Wireless & IoT protocols & their security tradeoffs
In the race for time-to-market in the Internet of Things (IoT), proper security is inconvenient because it adds development and component cost and design complexity. While many traditional industries have not been exposed to security issues, they suddenly become hacking targets when their products become smart and connected.
The issue is that bad press and major security and privacy issues might slow down the adoption of IoT for improving our lives. Many end users are already skeptical to connect simple devices we rely on in our everyday lives. And security researchers are calling IoT a catastrophe waiting to happen. In fact, a number of highly publicized hacks have already occurred, so one could argue that the catastrophe is already on its way.
The challenge of commissioning
The Adversary: “Eve”
Let’s begin by reviewing some models of an attacker – or adversary – during device commissioning – the adding of a device to a network. In particular, a passive attacker is an adversary that only listens to all communications, without blocking, modifying, or resending data.
More powerful is an active attacker, who will block, modify, or resend data. One of the most common attacks is the man-in-the-middle (MITM) attack as shown in Figure 1. Using standard naming conventions, let’s call the legitimate communicating parties “Alice” and “Bob”, and let’s call the eavesdropper “Eve”. In the MITM attack, Eve intercepts all traffic between Alice and Bob. So when Alice assumes she is communicating with Bob, she is in reality communicating with Eve, and likewise, when Bob thinks he is communicating with Alice, he is communicating with Eve.
Security of wireless links
To secure a wireless (or wired) link, it is necessary to distribute a secret key between Alice and Bob. In this context, secret also implies that it would be infeasible for Eve to guess the secret key or to conduct a brute force attack by trying all key combinations. We will refer to this key as the link key (although for some network topologies it is a network or mesh key since it is shared by more than two parties).
The crux of securing a wireless link is to distribute the link key. This typically happens during the commissioning step, where the device is associated with the wireless network. The commissioning device is the device that wants to join the network, and the onboarding device is the device it communicates with to do so, typically a gateway. It is worth noting that different wireless protocols and standards have different terms for these devices.
Key distribution schemes based on public key cryptography provide strong primitives to do this securely and efficiently, but authentication is still necessary to avoid MITM attacks. Typically, strong authentication requires either action by the user, or infrastructure and operations on the side of the device maker. The former approach might also put requirements on the device interfaces, while the latter might put requirements on online connectivity for the end device. For many applications, these requirements might be unacceptable.
Types of Commissioning Schemes
In general, there are three categories of commissioning schemes:
In this category, the commissioning and key exchange typically happens without authentication. The link key can be sent in the clear, encrypted using a well-known key (equivalent of in the clear), or distributed via public key based key exchange. If the key is sent in the clear (or encrypted with a well-known key), the security is compromised by passive eavesdropping during the time of commissioning. If it is distributed via a public key-based key exchange, the attacker does not compromise security through passive eavesdropping, but rather needs to perform active eavesdropping and MITM. Hence, this raises the security significantly.
There are ways to strengthen the security even further for all key negotiation mechanisms and commissioning schemes, but they are particularly relevant for the permissive commissioning schemes due to their lack of other security mechanisms. One common scheme is to perform a received signal strength indicator (RSSI) measurement to enforce physical proximity between the commissioning device and the onboarding device. This is not a bulletproof countermeasure, since one can assume that the adversary has access to sensitive antennas and powerful transmitters. In practice, it does raise the bar for the adversary, especially since the power at a given distance from the antenna scales with the square of the distance.
Rather than physical proximity, one can also use temporal proximity. This is accomplished by pushing a button on one or more devices, and only allowing commissioning to take place for a period of time after entering commissioning mode. This shortens the window where the system might be vulnerable to an attacker.
Wrapping up the security discussion of permissive commissioning, there is one threat that needs extra attention. In the permissive scheme, the device maker accepts risk during the time of commissioning, and relies on the absence of passive or active eavesdropping at this time. In practice, several wireless protocols allow an attacker to force devices into commissioning mode, typically by blocking their communication over an extended time period. If the protocol does not automatically go into re-commissioning, it is likely that the user could re-commission devices if they behave erratically. The first step in most troubleshooting guides is to perform a factory reset. If an adversary can start commissioning at will, this significantly lowers the practical security of permissive commissioning schemes.
There are several major benefits of the permissive commissioning schemes. First, they typically minimize the user effort and interaction. This is why Bluetooth calls its permissive scheme “Just Works.” The schemes minimize device cost, because there are minimal interface and component requirements for the commissioning scheme. There are also no operational complications to pre-install keys or certificates, nor any back-end databases. The scheme also works completely offline, with no communication requirements on either the commissioning device or the onboarding device. For these reasons, permissive schemes are both popular and very common in IoT devices.
In this category, the commissioning device and the onboarding device authenticate using a secret and identical key. Recursively, we may now ask how this key is distributed. The key is typically entered into one of the devices by the user. Compared to permissive schemes, two drawbacks are immediate: shared key schemes require user interaction, and they require user interfaces.
In terms of security, in general, the more difficult it is to guess the key for the eavesdropper Eve, the more secure the scheme is. This advocates for long keys. At the same time, long keys are typically cumbersome to enter, and put further requirements on the interface.
There are a few ways to achieve high security with short keys. One example is using the J-PAKE protocol at the cost of processing time and power. Also, when the commissioning uses public key cryptography to do key exchange, it is necessary for the adversary to do MITM attacks and as such break the authentication scheme in a reasonable time. Therefore, it might give adequate security if a brute-force attack on the authentication would require “only” days, since the attacker would have to perform the attack in seconds.
Another option is to simplify the interface. One example is to have long keys, but make efficient ways of entering the keys. One example is the use of QR-codes to encode the keys.
The operational complexity of the shared key schemes varies. In particular, one of the devices might be without an interface, and require pre-installed, unique keys. These will later be entered into the onboarding device. This would require mechanisms to generate and distribute these keys during manufacturing. Furthermore, the packaging or devices are typically labeled with these keys, as in the case with QR-codes, and this also introduces operational complexity.
To summarize, shared keys offer better security, but also more user interaction compared with the permissive schemes.
Certificate-Based Commissioning Schemes
In this category, not only is the key exchange authenticated, but it is authenticated using public key cryptography primitives, which are typically referred to as certificates. Let’s refer to this category as certificate-based commissioning schemes.
The biggest benefit of these schemes is security of the commissioning process itself, as well as flexibility. With certificates installed in every device, it is up to the farther infrastructure to distribute keys and grant rights to the devices. The schemes can be made without requirements of user interaction, or any requirements for a user interface.
The biggest challenges of certificate-based schemes is in the operational backend of distributing and managing keys and certificates. Furthermore, they typically require device connectivity or semi-connectivity. The latter means that even though the device does not need to have live connectivity with the backend database at the time of commissioning, typically the on-boarding device will require connectivity at some time after device manufacturing but before commissioning.