Good thing mysensors has non-repeatable encryption....
-
because a veritable swiss army knife of radio hacking tools will soon be in the wild....and the creators of it just raised $5 Million for it on Kickstarter! The kickstarter video here:
https://www.youtube.com/watch?v=0T0YIzfigA4&feature=youtu.be
bears an uncanny resemblance to toy commercials. Soon even complete idiots will have the power to cause mayhem with yesteryear's radio devices. So far it's just for sub-1ghz, but surely 2.4ghz will be included in whatever the next product is that follows after this one. :face_with_rolling_eyes:
-
It's a nice find and thanks for sharing it and if someone adds support via GPIO link to a hackRF1 then it will go to 6GHz!
Personallly I think it is a little over hyped. The IR learner/replay is fine and I would expect a lot of 'built-in' ir codes from the start.
As for the RF side, well no mention about how it will deal with rolling encryption (used by most garage doors amongst others), no wifi or bluetooth (so many 'hackers' won't even bother with it) and a high price tag ($169USD) which is high for most 'kids' out there.
Also, any properly implemented RFID system will have measures to counter this device (I played with them a few years back and got it working where a clone card would not work).
I see there could be issues with it's use by some people, but I won't be ordering one. I HackRF1 will do all the RF send and receive up to 6GHz and an arduio can do the IR side. With HackRF1 about the same price it's the better option, but will require more learning to get going and a SBC to power it, still, it would be my choice if I wanted to go down that route.
-
It's a nice find and thanks for sharing it and if someone adds support via GPIO link to a hackRF1 then it will go to 6GHz!
Personallly I think it is a little over hyped. The IR learner/replay is fine and I would expect a lot of 'built-in' ir codes from the start.
As for the RF side, well no mention about how it will deal with rolling encryption (used by most garage doors amongst others), no wifi or bluetooth (so many 'hackers' won't even bother with it) and a high price tag ($169USD) which is high for most 'kids' out there.
Also, any properly implemented RFID system will have measures to counter this device (I played with them a few years back and got it working where a clone card would not work).
I see there could be issues with it's use by some people, but I won't be ordering one. I HackRF1 will do all the RF send and receive up to 6GHz and an arduio can do the IR side. With HackRF1 about the same price it's the better option, but will require more learning to get going and a SBC to power it, still, it would be my choice if I wanted to go down that route.
@skywatch I agree with you about the garage openers, but a lot of home automation products were built without encryption until relatively recently. For instance, IIRC, other than for z-wave doorlocks the z-wave standards had no encryption up until 2017, and well before then there were over 600 different kinds of home automation products built on the z-wave plantform. I think it may have been nearly the same for a great many other platforms as well.
-
@skywatch I agree with you about the garage openers, but a lot of home automation products were built without encryption until relatively recently. For instance, IIRC, other than for z-wave doorlocks the z-wave standards had no encryption up until 2017, and well before then there were over 600 different kinds of home automation products built on the z-wave plantform. I think it may have been nearly the same for a great many other platforms as well.
@NeverDie remember that mysensors encryption has a static IV so it is repeatable. Two identical messages will also be identical when encrypted. And therefore subject to replay attacks. Only when combined with signing do you get decent grade security.
Do you feel secure today? No? Start requiring some signatures and feel better tomorrow ;)
-
@NeverDie remember that mysensors encryption has a static IV so it is repeatable. Two identical messages will also be identical when encrypted. And therefore subject to replay attacks. Only when combined with signing do you get decent grade security.
@Anticimex said in Good thing mysensors has non-repeatable encryption....:
@NeverDie remember that mysensors encryption has a static IV so it is repeatable. Two identical messages will also be identical when encrypted. And therefore subject to replay attacks. Only when combined with signing do you get decent grade security.
You were right all along. I remember doubting that I would ever truly need it. Buying a signing chip and adding it a board seemed bordering on paranoid. And yet how quickly that perception has changed with the proliferation of hacker tools.
-
@Anticimex said in Good thing mysensors has non-repeatable encryption....:
@NeverDie remember that mysensors encryption has a static IV so it is repeatable. Two identical messages will also be identical when encrypted. And therefore subject to replay attacks. Only when combined with signing do you get decent grade security.
You were right all along. I remember doubting that I would ever truly need it. Buying a signing chip and adding it a board seemed bordering on paranoid. And yet how quickly that perception has changed with the proliferation of hacker tools.
@NeverDie in security engineering it is all about being ahead of the curve. Alas, personally I have not had the time to evolve the security solution further beyond the draft state as seen on github.
Do you feel secure today? No? Start requiring some signatures and feel better tomorrow ;)
-
@NeverDie in security engineering it is all about being ahead of the curve. Alas, personally I have not had the time to evolve the security solution further beyond the draft state as seen on github.
@Anticimex For a long time z-wave had all kinds of flaws that kept it from working the way it should. I remember that in 2010 I wanted to hack z-wave for the simple reason that I wanted to fix the flaws in my own system. However, I had no access to the tools now so readily available, and virtually everything about z-wave but the carrier frequency was a trade secret, so at the time it would have required tremendous effort to sort through it. At the time, that's what made it sufficiently secure for most people: not that z-wave couldn't be hacked, but the level of effort required to unravel it meant practically no one was doing it. And for most of the world mysensors was practically unknown, so for the same reason it seemed reasonably safe as well, even without the signing chip. Now that cracking tools are rapidly becoming a game that even children can play, it completely changes that assessment. I mean, in my neighborhood there are kids who ring doorbells and try to run away without being seen, just for fun. But from the looks of things, soon they'll be able to ring doorbells (figuratively and perhaps literally) and not have to run, because they'll be doing it from nowhere close.
So, what's coming next after that? i.e. where is the curve heading?
-
@Anticimex For a long time z-wave had all kinds of flaws that kept it from working the way it should. I remember that in 2010 I wanted to hack z-wave for the simple reason that I wanted to fix the flaws in my own system. However, I had no access to the tools now so readily available, and virtually everything about z-wave but the carrier frequency was a trade secret, so at the time it would have required tremendous effort to sort through it. At the time, that's what made it sufficiently secure for most people: not that z-wave couldn't be hacked, but the level of effort required to unravel it meant practically no one was doing it. And for most of the world mysensors was practically unknown, so for the same reason it seemed reasonably safe as well, even without the signing chip. Now that cracking tools are rapidly becoming a game that even children can play, it completely changes that assessment. I mean, in my neighborhood there are kids who ring doorbells and try to run away without being seen, just for fun. But from the looks of things, soon they'll be able to ring doorbells (figuratively and perhaps literally) and not have to run, because they'll be doing it from nowhere close.
So, what's coming next after that? i.e. where is the curve heading?
@NeverDie it is generally the view that because something is not easily understood by the general public, it does need securing. In other terms; security by obscurity.
To secure something properly, you need to view things from a more paranoid standpoint, assuming someone will actively try to bypass any mechanism put in place to prevent it. And always assume these mechanisms will be constantly challenged. The best approach (in my opinion) is to have as little obfuscation as possible and have the mindset that "even if you can access almost everything, you still cannot hack it".Do you feel secure today? No? Start requiring some signatures and feel better tomorrow ;)
-
@NeverDie it is generally the view that because something is not easily understood by the general public, it does need securing. In other terms; security by obscurity.
To secure something properly, you need to view things from a more paranoid standpoint, assuming someone will actively try to bypass any mechanism put in place to prevent it. And always assume these mechanisms will be constantly challenged. The best approach (in my opinion) is to have as little obfuscation as possible and have the mindset that "even if you can access almost everything, you still cannot hack it".@Anticimex One of the parents in my neighborhood is a professional penetration tester, and he has the view that just about any system can be penetrated if what's on it is valuable enough to justify the effort. He didn't elaborate on what the boundaries of effort were, so I guess you could both be right. Still, what we think is mathematically secure today could all be unraveled if quantum computers were to happen, so there's always that Damocles Sword hanging over things if there's no limit on paranoia. Just how does one judge what level of paranoia to apply? I mean an out-of-his-mind paranoid person would imagine that everyone but him already has access to unlimited quantum computing for free. On the other hand, if your security is good enough to handle even that, then you can certainly sleep soundly at night. ;-)
-
@Anticimex One of the parents in my neighborhood is a professional penetration tester, and he has the view that just about any system can be penetrated if what's on it is valuable enough to justify the effort. He didn't elaborate on what the boundaries of effort were, so I guess you could both be right. Still, what we think is mathematically secure today could all be unraveled if quantum computers were to happen, so there's always that Damocles Sword hanging over things if there's no limit on paranoia. Just how does one judge what level of paranoia to apply? I mean an out-of-his-mind paranoid person would imagine that everyone but him already has access to unlimited quantum computing for free. On the other hand, if your security is good enough to handle even that, then you can certainly sleep soundly at night. ;-)
@NeverDie well, post quantum cryptography is already a reality so the introduction of quantum technology won't prevent secrets staying secret if you so desire. But in most cases, the effort of breaking modern algorithms will still be so high it won't be readily doable since if the solution is designed clever enough, timeouts will be involved that force an attacker to derive the necessary keys in a limited time frame which require significant computing power.
Do you feel secure today? No? Start requiring some signatures and feel better tomorrow ;)
-
@NeverDie well, post quantum cryptography is already a reality so the introduction of quantum technology won't prevent secrets staying secret if you so desire. But in most cases, the effort of breaking modern algorithms will still be so high it won't be readily doable since if the solution is designed clever enough, timeouts will be involved that force an attacker to derive the necessary keys in a limited time frame which require significant computing power.
@Anticimex Well, seeing as you were already correctly ahead of the curve on this topic, you have my respect.
What then is your current view as to what is "good enough" security wrt mysensors? Is the current crypto-signing good enough, or is there something more (or different) that we should be doing now? -
@Anticimex Well, seeing as you were already correctly ahead of the curve on this topic, you have my respect.
What then is your current view as to what is "good enough" security wrt mysensors? Is the current crypto-signing good enough, or is there something more (or different) that we should be doing now?@NeverDie I would say that combined with signing (preferably hw based) the security solution should be good enough for personal use.
As always, with open source projects, deploying to sensitive environments are every person's own responsibility. To me the biggest issue with the existing signing solution is ease of use and efficiency. Removing the need for personalization and allowing less handshaking would be a good thing. A concept for this can be seen in the github issues tagged with security v3 but alas, time is not a luxury I have for this in recent years. Kids, house and so on takes its toll.
But technically, sha256 and hmac are still strong algorithms. But the shared static key is my biggest concern (which would be solved by ecdh key exchange). -
@Anticimex said in Good thing mysensors has non-repeatable encryption....:
@NeverDie remember that mysensors encryption has a static IV so it is repeatable. Two identical messages will also be identical when encrypted. And therefore subject to replay attacks. Only when combined with signing do you get decent grade security.
You were right all along. I remember doubting that I would ever truly need it. Buying a signing chip and adding it a board seemed bordering on paranoid. And yet how quickly that perception has changed with the proliferation of hacker tools.
@NeverDie Is a signing chip really necessary?
If the packets are truly encrypted, and the hack you're trying to foil is a simple replay attack, I would think that including a simple incrementing counter into the message would do it. All the receiver would have to do is to only accept decrypted messages with a counter number GREATER than the last one it received. This should be simple to do if the encryption/decryption is already considered relatively secure? -
@NeverDie Is a signing chip really necessary?
If the packets are truly encrypted, and the hack you're trying to foil is a simple replay attack, I would think that including a simple incrementing counter into the message would do it. All the receiver would have to do is to only accept decrypted messages with a counter number GREATER than the last one it received. This should be simple to do if the encryption/decryption is already considered relatively secure?@172pilot without a chip, the key for signing (and encryption) is entirely unprotected. So if your kode is stolen, it is trivial to extract it. And since it is shared on the network, that network is completely compromised until you change the key on all nodes that rely on it (which would be all in the network if encryption is used). Furthermore, in the case of encryption, the signing chip is not involved, so the encryption key is never physically protected.
So signing (with a atsha chip) is the only fully protected communication mechanism.Do you feel secure today? No? Start requiring some signatures and feel better tomorrow ;)
-
@172pilot without a chip, the key for signing (and encryption) is entirely unprotected. So if your kode is stolen, it is trivial to extract it. And since it is shared on the network, that network is completely compromised until you change the key on all nodes that rely on it (which would be all in the network if encryption is used). Furthermore, in the case of encryption, the signing chip is not involved, so the encryption key is never physically protected.
So signing (with a atsha chip) is the only fully protected communication mechanism.@Anticimex I 100% agree on the "totally protected" but since the issue, at least as far as protecting from the "kiddie toy" that was the subject of the original thread, I'm just saying to ONLY add a cheap level of protection that would prevent a basic record/playback of a valid signal, I'd think this would work... for free.. I totally get that a real signature system would be better, but at a significant cost and effort.
I dont know the bits and bytes of MySensors well, but I took as implication from the discussion that decryption of the packet wasn't the primary concern against this particular attack because you're right - If you can decrypt, it's over, especially if it's a single shared key amongst all the devices.. -
@Anticimex I 100% agree on the "totally protected" but since the issue, at least as far as protecting from the "kiddie toy" that was the subject of the original thread, I'm just saying to ONLY add a cheap level of protection that would prevent a basic record/playback of a valid signal, I'd think this would work... for free.. I totally get that a real signature system would be better, but at a significant cost and effort.
I dont know the bits and bytes of MySensors well, but I took as implication from the discussion that decryption of the packet wasn't the primary concern against this particular attack because you're right - If you can decrypt, it's over, especially if it's a single shared key amongst all the devices..@172pilot no, and this is why I have advocated signing over encryption. Signing gives entropy, authenticity and replay protection. It does not give obfuscation but the need for that is lower in my opinion than the other three. Yes, someone could sniff what states your locks are in, but they can also just try the handle to achieve the same thing.
-
@NeverDie Is a signing chip really necessary?
If the packets are truly encrypted, and the hack you're trying to foil is a simple replay attack, I would think that including a simple incrementing counter into the message would do it. All the receiver would have to do is to only accept decrypted messages with a counter number GREATER than the last one it received. This should be simple to do if the encryption/decryption is already considered relatively secure?@172pilot said in Good thing mysensors has non-repeatable encryption....:
@NeverDie Is a signing chip really necessary?
If the packets are truly encrypted, and the hack you're trying to foil is a simple replay attack, I would think that including a simple incrementing counter into the message would do it. All the receiver would have to do is to only accept decrypted messages with a counter number GREATER than the last one it received. This should be simple to do if the encryption/decryption is already considered relatively secure?I think the answer is probably yes. Today. At this moment. At least for me and probably you. I mean, one could reasonably ask: why bother with having better security than my garage door opener? But as cracker tools become more prevalent, who knows what's coming next? It's not just us against juveniles and thugs, it's us against whatever weapons juveniles or thugs can download or buy ready-to-use from kickstarter (or aliexpress for cheap soon thereafter).
