What Security Do You Need From Low-Power Wide-Area Networks?
15
Franklin Heath Ltd What Security Do You Need From Low-Power Wide-Area Networks? Craig Heath @heathcr Mobile360 – Privacy & Security 24 May 2017
-
Upload
craig-heath -
Category
Mobile
-
view
55 -
download
4
Transcript of What Security Do You Need From Low-Power Wide-Area Networks?
Franklin Heath Ltd
What Security Do You Need From Low-Power Wide-Area Networks?
Craig Heath @heathcr
Mobile360 – Privacy & Security 24 May 2017
Presenter
Presentation Notes
Note changed title: important thing is not how secure they are, it’s how secure you need them to be for your use case.
© Franklin Heath Ltd c b CC BY 4.0
What Security Do You Need From Low-Power Wide-Area Networks?
24 May 2017 2
Why do You Need to Know?
How do You Work it Out?
What Features do You Need?
Which LPWANs Suit You?
White Paper: LPWA Technology Security Comparison
franklinheath.co.uk/blog/
Presenter
Presentation Notes
Thanks to GSMA for the funding that enabled this study.
© Franklin Heath Ltd c b CC BY 4.0
Why do You Need to Know?
24 May 2017 3
Low-Power WANs provide benefits for the Internet of Things: low BoM cost (← lower device complexity ?) extended coverage (← lower data rates ?) long battery life (← lower data throughput ?)
Security features usually have costs, such as: more device complexity (→ higher BoM cost ?) higher data rates (→ reduced coverage ?) higher data throughput (→ reduced battery life ?)
Trade-offs have to be managed
Presenter
Presentation Notes
Security features may be omitted, or optional to network service provider, for different LPWAN technologies. Not simply a case of using the one with the best security – there isn’t a overall “best”.
© Franklin Heath Ltd c b CC BY 4.0
How do You Work it Out?
24 May 2017 4
You know your use case Who / what are the threats? Why?
Consider the relevant risks: S poofing T ampering R epudiation I nformation Disclosure D enial of Service E levation of Privilege
Presenter
Presentation Notes
threats = “actors”; risks are how they might try to abuse your system design. Also need to consider how resilient the system needs to be.
© Franklin Heath Ltd c b CC BY 4.0
Example Use Case: Utility Metering
24 May 2017 5
Example threats: Utility customer: wants to cheat to reduce their bills? Burglar: wants to know when the property is unoccupied?
STRIDE (and resilience) risks: Spoofing (e.g. customer replaces device) Tampering (e.g. customer changes the readings sent) Information Disclosure (e.g. burglar sees when readings are low) Resilience (e.g. blackmail threat of disabling many meters)
(e.g. OTA update required for inaccessible meters)
Presenter
Presentation Notes
There are judgement calls involved here as to whether specific risks are sufficiently relevant and, in turn, how much resilience is required. This is why this part needs to be a business decision.
© Franklin Heath Ltd c b CC BY 4.0
What Features do You Need?
24 May 2017 6
Spoofing Tampering Repudiation Information Disclosure
Denial of Service
Elevation of Privilege
Resilience
Confidentiality 4 / 4
Integrity 1 / 3 2 / 3 1 / 3
Availability 1 / 1 1 / 1 1 / 1
Authentication 3 / 3 1 / 3
Authorization 1 / 1
Assurance 2 / 6 1 / 6 6 / 6
Renewability 2 / 2
Presenter
Presentation Notes
This is the first point at which it’s appropriate to hand the responsibility over to a “security guy”. We looked at 20 individual features within these categories.
© Franklin Heath Ltd c b CC BY 4.0
Utility Metering Example: 6 of 20 Features
24 May 2017 7
LTE-M NB-IoT EC-GSM-IoT LoRaWAN Sigfox
Identity Protection Yes Yes Yes Partial No
Device/Subscriber Authentication
Subscriber (opt. Device)
Subscriber (opt. Device)
Subscriber (opt. Device) Either Device
Data Integrity Limited Optional Limited Limited Variable
Updatability (Device) Possible Possible Possible Limited No
Updatability (Keys/Algorithms) Optional Optional Optional Limited No
Class Break Resistance Yes Yes Yes Optional Yes
I S T
Presenter
Presentation Notes
We are only considering the features that a relevant for this particular use case (I, S, T from STRIDE, others for resilience) For this use case only Sigfox is being ruled out, the others depend on options.
© Franklin Heath Ltd c b CC BY 4.0
Other Example Use Cases in our Report
24 May 2017 8
LTE-M NB-IoT EC-GSM-IoT LoRaWAN Sigfox
Smart Pallet Good Good * Adequate Good Poor
Smart Agriculture Good Good Good Adequate Adequate
Smart Street Lighting Adequate Good * Adequate Adequate * Adequate
Utility Metering Adequate * Good * Adequate * Adequate Poor
Domestic Smoke Detectors Good Good Good Adequate Adequate
Assessments marked * include some features which are optional to the service provider
Presenter
Presentation Notes
All are good for something, none are always good for everything (even NB-IoT depends on MNO options).
© Franklin Heath Ltd c b CC BY 4.0
Thank You!
24 May 2017
@heathcr @franklinheath
9
© Franklin Heath Ltd c b CC BY 3.0 24 May 2017 10
Backup Slides
© Franklin Heath Ltd c b CC BY 4.0
LPWAN Security Features (1/5)
24 May 2017 11
Confidentiality LTE-M NB-IoT EC-GSM-IoT LoRaWAN Sigfox
Identity Protection Yes Yes Yes Partial No
Data Confidentiality Yes Yes Optional Yes No
End-to-Middle Security No No Partial Yes No
Forward Secrecy No No No No No
I I I I
Presenter
Presentation Notes
Note that none implement forward secrecy, would have to be implemented at application layer.
© Franklin Heath Ltd c b CC BY 4.0
LPWAN Security Features (2/5)
24 May 2017 12
Integrity LTE-M NB-IoT EC-GSM-IoT LoRaWAN Sigfox
Data Integrity Limited Optional Limited Limited Variable
Control Integrity Yes Yes Optional Yes Unknown
Replay Protection Yes Optional Limited Yes Yes
T S T R
T R D Availability LTE-M NB-IoT EC-GSM-IoT LoRaWAN Sigfox
Reliable Delivery Yes Yes Yes No No
Presenter
Presentation Notes
Note that Sigfox control integrity details have not been published.
© Franklin Heath Ltd c b CC BY 4.0
LPWAN Security Features (3/5)
24 May 2017 13
Authentication LTE-M NB-IoT EC-GSM-IoT LoRaWAN Sigfox Globally Unique Identifiers Yes Yes Yes Optional Yes
Device/Subscriber Authentication
Subscriber (opt. Device)
Subscriber (opt. Device)
Subscriber (opt. Device) Either Device
Network Authentication Yes Yes Yes Optional No
Authorisation LTE-M NB-IoT EC-GSM-IoT LoRaWAN Sigfox Critical Infrastructure Class Yes Yes Yes No No
S S S
E
R
© Franklin Heath Ltd c b CC BY 4.0
LPWAN Security Features (4/5)
24 May 2017 14
Assurance LTE-M NB-IoT EC-GSM-IoT LoRaWAN Sigfox Network Monitoring and Filtering Yes Yes Yes Limited Monitoring
only
Key Provisioning OTA possible
OTA possible
OTA possible
OTA possible Not OTA
Algorithm Negotiation Yes Yes Yes No No
Class Break Resistance Yes Yes Yes Optional Yes
Certified Equipment Required Required Required Optional Required
IP Network Optional Optional Yes No No
D E
D
Presenter
Presentation Notes
All these features are likely to affect resilience.
© Franklin Heath Ltd c b CC BY 4.0
LPWAN Security Features (5/5)
24 May 2017 15
Renewability LTE-M NB-IoT EC-GSM-IoT LoRaWAN Sigfox Updatability (Device) Possible Possible Possible Limited No
Updatability (Keys/Algorithms) Optional Optional Optional Limited No
Presenter
Presentation Notes
All these features are likely to affect resilience.
