00:00:00.234,00:00:04.137
>> Welcome, everyone. [audience
noise] Thank you for coming to

00:00:04.137,00:00:09.309
this, uh, talk. We're going to,
to talk about 6LoWPAN, 6LoWPAN

00:00:09.309,00:00:13.513
networks, and more precisely how
to do penetration testing on

00:00:13.513,00:00:17.284
that type of networks. [tssk]
Uh, as you are going to

00:00:17.284,00:00:21.788
understand, uh, the hard part is
not to do the actual penetration

00:00:21.788,00:00:25.826
test but to reach the, the, the,
the, the point where you are

00:00:25.826,00:00:30.697
able to do the tests. [pause]
So, uh, a little bit of context,

00:00:30.697,00:00:34.601
uh, we are both security
auditors from Airbus Defence and

00:00:34.601,00:00:38.939
Space, we're working internally
to do security auditing,

00:00:38.939,00:00:42.543
penetration testing, you know,
within the Airbus group. But we

00:00:42.543,00:00:47.848
also, uh, work with all the, uh,
companies to help them improve

00:00:47.848,00:00:53.086
their security. So there's a
picture of particular audit that

00:00:53.086,00:00:58.725
we did, uhm, the actual subject
of this talk. Uh, that was,

00:00:58.725,00:01:03.764
uuuuh, water monitoring systems
and we did penetration testing

00:01:03.764,00:01:07.100
on it, they were going to, to,
to present to you the

00:01:07.100,00:01:11.004
methodology, the tool we
developed to do the test. We

00:01:11.004,00:01:15.809
actually will be using the tool
here and we're also going to

00:01:15.809,00:01:21.748
give the, the results of this
penetration test. [pause] So,

00:01:21.748,00:01:26.586
uhm, this network was relying on
the 6LoWPAN protocol. What is

00:01:26.586,00:01:31.591
the 6LoWPAN protocol? Basically
it is IPV6, uh, shred and and

00:01:33.627,00:01:38.632
torn apart to make it fit over
here to have less, less network

00:01:41.535,00:01:45.739
footprint. Think here we are
talking about smart green, uh,

00:01:45.739,00:01:48.809
that we want [cough] to work low
energy, uh, low energy protocol,

00:01:48.809,00:01:53.814
IPV6 is anything but low energy,
uh, just one address is one 128

00:02:00.654,00:02:04.958
bytes, you have two address -
social address and destination

00:02:04.958,00:02:09.963
address. And this is a lot of
information compared to the, the

00:02:12.099,00:02:16.837
information that we will be
broadcasted by infrastructure,

00:02:16.837,00:02:22.209
CISCO will broadcast the
information. So how does 6LoWPAN

00:02:22.209,00:02:26.413
network actually do the, the
compressing that's quite a,

00:02:26.413,00:02:32.119
quite simple. They have a, uhm,
6LoWPAN header on top of the,

00:02:32.119,00:02:37.357
the IPv6 header. With a lot of
flags and these flags, uh, just

00:02:37.357,00:02:42.896
basically tell you how to
decompress the iPV6 header.

00:02:42.896,00:02:47.100
[cough] For example you have a
flag to say that the first 64

00:02:47.100,00:02:51.471
bytes of the IP address is the,
the bytes from the [coughing]

00:02:51.471,00:02:56.410
MAC address. In fact it's IIIG
address but that's that's the

00:02:56.410,00:02:59.980
MAC address. And so, you have
plenty of flags, your flags for

00:02:59.980,00:03:03.450
example for the TDL the
predefined value, you cannot set

00:03:03.450,00:03:06.987
the TDL precisely, you will have
a few predefined value to

00:03:06.987,00:03:13.160
choose, to choose from. You can
also, uh, use flag to say that

00:03:13.160,00:03:16.563
you are omitting a, uh, complete
field because you do not need

00:03:16.563,00:03:20.734
that field. You can also use
context, context are pre-shared

00:03:20.734,00:03:25.705
information and you have indexes
and so you just provide the

00:03:25.705,00:03:28.875
index of the pre-shared
information and, the, the device

00:03:28.875,00:03:32.279
will just, fill, fill the blanks
with this pre-shared

00:03:32.279,00:03:38.919
information. [cough] Usually,
uh, with the, uh, with the, it's

00:03:38.919,00:03:44.157
the inner context of the
metering infrastructure. You are

00:03:44.157,00:03:48.562
broadcasting information and if
you miss one information that's

00:03:48.562,00:03:50.630
not critical - you have more
information communique

00:03:50.630,00:03:54.568
constantly. So you don't need to
be su, be sure you have all the

00:03:54.568,00:03:58.271
information, so you don't need a
connected protocol, meaning? I

00:03:58.271,00:04:02.309
mean you don't need TCP. So
usually we find UTP on top of

00:04:02.309,00:04:03.643
6LoWPAN and that's why the
6LoWPAN standard also specify

00:04:03.643,00:04:04.978
how to compress the UTP header.
Pretty much like it does with

00:04:04.978,00:04:06.313
the, the IPv6 header. Keep in
mind also that you have, uh,

00:04:06.313,00:04:07.647
the, the, a short
maximum-transmission unit, only

00:04:07.647,00:04:09.015
wanna join the 27 bytes compared
to the 1-thousand and, three,

00:04:09.015,00:04:10.350
and 500 bytes. So the 6LoWPAN
protocol also specifies how to

00:04:10.350,00:04:15.355
fragment and defragment IPv6
packets to, to a 6LoWPAN packet.

00:04:39.913,00:04:45.218
[pause] So, what's the big deal?
Are you, you know IPv6 is part

00:04:45.218,00:04:49.923
of IP protocol - there already a
lot of tool to interact with

00:04:49.923,00:04:54.427
IPv6. Usually when you do
penetration testing you do it

00:04:54.427,00:04:59.299
not directly, uh, target the IP,
if you get stuck you more,

00:04:59.299,00:05:04.371
usually you more about the, the
targetting the higher layer

00:05:04.371,00:05:09.843
protocol - TCP, HTTP. So, again,
there's nothing new here. You

00:05:09.843,00:05:13.747
can just use the existing tool,
the existing methodology. So why

00:05:13.747,00:05:16.950
not just, why not just use a USB
adapter? Just try to do with

00:05:16.950,00:05:20.854
WiFi, just buy, uh, just buy a
6LoWPAN USB adapter, plug into

00:05:20.854,00:05:26.593
your computer and start doing
the penetration test. [pause]

00:05:26.593,00:05:30.831
Well, that would be too easy!
[laughter] The, uh, underlayer,

00:05:30.831,00:05:37.637
under the 6LoWPAN protocol, what
I mean, the physical layer and

00:05:37.637,00:05:42.642
the MAC sub-layer is handled by
the 15 dot 4 protocol. And this

00:05:44.911,00:05:48.982
is where things get complicated.
You have, really, a lot of

00:05:48.982,00:05:53.086
possible configuration with 15
dot 4. For example, you can

00:05:53.086,00:05:58.258
setup the network topology as a
mash network when every end

00:05:58.258,00:06:01.127
device that communicate with
each other. Or, as a star

00:06:01.127,00:06:06.433
network where end device must
only send information to code

00:06:06.433,00:06:11.805
images. But how to send this
information? Well, you have also

00:06:11.805,00:06:15.075
two type of transmission - you
have the direct transmission

00:06:15.075,00:06:18.745
when one node would just send
the information, you have the

00:06:18.745,00:06:22.949
indirect transmission when
d-node will first say that he

00:06:22.949,00:06:27.954
has information pending and wait
for the receiving node to say

00:06:27.954,00:06:32.559
"Okay, you can send
information." You can use GTCs

00:06:32.559,00:06:36.062
guaranteeing slots, it's, uh,
it's a system to allow, uh,

00:06:36.062,00:06:39.165
timeslot to each, to each device
to make sure that there is no

00:06:39.165,00:06:42.235
collision. This is something
that is optional, you not, uh,

00:06:42.235,00:06:47.841
do not need necessarily to use
GTCs. And you could use beacons

00:06:47.841,00:06:52.178
- beacons in 6LoWPAN networks, I
mean in 15 dot 4 networks, not

00:06:52.178,00:06:57.117
only, uh, are beaconing the
network but they also can host a

00:06:57.117,00:07:01.488
lot of information. If you want
to... So, you can see here that

00:07:01.488,00:07:05.859
you, if you combine multiple
choice you can have really

00:07:05.859,00:07:11.131
several possible configurations.
[pause] But that's not all, you

00:07:11.131,00:07:15.168
also have to think about
security - objection security is

00:07:15.168,00:07:18.471
provided by the MAC layer and
there again you have multiple

00:07:18.471,00:07:22.275
choices. You can only protect
integrity, you can only protect

00:07:22.275,00:07:26.680
confidential or you can protect
both. You can choose, a,

00:07:26.680,00:07:31.985
different type of key - I mean
size of key - 32, 64 or one and

00:07:31.985,00:07:38.058
128. So again, more choice means
more possibilities if you make

00:07:38.058,00:07:41.695
more combination with the
possibilities, possibilities I

00:07:41.695,00:07:45.065
have exposed. And of course you
have multiple revision of the

00:07:45.065,00:07:49.703
standard. You have the 2003
standard that, which specifies

00:07:49.703,00:07:53.873
type of encryption which is
incompatible with the encryption

00:07:53.873,00:07:59.779
specified by the 2006 standard.
And the 2006 standard is, uh,

00:07:59.779,00:08:03.516
uh, use the same encryption as
the 2011 but the key-management

00:08:03.516,00:08:07.587
system is a little bit
different. So, again more

00:08:07.587,00:08:12.425
combination are possible. At
that point you should see that

00:08:12.425,00:08:17.630
you needed to connect to use the
6, the IPv6 tool so to connect

00:08:17.630,00:08:21.267
to 6LoWPAN networks. you must
first understand all the, the,

00:08:21.267,00:08:25.438
the predecessor configuration of
the underlying 15, 15 dot 4

00:08:25.438,00:08:30.343
infrastructure. [pause] And this
is really the, the hard part

00:08:30.343,00:08:34.981
because you have to guess, you
have to bruteforce, if you

00:08:34.981,00:08:39.085
walking with, uh, the, uh,
customer that asked you to the

00:08:39.085,00:08:43.323
penetration tests you can ask
for the information but usually

00:08:43.323,00:08:45.558
it does not have the
information, he relies on the

00:08:45.558,00:08:48.728
supplier to do the
infrastructure. And if you ask

00:08:48.728,00:08:51.865
the supplier he might say that
it's his intellectual property

00:08:51.865,00:08:54.801
he does not want to share this
information with you. You might

00:08:54.801,00:08:59.639
want to, uhm, get the, get the
infrastructure yourself by

00:08:59.639,00:09:04.310
taking apart a sensor, for
example. But, if the sensor is

00:09:04.310,00:09:10.183
embedded in the water pipe
that's quite difficult. Just,

00:09:10.183,00:09:14.654
to, to illustrate this, here are
the lists of the possible

00:09:14.654,00:09:20.160
encryption option on the 2003
standards, here from the 2006 -

00:09:20.160,00:09:24.330
you can see they are different.
But one additional difficulties

00:09:24.330,00:09:28.802
that in the 2006 version of the,
the frame format - you have

00:09:28.802,00:09:32.038
three bytes, three bits - sorry,
three bits to specify the

00:09:32.038,00:09:37.010
encryption you used. But that is
not the case we do 2003, uh,

00:09:37.010,00:09:40.346
version of the standard, you
have to know beforehand to guess

00:09:40.346,00:09:43.616
the version of the fr, the
choice you made for the

00:09:43.616,00:09:48.621
encryption. And of course, that
is not all... [laughter] Usually

00:09:51.357,00:09:57.397
when a supplier is building a,
an infrastructure - 15 dot 4 or

00:09:57.397,00:10:01.201
something else, you will be, the
supplier will be the one to

00:10:01.201,00:10:05.238
build everything. The sensor,
the coordinators, the that

00:10:05.238,00:10:11.344
connects the smart grid to the
IT infrastructure. That means

00:10:11.344,00:10:16.850
that if the supplier makes
mistake while implementing Gnome

00:10:16.850,00:10:19.419
[cough] usually this mistake
will not stay like this for

00:10:19.419,00:10:24.123
long. By that I mean that if the
mistake does not induce failure

00:10:24.123,00:10:28.595
or performance losses since
every component in the network

00:10:28.595,00:10:33.800
has this, uh, deviation from the
standard nobody will even notice

00:10:33.800,00:10:37.804
it for long. We have one good
example of this - uh, actually

00:10:37.804,00:10:41.508
we have many but this we can
publicly talk about it because

00:10:41.508,00:10:44.110
the component is freely
available, publicly available

00:10:44.110,00:10:49.949
to, to anyone. That is the XBee
51, uh, chip, form, uh, Digi,

00:10:49.949,00:10:55.522
who is using the 2003 version of
the frame format but, the 2006

00:10:55.522,00:11:01.060
security switch for encryption.
These chips have been around

00:11:01.060,00:11:05.832
since 2010, 2009, and nowhere on
the internet we could find

00:11:05.832,00:11:10.270
mention of this... And actually
we, we we did get to talk to

00:11:10.270,00:11:15.542
Digi engineer and, uh, they
realized that this, this

00:11:15.542,00:11:19.312
deviation with, by talking to
us. So, really, when I say that

00:11:19.312,00:11:20.647
and it's quite easy to talk to
them when you're doing audit and

00:11:20.647,00:11:21.981
that's really true. [pause] That
is why we started the ARSEN

00:11:21.981,00:11:26.986
project, and that stands for
Advanced Routing between 6LoWPAN

00:11:36.563,00:11:40.567
and Ethernet Networks and the
very idea of this project was to

00:11:40.567,00:11:46.072
build two distinct tools. The
first one was about a, a scanner

00:11:46.072,00:11:50.910
that could detect every
possible, uh, option from a 60,

00:11:50.910,00:11:56.115
uh, 15 dot 4 network- including
deviations. And then from all

00:11:56.115,00:11:59.586
this information this
information will be provided to

00:11:59.586,00:12:03.189
another tool, uh, above the
router that would be available

00:12:03.189,00:12:09.362
to translate IPv6 datagram to
6LoWPAN frames and vice versa

00:12:09.362,00:12:14.367
while using all the information
provided by the scanner. [pause]

00:12:16.703,00:12:20.306
This tool is based on another
tool we, we've released two

00:12:20.306,00:12:23.610
years ago that is
Scapy-radio,which basically use

00:12:23.610,00:12:29.916
Scapy, uh, fa, famous and very
powerful packet manipulator.

00:12:29.916,00:12:35.054
Combined with Gnu-radio a
software defender framework that

00:12:35.054,00:12:38.625
tells us to work with any kind
of radio communication protocol.

00:12:42.195,00:12:44.364
[coughing] [pause] So, I said
that we have two main components

00:12:44.364,00:12:49.135
in this project. The first one
is very simple, I mean it, the

00:12:49.135,00:12:53.873
way it works, it simply needs
the database of all device that

00:12:53.873,00:12:58.811
it can see by analyzing what
Scapy-radio is sniffing on the

00:12:58.811,00:13:03.282
15 dot 4 network and analyze
this information to infer

00:13:03.282,00:13:07.186
everything it can, actually.
Which device are running on

00:13:07.186,00:13:10.890
which channel? Which device are
communing, communicating with

00:13:10.890,00:13:15.294
which other? What type of friend
they are communicating? What are

00:13:15.294,00:13:18.231
the parameters, by that I also
mean encryption parameters that

00:13:18.231,00:13:23.136
are used to transmit this
frames. On the other end the

00:13:23.136,00:13:26.906
6LoWPAN border router uses this
information from this scanner,

00:13:26.906,00:13:32.779
create, a, a tune interface so
it's not type in the interface

00:13:32.779,00:13:39.318
anymore. And, basically, Scapy
automation that we translate

00:13:39.318,00:13:42.989
every datagram that we see on
the tune interface to one or

00:13:42.989,00:13:48.327
multiple 6LoWPAN frames and
translation while defragmenting

00:13:48.327,00:13:49.662
any 6LoWPAN frames to an IPv6
frame and transport it to the

00:13:49.662,00:13:50.997
tune interface. [pause]
[coughing] We had to modify his

00:13:50.997,00:13:52.331
computers th, to achieve this,
uh, irst, there, there were

00:13:52.331,00:13:54.834
existing 15 dot 4 layers and 6,
6LoWPAN layers. As for the 15

00:13:54.834,00:13:59.839
dot 4 layers we fix several bug
but we also, uh, imple, uh,

00:14:12.585,00:14:17.557
implemented both 2003 and 2006
version, encrypt, encryption

00:14:17.557,00:14:22.562
methods. And, we see later we
also implemented encryption, not

00:14:26.365,00:14:28.034
based on a key, not key
encryption, based on key stream

00:14:28.034,00:14:31.070
provided by user. This is
related to a cryptographic

00:14:31.070,00:14:33.940
attack that Arnaud is going to,
to present, uh, in a few, in a

00:14:33.940,00:14:38.978
few slides. As for the 6LoWPAN
we basically we implemented

00:14:38.978,00:14:43.549
everything, mostly we, we, I
think from the norm it's almost,

00:14:43.549,00:14:48.855
re, rewriting from scratch. As
far, as we, we know from our

00:14:48.855,00:14:52.658
tests everything is implemented
except for the indexes. Like I

00:14:52.658,00:14:56.162
said, uh, it's possible to work
with context, the, the 6LoWPAN

00:14:56.162,00:14:59.999
frame will provide indexes to
know which context to, to pull

00:14:59.999,00:15:03.970
out when the end device receives
a frame. Their is no way to know

00:15:03.970,00:15:06.973
this, con, this context that
they have, This is not something

00:15:06.973,00:15:09.575
that we have implemented so far,
but apart from that, everything,

00:15:09.575,00:15:14.580
everything else have been, uh,
implemented. [pause] [background

00:15:19.051,00:15:21.854
noise] [ahem] >> So, now, let's
talk about, uh, security

00:15:21.854,00:15:26.492
attacks! So we will not focus on
attacks on availability because

00:15:26.492,00:15:29.796
throughout looking at wireless,
you can simply use, uh, jammer,

00:15:29.796,00:15:34.300
and do a "Denial of Service",
uh, so there is no big point to

00:15:34.300,00:15:37.503
find a newer way to attack
availability because it's a

00:15:37.503,00:15:41.474
simple path. We want to be
focussed on confidentiality and

00:15:41.474,00:15:45.344
integrity and since we are
talking about sensor for water

00:15:45.344,00:15:48.481
management for example the
critical point is integrity

00:15:48.481,00:15:52.018
because in fact confidentiality
is not that much important at

00:15:52.018,00:15:53.619
this event. But, let's see, for
confidentiality we will talk

00:15:53.619,00:15:54.954
about same nonce attacks and for
integrity we'll play about

00:15:54.954,00:15:56.289
replay attacks and manageability
attack. [coughing] So, a few

00:15:56.289,00:15:57.623
word on IES and ctm mod, so as
Jonathan showed you, it's one

00:15:57.623,00:15:59.859
the modules for encryption, uhm,
and most interesting one, we

00:15:59.859,00:16:06.566
think. And, what we will say, I
will say that's also true for

00:16:06.566,00:16:10.203
ctm, so, uh, uh, encryption and
[00:16:22] . So why ctm mod?

00:16:10.203,00:16:13.806
It's because if you use IES in
C, in CBC Mod it will do a block

00:16:13.806,00:16:16.142
encryption [cough] and since we
are using short packets, I mean

00:16:16.142,00:16:18.444
shorter that the size of the
arrest block output, we will

00:16:18.444,00:16:20.980
have to do a lot of padding and
transmitting padding over the

00:16:20.980,00:16:24.083
air is the worst of efficiency
and energy. So, we use stream

00:16:24.083,00:16:30.723
encryption which is STM Mod. So,
one main point of stream

00:16:30.723,00:16:36.829
encryption is we are using the
case swim which is an output of

00:16:36.829,00:16:39.432
the clock cyphering, uh, and we
[00:17:02] it with the plain

00:16:39.432,00:16:42.468
text to have the ciphertext. My
only concern with that if, if we

00:16:42.468,00:16:45.238
have, uhm, several packet with
same gate stream we can do some

00:16:45.238,00:16:48.374
cryptanalysis. So, each packet
should have, uh, different,

00:16:48.374,00:16:53.312
different nonce, different gate
stream and if we see, see it's

00:16:53.312,00:16:59.118
made to a different nonce. Since
the control is an IRS control so

00:16:59.118,00:17:03.990
it's predictable and the is of
course constant. SO, the nonce

00:17:03.990,00:17:08.928
is a value that will change
between packet and avoid, to,

00:17:08.928,00:17:12.298
the possibility to do some
cryptanalysis with a lot of

00:17:12.298,00:17:13.733
packet with the same gate
stream. [pause] So, now, the

00:17:13.733,00:17:15.701
notes on 15 dot 4 is based on
the "source ext ID" so it's

00:17:15.701,00:17:22.441
something you can find and frame
counter, so, in order to do our

00:17:22.441,00:17:27.446
attack we will need nonce, the
same nonce attacks so basically,

00:17:30.316,00:17:35.288
having a large number of frame
with the same case stream and so

00:17:35.288,00:17:37.890
the same nonce that we have to
do our cryptanalysis. So, as we

00:17:37.890,00:17:39.892
plan our attack it's something
we'll leave basic, we say the

00:17:39.892,00:17:42.261
you have recorded, but you need
to send it with, with the good

00:17:42.261,00:17:44.096
counter value because you are
the frame counter. And the

00:17:44.096,00:17:46.499
manageability attack is
basically, there's uhm, present

00:17:46.499,00:17:48.834
[coughing] to the user so we
need to know a case stream to

00:17:48.834,00:17:52.238
create, for, to craft our packet
and we need to know the value of

00:17:52.238,00:17:55.474
the frame counter. Okay, so, no
I have time to do some pentests

00:17:55.474,00:17:58.010
so, we know of security works,
we have the tools, that

00:17:58.010,00:18:00.513
[coughing] I introduced and we
have some guest that we can

00:18:00.513,00:18:05.518
attack it. So, this is wireless
networks, uh, used in water

00:18:12.425,00:18:17.430
distribution, so we are working
on it. And, obviously the first

00:18:26.038,00:18:31.877
test of the pentest is like an
IT pentest we try to find as

00:18:31.877,00:18:33.980
much information as possible,
so, we scan all channel of, uhm,

00:18:33.980,00:18:36.082
15 dot 4 and we find that there
is communication on channel 18

00:18:36.082,00:18:37.416
that each sensor is
communication only with PAN

00:18:37.416,00:18:38.751
coordinator which makes sense
because if we have sensors that

00:18:38.751,00:18:40.086
are only broadcasting
information so, it's a star

00:18:40.086,00:18:41.420
topology. And the PAN is only
transmitting beacon-frame. So,

00:18:41.420,00:18:46.425
we can so, can see on the, uhm,
the screen it's a capture of the

00:18:49.562,00:18:54.567
tools on the right side. Uh, we
can see that the frame version

00:18:59.872,00:19:04.810
is 2006 standout. And the
security is used in CTI mod, and

00:19:09.315,00:19:14.320
we have also the short address
of the bar and the sensor. But

00:19:19.158,00:19:21.127
we will need the long address as
we have seen its use for the

00:19:21.127,00:19:24.030
nodes. So, we need the long
address, so, we know that the

00:19:24.030,00:19:29.635
long address is the extension or
long address [cough] Is

00:19:29.635,00:19:34.640
transmitted when the sensor is
associating with the PAN. So,

00:19:45.084,00:19:51.257
basically we need to force a new
association. This is something

00:19:51.257,00:19:58.197
you can find on a lot of attacks
on wireless network. So, [ahem],

00:19:58.197,00:20:00.733
how to do that? So, we tried to
flood the sensor - so send a lot

00:20:00.733,00:20:03.502
of frame, random frame to the
sensor so the sensor can not

00:20:03.502,00:20:08.507
track the PAN, the beacon frame
from the PAN because the channel

00:20:20.219,00:20:23.255
is full. And, since, [cough]
since the sensor is not

00:20:23.255,00:20:27.026
receiving any more bea, beacon
frame it will lose it's

00:20:27.026,00:20:30.930
synchronisation and if we stop
flooding it will resynchronize

00:20:30.930,00:20:34.066
and also send its extended
address. So, there you have it.

00:20:36.335,00:20:39.739
[pause] The next step, and the
simplest one, we want to add our

00:20:39.739,00:20:44.276
fake sensor to the network. So,
basically there is no secure

00:20:44.276,00:20:49.014
function to doing the
association process we do not

00:20:49.014,00:20:53.119
find any higher layer of
authentication system. And there

00:20:53.119,00:20:58.858
is no filter on the address, you
can, we can, use an address as

00:20:58.858,00:21:02.962
we want. So, it's basically
straightforward, but we see, we

00:21:02.962,00:21:05.397
are able to connect our sensor
but we are not able to send

00:21:05.397,00:21:10.703
frame because we can not encrypt
frame. We, we do not know the

00:21:10.703,00:21:16.642
gate. [pause] So, uh, as we see
previously our, our main goal is

00:21:16.642,00:21:21.180
to, uhm, to manage this frame
counter, so, to predict its

00:21:21.180,00:21:25.317
value. So, the simplest way is
to reset it so we know it's

00:21:25.317,00:21:30.823
zero. So we have some thinking
about that, how can we reset it?

00:21:30.823,00:21:33.792
How can we reset this frame
counter? With how? Maybe, maybe

00:21:33.792,00:21:38.330
it's value is never stored in
the non-volatile memory. So, if

00:21:38.330,00:21:43.602
we reboot the sensor it reset to
zero. So, we want to reboot the

00:21:43.602,00:21:47.206
sensor, remotely obviously - we
don't want to go and, uh, we

00:21:47.206,00:21:51.110
want to reboot remotely. So what
we did is we flood the PAN on

00:21:51.110,00:21:54.747
the channel - so, again, we
broadcast a lot of frame. And,

00:21:54.747,00:21:58.350
the sensor restart, looking up
for a new PAN, a new coordinator

00:21:58.350,00:22:04.890
on every channel and if they do
not find any PAN after a time

00:22:04.890,00:22:09.361
they will reboot so we know how
to reboot the sensor. So, now,

00:22:09.361,00:22:13.999
we have to reboot the
coordinator. So, we'll use

00:22:13.999,00:22:17.837
something the same way - we
flood the PAN so the sensor

00:22:17.837,00:22:20.072
cannot connect to the PAN
because we are flooding the

00:22:20.072,00:22:21.740
channel only one channel and we
use a fake PAN so basically our

00:22:21.740,00:22:23.108
tools setup on a no search
channel. ANd we raid the sensor

00:22:23.108,00:22:28.113
to connect, so we are to spoof
the PAN address but we know it

00:22:32.484,00:22:37.223
so there is no challenge. ANd
when the PAN do not receive any

00:22:37.223,00:22:42.861
for the center it's a PAN
reboot. [pause] So now we know

00:22:42.861,00:22:45.030
how to reboot the PAN
coordinator, we know how to

00:22:45.030,00:22:48.334
reboot the sensor, we know that
when we say reboot the frame

00:22:48.334,00:22:53.839
counter is reset, so what we do
is. We can get encrypted packet

00:22:53.839,00:22:57.476
with the same node. We reboot
the sensor where we code frame

00:22:57.476,00:23:00.579
so we know that the frame
counter is starting to zero, we

00:23:00.579,00:23:05.284
do that again and again and we
will need a lot of data but it's

00:23:05.284,00:23:09.054
wireless so we have plenty of
time to recode, reset, recode

00:23:09.054,00:23:14.493
and do it after that we do some
crypto analysis and to get the

00:23:14.493,00:23:18.464
plain text. Able to see if you
have some inside of the plain

00:23:18.464,00:23:24.036
text is here so for example that
we are talking about sensor, uh,

00:23:24.036,00:23:27.873
water sensor. We can see that
the value will not change really

00:23:27.873,00:23:33.078
fast and it's the kinda thing
that cryptanalysis. So, we are

00:23:33.078,00:23:37.650
also able to do replay attacks
since we can manage the frame

00:23:37.650,00:23:41.387
counter we can replay a packet
with the same counter value. So,

00:23:41.387,00:23:44.823
we start looking at integrity
and it's quite interesting but

00:23:44.823,00:23:47.926
of course what we wanted
crafting and injecting our

00:23:47.926,00:23:52.731
frame. But, we have in fact
everything we need because the

00:23:52.731,00:23:56.068
same, from the same nonce attack
we know the plain text and if we

00:23:56.068,00:23:59.338
know the plaintext and the
ciphertext of course we can have

00:23:59.338,00:24:03.108
the case stream and with the
case stream and the value and

00:24:03.108,00:24:06.045
knowing the value of the counter
again we can reset it. We can

00:24:06.045,00:24:11.150
craft out packet, our encrypted
packet and send it with our fake

00:24:11.150,00:24:30.369
sensor. And so we can send any
value we want on the PAN and the

00:24:30.369,00:24:30.936
integrity is not, uh, anymore.
[coughing] [background noise] >>

00:24:30.936,00:24:35.040
So, uh, as Arnaud just showed
you, uh, we, we started from

00:24:35.040,00:24:38.711
scratch, we had no information
because like I said previously

00:24:38.711,00:24:42.414
the, the, uh, sensors were in
the pipe and, and, uh, to, we

00:24:42.414,00:24:47.386
could not have any information,
at least the way we worked. And

00:24:47.386,00:24:51.156
we ended up being able to craft
uh encrypted packet so that

00:24:51.156,00:24:55.227
means we had whole we need to,
to fill to our border router to

00:24:55.227,00:25:04.002
be able to, to, to root IPv6
frame from, uh, from 6LoWPAN

00:25:04.002,00:25:06.572
frames and thus we were at home
we could use any map, we could

00:25:06.572,00:25:09.842
use whatever we wanted. So,
we're not talking about the rest

00:25:09.842,00:25:14.813
because this is nothing new
actually - VN map and stuff. But

00:25:14.813,00:25:18.984
we really did hard part is to
get from "We know nothing about

00:25:18.984,00:25:25.391
the network" to "We are able to
craft, uh, IPv6 to, one IPv6

00:25:25.391,00:25:29.261
packet to the 6LoWPAN networks."
The reason we were able to do so

00:25:29.261,00:25:33.966
is because the, the supplier did
four big mistakes that we, that

00:25:33.966,00:25:39.038
are very common. Uhm, first,
uhm, let me say that the usual

00:25:39.038,00:25:45.978
way to work on that encryption
aspect is to do, to find the GTI

00:25:45.978,00:25:49.248
or VDM to extract the frameware
and from that framework the

00:25:49.248,00:25:52.484
extract the key. But since we
were not able to, to do, that we

00:25:52.484,00:25:56.021
had to work at the encryption
level. So the mistakes made by

00:25:56.021,00:25:59.992
the supplier was first to think
that encryption protects

00:25:59.992,00:26:02.694
integrity. Uh, if you don't have
the key you can not forge

00:26:02.694,00:26:08.367
packet, uh, that is not true,
uhm. Integrity code, meek or MAC

00:26:08.367,00:26:12.438
can, uh, are there to protect
integrity, encryption only

00:26:12.438,00:26:17.843
protect confidentiality. [pause]
Actually, confidentiality on a

00:26:17.843,00:26:20.546
social network is not that
important. Integrity and

00:26:20.546,00:26:24.216
availability are the one, the
two aspects that are very

00:26:24.216,00:26:32.124
important. One of the mistakes
was to, uhm, to, to, sorry...

00:26:32.124,00:26:38.897
[laughter] [pause] [background
noise] Okay, I'll be sure to ask

00:26:38.897,00:26:42.201
them in in the right order.
Okay, uh. Volatile, non-volatile

00:26:42.201,00:26:45.170
memory usually when you have
counters to prevent replay

00:26:45.170,00:26:49.341
attacks, uh, these counters are
only kept in memory and they are

00:26:49.341,00:26:53.212
never stored in non-volatile,
non-volatile memory. That means

00:26:53.212,00:26:57.816
that if you are able to reboot
the device you reset the

00:26:57.816,00:27:03.856
counters and you have replay
attacks. And if, if you have

00:27:03.856,00:27:07.826
cryptographic properly you have
both replay attacks and attack

00:27:07.826,00:27:10.662
and then you can have uhm,
manageability attack, I don't,

00:27:10.662,00:27:16.034
uh, that's forge encrypted frame
without having the key. Uh, and

00:27:16.034,00:27:20.439
rebooting devices actually
because we've set certain

00:27:20.439,00:27:24.142
network the main consideration
is always availability and

00:27:24.142,00:27:27.446
rebooting is always the last
resort when they don't

00:27:27.446,00:27:30.148
understand why the coordinator
does not receive any

00:27:30.148,00:27:34.486
information, why does the sensor
are not able to code to

00:27:34.486,00:27:38.790
synchronize with the, the
coordinator. Whenever something

00:27:38.790,00:27:42.427
happen they try many things but
at some point the last resort is

00:27:42.427,00:27:46.665
always to reboot. So, if you
play with the network at some

00:27:46.665,00:27:50.536
point and you force a reboot and
you will force a lot of things

00:27:50.536,00:27:53.839
like the dissociation procedure
like resetting of the counters

00:27:53.839,00:28:00.979
and so on. So, uh, obviously we
didn't break the water pipes

00:28:00.979,00:28:05.517
[chuckle] but we have a little
demonstration here. So, uh....

00:28:05.517,00:28:23.468
sorry, what? [pause] [background
noise] [chatter] So, uh,

00:28:23.468,00:28:26.405
remember I said that, uh,
deviation are possible [pause]

00:28:26.405,00:28:30.509
so we set up out Windows, simple
out Windows with XB [indistinct]

00:28:30.509,00:28:35.447
that is not [coughing], uhm,
that is not, that has not, that

00:28:35.447,00:28:39.318
is not compliant with the
standard. And we set up the

00:28:39.318,00:28:44.590
ASPER tool with and we've set up
with a US IP to do the SDR part.

00:28:44.590,00:28:50.629
And if you switch the next slide
you can see that, you can

00:28:50.629,00:28:52.631
actually do this with my
computer right now, I dunno if I

00:28:52.631,00:28:58.904
can... plug the VGA cable. Okay,
yea... [laughter] I have to

00:28:58.904,00:29:03.675
[indistinct]. Let's say if you
want to, if you have question

00:29:03.675,00:29:07.245
notice to come here and we will
show you the demonstration.

00:29:07.245,00:29:12.217
Basically if you can see I do
Ping, I do MMap, I do TelNet and

00:29:12.217,00:29:15.988
I do all this for my computer,
ie. the computer has no idea

00:29:15.988,00:29:20.659
he's talking to, uh, 6LoWPAN
networks, uh, border router

00:29:20.659,00:29:24.763
we've all the information
provided by the scanner is doing

00:29:24.763,00:29:31.370
a good job so, I can pretty much
do, uh, standard presentation

00:29:31.370,00:29:33.672
test sorry, penetration testing
on this component, uh, without

00:29:33.672,00:29:37.843
having to, uh, to take care of
the 6LoWPAN and the 15 dot 4

00:29:37.843,00:29:42.514
parts of the network. And that's
it for the presentation. I thank

00:29:42.514,00:29:44.516
you... [chuckle] [applause] If
you have any question...

00:29:44.516,00:29:52.624
[applause] [background] >> And
if you want to see the demo

00:29:52.624,00:00:00.000
close up - please come. We have
some time so you can see it.