Successfully reported this slideshow.

IoT LPWAN network security: Sigfox and LoRaWAN (Mikael Falkvidd @ Knowit secure insight 2018-05-08)

2

Share

Loading in …3
×
1 of 29
1 of 29

IoT LPWAN network security: Sigfox and LoRaWAN (Mikael Falkvidd @ Knowit secure insight 2018-05-08)

2

Share

Download to read offline

My presentation on IoT LPWAN network security (Sigfox and LoRaWAN)
Key takeaways:
* Overview of what LPWAN, Sigfox and LoRaWAN is, and why they are important
* What security mechanisms do they provide?
* Raise curiosity: How do I attack/inspect LPWAN traffic?

My presentation on IoT LPWAN network security (Sigfox and LoRaWAN)
Key takeaways:
* Overview of what LPWAN, Sigfox and LoRaWAN is, and why they are important
* What security mechanisms do they provide?
* Raise curiosity: How do I attack/inspect LPWAN traffic?

More Related Content

Related Books

Free with a 14 day trial from Scribd

See all

IoT LPWAN network security: Sigfox and LoRaWAN (Mikael Falkvidd @ Knowit secure insight 2018-05-08)

  1. 1. IoT LPWAN security Sigfox & LoRaWAN Mikael Falkvidd KnowIT Secure Insight 2018-05-08
  2. 2. About Mikael Falkvidd 80+ published articles inChapter leader Core team member Independent consultant, Falkvidd Holding AB Past positions: Development Team Lead, OP5 IT Consultant, Accenture Product Owner, Ericsson Solution Architect, Ericsson
  3. 3. Key takeaways ● An overview of what LPWAN, Sigfox and LoRaWAN is and why they are important ● What security mechanisms do they provide? ● Raise curiosity: How do I attack/inspect LPWAN traffic?
  4. 4. What is LPWAN? (1) Low Power ● 25mW/14dBm RF output (wifi is 100mW/20 dBm, 3G is 2000mW/33 dBm ) ● 2+ years on single lithium cell ● 10+ years on 2xAA Wide Area ● 15-40 km radius per base station / gateway ● Sub-GHz ISM band (868/902/915 MHz depending on region) Network ● This is where it get interesting from a security standpoint :-)
  5. 5. What is LPWAN? (2) Message-oriented ● 1 uplink message every 10 minutes max* ● Message size max 12 bytes (Sigfox) or 51–255 bytes (LoRaWAN)** Limited downlink ● No confirmation ● Downlink always initiated by uplink - no unsolicited traffic ● Sigfox: max 4 messages per 24h, max 8 bytes each ● LoRaWAN: 10 messages per 24h, max 51–255 bytes each Low-cost: Sigfox connectivity costs 15 EUR per year and device for 1 device. ~1EUR per year and device for 50,000 devices (10%-1% of cost with Telia IoT)
  6. 6. Sigfox and LoRaWAN main differences Sigfox LoRaWAN Coverage - global 45 countries, 803M people 90+ countries Coverage - Sweden 60% of population Local (city-wide) networks exist Base stations / gateways Always owned by operator Anyone can put up a gateway, hardware cost from ~200EUR Backend Owned by Sigfox Local providers, TTN (partly open source), open source, DIY
  7. 7. Security areas ● Physical device ● Radio communication ● Base stations / gateways ● Gateway to backend system ● Backend system ● Backend to application communication ● Application
  8. 8. Physical device attacks ● Destroy it ● Extract keys ● Modify firmware LoRaWAN and Sigfox use per device keys, so compromisation of one device impacts only that device and its data. The rest is your responsibility: ● Physical protection ● Use secure elements to protect keys ● Signed firmware updates* / verify firmware integrity
  9. 9. Radio communication - Sigfox ● Each Sigfox device is provisioned with a unique symmetrical authentication key ● All messages to from the device are protected by a MAC using a key derived from the symmetrical key, providing authenticity and integrity. ● All messages include a sequence counter, to prevent replay attacks ● Sigfox can provide confidentiality but does not require encryption. Device makers can add Sigfox-provided encryption as part of certification, or add their own flavor. ● Sigfox’s goal is to have each location covered by at least 3 base stations, to increase availability / be more jamming-resistant.
  10. 10. Radio packet format - Sigfox +--------+--------+--------+------------------+-------------+-----+ |Preamble| Frame | Dev ID | Payload |Msg Auth Code| FCS | | | Sync | | | | | +--------+--------+--------+------------------+-------------+-----+ ● Preamble: 19 bits ● Frame sync and header: 29 bits ● Device ID: 32 bits ● Payload: 0-96 bits ● Authentication: 16-40 bits ● Frame check sequence: 16 bits (CRC)
  11. 11. Base stations - Sigfox ● All Sigfox base stations have a Trusted Platform Module (TPM), which manages encryption keys and verifies the base station’s integrity. ● The operating system uses Secure Boot ● Communication with the backend system is done through VPN. The VPN key is stored in the TPM.
  12. 12. Sigfox backend and your application ● Sigfox data centers adhere to SSAE16/ISAE3402 SOC-1 Type II - ISO 27001 - PCI-DSS - FACT - ISO 9001-2008 - ISO 50001 ● “State-of-the-art solutions have been deployed to ensure the integrity, availability and confidentiality of [devices’ authentication keys as well as traffic metadata.].” * ● Communication between the Sigfox backend and your application uses HTTPS. ● Your application is (of course) your responsibility
  13. 13. Radio packet format - LoRaWAN
  14. 14. LoRaWAN keys in TTN Network session key (NwkSKey) ● used for interaction between the Node and the Network and routing ● check the validity of messages Application session key (AppSKey) ● encryption and decryption of the payload ● payload is encrypted between the device and the Handler component of TTN, which you will be able to run on your own server (LoRaWAN 1.1). When dynamically activating a LoRaWAN device (OTAA), these keys are re-generated on every activation. If you statically activate your device (ABP), these keys stay the same until you change them.
  15. 15. Real-world examples Securitas Direct uses a Sigfox device to report GSM jamming attacks. They have deployed more than 1.6M units.
  16. 16. Real-world examples The city of Gothenburg received a 2.19 MSEK grant from Vinnova to use LoRaWAN-based sensors for measuring air and water quality.
  17. 17. Getting your hands dirty Wireshark ● Sigfox dissector for Wireshark (WIP) ● LoRaWAN dissector for Wireshark (Orange, docs in French) GNU radio ● GNU Radio scrapy for Sigfox ● Gr-lora for LoRa (LoRaWAN not yet supported) Get your own radio module / device Build/buy your own gateway (LoRaWAN)
  18. 18. Learn more https://yadom.eu/reseaux-iot/sigfox/carte-breakout-sfm10r1.html Sigfox radio module, controlled by AT commands on 9600bps serial 24 EUR https://www.m.nu/pycom/lopy-with-headers Microcontroller that runs python with LoRa radio module 379kr https://github.com/int0x191f2/wireshark-sigfox https://github.com/ltn22/LoRaWAN-Wireshark-Dissector https://bitbucket.org/cybertools/scapy-radio/overview Sigfox Gnu Radio Companion https://github.com/BastilleResearch/gr-lora LoRa Gnu Radio Companion https://github.com/matthijskooijman/arduino-lmic Arduino LoRaWAN library for devices https://www.youtube.com/watch?v=-YNMRZC6v1s Matt Knight at GRCon16 https://www.youtube.com/watch?v=NoquBA7IMNc Matt Knight at CCC https://github.com/rpp0/gr-lora another LoRa Gnu Radio Companion, not the same as the one by Bastille
  19. 19. Backup slides
  20. 20. Choose the right security level for your application ● Example: Outdoor environmental data probably doesn’t need to be kept confidential (temperature, rainfall, air humidity, barometric pressure, etc) ● In other cases, the fact that the device is communicating at all might reveal sensitive information ● Know what the network provides for you, and what you need to take responsibility for
  21. 21. Software defined radio - Sigfox
  22. 22. Software defined radio - LoRa (1)
  23. 23. Software defined radio - LoRa (2) ● https://revspace.nl/DecodingLora ● Matt Knight - Reversing LoRa and his presentation at the RSA conference this year
  24. 24. Cisco industrial LoRaWAN router
  25. 25. TTN kickstarter gateway
  26. 26. Sigfox Sweden coverage
  27. 27. TTN Europe gateway locations

Editor's Notes

  • How many know what LPWAN is? Sigfox? LoRaWAN?
  • Jag jobbar som IoT-konsult här i Göteborg
    Tidigare varit på OP5, som gör en mjukvara för att övervaka servrar och nätverksprylar
    Sitter i styrelsen för OWASP Göteborg. Ideell organisation med rötterna i USA som jobbar för att göra säkerhetsfrågor och -verktyg mer synliga.
    Medlem i MySensors core-team. MySensors är ett projekt med öppen mjukvara och hårdvara för att göra egna Arduinobaserade IoT-enheter.
    Skrivit över 80 artiklar i svenska tidningen Datormagazin, nu senast reportage från IoT-konferenser och hur du kan bygga egna IoT-enheter.


  • Vad är LPWAN, Sigfox och LoRaWAN och varför är de viktiga?
    Vilka säkerhetsfunktioner finns?
    Hur kan du få praktisk erfarenhet av LPWAN?
  • Låg strömförbrukning: 25% av wifi och 1,25% av 3G
    Lång räckvidd: Engelska kanalen 250km. TTN LoRaWAN record: 702km väderballong.
    0.1-10% duty cycle
  • * Sigfox: Depends on class, can be lower
    ** Depends on data rate / spreading factor. Will affect the number of messages allowed. Airtime calculator: https://docs.google.com/spreadsheets/d/1QvcKsGeTTPpr9icj4XkKXq4r2zTc2j0gsHLrnplzM3I/edit#gid=0
    Telia’s starter package “IoT connect” is 99EUR per month for 10 devices.
    LoRaWAN har en annan prismodell men brukar hamna på ungefär samma kostnad
  • Sigfox har nästan dubblat täckningen varje år.
    LoRaWAN:
    TTN 3 700 gateways
    Comcast (US), KPN (NL), Proximus (BE), Orange (FR), SK telecom (SK), Tata Communications (IN) and more
    Gothenburg:
    Sigfox har bra utomhustäckning och ok inomhustäckning
    Tele2 LoRaWAN testnätverka ungefär samma täckning som Sigfox men inte lätt att få tillgång till.
    ~5 TTN gateways i Göteborg. Kort räckvidd.

    https://github.com/Lora-net open source code for node, gateway and packet forwarder
  • Jag visar var nätverket tar ansvar och var du måste ta ansvar
  • Sigfox does not provide a way to update firmware over the air, but radio modules with LTE-M or similar solutions can be used.
    LoRaWAN: TTN has a working PoC together with ARM, plan is to get it into the LoRaWAN standard.
  • AES CTR mode
    Hiding the fact that the device is communicating is tricky, especially with the low message rate allowed.
  • * This is unfortunately the way Sigfox presents its security. We all know this is marketing speech and usually means nothing. At least they didn’t put “military-grade” in there. To get more information you’ll need to sign a NDA, which usually is a bad sign.
    You’ll need to decide if you trust Sigfox or not. If you don’t, add additional protection or use an alternative where you take end-to-end responsibility.

    “Sigfox is continuously investing in security and partnering with research institutes and domain experts, working on advanced research topics such as machine learning, anomaly detection, and advanced cryptographic algorithms.”
  • Sizes are in bits
    Source: Augustin, Aloÿs & Yi, Jiazi & Clausen, Thomas Heide & Mark Townsley, William. (2016). A Study of LoRa: Long Range & Low Power Networks for the Internet of Things. Sensors. 16. 1466. 10.3390/s16091466.
  • Different LoRaWAN implementations can use slight variations of this
    More details: https://www.thethingsnetwork.org/wiki/Backend/Home and https://www.thethingsnetwork.org/wiki/LoRaWAN/Security
    In the current implementation, TTN decrypts payload for you (just like Sigfox).
  • These devices and networks are already out there.
  • https://yadom.eu/reseaux-iot/sigfox/carte-breakout-sfm10r1.html 24 EUR
    https://www.m.nu/pycom/lopy-with-headers 379kr
    https://github.com/int0x191f2/wireshark-sigfox
    https://github.com/ltn22/LoRaWAN-Wireshark-Dissector
    https://bitbucket.org/cybertools/scapy-radio/overview
    https://github.com/BastilleResearch/gr-lora
    https://github.com/matthijskooijman/arduino-lmic Arduino LoRaWAN library for devices
    https://www.youtube.com/watch?v=-YNMRZC6v1s Matt Knight at GRCon16
    https://github.com/rpp0/gr-lora
    https://www.youtube.com/watch?v=NoquBA7IMNc Matt Knight at CCC
  • Yes, LoRa can use 433MHz as well, but no LoRaWAN networks are using it (yet?)
  • https://revspace.nl/DecodingLora
    Matt Knight - Reversing LoRa and his presentation at the RSA conference this year
  • ×