Upgrade to Pro — share decks privately, control downloads, hide ads and more …

From LoRaWAN 1.0 to 1.1, what are the security enhancements?

Renaud Lifchitz
January 31, 2019

From LoRaWAN 1.0 to 1.1, what are the security enhancements?

After a summary of our report on LoRaWAN 1.0 vulnerabilities, we'll have a functional and technical review of LoRaWAN 1.0.x versions with a major focus on LoRaWAN 1.1. What are the new security features ? Are there any new vulnerabilities? What are the residual risks? What are the best security practices to deal with LoRaWAN?

Renaud Lifchitz

January 31, 2019
Tweet

More Decks by Renaud Lifchitz

Other Decks in Research

Transcript

  1. The Things Conference 2019 – Amsterdam, The Netherlands – January 31 and February 1, 2019
    Renaud Lifchitz - [email protected]
    From LoRaWAN 1.0 to 1.1, what are the security enhancements?

    View full-size slide

  2. Outline
    Security of LoRaWAN 1.0
    Overview of LoRaWAN 1.1
    Security since LoRaWAN 1.0
    Conclusion & recommendations
    P. 2 digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements?

    View full-size slide

  3. Speaker's bio
    French senior security engineer
    Main activities:
     Penetration testing & security audits
     Security research
     Security trainings
    Main interests:
     Security of protocols (authentication, cryptography,
    information leakage, reverse engineering...)
     Number theory (integer factorization, primality testing, ...)
    digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements?
    P. 3

    View full-size slide

  4. About digital.security
    Company founded in 2015 by a group
    of experts with the support of Econocom Group
    Provides advanced services in security audit, consulting and support
    Our expertise combine traditional security for infrastructure and
    application, and skills oriented to the ecosystem of connected objects
    Created the CERT-DS, 1st European CERT™ expert in IoT security
    (https://iotsecuritywatch.com/en/ monitoring service)
    Has a laboratory for studying new technologies, protocols and specific
    operating systems
    digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements?
    P. 4

    View full-size slide

  5. Security of LoRaWAN 1.0

    View full-size slide

  6. 4 important security topics for LoRaWAN
    Wireless communication security
    Application security (device firmware & backend applications)
    Infrastructure security (protocols & configuration)
    Device/hardware security
    Security of LoRaWAN 1.0
    P. 6 digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements?

    View full-size slide

  7. Tools – our LoRaWAN framework (1/2)
    We have developed a (private) full LoRaWAN security
    framework that includes:
     Tools to capture OTA and network LoRaWAN messages
     A LoRaWAN dissector
     Crypto implementations
     Attack tools:
    packet injection, offline key bruteforcer, gateway & node spoofing…
    Security of LoRaWAN 1.0
    digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements?
    P. 7

    View full-size slide

  8. Tools – our LoRaWAN framework (2/2)
    Security of LoRaWAN 1.0
    digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements?
    P. 8
    Offline frame decryption using join handshake and AppKey

    View full-size slide

  9. Our 2016 security study in a nutshell (1/2)
    Presented at Hardwear.io conference:
    https://speakerdeck.com/rlifchitz/security-review-of-lorawan-networks
    Security of LoRaWAN 1.0
    P. 9 digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements?

    View full-size slide

  10. Our 2016 security study in a nutshell (2/2)
    Wireless communication security:
     Various replay attacks
     Denial of Service (DoS) attacks
     Keystream reuse attacks
     Attacks on encryption using precomputed table
     Weak keys
    Application security:
     Weak random number generation (RNG)
    Infrastructure:
     Vulnerable backend protocols (spoofing, sniffing & DoS)
     Publicly accessible infrastructure
    Device/hardware security:
     Built-in commands to dump memory/secrets
     Debug ports enabled
     Side-Channel Analysis (Correlation Power Analysis) attacks
    Security of LoRaWAN 1.0
    P. 10 digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements?

    View full-size slide

  11. Overview of LoRaWAN 1.1

    View full-size slide

  12. About LoRaWAN 1.1
    Released in October 2017
    Not directly backward compatible with 1.0.x
    Requires an additional stack in most devices
    Requires a major update on the servers
    Commercial deployment will probably not start
    before 2020
    LoRaWAN specification:
    https://lora-alliance.org/sites/default/files/2018-04/lorawantm_specification_-v1.1.pdf
    Overview of LoRaWAN 1.1
    P. 12 digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements?

    View full-size slide

  13. LoRaWAN 1.1 new features
    Support for handover roaming (≠ passive roaming),
    allows transferring control of the end-device to
    another LoRaWAN network
    Bidirectional end-devices with scheduled receive
    slots (class B)
    Introduces LoRaWAN Backend Interfaces 1.0 (BEI)
    Better separation between the MAC and payload
    encryption
    Multicast features allows Firmware Updates Over
    The Air (FUOTA)
    Security enhancements
    Overview of LoRaWAN 1.1
    P. 13 digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements?

    View full-size slide

  14. Security since LoRaWAN 1.0

    View full-size slide

  15. Important changes
    LoRaWAN 1.0.1:
     Minor changes
    LoRaWAN 1.0.2:
     Uplink frame counter (FCntUp) encrypted and included in confirmation
    messages (ACK downlinks)
     Device recognizes which of its messages has been confirmed by the NS
    Better protection against replay attacks
    LoRaWAN 1.0.3:
     Unicast and multicast support for class B devices
     Few backports from LoRaWAN 1.1 (like time synchronization feature)
    Security since LoRaWAN 1.0
    P. 15 digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements?

    View full-size slide

  16. LoRaWAN 1.1 BEI
    Allows network & server decomposition:
     Join Server – JS
     Network Server – NS
     (Application Server – AS)
    instead of the former standalone NS
    End-devices credentials:
     can be managed by a 3rd party
     can be independent from the LoRaWAN network
    Better network segmentation
    Security since LoRaWAN 1.0
    P. 16 digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements?

    View full-size slide

  17. LoRaWAN 1.1 keys & session security (1/4)
    Security since LoRaWAN 1.0
    P. 17 digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements?
    MAC commands are always encrypted
    Session security context splitted:
     Network management traffic secured by session keys
    derived from NwkKey
     Application traffic secured using AppKey
    Frame counters can never be reset
    (even in ABP mode)
    DevNonce is now a counter
    (no more a “random” value)
     protects against various forced keystream reuse attacks
    we exposed in 2016

    View full-size slide

  18. LoRaWAN 1.1 keys & session security (2/4)
    Security since LoRaWAN 1.0
    P. 18 digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements?
    LoRaWAN 1.1 device with LoRaWAN 1.0.x backend
    (AppKey not used)

    View full-size slide

  19. LoRaWAN 1.1 keys & session security (3/4)
    Security since LoRaWAN 1.0
    P. 19 digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements?
    LoRaWAN 1.1 device with LoRaWAN 1.1 backend

    View full-size slide

  20. LoRaWAN 1.1 keys & session security (4/4)
    Security since LoRaWAN 1.0
    P. 20 digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements?
    Network session context includes:
     FNwkSintKey
     SNwkSIntKey
     NwkSEncKey
     DevAddr
     FCntUp (uplink frame counter)
     NFCntDown (downlink frame counter for network context)
    Application session context includes:
     AppSkey
     FCntUp (uplink frame counter, same as network context)
     AFCntDown (application context downlink frame counter)
    Network session context is managed by the NS
    Application session context is managed by AS

    View full-size slide

  21. LoRaWAN 1.1 rejoin requests
    Security since LoRaWAN 1.0
    P. 21 digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements?
    An activated device may periodically transmit a Rejoin
    Request along with its normal application traffic
    Allows the backend to initialize a new session context for the
    device
    Ensures that frame counters never exhaust: rejoin freshens
    the session context along with the frame counters
    Feature can also be used to hand over traffic from one
    network to another

    View full-size slide

  22. Conclusion & recommendations
    digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements?
    P. 22

    View full-size slide

  23. Conclusion
    LoRaWAN 1.1 has:
     Better availability:
    ↪ Better protection against active denial of service attacks
    ↪ Device reconfiguration during roaming (handover roaming)
    ↪ No more time drifts for class B devices
     Better confidentiality (avoids keystream reuses)
     Better authentication and confidentiality (3rd party JS)
    Still some weaknesses:
     Lacks a secure standard for backend networks
    (Semtech « Gateway to Server Interface Definition » v1.0 - July 2015 is very vulnerable)
     No message padding enforced
     Complex set of MAC commands prone to
    implementation errors & device DoS
    P. 23 digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements?

    View full-size slide

  24. Conclusion - general recommendations
    Use latest 1.0.x or 1.1.x standard
    Prefer OTAA over ABP mode
    Actively monitor your gateways for active attacks
    (for private networks)
    Enforce the duty cycle
    Protect your infrastructure
    (no default configuration, strong protocols, strong passwords)
    Use binary messages instead of JSON
    Use constant length messages (use padding if necessary)
    Use different keys on every node
    Don’t use devices where private keys can be read using built-in commands
    If possible, use devices with a Secure Element
    Use a separate JS with a HSM
    For the best specific recommendations for your project, contact us! ☺
    P. 24 digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements?

    View full-size slide

  25. References
    1) Lifchitz R., September 2016, "Security review of LoRaWAN networks",
    Hardwear.io conference: https://speakerdeck.com/rlifchitz/security-
    review-of-lorawan-networks
    2) LoRaWAN specifications:
    https://lora-alliance.org/resource-hub
    3) LoRa Alliance, August 2018, "Technical Recommendations for Preventing
    State Synchronization Issues around LoRaWAN™ 1.0.x Join Procedure":
    https://lora-alliance.org/sites/default/files/2018-08/lorawan-1.0.x-join-
    synch-issues-remedies-v1.0.0.pdf
    P. 25 digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements?

    View full-size slide

  26. Thanks!
    Questions?
    IoT Security
    Contact:
    [email protected]
    P. 26 digital.security - January 2019 - From LoRaWAN 1.0 to 1.1, what are the security enhancements?

    View full-size slide