Security Tradeoffs and Commissioning Methods for Wireless IoT Protocols
Many of the things we use on a daily basis are becoming smart and connected. The Internet of Things (IoT) will improve lives by helping reach our fitness goals, reduce resource consumption, increase productivity, and track and secure assets. Many embedded developers realize the potential benefits of the IoT and are actively developing various applications, from connected home devices to wearables to home security systems. However, along with these benefits come risks. No one wants to design an application that’s prone to hacking or data theft. One of the most complicated and crucial trade-offs in IoT security is the commissioning of wireless devices onto a network. This paper is a review of common commissioning methods and their security tradeoffs.
The Internet of Things (IoT) is often referred to as an industrial revolution. The number of connected devices will grow rapidly over the next few years. If there is any disagreement among analysts, it is in the number of billions of devices that will be connected. The value for society is estimated to be in the range of 4 to 11 trillion dollars. In the race for time-to-market, proper security is inconvenient because it adds cost: development cost, component cost, and complexity. At the same time, many traditional industries have not been exposed to security issues, but suddenly become hacking targets when their products become smart and connected. Finally, in many markets, having more security than your competitors is the key to not getting hacked. The issue is that bad press and major security and privacy issues might temporarily or permanently slow down the adoption of IoT for improving our lives. Many are already skeptical about connecting the simple devices we rely on every day. Security researchers are calling IoT a catastrophe waiting to happen. In fact, quite recently there have been a number of highly publicized hacks that are gaining wide attention, so one could argue that the catastrophe is already on its way.
The Challenge of Commissioning
The Adversary: “Eve”
Before discussing commissioning, let’s review some of the models for the adversary during the commissioning. In particular, a passive attacker is an adversary that only listens to all the communication, without blocking, modifying, or resending data. The more powerful attacker is the active attacker, who will block, modify, or resend data. One of the most common attacks that an adversary can do is the man-in-the-middle (MITM) attack, as shown in Figure 1. Let us use the standard naming conventions, and call the legitimate communicating parties “Alice” and “Bob”, and let us call the eavesdropper “Eve”. In the MITM attack, Eve intercepts all traffic between Alice and Bob. So when Alice assumes she is communicating with Bob, she is in reality communicating with Eve, and likewise, when Bob thinks he is communicating with Alice, he is communicating with Eve.
Figure 1. Passive vs Active Eavesdroppers and the Man-in-the-Middle Attack. RX: Receive. TX: Transmit. A: Alice – Legitimate Party. B: Bob – Legitimate Party. E: Eve – Eavesdropper Who Wishes to Intercept the Communication.
Security of Wireless Links
To secure a wireless (or wired) link, it is necessary to distribute a secret key between Alice and Bob. In this context, secret also implies that it would be infeasible for Eve to guess the secret key or to conduct a brute force attack by trying all key combinations. This key is referred to as the link key (although for some network topologies it is a network or mesh key since it is shared by more than two parties).
The crux of securing a wireless link is to distribute the link key. This typically happens during the commissioning step, where the device is associated with the wireless network. In this paper, the commissioning device is the device that wants to join the network, and the onboarding device is the device it communicates with to do so, typically a gateway. It is worth noting that different protocols and standards have different terms for these devices.
Key distribution schemes based on public key cryptography provide strong primitives to do this securely and efficiently, but still, authentication is necessary to avoid MITM attacks. Meanwhile, this is where the rubber hits the road in terms of security, and where real trade-offs need to be made. Typically, strong authentication requires either action by the user, or infrastructure and operations on the side of the device maker. The former might also put requirements on the device interfaces, while the latter might put requirements on online connectivity for the end device. For many applications, these requirements might be unacceptable.
Types of Commissioning Schemes
In general, there are three categories of commissioning schemes: permissive, shared key, and certificate-based.
In permissive commissioning schemes, the commissioning and key exchange typically happen without authentication. The link key can be sent in the clear, encrypted using a well-known key (equivalent of in the clear), or distributed via public key based key exchange. If the key is sent in the clear (or encrypted with a well-known key), the security is compromised by passive eavesdropping during the time of commissioning. If it is distributed via a public key-based key exchange, the attacker does not compromise security through passive eavesdropping, but rather needs to perform active eavesdropping and MITM. Hence, this raises the security significantly.
There are ways to strengthen the security even further for all key negotiation mechanisms and commissioning schemes, but they are particularly relevant for the permissive commissioning schemes due to their lack of other security mechanisms. One common scheme is to perform a received signal strength indicator (RSSI) measurement to enforce physical proximity between the commissioning device and the onboarding device. This is not a bulletproof countermeasure, since one can assume that the adversary has access to sensitive antennas and powerful transmitters. In practice, it does raise the bar for the adversary, especially since the received power falls off with the square of the distance from the antenna.
Rather than physical proximity, you can also use temporal proximity. This is accomplished by pushing a button on one or more devices, and only allowing commissioning to take place for a period of time after entering commissioning mode. This shortens the window where the system might be vulnerable to an attacker.
Wrapping up the security discussion of permissive commissioning, there is one threat that needs extra attention. In the permissive scheme, the device maker accepts risk during the time of commissioning and relies on the absence of passive or active eavesdropping at this time. In practice, several wireless protocols allow an attacker to force devices into commissioning mode, typically by blocking their communication over an extended time period. If the protocol does not automatically go into re-commissioning, it is likely that the user could re-commission devices if they behave erratically. The first step in most troubleshooting guides is to perform a factory reset. If an adversary can start commissioning at will, this significantly lowers the practical security of permissive commissioning schemes.
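The proximity and time-window checks above, together with the rule that lost connectivity must not reopen commissioning, can be expressed as a small admission policy. This is an added example, not code from the paper or from any protocol stack; the class name, the -45 dBm threshold, the 30 second window and the free-space path-loss model are assumptions chosen for illustration.

```python
import math
import statistics
import time


def expected_rssi_dbm(distance_m, rssi_at_1m_dbm):
    """Free-space model (assumption): power falls with distance squared,
    so every 10x increase in distance costs 20 dB."""
    return rssi_at_1m_dbm - 20.0 * math.log10(distance_m)


class CommissioningGate:
    """Admission policy for a permissive scheme (hypothetical names and values)."""

    def __init__(self, window_s=30.0, min_rssi_dbm=-45.0, min_samples=5,
                 clock=time.monotonic):
        self.window_s = window_s
        self.min_rssi_dbm = min_rssi_dbm
        self.min_samples = min_samples
        self._clock = clock
        self._open_until = None  # closed until a physical button press

    def button_pressed(self):
        """Temporal proximity: only a local, physical action opens the window."""
        self._open_until = self._clock() + self.window_s

    def link_lost(self):
        """Connectivity loss deliberately leaves the gate untouched: an attacker
        who blocks traffic must not be able to force commissioning mode."""
        return self.is_open()

    def is_open(self):
        return self._open_until is not None and self._clock() < self._open_until

    def admit(self, rssi_samples_dbm):
        """Return (accepted, reason) for a join request and its RSSI samples."""
        if not self.is_open():
            return (False, "window closed")
        if len(rssi_samples_dbm) < self.min_samples:
            return (False, "too few RSSI samples")
        # The median is harder to skew with one strong burst than max or mean.
        if statistics.median(rssi_samples_dbm) < self.min_rssi_dbm:
            return (False, "too far")
        self._open_until = None  # one join per button press
        return (True, "accepted")
```

The RSSI check remains a bar-raiser rather than a guarantee, as noted above: a transmitter with 20 dB more output at 10 m produces the same reading as a compliant device at 1 m under this model.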
There are several, major benefits of the permissive commissioning schemes. First and foremost, they typically minimize the user effort and interaction. As discussed later, this is why Bluetooth calls its permissive scheme “Just Works.” The schemes minimize device cost, because there are minimal interface and component requirements for the commissioning scheme. There are also no operational complications to pre-install keys or certificates, nor any back-end databases. The scheme also works completely offline, with no communication requirements on either the commissioning device or the onboarding device. For these reasons, permissive schemes are both popular and very common in IoT devices.
In shared key commissioning schemes, the commissioning device and the onboarding device authenticate using a secret and identical key. Recursively, we may now ask how this key is distributed. The key is typically entered into one of the devices by the user. Compared to permissive schemes, two drawbacks are immediate: shared key schemes require user interaction and user interfaces.
In terms of security, in general, the more difficult it is to guess the key for the eavesdropper Eve, the more secure the scheme is. This advocates for long keys. At the same time, long keys are typically cumbersome to enter, and put further requirements on the interface.
There are a few ways to achieve high security with short keys. One example is using the J-PAKE protocol at the cost of processing time and power. Also, when the commissioning uses public key cryptography to do key exchange, it is necessary for the adversary to do MITM attacks and as such break the authentication scheme in a reasonable time. Therefore, it might give adequate security if a brute-force attack on the authentication would require “only” days, since the attacker would have to perform the attack in seconds.
Another option is to simplify the interface: keep the keys long, but provide an efficient way of entering them. One example is the use of QR codes to encode the keys.
The operational complexity of the shared key schemes varies. In particular, one of the devices might be without an interface, and require pre-installed, unique keys. These will later be entered into the onboarding device. This would require mechanisms to generate and distribute these keys during manufacturing. Furthermore, the packaging or devices are typically labeled with these keys, as in the case with QR-codes, and this also introduces operational complexity.
To summarize, shared keys offer better security, but also more user interaction compared with the permissive schemes.
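The difference between an unauthenticated public-key exchange (permissive) and one authenticated with a shared key can be seen by simulating a commissioning run with and without an active Eve. This is an added example, not part of the original paper: the toy Diffie-Hellman group, the HMAC-based key confirmation and all function names are assumptions for illustration, and the install code is assumed to be a long random value (for instance 128 bits delivered via QR code).

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, for illustration only (assumption of this example).
# Real devices use ECDH from a vetted library.
P = 2**255 - 19
G = 2


def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def link_key(priv, peer_pub):
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def confirm_tag(install_code, sender, pub_a, pub_b):
    """MAC that binds the install code to the public keys this party saw."""
    msg = sender + pub_a.to_bytes(32, "big") + pub_b.to_bytes(32, "big")
    return hmac.new(install_code, msg, hashlib.sha256).digest()


def commission(code_device, code_gateway, mitm=False, authenticate=True):
    """Simulate one commissioning run and report what each party ends up with."""
    a_priv, a_pub = keypair()  # Alice: commissioning device
    b_priv, b_pub = keypair()  # Bob: onboarding device (gateway)
    e_priv, e_pub = keypair()  # Eve: only takes part when mitm=True

    # Public keys as delivered: an active Eve substitutes her own in both directions.
    seen_by_alice = e_pub if mitm else b_pub
    seen_by_bob = e_pub if mitm else a_pub

    accepted = True  # a permissive scheme accepts whatever arrives
    if authenticate:
        tag_a = confirm_tag(code_device, b"A", a_pub, seen_by_alice)
        tag_b = confirm_tag(code_gateway, b"B", seen_by_bob, b_pub)
        # Eve can relay these tags but cannot recompute them without the code,
        # and a relayed tag covers different public keys than the verifier saw.
        want_a = confirm_tag(code_gateway, b"A", seen_by_bob, b_pub)
        want_b = confirm_tag(code_device, b"B", a_pub, seen_by_alice)
        accepted = (hmac.compare_digest(tag_a, want_a)
                    and hmac.compare_digest(tag_b, want_b))

    key_a = link_key(a_priv, seen_by_alice)
    key_b = link_key(b_priv, seen_by_bob)
    eve_keys = {link_key(e_priv, a_pub), link_key(e_priv, b_pub)} if mitm else set()
    return {
        "accepted": accepted,
        "keys_match": key_a == key_b,
        "eve_knows_key": key_a in eve_keys or key_b in eve_keys,
    }
```

A plain MAC like this is only adequate for long codes, because a captured tag lets an attacker test guesses offline; for short, human-entered codes a password-authenticated exchange such as J-PAKE is needed, as described above.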
Certificate-Based Commissioning Schemes
In this category, not only is the key exchange authenticated, but it is authenticated using public key cryptography primitives. These are typically referred to as certificates. From this point, this category will be referred to as certificate-based commissioning schemes. The biggest benefit of these schemes is security of the commissioning process itself, as well as flexibility. With certificates installed in every device, it is up to the further infrastructure to distribute keys and grant rights to the devices. The schemes can be made without requirements of user interaction, or any requirements for a user interface.
The biggest challenges of certificate-based schemes are in the operational backend of distributing and managing keys and certificates. Furthermore, they typically require device connectivity or semi-connectivity. The latter means that even though the device does not need to have live connectivity with the backend database at the time of commissioning, typically the onboarding device will require connectivity at some time after device manufacturing but before commissioning.
Commissioning Schemes in IoT Protocols
This section contains a review of the standardized commissioning schemes in the most common IoT protocols. All of the protocols also support getting the link/network key from outside the protocol, also called out-of-band commissioning. Therefore, the topic of popular out-of-band schemes will be handled separately in the next section.
Wi-Fi is typically the IoT technology that most people have been exposed to and are familiar with. There have been a number of schemes to secure Wi-Fi connections over the years, such as WEP, WPA (Personal) and now the most common scheme, WPA2 (Personal). The schemes have evolved to counter various attacks that have been found. Common for all of these is that they are shared key commissioning schemes: the user has to enter the pre-shared key at the device. As discussed previously, the shared key schemes have usability drawbacks. In particular, it is necessary to have significant randomness in the key to prevent adversaries from using brute-force attacks. In practice, this means 16 or more character passwords.
To simplify the Wi-Fi commissioning process, the Wi-Fi Alliance introduced the Wi-Fi Protected Setup (WPS). For WPS, there is a mandatory 8-digit PIN entry method. This method should theoretically require 10^8 attempts for brute-force attacks, but due to weaknesses in the scheme, only 11,000 attempts are required. This is brute-forced within 24 hours. This renders WPS insecure, and as such, users are recommended to turn off WPS, and are left with long passwords. WPS also supports temporal, permissive commissioning by pressing a button on the onboarding device, but since the PIN method is mandatory, the button-press method is also disabled when WPS is disabled.
Wi-Fi also supports a more elaborate scheme called WPA “Enterprise” commissioning. One of the drawbacks of the “Personal” WPA schemes is that all devices share the same key. This means that they can decrypt all of the traffic on the network, and furthermore, removing a device from the network requires changing the key in all of the devices. WPA Enterprise is a certificate and/or shared-key-based commissioning scheme, which requires a server that contains certificates for all valid devices on the network. The benefit of this approach is that each device gets an individual link key. The biggest drawbacks of the Enterprise scheme are that it requires a backend, and that it typically requires a more elaborate UI to support both username and password. For this reason, many IoT devices do not support WPA “Enterprise”.
Bluetooth Low Energy
Bluetooth technology is often used to connect relatively simple devices to a mobile phone, either for communication with the mobile phone only, or to use the phone as an Internet gateway. The Bluetooth standard has evolved, and several versions have been released. Notably, Bluetooth version 4.2 significantly increased the security of the protocol by using public key based key exchange, and therefore requiring an attacker to perform MITM. That being said, the Bluetooth classic protocol does significant frequency hopping, and as such, hackers have reported that it is necessary to do active MITM to perform passive eavesdropping to control the frequency hopping. Therefore, such tools have been made easily available, and they also work on the most recent versions of Bluetooth low energy.
This paper will only discuss the commissioning methods that were introduced after version 4.2. Also, note that in Bluetooth language, commissioning is typically called “pairing”.
In addition to out-of-band commissioning, Bluetooth standardizes three commissioning methods. “Just Works” is a permissive, unauthenticated scheme that is vulnerable to MITM attacks. “Numeric Comparison” expects the user to compare two 6-digit numbers on the devices. The scheme is authenticated and the probability of launching a successful MITM attack is equal to 1/10^6. According to the Bluetooth SIG, this is an acceptable residual risk, especially since the user will typically get suspicious if repeated commissioning attempts fail. Another scheme is “Passkey Entry,” where one of the devices displays a 6-digit code that needs to be entered into the other device. This gives the same level of security as “Numeric Comparison.”
The choice of commissioning methods depends on the user interfaces available on each of the connecting devices. It is worth noting that for many Bluetooth connections, the user interfaces are asymmetric, in the sense that one of the devices (typically a mobile phone) has a vastly richer interface than the other device. The table below shows which method should be used based on the UI of each of the devices.
UI Capabilities Versus Commissioning Methods for Bluetooth. Yellow color indicates permissive schemes, and in particular these schemes are not authenticated. Green color indicates shared secret schemes, which are authenticated.
Zigbee is a frequently used mesh protocol for home automation. Therefore, it is used with smart home devices with very limited interfaces, such as smart lightbulbs, wireless light switches, fan control, temperature control, energy control and measurement, and so on. For this reason, Zigbee has had to make deliberate trade-offs between security and user friendliness. In general, Zigbee Home Automation (HA) devices will happily join the first network that they see, if the network will allow the device to join. This scheme can be classified as permissive, and susceptible to passive eavesdroppers, with the network key being distributed to the new device, encrypted using a fixed key that is set in the Zigbee standard. It is possible for each vendor to replace this key with a different key-distribution-key, but this would make the device non-standard Zigbee, violating interoperability between devices from different vendors.
Zigbee also comes in different versions and profiles, notably Zigbee Light Link (ZLL) and Zigbee Smart Energy (SE). There were also updates and more options to the HA commissioning method with the release of Zigbee 3.0. The variants and updates will be discussed below.
SE uses certificates to perform the key exchange, and as such makes the network resistant to passive eavesdropping. Furthermore, it mandates the use of unique shared secrets called install codes that are generated out-of-band. So the SE commissioning scheme is a shared secret scheme that is resistant to both passive and active eavesdroppers.
Zigbee 3.0 also includes the use of unique shared secrets, so-called install codes. Furthermore, the standard fixed key is replaced with a per-network and optionally per-device unique key. This way, an eavesdropper would have to be present at the initial first commissioning to exploit the standard Zigbee key, because subsequent commissioning would happen with a secret key. Finally, Zigbee 3.0 leaves the option of TouchLink to ensure interoperability between Zigbee 3.0 and legacy devices.
Thread is a fairly new mesh protocol for most of the same applications as Zigbee. Notably, Thread adds IP connectivity, which allows end-to-end communication between nodes and IP-enabled devices. The IP connectivity also enables new commissioning schemes, since this means that the commissioning device and the onboarding device may communicate over IP.
The standard commissioning scheme for Thread is a secret-key-based scheme, with relatively short install codes that are typically unique per device. To protect the commissioning link, a Datagram Transport Layer Security (DTLS) secure link is established between the devices. One of the benefits of using DTLS is that future improvements to the TLS standard will also improve the security of the commissioning scheme. To get sufficient security from short codes, J-PAKE is used for the key exchange.
Out-of-Band Commissioning Schemes
As mentioned previously, all the protocols support getting a link key from outside the protocol itself, so-called out-of-band commissioning. When out-of-band commissioning is used, the security, usability, and UI constraints of the commissioning are set by the out-of-band commissioning scheme. This section discusses some common options.
Using Another Standard to Derive the Link Key
One option for out-of-band commissioning is using a different communication protocol to establish a key. This is becoming a particularly relevant option since more and more devices are able to operate multiple protocols. As discussed previously, Zigbee has done some deliberate security-usability tradeoffs. One way to harden the scheme to defeat passive eavesdroppers is to use Bluetooth Just Works as a commissioning scheme to feed the Zigbee key out-of-band.
Near-field communication (NFC) is a protocol that allows two devices in near physical proximity, usually some centimeters, to communicate. It is supported by most modern smart phones and is also used for contactless payment. Due to the physical proximity constraint, it is considered fairly secure from active and passive eavesdroppers, although there have been reports of passive eavesdropping from a 10 meter distance. In particular, it might be challenging to do MITM from a distance. It is possible to use a public-key-based key exchange over NFC. This would require MITM by an attacker, and as argued above, this is considered more difficult than using schemes without proximity constraints. From a usability and cost point of view, NFC seems attractive. NFC chips are typically an order of magnitude cheaper than the other technologies discussed in this paper. Furthermore, it requires minimal interaction from the user.
When commissioning a wireless device onto a wireless network, there are a number of schemes that require different resources, offer various levels of simplicity for the user, and provide different levels of security. In this paper we have reviewed the various options and their corresponding artifacts to make it simpler to choose a suitable tradeoff for a given IoT product.
Lars Lydersen, Senior Director of Product Security, Silicon Labs
Lars Lydersen has an extensive background as a security researcher and was a part of the team that broke into the “unbreakable” commercial quantum cryptographic systems. Currently, he has shifted his focus to classical embedded security systems and works as the Senior Director of Product Security at Silicon Labs in Oslo, Norway. Lars holds a Master of Science degree in electronics and a PhD in quantum cryptography from the Norwegian University of Science and Technology.