io iot goes nuclear
play

Io IoT Goes Nuclear: Creatin ing a Zig igBee Chain in Reactio - PowerPoint PPT Presentation

Dec 04, 2023 •178 likes •1.11k views

Io IoT Goes Nuclear: Creatin ing a Zig igBee Chain in Reactio ion Eyal Ronen , Colin O Flynn, Adi Shamir, Achi-Or Weingarten Typical IoT devices: Philips Hue Smart Lights Typical IoT devices: Philips Hue Smart Lights Mature

  1. Io IoT Goes Nuclear: Creatin ing a Zig igBee Chain in Reactio ion Eyal Ronen , Colin O ’ Flynn, Adi Shamir, Achi-Or Weingarten

  3. Typical IoT devices: Philips Hue Smart Lights

  4. Typical IoT devices: Philips Hue Smart Lights • Mature technology and standards, a relatively simple system

  5. Typical IoT devices: Philips Hue Smart Lights • Mature technology and standards, a relatively simple system • A high end product with high end security, but …

  6. Creating a lightbulb worm • We have proven the possibility of creating a worm which spreads using only the standard ZigBee wireless interface

  7. Creating a lightbulb worm • We have proven the possibility of creating a worm which spreads using only the standard ZigBee wireless interface • Taking over a preinstalled smart light

  8. Creating a lightbulb worm • We have proven the possibility of creating a worm which spreads using only the standard ZigBee wireless interface • Taking over a preinstalled smart light • Spreading everywhere

  9. The underlying ZLL protocol

  10. The underlying ZLL protocol Zigbee Personal Area Network • Each installed light is connected to a central controller using the ZigBee Light Link (ZLL) wireless protocol in a Personal Area Network (PAN)

  11. The underlying ZLL protocol IP • Each installed light is connected to a central controller using the ZigBee Light Link (ZLL) wireless protocol in a Personal Area Network (PAN) • The bridge is connected to a secure home/ office network, and is controlled by a smartphone app via IP

  12. The underlying ZLL protocol • Each installed light is connected to a central controller using the ZigBee Light Link (ZLL) wireless protocol in a Personal Area Network (PAN) • The bridge is connected to a secure home/ office network, and is controlled by a smartphone app via IP • It enables each authorized user to turn each light on or off, to change the light intensity, and to set its color

  13. Starting the attack

  14. Starting the attack • Write a full python based ZLL stack, using Eval Board as RF transmitter

  15. Starting the attack • Write a full python based ZLL stack, using Eval Board as RF transmitter • Buy many lamps, sniff traffic, and break (physically) some lamps

  16. Starting the attack • Write a full python based ZLL stack, using Eval Board as RF transmitter • Buy many lamps, sniff traffic, and break (physically) some lamps • Start connecting wires

  17. Philps Hue Lamp Teardown

  19. Boot sequence debug printout

  20. Challenges in taking over a preinstalled smart light

  21. Challenges in taking over a preinstalled smart light • ZigBee Light Link standard uses multiple cryptographic and security protocols to prevent misuse

  22. Challenges in taking over a preinstalled smart light • ZigBee Light Link standard uses multiple cryptographic and security protocols to prevent misuse • In particular, uses a proximity test to make sure that the only way to take control of an already installed Hue lamp is by operating it within 10-20 cm from its new controller

  23. Protocol Session Outline Scan Request(Transaction ID) Proximity Test Scan Response Controller Lamp Network Start (Transaction ID) Reset to Factory New (Transaction ID)

  24. Protocol Session Outline Scan Request(Transaction ID) Proximity Test Scan Response Controller Lamp Network Start (Transaction ID) Reset to Factory New (Transaction ID)

  25. Protocol Session Outline Scan Request(Transaction ID) Proximity Test Scan Response Controller Lamp Network Start (Transaction ID) Reset to Factory New (Transaction ID)

  26. Protocol Implementation Bug

  27. Protocol Implementation Bug • We want to cause the light to Reset to Factory New

  28. Protocol Implementation Bug • We want to cause the light to Reset to Factory New

  29. Protocol Implementation Bug • We want to cause the light to Reset to Factory New • Can ’ t set a valid Transaction ID due to proximity test

  30. Protocol Implementation Bug • We want to cause the light to Reset to Factory New Non-Zero • Can ’ t set a valid Transaction ID due to proximity test

  31. The case of ZERO (day)

  32. The case of ZERO (day) • How is the Session data is saved in memory?

  33. The case of ZERO (day) • How is the Session data is saved in memory?

  34. The case of ZERO (day) • How is the Session data is saved in memory? • What is default values in the struct?

  35. The case of ZERO (day) • How is the Session data is saved in memory? • What is default values in the struct? • Well surely it is checked on access …

  36. The case of ZERO (day) • How is the Session data is saved in memory? • What is default values in the struct? • Well surely it is checked on access …

  37. The case of ZERO (day) • How is the Session data is saved in memory? • What is default values in the struct? • Well surely it is checked on access … • Just on Scan Request message

  38. Protocol Attack Outline Controller Lamp Factory Reset (Transaction ID=0)

  39. We bought a cheap and lightweight commercial Zigbee evaluation kit:

  40. ZigBee WarFlying - Taking over a building ’ s lights By launching a drone carrying a fully automated attack equipment 400 meters away

  41. second warflying video here

  42. Spreading everywhere

  43. Getting software updates • No software update for Atmel based lamps

  44. Getting software updates • No software update for Atmel based lamps • So lets impersonate to an older model and version

  45. Getting software updates • No software update for Atmel based lamps • So lets impersonate to an older model and version • Looked for posting on upgrades on the Internet (mainly Reddit)

  46. Getting software updates • No software update for Atmel based lamps • So lets impersonate to an older model and version • Looked for posting on upgrades on the Internet (mainly Reddit) Known upgrades (From Internet Posts) 66009663 -> 66013452 65003148 -> 66013452 (recorded with type 100) 66010820 -> 66012457 (recorded with type 104) (GU10) 65003148 -> 66012457 (recorded with type 104) (GU10) 65003148 -> 66013452 (recorded with type 103)

  47. Light impersonating • Write impersonating code, to identify as old models

  48. Light impersonating • Write impersonating code, to identify as old models • Sniff OTA updates on Zigbee and on bridge

  49. Light impersonating • Write impersonating code, to identify as old models • Sniff OTA updates on Zigbee and on bridge

  50. Light impersonating • Write impersonating code, to identify as old models • Sniff OTA updates on Zigbee and on bridge • They are encrypted

  54. Correlation power analysis

  55. Power Analysis Example Setup

  56. CPA for RE

  57. CCM

  58. New CPA attack on CCM Nonce (unknown) Counter (m) Nonce (unknown) Counter (m+1) Block Cipher Encryption Block Cipher Encryption Ciphertext (CT M ) Ciphertext (CT M+1 ) Plaintext (PT M ) Plaintext (PT M+1 ) CBC State m -1 (CBC M-1 ) Block Cipher Encryption Block Cipher Encryption CBC State m (CBC M ) CBC State m (CBC M+1 )

  59. New CPA attack on CCM Nonce (unknown) Counter (m) Nonce (unknown) Counter (m+1) Jaffe 07 Requires 2^16 blocks Block Cipher Encryption Block Cipher Encryption Ciphertext (CT M ) Ciphertext (CT M+1 ) Plaintext (PT M ) Plaintext (PT M+1 ) CBC State m -1 (CBC M-1 ) Block Cipher Encryption Block Cipher Encryption CBC State m (CBC M ) CBC State m (CBC M+1 )

  60. New CPA attack on CCM Nonce (unknown) Counter (m) Nonce (unknown) Counter (m+1) O ’ Flynn & Chen Chosen Nonce Block Cipher Encryption Block Cipher Encryption Ciphertext (CT M ) Ciphertext (CT M+1 ) Plaintext (PT M ) Plaintext (PT M+1 ) CBC State m -1 (CBC M-1 ) Block Cipher Encryption Block Cipher Encryption CBC State m (CBC M ) CBC State m (CBC M+1 )

  61. New CPA attack on CCM Nonce (unknown) Counter (m) Nonce (unknown) Counter (m+1) Block Cipher Encryption Block Cipher Encryption Ciphertext (CT M ) Ciphertext (CT M+1 ) Plaintext (PT M ) Plaintext (PT M+1 ) CBC State m -1 (CBC M-1 ) ECB - modified key Block Cipher Encryption Block Cipher Encryption CBC State m (CBC M ) CBC State m (CBC M+1 )

  62. New CPA attack on CCM Nonce (unknown) Counter (m) Block Cipher Encryption Ciphertext (CT M ) CBC State m -1 (CBC M-1 ) Block Cipher Encryption CBC State m (CBC M )

  63. New CPA attack on CCM Ciphertext (CT M ) Block m Const Block Cipher Encryption CBC State m (CBC M )

  64. New CPA attack on CCM Ciphertext (CT M ) Modified Key Block Cipher Encryption CBC State m (CBC M )

  68. https://www.youtube.com/watch?v=hi2D2MnwiGM Or: http://www.oflynn.com

  70. Creating An Explosive Infection:

  71. A New Type of Attack:

  72. A New Type of Attack: • A hacker can infect all the smart lights in the whole city, provided that the density of smart lights is above a certain critical mass, which can be calculated with percolation theory techniques

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Nuclear Leadership World Nuclear University Summer Radiation Short Course Nuclear Nuclear

Nuclear Leadership World Nuclear University Summer Radiation Short Course Nuclear Nuclear

Global Networking for Nuclear Leadership World Nuclear University Summer Radiation Short Course Nuclear Nuclear Institute Technologies English Course Olympiad School 2016: Canada Student 2017: Sweden challenge NESTET Conference 2016

236 views • 22 slides
Chapter 17 Chapter 17 Nuclear Chemistry uclear Chemistry Nuclear Decay Nuclear

Chapter 17 Chapter 17 Nuclear Chemistry uclear Chemistry Nuclear Decay Nuclear

Chapter 17 Chapter 17 Nuclear Chemistry uclear Chemistry Nuclear Decay Nuclear Radiation Nuclear Energy 1 Nuclear Decay Nuclear Decay History History Henri Becquerel stored uranium oxide in a drawer with photographic

150 views • 12 slides
Pakistan Nuclear Regulatory Authority 1 Contents Nuclear Regulatory Framework Nuclear

Pakistan Nuclear Regulatory Authority 1 Contents Nuclear Regulatory Framework Nuclear

Nuclear Industry Congress 2013 Istanbul, Turkey, 18-19 June 2013 Nuclear Safety and Security Culture in Pakistan and Nuclear Regulatory Framework in Pakistan Mohammad Anwar Habib Pakistan Nuclear Regulatory Authority 1 Contents Nuclear

577 views • 30 slides
Republic of Azerbaijan Ramin Pashayev The State Agency on Nuclear and Radiological Activity

Republic of Azerbaijan Ramin Pashayev The State Agency on Nuclear and Radiological Activity

International Conference on Physical Protection of Nuclear Material and Nuclear Facilities Vienna, Austria | 13 17 November 2017 Regulatory oversight and control of the physical protection of nuclear materials and nuclear facilities and

416 views • 28 slides
1 Why Peninsular Malaysia Needs Nuclear Generation 2 Nuclear Power Preparation and Steps Taken

1 Why Peninsular Malaysia Needs Nuclear Generation 2 Nuclear Power Preparation and Steps Taken

1 Why Peninsular Malaysia Needs Nuclear Generation 2 Nuclear Power Preparation and Steps Taken 3 Garnering Public Acceptance 4 Nuclear Power Development Timelines 5 The Prayer 2 3 Nuclear Renaissance World Challenges, Nuclear

1.33k views • 75 slides
NUCLEAR WASTE IN FRANCE Nuclear Waste Disposal Storage of nuclear waste in France Two

NUCLEAR WASTE IN FRANCE Nuclear Waste Disposal Storage of nuclear waste in France Two

NUCLEAR WASTE IN FRANCE Nuclear Waste Disposal Storage of nuclear waste in France Two problems : 1200 tons of nuclear - Traitement the used nuclear fuel waste produced each year in France - Storing the waste which cant be reused

196 views • 15 slides
Future of Nuclear Power in the United States Everett Redmond II, Ph.D. Nuclear Energy Institute

Future of Nuclear Power in the United States Everett Redmond II, Ph.D. Nuclear Energy Institute

Future of Nuclear Power in the United States Everett Redmond II, Ph.D. Nuclear Energy Institute October 15, 2015 If All U.S. Reactors Retire After 60 Years of Operation Year Total U.S. Nuclear Nuclear Nuclear Fuel New Generation

243 views • 13 slides
Nuclear Safety Update on Fukushima Dai-ichi Nuclear Accident and IAEA response Nuclear

Nuclear Safety Update on Fukushima Dai-ichi Nuclear Accident and IAEA response Nuclear

Nuclear Safety Update on Fukushima Dai-ichi Nuclear Accident and IAEA response Nuclear Installation Safety Department of Nuclear Safety & Security Presented by Maria J.. Moracho Ramirez Key Plant Systems (Mark-I) Safety Function Design

343 views • 19 slides
MPI fr Physik, Mnchen 2015 Nuclear Ground State Properties and their Importance for Nuclear

MPI fr Physik, Mnchen 2015 Nuclear Ground State Properties and their Importance for Nuclear

MPI fr Physik, Mnchen 2015 Nuclear Ground State Properties and their Importance for Nuclear Structure, Nuclear Astrophysics and Fundamental Studies. Motivation for precision nuclear data Atomic physics techniques in nuclear physics

426 views • 25 slides
Nuclear data required for measurements of reactivity and nuclear material composition Nuclear

Nuclear data required for measurements of reactivity and nuclear material composition Nuclear

Nuclear data required for measurements of reactivity and nuclear material composition Nuclear Technology Research Laboratory Central Research Institute of Electric Power Industry Yasushi NAUCHI 2018 Symposium on Nuclear Data Nov. 30, 2018 at

394 views • 25 slides
NUCLEAR ISSUES CURRENT NUCLEAR STATUS Hiatus in development in U.S. and W. Europe Opportunity

NUCLEAR ISSUES CURRENT NUCLEAR STATUS Hiatus in development in U.S. and W. Europe Opportunity

TR 9903--01 ~ NUCLEAR ISSUES CURRENT NUCLEAR STATUS Hiatus in development in U.S. and W. Europe Opportunity for review of past and future BASES FOR OBJECTIONS TO NUCLEAR POWER Concerns about radiation exposures. reactor accidents, nuclear

357 views • 21 slides
Nuclear Magnetic Nuclear Magnetic Nuclear Magnetic Nuclear Magnetic Resonance of Proteins

Nuclear Magnetic Nuclear Magnetic Nuclear Magnetic Nuclear Magnetic Resonance of Proteins

Nuclear Magnetic Nuclear Magnetic Nuclear Magnetic Nuclear Magnetic Resonance of Proteins Resonance of Proteins eso a ce o eso a ce o ote ote s s Christopher Pavlik Bioanalytical Chemistry March 2, 2011 Nuclear Magnetic Resonance

169 views • 15 slides
1. Shapes and Masses of Nuclei Or: Nuclear Phenomeology References: [PRSZR 5.4, 2.3, 3.1/3; HG

1. Shapes and Masses of Nuclei Or: Nuclear Phenomeology References: [PRSZR 5.4, 2.3, 3.1/3; HG

PHYS 6610: Graduate Nuclear and Particle Physics I H. W. Griehammer INS Institute for Nuclear Studies The George Washington University Institute for Nuclear Studies Spring 2018 II. Phenomena 1. Shapes and Masses of Nuclei Or: Nuclear

457 views • 27 slides
Nuclear Browns Ferry Nuclear Plant May 29, 2013 Preston Swafford, Chief Nuclear Officer

Nuclear Browns Ferry Nuclear Plant May 29, 2013 Preston Swafford, Chief Nuclear Officer

Nuclear Browns Ferry Nuclear Plant May 29, 2013 Preston Swafford, Chief Nuclear Officer Tennessee Valley Authority Discussion Points Nuclear Opening Remarks Preston Swafford Integrated Improvement Plan Keith Polson Results Achieved Keith

421 views • 16 slides
A Few Thoughts on Computational Nuclear Science and the New Nuclear Energy Era Dr Cassiano R E

A Few Thoughts on Computational Nuclear Science and the New Nuclear Energy Era Dr Cassiano R E

II SEN I ISNE Rio de Janeiro, August 13-17 2012 A Few Thoughts on Computational Nuclear Science and the New Nuclear Energy Era Dr Cassiano R E de Oliveira Department of Chemical and Nuclear Engineering The University of New Mexico

852 views • 59 slides
ALMOST NUCLEAR: INTRODUCING THE NUCLEAR LATENCY DATASET Matthew Fuhrmann and Benjamin Tkach

ALMOST NUCLEAR: INTRODUCING THE NUCLEAR LATENCY DATASET Matthew Fuhrmann and Benjamin Tkach

ALMOST NUCLEAR: INTRODUCING THE NUCLEAR LATENCY DATASET Matthew Fuhrmann and Benjamin Tkach Alyssa Martinec Nuclear Latency A country having the capacity to quickly produce nuclear weapons in the event of a crisis Limited scholarly

559 views • 30 slides
Arizona State University Spring 2020 Request for Proposals HUE Project Leads Charles Redman, HUE

Arizona State University Spring 2020 Request for Proposals HUE Project Leads Charles Redman, HUE

Healthy Urban Environments (HUE) Arizona State University Spring 2020 Request for Proposals HUE Project Leads Charles Redman, HUE Co-PI (charles.redman@asu.edu) Matthew Fraser, HUE Co-PI (matthew.fraser@asu.edu) Christopher Sanchez, HUE

374 views • 12 slides
Turn on living Share your thoughts: #meethue #philipshue #huego #philipslighting Here today.

Turn on living Share your thoughts: #meethue #philipshue #huego #philipslighting Here today.

Turn on living Share your thoughts: #meethue #philipshue #huego #philipslighting Here today. More tomorrow. Well never stop evolving and expanding on what Philips Hue can do. Super easy to expand Expand Philips Hue up to 50 lights Up

369 views • 18 slides
VHCB Funds Available for Projects, FY16 Governor's Recommend and a Reduction of $750,000

VHCB Funds Available for Projects, FY16 Governor's Recommend and a Reduction of $750,000

VHCB Funds Available for Projects, FY16 Governor's Recommend and a Reduction of $750,000 Governor''s Recommend FY2016 Governor's less $750,000 and switch of Recommend additional $2M to Bond Program Area Statutory Share of Prop. Transfer Tx

326 views • 16 slides
Will You Have a Role in Detroits Future? The Next 5 Years Mike Duggan Mayor, City of Detroit

Will You Have a Role in Detroits Future? The Next 5 Years Mike Duggan Mayor, City of Detroit

Will You Have a Role in Detroits Future? The Next 5 Years Mike Duggan Mayor, City of Detroit May 30, 2019 Detroit Population: 1900 to 2010 Population of Detroit 2,000 1,600 Thousands 1,200 800 400 0 1900 1910 1920 1930 1940

1.16k views • 115 slides
ChAT-Meeting, Nrnberg 30 September 2011 Hue San Do European Benchmarking Chinese Project

ChAT-Meeting, Nrnberg 30 September 2011 Hue San Do European Benchmarking Chinese Project

ChAT-Meeting, Nrnberg 30 September 2011 Hue San Do European Benchmarking Chinese Project (EBCL) Common European Framework of References for Languages: Learning, teaching assessment European Benchmarking Chinese Project Challenges and

154 views • 11 slides
THE FUTURE OF AT IS NOW! DR. RUCHI PALAN AND TIM KOMAROV GRID 3 BY A SAMPLE OF ACCESSIBLE APPS

THE FUTURE OF AT IS NOW! DR. RUCHI PALAN AND TIM KOMAROV GRID 3 BY A SAMPLE OF ACCESSIBLE APPS

THE FUTURE OF AT IS NOW! DR. RUCHI PALAN AND TIM KOMAROV GRID 3 BY A SAMPLE OF ACCESSIBLE APPS ON GRID 3 INTRODUCING THE ALEXA BY INTRODUCING GOOGLE HOME BY AMAZON ALEXA AND GOOGLE HOME ALLOWS YOU TO CONTROL DEVICES THROUGH VOICE

521 views • 25 slides
The Internet of Things is a recognized paradigm that already helps society in many

The Internet of Things is a recognized paradigm that already helps society in many

E ND -U SER D EVELOPMENT IN THE I NTERNET OF T HINGS A LBERTO M ONGE R OFFARELLO SUPER ERVISOR: F UL ULVIO C OR ORNO e-Lite https://elite.polito.it The Internet of Things is a recognized paradigm that already helps society in many

1.32k views • 113 slides
Building Immersive NVIDIA SHIELD Android TV Games GTC 2016 | Luc Beaulieu (CTO) & JP Doiron

Building Immersive NVIDIA SHIELD Android TV Games GTC 2016 | Luc Beaulieu (CTO) & JP Doiron

Building Immersive NVIDIA SHIELD Android TV Games GTC 2016 | Luc Beaulieu (CTO) & JP Doiron (Technology Director) Todays Menu Immersive experience What went right Challenges What's next Immersive experience

473 views • 33 slides

More recommend