Internet of Things

Lecture 8 - Standardized Security Solutions for IoT

Main Challenges

• Very large attack surface and widespread deployment
• Limited device resources
• Security by design was not a top priority
• Focus on reduced energy consumption, reduced size, scalable protocols
• Lack of expertise
• Applying security updates
• OTA firmware update

2

Lecture 8 - Standardized Security Solutions for IoT

Security Requirements

• CIA security model
• Confidentiality
• ensure that only the intended receiver can read/interpret a message
• unauthorized access is prevented
• Integrity
• unauthorized individuals should not be able to destroy/alter message
• Availability
• ensure that system/network is able to perform its tasks without interruption
• often measured in terms of percentages of up/down time

3

Lecture 8 - Standardized Security Solutions for IoT

IoT Stack - Security Solutions

4

Lecture 8 - Standardized Security Solutions for IoT

IEEE 802.15.4

IEEE 802.15.4 Security

6

Source: M Shila, Devu & Cao, Xianghui & Cheng, Yu & Yang, Zequ & Zhou, Yang & Chen, Jiming. (2014). Ghost-in-the-Wireless: Energy Depletion Attack on ZigBee.

Lecture 8 - Standardized Security Solutions for IoT

IEEE 802.15.4 - Data integrity

• Message Authentication Code - MAC (aka MIC)
• Computed based on the message and pre-shared secret key
• MAC sent with the message
• Receiver recomputes and verifies MAC
• AES-CBC-MAC and AES-CCM with 3 MAC lengths
• 32, 64, 128 bits

7

Lecture 8 - Standardized Security Solutions for IoT

IEEE 802.15.4 - Data confidentiality

• Encryption
• Semantic security using a nonce
• Counter or random value
• Differentiate between similar or identical messages
• Sent in the packet, in plaintext
• AES-CTR and AES-CCM
• 13 bytes nonce
• Source address (8 bytes) + frame counter (4 bytes) + security control field (1 byte)

8

Lecture 8 - Standardized Security Solutions for IoT

IEEE 802.15.4 - Replay Protection

• Anti-replay protection
• Frame counter
• Incremented at each message
• Receiver rejects msgs with smaller sequence numbers
• Efficiency based on counter roll over
• 32 bits counter
• Part of nounces

9

Lecture 8 - Standardized Security Solutions for IoT

IEEE 802.15.4 - Access Control

• Access control list (ACL)
• List of valid devices
• Verify source address of packets
• Only packets from valid sources are forwarded
• Easily bypassed by spoofing attacks
• Node pretends to be another valid node

10

Lecture 8 - Standardized Security Solutions for IoT

CoAP + DTLS

CoAP + DTLS

• DTLS - transport layer security
• end-to-end security
• data confidentiality, integrity, authentication
• non-repudiation, anti-replay protection
• similar to TLS, but over UDP
• CoAP with DTLS support

12

Lecture 8 - Standardized Security Solutions for IoT

CoAP + DTLS

• Provisioning phase
• Device identifiers are collected
• Identifiers list => ACL
• Devices receive keys and ACL

​

• 4 security modes: NoSec, PreSharedKey, RawPublicKey, Certificates
• NoSec - no DTLS, just UDP

13

Lecture 8 - Standardized Security Solutions for IoT

CoAP + DTLS

• PreSharedKey
• pre-programmed with symmetric shared keys
• each device has a list of shared keys
• keys used to communicate with other nodes/groups of nodes
• DTLS in PSK mode
• TLS_PSK_WITH_AES_128_CCM_8 cipher suite

14

Lecture 8 - Standardized Security Solutions for IoT

CoAP + DTLS

• RawPublicKey
• pre-programmed with asymmetric key pair
• node identity - public key
• list of nodes to communicate
• keys compatible with ECDSA
• SHA-256 for hashing
• TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 cipher suite

15

Lecture 8 - Standardized Security Solutions for IoT

CoAP + DTLS

• Certificates
• asymmetric keys
• X.509 certificate signed by trust root
• devices have a list of trust anchors to validate certificates
• device authentication - signature (ECDSA and SHA-256)
• key agreement using ECDHE
• TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 cipher suite

16

Lecture 8 - Standardized Security Solutions for IoT

CoAP + DTLS

• ECC used in 2 security modes
• strong security
• small keys
• less processing power
• ECC with 160 bit keys ~ RSA with 1024 bit keys
• ECC is 15x faster
• suitable for IoT

17

Lecture 8 - Standardized Security Solutions for IoT

Wi-Fi

Wi-Fi

• More and more used in IoT
• Security protocols: WEP, WPA, WPA2, WPA3
• Krack attack for WPA2
• replay attack
• vulnerability in the 4-way handshake
• continuously retransmit the 3rd message => reset key
• key is exposed
• WPA3 is recommended

19

Lecture 8 - Standardized Security Solutions for IoT

Wi-Fi - WEP

• Encryption - RC4 stream cipher (xor)
• Open authentication - no credentials, only encryption
• Shared key authentication - authentication(user/pass) + encryption (64/128b keys)
• Device authentication - 4-step challenge-response handshake
• CRC32 for integrity
• Easy to compromise
• Deprecated since 2004

20

Lecture 8 -- Standardized Security Solutions for IoT

Wi-Fi - WPA

• RC4 stream cipher
• TKIP - obtain keys
• Dynamically generated keys for each packet
• 256 bit keys
• MIC for integrity - Michael

21

Wi-Fi - WPA2

• AES-CCMP for encryption
• 128 bit keys
• TKIP - only for compatibility with WPA
• 4 phases to create secure communication

1. C&AP agree on security policy

2. generate master key

3. generate temporal keys

4. use CCMP & temporal keys for data integrity & confidentiality

22

Lecture 8 - Standardized Security Solutions for IoT

Wi-Fi - WPA2

• WPA2-Personal
• PSK for authentication
• shared key introduced by user on the client
• WPA2-Enterprise
• 802.1X - username/password or certificate
• Server AAA (RADIUS) - centralized authentication
• EAP to send authentication messages
• Personal supports TKIP, Enterprise does not
• Personal for homes, Enterprise for companies

23

Lecture 8 - Standardized Security Solutions for IoT

Source: https://www.comparitech.com/blog/information-security/wpa2-aes-tkip/

WiFi - WPA3

• SAE for authentication
• improves the security of initial key exchange
• better protection against offline dictionary-based attacks
• better security even when a simple password is used
• variation of dragonfly handshake
• replacement for PSK
• WPA2 - KRACK attack

24

Lecture 8 - Standardized Security Solutions for IoT

WiFi - WPA3

• SAE for authentication
• considers devices as equals
• either device can initiate the handshake
• each device sends authentication info independently
• Krack and dictionary attacks cannot be applied
• forward secrecy
• password is changed for every connection

25

Lecture 8 - Standardized Security Solutions for IoT

WiFi - WPA3

• WPA3 Personal
• 128-bit encryption
• Authenticated encryption - AES-CCMP 128
• WPA3 Enterprise
• 128-bit mode
• Device authentication: EAP
• Authenticated encryption: AES-CCMP 128
• Key derivation: HMAC-SHA256
• Management frame protection: BIP-CMAC-128

26

Lecture 8 - Standardized Security Solutions for IoT

WiFi - WPA3

• WPA3 Enterprise Mode
• 192-bit mode
• Device authentication: EAP-TLS with ECDH and ECDSA
• Authenticated encryption: GCMP-256
• Key derivation: HMAC-SHA384
• Management frame protection: BIP-GMAC-256
• Stronger security
• Cannot be used on resource constrained devices

​

27

Lecture 8 - Standardized Security Solutions for IoT

BLE

Bluetooth Low Energy (BLE)

• Each connection has a Security Mode and a Security Level
• Pairing
• initiated by a central device -> peripheral device
• mutual device authentication
• encrypt traffic using short-term key (STK)
• distribute long-term keys (LTK)
• LTK saved for rapid reconnection (bonding)

29

Lecture 8 - Standardized Security Solutions for IoT

Bluetooth Low Energy (BLE)

• Encryption
• AES 128 with CCM mode (AES-CCM)
• LTK + AES-CCM => secret shared key (128b)

​

• Authentication
• digital signatures
• Connection Signature Resolving Key (CSRK)

30

Lecture 8 - Standardized Security Solutions for IoT

Bluetooth Low Energy (BLE)

• Generic Access Protocol (GAP)
• 2 security modes, each with multiple security levels
• each connection starts at mode 1 level 1
• update to another level depending on the authentication method
• the authentication method is decided during pairing

31

Lecture 8 - Standardized Security Solutions for IoT

BLE - Security Modes

• Security Mode 1
• Level 1: No Security
• Level 2: Unauthenticated pairing with encryption
• Level 3: Authenticated pairing with AES-CCM encryption
• Level 4: Authenticated LE Secure Connections pairing with encryption
• From Bluetooth 4.2
• ECDH and AES-CCM

32

Lecture 8 - Standardized Security Solutions for IoT

BLE - Security Modes

• Security Mode 2
• Level 1: Unauthenticated pairing with data signing
• Level 2: Authenticated pairing with data signing

​

• Mixed Security Mode
• support both Security Mode 1 and 2

33

Lecture 8 - Standardized Security Solutions for IoT

BLE - Pairing modes

• Pairing = authenticating the identity of 2 devices
• shared secret
• After that, link is encrypted and keys are distributed
• Keys are saved => Bonded devices, fast reconnect
• Pairing - 3 phases

34

Lecture 8 - Standardized Security Solutions for IoT

BLE - Pairing modes

• Phase 1:
• communicate capabilities in Pairing Request message
• capabilities:
• No Input No Output
• Display Only
• Display Yes/No
• Keyboard Only
• Keyboard Display
• determine the pairing method (phase 2)

35

Lecture 8 - Standardized Security Solutions for IoT

BLE - Pairing modes

• Phase 2:
• LE Legacy: generate Short Term Key (STK)
• using a Temporary Key + random numbers
• LE Secure Connections: generate Long Term Key (LTK)

​

• Phase 3:
• Generate LTK if it was not generated in phase 2 (Legacy)
• Generate other keys (CSRK, IRK)
• Distribute keys

36

Lecture 8 - Standardized Security Solutions for IoT

BLE - Legacy Pairing

37

Source: https://www.researchgate.net/publication/311611851_Exploiting_Bluetooth_Low_Energy_Pairing_Vulnerability_in_Telemedicine

Lecture 8 - Standardized Security Solutions for IoT

BLE - Pairing Methods

• Devices negotiate the Short Term Key
• 4 methods - depending on device capabilities
• Just Works, Passkey Display, Out of Band (OOB), Numeric Comparison

​

• Just Works
• key is generated on both sides
• based on the packets exchanged in plain text
• no protection against MITM

38

Lecture 8 - Standardized Security Solutions for IoT

BLE - Pairing Methods

• Passkey Display/Entry
• one device displays a randomly generated 6-digit passkey
• the other asks to enter the passkey
• no display -> enter the same passkey on both
• protection against MITM

39

Lecture 8 - Standardized Security Solutions for IoT

BLE - Pairing Methods

• Out of Band (OOB)
• data for generating the key is transmitted through other communication channel
• e.g. NFC
• protection against MITM

40

Lecture 8 - Standardized Security Solutions for IoT

BLE - Pairing Methods

• Numeric Comparison
• BLE 4.2
• LE Secure Connections Pairing
• ECDH for key generation
• New pairing method for key exchange
• LTK generated in phase 2 and used to encrypt messages

41

Lecture 8 - Standardized Security Solutions for IoT

BLE - Pairing Methods

42

BLE - Bluetooth 4.2

• New security model = LE Secure Connections
• ECDH for key generation
• public/private key pairs
• Security Manager
• protects against passive eavesdropping
• Numeric Comparison, Just Works, Passkey Entry, Out Of Band
• Protects against MITM attacks
• Numeric Comparison, Passkey Entry, Out Of Band

43

Lecture 8 - Standardized Security Solutions for IoT

Bibliography

• M Shila, Devu & Cao, Xianghui & Cheng, Yu & Yang, Zequ & Zhou, Yang & Chen, Jiming. (2014). Ghost-in-the-Wireless: Energy Depletion Attack on ZigBee.
• https://datatracker.ietf.org/doc/html/rfc3610
• https://www.krackattacks.com/
• https://www.wi-fi.org/discover-wi-fi/security
• https://www.grandmetric.com/2018/07/06/ended-wpa3-wi-fi-security-evolution/
• https://spectrum.ieee.org/everything-you-need-to-know-about-wpa3
• https://medium.com/rtone-iot-security/deep-dive-into-bluetooth-le-security-d2301d640bfc

44

Lecture 8 - Standardized Security Solutions for IoT