In the fall of 2002, an employee of a Norwegian newspaper was watching TV when his brand new computer suddenly came out of sleep mode and started beeping as if text was being typed on his keyboard. When he started his word processor, he discovered that the text was a private letter written by his boss and neighbor, even though they lived 150 meters apart.1 Both PCs had the same type of wireless keyboard, and the keyboard didn't implement an addressing function or any form of data encryption. Having neighbors inadvertently read your private correspondence doesn't exactly inspire confidence in wireless technology. In this case, a few simple precautions could have been made in the keyboard design to prevent such occurrences.
The above example underscores the security implications that must be addressed as more consumers adapt to wireless devices, leading to their greater proliferation and, ultimately, dropping prices. We'll look at what's known as the short-range radio market here, and consider security problems and possible solutions, including some example applications.
A typical short-range radio system transmits a few milliwatts or less of RF power, costs a few dollars, runs on batteries, and has a range of up to a few hundred meters. Although most of these systems use proprietary protocols, standards such as Bluetooth, IEEE 802.15.4, and ZigBee are gaining popularity. Many systems are implemented via small 8-bit MCUs, so they don't contain vast amounts of firmware.
Common applications might be simple cable replacement, car door openers, home automation equipment, automatic meter-reading systems, and so on. The security requirements of these different systems vary from none to relatively strict. Therefore, designers must look at the needs of each specific application.
Security Concepts And Threats
If no steps are taken, a radio link is an open medium that can be observed and tampered with by anyone in range. In a system with wired signalling, a potential wrongdoer must first gain physical access to some part of the system. However, in a wireless system, it's possible to access the system from a distance. There are several different ways to attack a system: eavesdrop on communications, alter or insert data, or make the system inoperable.
Different security tools can be used to counter these attacks. Cryptography works by rendering data unreadable to the attacker, which also helps prevent data alteration. Authentication helps to ensure that you're communicating with the correct person or device, and makes certain that the data you read hasn't been tampered with. Finally, techniques such as spread-spectrum radio technology and frequency agility make it difficult for an attacker to jam the radio link.
Cryptography is a field that has captured the public imagination with ingredients such as secret spy rings, cryptanalysts cracking Axis codes during World War II, and so on. It's extremely difficult to design a secure cipher from scratch. Even experts can fail embarrassingly. Therefore, it's sensible to choose a well-known algorithm that has passed the test of time. The Data Encryption Standard (DES) and Advanced Encryption Standard (AES) are two of the best-known algorithms. They are so-called symmetric ciphers, where the same key is used to encrypt and decrypt data.
Asymmetric ciphers also exist. The encryption key (called the public key) is different from the decryption key (called the private key), and the public key needn't be kept secret. This lets anyone send a coded message to a person or a device, which is very convenient. But asymmetric ciphers are much more processor-intensive than symmetric ciphers. So they're usually used to exchange symmetric keys instead of encrypting data directly.
Incorrectly implementing an encryption algorithm can create an insecure system. Security design can be very complex, so it's important to focus on the application's most important issues. Trying to think like an attacker is a useful technique; a good brainstorming session with your colleagues can help. In general, lots of thought should be put into determining the potential most serious threats. Studying what has gone wrong in other systems can shed light on the typical weaknesses.
Therefore, it's useful to study some standard attacks in detail. A popular one is the playback attack. If an attacker can record a valid message, he can play this back later to attack the system. Such an attack would be possible against car-door openers, prompting manufacturers to devise a solution called rolling codes. In a rolling-code system, the car key sends a different code each time. The code is determined by a pseudo-random sequence, and the receiver will only accept the next valid code (in real systems it will accept a few codes further into the sequence as well, in case a packet is lost).
In two-way systems, a challenge-response system is very efficient in foiling playback attacks. This works by having the receiver send a random challenge code. The key must then perform a secret computation on this code and send back a response.
Unfortunately, such a system is vulnerable to another attack. For example, let's say that your car has a keyless vehicle system. These systems interrogate the access card that you carry in your pocket, so the door opens automatically when you grab its handle. A car thief with a radio repeater and an accomplice could defeat this system simply by following you when you leave your car. While you're enjoying a cappuccino at your favorite coffee shop, the car thief activates his radio repeater. The thief's accomplice then grabs hold of the car door handle. The car sends an interrogation command, which is picked up by the repeater and amplified. The access card in your pocket receives this amplified signal and responds. The radio repeater then relays the response back to the car. Upon returning, you see that the car is gone. When the police find the stripped car, the black box inside reports only that it was opened using the authentic access card.
The car manufacturers are trying to foil this attack either by using an inductive system with a range of only a few inches for the interrogation channel, or by trying to measure the radio signal's "flight time." The latter is difficult to do with low-cost equipment, since time must be accurately measured within a few tens of nanoseconds. That's because analog and digital signal processing inside the radio, as well as protocol handling in embedded microcontrollers (MCUs), add jitter.
What Is An Appropriate Level Of Security?
Not every application needs a high level of security. For example, a wireless controller for a game console probably doesn't require any security features. Security must be weighed against other factors such as design time, cost, power consumption, convenience for the user, and so on. For example, DES or AES encryption may increase the cost of the final product if this isn't already built into the MCU or radio chip. Also, user convenience shouldn't be dismissed. For instance, the security of computer passwords is largely determined by how easy they are to remember.
The wireless keyboard story at the beginning of the article is a good example of insufficient security measures. A wireless keyboard for consumer use may not be able to withstand a deliberate attack, but inadvertent eavesdropping should never happen. Most people would be distressed if their neighbors could easily gain access to private letters and e-mails.
The simplest measure is to embed a unique ID, such as a serial number, in the keyboard. This is easy to achieve if the design uses a one-time-programmable (OTP) or flash-based MCU. If an MCU with ROM program memory is used, you will need to add an external low-cost EEPROM or dedicated-serial-number chip to the design.
Once a system uses unique serial numbers, the receiver that's connected to the PC can then check every received packet to see if it comes from the correct unit or not (Fig. 1). It's possible to implement a learning function so that the receiver can be paired with a different keyboard if this is desirable. This would work by having the user press a button on both units simultaneously. One unit would then send a packet containing its ID, and the other unit would store this ID for future use. Some kind of scrambling of the data also would foil inadvertent eavesdropping. A full-blown encryption algorithm such as DES or AES needs dedicated hardware or a powerful MCU, and is most likely ruled out in this application for cost reasons. A determined and skilled attacker could easily plant a bug in the keyboard or gain access in some other manner anyway, so there's little use in encrypting the radio link.
These assumptions are based on home or light business use. If the keyboard were to be used in a high-threat application, such as in a bank or in a company that's subject to industrial espionage, a higher level of security would be appropriate. Most likely, wireless keyboards would be banned in such environments.
The situation for home users could change as well. If criminals start driving around in neighborhoods collecting credit-card numbers and passwords by eavesdropping on people's wireless keyboards, strong encryption could become a necessary selling feature. That most likely would lead to dropping prices for MCU and radios with built-in encryption.