Cyber Security Alliance conference, Switzerland – November 1st-3rd, 2016 Renaud Lifchitz (renaud.lifchitz@digitalsecurity.fr) IoT & Sigfox security

Outline Presentation of the speaker and the company Study context Presentation of the Sigfox technology Physical characteristics of Sigfox communications Sigfox security functions: redundancy, authentication, encryption and anti-replay Recommendations for development and integration P. 2 IoT & Sigfox security - Digital Security

Speaker's bio French senior security engineer Main activities:  Penetration testing & security audits  Security research  Security trainings Main interests:  Security of protocols (authentication, cryptography, information leakage, reverse engineering...)  Number theory (integer factorization, primality testing, ...) IoT & Sigfox security - Digital Security P. 3

About Digital Security Company founded in 2015 by a group of experts with the support of Econocom Group Provides advanced services in security audit, consulting and support Our expertise combine traditional security for infrastructure and application, and skills oriented to the ecosystem of connected objects Has created the CERT-UBIK, first European CERT™ specialized on IoT security (OSIDO monitoring service) Has a laboratory for studying new technologies, protocols and specific operating systems IoT & Sigfox security - Digital Security P. 4

First IoT hacks IoT & Sigfox security - Digital Security P. 5

Study context

Study context A lot of questions and requests from our customers on the Sigfox security Partial release of more general specifications (LTN) after Sigfox deployment, no public security specification (ETSI GS LTN 001-003 V1.1.1 2014/09) Independent study in 2 steps for the complete understanding of the protocol:  The radio protocol  A device firmware P. 7 IoT & Sigfox security - Digital Security

Radio protocol analysis (1/4) Transmission & radio capture of several frames with known payloads Use of several binary patterns in the transmissions:  « 00 » repeated bits, hexadecimal pattern: 0x00000000  « 01 » repeated bits, hexadecimal pattern: 0x55555555  « 10 » repeated bits, hexadecimal pattern: 0xaaaaaaaa  « 11 » repeated bits, hexadecimal pattern: 0xffffffff Full analysis in SDR (Software Defined Radio) P. 8 IoT & Sigfox security - Digital Security

Radio protocol analysis (2/4) Software defined radio basics:  Software reconfigurable radiocommunication system (in frequency, modulation and protocol)  SDR (« Software Defined Radio »)  Benefits: no need to use different devices for different protocols, easy to update protocol implementations  In practice, all the signal processing is done on the computer side (raw reception of I/Q data)  Growing sector: radio amateurism, mobile radio, space exploration, military, radar and electronic war P. 9 IoT & Sigfox security - Digital Security

Radio protocol analysis (3/4) Software defined radio, hardware platform:  USB key with Realtek RTL2832U chipset, designed to receive TV/DVB  Technical details: ↪ Radio reception only ↪ 8 bits I/Q ↪ Bandwidth: 3,2 MHz with 3,2 MSPS ↪ Frequency range: 50 MHz to 2,2 GHz (Elonics E4000, may vary)  About 15€  Project RTL-SDR & compatible devices: http://sdr.osmocom.org/trac/wiki/rtl-sdr P. 10 IoT & Sigfox security - Digital Security

Radio protocol analysis (4/4) Software defined radio, software plateform:  GNU Radio : ↪ Complete open source framework for SDR development ↪ Support for most SDR devices ↪ Building blocks in C++ and Python ↪ A lot of filters available ↪ GUI wizard to design SDR circuits: GNU Radio Companion ↪ Project: http://gnuradio.org/redmine/proj ects/gnuradio/wiki P. 11 IoT & Sigfox security - Digital Security

Firmware analysis « Arduino-like » Sigfox development kit with a SOC and Si4461 radio module Hardware interface :  UART USB dongle USB UART to send commands to the card (AT commands, frames transmission)  SWD USB dongle USB SWD for SWD debugging (128 KB of flash memory & 16 KB of RAM extraction) Software interface :  Recent OpenOCD (>= 0.9) with SWD & ARM Cortex-M3 support  Development header files for memory ranges et data structures  IDA Pro debugger P. 12 IoT & Sigfox security - Digital Security

Presentation of the Sigfox technology & physical characteristics of Sigfox communications

Presentation of the Sigfox technology « Ultra Narrow Band » (UNB) protocol on the 868 MHz ISM band in Europe (different in Asia and USA) Initially unidirectional (Sigfox version 1), bidirectional on demand Low consumption, long range, low throughput for IoT 20 kms typical range (up to 300 kms in ideal conditions) Operating partners in every covered country (SNO : « Sigfox Network Operators ») All received messages are collected on the Sigfox backend (web interface), business callbacks are available Standard usage: 1 message every 10 minutes, subscription costs about 10€/year/device for individuals P. 14 IoT & Sigfox security - Digital Security

Sigfox use cases Energy, Security, Industry, Agriculture, Transports, Infrastructures, … Some use cases in France:  Smart Metering : water consumption  Smart City : failures on advertisement panels, bike geolocation  Smart Home : fire detection P. 15 IoT & Sigfox security - Digital Security

Sigfox network coverage About 1500 antennas in France Covered countries:  France, Spain, Netherlands, Portugal  Being covered: Belgium, Czech Republic, Denmark, Ireland, Italy, Luxembourg, Maurice, USA Several significant big cities in the world Be careful, coverage is quite different between indoor and outdoor (Current coverage in january 2016, according to http://www.sigfox.com/en/coverage ) P. 16 IoT & Sigfox security - Digital Security

A Sigfox message transmission (SDR capture, waterfall view) A message transmission: 3 successive frames on 3 different frequencies P. 17 IoT & Sigfox security - Digital Security

A Sigfox message transmission Transmission of 3 successive frames with different codings Frame 1 Frame 2 Frame 3 P. 18 IoT & Sigfox security - Digital Security

A Sigfox message transmission Zoom on a single Sigfox frame • Modulation: modified BPSK • Coding rate: 100 bits/s. P. 19 IoT & Sigfox security - Digital Security

Sigfox frame format (uplink) • Preamble 1 : bytes 0xAAAA, alternation of 0 and 1 • Preamble 2 : length-dependent preamble (table lookup) • Counter: frame sequence number • Sigfox device serial number • Payload: up to 12 bytes (8 bytes for downlink) • MAC : Message Authentication Code (authentication code) • FCS : Frame Check Sequence (error detection code) Preamble 1 Preamble 2 Flags + Counter Serial number Payload MAC FCS 2 bytes 2 bytes 2 bytes 4 bytes 0 to 12 bytes 2 bytes 2 bytes P. 20 IoT & Sigfox security - Digital Security

Some sniffed Sigfox frames Preamble 1 Preamble 2 Counter Serial number Payload MAC FCS aaaa a94c 000c 61870000 aaaaaaaaaaa aaaaaaaaaaa aa c913 8fef aaaa a94c 002a 61870000 ffffffff7ffffffff fffffff f008 de0a aaaa a94c 002d 61870000 ffffffff7ffffffff fffffff 558e f7d0 P. 21 IoT & Sigfox security - Digital Security

Sigfox security features

Redundancy & noise resistance To avoid voluntary or involuntary jamming:  3 transmissions of the same message,  with 3 differents frequencies,  with 3 differents codings Certified Sigfox hardware with good sensitivity: about -125 dbM (our test device) Good resilience of Sigfox messages P. 23 IoT & Sigfox security - Digital Security

Integrity Using bruteforce on the FCS, we were able to find the used error detection code: 16 bits CRC based on the polynomial X16+X12+X5+1 (CRC CCITT / XMODEM with init value 0x0000 and no XOR after) Good detection of frame corruption P. 24 IoT & Sigfox security - Digital Security

Encryption Sigfox doesn’t provide any encryption Payload is always sent plaintext, and can be sniffed and decoded within the radio range No encryption on the Sigfox network P. 25 IoT & Sigfox security - Digital Security

Anti-replay feature Frame counter on 12 bits MAC on 2 bytes including this frame counter Existing anti-replay feature P. 26 IoT & Sigfox security - Digital Security

Authentication (1/2) Sigfox device serial number is sent plaintext in every frame Serial number on 4 bytes → only 4,3 billions devices? A unique 128 bits key is set up in every Sigfox device for the HMAC algorithm Signature and message can be reused every 212 = 4096 frames Sigfox device can be identified in every frame P. 27 IoT & Sigfox security - Digital Security

Authentication (2/2) HMAC algorithm: First two bytes of the last encrypted block in AES-128- CBC, using the 128 bits unique key of the device Authentication key can be extracted using SWD debugging Sigfox devices can be spoofed P. 28 IoT & Sigfox security - Digital Security

Security study conclusions Main strong points:  Frame resilience  Corruption detection  Anti-replay feature Main weak points:  No builtin encryption, no easy way to implement it for developers  Sigfox devices can be identified  Sigfox devices can be spoofed at will because of a one-time physical access  Signatures and messages can be reused cyclically P. 29 IoT & Sigfox security - Digital Security

Recommendations for development & integration

Development & integration Adapt your security level depending on your usage If the data is sensitive (confidentiality or availability): add encryption, redundancy and anti-replay mechanisms at application level Alternatives to encryption:  Use of devices with Secure Element for keys (doesn’t exist for the moment)  External HSM use (lower and expensive security)  XOR encryption (very small payload) using for instance PBKDF2 key derivation The use of cloud services add some risks Feel free to ask us for specific needs! P. 31 IoT & Sigfox security - Digital Security

Contact Experts in Internet of Things security info@digitalsecurity.fr Renaud LIFCHITZ IoT expert renaud.lifchitz@digitalsecurity.fr + 33 1 70 83 85 72 P. 32 IoT & Sigfox security - Digital Security