Specification, Verification, Test Theory
Information Security of Embedded Systems
27.1.2010: remote access, wireless networks
Prof. Dr. Holger Schlingloff
Institut für Informatik and Fraunhofer FIRST
Structure
1. Introductory example
2. Embedded systems engineering
   1. definitions and terms
   2. design principles
3. Foundations of security
   1. threats, attacks, measures
   2. construction of safe systems
4. Design of secure systems
   1. design challenges
   2. safety modelling and assessment
   3. cryptographic algorithms
5. Communication of embedded systems
   1. remote access
   2. sensor networks
6. Algorithms and measures
   1. digital signatures
   2. key management
   3. authentication
   4. authorization
7. Formal methods for security
   1. protocol verification
   2. logics and proof methods
Embedded Security © Prof. Dr. H. Schlingloff 2010
Communication of Embedded Systems
• Various wired and wireless bus systems are being used
  CAN, LIN, MOST, I2C, …
  GSM, UMTS, …
  WiFi, Bluetooth, …
• Security considerations
  general rule: newer standards are more secure
  known problems with nearly all standards
Wireless Data Communication
• History: replacement of cables
  First: “make it work”
  Then: specialization (application-specific)
  Now: security vs. resource limitations
• Trend: All IP
  coalescence of telephone and data communication (“B3G”, “NGN”, “4G”)
  data- vs. knowledge-communication, semantic net
WLAN (802.11x)
• 802.11 a,b (1999); 802.11 g,h (2003)
• Widely used (2003 Intel Centrino)
• Point-to-point and Access-point networking
• Local data transfer, internet-connectivity, integration in company or private networks
• Air frequencies openly accessible (cf. mobile phones)
• Threats: illegitimate foreign hard disk access, unauthorized use of connectivity, unauthorized data access, masking and fake identities
WLAN Security Measures
• Frequency hopping (→ pseudo-random)
• SSID cloaked mode (→ eavesdropping)
• MAC address control (→ spoofing)
• VPN and CHAP (Server must know user passwords, Client calculates hash key → possible attacks)
• WEP (→ next slide)
• WPA with EAP and TKIP
WEP
• “Wired Equivalent Privacy”, authentication & secured communication via symmetric encryption and checksums
• Authentication by challenge-response; client proves knowledge of the common key
  up to 4 keys are possible; choice by client; 40 bit weak
  all users (and all access points) need to know the key(s); key exchange difficult
  access point does not authenticate itself to the client!
  - sending of challenges, analysing responses
  - denial-of-service, logoff of clients
• Checksums (CRC) instead of secure hashing
  modification and generation of messages even without key!
  redirection of communication (IP-address-faking)
WEP-Attack 1
• CRC-property: CRC(M ⊕ M’) = CRC(M) ⊕ CRC(M’)
• RC-4-property: M ⊕ Key ⊕ Key = M
(M|CRC(M)) ⊕ Key
(M|CRC(M)) ⊕ Key ⊕ (D|CRC(D))
(M|CRC(M)) ⊕ Key ⊕ (D|CRC(D)) ⊕ Key = (M⊕D)|CRC(M⊕D)
WEP-Attack 2
M’|CRC(M’)
1. M
2. (M|CRC(M)) ⊕ Key
3. (M|CRC(M)) ⊕ Key ⊕ (M|CRC(M)) ⊕ (M’|CRC(M’))
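The two WEP attack slides above, carried through in Python as an added example (not part of the original slides): a frame sealed as (M|CRC(M)) ⊕ Key still passes the receiver's check after a keyless change to (M⊕D) or a known-plaintext replacement by M’, while the same changes are rejected once the checksum is a keyed integrity code of the kind WPA introduces. Assumptions: the per-frame IV is omitted, keys and messages are constructed, all function names are illustrative, and HMAC-SHA-256 stands in for a keyed integrity code (it is not TKIP's MIC algorithm).

```python
import hashlib, hmac, zlib

def rc4(key: bytes, n: int) -> bytes:  # first n keystream bytes (KSA, PRGA)
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def crc(m: bytes) -> bytes:
    return zlib.crc32(m).to_bytes(4, "little")

def seal(key: bytes, m: bytes, tag=crc) -> bytes:
    """(M | tag(M)) xor Key. Simplified: no per-frame IV."""
    body = m + tag(m)
    return xor(body, rc4(key, len(body)))

def unseal(key: bytes, c: bytes, tag=crc, taglen=4):
    """Decrypt and verify; returns M, or None when the check fails."""
    body = xor(c, rc4(key, len(c)))
    m, t = body[:-taglen], body[-taglen:]
    return m if hmac.compare_digest(t, tag(m)) else None

def modify_without_key(c: bytes, d: bytes, taglen=4) -> bytes:
    """Attack 1: M -> M xor D. zlib's CRC-32 is affine, not strictly
    linear, so the checksum delta is CRC(D) xor CRC(0...0)."""
    delta = xor(crc(d), crc(bytes(len(d)))).ljust(taglen, b"\0")
    return xor(c, d + delta)
def replace_known(c: bytes, m: bytes, m2: bytes) -> bytes:
    """Attack 2, step 3: known M swapped for a same-length M'."""
    return xor(c, xor(m + crc(m), m2 + crc(m2)))

def demo():
    key, mkey = b"constructed-rc4-key", b"constructed-mic-key"
    m, m2 = b"valve=closed", b"valve=opened"  # constructed messages
    mic = lambda x: hmac.new(mkey, x, hashlib.sha256).digest()
    c, c_mic = seal(key, m), seal(key, m, mic)
    return (unseal(key, modify_without_key(c, xor(m, m2))),
            unseal(key, replace_known(c, m, m2)),
            unseal(key, modify_without_key(c_mic, xor(m, m2), 32), mic, 32))

if __name__ == "__main__":
    print(demo())
```

The first two results are the altered message accepted by the CRC check; the third is None because the keyed code cannot be recomputed without its key.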
WPA
• WiFi Protected Access
• 128 bit, AES/TKIP (temporal key integrity protocol)
  message integrity code (MIC)
  sequence numbering against replay-attacks
  key management, key mixing, quasi asymmetric encryption
  master key, session keys, key renewal
• EAP (extensible authentication protocol)
  password-based, certificate-based, SIM-based
  forwarding of requests to a designated server
  still no authentication of server! (→ PEAP)
Sensor Networks
• Network of small, cheap, low-power nodes
  e.g. earthquake early warning system
  e.g. ambient assisted living
  e.g. wireless controller network
  e.g. logistics routing
  Construction of threat scenarios?
• Self-organization
  new nodes must integrate into the network
  the network must be able to build “trust”
• Several emerging radio technologies
Bluetooth Security
• Replacement of IrDA
• Bluetooth profiles (> 30)
  headset, AV remote control, telephony, object exchange, ftp, serial, lan, pan, health devices…
• Security mechanisms
  visibility restrictions (“non-discoverable”)
  pairing via passkey or PIN
  unit keys
  encrypted communication
  frequency hopping
Bluetooth Security
http://grouper.ieee.org/groups/1451/5/Comparison%20of%20PHY/Bluetooth_24Security_Paper.pdf
Vulnerabilities and Attacks
• Passkey for headsets: 1234 or 0000
• Default discoverability
• Pairing in public areas
  mobile phone always accepts a basic L2CAP connection request without acceptance of the user
• Scanning for Bluetooth addresses
  MAC address ranges of devices are known
• Eavesdropping air frequencies
  Pseudo-random frequency hopping scheme
• Reading passkeys from compromised devices
• Unauthorized access to information on devices
http://www.securityfocus.com/infocus/1830
• Public “Blue Kiosk”
  vulnerability: display of device by name only
• Stack overflow attacks
  vCard
  file names in File Transfer or Object Push
• Activating the microphone
• Tracking and positioning attacks
  triangulation
  antenna extensions
ZigBee
http://www.zigbee.org/imwp/idms/popups/pop_download.asp?contentID=9436
• Infrastructure security
  network access; keys installed in a trusted environment
  integrity of packet routing
• Application data security
  message integrity
  authentication
  data encryption
• Configurability of security
  memory and computational constraints