koepp IoT Market Segment Manager COMPANY REST RICT ED Connecting Billions of Devices to the Internet of Things (IoT) short range WWAN other Wireless
More informationProduct Brief. Model: TLM922S-P01A. Ver.1.0
Product Brief Model: TLM922S-P01A Ver.1.0 1 Index 1. Overview... 3 2. Product Features... 3 3. Application... 4 4. Product Specifications... 4 5. PIN Definition... 6 6. PCB Dimension... 7 7. Pin Configuration...
More informationAuftrags-Nr.: Seite 1 von _001. Auftragsdatum :
Prüfbericht-Nr.: Auftrags-Nr.: Seite 1 von 8 17121804_001 89212868 Test Report No.: Order No.: Page 1 of 8 Kunden Referenz-Nr.: 24097922 Auftragsdatum : 17-12-2017 Client Reference No.: Order date: Auftraggeber:
More informationLora-A Revolutionary Technology for IOT LPWAN. Tony Li Vice President of China Sales and Marketing, Semtech Corporation
Lora-A Revolutionary Technology for IOT LPWAN Tony Li Vice President of China Sales and Marketing, Semtech Corporation IoT Connected Device Opportunity Ericsson Gartner 28B 21B Source:Ericsson. Ericsson
More informationResilient, crowd-sourced LPWAN infrastructure using blockchain
Resilient, crowd-sourced LPWAN infrastructure using blockchain CryBlock 18, Munich, Germany Arnaud Durand Pascal Gremaud Jacques Pasquier
More informationArm Mbed Edge. Nick Zhou Senior Technical Account Manager. Arm Tech Symposia Arm Limited
Arm Mbed Edge Nick Zhou Senior Technical Account Manager Arm Tech Symposia 2017 IoT increasing efficiency, yield, and convenience Commercial buildings Better energy & space utilization Precision farming
More information3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some
3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some popular block ciphers Triple DES Advanced Encryption
More informationLibelium Cloud Hive. Technical Guide
Libelium Cloud Hive Technical Guide Index Document version: v7.0-12/2018 Libelium Comunicaciones Distribuidas S.L. INDEX 1. General and information... 4 1.1. Introduction...4 1.1.1. Overview...4 1.2. Data
More informationSecurity Setup CHAPTER
CHAPTER 8 This chapter describes how to set up your bridge s security features. This chapter contains the following sections: Security Overview, page 8-2 Setting Up WEP, page 8-7 Enabling Additional WEP
More informationOpenSSH. 24th February ASBL CSRRT-LU (Computer Security Research and Response Team Luxembourg) 1 / 12
OpenSSH ASBL CSRRT-LU (Computer Security Research and Response Team Luxembourg) http://www.csrrt.org/ 24th February 2006 1 / 12 SSH - History 1995 Tatu Ylonen releases ssh-1.0.0 (Forms SSH Communications
More informationAchieving a legacy cellular security level. Sonia CORRARD Avnet Silica Romain Tesnière Avnet Silica
Achieving a legacy cellular security level Sonia CORRARD Avnet Silica Romain Tesnière Avnet Silica The IoT Opportunity - Highest Growth in Industrial Building & Home Automation Industrial Automation Fire
More informationRN2483_Silica Documentation
RN2483_Silica Documentation Release 0 Silica Mar 24, 2017 Contents 1 Microchip s Long Range Low Power End Node solution 3 2 INTRODUCTION 5 2.1 Developement tools...........................................
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Midterm 2 Print your name:, (last) (first) I am aware of the Berkeley Campus Code of Student Conduct and acknowledge that any academic misconduct will be reported
More informationManaging and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer
Managing and Securing Computer Networks Guy Leduc Chapter 7: Securing LANs Computer Networking: A Top Down Approach, 7 th edition. Jim Kurose, Keith Ross Addison-Wesley, April 2016. (section 8.8) Also
More informationBluetooth Smart: The Good, The Bad, The Ugly... and The Fix
Bluetooth Smart: The Good, The Bad, The Ugly... and The Fix Mike Ryan isec Partners Black Hat USA Aug 01, 2013 1 Why Bluetooth Smart? Because it's appearing EVERYWHERE 2 Why Bluetooth Smart? (2) 186% YoY
More informationGuide to Wireless Communications, 3 rd Edition. Objectives
Guide to Wireless Communications, 3 rd Edition Chapter 5 Wireless Personal Area Networks Objectives Describe a wireless personal area network (WPAN) List the different WPAN standards and their applications
More informationConfiguring Cipher Suites and WEP
10 CHAPTER This chapter describes how to configure the cipher suites required to use WPA authenticated key management, Wired Equivalent Privacy (WEP), Temporal Key Integrity Protocol (TKIP), and broadcast
More informationPulseway Security White Paper
Pulseway Security White Paper Table of Contents 1. Introduction 2. Encryption 2.1 Transport Encryption 2.2 Message Encryption 3. Brute-Force Protection 4. DigiCert Code Signing Certificate 5. Datacenter
More informationmbed OS Update Sam Grove Technical Lead, mbed OS June 2017 ARM 2017
mbed OS Update Sam Grove Technical Lead, mbed OS June 2017 ARM mbed: Connecting chip to cloud Device software Device services Third-party cloud services IoT device application mbed Cloud Update IoT cloud
More informationINTERNET OF THINGS. Eerst denken, dan doen! ELECTRONIC COMPONENT SOLUTIONS LIGHTING
INTERNET OF THINGS Eerst denken, dan doen! WIRELESS & NETWORKING DISPLAY & TOUCH LED & SOLID STATE EMBEDDED COMPUTING POWER & EMC 1 LIGHTING Alcom Electronics Independent technical distributor 35+ years
More informationCYBER ATTACKS EXPLAINED: WIRELESS ATTACKS
CYBER ATTACKS EXPLAINED: WIRELESS ATTACKS Wireless networks are everywhere, from the home to corporate data centres. They make our lives easier by avoiding bulky cables and related problems. But with these
More informationProduct Brief. Model: TLM922S-P01A. Ver.1.4
Product Brief Model: TLM922S-P01A Ver.1.4 1 Index 1. Overview... 3 2. Product Features... 3 3. Application... 4 4. Product Specifications... 4 5. PIN Definition... 5 6. PCB Dimension... 6 7. Pin Configuration...
More informationViewing Status and Statistics
CHAPTER 7 This chapter explains how to use ADU to view the client adapter s status and its transmit and receive statistics. The following topics are covered in this chapter: Overview of ADU and Statistics
More informationPwning KNX & ZigBee Networks
Pwning KNX & ZigBee Networks About US HuiYu Wu (Nicky) Bug Hunter Winner of GeekPwn 2015 Speaker of POC2017 http://www.droidsec.cn YuXiang Li (Xbalien) Major experience is in Mobile Security and found
More informationCS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis
CS-435 spring semester 2016 Network Technology & Programming Laboratory University of Crete Computer Science Department Stefanos Papadakis & Manolis Spanakis CS-435 Lecture preview 802.11 Security IEEE
More informationUsing Network Analyzer Tool to Monitor Bluetooth Mesh Traffic
Using Network Analyzer Tool to Monitor Bluetooth Mesh Traffic KEY FEATURES This training demonstrates the usage of the Network Analyzer tool provided by Silicon Labs, and applies it to monitor Bluetooth
More informationDrone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created
Drone - 2 04/12/2018 Threat Model Description Threats Threat Source Risk Status Date Created Mobile Phone: Sensitive Data Leakage Smart Devices Mobile Phone: Session Hijacking Smart Devices Mobile Phone:
More informationMost Common Security Threats (cont.)
Most Common Security Threats (cont.) Denial of service (DoS) attack Distributed denial of service (DDoS) attack Insider attacks. Any examples? Poorly designed software What is a zero-day vulnerability?
More informationOutline. TWR Module. Different Wireless Protocols. Section 7. Wireless Communication. Wireless Communication with
Section 7. Wireless Communication Outline Wireless Communication with 802.15.4/Zigbee Protocol Introduction to Freescale MC12311 802.15.4/Zigbee Protocol TWR-12311 Module TWR-MC12311 Smart Radio Features
More informationVirtual Private Networks.
Virtual Private Networks thm@informatik.uni-rostock.de http://wwwiuk.informatik.uni-rostock.de/ Content Virtual Private Networks VPN Basics Protocols (IPSec, PPTP, L2TP) Objectives of VPNs Earlier Companies
More informationChapter 24 Wireless Network Security
Chapter 24 Wireless Network Security Wireless Security Key factors contributing to higher security risk of wireless networks compared to wired networks include: o Channel Wireless networking typically
More informationUM2084 User manual. Getting started with the ultra-low-power STM32 and LoRa Nucleo pack. Introduction
User manual Getting started with the ultra-low-power STM32 and LoRa Nucleo pack Introduction The ultra-low-power STM32 and LoRa Nucleo pack (P-NUCLEO-LRWAN1) is a kit based on a NUCLEO-L073RZ board and
More informationDECT ULTRA LOW ENERGY (ULE) Technology Overview The ETSI Approach to a Mid-range Wireless Technology for IoT
DECT ULTRA LOW ENERGY (ULE) Technology Overview The ETSI Approach to a Mid-range Wireless Technology for IoT Angel Bóveda CEO, Wireless Partners S.L. ETSI Board member, co-leader of the IoT strategic group
More informationAd-hoc network possibilities inside LoRaWAN
Ad-hoc network possibilities inside LoRaWAN DANIEL LUNDELL MASTER S THESIS DEPARTMENT OF ELECTRICAL AND INFORMATION TECHNOLOGY FACULTY OF ENGINEERING LTH LUND UNIVERSITY Ad-hoc network possibilities inside
More informationA Configuration Protocol for Embedded Devices on Secure Wireless Networks
A Configuration Protocol for Embedded Devices on Secure Wireless Networks Larry Sanders lsanders@ittc.ku.edu 6 May 2003 Introduction Wi-Fi Alliance Formally Wireless Ethernet Compatibility Alliance (WECA)
More informationArm Mbed Edge. Shiv Ramamurthi Arm. Arm Tech Symposia Arm Limited
Arm Mbed Edge Shiv Ramamurthi Arm Arm Tech Symposia 2017 IoT increasing efficiency, yield, and convenience Commercial buildings Better energy & space utilization Precision farming and connected sites Increased
More informationOnboardICNg: a Secure Protocol for On-boarding IoT Devices in ICN
OnboardICNg: a Secure Protocol for On-boarding IoT Devices in ICN Alberto Compagno 1,3, Mauro Conti 2 and Ralph Droms 3 1 Sapienza University of Rome 2 University of Padua 3 Cisco Systems 3rd ACM Conference
More informationZigBee Security Specification Overview
Wireless Control That Simply Works ZigBee Security Specification Overview Copyright 2005 ZigBee TM Alliance. All Rights Reserved. Agenda ZigBee Security Overview Residential Applications Guidelines Typical
More information