November 16, Gildas Avoine Loïc Ferreira. Rescuing LoRaWAN 1.0. Workshop CRYPTACUS

Similar documents
IoT connectivity made easier STM32 MCUs & LoRa

LoRa - LoRaWAN - LRSC. Wireless Long Range Network for M2M Communication

Attacking and Defending LoRa systems. LoRa the Explorer 22/03/2016

Eclipse IOT day April 3016 LoRa Overview. Wyres SAS 2016

Semtech Alliance T. Melly - 24th November 2015

What is LoRa & LoRaWAN

RAK811 LoRa / LoRAWAN module (based on SX1276) 868/915MHz up to 3km range

Test Report LoRa Alliance End Device Certification Requirements

Low Power Wide Area Network (LPWAN) Presented By: Dr. Hafiz Yasar Lateef Director, Telxperts Pty Ltd.

NOTICE OF USE AND DISCLOSURE Copyright LoRa Alliance, Inc. (2017). All Rights Reserved.

Lora-A Revolutionary Technology for IOT LPWAN. Tony Li Vice President of China Sales and Marketing, Semtech Corporation

Seminar: Mobile Systems. Krzysztof Dabkowski Supervisor: Fabio Hecht

Sensor-to-cloud connectivity using Sub-1 GHz and

RWC5020A LoRaWAN Tester

WiMAX Security: Problems & Solutions

The Things Industries announces a $69 LoRaWAN indoor gateway and $399 4G industrial gateway

Emerging Wireless Bearers for Mission Critical SCADA

Test Report on. Bridge. Test Report Reference: MDE_HR_1801_03. Date: Place linked footer document here.

Meters and More. Dr. Robert Denda Chairman of the Technical Committee for Protocol Specifications

Smart test and certification of wireless IoT devices

Resilient, crowd-sourced LPWAN infrastructure using blockchain

Jean-Pierre Desbenoit, Vice Chair ZigBee Alliance Mark Walters, VP Strategic Development ZigBee Alliance ZigBee Alliance. All rights reserved.

ETSI STANDARDS FOR THE SMART HOME: DECT ULTRA LOW ENERGY Standard overview and future standarization needs Angel Bóveda

Automotive Security An Overview of Standardization in AUTOSAR

WiMOD LoRaWAN EndNode Modem HCI Specification

Test Report on. Globalsat LM-130H1. Test Report Reference: MDE_BVADT_1705_01. Date:

05 - WLAN Encryption and Data Integrity Protocols

Internet of Things: connecting everything

Specifications of Cryptographic Algorithm Implementation Testing Message Authentication

Authenticated Encryption

Revision History Revision 0 (T10/06-225r0): Posted to the T10 web site on 4 May 2006.

ResIOT LoRaWAN Network Server and IoT Platform v (01/04/2019)

show crypto group summary, page 1 show crypto ikev2-ikesa security-associations summary spi, page 2

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

DYNAMIC SMART WIRELESS

Sensor Networks. Xueying Zhang, Howard M. Heys, and Cheng Li. Electrical and Computer Engineering. Faculty of Engineering and Applied Science

DECT ULTRA LOW ENERGY (ULE) Technology Overview The ETSI Approach to a Mid-range Wireless Technology for IoT

Cryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption

ZIGBEE. Erkan Ünal CSE 401 SPECIAL TOPICS IN COMPUTER NETWORKS

I-GREENHOUSE Aquaponics connected greenhouse

Message authentication codes

ECE 646 Lecture 8. Modes of operation of block ciphers

Chapter 24 Wireless Network Security

Revision History Revision 0 (T10/06-225r0): Posted to the T10 web site on 4 May 2006.

IoT Smart & Connected Facilities 2017

Authenticated Encryption

Internet of Things: Latest Technology Development and Applications

Wireless Best Kept Secret For Now

LoRaWAN : The Standard for IoT

CIS 6930/4930 Computer and Network Security. Topic 8.1 IPsec

The IPsec protocols. Overview

RAPIDLY EXPANDING LPWA NETWORKS TO DRIVE IOT BUSINESS

CM868LRxx & CMUS915LRxx Magnetic contact Programming manual

Improved KRACK Attacks Against WPA2 Implementations. Mathy OPCDE, Dubai, 7 April 2018

Igniting Industrial IoT from Technology Innovation to Business Transformation. Nicolas JORDAN, SVP Enterprise Operation Co founder

Davide Quaglia Assistant CS depart University of Verona, Italy

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Mathy Vanhoef, PhD Wi-Fi Alliance meeting Bucharest, 24 October 2017

Block Ciphers Tutorial. c Eli Biham - May 3, Block Ciphers Tutorial (5)

IP Security. Cunsheng Ding HKUST, Kong Kong, China

Wireless LAN Security. Gabriel Clothier

LoRa APPLICATIONS METOVA

IoT Security Fundamentals That Must Be Solved. Fredrik Beckman CEO Apptimate AB Engagement Manager Combitech AB September 2016

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Energy Fraud and Orchestrated Blackouts Issues with Wireless Metering Protocols (wm-bus)

Olaf Nill Stuttgart-Feuerbach Germany. BOSCH Asset Tracing Tag / LoRa Alliance End Device testing EU 868 MHz

MAKING BUSINESSES SMARTER AND SIMPLER MONITORING MORE EFFECTIVELY REAPING THE BENEFITS OF IOT CONNECTIVITY

M2M spectrum management in China. LI Bo Senior Engineer

IR868LR - IRUS915LR Programming manual

IOT BREDE, ANTOINE, GUILLAUME, ADRIEN

UNDERSTANDING SENETAS LAYER 2 ENCRYPTION TECHNICAL-PAPER

Plaintext Recovery Attacks Against WPA/TKIP

Lecture 13 Page 1. Lecture 13 Page 3

Introduction to RWC5020A LoRa Tester

SINERGIA. Symbiotic Convergence of M2M Wireless Communications and the 5G. Convergencia de las comunicaciones inalámbricas M2M y la 5G

Auftrags-Nr.: Seite 1 von _001. Auftragsdatum :

Encryption in high-speed optical networks

Auftrags-Nr.: Seite 1 von Auftragsdatum :

Real-world LoRaWAN Network Capacity for Electrical Metering Applications

ECE 646 Lecture 7. Modes of Operation of Block Ciphers. Modes of Operation. Required Reading:

Advanced Encryption Standard and Modes of Operation. Foundations of Cryptography - AES pp. 1 / 50

Some Aspects of Block Ciphers

Contribution to Envri+ Workshop on SMART Cable Systems. Secure Data Communication Protocol For Large Number of Distributed Sensors

Premier Wireless Solutions Provider for IoT. LoRa / LoRaWAN Solution Selection Manual.

CIS 700/002 : Special Topics : Secure MQTT for IoT

BEING A DECT FORUM MEMBER DECT Forum, the globally acting industry association of the wireless home and enterprise communication industry.

Wi SUN Technology and Certification Phil Beecher, President and CEO March 2018

AWS IoT Getting Started Guide for STM32F7 Discovery

8, multi-tenant 1.7 M. Numerex Is An IoT Leader. $94 Mn. cloud IoT platform. over. over. Commercial customers. patents issued & pending

OVERVIEW OF ETSI IoT ACTIVITIES

Wireless Data Communication Market Research Report - Global Forecast till 2023

DASH7, PASSIVE RFID AND LPWAN PROF. MAARTEN WEYN - MICHAEL ANDRE PUBLIC

Angelo Gentili Head of Business Development, EMEA Region, PartnerNET

Zigbee 3.0 and Dotdot Connecting the IoT. Jean-Pierre Desbenoit Schneider Electric Bruno Vulcano Legrand

Misuse-resistant crypto for JOSE/JWT

Cisco LoRaWAN Technical Overview

Unit 8 Review. Secure your network! CS144, Stanford University

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

Computer Security. 10. Exam 2 Review. Paul Krzyzanowski. Rutgers University. Spring 2017

Mobile App Development Market Research Report- Global Forecast to 2022

Dumb Crypto in Smart Grids

Transcription:

November 16, 2017 Gildas Avoine Loïc Ferreira Rescuing LoRaWAN 1.0 Workshop CRYPTACUS 1

Internet of Things 20 billion internet-connected things by 2020 [Gartner] Main domains smart home (Zigbee, Z-Wave, BLE, DECT ULE, Thread, etc.) ehealth industrial IoT => allegedly the largest volume of things the most sensitive use cases 2

Internet of Things 20 billion internet-connected things by 2020 [Gartner] Main domains smart home (Zigbee, Z-Wave, BLE, DECT ULE, Thread, etc.) ehealth industrial IoT => allegedly the largest volume of things the most sensitive use cases source: http://iot.semtech.com, 17/05/17 A proposal for industrial IoT: LoRa (communication layer) & LoRaWAN (security layer) Originally conceived by Semtech (Cycleo). Now promoted by LoRa Alliance. Deployed in more than 50 countries worldwide: USA (100 cities), Japan, China (300 million people), India (400 million people), France, Netherlands, South Africa, etc. Use cases: temperature monitoring, presence detection, remote device on/off switch, etc. Current deployed version: v1.0 (this talk). 3 Ascoel, IR868LR - IRUS915LR nke Watteco, Sens O nke Watteco, Smart Plug

Architecture End-devices Gateway Network Server Application Server 4

Key exchange End-device (MK) req ans Network Server (MK) Application Server 5

Key exchange End-device (MK) req ans Network Server (MK) Application Server 1. rnd C {0,1} 16 2. τ C = MAC MK (id AS id C rnd C ) 3. req = id AS id C rnd C τ C 6

Key exchange End-device (MK) req ans Network Server (MK) Application Server 1. rnd C {0,1} 16 2. τ C = MAC MK (id AS id C rnd C ) 3. req = id AS id C rnd C τ C 4. check req 5. rnd S {0,1} 24 8. check ans 6. τ S = MAC MK (rnd S id S addr prms) 7. ans = AES -1 MK(rnd S id S addr prms τ S ) 7

Key exchange End-device (MK) req ans Network Server (MK) Application Server 1. rnd C {0,1} 16 2. τ C = MAC MK (id AS id C rnd C ) 3. req = id AS id C rnd C τ C 4. check req 5. rnd S {0,1} 24 8. check ans 6. τ S = MAC MK (rnd S id S addr prms) 7. ans = AES -1 MK(rnd S id S addr prms τ S ) 8 Data encryption key Ke = ENC MK (01 v) Data integrity key Ki = ENC MK (02 v) with v = rnd S id S rnd C 00..00

Secure channel End-device (MK) data confidentiality (Ke) data integrity (Ki) Network Server (MK) Application Server Ke, Ki Ke, Ki Ke Application frame Ki hdr [pld] Ke τ Network frame Ki hdr [pld] Ki τ 9

Secure channel End-device (MK) data confidentiality (Ke) data integrity (Ki) Network Server (MK) Application Server Ke, Ki Ke, Ki Ke Encryption: based on AES CCM A j (16) = 01 00 00 dir addr (4) cnt (4) 00 j (1) S j = AES K (A j ) with K = ctxt = pld (S 0.. S n-1 ) Ke if application data Ki if network data Application frame Ki hdr [pld] Ke τ Network frame Ki hdr [pld] Ki τ 10

Secure channel End-device (MK) data confidentiality (Ke) data integrity (Ki) Network Server (MK) Application Server Ke, Ki Ke, Ki Ke 11 Encryption: based on AES CCM A j (16) = 01 00 00 dir addr (4) cnt (4) 00 j (1) S j = AES K (A j ) with K = ctxt = pld (S 0.. S n-1 ) MAC: AES CMAC B 0 (16) = 49 00 00 dir addr (4) cnt (4) 00 len (1) τ = MAC Ki (B 0 hdr ctxt) Message: hdr [pld] K τ Ke if application data Ki if network data Application frame Ki hdr [pld] Ke τ Network frame Ki hdr [pld] Ki τ

Attack: end-device disconnection End-device (MK) Network Server (MK) rnd C = x rnd S = y* rnd C = x rnd S = y Ke* = ENC MK (01 v*) Ki* = ENC MK (02 v*) with v* = y* id S x 00..00 Ke = ENC MK (01 v) Ki = ENC MK (02 v) with v = y id S x 00..00 12

Attack: end-device disconnection End-device (MK) Network Server (MK) rnd C = x rnd S = y* rnd C = x rnd S = y Ke* = ENC MK (01 v*) Ki* = ENC MK (02 v*) with v* = y* id S x 00..00 Ke = ENC MK (01 v) Ki = ENC MK (02 v) with v = y id S x 00..00 13 The end-device is disconnected. The NS cannot initiate a new session. The end-device may not expect replies from the NS. LoRaWAN 1.0.2 specification, 4.3.1.1, p. 17

Attack: replay or decrypt Ke = ENC MK (01 v) Ki = ENC MK (02 v) with v = rnd S id S rnd C 00..00 A j (16) = 01 00 00 dir addr (4) cnt (4) 00 j (1) S j = AES K (A j ) ctxt = pld (S 0.. S n-1 ) B 0 (16) = 49 00 00 dir addr (4) cnt (4) 00 len (1) τ = MAC Ki (B 0 hdr ctxt) 1. Replay of ans = AES -1 MK(rnd S id S addr prms τ S ) 2. Reuse of rnd C => Reuse of Ke, Ki, A j, B 0 14

Attack: replay or decrypt Consequences (downlink) frame replay (uplink) frame decryption: ctxt = pld S ctxt = pld S ctxt ctxt = pld pld 15

Attack: replay or decrypt Consequences (downlink) frame replay (uplink) frame decryption: ctxt = pld S ctxt = pld S ctxt ctxt = pld pld Pr[hit] = 2-16 With n previous ans messages, Pr[hit] n.2-16 = p The attacker iterates k times: Pr[success] = 1 (1 p) k k.p Complexity: k 2 16 /n to get Pr[success] 1 8 s/key exchange => 9.1 hours (with n = 16) End-device (MK) rnd C = x 0, x 1,, x k rnd S = *, *,, y k 16

Attack: replay or decrypt Consequences (downlink) frame replay (uplink) frame decryption: ctxt = pld S ctxt = pld S ctxt ctxt = pld pld Pr[hit] = 2-16 With n previous ans messages, Pr[hit] n.2-16 = p The attacker iterates k times: Pr[success] = 1 (1 p) k k.p Complexity: k 2 16 /n to get Pr[success] 1 8 s/key exchange => 9.1 hours (with n = 16) Remark on the duty cycle Not a security mechanism Not applied in all countries Not verified through the LoRa Alliance certification process End-device (MK) rnd C = x 0, x 1,, x k rnd S = *, *,, y k LoRa Alliance End Device Certification Requirements for EU 868MHz ISM Band Devices, D. Hunt, N. Jouko, M. Ridder, v1.2, 2016 17

Attack: targetting the NS Disconnection and replay or decrypt doable against the NS. Disconnection The NS must keep track of a certain number of previous req messages. => Use of forgotten or unknown req messages. Replay or decrypt rnd S = 24 bits => Pr[hit] 2-24 addr is arbitrarily generated => Pr[hit] 2-49 The attacker chooses rnd C first (then the NS replies). Use of n req messages: Pr[success] n/2 24 (if addr is unchanged) Consequences (uplink) frame replay (downlin) frame decryption req ans [matches with req?] Network Server (MK) 18

Lack of data integrity End-device Network Server MQTT server Application Server data confidentiality data integrity no data integrity no data integrity Encryption in CTR mode Change plaintext by flipping ciphertext bits => end-device or AS is deceived Truncate encrypted payload => hide information from end-device or AS Possible payload decryption under assumptions (easier in uplink direction) 19

Recommendations Constraints: keep interoperability between patched and unmodified equipment rnd S replaced with 24-bit counter (1 counter per end-device) addr = H(rnd C rnd S id C ) Key confirmation by NS (using an existing LoRaWAN command) Provide end-to-end data integrity (application layer) 20

Conclusion Low cost security => low power attacks LoRaWAN 1.0 published without security analysis Upcoming version: v1.1 (includes some recommendations related to v1.0) LoRa Alliance: call for a public review of LoRaWAN 1.1 from the academic community 21

Thank you 22

References [LoRaWAN1.0] N. Sornin, M. Luis, T. Eirich, T. Kramp, O. Hersent. LoRaWAN Specification (Jul 2016), LoRa Alliance, version 1.0.2 [Gartner] Mark Hung (ed.). Leading the IoT Gartner Insights on How to Lead in a Connected World, Gartner, 2017. https://www.gartner.com/imagesrv/books/iot/iotebook_digital.pdf 23

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback