IoT Security Part II
Syllabus
This module will cover the following
• Defences for devices
• Hardware device security
• Security for embedded software
• Wireless and network security
We’ll look at example mechanisms for supporting security in each case, mentioning some previous attacks.
© 2020 Arm Limited
Defences for devices
Conceptualising end point defences
Firewall: “Keeping bad stuff out”
System Protection: “Keeping good stuff in”
Q. Why is this picture less accurate nowadays?
Pictures: Christian Collberg, by kind permission
PATE and R-PATE attacks on system trust
Person-At-The-End: where an adversary has physical access to a device and compromises it by inspecting, reverse engineering or tampering with its hardware or software, breaking trust in the device.
Remote-Person-At-The-End: where untrusted clients communicate with trusted servers over a network, a malicious user can get an advantage by compromising an untrusted device, breaking trust in the system.
Goals of Person-At-The-End Attacks
PATE
Attacks on device controls targeting device(s).
1. Malicious reverse engineering
2. License check removal, DRM key extraction
3. Protocol discovery
4. Stealing currency from a crypto-wallet
R-PATE
Using attacks on device and network controls, targeting trust in distributed system.
1. Accessing/changing distributed medical records
2. Attacking wireless sensor networks
3. Hacking smart meters to disrupt supply
4. Stealing from a cryptocurrency exchange
In both cases, we need security mechanisms which help protect devices as well as their communications.
Hardware security for devices
Building on Physical Roots of Trust
Fig. 1.1 Relations between information security, cryptography, physical security and physical roots of trust.
Picture from Roel Maes, Physically Unclonable Functions, Springer 2013.
One-Time-Programmable (OTP) memory
Permanently programmed memory cells with strong security (state-of-the-art today).
Access tightly controlled, difficult to reverse engineer.
Programmed during IC or subsequent system manufacturing.
With some, it is possible to destroy stored keys in response to tamper attempts.
Secure key injection typically used to deploy randomly generated keys.
From hardware security modules to trusted execution
Build on secure and OTP memory to provide cryptographic features inside a hardware boundary.
Secure master keys give a “root of trust”. This can be used to provide a Trusted Execution Environment (TEE) for CPUs.
• Secure boot, checking loaded software integrity
• Run only authorized applications
• Introduce isolated regions of memory (enclaves) for confidentiality.
State-of-the-art for secure operating system kernels.
Builds on particular manufacturer’s implementations (Intel SGX, Arm TrustZone).
[Figure: representation of a cryptographic module and its cryptographic boundary, as defined in FIPS 140-2]
Physically Unclonable Functions (PUFs)
Provide a security primitive based on hardware.
Rely on physical disorder or designed variation: mass produced devices have intrinsic small physical variations which can be measured.
Idea: provide a way to respond to multi-bit challenge, e.g., to measure a combination of delay differences selected via a multiplexer.
For n stages we get 2^n challenge-response pairs.
Exact table unique to chip, access to measurement is restricted.
Want to ensure properties like: variability, reliability, uniformity, tamper resistance, unclonability.
2.4 The Origins of Physical Disorder in Integrated Circuits
In principles, integrated circuits are synthetic; therefore, it should be possible to design out all irregularities in their shapes or structures, however; this is not the case in the vast majority of modern chips, and the reason for this is variability. The latter refers to the inaccuracies in manufacturing processes and within-die voltage-temperature variations that lead to fluctuations in circuit performance and power consumption [8]. It arises from scaling very large-scale integrated (VLSI) circuit technologies beyond the ability to control specific performance-dependent and power-dependent parameters. Two sources of variations can be identified [9, 10], environmental factors, which include variations in power, supply voltage, operation temperature and degradation in the electrical parameters of devices also known as “aging”. Second, physical factors which include variations in the dimensions and the structures of the fabricated devices. Although environmental factors may lead to fluctuations in the electrical parameters of an integrated circuit, they do not cause physical disorder; therefore, they will not be discussed further in
Fig. 2.2 Physical disorder of integrated circuits
2.6 Delay-Based PUFs
These structures transform process variations into a measurable delay figure, and the latter is converted into a binary response. Initial designs of PUF circuits have all been based on this structure, there are many examples of such constructions in the literature, including arbiter-based circuits [1, 20–22], ring oscillator designs [23–31] and those based on asynchronous structure [31]. We will discuss examples of these constructions in the following subsections.
2.6.1 Arbiter PUFs
Let us consider the arbiter-based structure shown in Fig. 2.6; it consists of two digital paths with identical nominal delay and an arbiter. When an input signal is
Fig. 2.6 A single challenge arbiter PUF
Pictures from: Physically Unclonable Functions, Basel Halak, Springer 2018.
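An added example (not from the slides or the cited books): a simulation of an n-stage arbiter PUF under the additive delay model, measuring three of the properties listed above (uniformity, variability between chips, reliability). The Gaussian stage delays, the noise level and the chip and challenge counts are assumptions chosen for illustration.

```python
import random

N_STAGES = 64  # n stages give 2**n possible challenges

def make_chip(rng, n=N_STAGES):
    """One chip = n+1 delay-difference weights (assumed Gaussian process variation)."""
    return [rng.gauss(0.0, 1.0) for _ in range(n + 1)]

def features(challenge):
    """phi[i] = product of (1 - 2*c[j]) for j >= i; phi[n] = 1 (arbiter offset)."""
    phi = [1] * (len(challenge) + 1)
    for i in range(len(challenge) - 1, -1, -1):
        phi[i] = phi[i + 1] * (1 - 2 * challenge[i])
    return phi

def respond(chip, challenge, rng=None, noise=0.0):
    """Arbiter decision: sign of the accumulated delay difference between the paths."""
    delta = sum(w * p for w, p in zip(chip, features(challenge)))
    if rng is not None:
        delta += rng.gauss(0.0, noise)  # measurement noise (temperature, voltage)
    return 1 if delta > 0 else 0

def hamming_fraction(a, b):
    return sum(x != y for x, y in zip(a, b)) / len(a)

def evaluate(n_chips=8, n_challenges=400, noise=0.3, seed=2020):
    rng = random.Random(seed)
    chips = [make_chip(rng) for _ in range(n_chips)]
    challenges = [[rng.randint(0, 1) for _ in range(N_STAGES)]
                  for _ in range(n_challenges)]
    ref = [[respond(c, ch) for ch in challenges] for c in chips]
    noisy = [[respond(c, ch, rng, noise) for ch in challenges] for c in chips]
    pairs = [(i, j) for i in range(n_chips) for j in range(i + 1, n_chips)]
    return {
        # fraction of 1 bits: ideal 0.5
        "uniformity": sum(map(sum, ref)) / (n_chips * n_challenges),
        # mean distance between different chips on the same challenges: ideal 0.5
        "uniqueness": sum(hamming_fraction(ref[i], ref[j]) for i, j in pairs) / len(pairs),
        # mean distance between repeated reads of the same chip: ideal 0
        "bit_error_rate": sum(hamming_fraction(r, m) for r, m in zip(ref, noisy)) / n_chips,
    }

if __name__ == "__main__":
    print(evaluate())
```

A non-zero bit error rate is why deployed PUFs pair the raw response with error correction before it is used as key material.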
Hardware attacks and side channels
Fault attacks use glitches in power, signals, temperature to cause hardware to misbehave, perhaps exploitably
• clock glitching: CPU may skip instructions
• with clever/repeated use, can extract keys etc.
• Row Hammer: DRAM bit-flips, “hammering” adjacent rows
Side channels use simultaneous observing/manipulating processes to infer sensitive data
• electrical side channels monitor power usage
• CPU architectural side channels exploit speculative/out-of-order execution and cache behaviour to break isolation
Sensor transduction attacks are physical attacks on sensors which cause faulty/phantom readings.
https://en.wikipedia.org/wiki/Row_hammer
https://meltdownattack.com/
https://github.com/USSLab/DolphinAttack
Software security for devices
Secure coding
Essential “good hygiene” for modern programming:
1. All software has bugs
2. Some bugs may be security vulnerabilities
3. Some vulnerabilities may be exploitable
Can use mixture of testing and code analysis to help find mistakes.
Better technology eliminates worst classes of problems (e.g., HLLs which prevent buffer overflow).
Number 1 lesson: always check your inputs!
Q. Why?
Asymmetric encryption (reminder)
Also known as public key encryption
• Sender uses public key of recipient to encrypt
• Recipient uses own private key to decrypt
• Avoids the challenge of pairwise key distribution
• Easy to generate public key from private key but extremely difficult to guess private key
• But need trustworthy mechanism for sharing public keys
• Full PKC infrastructure needs certificates (signed public keys), starting from roots of trust.
Code signing for program integrity and authentication
• Enables devices to check whether, for example, a firmware update can be trusted
• Cryptographic hash generated to confirm code authenticity and integrity
• Key idea: map data of any size to a fixed size cryptographically secure hash.
• Public-key-infrastructure (PKI) used to provide assurance about who signed code (sign the hash).
• The code signature includes a certificate issued by a certificate authority (CA).
Q. What modes of attack are possible here which would undermine code signing?
Automated Exploit Generation
Making sure all code is secure is difficult and costly. Would like to focus on eliminating exploitable bugs.
Automatic Exploit Generation is a technique to help do this.
• start from likely vulnerable code, binary/source
• work outwards towards program inputs
• fuzzing, path constraints, symbolic execution
Like most security technologies, can be used by the “black hats” as well as “white hats”…
Network and wireless security
Physical layer security for wireless communications
Data confidentiality is particularly important in wireless communications, since the transmission medium is inherently broadcast (anyone can listen)
Wi-Fi is the most popular wireless technology and employed in a range of IoT scenarios.
Wired Equivalent Privacy (WEP) and Temporal Key Integrity Protocol (TKIP) were used historically, but were shown to have flaws and replaced with Wi-Fi Protected Access II (WPA2).
The latest Bluetooth specification relies on an Elliptic Curve Diffie Hellman (ECDH) key agreement protocol and connections are subsequently secured with AES
Secure channels and symmetric crypto (reminder)
A secure channel provides message confidentiality and integrity.
• Encryption: transforms plaintext message into cipher-text using a key and algorithm.
• Main algorithms use permutation and substitution operations.
• Hard for attacker intercepting to find key
• Attackers may be active (can alter messages) or passive (only observe)
Advanced Encryption Standard, AES (reminder)
The main standard for symmetric cryptography (bulk data transfer/storage).
An instance of Rijndael cipher, using matrix transforms for substitution and permutation.
Works with 128-bit square blocks arranged in 4×4 matrixes of bytes. A sequence of transformations perform key addition, linear mix, and non-linear transform.
Multiple rounds, whose number is determined by key size (10 rounds for 128 bits).
Standard, well-tested library implementations exist, also hardware implementations.
Transport layer security, TLS (reminder)
Provides encryption, authentication, and data integrity to applications
• Peers agree on TLS protocol version and choose cipher suites via three-way handshake
• Both may authenticate their identity based on established chain of trust
• Session identifier sent as part of ServerHello message during TLS negotiation
• Chain of trust used to verify the identity of parties (via PKC, X.509 certificate authorities)
• Once a shared secret is established, this is used as a symmetric key to encrypt all TLS records.
• Each message signed with a Message Authentication Code (MAC)
Wired Equivalent Privacy (WEP)
• Introduced in 1997 with the goal of providing confidentiality comparable to that in wired networks
• In essence WEP employs a stream cipher to hide plaintext information. Main idea:
• Each bit of the message is XOR-ed with a bit of a pseudorandom stream, the keystream
• Keystream generated using shift registers initialised with a random seed
• Vulnerable to attacks if the same seed used twice
• Keystream obtained by concatenating 40/104-bit key with 24-bit initialisation vector (IV)
• CRC-32 used for integrity check
WEP’s weakness
• IVs transmitted in plain text (to avoid repetitions)
• Uses Rivest Cipher 4 (RC4) stream cipher – simple and fast, but subject to several vulnerabilities
• With 24-bit IVs, repetitions do not occur that often (attacks by passively sniffing packets take fairly long)
• ARP request attack – artificially generate responses that help gathering IVs fast – can crack the key in minutes.
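An added example (not from the slides) of why the seed must never repeat: WEP framing is rebuilt with RC4 seeded by IV || key and a CRC-32 check value, and two frames sent under the same IV are compared. The key, IVs and sensor payloads are constructed sample values, and `reused_ivs` is a hypothetical monitoring helper.

```python
import struct
import zlib

def rc4_keystream(seed, n):
    """RC4: key scheduling over the seed, then n bytes of keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(key, iv, plaintext):
    """Frame = IV in the clear || RC4(IV || key) XOR (plaintext || CRC-32)."""
    body = plaintext + struct.pack("<I", zlib.crc32(plaintext))
    return iv + xor(body, rc4_keystream(iv + key, len(body)))

def wep_decrypt(key, frame):
    iv, body = frame[:3], frame[3:]
    clear = xor(body, rc4_keystream(iv + key, len(body)))
    data, icv = clear[:-4], clear[-4:]
    if struct.pack("<I", zlib.crc32(data)) != icv:
        raise ValueError("integrity check failed")
    return data

def reused_ivs(frames):
    """Monitoring check: IVs that appear on more than one captured frame."""
    seen, repeated = set(), set()
    for frame in frames:
        iv = frame[:3]
        (repeated if iv in seen else seen).add(iv)
    return repeated

# Constructed sample traffic: a 40-bit key and two frames sent under the same IV.
KEY = bytes.fromhex("0102030405")
P1, P2 = b"temperature=21.5", b"temperature=97.0"
F1 = wep_encrypt(KEY, b"\x00\x00\x01", P1)
F2 = wep_encrypt(KEY, b"\x00\x00\x01", P2)
F3 = wep_encrypt(KEY, b"\x00\x00\x02", P1)

def keystream_cancels():
    """With a repeated seed the keystream drops out: C1 XOR C2 == P1 XOR P2."""
    return xor(F1[3:3 + len(P1)], F2[3:3 + len(P2)]) == xor(P1, P2)
```

Because the secret key is fixed and the IV is the only per-frame input, every IV repeat is a seed repeat, which is why later designs moved to per-packet keys and larger nonces.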
WEP improvements
• Implement an additional layer of security on top of the link layer (IPsec, HTTPS, etc.) where possible (recommended anyway).
• In 2013, IEEE proposed an amendment to the standard (802.11i) that defined Wi-Fi Protected Access (WPA) to replace WEP
• Main ideas:
• Continue using the RC4 cipher, but
• Employ a per-packet key using the Temporal Key Integrity Protocol (TKIP)
• Combine the IV with a secret root key and add a rekeying mechanism (change key periodically)
• Unfortunately, attacks against TKIP were possible by forcing rekeying and guessing ~14 bits
• Attack feasible in less than 20 minutes
Q. If we’re going to use additional layers of security, why do we need link-layer security anyway?
WPA2
• Two protocols defined for initial authentication:
• Via Pre-shared key (PSK) or
• Using an authentication server and the Extensible Authentication Protocol (EAP) with different authentication options (TLS, Protected EAP, etc.)
• After authentication, a shared secret key known as the Pairwise Master Key (PMK) is generated, derived from a password that is cryptographically hashed
• Four-way handshake used to
• enable the access point and client to prove to each other that they know the PSK/PMK, without disclosing the key
• establish a Pairwise Transient Key (PTK) that is used to encrypt the traffic
• AES then used to encrypt payload
Encryption principles (reminder)
Freshness
Problem: How to verify that a message was not already sent (replay attacks)
Possible solution:
Include a “token” in every message that is valid only for a limited duration T (e.g., 10 seconds)
Receiver keeps a message for T seconds, compares new messages to previous ones, and discards any duplicates
Messages with a known token that are older than T seconds will be ignored
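One way to implement the receiver described above, as an added example that is not part of the original slides. It assumes the token is a timestamp, that sender and receiver share a key and roughly synchronised clocks, and that an HMAC binds the token to the payload; the message layout and all names are hypothetical.

```python
import hashlib
import hmac
import struct

T = 10  # validity window in seconds, as in the slide's example

def make_message(key, payload, now):
    """Sender: timestamp token || HMAC-SHA256(timestamp || payload) || payload."""
    ts = struct.pack(">Q", int(now))
    return ts + hmac.new(key, ts + payload, hashlib.sha256).digest() + payload

class FreshnessChecker:
    """Receiver: remembers accepted messages for T seconds and drops repeats."""

    def __init__(self, key, window=T):
        self.key, self.window = key, window
        self.seen = {}  # MAC tag -> time at which the message expires

    def accept(self, msg, now):
        if len(msg) < 40:
            return "malformed"
        ts_raw, tag, payload = msg[:8], msg[8:40], msg[40:]
        expected = hmac.new(self.key, ts_raw + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad-mac"       # token or payload was altered
        ts = struct.unpack(">Q", ts_raw)[0]
        # Forget messages whose token has expired; this bounds the cache size.
        self.seen = {t: exp for t, exp in self.seen.items() if exp > now}
        if not (now - self.window < ts <= now):
            return "stale"         # older than T seconds (or from the future)
        if tag in self.seen:
            return "replay"        # duplicate inside the window
        self.seen[tag] = ts + self.window
        return "ok"
```

The two checks cover each other: the cache catches a replay inside the window, the timestamp catches one after the cache entry has been dropped. Identical payloads sent within the same second look like duplicates, so a sender would add a sequence number to the payload.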
WPA2 – Four-way handshake (IEEE 802.11i, 2004)
PMK: pairwise master key (determined by PSK or authentication server).
EAPOL-Key(): a type of message in the Extensible Authentication Protocol over LAN.
GTK: Group Temporal Key for Multicast
PTK: Pairwise Transient Key for channel data exchange.
Supplicant: Key (PMK) is Known, Generate SNonce
Authenticator: Key (PMK) is Known, Generate ANonce
Message 1 (Authenticator to Supplicant): EAPOL-Key(ANonce, Unicast)
Supplicant: Derive PTK
Message 2 (Supplicant to Authenticator): EAPOL-Key(SNonce, Unicast, MIC)
Authenticator: Derive PTK; If needed, Generate GTK
Message 3 (Authenticator to Supplicant): EAPOL-Key(Install PTK, Unicast, MIC, Encrypted GTK)
Message 4 (Supplicant to Authenticator): EAPOL-Key(Unicast, MIC)
Supplicant: Install PTK and GTK
Authenticator: Install PTK
IEEE 802.1X Controlled Port Unblocked
Figure 11c—Establishing pairwise and group keys
Upon successful completion of the 4-Way Handshake, the Authenticator and Supplicant have authenticated each other; and the IEEE 802.1X Controlled Ports are unblocked to permit general data traffic. See Figure 11c.
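The exchange above from both sides, as an added example that is not part of the original slides: the PMK is derived from the passphrase (WPA2-PSK), each side derives the PTK from the PMK, both addresses and both nonces, and the MICs show knowledge of the PMK without sending it. The SSID, MAC addresses, fixed nonces and simplified frame bodies are constructed stand-ins.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase, ssid):
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key, label, data, nbytes):
    """802.11i PRF: HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK binds the PMK to both MAC addresses and both nonces (48 bytes for CCMP)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:]}

def mic(kck, frame):
    """Message integrity code over an EAPOL-Key frame, keyed with the KCK."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

def four_way_handshake(ap_passphrase, client_passphrase, ssid="example-net"):
    # Constructed values: addresses and nonces are fixed so the run is repeatable.
    # Real nonces are random, and real MICs cover the full EAPOL-Key frame.
    aa, spa = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")
    anonce = hashlib.sha256(b"constructed anonce").digest()
    snonce = hashlib.sha256(b"constructed snonce").digest()
    ap_pmk = pmk_from_passphrase(ap_passphrase, ssid)
    sta_pmk = pmk_from_passphrase(client_passphrase, ssid)
    # Message 1: AP sends ANonce in the clear; the client derives its PTK.
    sta = derive_ptk(sta_pmk, aa, spa, anonce, snonce)
    # Message 2: client sends SNonce plus a MIC keyed from its PTK.
    msg2 = b"msg2|" + snonce
    msg2_mic = mic(sta["KCK"], msg2)
    ap = derive_ptk(ap_pmk, aa, spa, anonce, snonce)
    if not hmac.compare_digest(msg2_mic, mic(ap["KCK"], msg2)):
        return "AP rejects message 2: MIC mismatch"
    # Message 3: the AP's MIC proves to the client that the AP knows the PMK too.
    msg3 = b"msg3|install-ptk|" + anonce
    if not hmac.compare_digest(mic(ap["KCK"], msg3), mic(sta["KCK"], msg3)):
        return "client rejects message 3: MIC mismatch"
    # Message 4: client confirms; both sides install the same temporal key.
    return "keys installed" if sta["TK"] == ap["TK"] else "key mismatch"
```

Only the nonces and MICs cross the air, so the strength of a PSK network rests on the passphrase that feeds the PMK.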
The WPA2 KRACK exploit
Key Reinstallation Attack
• Client and AP prove to each other that they know the PMK, without disclosing it.
• WPA2 was mathematically proven safe… and used without issues for almost 15 years.
• Until 2017 when the KRACK attack was published – Linux and Android implementations were especially susceptible.
• Flaw: Client can be made to reinstall an all-zero encryption key when the third message is received a second time.
• A middleperson attack is needed for this (message replay)
See https://www.krackattacks.com/
WPA3
KRACK fixed in WPA3 (2018-, various RFCs). Additional features included:
Opportunistic Wireless Encryption – Replaces PSK with Diffie-Hellman key exchange, specific for each device
Simultaneous Authentication of Equals (SAE) – more secure pre-shared keys, yet easy to use (weak passwords)
Secure connection for devices with limited UI (e.g., without displays) – IoT
192-bit encryption in enterprise settings
Forward secrecy
Bluetooth Low Energy Secure Connections
Purpose: secure a connection between two Bluetooth devices. Several mechanisms with varying security before v4.2.
• Before 4.2, attacks to discover LTK were possible
• LTK: long-term key stored in device after pairing
• Previously, slave device randomly chose LTK
• Elliptic Curve Diffie Hellman (ECDH) used for key generation
• Three different phases:
• Phase 1: Pairing feature exchange (share UI methods available, preferences)
• Phase 2: Key generation method selection & authentication (DH key exchange, UI confirm protocol)
• Phase 3: Long term key (LTK) generation (AES 128 key based on nonces, device addrs, DH key)
New mechanisms rely more on recent standards.
Wireless sensor network attacks
Scenario: Wireless sensor networks
• Alice collects data
• Bob interferes with sensors or devices reading them.
Sensor networks are common in military scenarios.
The enemy can intercept/analyze/modify sensors.
[Figure: Alice reads sensors (Radioactivity? Chemicals? Troop movements?); Bob tampers with sensor nodes (CPU, Sensor, Wifi, Code)]
Q. What kinds of security defence mechanisms can you imagine here?
Summary
We looked at:
• Defences for devices
• Hardware device security
• Embedded software security
• Wireless and network security
For the complete IoT spectrum, we also need to consider security of cloud services (API end points, secure protocols, good authentication mechanisms, trustworthy platforms, etc).