io iot goes nuclear
play

Io IoT Goes Nuclear: Creatin ing a Zig igBee Chain in Reactio - PowerPoint PPT Presentation

Dec 04, 2023 •178 likes •1.11k views

Io IoT Goes Nuclear: Creatin ing a Zig igBee Chain in Reactio ion Eyal Ronen , Colin O Flynn, Adi Shamir, Achi-Or Weingarten Typical IoT devices: Philips Hue Smart Lights Typical IoT devices: Philips Hue Smart Lights Mature

  1. Io IoT Goes Nuclear: Creatin ing a Zig igBee Chain in Reactio ion Eyal Ronen , Colin O ’ Flynn, Adi Shamir, Achi-Or Weingarten

  3. Typical IoT devices: Philips Hue Smart Lights

  4. Typical IoT devices: Philips Hue Smart Lights • Mature technology and standards, a relatively simple system

  5. Typical IoT devices: Philips Hue Smart Lights • Mature technology and standards, a relatively simple system • A high end product with high end security, but …

  6. Creating a lightbulb worm • We have proven the possibility of creating a worm which spreads using only the standard ZigBee wireless interface

  7. Creating a lightbulb worm • We have proven the possibility of creating a worm which spreads using only the standard ZigBee wireless interface • Taking over a preinstalled smart light

  8. Creating a lightbulb worm • We have proven the possibility of creating a worm which spreads using only the standard ZigBee wireless interface • Taking over a preinstalled smart light • Spreading everywhere

  9. The underlying ZLL protocol

  10. The underlying ZLL protocol Zigbee Personal Area Network • Each installed light is connected to a central controller using the ZigBee Light Link (ZLL) wireless protocol in a Personal Area Network (PAN)

  11. The underlying ZLL protocol IP • Each installed light is connected to a central controller using the ZigBee Light Link (ZLL) wireless protocol in a Personal Area Network (PAN) • The bridge is connected to a secure home/ office network, and is controlled by a smartphone app via IP

  12. The underlying ZLL protocol • Each installed light is connected to a central controller using the ZigBee Light Link (ZLL) wireless protocol in a Personal Area Network (PAN) • The bridge is connected to a secure home/ office network, and is controlled by a smartphone app via IP • It enables each authorized user to turn each light on or off, to change the light intensity, and to set its color

  13. Starting the attack

  14. Starting the attack • Write a full python based ZLL stack, using Eval Board as RF transmitter

  15. Starting the attack • Write a full python based ZLL stack, using Eval Board as RF transmitter • Buy many lamps, sniff traffic, and break (physically) some lamps

  16. Starting the attack • Write a full python based ZLL stack, using Eval Board as RF transmitter • Buy many lamps, sniff traffic, and break (physically) some lamps • Start connecting wires

  17. Philps Hue Lamp Teardown

  19. Boot sequence debug printout

  20. Challenges in taking over a preinstalled smart light

  21. Challenges in taking over a preinstalled smart light • ZigBee Light Link standard uses multiple cryptographic and security protocols to prevent misuse

  22. Challenges in taking over a preinstalled smart light • ZigBee Light Link standard uses multiple cryptographic and security protocols to prevent misuse • In particular, uses a proximity test to make sure that the only way to take control of an already installed Hue lamp is by operating it within 10-20 cm from its new controller

  23. Protocol Session Outline Scan Request(Transaction ID) Proximity Test Scan Response Controller Lamp Network Start (Transaction ID) Reset to Factory New (Transaction ID)

  24. Protocol Session Outline Scan Request(Transaction ID) Proximity Test Scan Response Controller Lamp Network Start (Transaction ID) Reset to Factory New (Transaction ID)

  25. Protocol Session Outline Scan Request(Transaction ID) Proximity Test Scan Response Controller Lamp Network Start (Transaction ID) Reset to Factory New (Transaction ID)

  26. Protocol Implementation Bug

  27. Protocol Implementation Bug • We want to cause the light to Reset to Factory New

  28. Protocol Implementation Bug • We want to cause the light to Reset to Factory New

  29. Protocol Implementation Bug • We want to cause the light to Reset to Factory New • Can ’ t set a valid Transaction ID due to proximity test

  30. Protocol Implementation Bug • We want to cause the light to Reset to Factory New Non-Zero • Can ’ t set a valid Transaction ID due to proximity test

  31. The case of ZERO (day)

  32. The case of ZERO (day) • How is the Session data is saved in memory?

  33. The case of ZERO (day) • How is the Session data is saved in memory?

  34. The case of ZERO (day) • How is the Session data is saved in memory? • What is default values in the struct?

  35. The case of ZERO (day) • How is the Session data is saved in memory? • What is default values in the struct? • Well surely it is checked on access …

  36. The case of ZERO (day) • How is the Session data is saved in memory? • What is default values in the struct? • Well surely it is checked on access …

  37. The case of ZERO (day) • How is the Session data is saved in memory? • What is default values in the struct? • Well surely it is checked on access … • Just on Scan Request message

  38. Protocol Attack Outline Controller Lamp Factory Reset (Transaction ID=0)

  39. We bought a cheap and lightweight commercial Zigbee evaluation kit:

  40. ZigBee WarFlying - Taking over a building ’ s lights By launching a drone carrying a fully automated attack equipment 400 meters away

  41. second warflying video here

  42. Spreading everywhere

  43. Getting software updates • No software update for Atmel based lamps

  44. Getting software updates • No software update for Atmel based lamps • So lets impersonate to an older model and version

  45. Getting software updates • No software update for Atmel based lamps • So lets impersonate to an older model and version • Looked for posting on upgrades on the Internet (mainly Reddit)

  46. Getting software updates • No software update for Atmel based lamps • So lets impersonate to an older model and version • Looked for posting on upgrades on the Internet (mainly Reddit) Known upgrades (From Internet Posts) 66009663 -> 66013452 65003148 -> 66013452 (recorded with type 100) 66010820 -> 66012457 (recorded with type 104) (GU10) 65003148 -> 66012457 (recorded with type 104) (GU10) 65003148 -> 66013452 (recorded with type 103)

  47. Light impersonating • Write impersonating code, to identify as old models

  48. Light impersonating • Write impersonating code, to identify as old models • Sniff OTA updates on Zigbee and on bridge

  49. Light impersonating • Write impersonating code, to identify as old models • Sniff OTA updates on Zigbee and on bridge

  50. Light impersonating • Write impersonating code, to identify as old models • Sniff OTA updates on Zigbee and on bridge • They are encrypted

  54. Correlation power analysis

  55. Power Analysis Example Setup

  56. CPA for RE

  57. CCM

  58. New CPA attack on CCM Nonce (unknown) Counter (m) Nonce (unknown) Counter (m+1) Block Cipher Encryption Block Cipher Encryption Ciphertext (CT M ) Ciphertext (CT M+1 ) Plaintext (PT M ) Plaintext (PT M+1 ) CBC State m -1 (CBC M-1 ) Block Cipher Encryption Block Cipher Encryption CBC State m (CBC M ) CBC State m (CBC M+1 )

  59. New CPA attack on CCM Nonce (unknown) Counter (m) Nonce (unknown) Counter (m+1) Jaffe 07 Requires 2^16 blocks Block Cipher Encryption Block Cipher Encryption Ciphertext (CT M ) Ciphertext (CT M+1 ) Plaintext (PT M ) Plaintext (PT M+1 ) CBC State m -1 (CBC M-1 ) Block Cipher Encryption Block Cipher Encryption CBC State m (CBC M ) CBC State m (CBC M+1 )

  60. New CPA attack on CCM Nonce (unknown) Counter (m) Nonce (unknown) Counter (m+1) O ’ Flynn & Chen Chosen Nonce Block Cipher Encryption Block Cipher Encryption Ciphertext (CT M ) Ciphertext (CT M+1 ) Plaintext (PT M ) Plaintext (PT M+1 ) CBC State m -1 (CBC M-1 ) Block Cipher Encryption Block Cipher Encryption CBC State m (CBC M ) CBC State m (CBC M+1 )

  61. New CPA attack on CCM Nonce (unknown) Counter (m) Nonce (unknown) Counter (m+1) Block Cipher Encryption Block Cipher Encryption Ciphertext (CT M ) Ciphertext (CT M+1 ) Plaintext (PT M ) Plaintext (PT M+1 ) CBC State m -1 (CBC M-1 ) ECB - modified key Block Cipher Encryption Block Cipher Encryption CBC State m (CBC M ) CBC State m (CBC M+1 )

  62. New CPA attack on CCM Nonce (unknown) Counter (m) Block Cipher Encryption Ciphertext (CT M ) CBC State m -1 (CBC M-1 ) Block Cipher Encryption CBC State m (CBC M )

  63. New CPA attack on CCM Ciphertext (CT M ) Block m Const Block Cipher Encryption CBC State m (CBC M )

  64. New CPA attack on CCM Ciphertext (CT M ) Modified Key Block Cipher Encryption CBC State m (CBC M )

  68. https://www.youtube.com/watch?v=hi2D2MnwiGM Or: http://www.oflynn.com

  70. Creating An Explosive Infection:

  71. A New Type of Attack:

  72. A New Type of Attack: • A hacker can infect all the smart lights in the whole city, provided that the density of smart lights is above a certain critical mass, which can be calculated with percolation theory techniques

Recommend

Nuclear Leadership World Nuclear University Summer Radiation Short Course Nuclear Nuclear

Nuclear Leadership World Nuclear University Summer Radiation Short Course Nuclear Nuclear

Global Networking for Nuclear Leadership World Nuclear University Summer Radiation Short Course Nuclear Nuclear Institute Technologies English Course Olympiad School 2016: Canada Student 2017: Sweden challenge NESTET Conference 2016

236 views • 22 slides
Chapter 17 Chapter 17 Nuclear Chemistry uclear Chemistry Nuclear Decay Nuclear

Chapter 17 Chapter 17 Nuclear Chemistry uclear Chemistry Nuclear Decay Nuclear

Chapter 17 Chapter 17 Nuclear Chemistry uclear Chemistry Nuclear Decay Nuclear Radiation Nuclear Energy 1 Nuclear Decay Nuclear Decay History History Henri Becquerel stored uranium oxide in a drawer with photographic

150 views • 12 slides
Pakistan Nuclear Regulatory Authority 1 Contents Nuclear Regulatory Framework Nuclear

Pakistan Nuclear Regulatory Authority 1 Contents Nuclear Regulatory Framework Nuclear

Nuclear Industry Congress 2013 Istanbul, Turkey, 18-19 June 2013 Nuclear Safety and Security Culture in Pakistan and Nuclear Regulatory Framework in Pakistan Mohammad Anwar Habib Pakistan Nuclear Regulatory Authority 1 Contents Nuclear

577 views • 30 slides
Republic of Azerbaijan Ramin Pashayev The State Agency on Nuclear and Radiological Activity

Republic of Azerbaijan Ramin Pashayev The State Agency on Nuclear and Radiological Activity

International Conference on Physical Protection of Nuclear Material and Nuclear Facilities Vienna, Austria | 13 17 November 2017 Regulatory oversight and control of the physical protection of nuclear materials and nuclear facilities and

416 views • 28 slides
1 Why Peninsular Malaysia Needs Nuclear Generation 2 Nuclear Power Preparation and Steps Taken

1 Why Peninsular Malaysia Needs Nuclear Generation 2 Nuclear Power Preparation and Steps Taken

1 Why Peninsular Malaysia Needs Nuclear Generation 2 Nuclear Power Preparation and Steps Taken 3 Garnering Public Acceptance 4 Nuclear Power Development Timelines 5 The Prayer 2 3 Nuclear Renaissance World Challenges, Nuclear

1.33k views • 75 slides
NUCLEAR WASTE IN FRANCE Nuclear Waste Disposal Storage of nuclear waste in France Two

NUCLEAR WASTE IN FRANCE Nuclear Waste Disposal Storage of nuclear waste in France Two

NUCLEAR WASTE IN FRANCE Nuclear Waste Disposal Storage of nuclear waste in France Two problems : 1200 tons of nuclear - Traitement the used nuclear fuel waste produced each year in France - Storing the waste which cant be reused

196 views • 15 slides
Future of Nuclear Power in the United States Everett Redmond II, Ph.D. Nuclear Energy Institute

Future of Nuclear Power in the United States Everett Redmond II, Ph.D. Nuclear Energy Institute

Future of Nuclear Power in the United States Everett Redmond II, Ph.D. Nuclear Energy Institute October 15, 2015 If All U.S. Reactors Retire After 60 Years of Operation Year Total U.S. Nuclear Nuclear Nuclear Fuel New Generation

243 views • 13 slides
Nuclear Safety Update on Fukushima Dai-ichi Nuclear Accident and IAEA response Nuclear

Nuclear Safety Update on Fukushima Dai-ichi Nuclear Accident and IAEA response Nuclear

Nuclear Safety Update on Fukushima Dai-ichi Nuclear Accident and IAEA response Nuclear Installation Safety Department of Nuclear Safety & Security Presented by Maria J.. Moracho Ramirez Key Plant Systems (Mark-I) Safety Function Design

343 views • 19 slides
MPI fr Physik, Mnchen 2015 Nuclear Ground State Properties and their Importance for Nuclear

MPI fr Physik, Mnchen 2015 Nuclear Ground State Properties and their Importance for Nuclear

MPI fr Physik, Mnchen 2015 Nuclear Ground State Properties and their Importance for Nuclear Structure, Nuclear Astrophysics and Fundamental Studies. Motivation for precision nuclear data Atomic physics techniques in nuclear physics

426 views • 25 slides
Nuclear data required for measurements of reactivity and nuclear material composition Nuclear

Nuclear data required for measurements of reactivity and nuclear material composition Nuclear

Nuclear data required for measurements of reactivity and nuclear material composition Nuclear Technology Research Laboratory Central Research Institute of Electric Power Industry Yasushi NAUCHI 2018 Symposium on Nuclear Data Nov. 30, 2018 at

394 views • 25 slides
NUCLEAR ISSUES CURRENT NUCLEAR STATUS Hiatus in development in U.S. and W. Europe Opportunity

NUCLEAR ISSUES CURRENT NUCLEAR STATUS Hiatus in development in U.S. and W. Europe Opportunity

TR 9903--01 ~ NUCLEAR ISSUES CURRENT NUCLEAR STATUS Hiatus in development in U.S. and W. Europe Opportunity for review of past and future BASES FOR OBJECTIONS TO NUCLEAR POWER Concerns about radiation exposures. reactor accidents, nuclear

357 views • 21 slides
Nuclear Magnetic Nuclear Magnetic Nuclear Magnetic Nuclear Magnetic Resonance of Proteins

Nuclear Magnetic Nuclear Magnetic Nuclear Magnetic Nuclear Magnetic Resonance of Proteins

Nuclear Magnetic Nuclear Magnetic Nuclear Magnetic Nuclear Magnetic Resonance of Proteins Resonance of Proteins eso a ce o eso a ce o ote ote s s Christopher Pavlik Bioanalytical Chemistry March 2, 2011 Nuclear Magnetic Resonance

169 views • 15 slides
1. Shapes and Masses of Nuclei Or: Nuclear Phenomeology References: [PRSZR 5.4, 2.3, 3.1/3; HG

1. Shapes and Masses of Nuclei Or: Nuclear Phenomeology References: [PRSZR 5.4, 2.3, 3.1/3; HG

PHYS 6610: Graduate Nuclear and Particle Physics I H. W. Griehammer INS Institute for Nuclear Studies The George Washington University Institute for Nuclear Studies Spring 2018 II. Phenomena 1. Shapes and Masses of Nuclei Or: Nuclear

457 views • 27 slides
Nuclear Browns Ferry Nuclear Plant May 29, 2013 Preston Swafford, Chief Nuclear Officer

Nuclear Browns Ferry Nuclear Plant May 29, 2013 Preston Swafford, Chief Nuclear Officer

Nuclear Browns Ferry Nuclear Plant May 29, 2013 Preston Swafford, Chief Nuclear Officer Tennessee Valley Authority Discussion Points Nuclear Opening Remarks Preston Swafford Integrated Improvement Plan Keith Polson Results Achieved Keith

421 views • 16 slides
A Few Thoughts on Computational Nuclear Science and the New Nuclear Energy Era Dr Cassiano R E

A Few Thoughts on Computational Nuclear Science and the New Nuclear Energy Era Dr Cassiano R E

II SEN I ISNE Rio de Janeiro, August 13-17 2012 A Few Thoughts on Computational Nuclear Science and the New Nuclear Energy Era Dr Cassiano R E de Oliveira Department of Chemical and Nuclear Engineering The University of New Mexico

852 views • 59 slides
ALMOST NUCLEAR: INTRODUCING THE NUCLEAR LATENCY DATASET Matthew Fuhrmann and Benjamin Tkach

ALMOST NUCLEAR: INTRODUCING THE NUCLEAR LATENCY DATASET Matthew Fuhrmann and Benjamin Tkach

ALMOST NUCLEAR: INTRODUCING THE NUCLEAR LATENCY DATASET Matthew Fuhrmann and Benjamin Tkach Alyssa Martinec Nuclear Latency A country having the capacity to quickly produce nuclear weapons in the event of a crisis Limited scholarly

559 views • 30 slides
Legislative and Regulatory Framework for the Physical Protection of Nuclear Material and Nuclear

Legislative and Regulatory Framework for the Physical Protection of Nuclear Material and Nuclear

Legislative and Regulatory Framework for the Physical Protection of Nuclear Material and Nuclear Facilities in Nigeria By Dr. Nasiru-Deen A. Bello Director - Nuclear Safety, Physical Security & Safeguards Nigerian Nuclear Regulatory

207 views • 19 slides
Strengthening Nuclear Security Cooperation Capacities within Public Company with Nuclear

Strengthening Nuclear Security Cooperation Capacities within Public Company with Nuclear

International Conference on Physical Protection of Nuclear Material and Nuclear Facilities, Vienna, 13-17 November 2017 Background and International Cooperation in Objectives Strengthening Nuclear Security Cooperation Capacities within

462 views • 29 slides
Nuclear Divestment FOR EVERYONE Agenda 1. What is Divestment? 2. How to divest? 3. Nuclear

Nuclear Divestment FOR EVERYONE Agenda 1. What is Divestment? 2. How to divest? 3. Nuclear

Move the Nuclear Weapons (and fossil fuel) Money. Global Webinar, April 21, 2020 Nuclear Divestment FOR EVERYONE Agenda 1. What is Divestment? 2. How to divest? 3. Nuclear Divestment Guide What is divestment? Who can divest? As part

214 views • 10 slides
Nuclear Education at UCLan Laurence Williams FREng Professor of Nuclear Safety University of

Nuclear Education at UCLan Laurence Williams FREng Professor of Nuclear Safety University of

07/01/2012 Nuclear Education at UCLan Laurence Williams FREng Professor of Nuclear Safety University of Central Lancashire National Nuclear Laboratory 6 December 2011 European Union Nuclear Education Training (EUNET) Workshop Preston 14

286 views • 10 slides
Nuclear Imaging Medical Imaging Medical Imaging Nuclear Imaging Nuclear Imaging Nuclear

Nuclear Imaging Medical Imaging Medical Imaging Nuclear Imaging Nuclear Imaging Nuclear

Nuclear Imaging Medical Imaging Medical Imaging Nuclear Imaging Nuclear Imaging Nuclear imaging is the use of radioactive materials for imaging structure and function inside body. ED X Wu Overview Overview Radioactive Decay and

542 views • 18 slides
Nuclear Browns Ferry Nuclear Plant Filtering Strategies January 9, 2013 Preston Swafford,

Nuclear Browns Ferry Nuclear Plant Filtering Strategies January 9, 2013 Preston Swafford,

Nuclear Browns Ferry Nuclear Plant Filtering Strategies January 9, 2013 Preston Swafford, Executive Vice President and Chief Nuclear Officer Tennessee Valley Authority Discussion Points Nuclear TVA Post-Fukushima Strategy TVA FLEX

397 views • 13 slides
About Nuclear Change II UNIT 7 DAY 2 What are we going to learn today? Types of Nuclear Changes

About Nuclear Change II UNIT 7 DAY 2 What are we going to learn today? Types of Nuclear Changes

Thinking Like a Chemist About Nuclear Change II UNIT 7 DAY 2 What are we going to learn today? Types of Nuclear Changes Isotopic Stability Ionizing Radiation Review From Last Class: Nuclear Change vs. Chemical Change 1. Compare energy

437 views • 15 slides
Nuclear Energy I nstitute and Prospects for New Nuclear Tom Houghton Director, Strategic

Nuclear Energy I nstitute and Prospects for New Nuclear Tom Houghton Director, Strategic

Nuclear Energy I nstitute and Prospects for New Nuclear Tom Houghton Director, Strategic Regulatory Programs Nuclear Energy Institute August 26, 2008 Sources of U.S. Electricity 2007* 21.5% Natural Gas Low construction cost Volatile fuel

614 views • 47 slides

More recommend