 To be allowed to announce the following talk. Hunting the sick fox. You heard the talk, Hunting the Sick Fox, Wildest IoT Network Security from Florian in the German translation by Stefan and another Florian. On a popular German website called Furby from Hell. And somebody hacked Furby and there was also a video where you could see the debug output on the displays which are the eyes of the Furby. It was a really disturbing video. And the guy who did this is exactly Florian. Okay, yes. Florian hacked Furby and also made a video a while ago. Today he's going to talk about the sick fox. Today he's going to talk about the sick fox, but a network technology for IoT devices. Like it's always with the IoT world, we have security issues. And as always in the IoT world, there are a few security issues. And welcome him with a big round of applause. Yes, I'm glad to have this talk from Florian and welcome him with a round of applause. Thank you for the introduction. Thank you for the introduction. This talk is about a technical audience. But you don't have to be a high-frequency expert to understand the things. I'm going to load a few basic information about the sick fox technology and the sick fox analysis and then describe the analysis of the sick fox protocols and their security aspects. The important thing is first of all, I don't have any serious vulnerabilities, no serious uncertainties, but there are a few weak points. I want to introduce myself first. You don't have to know much. I'm showing you this picture of me because I think I look so fabulous, but because I think that's not because I look so great, but because I find this cow here in the background so great. That's not just any cow. That's Alice the cow. Alice has a great life. She lives somewhere in the mountains. There's just one problem with her. There's just one problem with her. She likes to run out of her throat. And then the farmer, the Bob, doesn't like that. But he heard something recently, the IoT, the Internet of Things, where he believes that all of his problems are solved. That's why he bought this neck band for Alice. This neck band makes a few things. First, it determines Alice's position based on her body temperature and transfers this data to Bob. That's just one problem. How do you get this data from Alice to Bob? Traditionally, in IoT there are two solutions. One is Wi-Fi, the other is mobile network. Wi-Fi won't work. You can't cover the whole thing with Wi-Fi. It's just not enough range. Mobile phone networks would function in principle, but they are relatively expensive and they need a lot of energy. So you have to change the battery often. Luckily, there's another approach, that's the LP-1. It's a wide area, a wide network with lower power. That's why all of these problems are solved. Now, why is that possible? Why didn't they make it earlier? Why wasn't it discovered earlier? What compromises were made about it? To understand these compromises, we have to look at the electromagnetic spectrum. This is the electromagnetic spectrum of a WLAN signal. WLAN is pretty wide, and you have these small dots on top. That's noise. And to find the power, you have to look at the curve and the area under the curve. The bandwidth of Wi-Fi is 20 MHz. And this red right angle is noise. We don't want that. We just want the signal. And the relative value of the noise is the signal performance, that's the noise signal performance, or SNR, or signal noise performance. And if you look here, the red signal is relatively big, compared to the signal. That means the signal noise is relatively bad. What you can do is to concentrate on the signal in a very small signal, in the signal frequency area. Then you only have a small noise square on the signal and the signal noise behavior is much better. This technology is called U-N-B, or ultrashmall band. You might wonder, why don't you use Wi-Fi as well? If the solution is so simple, why don't we do that with Wi-Fi? And the problem is, the answer is quite simple. The bandwidth is approximately proportional to the data rate. That means, for example, when I say, I have broadband internet, then you think, I'm, it's fast. You don't say that my internet uses a lot of frequencies. When I say, SIGFOX is an ultrashmall band technology, then you think, SIGFOX is slow. And when I say slow, it's not just a little slow, but very slow. So here is the comparison between SIGFOX and the standard configuration and a, yeah, traditional mode. In SIGFOX, you can only transfer about 140 wavelengths per day and a wavelength is about 12 bytes. So you can only transfer about four downlinks to the device per day, which you can get at 8 bytes. So what you're doing here, you can forget everything you know about internet protocol. There's no IP, no name, no HTTP. There's not even any signaling or connection establishment. There's no signalization or connection construction. So SIGFOX transfers it simply, it simply sleeps most of the time until a time has passed or a button is pressed and then SIGFOX base stations simply publish the data and take the signal and transfer it to the cloud or not. There's no great protocol about it. There's one device you may think. So how is this possible if you join Chef to have one device when there's more than one device? If there's not only one device, there's 10 or 1,000 devices. How can we make sure that all these transfers don't collide? Well, the answer is, they can just collide. The answer is again, we can look at the spectrum. The only thing is we have frequency multiplexing. SIGFOX ACP project happens at different frequencies at the same time. And whenever a device transfers something, check first the frequency if it's just colliding and only if they don't collide then it transfers. And all these peaks that you can see in these diagrams are not just cool cows but other SIGFOX devices for example smart home or smart meter smart streets in agriculture. We have the complete SIGFOX on buzzwords. Yes, over 250 million euros they could collect money. One thing that's cool about SIGFOX is that unlicensed spectrum is used. It's free to use. That means you can use it just the downside of SIGFOX is that SIGFOX is completely proprietary. SIGFOX is completely proprietary. The protocols are not open and that's exactly what's going on in my portfolio. SIGFOX is not the only thing that's available in this area. To be honest I'd say that these three here are really cool. That's the SIGFOX that's the base of our SIGFOX for SIGFOX and now there's a short introduction a short summary of the high-frequency technology that's playing here. To send something I have to create electromagnetic waves. That's how it looks. At the moment there's no information and the information transfer takes place and one of the types of modulation is phase modulation. And as you can see here when the phase changes in the signal I can transfer another bit for example. So you can see these knees in the sine wave. This is not the only modulation technique. There's also frequency modulation that you know from your autoradio for example where differences in frequency are used to transfer information. The autoradio of course uses the analog version to actually get started with the SIGFOX uplink. Let's link the SIGFOX uplink the send direction from an end device to the network. Paul Pinot has a series of reverse engineering information to find out how the protocol works. And I wanted to look at that as well and I got two devices for that. And the one is a PICOM the other is a developer kit by ST and I'm also using a software-defined radio basically a microphone not just for tones but for electromagnetic radiation and with that we can record possible signals and I'll show you how it sounds. And the whole thing is going against real-time but it's one piece of information. The interesting part is that although we only transfer one piece of information there are three different frequencies and I want to find out what's the relationship between what's the difference or what's the special on these different frequencies. I know that SIGFOX uses differential phase modulation and with this information I can write a program that decodes this signal in a binary representation of the data. So and I have the three different broadcasts in the three different colors so you can just distinguish them. All three have in common that there is this preamble and then there are bits that apparently don't correlate. And the reason I showed you is called convolutional coding. If you don't know what these words even mean then these terms don't tell you what the code is. The trick is that the data is pushed together with a X-offer and then the data is transferred. And if you use the correct decoding function then you can see that all three broadcasts contain the same information. And the technical name here is the coding gain in the sense of error correction where additional and then used to transfer the data safely to estimate decoding errors. I have a few of these transfers recorded always with the same data stream so that the analyzer gets simpler. And here is an example for a very long time. And the trick is that you look at these Hexdams of the data until you start to see the pattern. And there you can see for example a sequence number that increases in every broadcast at exactly one. This is the device recognition of the sender. And you can now know that this is the device from Alice that was sent. These are exactly the user data that I sent. Not further coded, not decoded. And the white paper from SickFox also says very clearly that there is no decoding. And if you start for a long time then you actually know the entire structure of the transfer frame. And if you are interested in that I have an 80-page document where exactly these details are read. To summarize what she is telling us when we get such a broadcast then this is the core information that we get. This is the actual data the device ID, the device recognition and the number for the broadcast. There are a few additional fields that are interesting. There is once the CRC the check number and that is the definition of the CRCs that are used here with this polynomial. You can see whether the entire frame actually received correctly only when this check number is calculated exactly as it was received. MAC is not here for an Apple computer. It is also not for a medium access control but for a message authentication code, a cryptographic method to check the data on authenticity. You know digital signatures maybe from PGP or GPG and there is an asymmetric procedure for use here and the only important part is that I wanted this not so important but important is there is a specific algorithm to calculate this message authentication code and I did not know the key at that time so it was very important to me to develop the key and SIGFOX says that you do not reach the key because it is hidden somewhere in the hardware when I got my sci-pi module I wanted to update the firmware first and before it did that I looked at the flash and compared with what was behind it and how you can find it at that time the device ID and this key in the flash is important you need physical access to the hardware on the flash chip and SIGFOX has a solution with a secure element that takes over the cryptographic functions and you cannot read the key but the disadvantage is that it costs extra money so that is the representation of the key algorithm to calculate and there is the IES in the Cypher block chaining mode and the actual data is expanded to 16 bytes then divided into two parts and then these two blocks are processed together and this data comes out so summarized in the uplink in the network are used very widespread methods there are no obvious errors in the implementation but there is no translation of the data why is that for today and that is very unusual but of course to calculate and the reason is simple that it costs money to hide every message you need powerful hardware that is why manufacturers are not interested in building something like that but what is really problematic with SIGFOX is the message authentication code is too short the sequence number the number that is increased when you send something are so short that you can send received messages later and they are accepted as valid or you can even send a message without knowing the market key because you can simply try all possibilities worst case you have to try and then you can try all possible keys values with many protocols you can't do that practically because it takes too long how long would it take at 600 bit per second and at the beginning I told you something about frequency multiplexing we can just the nice thing is that for this attack we can actually combine all these frequencies and at the same time send our test packages and if we do that it only takes a few minutes to send out all 65,000 possible packages and with that we can I wasn't able to confirm this information 16 bit is only the worst case 2x2 is a much shorter time there are a few countermeasures devices are blocked if they send too many unnecessary data and the deviation is how safe I have to be that my message is true versus how much is the availability of the solution the replay attacker so the return of earlier messages to solve functions for example with a software defined radio is very easy as a protector this so called sequence number is built in but it is only 12 bits so there are only 4,000 possibilities it is very likely that devices that usually send within a relatively short time start using old sequence numbers simply because the 12 bits are created because the 4,000 can be sent once so you could probably use that if you have presented so in summary if all you want to do is create that track cause you're probably going to be fine with the quality protection where you need it where you need it where you need it where you need it but if you want to protect valuable things or even check then 6fox alone is probably too little because there are corresponding weaknesses so we come to the downlink the downlink from the network to the final device the 6fox base station is not easy to send to a final device because it could be simply offline so you have to tell the network that it is available and then it can be transferred of course I wanted to record one of these I wanted to draw how such a transaction actually goes from city and it was necessary to find such a base station and I found one in Darfenberg and this antenna is actually the 6fox base station luckily you don't have to do a search with maps where you find such an antenna but there are corresponding systems at the federal network that the antenna station record that was the real-time version of a broadcast that was no phase modulation but frequency modulation I modulated it I showed a few of them and analyzed what could that be will they use connection very smart error correction this is a much much easier so called scrambling I don't show you how the scrambler works but parameters for this scrambling function are simply a forward-running number and the device ID. So scrambling does not provide any confidentiality. So this scrambling function does not provide any real protection of the data against people who want to read it. So a frame looks like this. There are a few fields that are quite interesting. A slightly more complex error correction. And this error correction function can correct up to eight bits of error. And there is also the MAC, as we already know it from the distance. In summary, reasonable algorithms are reasonably implemented. The scrambling function does not really lead to the isolation of the data. If you use the SIGFOX isolation additionally, then there is of course appropriate protection. So if you want to use this in your devices, then be aware of which protection level you actually reach there. If you have to secure the confidentiality of the data, then you should definitely put it on the SIGFOX isolation. And then there is the choice of hardware that you can use, but relatively strongly restricted, there are only a few devices that can do that. If you can use no modem with locks, then of course you can implement it yourself. And there are a few basic functions on which you can support yourself, but you then have to check the authenticity of the messages yourself. A few people, I have to thank Felix and Marc, have a large part of the technical details here, and they also read the lecture here. I also want to thank Mr. Lehmann from SIGFOX Germany, even though we have a communication with SIGFOX on our side, so none of them are SIGFOX's fault. He reacted really nicely and answered very nicely. When I talk to Mr. Lehmann from SIGFOX Germany, when I talked to Mr. Lehmann from SIGFOX, I told him that we didn't find any major issues, and he said that SIGFOX had the plan to actually make the protocol library available as an open source. If you want to find out more about SIGFOX, and if you don't want to wait for SIGFOX, SIGFOX has its library available, then you can click on my library and the reference implementation is for Software Defined Radio and you can find out more about SIGFOX with the SIGFOX ID and this secret key. Thank you very much. Especially two tips for that. First, a question is in general just one sentence long. Second, if you want us to hear you, you have to speak into the mic, so get close to the mic. It doesn't bite back. So, I think we have somebody on the mic there in the back. Yes, that's mic number. I can't read that from here. Okay, thanks. Number eight, you start. Hi. Is this on? Yeah. So you said scrambling didn't provide any confidentiality. So what is it for? Why is it there? It's for synchronization of the receiver. It's not a standard algorithm of scrambling. I'm not quite sure why it's there. I think it's just for synchronization of the receiver. It's a bit security based obscurity, because the algorithm is not documented. This was the mic. Hi. Thanks for the talk. My question is what is the reason you cannot disclose the scrambling algorithm? That's the reason why you can't disclose the scrambling algorithm. I could disclose it. It doesn't make any sense to me. I will disclose and unscramble versions of data so that someone else can do it differently. Is there a question from the Internet? Do you think that it will be possible in the future to leave your own base station or will you always be operated by SigVox? Absolutely. The question is, are there patents? Technically, there is no reason why you shouldn't be able to do it. But you need your own network, your own keys to separate from the SigVox network. You can build your own parallel network without any problems. Thanks for the talk. I have a student who wants to fuss Laura on. You mentioned a few times Did you use the SER implementation for sending as well? Or did you figure out how to manipulate one of the existing radio transceivers? I have adapted the Pricom SciFi, but I haven't adapted the implementation for the connection. Can you tell us what the latency is like on these networks? Can you tell us what the latency is like on those networks? Yes. The latency on these networks? You have to go to a website to call the data from the base station. I haven't really tested it. You actually need an API client to call the data. I think it's about a few seconds, maybe three seconds. Yes. So is SigVox algorithms, all the things running on the companies provided chips or is there some software involved which could be potentially irreversible? The software could be developed back. That's the small software. There are a few other aspects which you could take apart, but you can't get to the base station. SigVox probably won't be able to pull it out. And one last question from the internet. What are the advantages that you see on SigVox versus LoraOne? I think SigVox uses even less power in general. But it's good if there's a little bit of competition, if there are several providers. There are advantages in both solutions. It needs less power and maybe it's a little better than LoraOne. You just need to take care of the end devices and not about the network.