
Thanks, everyone. Hear me okay? Yeah, nodding heads, that's cool. Okay, um, I want to talk today about, um, LoRa. It's a radio protocol that's actually taken a lot of interest and a lot of investment recently, so I wanted to just talk about a little bit, just to introduce it to you and also just to understand it from a security point of view, so if you were to run into it or consider it, what you need to actually think about. So first of all, just obviously need to explain what on earth this is, um, talk a little bit about the security features of it, and then actually try and look at, okay, if we understand the security
features, how do we attack this system, or, you know, how do we build a, a system that can withstand attack. Um, introductions for myself first. Um, I've been with MWR since 2011. You've probably seen me here a couple years ago; I've done a lot of work on Android, um, so it's awesome to be moving on and talking about something new. Uh, I run the company's, uh, operational technology practice, where we're looking at embedded systems, industrial systems and radio technology. Another quick pro tip: uh, if you're considering starting a research project, uh, make sure there's a hilarious talk title you can get from it. Um, LoRa the Explorer is the obvious choice, but it can be really, really difficult when
you've got a presentation and you can't come up with a title for it, so best do the other way. So back in 2015, in the autumn, um, we decided to go to a conference that's not a security conference. We tried to sort of branch out and we went to a utilities conference, and this was a European Utility Week. This, this is massive; this is kind of like an Infosec for the utilities area, so everyone from Siemens right through to, um, small sort of Chinese startups selling, um, sort of smart metering and things like that. Everything in this space, all the new technologies, and we were there to just talk to people, to understand, okay, what
new kit are you bringing up, what new protocols are you using, and we had to obviously brush up on the kind of protocols we expected them to use. Um, so we, we kind of have these kind of assumptions: okay, well, we're going to go to this conference, so let's make sure we really understand Zigbee security, that, okay, if they're using BTLE, that we totally get that. Um, so we got there and on the, on, on the first day we, um, we actually found I think maybe two vendors using any of those. All the others were using completely different radio technology, which was quite awkward but also really exciting. So the first evening we went back to our rooms and just sort of
reading as much as we can so we could have a conversation with them the next day. So why has this happened? Have we not already kind of solved radio? Are there not already protocols out there? Why have everyone now jumped, in this sector at least, to different ones? And you can break it down fairly quickly like this. So if we have sort of the range of the protocol at the bottom, the power usage at the top: okay, if we want to send things long range, if we need this to work over kilometers, okay, we'll probably use a cellular network, we'll probably maybe need to, satellite, if it's, you know, there's no cell towers nearby. If we're a little bit closer to
home and we maybe want to improve the bandwidth a bit, okay, great, we have Wi-Fi, we have Bluetooth, very established technologies, nice and easy. More recently we've seen this area solved, and this is, okay, what about sort of personal range, or sort of within a small building, that's very, very low power. So this kind of home automation side of things, that now you don't need to trail power cables all through your house because, you know, it's all wireless; this thing runs on a battery for years, which is great. The gap is obviously here, and for utilities, for transport, this is a really exciting area if you could solve it: could you come up with a radio protocol that works
over many, many kilometers but doesn't have the, the sort of drawback of needing a lot of power, you know, constantly going out to replace batteries, needing some kind of mains connection. It just doesn't work all the time. And this is LPWAN. So LPWAN is low-power wide-area network; this is sort of the, the sort of brand name given to a whole bunch of technologies that essentially have these kind of, these, uh, features. That's the battery life, and it is extreme battery life: should be able to run on a AAA battery for 10 years, that's, and these, for the end nodes. Range has to be, we're talking across cities, across, you know, whole wide areas. Bit rate we're not
actually worried about; we'll sacrifice that. We're only going to be sending metrics, small information, small commands, so we're not worried about bandwidth. This has become possible using one of several modulations, which I'll go into in a sec. The other factor is it must be cheap: that these chips, these transceivers, these whole devices we're going to build, we're probably going to want hundreds of them. The kind of typical solutions we'll go through in a second need these remote nodes to just be across a city, and if one gets run over by a car, who cares, that's just a few pounds. If it, you know, you can imagine it gets very, very expensive very quickly otherwise. And I mentioned a couple areas
already: smart city, you know, if you can actually measure pressure on the water pipes, if you can get, um, any sort of critical infrastructure that you don't want to run cables across, that you don't want to plug into your network, well, now you could just have a node that just reports back metrics to you. Uh, I live in Reading; one area that LoRa is already being used for is to measure, um, river flood levels. So these things are distributed around the river; when they sort of obviously measure that the water level's up to a certain, they then report back. Actually, logistics is another one that's kind of interesting I didn't think of until I was talking to people
in the, in the area, um, but there's a lot. Imagine if you've got, like, the containers, like reefers, so they're actually refrigerated units, um, and, you know, they're being carried on a ship, they're a truck, they're across the city, but you actually want to know what the temperature is. Well, either you're going to have to have a lot of power draw, or you can just have these small devices now that are using LPWAN. So there's a few modulation technologies. Um, it's pretty much at the moment between, uh, ultra narrow band, UNB, and LoRa. Uh, LoRa is actually a spread spectrum, so ultra wide, and then you have ultra narrow; they're sort of the two competing
modulations. Narrow band is just coming in, and we'll have a look at sort of who's investing in what in just a second, but the idea of narrow band is, could we use existing cellular infrastructure to offer this kind of LPWAN solution? A little bit more theoretical, not as mature, um, as, as the top and the bottom one there. We're looking at companies: um, Weightless is the UK company. Ultra narrowband: Sigfox is pretty much the sort of big player in ultra narrow band; there's a couple of others that are using it as well. Uh, cellular comes across as a whole bunch of different names, so narrow band LT Rand iot, uh, companies like Huawei are
getting super invested in this: great idea, we can offer IoT, um, you know, solutions using our existing infrastructure, great. LoRa is pretty much solely owned by the LoRa Alliance; they're the, they're the organization that are already really pushing this. Uh, Link Labs are also doing something using similar modulation. So we have at the moment this kind of situation of this VHS versus Betamax kind of thing. Uh, the big two players are LoRa, LoRaWAN, and Sigfox; they are the ones that are grabbing all the headlines, getting huge amounts of investment, um, but ultimately if one of them was to become the mature one then everyone would just jump to that and the other one might die off. So the big
difference with Sigfox is Sigfox build you the network. They have a, uh, build it and they will come kind of, um, idea, that you, that they will go to, say, London, install all the sort of cell towers, or the equivalent for Sigfox, have all the backend all done, and then just offer you, the customer, the ability to buy a node, buy a license and access web services. So you kind of access either end of it. Great, because now you don't need to worry about installing all that middle kit; uh, they do it all for you. Big argument against it, though, is what happens if they go out of business tomorrow? Well, all my kit's going to stop
working, so they got to worry about that. LoRa is the kind of a bit more open source; I use that phrase carefully. Um, the LoRa modulation, like the PHY layer, is actually licensed by Semtech, but the layer above it, loads of companies are doing this kind of middle, um, kind of the cell towers, the servers and the services, so it's a bit more, you kind of own that, but obviously you need to make the investment. Big players in the area: you can kind of see how it's a little bit split up, but, uh, a lot of companies are announcing they are siding with one or the other, um, in terms of semiconductor manufacturers. Also the telcos are super
interested in this because it can offer a whole new service: you've already got all this networking infrastructure, how about you can now offer an IoT service on top of it? So a lot of companies are either kind of signing up as alliance members or actually investing. Orange, weirdly, if you see, they're actually doing both: they invested something like 60 million EUR into LoRaWAN to install it in several cities in France, but they've publicly said we're only doing this until our NB-IoT gets off the ground. So there's a lot of companies kind of hedging their bet. Generally LoRaWAN AP from Meco Telecom is very European based, uh, cellular m is kind of pushed by the Americans, um, and
Sigfox is also Europe but spreading through to Asia. So that's the idea of this kind of LPWAN. So why choose LoRa? There's, there's a whole bunch here; why not go look at Sigfox or, or one of the NB-IoTs? Well, there's, there's a few advantages. First of all, uh, LoRaWAN, the, the MAC layer and the app layer, are open source: anyone can go on their website today, I think you have to type in your email address, but then you can download, uh, the full specification. So for a research point of view that's awesome. It's not a theoretical thing; it's had a huge amount of investment, um, in a lot of cities in Europe including
London, um, so it's, it's not just a theoretical thing; there's actually sort of value in, in helping people at this stage. Also, it's not just turning off your lights, and I've seen talks on that before and it's great, turn off your lights, that's mildly annoying. LoRa, and LoRa has already been talked about being used for actually quite safety-critical things. So there's already been a paper produced of how you would use this to, uh, automate railway level crossings, how you, and I've looked at one system, um, that was being demoed at the European utilities conference, uh, that was a burglar alarm based on this, and also a lot of people saying this is great, you can put this
into your cr—, um, your national infrastructure, critical infrastructure, and you don't have to run wires, isn't that brilliant? Well, yes, potentially yes, but we need to know about the security of it. So walking around the conference, um, obviously you start trying to dig, but just like going to Infosec, you can't really talk tech to the people on the stands normally because it's mostly sales stuff. Um, so when I was asking about, like, this, this is great, what's, what's the security? Oh yeah, it's fully secured. How, how does it do that? Oh, it uses AES-128. Right, that, yeah, okay. Um, so I started going to them and saying, okay, apart from using AES-128, how does the security work?
And just the stunned looks, that obviously stolen their only tagline they were using. So at the moment there's nothing really out there, um, and as I say, you can just download the spec, but that's pretty heavy going if you just need to be able to advise someone within five minutes if it's good or not. As a consultant I kind of have to also expect this kind of questioning: I'm going to have someone ask me, we want to use it for X, is that fine, would it work, is it safe? Or alternatively, we got two, we're going to use two gateways, we want to use, which one should we use? Due diligence: if we want to look at the security of these
products, which one's better? So this is the presentation on the research from sort of October till now, um, to say the following: to say whether it's even possible to use it securely, to find out, if you are going to use it, what's your key controls, and then to actually try and say, okay, here is a white paper with a list of tests in it you can actually go and use, um, to look at a system. So that's how we work: we looked at the specification, had a look at anyone who's actually released the stuff yet, see how they've done it, produce paper, and then actually see if we actually need to produce any tools to be
able to test it properly, and that's what we've done. So I keep using the word LoRa and LoRaWAN. Um, LoRa is the, uh, the PHY layer; that's just the modulation, proprietary, licensed by Semtech. Semtech will, um, license it out. LoRaWAN is the bit I'm actually more interested in at this point; this is the, the layer with the security on it, this is sort of the MAC layer and above, and that's an open standard, so we can tear that one apart. Okay, let's say we actually want to build a LoRa system now. We sort of talked about these various components; there's only going to be three according to specification: you have nodes, you have
gateways, you have network servers. Nodes are these small devices; I've got one here, um, of course it's all cabled up, um, very, very cheap. Um, this one's made by Microchip. Um, there, these end nodes are going to be the things that you distribute around; they're going to be things with sort of real-world I/O kind of control, they're going to be monitoring stuff, they're going to be taking commands and maybe, you know, flipping servers, whatever. They report back to the gateways; this is a example gateway. And they're going to be using, uh, LoRa, LoRaWAN to actually transmit messages back and forth to the gateways. Gateways, there's going to be far fewer of them; they're going to be powered, uh, and
they're going to then report back to the network server. The network server is your typical IT infrastructure at this point, some kind of interface that the gateway can talk to; how you want to design that, entirely up to you. What you then may have is, uh, if you're, like, licensing this out as a service, is you can say, okay, company X, you can have these nodes and you can build your own application server, and I'll know to pass all that data through to you and you can control them. So this connection, entirely up to you: could be using cellular networks, you could run cables, anything you want, doesn't really matter; obviously needs to be fairly high bandwidth. And then the
connection between the gateway and the node, that's what's using LoRa and LoRaWAN to communicate. It works on a call-reply basis, so traditionally, the Class A setup is that the nodes will, depending on how you program them, send a message back to your application server, you know, the temperature is currently 20°; the application server then has the opportunity to reply, okay, it's 20°, open the valve, that kind of message. To understand how good the gateways are, this is a map of Mion. Um, the red, um, pins are gateway, the green area is the area that you could put a node in and it would make it back to the network server. So they've covered most
of a city using just six gateways, so it's pretty effective. As you can tell, we sort of move into this deeper, heavier area, built up, the, the, um, the range drops quite a lot; obviously out in the countryside a little bit more, much easier. So that's how it works: there's only these three components, only two of them are actually talking LoRa, LoRaWAN. Um, so what does a spec actually say about security? And imagine you were given this, right, your pentester hat on, so someone says, we finished, we've built this, it's got a thousand nodes, um, 10 gateways, we've already built all the network's application servers, third parties can connect in, we've got all the
infrastructure in the meantime. The attack vectors on this are kind of mind-boggling; this is a huge, huge project. You could go after the radio, you go after the devices, you go after the servers, any, um, internet-facing areas, what would be the effect of denial of service attack; there's, there's quite a lot. So we wanted to break it down a little bit. The way encryption works, this whole AES-128, this is the way it works: it's using symmetric encryption, so every node has its own unique keys, should have its own unique keys according to the spec. It will have two of them: it will have an application session key, network session key. Application session key is
highlighted in red, network session key is highlighted in blue. Now what would happen is the node encrypts using the application session key and then signs, makes the message integrity, uh, check using, uh, the network session key. Goes through the gateway; gateway is completely blind, it has no ability to decrypt message, it's got no access to keys, it just dumbly forwards everything on that it sees that is a legitimate LoRa packet. The network server can then, it's only got the network key, so it can check, yes, that's a official message, yes, it had the right key, pass it on; I know which, um, application server send it to for the other fields telling me which one to
send it to. The idea being, it doesn't matter if the network server is owned by a telco, only you can then decrypt it; that's the idea. Of course there's other issues of, what if there are two, um, like, LoRa solutions in the same area? You can actually shift the channel slightly, although it shouldn't affect it too much, um, and these are command messages. Command messages are only sent by the network server; the network server only has one of the keys, so it's going to use the key for both encryption and signing. So this would be a reply this time, sent by the network server, to say, ah, could you actually shift channel X. Interesting. Where it starts getting a
little bit more gray around the specification is how exactly do you join a new node to the network. You don't just want me, a terrible person, connecting into your, to your LoRaWAN system; you only want your official ones connecting when you want them to. So joining, you have two options. One, you could just program the keys when you're manufacturing them, put them into the nodes, throw the nodes out into the field, they start working; they've got the keys immediately so they can just start talking, that's fine. The other one is more complicated, um, is where you put, you just still put a key onto the device but it doesn't have the session key set up yet, so what you
need is some kind of exchange when the node starts up, using the one key it does have, to establish the two other keys. So we have our node; it has a unique application key on it, again AES-128, so, and this is, the node's going to send this to start off with, and this is our evil person in the middle trying to listen in, working out what the keys are. So the node is going to send a join request; it's going to send, okay, I belong to this application, I am this device number, uh, I've created a random number, and I've, um, signed it with my app key, not encrypted, just signed. So, okay, he can
get those, that's fine. So AES-128 HMAC to sign those. The server then needs to generate another nonce, uh, and using those values it calculates what, um, the application session key, the network session key should be. Um, it should also, and this is where the specification doesn't really talk about it much, it should also check that that node should even be joining or sending that message at this point, and so that's kind of consideration we need adding. These are the, uh, formulas used; again, this is all on the specification. Um, so the server is going to work it out this way: it's going to take the app key, which it also knows, take the nonce, the other nonce it's just
produced, and actually produce the two keys. It will then send, yes, you can join, um, and it's going to send its, uh, AppNonce, uh, back, but this time actually encrypt it with the application key and sign it. So now both sides have the information and man in the middle is completely stuck without that. So that's, we can now join network safely to our network, which is great. How about the messaging itself? Oh, we're going to, as I said in the diagram, it's going to be using the application session key, the network session key. Uh, for application messages, encrypt with the AppS, with the, sign with the network. The network messages, we can only use the
one key, but that's fine. Okay, let's get bit mathy. It's actually using AES in counter mode, which means it's going to be producing a keystream; that keystream is then getting XORed with our message and that then get sent across. The idea is that the server can produce the same keystream because it has the same information, XOR, and get the data out again. A key point of this is, obviously, you don't want to produce the same keystream twice, quite dangerous. So what it's going to use is these counter values, the idea being that when a node starts it's on zero; every message it send it's going to be incrementing its counter, and then on the server side the
server can do the same: okay, I've received one from that node, increase that node's counter. So it can always produce the same keystream as the node but it should never produce same keystream twice. The XORed message goes into there, so that FRMPayload is our data, the metric, you know, it's 20°, whatever; that gets encrypted, we then sign it with the message integrity check using the network key. So that's pretty simple: we can add nodes, these nodes can message us, we can check the signing, we can check, you know, has been tampered with, we can decrypt it, great. Class B is to, what they've done when obviously some of the customers have put their hand up and say, that's
not going to work for us. Um, what if our nodes are inside containers that are constantly moving around the city, what if they're in a car or something like that? How does the server know to send a message to that particular gateway, to know that it's going to reach that node, if the node's now moved on? Well, okay, so LoRa, um, LoRa added Class B systems. Similarly, you'll have times where the network needs to message you, where you want to contact the, the node first, you don't just want to wait and reply. So that's what this solves. Gateways at this point suddenly become active, they suddenly start doing stuff; they're going to start sending out messages to say, hey,
I'm the gateway, I'm gateway number three, this is my GPS coordinates, um, and the time is currently this. The node that way can then receive all of those messages, which are sent, um, synchronously, and pick which gateway is the closest. If that one has now changed, it will send a message to the server, and the server can say, okay, it came from that gateway this time, right, I know to talk through it, that gateway, to talk to it. So useful to update the time: it's received in the node, the node now says, okay, I'm now synchronized with the time sent from that gateway message, I now know at X seconds I should listen, and because you
only have these short listening windows you can sleep for a lot of the time, and obviously far more efficient for battery life. Also allows multicast messages, so now you can send one message to all the devices because you know they're all going to be listening at the same time. So all of that, that's, that's also the technical side of it. Is it actually secure? You can imagine these systems are going to be far more complex than that: you can have engineers pulling stuff out, oh, this one broke, this one's terri—, you know, the latency, let's redirect everything, oh, the network server's fallen over. It's going to be incredibly complex. So how do we test it? Let's break it down.
So messages: there's some things we can do very, very quick. First of all, obviously, check signing for encryption. This is the kind of stuff that's in the spec, and to have an official LoRa Alliance device you must have passed their tests, but ultimately it's probably on you, depending on your role, to develop this and implement it securely. So if we don't check the signing before the encryption there are several attacks we can do; if we're not incrementing our counters properly then we're producing the same keystream, that can be dangerous; if we're sharing keys around, and yeah, again, a lot sort of please don't do this; it's up to you to actually implement that. So what happens if we were to
decrypt before we check signing? Well, given that we're XORing out using our keystream, it's possible to start swapping bytes. So if I know the structure of the message, as an attacker, is roughly that those bytes here will always be 24, because you're just XORing it, so if I just start flipping bits then I can changing these values without, um, knowing what the key was. Obviously the MIC, the signature check, should just catch that straight away, but that's up to you to implement. F counter manipulation: so denial of service attacks with these kind of systems is probably going to actually be quite expensive; you can imagine the kind of CryptoLocker attack is also, um, the big
point is with counters is they should always increment; if you get one lower then that's out of sync or, you know, it's rubbish, discard it. So if we were to be able to send a message with the counter set to the maximum value, you'd just brick that node; that node will just be ignored from then on. So pretty dangerous; obviously check the MIC first. Um, if the count, if you're replaying, um, that, using the same keystream, then you have the opportunity to XOR stuff out, because you got the same keystream being XORed; therefore if you XOR two encrypted messages and you know the plaintext of one you can get the plaintext of the
other. Duplicate keys is pretty obvious; there's big messages to say please don't use them, but it's up to you. Or again, guessable keys: um, if you're basing it off, you know, the MAC address or something equivalent, then, then it's possible to start just sending your own messages as an attacker. MAC-only messages: um, so we're, these are the, uh, network messages, change channel, do this, do that; only uses one of the keys, so again we actually, um, if we do get that one key then, then we're in, can actually do quite a lot of damage. The commands you can actually send, to mention some of these: you can get the status, you can change data rate,
transmit power, channel, or proprietary. Um, so yeah, potentially these messages are less secure, you're only using one key now, um, and there's a lot you could actually do to damage a system. Now that's really interesting, because some companies clearly don't get the fact that network keys by themselves are, um, sensitive. They, they've obviously assumed, well, yeah, but you've got an app session key and I don't know it, so it's fine. So The Things Network is a hobbyist thing, so totally fine, they're doing this, and this is in London as well, um, but for the hobbyist community you need to know the network session key that the network's going to use, so that's on their website. So anyone right now could
produce something to knock over, brick, any node that's currently on, uh, The Things Network in any country. Okay, the over-the-air signing: so when a node joins, we could try and do that as well. You know, we need to worry about, um, whether we could rejoin; if we can send it again, produce new nonces, get new session keys, you leave the actual node out in the dark because it's got the wrong ones, in the server we just think it's malicious and ignore it. Similarly, if we're able to guess the keys we can do a whole bunch of attacks on listening or start spoofing messages. Key management is not talked about at all in the specification, and
this is where some of the most interesting attacks are. You've got to have a server that the network server and potentially application servers can access to get those keys, to be able to decrypt and read the messages but also to send replies. Now that's a, potentially a single point of failure and a really critical asset that you want to worry about: who's got access to that database? What happens if that database was CryptoLocker'd? Your entire IoT network running on LoRa now doesn't work. It's, it's a really, really critical thing that you need to isolate away. The other thing is the device, uh, is the nodes themselves. We've had quite a play with these; I'll show you some of
the, the work we've done on this, uh, but physical attacks on these nodes: these nodes are going to be out in the city, they're in people's homes and their cars; you know, various, um, interested enthusiasts, hello, we'll probably pull them apart at some point and try and work out how they work. A LoRa is probably going to have something like this: the antenna, you're going to have your transceiver that does all the encryption and signing, so that's going to have all the keys in it, some kind of connection, the one I've got it's a UART connection, that goes to a microcontroller that then does all the sort of busy logic, that's sort of reading whatever measurement it is,
that's sort of producing a message, sends it to the LoRaWAN transceiver, and that's then gets sent out. So the nodes must have these keys; they should be unique per node, but would be an interesting one to test. Uh, this is the transceiver I've got here, um, so normally your microcontroller would connect in these pins and then you can actually use this to send stuff. So potentially we can steal the keys from the node; we could also try going after the firmware, because it must be parsing the, the PHY layer at least, or the microcontroller might be doing parsing on, on the actual application data that's being sent, so it could be interesting. So could we just pull the
keys out? What is this transceiver, what is this magical black box? Well, if we took the shielding off it you can actually see it's a PIC chip, PIC18LF, um, that's got debug ports, so we can connect our PICkit debugger to it, we can try and actually look how we pull the keys out. Have they set the registers correctly to stop attackers doing that? Yeah, actually, annoyingly, they have. One interesting thing is you can write to individual code blocks, so these PIC chips let you write to one sector and leave the rest of the code intact. You can, they have made a mistake on the flags, um, to set that one block can read the code
from another block. So if anyone's smart enough, and I would be interested to talk to you afterwards about this: can you write code, flash to one part of the block with some kind of NOP sled that then reads out the memory from the other sections, and then we throw that one away, get another device, write to another sector, and that way you'd get all four sectors of code out. Could be a good way of dumping the firmware. There's nothing in the, the datasheet to say there's any kind of protection against this or side-channel analysis. Um, these devices actually have a way of measuring current draw exactly to that, um, chip, so should be fairly
straightforward, um, to do, uh, power analysis to work out crypto, unless they're using a secure AES library. Maybe we can go far, far cheaper and dirtier. If this, we, if the server, the network server, the application server, is just expecting data back and then putting it into a database, we have all the classic network attacks: injection. I actually put together a demo that does cross-site scripting through this, because these values are just being displayed in the engineer's web app. So if we just replace the microcontroller part we can just send anything I want, and the great thing about that is, if the transceiver has the keys, it will just start encrypting and signing it for us, very, very
useful. So we need to worry about those. Obviously internet-facing components are pretty straightforward; chances are it's going to look like that. That is the, uh, implementation for several of these solutions: these gateways are just talking out, 3G dongle, out over the internet to a web service. That web service, again, single point of failure: what happens if you just DDoS'd it? You know, suddenly the nodes wouldn't be able to communicate anymore; it's pretty big fault. Um, we could start looking at brute force attacks against the MIC, but 4.3 billion messages you'd have to send is probably a little bit extreme. So probably something you'd want is more like a private APN; you can then
actually VPN to make sure that only the gateways are going to talk to the web services again you then might need to worry about what's the physical security of these gateways if they have assets like this Class B is where things really start falling apart a little bit on LoRa security um essentially to be able to send a broadcast you need to share keys um and the LoRa specification just straight up said like um we don't really know how you're going to do this we just kind of support that you can so please when you're going to send a broadcast magically change all of your nodes' app keys and network keys to be the same
because we're going to send the same message to all of them and then please magically change them back again so they said they're not allowed to send MAC messages using this but again entirely up to you how you've implemented that so Class B generally is be careful uh multicast messages yeah good luck trying to do that securely it's going to be really really tricky gateway beacons get properly interesting because there is no security on them gateway doesn't have any keys it can't do any signing can't do any encryption they're going to be sending their GPS coordinates and um a sort of a network time to all of the nodes so first of all for an attacker
that's very easy to wardrive because you've got the GPS coordinates of all the gateways that potentially have a secure connection back to the server the other interesting thing is that the nodes are using these um values and I've seen some sort of Stack Overflow type chats about it everyone's actually now just setting the node system time to be the message sent by the gateway okay I've just received a message it's currently 12:00 noon set the time to that no encryption or authentication so I have no idea what would happen if you just start sending you know first of January 1970 to these things so in summary having read through this I think it is perfectly possible to build a
secure LoRa network there's a lot of onus on you to put the spec properly and to implement the spec properly um that was obviously ridiculously quick going through this the spec is pretty big um so what we did was put together a white paper on this so if you're interested in this that's freely downloadable from our website it goes through each of these um areas in far more detail and the test cases in far more detail as well the last thing I want to do um is to say obviously we were looking at um I can do this uh producing tools so one thing I wanted to do was say well okay if you can get gateways to
gateways are just packet sniffers we don't have to do any kind of software-defined radios on this because we the PHY layer is black box but what we could do is take a gateway just have it record every packet it ever sees um and then we can use that to try and inspect to work out what information is being leaked we could actually maybe test the keys that we've stolen off a device or a server so hopefully this is all still running so I've got a gateway here um and what we can do is I'll just send a message from a node I think this is something like AAA so I'm just setting it all up I'm just
going to make it go through ABP and quickly sign up and the gateway is going to listen now this node I've set to just use a key of all zeros and that's sent the message and our nice little web interface in front end we can actually now inspect and start parsing this traffic so okay it was sent at 1037 yeah it was um so I get all this information which bandwidth which um port it's going to so that's do the application I can then look at that encrypted payload as well and if I know that the key is all zeros in this case um okay that's just random data on that one let's have a
look okay so obviously you're going to pick up random messages as well interestingly this is going to be picking up every message I've just realized and we're currently in London so that might have been an actual LoRa system in use cool see we can this one no that's someone else's system as well live demos you've got to love um okay I can try and somewh later on if you're interested in this kit I'll have it around for the rest of the day um but it's essentially using a node so we can generate our own messages um and sort of hand set all the keys so we can start trying to inject messages into a network
we also have a gateway so we can go wardriving uh or actually try and passively decrypt and read these messages that's everything I wanted to cover um does anyone have any questions