
IoT LPWAN network security: Sigfox and LoRaWAN (Mikael Falkvidd @ Knowit secure insight 2018-05-08)

My presentation on IoT LPWAN network security (Sigfox and LoRaWAN)
Key takeaways:
* Overview of what LPWAN, Sigfox and LoRaWAN are, and why they are important
* What security mechanisms do they provide?
* Raise curiosity: How do I attack/inspect LPWAN traffic?

  1. IoT LPWAN security: Sigfox & LoRaWAN (Mikael Falkvidd, KnowIT Secure Insight, 2018-05-08)
  2. About Mikael Falkvidd
      ● 80+ published articles in
      ● Chapter leader
      ● Core team member
      ● Independent consultant, Falkvidd Holding AB
      ● Past positions: Development Team Lead, OP5; IT Consultant, Accenture; Product Owner, Ericsson; Solution Architect, Ericsson
  3. Key takeaways
      ● An overview of what LPWAN, Sigfox and LoRaWAN are and why they are important
      ● What security mechanisms do they provide?
      ● Raise curiosity: How do I attack/inspect LPWAN traffic?
  4. What is LPWAN? (1)
      Low Power
      ● 25 mW / 14 dBm RF output (Wi-Fi is 100 mW / 20 dBm, 3G is 2000 mW / 33 dBm)
      ● 2+ years on single lithium cell
      ● 10+ years on 2xAA
      Wide Area
      ● 15-40 km radius per base station / gateway
      ● Sub-GHz ISM band (868/902/915 MHz depending on region)
      Network
      ● This is where it gets interesting from a security standpoint :-)
  5. What is LPWAN? (2)
      Message-oriented
      ● 1 uplink message every 10 minutes max*
      ● Message size max 12 bytes (Sigfox) or 51–255 bytes (LoRaWAN)**
      Limited downlink
      ● No confirmation
      ● Downlink always initiated by uplink, no unsolicited traffic
      ● Sigfox: max 4 messages per 24h, max 8 bytes each
      ● LoRaWAN: 10 messages per 24h, max 51–255 bytes each
      Low-cost
      ● Sigfox connectivity costs 15 EUR per year and device for 1 device. ~1 EUR per year and device for 50,000 devices (10%-1% of cost with Telia IoT)
  6. Sigfox and LoRaWAN main differences

      | | Sigfox | LoRaWAN |
      |---|---|---|
      | Coverage - global | 45 countries, 803M people | 90+ countries |
      | Coverage - Sweden | 60% of population | Local (city-wide) networks exist |
      | Base stations / gateways | Always owned by operator | Anyone can put up a gateway, hardware cost from ~200 EUR |
      | Backend | Owned by Sigfox | Local providers, TTN (partly open source), open source, DIY |
  7. Security areas
      ● Physical device
      ● Radio communication
      ● Base stations / gateways
      ● Gateway to backend system
      ● Backend system
      ● Backend to application communication
      ● Application
  8. Physical device attacks
      ● Destroy it
      ● Extract keys
      ● Modify firmware
      LoRaWAN and Sigfox use per-device keys, so compromise of one device impacts only that device and its data. The rest is your responsibility:
      ● Physical protection
      ● Use secure elements to protect keys
      ● Signed firmware updates* / verify firmware integrity
  9. Radio communication - Sigfox
      ● Each Sigfox device is provisioned with a unique symmetric authentication key
      ● All messages to and from the device are protected by a MAC using a key derived from the symmetric key, providing authenticity and integrity.
      ● All messages include a sequence counter, to prevent replay attacks
      ● Sigfox can provide confidentiality but does not require encryption. Device makers can add Sigfox-provided encryption as part of certification, or add their own flavor.
      ● Sigfox’s goal is to have each location covered by at least 3 base stations, to increase availability / be more jamming-resistant.
  10. Radio packet format - Sigfox

      +--------+--------+--------+------------------+-------------+-----+
      |Preamble| Frame  | Dev ID |     Payload      |Msg Auth Code| FCS |
      |        | Sync   |        |                  |             |     |
      +--------+--------+--------+------------------+-------------+-----+

      ● Preamble: 19 bits
      ● Frame sync and header: 29 bits
      ● Device ID: 32 bits
      ● Payload: 0-96 bits
      ● Authentication: 16-40 bits
      ● Frame check sequence: 16 bits (CRC)
  11. Base stations - Sigfox
      ● All Sigfox base stations have a Trusted Platform Module (TPM), which manages encryption keys and verifies the base station’s integrity.
      ● The operating system uses Secure Boot
      ● Communication with the backend system is done through VPN. The VPN key is stored in the TPM.
  12. Sigfox backend and your application
      ● Sigfox data centers adhere to SSAE16/ISAE3402 SOC-1 Type II, ISO 27001, PCI-DSS, FACT, ISO 9001-2008, ISO 50001
      ● “State-of-the-art solutions have been deployed to ensure the integrity, availability and confidentiality of [devices’ authentication keys as well as traffic metadata.].” *
      ● Communication between the Sigfox backend and your application uses HTTPS.
      ● Your application is (of course) your responsibility
  13. Radio packet format - LoRaWAN
  14. LoRaWAN keys in TTN
      Network session key (NwkSKey)
      ● used for interaction between the Node and the Network and routing
      ● check the validity of messages
      Application session key (AppSKey)
      ● encryption and decryption of the payload
      ● payload is encrypted between the device and the Handler component of TTN, which you will be able to run on your own server (LoRaWAN 1.1).
      When dynamically activating a LoRaWAN device (OTAA), these keys are re-generated on every activation. If you statically activate your device (ABP), these keys stay the same until you change them.
  15. Real-world examples
      Securitas Direct uses a Sigfox device to report GSM jamming attacks. They have deployed more than 1.6M units.
  16. Real-world examples
      The city of Gothenburg received a 2.19 MSEK grant from Vinnova to use LoRaWAN-based sensors for measuring air and water quality.
  17. Getting your hands dirty
      Wireshark
      ● Sigfox dissector for Wireshark (WIP)
      ● LoRaWAN dissector for Wireshark (Orange, docs in French)
      GNU Radio
      ● GNU Radio scapy for Sigfox
      ● Gr-lora for LoRa (LoRaWAN not yet supported)
      Get your own radio module / device
      Build/buy your own gateway (LoRaWAN)
  18. Learn more
      ● https://yadom.eu/reseaux-iot/sigfox/carte-breakout-sfm10r1.html - Sigfox radio module, controlled by AT commands on 9600 bps serial, 24 EUR
      ● https://www.m.nu/pycom/lopy-with-headers - Microcontroller that runs Python with LoRa radio module, 379 kr
      ● https://github.com/int0x191f2/wireshark-sigfox
      ● https://github.com/ltn22/LoRaWAN-Wireshark-Dissector
      ● https://bitbucket.org/cybertools/scapy-radio/overview - Sigfox GNU Radio Companion
      ● https://github.com/BastilleResearch/gr-lora - LoRa GNU Radio Companion
      ● https://github.com/matthijskooijman/arduino-lmic - Arduino LoRaWAN library for devices
      ● https://www.youtube.com/watch?v=-YNMRZC6v1s - Matt Knight at GRCon16
      ● https://www.youtube.com/watch?v=NoquBA7IMNc - Matt Knight at CCC
      ● https://github.com/rpp0/gr-lora - another LoRa GNU Radio Companion, not the same as the one by Bastille
  19. Backup slides
  20. Choose the right security level for your application
      ● Example: Outdoor environmental data probably doesn’t need to be kept confidential (temperature, rainfall, air humidity, barometric pressure, etc)
      ● In other cases, the fact that the device is communicating at all might reveal sensitive information
      ● Know what the network provides for you, and what you need to take responsibility for
  21. Software defined radio - Sigfox
  22. Software defined radio - LoRa (1)
  23. Software defined radio - LoRa (2)
      ● https://revspace.nl/DecodingLora
      ● Matt Knight - Reversing LoRa and his presentation at the RSA conference this year
  24. Cisco industrial LoRaWAN router
  25. TTN kickstarter gateway
  26. Sigfox Sweden coverage
  27. TTN Europe gateway locations
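
Slides 9 and 10 describe three Sigfox protections: a per-device key, a truncated MAC (16-40 bits) and a sequence counter against replay. The Python below is an added example, not code from Sigfox or from the presentation, showing how a backend could apply those checks in order, including counter rollover. HMAC-SHA-256, the key-derivation label, the 12-bit counter width and the acceptance window are assumptions, since the slides do not give the real algorithm or parameters.

```python
import hashlib
import hmac

SEQ_MOD = 1 << 12   # assumed 12-bit sequence counter (width not on the slides)
WINDOW = 64         # assumed: max forward jump tolerated for lost uplinks


def derive_mac_key(device_key: bytes) -> bytes:
    # Stand-in derivation: the slides only say the MAC key is derived
    # from the device's symmetric key, not how.
    return hmac.new(device_key, b"mac-key", hashlib.sha256).digest()


def make_tag(device_key: bytes, dev_id: int, seq: int, payload: bytes,
             tag_len: int = 2) -> bytes:
    # MAC covers device ID, counter and payload, then is truncated to
    # 2-5 bytes (the 16-40 bit field from slide 10). HMAC is a stand-in.
    msg = dev_id.to_bytes(4, "big") + seq.to_bytes(2, "big") + payload
    mac = hmac.new(derive_mac_key(device_key), msg, hashlib.sha256)
    return mac.digest()[:tag_len]


class Backend:
    def __init__(self, device_keys):
        self.keys = dict(device_keys)  # dev_id -> per-device key
        self.last_seq = {}             # dev_id -> last accepted counter

    def accept(self, dev_id: int, seq: int, payload: bytes, tag: bytes) -> str:
        key = self.keys.get(dev_id)
        if key is None:
            return "unknown-device"
        if not (0 <= seq < SEQ_MOD and len(payload) <= 12 and 2 <= len(tag) <= 5):
            return "malformed"
        expected = make_tag(key, dev_id, seq, payload, len(tag))
        if not hmac.compare_digest(expected, tag):
            return "bad-mac"
        last = self.last_seq.get(dev_id)
        if last is not None:
            ahead = (seq - last) % SEQ_MOD  # modular distance handles rollover
            if ahead == 0 or ahead > WINDOW:
                return "replay"
        self.last_seq[dev_id] = seq  # only authenticated frames move the counter
        return "ok"
```

With the shortest 16-bit tag, a random guess passes the MAC check with probability 2^-16 per frame, so repeated `bad-mac` results for one device ID are worth alerting on.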
