The crux of securing a wireless link is to distribute the link key. This typically happens during the commissioning step, where the device is associated with the wireless network.
This section contains a review of the standardised commissioning schemes in the most common IoT protocols. All of the protocols also support getting the link/network key from outside the protocol, also called out-of-band commissioning. Therefore, the topic of popular out-of-band schemes will be handled separately in the next section.
Wi-Fi is typically the IoT technology that most people have been exposed to and are familiar with. There have been a number of schemes to secure Wi-Fi connections over the years, such as WEP, WPA (Personal) and now the most common scheme, WPA2 (Personal). The schemes have evolved to counter various attacks that have been found. Common to all of these is that they are shared key commissioning schemes: the user has to enter the pre-shared key at the device. As discussed previously, the shared key schemes have usability drawbacks. In particular, it is necessary to have significant randomness in the key to prevent adversaries from using brute-force attacks. In practice, this means passwords of 16 or more characters.
To simplify the Wi-Fi commissioning process, the Wi-Fi Alliance introduced Wi-Fi Protected Setup (WPS). For WPS, there is a mandatory 8-digit PIN entry method. This method should theoretically require 10⁸ attempts for brute-force attacks, but due to weaknesses in the scheme, only 11,000 attempts are required. This can be brute-forced within 24 hours. This renders WPS insecure, and as such, users are recommended to turn off WPS and are left with long passwords. WPS also supports temporal, permissive commissioning by pressing a button on the on-boarding device, but since the PIN method is mandatory, the button-press method is also disabled when WPS is disabled.
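As an added illustration (not code from the original article), the sketch below puts the figures from the two Wi-Fi paragraphs above side by side: it expresses the WPS search spaces and a random 16-character passphrase in bits, and derives the WPA2-Personal key the way the standard does (PBKDF2-HMAC-SHA1 salted with the SSID). The 62-character alphabet, the function names and the SSID "ExampleNet" are assumptions chosen for the example.

```python
import hashlib
import math
import secrets
import string

# Assumption: a 62-symbol alphabet that is easy to type on a device UI.
ALPHABET = string.ascii_letters + string.digits

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PMK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)

def entropy_bits(search_space: int) -> float:
    """Bits of work for an exhaustive search over `search_space` guesses."""
    return math.log2(search_space)

def generate_passphrase(length: int = 16) -> str:
    """Uniformly random passphrase drawn from the OS CSPRNG."""
    if not 16 <= length <= 63:
        raise ValueError("use 16 to 63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def compare_search_spaces(length: int = 16) -> dict:
    """Search-space sizes quoted in the text, expressed in bits."""
    return {
        "wps_pin_theoretical": entropy_bits(10**8),
        "wps_pin_effective": entropy_bits(11_000),
        "random_passphrase": entropy_bits(len(ALPHABET) ** length),
    }

if __name__ == "__main__":
    for name, bits in compare_search_spaces().items():
        print(f"{name:22s} {bits:5.1f} bits")
    psk = generate_passphrase()
    # "ExampleNet" is a constructed SSID used only for this demonstration.
    print(psk, wpa2_pmk(psk, "ExampleNet").hex())
```

The derived key is a deterministic function of passphrase and SSID, so it is never stronger than the passphrase itself.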
Wi-Fi also supports a more elaborate scheme called WPA “Enterprise” commissioning. One of the drawbacks of the “Personal” WPA schemes is that all devices share the same key. This means that they can decrypt all of the traffic on the network and furthermore, removing a device from the network requires changing the key in all of the devices. WPA Enterprise is a certificate and/or shared-key-based commissioning scheme, which requires a server that contains certificates for all valid devices on the network. The benefit of this approach is that each device gets an individual link key. The biggest drawbacks of the Enterprise scheme are that it requires a backend and that it typically requires a more elaborate UI to support both username and password. For this reason, many IoT devices do not support WPA “Enterprise.”
Bluetooth Low Energy
Bluetooth is often used to connect relatively simple devices to a mobile phone, either for communication with the mobile phone only, or to use the phone as an Internet gateway. The Bluetooth standard has evolved and several versions have been released. Notably, Bluetooth version 4.2 significantly increased the security of the protocol by using public-key-based key exchange, thereby requiring an attacker to perform MITM. The Bluetooth classic protocol does significant frequency hopping, and as such, hackers have reported that it is necessary to do active MITM to control the frequency hopping in order to perform passive eavesdropping. Therefore, such tools are now easily available, and they also work on the most recent versions of Bluetooth Low Energy. This paper will only discuss the commissioning methods that were introduced after version 4.2 in Bluetooth 5. Note that in Bluetooth language, commissioning is typically called “pairing.”
In addition to out-of-band commissioning, Bluetooth standardises three commissioning methods. “Just Works” is a permissive, unauthenticated scheme that is vulnerable to MITM attacks. “Numeric Comparison” expects the user to compare two 6-digit numbers on the devices. The scheme is authenticated and the probability of launching a successful MITM attack is equal to 10⁻⁶. According to the Bluetooth SIG, this is an acceptable residual risk, especially since the user will typically get suspicious if repeated commissioning attempts fail. Another scheme is “Passkey Entry,” where one of the devices displays a 6-digit code that needs to be entered into the other device. This gives the same level of security as “Numeric Comparison.”
The choice of commissioning methods depends on the user interfaces available on each of the connecting devices. It is worth noting that for many Bluetooth connections, the user interfaces are asymmetric, in the sense that one of the devices (typically a mobile phone) has a vastly richer interface than the other device. Figure 2 shows which method should be used based on the UI of each of the devices.
Figure 2: UI capabilities versus commissioning methods for Bluetooth. Yellow indicates permissive schemes, and in particular these schemes are not authenticated. Green indicates shared secret schemes which are authenticated.
Zigbee is a frequently used mesh protocol for home automation. It is used with smart home devices with very limited interfaces, such as smart light bulbs, wireless light switches, fan control, temperature control, energy control and measurement etc. For this reason, zigbee makes deliberate trade-offs between security and user friendliness. In general, zigbee Home Automation (HA) devices will happily join the first network that they see, if the network will allow the device to join. This scheme can be classified as permissive and susceptible to passive eavesdroppers, with the network key being distributed to the new device, encrypted using a fixed key that is set in the zigbee standard. It is possible for each vendor to replace this key with a different key-distribution-key, but this would make the device non-standard zigbee, violating interoperability between devices from different vendors.
Zigbee also comes in different versions and profiles, notably Zigbee Light Link (ZLL) and Zigbee Smart Energy (SE). There were also updates and more options added to the HA commissioning method with the release of Zigbee 3.0. The variants and updates will be discussed below.
SE uses certificates to perform the key exchange, and as such makes the network resistant to passive eavesdropping. Furthermore, it mandates the use of unique shared secrets called install codes that are generated out-of-band. So the SE commissioning scheme is a shared secret scheme that is resistant to both passive and active eavesdroppers.
Zigbee 3.0 also includes the use of unique shared secrets, so-called install codes. Furthermore, the standard fixed key is replaced with a per-network and, optionally, per-device unique key. This way, an eavesdropper would have to be present at the initial first commissioning to exploit the standard zigbee key, because subsequent commissioning would happen with a secret key. Finally, zigbee 3.0 leaves the option of TouchLink to ensure interoperability between zigbee 3.0 and legacy devices.
Thread is a fairly new mesh protocol targeting most of the same mesh applications as zigbee. Notably, Thread adds IP-connectivity, which allows end-to-end communication between nodes and IP-enabled devices. The IP-connectivity also enables new commissioning schemes, since this means that the commissioning device and the on-boarding device may communicate over IP.
The standard commissioning scheme for Thread is a secret-key-based scheme, with relatively short install codes that are typically unique per device. To protect the commissioning link, a Datagram Transport Layer Security (DTLS) secure link is established between the devices. One of the benefits of using DTLS is that future improvements to the TLS-standard will also improve the security of the commissioning scheme. To get sufficient security from short codes, J-PAKE is used for the key exchange.
Out-of-band commissioning schemes
As mentioned previously, all the protocols support getting a link key from outside the protocol itself, so-called out-of-band commissioning. When out-of-band commissioning is used, the security, the usability and the UI constraints of the commissioning are set by the out-of-band commissioning scheme. This section discusses some common options.
Using another standard to derive the link key
One option for out-of-band commissioning is using a different communication protocol to establish a key. This is becoming a particularly relevant option since more and more devices are able to operate multiple protocols. As discussed previously, zigbee makes some deliberate security-usability trade-offs. One way to harden the scheme to defeat passive eavesdroppers is to use Bluetooth Just Works as a commissioning scheme to feed the zigbee key out-of-band.
Near-field communication (NFC) is a protocol that allows two devices in near physical proximity, usually some centimetres, to communicate. It is supported by most modern smart phones and is also used for contactless payment. Due to the physical proximity constraint, it is considered fairly secure from active and passive eavesdroppers, although there have been reports of passive eavesdropping from a 10-metre distance. In particular, it might be challenging to do MITM from a distance.
It is possible to use a public-key-based key exchange over NFC. This would require MITM by an attacker, and as argued above, this is considered more difficult than using schemes without proximity constraints. From a usability and cost point of view, NFC seems attractive. NFC chips are typically an order of magnitude cheaper than the other technologies discussed in this paper. Furthermore, it requires minimal interaction from the user.
When commissioning devices onto a wireless network, there are a number of options that:
- require different resources
- offer various levels of simplicity for the user
- provide different levels of security.
Developers must consider the various options and their corresponding side-effects when designing security for an IoT product.
Lars Lydersen has an extensive background as a security researcher and was a part of the team that broke into an “unbreakable” commercial quantum cryptographic system. He’s currently Senior Director of Product Security at Silicon Labs in Oslo, Norway.
First published by EDN.