The TTN volioti - ISC)2 · 2018-02-21 · 2013 Information Security Management 2014 Computer...


Heinrich Wilhelm Klöpping, MSc CISSP CCSP SCI

The TTN volioti

Is the TTN volioti the new móðuharðindin? And what has Hedy Lamarr to do with all that?

● 2013 Information Security Management

● 2014 Computer Security, Introduction to Cryptography

● 2015 Network Security

● 2016 Digital Forensics, Cybercrime

● 2017 Dissertation title: "Investigating information security for a volunteer driven IoT infrastructure", viva voce on May 11th, 2017. Passed with distinction on July 13th 2017. Top-ranking project and elected to be presented at the Distant Learning weekend in London.

5 years of study

My tips for my fellow students

● Scratch your itch

● Seek advice from others

● Do your own thinking

● Research the technology

● Experiment

● Use what you were taught

● Engage with the real world

● Know when to stop researching

● Know when to start writing

Tip #1: Scratch your itch

About my mill: Molen van de Groote Polder

Built in 1783.

The volcano Laki in Iceland begins an 8-month eruption, starting the chain of natural disasters known as the Móðuharðindin, killing tens of thousands throughout Europe.

● A third of the population of Iceland dies

● Horrible deaths all over Europe due to suffocation

● Red skies, famine and the French Revolution

● UK acknowledges the US

1783 - Móðuharðindin: Terrible consequences!

1783 - Móðuharðindin

The flag of my municipality

Red skies, the beast and fire!

Farmers selling their souls to the devil with terrible consequences!

What would infosec specialists have said?

1783 - Móðuharðindin

These farmers should have done

proper risk analysis!... or perhaps they did?

2016 - MolenOpenApp

● Facilitating visitors

● Map on website shows our mills

● Millers have a web based app

● Very simple interface (red/green)

● Mill status changes (turns wings)

MolenOpenApp fails

●Miller has no smartphone

●Miller forgot to bring his phone

●Miller forgets to use the App

●Out of reach of GSM network

●Simply not simple enough..

Alternatives

●Install a lock with a switch

●Door open – switch triggers

●Message is sent to central host

●Status is updated

●Door close – status update

Sending messages..

●Smack in the middle of nowhere..

●No WiFi or GSM may be available

●WiFI / GSM / SMS .. expensive

●No power may be available

Tip #2: Seek advice from others

Help! Hey Henk, check out

● a global community of (as of August 2017) 21980 people in 89 countries building a FREE global Internet of Things data network.

● origins of the network can be traced back to June 2015 at a Hackerspace in Amsterdam

● uses a long range and low power radio frequency protocol called LoRaWAN

● no WiFi codes and no mobile subscriptions

● limited bandwidth, (very) long range (800 km!)

2015 - The Things Network

The Things Network

[Diagram: applications connect over the Internet to the TTN backend; nodes reach the backend through Gateway East, Gateway West and Gateway South, which are connected to the Internet.]

The Things Network

Nodes broadcast LoRaWAN messages over the LoRa radio protocol.

Gateway forwards radio transmissions to the backend.

Router manages gateway's status and schedules transmissions.

Brokers map a device to an application, forward down- and uplink messages

Network Server is LoRaWAN specific, handles OTAA etc.

Handler handles the data of one or more applications

The Things Network

The Things Network – NO!

●Realtime data - you can only send small packets every couple of minutes

●Phone calls - you can do that with GPRS/3G/LTE

●Controlling lights - check out ZigBee or Bluetooth

●Sending photos, Netflix - check out WiFi

●Triangulation – later, not now

The Things Network – YES!

●Long range - multiple kilometers

●Low power - can last months (or even years) on a battery

●Low cost - less than 20€ CAPEX per node, almost no OPEX

●Low bandwidth - something like 400 bytes per hour

●Coverage everywhere – install yourself..

The Things Network – Maybe

Secure? TTN has this on their “yes” list.

“128bit end-to-end encrypted”

OTAA and ABP

Devices (nodes) need an address: Over The Air Activated (“dhcp”) or Activated By Personalisation (because not all nodes can receive!)

Encryption

●Node – network: NwkSKey (hash)

●Node – handler (you): AppSKey

●AppKey: used for OTAA (~“DHCP”)

Replay attacks!?

Ah, no, we thought of that too!

Frame counter!
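The frame counter check mentioned above, as an added example (my own code, not TTN's or any LoRaWAN stack's): a minimal network-server session that accepts an uplink only if its MIC verifies under the NwkSKey and its FCnt is higher than the last one accepted. HMAC-SHA256 truncated to 4 bytes stands in for LoRaWAN's AES-CMAC so the script needs only the standard library; the DevAddr, session key, payloads and the MAX_FCNT_GAP limit are constructed or assumed values.

```python
from __future__ import annotations

import hashlib
import hmac
import struct
from dataclasses import dataclass

# LoRaWAN 1.0.x lets the network tolerate at most this gap between two
# consecutive frame counters (MAX_FCNT_GAP); anything further ahead is dropped.
MAX_FCNT_GAP = 16384
MIC_LEN = 4  # LoRaWAN MICs are 4 bytes


def compute_mic(nwk_skey: bytes, dev_addr: bytes, fcnt: int, frm_payload: bytes) -> bytes:
    """Integrity tag over address, counter and payload.

    Real LoRaWAN computes AES-128 CMAC over a B0 block plus the MAC frame;
    HMAC-SHA256 truncated to 4 bytes stands in here (assumption, to stay on
    the standard library). What matters for the replay check is that the
    counter sits inside the authenticated data, so it cannot be edited
    without the NwkSKey."""
    authenticated = dev_addr + struct.pack("<I", fcnt) + frm_payload
    return hmac.new(nwk_skey, authenticated, hashlib.sha256).digest()[:MIC_LEN]


@dataclass
class Uplink:
    dev_addr: bytes
    fcnt: int
    frm_payload: bytes
    mic: bytes


def build_uplink(nwk_skey: bytes, dev_addr: bytes, fcnt: int, frm_payload: bytes) -> Uplink:
    """What an honest node does: tag its frame with the session's NwkSKey."""
    return Uplink(dev_addr, fcnt, frm_payload, compute_mic(nwk_skey, dev_addr, fcnt, frm_payload))


@dataclass
class NetworkSession:
    """The network server's view of one ABP/OTAA session."""
    dev_addr: bytes
    nwk_skey: bytes
    last_fcnt: int = -1  # nothing accepted yet

    def accept(self, up: Uplink) -> tuple[bool, str]:
        if up.dev_addr != self.dev_addr:
            return False, "unknown DevAddr"
        expected = compute_mic(self.nwk_skey, up.dev_addr, up.fcnt, up.frm_payload)
        if not hmac.compare_digest(expected, up.mic):
            return False, "bad MIC"
        if up.fcnt <= self.last_fcnt:
            return False, f"replay or reset: FCnt {up.fcnt} <= last {self.last_fcnt}"
        if up.fcnt - self.last_fcnt > MAX_FCNT_GAP:
            return False, "FCnt gap too large"
        self.last_fcnt = up.fcnt
        return True, "accepted"


def run_scenario() -> list[tuple[str, bool, str]]:
    """Feed a constructed sequence of frames to one session; returns (label, accepted, reason)."""
    key = bytes(range(16))                   # constructed NwkSKey
    dev_addr = bytes.fromhex("26011001")     # constructed DevAddr
    ns = NetworkSession(dev_addr, key)
    door_open, door_closed = bytes([0x01]), bytes([0x00])

    first = build_uplink(key, dev_addr, 0, door_open)
    second = build_uplink(key, dev_addr, 1, door_closed)
    # Counter and payload changed without the key, old MIC kept: fails the MIC check.
    edited = Uplink(dev_addr, 2, door_open, second.mic)
    # An ABP node that rebooted starts counting at 0 again: rejected as a replay.
    after_reset = build_uplink(key, dev_addr, 0, door_open)
    far_ahead = build_uplink(key, dev_addr, 1 + MAX_FCNT_GAP + 1, door_open)

    frames = [
        ("first uplink", first),
        ("second uplink", second),
        ("replay of second uplink", second),
        ("edited frame with stale MIC", edited),
        ("uplink after node reset", after_reset),
        ("counter jumped too far", far_ahead),
    ]
    return [(label, *ns.accept(frame)) for label, frame in frames]


if __name__ == "__main__":
    for label, ok, reason in run_scenario():
        print(f"{label:30s} {'ACCEPT' if ok else 'REJECT':6s} {reason}")
```

The fifth frame is the practical weak spot: an ABP node that loses power restarts at FCnt 0 and is locked out until the network's stored counter is reset by hand. Operators who respond by switching the counter check off get their node back and lose the replay protection at the same time; the right fix is OTAA (a fresh session and fresh counters on every join) or non-volatile counter storage on the node. Real LoRaWAN also sends only the low 16 bits of the 32-bit counter on the air, which is why the network keeps the full value and bounds the gap.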

The Things Network is Secure!

“128bit end-to-end encrypted” is sufficient after all

Tip #3: Do your own thinking

What if..

● hooligans cut your cable

● the better half decides to vacuum clean

● they detonate a bomb using your gateway

● the routers are hacked

● you are made responsible for traffic you relayed

● your ISP is not amused you're using his network

● an emergency call is not relayed

● LI takes place

● etc ...

Tip #4: Research the technology

Spread spectrum

Spread spectrum

Spread spectrum is a means of transmission in which the signal occupies a bandwidth in excess of the minimum necessary to send the information; the band spread is accomplished by means of “a code” which is independent of the data, and a synchronized reception with the code at the receiver is used for despreading and subsequent data recovery.

Code: e.g. frequency hopping, time hopping, or both.

Spread spectrum

The code used with LoRa is a “chirp”: a frequency that rises, then falls, etc. Synchronisation between sender and receiver is done by sending unmodulated (preamble) chirps. Note that this can be done without having a key, so this is NOT a security control. It brings advantages: anti-interference and long range, though at relatively low data rates.

TTN data rate

●Band width

●Duty cycle

●Spread factor

●Adaptive data rate (ADR)

Band width

● Dictated by EU regulations

● For the 868 MHz band, depending on channel in use, either 125 or 250 kHz

● Higher bandwidth normally corresponds to a higher data transmission speed

Duty cycle

● Dictated by EU regulations

● For the 868 MHz band, depending on channel in use, either 0.1% or 1% of available time per node / gateway

● So: at best¹ 14.4 minutes transmission each day..

¹ gateways might use 2 timeslots and a frequency with 10% duty cycle

Spread factor

● How many bits are sent per second

● You could compare this to two people talking in a noisy place (a bar for example). If you're far from each other, you have to talk slowly (SF10), but if you're close, you can talk faster (SF7)

Spread factor

ADR

● Nodes closer to the gateway can use less power

● Nodes closer to the gateway can transmit higher bps

● Nodes farther away use more power and longer bursts

● Rate calculated by network over last 20 transmissions

● Only for static nodes (of course..)

● Can hence be set on or off by the node (bit in frame)

Tip #5: Experiment

Gateways

Slochteren Gateway

Old and new

Lonely gateway (still): https://www.thethingsnetwork.org/map

Recap TTN

LoRaWAN features a raw maximum data rate of 27 kbps (SF=7). Depending on the SF in use, LoRaWAN data rate ranges from 0.3 kbps to 27 kbps. Duty cycle is an additional limitation. For instance, the maximum duty-cycle of the EU 868 ISM band is 1% and it results in a maximum transmission time of 36 sec/hour in each sub-band for each end-device.

Large spreadfactors allow for longer ranges, but increase the time on air hence the mandatory silence.
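The bandwidth, duty cycle and spread factor slides above and this recap all come down to one number per packet, the time on air, and one budget, the duty cycle. The following is an added example (my own code, not from the presentation or from TTN) that carries the arithmetic through with the Semtech time-on-air formula for LoRa: it assumes LoRaWAN's usual framing (8 preamble symbols, explicit header, CRC, coding rate 4/5) and the 125 kHz EU868 channels, and the 20-byte packet in the demo is a constructed example.

```python
import math

# LoRaWAN uplink framing assumed throughout: 8 preamble symbols, explicit
# header, CRC on, coding rate 4/5 (CR = 1). Formula from Semtech's SX127x
# datasheet, which the LoRaWAN regional parameters build on.
PREAMBLE_SYMBOLS = 8
CODING_RATE = 1
EU868_DUTY_CYCLE = 0.01       # the 1 % per sub-band limit quoted on the slides
EU868_BANDWIDTH_HZ = 125_000  # the 125 kHz channels; some EU868 channels use 250 kHz


def symbol_time(sf, bw_hz):
    """One LoRa symbol lasts 2^SF chips at BW chips per second."""
    return (2 ** sf) / bw_hz


def time_on_air(sf, bw_hz, payload_bytes, explicit_header=True, crc=True):
    """Seconds a single packet occupies the channel (preamble + payload)."""
    t_sym = symbol_time(sf, bw_hz)
    t_preamble = (PREAMBLE_SYMBOLS + 4.25) * t_sym
    # Low data rate optimisation is switched on when a symbol lasts longer
    # than 16 ms, i.e. SF11 and SF12 at 125 kHz.
    de = 1 if t_sym > 0.016 else 0
    ih = 0 if explicit_header else 1
    numerator = 8 * payload_bytes - 4 * sf + 28 + 16 * int(crc) - 20 * ih
    denominator = 4 * (sf - 2 * de)
    payload_symbols = 8 + max(math.ceil(numerator / denominator) * (CODING_RATE + 4), 0)
    return t_preamble + payload_symbols * t_sym


def bit_rate(sf, bw_hz):
    """Nominal bit rate after 4/5 coding: SF * 4/(4+CR) * BW / 2^SF."""
    return sf * (4 / (4 + CODING_RATE)) * bw_hz / (2 ** sf)


def airtime_budget(duty_cycle=EU868_DUTY_CYCLE, period_s=3600):
    """Seconds of transmit time the duty cycle permits per period (36 s/hour at 1 %)."""
    return period_s * duty_cycle


def uplinks_per_hour(sf, bw_hz, payload_bytes, duty_cycle=EU868_DUTY_CYCLE):
    """Whole packets of this size that fit into one hour's airtime budget."""
    return math.floor(airtime_budget(duty_cycle) / time_on_air(sf, bw_hz, payload_bytes))


def budget_table(payload_bytes, bw_hz=EU868_BANDWIDTH_HZ):
    """Per spreading factor SF7..SF12: (ToA in ms, bit rate in bps, uplinks per hour)."""
    return {
        sf: (
            round(time_on_air(sf, bw_hz, payload_bytes) * 1000, 1),
            round(bit_rate(sf, bw_hz), 1),
            uplinks_per_hour(sf, bw_hz, payload_bytes),
        )
        for sf in range(7, 13)
    }


if __name__ == "__main__":
    # Constructed packet: 20 bytes of PHYPayload, i.e. the 13 bytes of LoRaWAN
    # header plus MIC and a few bytes of sensor data such as a door status.
    payload = 20
    print(f"airtime budget: {airtime_budget():.0f} s/hour, "
          f"{airtime_budget(period_s=86400) / 60:.1f} min/day")
    for sf, (toa_ms, bps, per_hour) in budget_table(payload).items():
        print(f"SF{sf}: {toa_ms:8.1f} ms on air  {bps:8.1f} bps  {per_hour:4d} uplinks/hour")
```

Running it reproduces the slides' numbers: 36 s of airtime per hour and 14.4 minutes per day at 1%, and SF12 at 125 kHz giving roughly 0.3 kbps. It also shows why the recap says large spread factors buy range at the cost of "mandatory silence": the same 20-byte packet takes about 57 ms at SF7 but about 1.3 s at SF12, so the hourly budget shrinks from over 600 packets to under 30. On the 125 kHz EU868 channels SF7 delivers about 5.5 kbps; the 27 kbps headline figure needs a 500 kHz channel, which EU868 does not use.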

Recap TTN

● In practice: “only” 1-10 km (interference, objects)

● can use adaptive data rates (ADR) to accommodate varying signal strengths

● In EU: 868 MHz - free frequency, but at best 1% duty cycle.

● best used for appliances with limited data requirements e.g. hourly temperature measurements, on/off signalling, moisture sensors etc.

● cheap/quick to deploy: Greater Amsterdam 19 gateways.

Tip #6: Use what you were taught

The Things Network

Has anybody even taken a look at stuff like:

ISO27001:2013 - ISO27002:2013 - ISO27005:2011 - ISO31000:2009 - ISO31010:2011 - ISO20922:2016 - GSMA Guidelines - DHS Strategic Principles - Volunteer Management Health Check Guide - or what is said in the Law (and whose Law) - or what the community itself might teach us?

The Things Network

Greiner's theory on organisational growth.

TTN is hardly a classical company and still in its infancy

Tip #7: Engage with the real world

Meetups

Meet the management

● Conversations with Laurens Slats

● Met founder Wienke Giezeman

● Interesting conversation

My conclusion..

Awareness?

no

Observation: encryption is not enough. And life may be at stake!

What would we infosec specialists say?

2018 - Móðuharðindin again?

CIA

These cowboys should have done

proper risk analysis!

Tip #8: Know when to stop.. researching and widening your scope

Tip #9: Know when to start.. writing your dissertation

Volunteer driven Internet of Things infrastructure

.. a bit much, right..hence

volioti

Dissertation stuffing..

Can best practices as listed in international standards, guidelines and the Law be employed to improve the security of information in the emerging volunteer driven, decentralised, technocrat-anarchistic Internet of Things infrastructure?

Main research question

Is the TTN volioti the new móðuharðindin?

So, can we help TTN?

According to me: yes.

● install Risk Analysis Committee for TTN (RACOM)

● have RACOM educate itself and others on InfoSec

● work on a sector specific standard for IoT

● experiment with tools and techniques

● continue search for IoT specific controls

● establish a clear line of command

So, can we help TTN?

According to me: yes.

● I found 391 controls that might be considered

● some of them unusual (Volunteer Health Check)

● some very standard (ISO27K)

● some brand new and very relevant (GSMA)

Spinoff

Mix and match method

How to determine the suitability of RA devices?

● E.g. Annex B of ISO 31010:2010 contains a list of 31 risk analysis related tools, techniques and methods that might be used to (help) perform risk analysis.

● should “be justifiable and appropriate to the situation or organization under consideration”

Mix and match method

How do we 'measure' the devices on how well they fit (which) requirements?

Our stakeholders are mostly ignorant of the world of information security; we also appreciate that it might require hours, possibly days of education to discuss the use of just one tool, technique, methodology or standard.

Spinoff

Mix and match Method

Using the descriptions in the standard itself I established 11 overarching qualities - 'generic qualities'.

They are: easy to use, inexpensive, efficient, flexible, thorough / structural, capable of handling complexity, exact, scalable, stimulate imagination and creativity, provide balanced insights, and stimulate ownership.

The 31 RA devices have been rated for their support of these generic qualities using a two step semi-quantitative method inspired by risk indices (B28) and the consequence / probability matrix (B29)

Mix and match Method

● for the part in scope (organisation, department):

● one assessor assesses how well an RA device provides a generic quality (the PQ assessor),

● another assesses how well the RA device is required to provide a generic quality to classify as suitable (the RQ assessor).

Mix and match Method

For each generic quality the PQ assessor determines how well a generic quality is provided by the RA-device, using a semi-quantitative scale: “well” (represents a value of 3), “somewhat” (a value of 1) or “(almost) not” (a value of 0). This value is put in the column 'class'.

Mix and match Method

Then, per class, a rank within that class is provided (rank): the quality that is best provided by the RA device gets n points (where n is the number of entries for that class), down to the quality that is least well provided by the RA device, which gets 1 point. This value is put in the column 'rank'.

Mix and match Method

By multiplying the class and rank, a value PQ (provided quality) per RA device is produced, which is put in the column PQ.


Mix and match Method

Similarly we determine the RQ (probably by another assessor).

First we rate (determine class).

Then we rank within the class.

Then we multiply and hence find RQ.

Mix and match Method

● By multiplying the Provided Quality (PQ) with the Required Quality (RQ) we end up with the “Total Quality” (TQ) for an RA device.

● Sort the devices on their TQ; this provides a table of RA devices ordered by suitability for the part in scope.
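The rate, rank, multiply and sort procedure from the Mix and match slides, carried through in code as an added example (mine, not from the dissertation): the semi-quantitative scale (3 / 1 / 0), the rank within each class and the PQ and RQ products follow the slides; the ratings are constructed, the three device names are borrowed from the ISO 31010 Annex B technique list, and adding up the PQ x RQ products over the generic qualities to get one TQ per device is my reading of the slides.

```python
from collections import defaultdict

# The semi-quantitative scale from the slides: "well" = 3, "somewhat" = 1, "(almost) not" = 0.
CLASS_VALUES = {"well": 3, "somewhat": 1, "not": 0}


def rate_and_rank(assessment):
    """assessment: list of (generic quality, class label) in the assessor's order of
    preference, so that within one class an earlier entry outranks a later one.
    Returns {quality: (class, rank, class * rank)}."""
    by_class = defaultdict(list)
    for quality, label in assessment:
        by_class[CLASS_VALUES[label]].append(quality)
    scored = {}
    for cls, qualities in by_class.items():
        n = len(qualities)
        for position, quality in enumerate(qualities):
            rank = n - position  # best in class gets n points, last in class gets 1
            scored[quality] = (cls, rank, cls * rank)
    return scored


def provided_quality(device_assessment):
    """PQ per generic quality for one RA device, from the PQ assessor's ratings."""
    return {q: product for q, (_, _, product) in rate_and_rank(device_assessment).items()}


def required_quality(scope_assessment):
    """RQ per generic quality for the part in scope: same rate-then-rank procedure, other assessor."""
    return {q: product for q, (_, _, product) in rate_and_rank(scope_assessment).items()}


def total_quality(pq, rq):
    """TQ for one device: PQ x RQ per generic quality, summed (summing is an assumption)."""
    return sum(pq.get(q, 0) * rq.get(q, 0) for q in rq)


def rank_devices(devices, rq):
    """Sort RA devices by TQ, highest (most suitable for the part in scope) first."""
    scores = {name: total_quality(provided_quality(a), rq) for name, a in devices.items()}
    return sorted(scores.items(), key=lambda item: item[1], reverse=True)


# Constructed ratings over five of the eleven generic qualities; the device
# names come from ISO 31010 Annex B, the scores do not come from any real assessment.
DEVICES = {
    "Brainstorming": [("easy to use", "well"), ("inexpensive", "well"),
                      ("flexible", "somewhat"), ("efficient", "somewhat"), ("exact", "not")],
    "Checklists": [("easy to use", "well"), ("exact", "somewhat"), ("inexpensive", "well"),
                   ("efficient", "somewhat"), ("flexible", "not")],
    "FMEA": [("exact", "well"), ("efficient", "somewhat"), ("inexpensive", "not"),
             ("easy to use", "not"), ("flexible", "somewhat")],
}

# What a volunteer-run organisation might need from a method: cheap and easy first.
SCOPE_RQ = required_quality([("easy to use", "well"), ("inexpensive", "well"),
                             ("exact", "somewhat"), ("efficient", "not"), ("flexible", "not")])

if __name__ == "__main__":
    for name, assessment in DEVICES.items():
        for quality, (cls, rank, pq) in rate_and_rank(assessment).items():
            print(f"{name:14s} {quality:12s} class={cls} rank={rank} PQ={pq}")
    for name, tq in rank_devices(DEVICES, SCOPE_RQ):
        print(f"TQ {name:14s} {tq}")
```

The ordering within a class is what the rank step needs and what the slides leave to the assessor's judgement; here it is simply the order in which the assessor lists the qualities. Note how the method rewards a device for being strong in exactly the qualities the scope requires: FMEA scores highest on "exact" but ends up last because the constructed scope barely requires it.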

Mix and match Method

.. and so down to..

ISO27009

● Standard on how to create a sector specific “ISO27K”

● Statement of the obvious.. somewhat ridiculous.

● Harshly commented

ISO27009

However!

A group of volioti related volunteers could use this standard to draft a specific standard for their segment. This might well be a use case for the ISO 27009 standard.

And of course...

they might use my dissertation as a starting point.

Tip #10

Tips for your project

● Scratch your itch

● Seek advice from others

● Do your own thinking

● Research the technology

● Experiment

● Use what you were taught

● Engage with the real world

● Know when to stop researching

● Know when to start writing