My presentation on IoT LPWAN network security (Sigfox and LoRaWAN)
Key takeaways:
* Overview of what LPWAN, Sigfox and LoRaWAN are, and why they are important
* What security mechanisms do they provide?
* Raise curiosity: How do I attack/inspect LPWAN traffic?
2. About Mikael Falkvidd
80+ published articles in Datormagazin
Chapter leader, OWASP Gothenburg
Core team member, MySensors
Independent consultant, Falkvidd Holding AB
Past positions:
Development Team Lead, OP5
IT Consultant, Accenture
Product Owner, Ericsson
Solution Architect, Ericsson
4. What is LPWAN? (1)
Low Power
● 25 mW / 14 dBm RF output (Wi-Fi is 100 mW / 20 dBm, 3G is 2000 mW / 33 dBm)
● 2+ years on single lithium cell
● 10+ years on 2xAA
Wide Area
● 15-40 km radius per base station / gateway
● Sub-GHz ISM band (868/902/915 MHz depending on region)
Network
● This is where it gets interesting from a security standpoint :-)
5. What is LPWAN? (2)
Message-oriented
● 1 uplink message every 10 minutes max*
● Message size max 12 bytes (Sigfox) or 51–255 bytes (LoRaWAN)**
Limited downlink
● No confirmation
● Downlink always initiated by uplink - no unsolicited traffic
● Sigfox: max 4 messages per 24h, max 8 bytes each
● LoRaWAN: 10 messages per 24h, max 51–255 bytes each
Low-cost: Sigfox connectivity costs 15 EUR per device per year for a single device, and ~1 EUR per device per year at 50,000 devices (10% down to 1% of the cost of Telia IoT).
6. Sigfox and LoRaWAN main differences
Area | Sigfox | LoRaWAN
Coverage - global | 45 countries, 803M people | 90+ countries
Coverage - Sweden | 60% of population | Local (city-wide) networks exist
Base stations / gateways | Always owned by operator | Anyone can put up a gateway, hardware cost from ~200 EUR
Backend | Owned by Sigfox | Local providers, TTN (partly open source), open source, DIY
7. Security areas
● Physical device
● Radio communication
● Base stations / gateways
● Gateway to backend system
● Backend system
● Backend to application communication
● Application
8. Physical device attacks
● Destroy it
● Extract keys
● Modify firmware
LoRaWAN and Sigfox use per-device keys, so compromise of one device impacts only that device and its data. The rest is your responsibility:
● Physical protection
● Use secure elements to protect keys
● Signed firmware updates* / verify firmware integrity
9. Radio communication - Sigfox
● Each Sigfox device is provisioned with a unique symmetric authentication key
● All messages to and from the device are protected by a MAC using a key derived from the symmetric key, providing authenticity and integrity.
● All messages include a sequence counter, to prevent replay attacks
● Sigfox can provide confidentiality but does not require encryption. Device makers can add Sigfox-provided encryption as part of certification, or add their own flavor.
● Sigfox's goal is to have each location covered by at least 3 base stations, to increase availability / be more jamming-resistant.
11. Base stations - Sigfox
● All Sigfox base stations have a Trusted Platform Module (TPM), which manages encryption keys and verifies the base station's integrity.
● The operating system uses Secure Boot
● Communication with the backend system is done through a VPN. The VPN key is stored in the TPM.
12. Sigfox backend and your application
● Sigfox data centers adhere to SSAE16/ISAE3402 SOC-1 Type II - ISO 27001 - PCI-DSS - FACT - ISO 9001-2008 - ISO 50001
● "State-of-the-art solutions have been deployed to ensure the integrity, availability and confidentiality of [devices' authentication keys as well as traffic metadata.]." *
● Communication between the Sigfox backend and your application uses HTTPS.
● Your application is (of course) your responsibility
14. LoRaWAN keys in TTN
Network session key (NwkSKey)
● used for interaction between the Node and the Network and routing
● check the validity of messages
Application session key (AppSKey)
● encryption and decryption of the payload
● payload is encrypted between the device and the Handler component of TTN, which you will be able to run on your own server (LoRaWAN 1.1).
When dynamically activating a LoRaWAN device (OTAA), these keys are re-generated on every activation. If you statically activate your device (ABP), these keys stay the same until you change them.
16. Real-world examples
The city of Gothenburg received a 2.19 MSEK grant from Vinnova to use
LoRaWAN-based sensors for measuring air and water quality.
17. Getting your hands dirty
Wireshark
● Sigfox dissector for Wireshark (WIP)
● LoRaWAN dissector for Wireshark (Orange, docs in French)
GNU Radio
● scapy-radio (GNU Radio) for Sigfox
● gr-lora for LoRa (LoRaWAN not yet supported)
Get your own radio module / device
Build/buy your own gateway (LoRaWAN)
18. Learn more
https://yadom.eu/reseaux-iot/sigfox/carte-breakout-sfm10r1.html Sigfox radio module, controlled by AT commands over 9600 bps serial, 24 EUR
https://www.m.nu/pycom/lopy-with-headers Microcontroller that runs Python with a LoRa radio module, 379 SEK
https://github.com/int0x191f2/wireshark-sigfox Sigfox Wireshark dissector
https://github.com/ltn22/LoRaWAN-Wireshark-Dissector LoRaWAN Wireshark dissector
https://bitbucket.org/cybertools/scapy-radio/overview scapy-radio, Sigfox for GNU Radio Companion
https://github.com/BastilleResearch/gr-lora gr-lora, LoRa for GNU Radio Companion
https://github.com/matthijskooijman/arduino-lmic Arduino LoRaWAN library for devices
https://www.youtube.com/watch?v=-YNMRZC6v1s Matt Knight at GRCon16
https://www.youtube.com/watch?v=NoquBA7IMNc Matt Knight at CCC
https://github.com/rpp0/gr-lora another LoRa implementation for GNU Radio Companion, not the same as the one by Bastille
20. Choose the right security level for your application
● Example: Outdoor environmental data probably doesn’t need to be kept
confidential (temperature, rainfall, air humidity, barometric pressure, etc)
● In other cases, the fact that the device is communicating at all might reveal
sensitive information
● Know what the network provides for you, and what you need to take
responsibility for
23. Software defined radio - LoRa (2)
● https://revspace.nl/DecodingLora
● Matt Knight - Reversing LoRa and his presentation at the RSA conference this year
I work as an IoT consultant here in Gothenburg.
Previously at OP5, which makes software for monitoring servers and network equipment.
I sit on the board of OWASP Gothenburg, a non-profit organisation with roots in the USA that works to make security issues and tools more visible.
Member of the MySensors core team. MySensors is an open-software and open-hardware project for building your own Arduino-based IoT devices.
I have written over 80 articles for the Swedish magazine Datormagazin, most recently reports from IoT conferences and on how to build your own IoT devices.
What are LPWAN, Sigfox and LoRaWAN, and why are they important?
Which security features exist?
How can you get hands-on experience with LPWAN?
Low power consumption: 25% of Wi-Fi and 1.25% of 3G.
Long range: across the English Channel, 250 km. TTN LoRaWAN record: 702 km, from a weather balloon.
0.1-10% duty cycle
* Sigfox: Depends on class, can be lower
** Depends on data rate / spreading factor. Will affect the number of messages allowed. Airtime calculator: https://docs.google.com/spreadsheets/d/1QvcKsGeTTPpr9icj4XkKXq4r2zTc2j0gsHLrnplzM3I/edit#gid=0
Telia’s starter package “IoT connect” is 99EUR per month for 10 devices.
LoRaWAN has a different pricing model but usually ends up at roughly the same cost.
Sigfox has almost doubled its coverage every year.
LoRaWAN:
TTN 3 700 gateways
Comcast (US), KPN (NL), Proximus (BE), Orange (FR), SK Telecom (KR), Tata Communications (IN) and more
Gothenburg:
Sigfox has good outdoor coverage and OK indoor coverage.
Tele2's LoRaWAN test network has roughly the same coverage as Sigfox but is not easy to get access to.
~5 TTN gateways in Gothenburg. Short range.
https://github.com/Lora-net open source code for node, gateway and packet forwarder
I show where the network takes responsibility and where you must take responsibility.
Sigfox does not provide a way to update firmware over the air, but radio modules with LTE-M or similar solutions can be used.
LoRaWAN: TTN has a working PoC together with ARM; the plan is to get it into the LoRaWAN standard.
AES CTR mode
Hiding the fact that the device is communicating is tricky, especially with the low message rate allowed.
* This is unfortunately the way Sigfox presents its security. We all know this is marketing speech and usually means nothing. At least they didn’t put “military-grade” in there. To get more information you’ll need to sign a NDA, which usually is a bad sign.
You’ll need to decide if you trust Sigfox or not. If you don’t, add additional protection or use an alternative where you take end-to-end responsibility.
“Sigfox is continuously investing in security and partnering with research institutes and domain experts, working on advanced research topics such as machine learning, anomaly detection, and advanced cryptographic algorithms.”
Sizes are in bits
Source: Augustin, A., Yi, J., Clausen, T. H., & Townsley, W. M. (2016). A Study of LoRa: Long Range & Low Power Networks for the Internet of Things. Sensors, 16(9), 1466. doi:10.3390/s16091466
Different LoRaWAN implementations can use slight variations of this
More details: https://www.thethingsnetwork.org/wiki/Backend/Home and https://www.thethingsnetwork.org/wiki/LoRaWAN/Security
In the current implementation, TTN decrypts payload for you (just like Sigfox).
These devices and networks are already out there.
Yes, LoRa can use 433 MHz as well, but no LoRaWAN networks are using it (yet?)