Sigfox presentation [Sep 2016]
Your SlideShare is downloading.
×
Check these out next
More Related Content
Slideshows for you (20)
Similar to IoT LPWAN network security: Sigfox and LoRaWAN (Mikael Falkvidd @ Knowit secure insight 2018-05-08) (20)
Recently uploaded (20)
IoT LPWAN network security: Sigfox and LoRaWAN (Mikael Falkvidd @ Knowit secure insight 2018-05-08)
- 1. IoT LPWAN security Sigfox & LoRaWAN Mikael Falkvidd KnowIT Secure Insight 2018-05-08
- 2. About Mikael Falkvidd 80+ published articles inChapter leader Core team member Independent consultant, Falkvidd Holding AB Past positions: Development Team Lead, OP5 IT Consultant, Accenture Product Owner, Ericsson Solution Architect, Ericsson
- 3. Key takeaways ● An overview of what LPWAN, Sigfox and LoRaWAN is and why they are important ● What security mechanisms do they provide? ● Raise curiosity: How do I attack/inspect LPWAN traffic?
- 4. What is LPWAN? (1) Low Power ● 25mW/14dBm RF output (wifi is 100mW/20 dBm, 3G is 2000mW/33 dBm ) ● 2+ years on single lithium cell ● 10+ years on 2xAA Wide Area ● 15-40 km radius per base station / gateway ● Sub-GHz ISM band (868/902/915 MHz depending on region) Network ● This is where it get interesting from a security standpoint :-)
- 5. What is LPWAN? (2) Message-oriented ● 1 uplink message every 10 minutes max* ● Message size max 12 bytes (Sigfox) or 51–255 bytes (LoRaWAN)** Limited downlink ● No confirmation ● Downlink always initiated by uplink - no unsolicited traffic ● Sigfox: max 4 messages per 24h, max 8 bytes each ● LoRaWAN: 10 messages per 24h, max 51–255 bytes each Low-cost: Sigfox connectivity costs 15 EUR per year and device for 1 device. ~1EUR per year and device for 50,000 devices (10%-1% of cost with Telia IoT)
- 6. Sigfox and LoRaWAN main differences Sigfox LoRaWAN Coverage - global 45 countries, 803M people 90+ countries Coverage - Sweden 60% of population Local (city-wide) networks exist Base stations / gateways Always owned by operator Anyone can put up a gateway, hardware cost from ~200EUR Backend Owned by Sigfox Local providers, TTN (partly open source), open source, DIY
- 7. Security areas ● Physical device ● Radio communication ● Base stations / gateways ● Gateway to backend system ● Backend system ● Backend to application communication ● Application
- 8. Physical device attacks ● Destroy it ● Extract keys ● Modify firmware LoRaWAN and Sigfox use per device keys, so compromisation of one device impacts only that device and its data. The rest is your responsibility: ● Physical protection ● Use secure elements to protect keys ● Signed firmware updates* / verify firmware integrity
- 9. Radio communication - Sigfox ● Each Sigfox device is provisioned with a unique symmetrical authentication key ● All messages to from the device are protected by a MAC using a key derived from the symmetrical key, providing authenticity and integrity. ● All messages include a sequence counter, to prevent replay attacks ● Sigfox can provide confidentiality but does not require encryption. Device makers can add Sigfox-provided encryption as part of certification, or add their own flavor. ● Sigfox’s goal is to have each location covered by at least 3 base stations, to increase availability / be more jamming-resistant.
- 10. Radio packet format - Sigfox +--------+--------+--------+------------------+-------------+-----+ |Preamble| Frame | Dev ID | Payload |Msg Auth Code| FCS | | | Sync | | | | | +--------+--------+--------+------------------+-------------+-----+ ● Preamble: 19 bits ● Frame sync and header: 29 bits ● Device ID: 32 bits ● Payload: 0-96 bits ● Authentication: 16-40 bits ● Frame check sequence: 16 bits (CRC)
- 11. Base stations - Sigfox ● All Sigfox base stations have a Trusted Platform Module (TPM), which manages encryption keys and verifies the base station’s integrity. ● The operating system uses Secure Boot ● Communication with the backend system is done through VPN. The VPN key is stored in the TPM.
- 12. Sigfox backend and your application ● Sigfox data centers adhere to SSAE16/ISAE3402 SOC-1 Type II - ISO 27001 - PCI-DSS - FACT - ISO 9001-2008 - ISO 50001 ● “State-of-the-art solutions have been deployed to ensure the integrity, availability and confidentiality of [devices’ authentication keys as well as traffic metadata.].” * ● Communication between the Sigfox backend and your application uses HTTPS. ● Your application is (of course) your responsibility
- 13. Radio packet format - LoRaWAN
- 14. LoRaWAN keys in TTN Network session key (NwkSKey) ● used for interaction between the Node and the Network and routing ● check the validity of messages Application session key (AppSKey) ● encryption and decryption of the payload ● payload is encrypted between the device and the Handler component of TTN, which you will be able to run on your own server (LoRaWAN 1.1). When dynamically activating a LoRaWAN device (OTAA), these keys are re-generated on every activation. If you statically activate your device (ABP), these keys stay the same until you change them.
- 15. Real-world examples Securitas Direct uses a Sigfox device to report GSM jamming attacks. They have deployed more than 1.6M units.
- 16. Real-world examples The city of Gothenburg received a 2.19 MSEK grant from Vinnova to use LoRaWAN-based sensors for measuring air and water quality.
- 17. Getting your hands dirty Wireshark ● Sigfox dissector for Wireshark (WIP) ● LoRaWAN dissector for Wireshark (Orange, docs in French) GNU radio ● GNU Radio scrapy for Sigfox ● Gr-lora for LoRa (LoRaWAN not yet supported) Get your own radio module / device Build/buy your own gateway (LoRaWAN)
- 18. Learn more https://yadom.eu/reseaux-iot/sigfox/carte-breakout-sfm10r1.html Sigfox radio module, controlled by AT commands on 9600bps serial 24 EUR https://www.m.nu/pycom/lopy-with-headers Microcontroller that runs python with LoRa radio module 379kr https://github.com/int0x191f2/wireshark-sigfox https://github.com/ltn22/LoRaWAN-Wireshark-Dissector https://bitbucket.org/cybertools/scapy-radio/overview Sigfox Gnu Radio Companion https://github.com/BastilleResearch/gr-lora LoRa Gnu Radio Companion https://github.com/matthijskooijman/arduino-lmic Arduino LoRaWAN library for devices https://www.youtube.com/watch?v=-YNMRZC6v1s Matt Knight at GRCon16 https://www.youtube.com/watch?v=NoquBA7IMNc Matt Knight at CCC https://github.com/rpp0/gr-lora another LoRa Gnu Radio Companion, not the same as the one by Bastille
- 19. Backup slides
- 20. Choose the right security level for your application ● Example: Outdoor environmental data probably doesn’t need to be kept confidential (temperature, rainfall, air humidity, barometric pressure, etc) ● In other cases, the fact that the device is communicating at all might reveal sensitive information ● Know what the network provides for you, and what you need to take responsibility for
- 21. Software defined radio - Sigfox
- 22. Software defined radio - LoRa (1)
- 23. Software defined radio - LoRa (2) ● https://revspace.nl/DecodingLora ● Matt Knight - Reversing LoRa and his presentation at the RSA conference this year
- 24. Cisco industrial LoRaWAN router
- 25. TTN kickstarter gateway
- 26. Sigfox Sweden coverage
- 27. TTN Europe gateway locations
