WIRELESS LOCKPICKING
MATT KNIGHT // BASTILLE NETWORKS
EXPLORING 802.15.4 COMMAND INJECTION
Slides: files.meetup.com/18094742/MattKnight-WirelessLockPicking.pdf · 2016-03-17
WIRELESS LOCKPICKING // BASTILLE NETWORKS
WHO AM I
▸ Matt Knight
▸ SWE & Threat Researcher @ Bastille Networks
▸ Passionate about:
▸ Wireless sensor networks
▸ Information security
▸ Finding out what hardware actually does
50 BILLION INTERNET OF THINGS BY 2020
graphic: http://www.fronetics.com/wp-content/uploads/2015/03/Internet-of-things-and-the-supply-chain-industry.png
THE CONNECTED HOME
https://corporate.bestbuy.com/wp-content/uploads/2014/10/connected-house-main-image1.jpg
http://www.marketsonline.co.za/wp-content/uploads/2015/01/SmartHome.png
RSA IOT SANDBOX
▸ Coordinated by Balint Seeber, Jesus Molina, and Joe Gordon
▸ Idyllic IoT environment presented: the smart home
▸ Common smart home functions relate to physical security
▸ Door locks
▸ Home security systems
THE HEIST
THE SETUP
▸ Yale door lock
▸ DSC home security system
▸ Internet connected doll
▸ Wireless shock collar
▸ IoT Snake!
THE HEIST
▸ Unlocked wirelessly
▸ Jammed
▸ Spies on your kids
▸ Shocks attack dog
▸ Does snake stuff
YALE DOOR LOCK
▸ Made smart by add-on ZigBee module
▸ Connected to SmartThings IoT hub
top: http://www.bhphotovideo.com/images/images1000x1000/yale_yrd220_ha_619_keyed_touchscreen_deadbolt_with_1172756.jpg
bottom: https://support.smartthings.com/hc/en-us/article_attachments/202949444/Samsung-SmartThings-Hub-Front-Angle.jpg
WIRELESS PROTOCOLS
▸ Incumbent
▸ Cellular, WiFi, WiFi Direct, Bluetooth, BTLE, 802.15.4 (incl. ZigBee, 6LoWPAN, Thread), Z-Wave, ANT, EnOcean, etc.
▸ Emerging
▸ LoRa, SIGFOX, Ingenu, LTE-M
▸ Deprecation
▸ AT&T 2G GSM shutdown this year!
http://cdn.nuvation.com/wp-content/uploads/2014/02/medical_wireless_table.jpg
ZIGBEE
▸ Defines NWK and APP layers on top of 802.15.4 PHY/MAC
▸ Mesh routing topology
▸ Application Profiles: flexibility to suit different applications
http://www.securitymerchants.com.au/presets/product-slideshow/PageFiles/1446985/ImageGallery/130816040947532.jpg
ZIGBEE SECURITY
▸ AES-128
▸ Network key shared when device is added to network
▸ OTA key exchange encrypted with a pre-shared key… the value of which is widely known
▸ 2015 paper by Tobias Zillner/Cognosec: https://www.blackhat.com/docs/us-15/materials/us-15-Zillner-ZigBee-Exploited-The-Good-The-Bad-And-The-Ugly-wp.pdf
BATTERY POWERED COMMS
▸ Battery powered devices spend most of the time asleep
▸ Radios require a lot of power; battery powered devices can’t afford to listen promiscuously
▸ PANs are designed with power consumption in mind
▸ Z-Wave: beaming
▸ 802.15.4: indirect data request
802.15.4 INDIRECT DATA TRANSFER
▸ Battery powered device calls home and asks for updates
▸ ACK FCF signals whether data is pending
UNLOCK SEQUENCE
(sequence diagram with a LOCK column and a HUB column)
LOCK:
▸ Lock makes data request
▸ Lock ACKs unlock message
HUB:
▸ Unlock message queued on hub
‣ Hub ACKs data request; frame pending flag set
‣ Hub sends unlock message
UNLOCK SEQUENCE: THE ATTACK
(sequence diagram with a LOCK column and a HUB column; the ACK and the unlock frame are marked FORGED)
LOCK:
▸ Lock makes data request
▸ Lock ACKs unlock message
HUB:
▸ Hub is idle
‣ Hub ACKs data request; frame pending flag set (FORGED)
‣ Hub sends unlock message (FORGED)
0. Sniff encryption key
1. Inject forged ACK w/ frame pending set
2. Inject forged unlock frame
ATTEMPT 1: HOST-BASED USRP
▸ USRP B210; gr-ieee802-15-4
▸ Need sequence number from Data Request frame to compose ACK
▸ 802.15.4 ACK timeout: 864 us
▸ USB latency: ~ms
▸ Verdict: too slow!
photo: Balint Seeber
▸ USB 802.15.4 injection peripheral made by River Loop Security
▸ Host-based Killerbee attack framework
▸ MSP430 running GoodFET firmware
▸ CC2420 commodity RF IC
▸ USB2 to FTDI; UART to MSP430; bitbanged SPI to CC2420
TOO SLOW
MODIFIED APIMOTE FIRMWARE
▸ Pre-load unlock command on MSP430, via host
▸ Reflexively jam Data Request frame from lock
▸ Record enough symbols before jamming to get the sequence number
▸ Generate ACK in firmware
▸ Inject ACK and unlock command
UNLOCK SEQUENCE: THE ATTACK
(sequence diagram with a LOCK column and a HUB column; the ACK and the unlock frame are marked FORGED)
LOCK:
▸ Lock makes data request
▸ Lock ACKs unlock message
HUB:
▸ Hub is idle
‣ Hub ACKs data request; frame pending flag set (FORGED)
‣ Hub sends unlock message (FORGED)
1. Jam data request
2. Inject forged ACK w/ frame pending set
3. Inject forged unlock frame
4. Jam ongoing traffic
ATTEMPT 2 RESULT
▸ Still too slow!!
▸ Jam works correctly but ACK arrives too late
▸ SPI latency is too high
ATTEMPT 3: COMMAND PIPELINING
▸ ApiMote with custom firmware
▸ Exploits protocol retries to fit in SPI transactions
▸ If a frame goes un-ACKed, sender will reattempt after a timeout
▸ 3 or 4 attempts typical
▸ Strategy: Jam initial message and retries while reading/composing ACK
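The three mechanisms the deck leans on so far, the frame-pending bit in the ACK's frame control field (indirect data transfer), the 864 µs ACK timeout that defeated attempts 1 and 2, and the identical retries a sender emits when its Data Request goes un-ACKed, are all visible to a passive 802.15.4 sniffer. The following monitor is an example added by the editor, not code from Bastille, River Loop or KillerBee: it decodes the MAC header, pairs each ACK with the burst of Data Requests carrying the same sequence number, and reports retry count and ACK latency against macAckWaitDuration. The frames, timestamps, addresses and the burst threshold are constructed for the example; it assumes the capture tool has already verified and left in place the 2-byte FCS.

```python
"""Passive 802.15.4 MAC monitor for a lock/hub Data Request exchange.
Decodes the frame control field, pairs every ACK with the Data Request burst
that carries the same sequence number, and reports retry counts and ACK
latency. Example code added by the editor, not Bastille's, River Loop's or
KillerBee's. Frames, timestamps and addresses below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FRAME_TYPES = {0: "beacon", 1: "data", 2: "ack", 3: "cmd"}
CMD_DATA_REQUEST = 0x04       # MAC command identifier of the Data Request command
ACK_WAIT_US = 864             # macAckWaitDuration on the 2.4 GHz PHY (the deck's 864 us)
RETRY_BURST_THRESHOLD = 3     # copies of one Data Request treated as a burst (constructed)
ADDR_LEN = {0: 0, 2: 2, 3: 8}  # addressing-mode field value -> address length in bytes


@dataclass
class Frame:
    ts_us: int
    ftype: str
    seq: int
    frame_pending: bool
    ack_request: bool
    src: Optional[int]        # 16-bit short source address; None if absent or extended
    cmd: Optional[int]        # MAC command id for command frames, else None


def parse_frame(ts_us: int, raw: bytes) -> Frame:
    """Decode FCF, sequence number and addressing of one MAC frame.
    Assumes the sniffer already checked the trailing 2-byte FCS; it is stripped here."""
    body = raw[:-2]
    fcf = body[0] | (body[1] << 8)          # FCF is little-endian
    ftype = FRAME_TYPES[fcf & 0x7]
    frame_pending = bool(fcf & 0x10)        # bit 4: more data queued for the requester
    ack_request = bool(fcf & 0x20)          # bit 5
    panid_compression = bool(fcf & 0x40)    # bit 6
    dst_mode = (fcf >> 10) & 0x3
    src_mode = (fcf >> 14) & 0x3
    seq = body[2]
    pos = 3
    if dst_mode:
        pos += 2 + ADDR_LEN[dst_mode]       # destination PAN id + destination address
    src = None
    if src_mode:
        if not panid_compression:
            pos += 2                        # source PAN id present
        if src_mode == 2:
            src = body[pos] | (body[pos + 1] << 8)
        pos += ADDR_LEN[src_mode]
    cmd = body[pos] if ftype == "cmd" else None
    return Frame(ts_us, ftype, seq, frame_pending, ack_request, src, cmd)


def analyse(frames: List[Frame]) -> List[dict]:
    """Pair each ACK with the un-ACKed Data Requests of the same sequence number.
    Retransmissions of a frame keep its sequence number, so the length of that
    list is the number of over-the-air attempts the requester needed."""
    pending: Dict[int, List[Tuple[int, Optional[int]]]] = {}
    report = []
    for f in frames:
        if f.ftype == "cmd" and f.cmd == CMD_DATA_REQUEST:
            pending.setdefault(f.seq, []).append((f.ts_us, f.src))
        elif f.ftype == "ack" and f.seq in pending:
            sent = pending.pop(f.seq)
            latency = f.ts_us - sent[-1][0]
            report.append({
                "seq": f.seq,
                "src": sent[-1][1],
                "retries": len(sent) - 1,
                "latency_us": latency,
                "frame_pending": f.frame_pending,
                "late": latency > ACK_WAIT_US,          # the requester would have timed out
                "suspicious": len(sent) >= RETRY_BURST_THRESHOLD and f.frame_pending,
            })
    return report


def build_data_request(seq: int, src: int = 0x1234) -> bytes:
    # FCF 0x8863: MAC command, ACK request, PAN id compression, 16-bit dst and src.
    # PAN id 0xABCD and coordinator short address 0x0000 are constructed values.
    return bytes([0x63, 0x88, seq, 0xCD, 0xAB, 0x00, 0x00,
                  src & 0xFF, src >> 8, CMD_DATA_REQUEST, 0x00, 0x00])


def build_ack(seq: int, frame_pending: bool) -> bytes:
    fcf = 0x0002 | (0x0010 if frame_pending else 0)
    return bytes([fcf & 0xFF, fcf >> 8, seq, 0x00, 0x00])


# Constructed capture: (timestamp in microseconds, raw frame with FCS)
SAMPLE_LOG = [
    (0, build_data_request(0x2A)),           # three identical requests, then a
    (2000, build_data_request(0x2A)),        # frame-pending ACK 500 us after the last
    (4000, build_data_request(0x2A)),
    (4500, build_ack(0x2A, True)),
    (60000, build_data_request(0x2B)),       # ordinary exchange, nothing pending
    (60300, build_ack(0x2B, False)),
    (120000, build_data_request(0x2C)),      # ACK that misses macAckWaitDuration
    (121500, build_ack(0x2C, False)),
]


def run(log=SAMPLE_LOG) -> List[dict]:
    return analyse([parse_frame(ts, raw) for ts, raw in log])


if __name__ == "__main__":
    for entry in run():
        print(entry)
```

A passive capture cannot tell a jammed Data Request from one lost to ordinary interference, and it cannot see who transmitted an ACK, so the `suspicious` flag is an indicator to correlate with the hub's own records: if the hub logs that it had nothing queued for the lock while the air shows a frame-pending ACK and an unlock frame, the over-the-air frames did not come from the hub.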
PIPELINED UNLOCK SEQUENCE
(sequence diagram with a LOCK column and a HUB column; the ACK and the unlock frame are marked FORGED)
LOCK:
▸ Lock makes data request
▸ Lock makes data request
▸ Lock makes data request
HUB:
‣ Hub ACKs data request; frame pending flag set (FORGED)
‣ Hub sends unlock message (FORGED)
1. Jam data request, read its sequence number
2. Jam data request, load forged ACK frame in CC2420’s TXFIFO
3. Jam data request using forged ACK
4. Inject forged ACK again
5. Inject forged unlock frame
6. Jam ongoing traffic
Live Demo Time
0. Still need that key!
WHAT ABOUT THAT MAJOR CAVEAT…?
▸ Attacker must possess ZigBee encryption key
▸ Key is sent in the clear only once, when lock is added to network
▸ Entice user to add lock to network while you are sniffing
▸ De-authentication attack
▸ Denial of service
CONCLUSIONS
▸ SDR is awesome, but not always the right tool for the job
▸ Commodity hardware is a powerful complement
▸ We have a long way to go to secure the IoT
▸ ApiMote and GoodFET enhancements to be released on Bastille RFStorm’s github: github.com/RFStorm
ACKNOWLEDGEMENTS
▸ Bastille RFStorm / Balint Seeber
▸ River Loop Security (ApiMote & Killerbee)
▸ Bastian Bloessel (gr-ieee802-15-4)
▸ Cyberspectrum community