The Things Conference 2019 – Amsterdam, The Netherlands – January 31 and February 1, 2019 Renaud Lifchitz - renaud.lifchitz@digital.security From LoRaWAN 1.0 to 1.1, what are the security enhancements?

Outline Security of LoRaWAN 1.0 Overview of LoRaWAN 1.1 Security since LoRaWAN 1.0 Conclusion & recommendations P. 2 digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements?

Speaker's bio French senior security engineer Main activities:  Penetration testing & security audits  Security research  Security trainings Main interests:  Security of protocols (authentication, cryptography, information leakage, reverse engineering...)  Number theory (integer factorization, primality testing, ...) digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements? P. 3

About digital.security Company founded in 2015 by a group of experts with the support of Econocom Group Provides advanced services in security audit, consulting and support Our expertise combine traditional security for infrastructure and application, and skills oriented to the ecosystem of connected objects Created the CERT-DS, 1st European CERT™ expert in IoT security (https://iotsecuritywatch.com/en/ monitoring service) Has a laboratory for studying new technologies, protocols and specific operating systems digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements? P. 4

Security of LoRaWAN 1.0

4 important security topics for LoRaWAN Wireless communication security Application security (device firmware & backend applications) Infrastructure security (protocols & configuration) Device/hardware security Security of LoRaWAN 1.0 P. 6 digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements?

Tools – our LoRaWAN framework (1/2) We have developed a (private) full LoRaWAN security framework that includes:  Tools to capture OTA and network LoRaWAN messages  A LoRaWAN dissector  Crypto implementations  Attack tools: packet injection, offline key bruteforcer, gateway & node spoofing… Security of LoRaWAN 1.0 digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements? P. 7

Tools – our LoRaWAN framework (2/2) Security of LoRaWAN 1.0 digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements? P. 8 Offline frame decryption using join handshake and AppKey

Our 2016 security study in a nutshell (1/2) Presented at Hardwear.io conference: https://speakerdeck.com/rlifchitz/security-review-of-lorawan-networks Security of LoRaWAN 1.0 P. 9 digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements?

Our 2016 security study in a nutshell (2/2) Wireless communication security:  Various replay attacks  Denial of Service (DoS) attacks  Keystream reuse attacks  Attacks on encryption using precomputed table  Weak keys Application security:  Weak random number generation (RNG) Infrastructure:  Vulnerable backend protocols (spoofing, sniffing & DoS)  Publicly accessible infrastructure Device/hardware security:  Built-in commands to dump memory/secrets  Debug ports enabled  Side-Channel Analysis (Correlation Power Analysis) attacks Security of LoRaWAN 1.0 P. 10 digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements?

Overview of LoRaWAN 1.1

About LoRaWAN 1.1 Released in October 2017 Not directly backward compatible with 1.0.x Requires an additional stack in most devices Requires a major update on the servers Commercial deployment will probably not start before 2020 LoRaWAN specification: https://lora-alliance.org/sites/default/files/2018-04/lorawantm_specification_-v1.1.pdf Overview of LoRaWAN 1.1 P. 12 digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements?

LoRaWAN 1.1 new features Support for handover roaming (≠ passive roaming), allows transferring control of the end-device to another LoRaWAN network Bidirectional end-devices with scheduled receive slots (class B) Introduces LoRaWAN Backend Interfaces 1.0 (BEI) Better separation between the MAC and payload encryption Multicast features allows Firmware Updates Over The Air (FUOTA) Security enhancements Overview of LoRaWAN 1.1 P. 13 digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements?

Security since LoRaWAN 1.0

Important changes LoRaWAN 1.0.1:  Minor changes LoRaWAN 1.0.2:  Uplink frame counter (FCntUp) encrypted and included in confirmation messages (ACK downlinks)  Device recognizes which of its messages has been confirmed by the NS Better protection against replay attacks LoRaWAN 1.0.3:  Unicast and multicast support for class B devices  Few backports from LoRaWAN 1.1 (like time synchronization feature) Security since LoRaWAN 1.0 P. 15 digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements?

LoRaWAN 1.1 BEI Allows network & server decomposition:  Join Server – JS  Network Server – NS  (Application Server – AS) instead of the former standalone NS End-devices credentials:  can be managed by a 3rd party  can be independent from the LoRaWAN network Better network segmentation Security since LoRaWAN 1.0 P. 16 digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements?

LoRaWAN 1.1 keys & session security (1/4) Security since LoRaWAN 1.0 P. 17 digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements? MAC commands are always encrypted Session security context splitted:  Network management traffic secured by session keys derived from NwkKey  Application traffic secured using AppKey Frame counters can never be reset (even in ABP mode) DevNonce is now a counter (no more a “random” value)  protects against various forced keystream reuse attacks we exposed in 2016

LoRaWAN 1.1 keys & session security (2/4) Security since LoRaWAN 1.0 P. 18 digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements? LoRaWAN 1.1 device with LoRaWAN 1.0.x backend (AppKey not used)

LoRaWAN 1.1 keys & session security (3/4) Security since LoRaWAN 1.0 P. 19 digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements? LoRaWAN 1.1 device with LoRaWAN 1.1 backend

LoRaWAN 1.1 keys & session security (4/4) Security since LoRaWAN 1.0 P. 20 digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements? Network session context includes:  FNwkSintKey  SNwkSIntKey  NwkSEncKey  DevAddr  FCntUp (uplink frame counter)  NFCntDown (downlink frame counter for network context) Application session context includes:  AppSkey  FCntUp (uplink frame counter, same as network context)  AFCntDown (application context downlink frame counter) Network session context is managed by the NS Application session context is managed by AS

LoRaWAN 1.1 rejoin requests Security since LoRaWAN 1.0 P. 21 digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements? An activated device may periodically transmit a Rejoin Request along with its normal application traffic Allows the backend to initialize a new session context for the device Ensures that frame counters never exhaust: rejoin freshens the session context along with the frame counters Feature can also be used to hand over traffic from one network to another

Conclusion & recommendations digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements? P. 22

Conclusion LoRaWAN 1.1 has:  Better availability: ↪ Better protection against active denial of service attacks ↪ Device reconfiguration during roaming (handover roaming) ↪ No more time drifts for class B devices  Better confidentiality (avoids keystream reuses)  Better authentication and confidentiality (3rd party JS) Still some weaknesses:  Lacks a secure standard for backend networks (Semtech « Gateway to Server Interface Definition » v1.0 - July 2015 is very vulnerable)  No message padding enforced  Complex set of MAC commands prone to implementation errors & device DoS P. 23 digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements?

Conclusion - general recommendations Use latest 1.0.x or 1.1.x standard Prefer OTAA over ABP mode Actively monitor your gateways for active attacks (for private networks) Enforce the duty cycle Protect your infrastructure (no default configuration, strong protocols, strong passwords) Use binary messages instead of JSON Use constant length messages (use padding if necessary) Use different keys on every node Don’t use devices where private keys can be read using built-in commands If possible, use devices with a Secure Element Use a separate JS with a HSM For the best specific recommendations for your project, contact us! ☺ P. 24 digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements?

References 1) Lifchitz R., September 2016, "Security review of LoRaWAN networks", Hardwear.io conference: https://speakerdeck.com/rlifchitz/security- review-of-lorawan-networks 2) LoRaWAN specifications: https://lora-alliance.org/resource-hub 3) LoRa Alliance, August 2018, "Technical Recommendations for Preventing State Synchronization Issues around LoRaWAN™ 1.0.x Join Procedure": https://lora-alliance.org/sites/default/files/2018-08/lorawan-1.0.x-join- synch-issues-remedies-v1.0.0.pdf P. 25 digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements?

Thanks! Questions? IoT Security Contact: renaud.lifchitz@digital.security P. 26 digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements?