[Script Info] Title: [Events] Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text Dialogue: 0,0:00:00.00,0:00:19.92,Default,,0000,0000,0000,,{\i1}35c3 preroll music{\i0} Dialogue: 0,0:00:19.92,0:00:25.90,Default,,0000,0000,0000,,Angel: I'm very happy to be allowed to\Nannounce the following talk. Hunting the Dialogue: 0,0:00:25.90,0:00:34.73,Default,,0000,0000,0000,,Sigfox: Wireless IoT network security by\NFlorian. Some of you have might heard of Dialogue: 0,0:00:34.73,0:00:39.78,Default,,0000,0000,0000,,the work of Florian already, because\Nsometime ago there was an article on a Dialogue: 0,0:00:39.78,0:00:46.70,Default,,0000,0000,0000,,popular German website called "Furby from\Nhell" and somebody there hacked the Furby Dialogue: 0,0:00:46.70,0:00:51.03,Default,,0000,0000,0000,,and there was also a video where you could\Nsee the debug output on the displays which Dialogue: 0,0:00:51.03,0:00:56.97,Default,,0000,0000,0000,,are the eyes of the Furby. It was a really\Ndisturbing video and the guy who did this Dialogue: 0,0:00:56.97,0:01:08.36,Default,,0000,0000,0000,,is exactly Florian. {\i1}applause{\i0} Today he's\Ngonna talk about Sigfox which is not Dialogue: 0,0:01:08.36,0:01:15.11,Default,,0000,0000,0000,,another toy but a network technology for\NIoT devices. And like it's always we see Dialogue: 0,0:01:15.11,0:01:22.03,Default,,0000,0000,0000,,IoT word the security issues. So let's\Nhear a talk about the Internet of shit by Dialogue: 0,0:01:22.03,0:01:26.16,Default,,0000,0000,0000,,Florian and welcome him with a big round\Nof applause. Dialogue: 0,0:01:26.16,0:01:33.72,Default,,0000,0000,0000,,{\i1}applause{\i0}\NThank you for that introduction. So this Dialogue: 0,0:01:33.72,0:01:37.99,Default,,0000,0000,0000,,talk will be targeted at the technical\Naudience which is the case here but you Dialogue: 0,0:01:37.99,0:01:42.79,Default,,0000,0000,0000,,don't have to be RF experts on the trip in\Norder to understand this. 
So I will start Dialogue: 0,0:01:42.79,0:01:48.00,Default,,0000,0000,0000,,by covering some basics of RF technology\Nand some basics about Sigfox. And just Dialogue: 0,0:01:48.00,0:01:52.54,Default,,0000,0000,0000,,after that I'll start talking about an\Nanalysis of the Sigfox protocol and its Dialogue: 0,0:01:52.54,0:01:57.70,Default,,0000,0000,0000,,security. I'll mention the most important\Nthing first , which is that I didn't find Dialogue: 0,0:01:57.70,0:02:02.68,Default,,0000,0000,0000,,any serious vulnerabilities in the Sigfox\Nprotocol. But there are substantial weak Dialogue: 0,0:02:02.68,0:02:06.50,Default,,0000,0000,0000,,spots and you should be aware of these if\Nyou want to use Sigfox in your own Dialogue: 0,0:02:06.50,0:02:12.14,Default,,0000,0000,0000,,application. But let me introduce myself\Nfirst. I don't think there's a lot of Dialogue: 0,0:02:12.14,0:02:16.45,Default,,0000,0000,0000,,information you need to know about me, so\NI figured I'd just show you this picture Dialogue: 0,0:02:16.45,0:02:20.66,Default,,0000,0000,0000,,here of me instead. I'm not showing you\Nthis picture because I think I look so Dialogue: 0,0:02:20.66,0:02:27.38,Default,,0000,0000,0000,,fabulous but because I think that this cow\Nhere in the background is amazing and this Dialogue: 0,0:02:27.38,0:02:32.46,Default,,0000,0000,0000,,is not just any cow. This is Alice. Alice\Nthe cow. And as you can see she has a Dialogue: 0,0:02:32.46,0:02:38.36,Default,,0000,0000,0000,,great life, so she lives somewhere in the\Nmountains. And there's just one problem Dialogue: 0,0:02:38.36,0:02:45.95,Default,,0000,0000,0000,,with her. She likes to break out of her\Ncollar - her collar now her farmer which Dialogue: 0,0:02:45.95,0:02:50.60,Default,,0000,0000,0000,,is called Bob doesn't like this very\Nmuch but he recently heard about something Dialogue: 0,0:02:50.60,0:02:57.74,Default,,0000,0000,0000,,called the IoT. And he thinks that the IoT\Nis going to solve all of his problems. 
So Dialogue: 0,0:02:57.74,0:03:02.89,Default,,0000,0000,0000,,he purchased this collar here for Alice.\NSo this collar does a couple of thing - Dialogue: 0,0:03:02.89,0:03:08.72,Default,,0000,0000,0000,,couple of things. First of all, it\Ndetermines Alice's position based on GPS Dialogue: 0,0:03:08.72,0:03:13.57,Default,,0000,0000,0000,,satellites. It also measures measures her\Nbody temperature and then it transmits all Dialogue: 0,0:03:13.57,0:03:18.60,Default,,0000,0000,0000,,of this information to Bob. So that's what\Nhe wants to do. There's just one obvious Dialogue: 0,0:03:18.60,0:03:25.14,Default,,0000,0000,0000,,problem: How do we even get this data from\NAlice to Bob? Well, traditionally in the Dialogue: 0,0:03:25.14,0:03:30.39,Default,,0000,0000,0000,,IoT there have been two solutions that\Nhave often been employed. One of them is Dialogue: 0,0:03:30.39,0:03:34.89,Default,,0000,0000,0000,,Wi-Fi and the other one is mobile\Nnetworks. Now Wi-Fi is not going to work Dialogue: 0,0:03:34.89,0:03:41.18,Default,,0000,0000,0000,,in this application. Here we cannot cover\Nthe whole country site with Wi-Fi there's Dialogue: 0,0:03:41.18,0:03:46.55,Default,,0000,0000,0000,,just not enough range. Mobile networks,\Nthey would theoretically work but they are Dialogue: 0,0:03:46.55,0:03:51.20,Default,,0000,0000,0000,,just really expensive and they need a lot\Nof power. So you have to change the Dialogue: 0,0:03:51.20,0:03:56.74,Default,,0000,0000,0000,,battery relatively often. Luckily, these\Ndays there's a third option and it's Dialogue: 0,0:03:56.74,0:04:02.40,Default,,0000,0000,0000,,called the LPWan. And this is short for\NLow Power Wide Area Network. And the Dialogue: 0,0:04:02.40,0:04:07.65,Default,,0000,0000,0000,,LPWan is great because it solves\Nall of these problems. Now, how is this Dialogue: 0,0:04:07.65,0:04:12.18,Default,,0000,0000,0000,,possible? 
Why might we just - might have\Nwe just discovered the LPWan so recently, Dialogue: 0,0:04:12.18,0:04:17.25,Default,,0000,0000,0000,,why hasn't this been done before. What\Nkind of compromises do they make. And to Dialogue: 0,0:04:17.25,0:04:20.90,Default,,0000,0000,0000,,understand the compromises that LP\Nnetworks make we have to look at the Dialogue: 0,0:04:20.90,0:04:26.25,Default,,0000,0000,0000,,electromagnetic spectrum. So that's what\Nthe electromagnetic spectrum of a Wi-Fi Dialogue: 0,0:04:26.25,0:04:31.48,Default,,0000,0000,0000,,signal looks like. You can see that Wi-Fi\Nis fairly wide band and you have these Dialogue: 0,0:04:31.48,0:04:36.69,Default,,0000,0000,0000,,tiny ripples on top of the signal that is\Nnoise and we don't like this noise. In Dialogue: 0,0:04:36.69,0:04:41.41,Default,,0000,0000,0000,,order to find the power that's contained\Nin one of these Wi-Fi transmissions, we Dialogue: 0,0:04:41.41,0:04:45.82,Default,,0000,0000,0000,,have to look at the area underneath a\Ncurve. So that's the power of the Wi-Fi Dialogue: 0,0:04:45.82,0:04:54.69,Default,,0000,0000,0000,,signal. It's typically 20 MHz, that's the\Nbandwidth of Wi-Fi, and this red rectangle Dialogue: 0,0:04:54.69,0:04:59.58,Default,,0000,0000,0000,,on on top of the signal, this is the noise\Nand we don't want this. Now what Dialogue: 0,0:04:59.58,0:05:03.85,Default,,0000,0000,0000,,determines the range is not the absolute\Nvalue of the noise but the relative value Dialogue: 0,0:05:03.85,0:05:08.95,Default,,0000,0000,0000,,of the noise compared to the single power.\NAnd this root ratio is called the signal Dialogue: 0,0:05:08.95,0:05:14.50,Default,,0000,0000,0000,,to noise ratio or SNR for short. 
Now if\Nyou look at the blue and the red square Dialogue: 0,0:05:14.50,0:05:18.75,Default,,0000,0000,0000,,you can see that the red square is very\Nbig compared to the blue square, which Dialogue: 0,0:05:18.75,0:05:24.56,Default,,0000,0000,0000,,means that our signal to noise ratio is\Nreally bad. Now the solution to this is Dialogue: 0,0:05:24.56,0:05:28.95,Default,,0000,0000,0000,,kind of obvious once you know it: You just\Nconcentrate this whole signal power in a Dialogue: 0,0:05:28.95,0:05:35.26,Default,,0000,0000,0000,,very narrow frequency range. Now this way,\Nyou just have this tiny little ripple on Dialogue: 0,0:05:35.26,0:05:39.71,Default,,0000,0000,0000,,top of the signal and that's all your\Nnoise. So now your signal to noise ratio Dialogue: 0,0:05:39.71,0:05:44.06,Default,,0000,0000,0000,,is a lot better. And this focusing of the\Ncomplete signal power in a very near Dialogue: 0,0:05:44.06,0:05:48.96,Default,,0000,0000,0000,,frequency range that's called ultra\Nnarrowband technology and Sigfox is one of Dialogue: 0,0:05:48.96,0:05:55.62,Default,,0000,0000,0000,,these ultra narrowband technologies. Now\Nyou might wonder why don't we do this with Dialogue: 0,0:05:55.62,0:06:00.06,Default,,0000,0000,0000,,Wi-Fi as well. If the solution is so\Nsimple why don't we always concentrate the Dialogue: 0,0:06:00.06,0:06:04.05,Default,,0000,0000,0000,,complete signal power in a very narrow\Nfrequency range. And the answer's kind of Dialogue: 0,0:06:04.05,0:06:08.46,Default,,0000,0000,0000,,obvious. You can see it already. It's that\Nbandwidth is proportional to data rate. Dialogue: 0,0:06:08.46,0:06:11.77,Default,,0000,0000,0000,,When I'm saying that is obvious, that's\Nbecause it's sort of ingrained in our Dialogue: 0,0:06:11.77,0:06:16.42,Default,,0000,0000,0000,,language. So when I tell you that I have\Nbroadband internet you think that my Dialogue: 0,0:06:16.42,0:06:20.77,Default,,0000,0000,0000,,internet is fast. 
You don't think that my\Ninternet uses a lot of frequency real Dialogue: 0,0:06:20.77,0:06:25.87,Default,,0000,0000,0000,,estate. On the other hand if I tell you\Nthat Sigfox is an ultra narrowband Dialogue: 0,0:06:25.87,0:06:30.93,Default,,0000,0000,0000,,technology, you have to think Sigfox is\Nslow. And when I'm slow - things slow here Dialogue: 0,0:06:30.93,0:06:35.72,Default,,0000,0000,0000,,- it's not just a bit slow but extremely\Nslow. So here on the right you can see a Dialogue: 0,0:06:35.72,0:06:40.61,Default,,0000,0000,0000,,comparison between Sigfox and its very\Nfastest configuration and the 56k dial Dialogue: 0,0:06:40.61,0:06:49.44,Default,,0000,0000,0000,,up modem. Now this means that we can only\Ntransmit 140 uplinks per day and then Dialogue: 0,0:06:49.44,0:06:53.64,Default,,0000,0000,0000,,uplink can contain up to 12 bytes so\Nuplink would be from Alice's collar to the Dialogue: 0,0:06:53.64,0:06:59.68,Default,,0000,0000,0000,,Sigfox base station to Bob and we can only\Nreceive four downings per day and they are Dialogue: 0,0:06:59.68,0:07:04.28,Default,,0000,0000,0000,,not big either they are just 8 bytes. So\Nwhat I'm saying here is that you can Dialogue: 0,0:07:04.28,0:07:09.38,Default,,0000,0000,0000,,forget everything you happen to know about\NInternet protocol so there's no IP, Dialogue: 0,0:07:09.38,0:07:13.02,Default,,0000,0000,0000,,there's no DNS, there's no HDTV or\Nanything like that. Sigfox is a completely Dialogue: 0,0:07:13.02,0:07:18.75,Default,,0000,0000,0000,,separate protocol. Now even more than\Nthat, there's not even any signaling or Dialogue: 0,0:07:18.75,0:07:24.03,Default,,0000,0000,0000,,connection establishment. So when a Sigfox\Ndevice wants to transmit something, it's Dialogue: 0,0:07:24.03,0:07:28.61,Default,,0000,0000,0000,,just - it's just transmittes it's just\Nbroadcasting. 
So Sigfox device just sleeps Dialogue: 0,0:07:28.61,0:07:34.52,Default,,0000,0000,0000,,all day long until some interrupt occurs\Nlike some some timer overflows or some Dialogue: 0,0:07:34.52,0:07:40.28,Default,,0000,0000,0000,,button is pressed and then it broadcasts\Nthe information it has gathered. Sigfox Dialogue: 0,0:07:40.28,0:07:43.99,Default,,0000,0000,0000,,base stations may pick it up or not, and\Nif they do, they just forward this Dialogue: 0,0:07:43.99,0:07:47.88,Default,,0000,0000,0000,,information to Sigfox cloud. So we just\Nhave to look at one uplink transmission Dialogue: 0,0:07:47.88,0:07:54.24,Default,,0000,0000,0000,,and there's no, no long protocol on top of\Nthat. Now that's cool and this only works Dialogue: 0,0:07:54.24,0:07:57.20,Default,,0000,0000,0000,,if there's one device you may think. So\Nhow is this possible if you don't just Dialogue: 0,0:07:57.20,0:08:03.09,Default,,0000,0000,0000,,have one device but like ten devices or or\Nhundreds or thousands of devices. How can Dialogue: 0,0:08:03.09,0:08:06.98,Default,,0000,0000,0000,,we make sure that these uplink\Ntransmissions don't collide. And the Dialogue: 0,0:08:06.98,0:08:11.21,Default,,0000,0000,0000,,reality is that these uplink transmissions\Nmay actually collide. Again we have to Dialogue: 0,0:08:11.21,0:08:16.45,Default,,0000,0000,0000,,look at the radio spectrum to understand\Nthis - the sort of frequency multiplex our Dialogue: 0,0:08:16.45,0:08:22.09,Default,,0000,0000,0000,,uplink. So this this is frequency and\Ntime division multiple access. So you have Dialogue: 0,0:08:22.09,0:08:26.48,Default,,0000,0000,0000,,Sigfox uplink at different frequencies at\Nthe same time and whenever a Sigfox device Dialogue: 0,0:08:26.48,0:08:30.32,Default,,0000,0000,0000,,wants to transmit an uplink, it first\Nchooses a frequency to transmit at Dialogue: 0,0:08:30.32,0:08:35.01,Default,,0000,0000,0000,,randomly. 
And the likelihood of two of\Nthese very narrow band signals colliding Dialogue: 0,0:08:35.01,0:08:41.57,Default,,0000,0000,0000,,is just extremely slim. Now all of these\Npeaks you can see in this diagram, are not Dialogue: 0,0:08:41.57,0:08:46.77,Default,,0000,0000,0000,,all cows. There are also a bunch\Nof other Sigfox devices. And for instance Dialogue: 0,0:08:46.77,0:08:52.21,Default,,0000,0000,0000,,Sigfox is also used in areas like smart\Nhomes, MARK metering, smart city, the Dialogue: 0,0:08:52.21,0:08:58.11,Default,,0000,0000,0000,,agriculture industry 4.0. So essentially\Nwe have the full range of buzzwords and Dialogue: 0,0:08:58.11,0:09:02.94,Default,,0000,0000,0000,,this probably helps Sigfox raise 250\Nmillion euros during the last couple of Dialogue: 0,0:09:02.94,0:09:07.24,Default,,0000,0000,0000,,years. And with all of that money they\Nalready got pretty decent coverage, as you Dialogue: 0,0:09:07.24,0:09:12.40,Default,,0000,0000,0000,,can see in the coverage map on the left.\NNow one thing that's cool about Sigfox is Dialogue: 0,0:09:12.40,0:09:17.97,Default,,0000,0000,0000,,that they use the unlicensed spectrum in\NEurope. That's at 868 MHz. This is cool Dialogue: 0,0:09:17.97,0:09:24.24,Default,,0000,0000,0000,,because it's free to use so Sigfox is\Nextremely cheap. Now just the downside of Dialogue: 0,0:09:24.24,0:09:29.21,Default,,0000,0000,0000,,Sigfox is that Sigfox is completely\Nproprietary so we cannot verify whether Dialogue: 0,0:09:29.21,0:09:32.18,Default,,0000,0000,0000,,it's secure or not. And this is the part\NI'm trying to change with this Dialogue: 0,0:09:32.18,0:09:36.99,Default,,0000,0000,0000,,presentation here. And look at a security\Nof the Sigfox protocol and see if it's if Dialogue: 0,0:09:36.99,0:09:42.11,Default,,0000,0000,0000,,it's any good. I'll say Sigfox is not the\Nonly LP of technology. There are a bunch Dialogue: 0,0:09:42.11,0:09:48.12,Default,,0000,0000,0000,,of others. 
So here are a couple of names\Nbut to be honest I'd say that these three Dialogue: 0,0:09:48.12,0:09:55.26,Default,,0000,0000,0000,,here are the ones you should remember. So\Nthat's all I have to say about the Sigfox. Dialogue: 0,0:09:55.26,0:10:00.40,Default,,0000,0000,0000,,Sigfox technology and Sigfox basics. Let's\Njust do a quick refresher of RF basics Dialogue: 0,0:10:00.40,0:10:04.07,Default,,0000,0000,0000,,first. So this is going to be extremely\Nshort and many of you are going to know Dialogue: 0,0:10:04.07,0:10:08.94,Default,,0000,0000,0000,,this already. So the basic idea is that I\Nwant to transmit some information Dialogue: 0,0:10:08.94,0:10:15.55,Default,,0000,0000,0000,,wirelessly and to do this I have to emit\Nan electromagnetic wave. So this is what Dialogue: 0,0:10:15.55,0:10:20.08,Default,,0000,0000,0000,,an EM wave looks like. As you can see\Nthere's no information on there. We have Dialogue: 0,0:10:20.08,0:10:24.89,Default,,0000,0000,0000,,to put some information on there somehow\Nand this process is called modulation. Dialogue: 0,0:10:24.89,0:10:28.82,Default,,0000,0000,0000,,There are different ways to modulate a\Nradio wave. And one of them is phase Dialogue: 0,0:10:28.82,0:10:35.05,Default,,0000,0000,0000,,modulation. This means that in this case\Nhere whenever the phase changes by 180 Dialogue: 0,0:10:35.05,0:10:40.46,Default,,0000,0000,0000,,degrees that's the one when if phase is\Nchanged and stays the same. That's zero. Dialogue: 0,0:10:40.46,0:10:44.33,Default,,0000,0000,0000,,So this is a special kind of phase\Nmodulation that Sigfox uses. So you can Dialogue: 0,0:10:44.33,0:10:49.76,Default,,0000,0000,0000,,see these knees in the sine wave. Now this\Nis not the only modulation technique. Dialogue: 0,0:10:49.76,0:10:55.24,Default,,0000,0000,0000,,There's also frequency modulation. You\Nprobably know this from your car radio for Dialogue: 0,0:10:55.24,0:11:01.51,Default,,0000,0000,0000,,instance. 
So this is frequency modulation\N- frequency modulation just means that Dialogue: 0,0:11:01.51,0:11:05.21,Default,,0000,0000,0000,,whenever the frequency is a bit higher\Nthen that's the one. And when the Dialogue: 0,0:11:05.21,0:11:08.91,Default,,0000,0000,0000,,frequency is a bit lower that's a zero.\NLike your car radio uses the analog Dialogue: 0,0:11:08.91,0:11:12.17,Default,,0000,0000,0000,,version of this but this just frequency\Nshift keying which is a very similar Dialogue: 0,0:11:12.17,0:11:18.24,Default,,0000,0000,0000,,technique. Let's actually get started with\Nthe Sigfox uplink. At this point I want to Dialogue: 0,0:11:18.24,0:11:23.83,Default,,0000,0000,0000,,thank Paul Pino. He did some really\Namazing reverse engineering work of some Dialogue: 0,0:11:23.83,0:11:27.57,Default,,0000,0000,0000,,basic reverse engineering work of the\NSigfox protocol and published it on his Dialogue: 0,0:11:27.57,0:11:33.20,Default,,0000,0000,0000,,blog. And this really helped me get\Nstarted with my own analysis. So to Dialogue: 0,0:11:33.20,0:11:37.98,Default,,0000,0000,0000,,analyze the Sigfox protocol myself, I\Nfirst wanted to record one of these uplink Dialogue: 0,0:11:37.98,0:11:44.26,Default,,0000,0000,0000,,frames. So I got two Sigfox devices, one\Nof them is the pycom SiPy and the other Dialogue: 0,0:11:44.26,0:11:49.25,Default,,0000,0000,0000,,one is a development kit by FC micro\Nelectronics. And I also had a software Dialogue: 0,0:11:49.25,0:11:53.93,Default,,0000,0000,0000,,defined radio so for those of you who\Ndon't know a software defined radio or as Dialogue: 0,0:11:53.93,0:11:59.32,Default,,0000,0000,0000,,SDR for short is just a device that's\Npretty much a microphone but not for Dialogue: 0,0:11:59.32,0:12:03.81,Default,,0000,0000,0000,,sound, for sound waves, but for\Nelectromagnetic waves. 
So we can use this Dialogue: 0,0:12:03.81,0:12:09.28,Default,,0000,0000,0000,,to record electromagnetic waves into\Nsomething that's very similar to a sound Dialogue: 0,0:12:09.28,0:12:14.56,Default,,0000,0000,0000,,file. And I just want you to listen to one\Nof these sound files first and I want you Dialogue: 0,0:12:14.56,0:12:19.03,Default,,0000,0000,0000,,to know that this is going to be in real\Ntime. And it's also just one piece of Dialogue: 0,0:12:19.03,0:12:22.73,Default,,0000,0000,0000,,information that I'm transmitting, so this\Nis not a couple of transmissions but just Dialogue: 0,0:12:22.73,0:12:34.65,Default,,0000,0000,0000,,one transmission. The interesting part\Nhere is that even though I was just Dialogue: 0,0:12:34.65,0:12:39.92,Default,,0000,0000,0000,,transmitting one piece of information, we\Nhave three uplinks at different Dialogue: 0,0:12:39.92,0:12:45.24,Default,,0000,0000,0000,,frequencies apparently. Now I wanted to\Nfind out what's the relationship between Dialogue: 0,0:12:45.24,0:12:50.44,Default,,0000,0000,0000,,these these different Sigfox uplinks and\Nto find this out I had to demodulate it, Dialogue: 0,0:12:50.44,0:12:56.92,Default,,0000,0000,0000,,so demodulation means that I know that Fox\Nuplink uses D-BPSK, thats differential Dialogue: 0,0:12:56.92,0:13:00.23,Default,,0000,0000,0000,,binary phase shift keying, which is a\Nspecial kind of the phase modulation I've Dialogue: 0,0:13:00.23,0:13:05.67,Default,,0000,0000,0000,,been talking about and using this\Ninformation I can write a demodulator Dialogue: 0,0:13:05.67,0:13:11.19,Default,,0000,0000,0000,,software and this outputs a hexadecimal\Nrepresentation of the Sigfox uplink; so Dialogue: 0,0:13:11.19,0:13:15.42,Default,,0000,0000,0000,,just binary representation. And that's\Nwhat it looks like. So I've colored these Dialogue: 0,0:13:15.42,0:13:20.76,Default,,0000,0000,0000,,three uplink frames in different colors so\Nthat you can distinguish them. 
Now let's Dialogue: 0,0:13:20.76,0:13:26.31,Default,,0000,0000,0000,,have a close look at these and see what\Nthey have in common. So the one thing they Dialogue: 0,0:13:26.31,0:13:31.44,Default,,0000,0000,0000,,have in common is this preamble here but\Neverything else appears to be completely Dialogue: 0,0:13:31.44,0:13:37.70,Default,,0000,0000,0000,,uncorrelated. That's what I thought at\Nfirst, but eventually it turned out that Dialogue: 0,0:13:37.70,0:13:42.30,Default,,0000,0000,0000,,this is convolution or coding. I guess if\Nyou're a coding person it's enough for me Dialogue: 0,0:13:42.30,0:13:46.95,Default,,0000,0000,0000,,to tell you that this is a (5,7)\Nconvolutional code and if not you probably Dialogue: 0,0:13:46.95,0:13:51.48,Default,,0000,0000,0000,,don't know what these words even mean. So\Nthis is a convolutional code. It just Dialogue: 0,0:13:51.48,0:13:56.00,Default,,0000,0000,0000,,means that I take this unencoded input,\Nwhich is the red frame, and feed it into Dialogue: 0,0:13:56.00,0:14:01.38,Default,,0000,0000,0000,,these schematic diagrams here which are\Nmade up of shift registers and XOR Dialogue: 0,0:14:01.38,0:14:06.21,Default,,0000,0000,0000,,operations and out comes the encoded data.\NThat's that's all there is to have (5,7) Dialogue: 0,0:14:06.21,0:14:14.06,Default,,0000,0000,0000,,convolutional code. Now this means that\Nthe first, second and third transmission Dialogue: 0,0:14:14.06,0:14:18.72,Default,,0000,0000,0000,,all contain the exact same information. So\Nwhy am I transmitting this information Dialogue: 0,0:14:18.72,0:14:26.99,Default,,0000,0000,0000,,three times? The technical term for this\Nis coding gain. So coding gain is just a Dialogue: 0,0:14:26.99,0:14:31.21,Default,,0000,0000,0000,,fancy way of saying that this helps us\Ncorrect bit errors or transmissions errors Dialogue: 0,0:14:31.21,0:14:36.84,Default,,0000,0000,0000,,if they happen to occur in the uplink\Ntransmission. 
But to continue I just have Dialogue: 0,0:14:36.84,0:14:42.65,Default,,0000,0000,0000,,to focus on this initial transmission here\Nwhich is the one that's unencoded, and I Dialogue: 0,0:14:42.65,0:14:46.08,Default,,0000,0000,0000,,can just ignore the other ones because\Nthey are just the same information anyway, Dialogue: 0,0:14:46.08,0:14:50.42,Default,,0000,0000,0000,,just encoded differently. So of course I\Ncaptured a couple of these first Dialogue: 0,0:14:50.42,0:14:55.56,Default,,0000,0000,0000,,transmissions just ignored the rest and\Nthey were all with the same payload so Dialogue: 0,0:14:55.56,0:15:01.18,Default,,0000,0000,0000,,that I can find some similarities. Now\Nlet's look at a bunch of these. So the Dialogue: 0,0:15:01.18,0:15:06.35,Default,,0000,0000,0000,,whole trick to analyzing these wireless\Nprotocols is just to keep staring at these Dialogue: 0,0:15:06.35,0:15:12.09,Default,,0000,0000,0000,,hex dumps for a very long time until you\Nsee some patterns. And I think you can Dialogue: 0,0:15:12.09,0:15:16.43,Default,,0000,0000,0000,,already spot some of them. So that's the\Npreamble, we already talked about that. Dialogue: 0,0:15:16.43,0:15:21.02,Default,,0000,0000,0000,,Then here we have some header. Then this\Nis a sequence number. This is especially Dialogue: 0,0:15:21.02,0:15:26.05,Default,,0000,0000,0000,,easy to spot because the number is\Nincremented after every transmission. Then Dialogue: 0,0:15:26.05,0:15:31.18,Default,,0000,0000,0000,,here that's the device ID. So this is a\Nunique identifier for every Sigfox device Dialogue: 0,0:15:31.18,0:15:35.03,Default,,0000,0000,0000,,which tells us that this uplink\Ntransmission was from Alice and not from Dialogue: 0,0:15:35.03,0:15:40.58,Default,,0000,0000,0000,,some other cow or some other device, and\Nthat is the payload. 
And as you can see Dialogue: 0,0:15:40.58,0:15:46.65,Default,,0000,0000,0000,,it's completely unencoded and unencrypted.\NNow this may seem bad but it's not really Dialogue: 0,0:15:46.65,0:15:51.41,Default,,0000,0000,0000,,a problem in terms of security issues\Nbecause this is documented behavior. So Dialogue: 0,0:15:51.41,0:15:55.79,Default,,0000,0000,0000,,when you look at Sigfox security white\Npaper they say that data is conveyed over Dialogue: 0,0:15:55.79,0:16:00.49,Default,,0000,0000,0000,,the air without any encryption. So that's\Nstrange, but it's not really really a Dialogue: 0,0:16:00.49,0:16:05.56,Default,,0000,0000,0000,,problem as long as it's documented. But\Neventually after staring at these frames Dialogue: 0,0:16:05.56,0:16:10.94,Default,,0000,0000,0000,,for some more time I figured out this\Nframe structure here. So you don't have to Dialogue: 0,0:16:10.94,0:16:16.05,Default,,0000,0000,0000,,remember all of this. I'm going to publish\Nan 80 page document that contains all of Dialogue: 0,0:16:16.05,0:16:21.21,Default,,0000,0000,0000,,the boring protocol details and you can\Nread up what every flag bit means later Dialogue: 0,0:16:21.21,0:16:25.99,Default,,0000,0000,0000,,on. But for now I just want to focus on a\Ncouple of things. First one to wrap this Dialogue: 0,0:16:25.99,0:16:31.20,Default,,0000,0000,0000,,up a bit. So whenever we receive an uplink\Nframe from Alice the cow this is Dialogue: 0,0:16:31.20,0:16:35.26,Default,,0000,0000,0000,,essentially what she's telling us. So most\Nimportantly that's the payload. What she's Dialogue: 0,0:16:35.26,0:16:40.18,Default,,0000,0000,0000,,doing right now for instance. And then\Nthere's also the device ID which tells us Dialogue: 0,0:16:40.18,0:16:46.81,Default,,0000,0000,0000,,that this is Alice. And there's also a\Nbunch of more information in there. Now Dialogue: 0,0:16:46.81,0:16:51.07,Default,,0000,0000,0000,,again I want to focus on two fields here\Nthat are a bit more interesting. 
One of Dialogue: 0,0:16:51.07,0:16:57.77,Default,,0000,0000,0000,,them is the CRC and the other one is the\NMAC. Now, CRC, if you're a coding person Dialogue: 0,0:16:57.77,0:17:03.22,Default,,0000,0000,0000,,again you probably know what to do with\Nthis information here for everyone else Dialogue: 0,0:17:03.22,0:17:07.97,Default,,0000,0000,0000,,you might know this already, but this is\Njust the checksum so this helps us detect Dialogue: 0,0:17:07.97,0:17:12.42,Default,,0000,0000,0000,,bit errors in the uplink frame and correct\N... not correct them, but to discard the Dialogue: 0,0:17:12.42,0:17:17.65,Default,,0000,0000,0000,,uplink frame in case these bit errors\Noccur. Now this here, the MAC is a bit Dialogue: 0,0:17:17.65,0:17:22.98,Default,,0000,0000,0000,,more interesting. So in this case MAC does\Nnot stand for an Apple computer. It also Dialogue: 0,0:17:22.98,0:17:27.35,Default,,0000,0000,0000,,doesn't stand for a MAC address so it has\Nnothing to do with medium access control Dialogue: 0,0:17:27.35,0:17:33.23,Default,,0000,0000,0000,,or Ethernet or anything. It stands for\Nmessage authentication code. Now as the Dialogue: 0,0:17:33.23,0:17:38.07,Default,,0000,0000,0000,,name says a message authentication code is\Nfor authenticity protection. So this is Dialogue: 0,0:17:38.07,0:17:42.46,Default,,0000,0000,0000,,something that's very similar to digital\Nsignatures. So you might know digital Dialogue: 0,0:17:42.46,0:17:48.40,Default,,0000,0000,0000,,signatures just from PGP e-mails and so\Non. But it doesn't use ... like PGP Dialogue: 0,0:17:48.40,0:17:54.95,Default,,0000,0000,0000,,e-mails use something like RSA so they\Nhave an asymmetric scheme, whereas message Dialogue: 0,0:17:54.95,0:18:00.19,Default,,0000,0000,0000,,authentication codes they use a symmetric\Nencryption scheme like for instance AES. Dialogue: 0,0:18:00.19,0:18:04.18,Default,,0000,0000,0000,,Now this slide is not that important. 
The\Nonly important part is that I wanted this Dialogue: 0,0:18:04.18,0:18:08.51,Default,,0000,0000,0000,,algorithm here. So I wanted the algorithm\Nthat I can use to generate one of these Dialogue: 0,0:18:08.51,0:18:14.51,Default,,0000,0000,0000,,MACs. I already have the payload and all\Nof the message I'm transmitting. I didn't Dialogue: 0,0:18:14.51,0:18:21.36,Default,,0000,0000,0000,,have the key yet so I wanted the key. Now\Nat first I thought it was impossible to Dialogue: 0,0:18:21.36,0:18:26.34,Default,,0000,0000,0000,,get the key from a Sigfox device because\Nif you watch Sigfoxes YouTube video on Dialogue: 0,0:18:26.34,0:18:32.40,Default,,0000,0000,0000,,security, they say that the secret key is\Nstored in non accessible memory. So this Dialogue: 0,0:18:32.40,0:18:38.30,Default,,0000,0000,0000,,sounds secure right? But it turns out that\Nwhen I first got the pycom SiPy, this Dialogue: 0,0:18:38.30,0:18:42.74,Default,,0000,0000,0000,,development kit here, it wanted to update\Nthe firmware and it didn't just update the Dialogue: 0,0:18:42.74,0:18:47.59,Default,,0000,0000,0000,,firmware, but this is a section of the\NSiPys flash memory before the so-called Dialogue: 0,0:18:47.59,0:18:51.61,Default,,0000,0000,0000,,firmware update, and this is the same\Nsection after the firmware update and it Dialogue: 0,0:18:51.61,0:18:55.23,Default,,0000,0000,0000,,totally provisioned the device ID, some\Nother code and that's the secret key. 
Dialogue: 0,0:18:55.23,0:18:59.15,Default,,0000,0000,0000,,{\i1}applause{\i0}\NSo the secret key is in plain text in Dialogue: 0,0:18:59.15,0:19:03.85,Default,,0000,0000,0000,,flash memory.\N{\i1}applause continues{\i0} Dialogue: 0,0:19:03.85,0:19:09.17,Default,,0000,0000,0000,,You might say that's not really a problem\Nbecause you need physical access to this Dialogue: 0,0:19:09.17,0:19:15.35,Default,,0000,0000,0000,,device in order to to get the secret key.\NBut still I confronted Sigfox about this Dialogue: 0,0:19:15.35,0:19:21.74,Default,,0000,0000,0000,,issue and their response was that yeah\Nthey do offer solutions where the secret Dialogue: 0,0:19:21.74,0:19:27.22,Default,,0000,0000,0000,,key is not stored in plain text but it\Ncosts some money and many manufacturers Dialogue: 0,0:19:27.22,0:19:32.09,Default,,0000,0000,0000,,don't choose to use it. So pycom for\Ninstance didn't have this secure element Dialogue: 0,0:19:32.09,0:19:38.79,Default,,0000,0000,0000,,chip. But at this point I had the key, So\Njust based on some educated guessing I was Dialogue: 0,0:19:38.79,0:19:44.09,Default,,0000,0000,0000,,able to find the algorithm that's used for\Ncalculating the MAC, and many of you Dialogue: 0,0:19:44.09,0:19:48.41,Default,,0000,0000,0000,,probably know this already, so this is\NCBC-MAC which is just a AES in chiper block Dialogue: 0,0:19:48.41,0:19:52.85,Default,,0000,0000,0000,,chaining mode, so can we can use the\Nstructure to generate a MAC. The input to Dialogue: 0,0:19:52.85,0:19:57.99,Default,,0000,0000,0000,,this algorithm is not just the payload but\Nalso some other information like the flag Dialogue: 0,0:19:57.99,0:20:02.74,Default,,0000,0000,0000,,bits, the sequence number, the device ID\Nand the payload of course. So yeah that's Dialogue: 0,0:20:02.74,0:20:07.98,Default,,0000,0000,0000,,that's how it should be. So let's look at\Nthe security of the uplink. 
It looks Dialogue: 0,0:20:07.98,0:20:12.83,Default,,0000,0000,0000,,pretty good at first glance. So they\Nuse well-established algorithms like CBC- Dialogue: 0,0:20:12.83,0:20:18.42,Default,,0000,0000,0000,,MAC. So CBC-MAC is also used in Wi-Fi, so\Nit's tried and true. I didn't find any Dialogue: 0,0:20:18.42,0:20:22.64,Default,,0000,0000,0000,,obvious implementation flaws in the uplink\Nso I tried to fuzz the uplink but it Dialogue: 0,0:20:22.64,0:20:27.38,Default,,0000,0000,0000,,didn't get accepted. Now one problem is\Nthat we don't have any payload Dialogue: 0,0:20:27.38,0:20:32.74,Default,,0000,0000,0000,,confidentiality, so this is documented but\Nstill I wondered why would you design a Dialogue: 0,0:20:32.74,0:20:38.40,Default,,0000,0000,0000,,protocol in 2018 or a couple of years ago\Nwithout any encryption? And their response Dialogue: 0,0:20:38.40,0:20:44.25,Default,,0000,0000,0000,,was that they do offer an encrypted\Nsolution, but of course it takes some Dialogue: 0,0:20:44.25,0:20:49.88,Default,,0000,0000,0000,,energy to calculate encryption and it\Nreally matters if you're talking about Dialogue: 0,0:20:49.88,0:20:54.29,Default,,0000,0000,0000,,devices with tens of years of battery\Nlife, then just performing this one Dialogue: 0,0:20:54.29,0:21:00.50,Default,,0000,0000,0000,,encryption can make a difference. Now this\Nis not a real problem in my opinion. I Dialogue: 0,0:21:00.50,0:21:04.79,Default,,0000,0000,0000,,think the real problem with the Sigfox\Nuplink are these two here. I think the MAC Dialogue: 0,0:21:04.79,0:21:09.44,Default,,0000,0000,0000,,is just way too short and the sequence\Nnumber is extremely short and this makes Dialogue: 0,0:21:09.44,0:21:14.47,Default,,0000,0000,0000,,brute force and replay attacks possible.\NSo let's look at the brute force attack Dialogue: 0,0:21:14.47,0:21:21.09,Default,,0000,0000,0000,,first and let's just look at the ideal\Nscenario.
So this is an ideal world - just Dialogue: 0,0:21:21.09,0:21:25.49,Default,,0000,0000,0000,,Alice transmitting her uplink frame to the\NSigfox cloud. That's what we want. No Dialogue: 0,0:21:25.49,0:21:30.90,Default,,0000,0000,0000,,attacker here. Now when she's transmitting\Nthis uplink frame she's also transmitting Dialogue: 0,0:21:30.90,0:21:36.53,Default,,0000,0000,0000,,a MAC and in a worst case scenario this\NMAC is just 16 bits long. So if you do the Dialogue: 0,0:21:36.53,0:21:42.51,Default,,0000,0000,0000,,math, the number of possible values for\Nthe MAC is very limited. So the idea would Dialogue: 0,0:21:42.51,0:21:47.26,Default,,0000,0000,0000,,be to just try one MAC after the other...\N{\i1}laughter{\i0} Dialogue: 0,0:21:47.26,0:21:52.50,Default,,0000,0000,0000,,...that's brute-forcing, right. Now with\Nmost protocols this is not very practical Dialogue: 0,0:21:52.50,0:21:57.80,Default,,0000,0000,0000,,because this takes a lot of time. Again\Nlooking at the worst case scenario, if we Dialogue: 0,0:21:57.80,0:22:03.33,Default,,0000,0000,0000,,do the math it's possible in just less\Nthan four hours. So that's not great. And Dialogue: 0,0:22:03.33,0:22:08.26,Default,,0000,0000,0000,,remember in the beginning I told you\Nsomething about frequency multiplexing and Dialogue: 0,0:22:08.26,0:22:13.60,Default,,0000,0000,0000,,these multiple uplinks that can coexist at\Nthe same time, we can even do this for the Dialogue: 0,0:22:13.60,0:22:18.82,Default,,0000,0000,0000,,attack. We can just frequency multiplex\Nour attack and we can do this not just Dialogue: 0,0:22:18.82,0:22:23.56,Default,,0000,0000,0000,,at four frequencies like it's shown here\Nbut at 300 frequencies. And then we're not Dialogue: 0,0:22:23.56,0:22:27.46,Default,,0000,0000,0000,,talking about a couple of hours to try all\Npossible MACs, but it's a matter of Dialogue: 0,0:22:27.46,0:22:34.69,Default,,0000,0000,0000,,minutes so that sounds bad.
So I\Nconfronted Sigfox about this and their Dialogue: 0,0:22:34.69,0:22:39.22,Default,,0000,0000,0000,,response was that yes they are aware of\Nthis issue but they have implemented some Dialogue: 0,0:22:39.22,0:22:43.88,Default,,0000,0000,0000,,kind of blacklist. Now I wasn't able to\Nconfirm this information because I only Dialogue: 0,0:22:43.88,0:22:48.10,Default,,0000,0000,0000,,had development kits and they say that\Ndevelopment kits are exempt from this Dialogue: 0,0:22:48.10,0:22:53.85,Default,,0000,0000,0000,,regulation. Now, this is great if they\Nhave implemented this blacklist, but on Dialogue: 0,0:22:53.85,0:22:57.13,Default,,0000,0000,0000,,the other hand this also means that now we\Nhave a conflict between two security Dialogue: 0,0:22:57.13,0:23:00.96,Default,,0000,0000,0000,,goals. One of them is authenticity\Nprotection and the other one is Dialogue: 0,0:23:00.96,0:23:04.81,Default,,0000,0000,0000,,availability. So you're not going to have\Nperfect availability if you're using Dialogue: 0,0:23:04.81,0:23:10.94,Default,,0000,0000,0000,,Sigfox. But on the other hand, if you\Nwant perfect availability maybe you just Dialogue: 0,0:23:10.94,0:23:15.47,Default,,0000,0000,0000,,shouldn't use a wireless system in the\Nfirst place. Now, the other attack is the Dialogue: 0,0:23:15.47,0:23:20.55,Default,,0000,0000,0000,,replay attack. This just means that I\Ncapture an uplink frame from Alice and at Dialogue: 0,0:23:20.55,0:23:25.72,Default,,0000,0000,0000,,some later point in time I just replay it\Nto the Sigfox base station and hope it Dialogue: 0,0:23:25.72,0:23:31.07,Default,,0000,0000,0000,,gets accepted. But usually it doesn't get\Naccepted because the sequence number is a Dialogue: 0,0:23:31.07,0:23:36.09,Default,,0000,0000,0000,,replay protection. But again in the case\Nof Sigfox the sequence number is very Dialogue: 0,0:23:36.09,0:23:41.01,Default,,0000,0000,0000,,short, just 12 bits long. So it's going to\Noverflow eventually.
And again looking at Dialogue: 0,0:23:41.01,0:23:46.59,Default,,0000,0000,0000,,the worst case scenario this is after less\Nthan 30 days. I had to ask Sigfox about Dialogue: 0,0:23:46.59,0:23:50.75,Default,,0000,0000,0000,,this as well, and their response was that\Nif you choose their so-called encrypted Dialogue: 0,0:23:50.75,0:23:55.87,Default,,0000,0000,0000,,solution, so that was the one that also\Ndoes the payload encryption, then you're Dialogue: 0,0:23:55.87,0:24:01.18,Default,,0000,0000,0000,,going to have a 20 bit sequence number. So\Nyou should probably use that if you Dialogue: 0,0:24:01.18,0:24:08.19,Default,,0000,0000,0000,,don't want to have replay attacks. So in\Nsummary if all you want to do is create a Dialogue: 0,0:24:08.19,0:24:13.75,Default,,0000,0000,0000,,device that tracks cows you're probably\Ngoing to be fine with just normal Sigfox Dialogue: 0,0:24:13.75,0:24:17.89,Default,,0000,0000,0000,,without the encrypted solution and you\Ndon't need perfect authenticity or Dialogue: 0,0:24:17.89,0:24:22.94,Default,,0000,0000,0000,,perfect confidentiality protection. But on\Nthe other hand if you have a money Dialogue: 0,0:24:22.94,0:24:28.55,Default,,0000,0000,0000,,transporter or a security system where you\Nneed confidentiality or authenticity, then Dialogue: 0,0:24:28.55,0:24:33.30,Default,,0000,0000,0000,,you should probably think about using\NSigfox or implement your own checks or use Dialogue: 0,0:24:33.30,0:24:38.95,Default,,0000,0000,0000,,Sigfox's encrypted solution. So that's all\Nfor the uplink. Now, I'm just going to Dialogue: 0,0:24:38.95,0:24:43.15,Default,,0000,0000,0000,,quickly talk about the downlink. This is\Ngoing to be extremely short because the Dialogue: 0,0:24:43.15,0:24:49.55,Default,,0000,0000,0000,,downlink protocol is so much simpler. So I told\Nyou that a Sigfox device sleeps all day.
This Dialogue: 0,0:24:49.55,0:24:54.04,Default,,0000,0000,0000,,means that the Sigfox base station cannot\Njust transmit a downlink, but the Sigfox Dialogue: 0,0:24:54.04,0:24:58.20,Default,,0000,0000,0000,,device has to request it first. So it\Nsends an uplink that contains a downlink Dialogue: 0,0:24:58.20,0:25:04.15,Default,,0000,0000,0000,,request and the Sigfox base station, uhm\NSigfox cloud then decides which base Dialogue: 0,0:25:04.15,0:25:11.06,Default,,0000,0000,0000,,station is going to answer with a\Ndownlink. Now, of course I want to record Dialogue: 0,0:25:11.06,0:25:16.47,Default,,0000,0000,0000,,one of these downlink transmissions so I\Nhad to find a base station. At some point a Dialogue: 0,0:25:16.47,0:25:20.04,Default,,0000,0000,0000,,friend of mine hinted to me that there was\Nthis omnidirectional antenna here on a Dialogue: 0,0:25:20.04,0:25:26.38,Default,,0000,0000,0000,,cell tower in Grafenberg. And it turns out\Nthat this antenna was actually a Sigfox Dialogue: 0,0:25:26.38,0:25:31.58,Default,,0000,0000,0000,,base station. Now if you want to find your\Nown Sigfox base station you don't have to Dialogue: 0,0:25:31.58,0:25:35.31,Default,,0000,0000,0000,,go around hunting for omnidirectional\Nantennas on cell towers. You can just go Dialogue: 0,0:25:35.31,0:25:39.34,Default,,0000,0000,0000,,to the website of the Bundesnetzagentur.\NAnd I figured out that whenever there is Dialogue: 0,0:25:39.34,0:25:43.43,Default,,0000,0000,0000,,something called a 'sonstige Funkanlage'\Nand it has these specific security Dialogue: 0,0:25:43.43,0:25:47.37,Default,,0000,0000,0000,,clearances, then that's Sigfox.\N{\i1}laughter{\i0} Dialogue: 0,0:25:47.37,0:25:50.42,Default,,0000,0000,0000,,So here's another one.\N{\i1}applause{\i0} Dialogue: 0,0:25:50.42,0:25:57.24,Default,,0000,0000,0000,,So let's just listen to one of these\Ndownlinks.
Dialogue: 0,0:25:57.24,0:26:01.72,Default,,0000,0000,0000,,{\i1}short signal noise{\i0}\NAgain that was in real time and it was Dialogue: 0,0:26:01.72,0:26:06.89,Default,,0000,0000,0000,,really short and it sounded different.\NThis is because this is not phase Dialogue: 0,0:26:06.89,0:26:12.40,Default,,0000,0000,0000,,modulation but frequency modulation or in\Nthis particular case GFSK, that's Gaussian Dialogue: 0,0:26:12.40,0:26:15.97,Default,,0000,0000,0000,,Frequency Shift Keying. Again I\Ndemodulated this uplink, er, this downlink Dialogue: 0,0:26:15.97,0:26:20.72,Default,,0000,0000,0000,,frame, that's what it looks like. I\Ncaptured a couple of these, I looked at Dialogue: 0,0:26:20.72,0:26:27.51,Default,,0000,0000,0000,,them, that's the preamble, that's a garbled\Nmess. So what could that be? I thought Dialogue: 0,0:26:27.51,0:26:32.25,Default,,0000,0000,0000,,that maybe suddenly they're using\Nencryption, or maybe some very smart error Dialogue: 0,0:26:32.25,0:26:36.49,Default,,0000,0000,0000,,correction code scheme, but it turns out\Nthat it's something much simpler called Dialogue: 0,0:26:36.49,0:26:41.70,Default,,0000,0000,0000,,scrambling. So unfortunately I'm not going\Nto tell you the algorithm that's used for Dialogue: 0,0:26:41.70,0:26:45.76,Default,,0000,0000,0000,,scrambling here, but I can tell you that\Nthe inputs to the scrambling algorithm are Dialogue: 0,0:26:45.76,0:26:52.06,Default,,0000,0000,0000,,just the sequence number and the device ID\Nof the corresponding uplink. So you can Dialogue: 0,0:26:52.06,0:26:55.75,Default,,0000,0000,0000,,totally reverse the scrambling or you can\Neven brute force it because these two Dialogue: 0,0:26:55.75,0:27:01.82,Default,,0000,0000,0000,,numbers are very finite. So scrambling\Ndoes not provide any confidentiality. I Dialogue: 0,0:27:01.82,0:27:05.30,Default,,0000,0000,0000,,can tell you what I figured out in the\Nend.
So this is the complete frame Dialogue: 0,0:27:05.30,0:27:11.99,Default,,0000,0000,0000,,structure of the downlink, it's static so\Nvery simple. I think that two fields here Dialogue: 0,0:27:11.99,0:27:16.90,Default,,0000,0000,0000,,are particularly interesting. One of them\Nis this one here, so if you're a coding Dialogue: 0,0:27:16.90,0:27:22.07,Default,,0000,0000,0000,,person this is a BCH(15, 11, 1) code and\Nthis is cool because this can correct Dialogue: 0,0:27:22.07,0:27:27.45,Default,,0000,0000,0000,,up to 8 bit errors in the downlink\Nframe and the other interesting thing of Dialogue: 0,0:27:27.45,0:27:31.49,Default,,0000,0000,0000,,course is this message authentication\Ncode, so we also have authenticity Dialogue: 0,0:27:31.49,0:27:38.50,Default,,0000,0000,0000,,protection for the downlink. So in\Nsummary, for the Sigfox downlink it looks Dialogue: 0,0:27:38.50,0:27:44.30,Default,,0000,0000,0000,,pretty secure, again, the only real\Nproblem I found is that there's scrambling Dialogue: 0,0:27:44.30,0:27:49.78,Default,,0000,0000,0000,,but this scrambling doesn't provide any\Nconfidentiality. But last week I figured Dialogue: 0,0:27:49.78,0:27:55.25,Default,,0000,0000,0000,,out that if you use, or, Paul Pinault\Nhinted to me that if you use Sigfox's Dialogue: 0,0:27:55.25,0:27:59.75,Default,,0000,0000,0000,,encrypted solution, he figured this out,\Nthen you're also going to have an Dialogue: 0,0:27:59.75,0:28:03.91,Default,,0000,0000,0000,,encrypted downlink, so you should probably\Nuse that.
And this is also pretty much my Dialogue: 0,0:28:03.91,0:28:09.78,Default,,0000,0000,0000,,summary for you: If you are a device maker\Nand you want to build a Sigfox device and Dialogue: 0,0:28:09.78,0:28:15.41,Default,,0000,0000,0000,,add Sigfox connectivity to your device,\Nit's fine to use Sigfox but you should be Dialogue: 0,0:28:15.41,0:28:19.82,Default,,0000,0000,0000,,aware of the level of security it\Nprovides, and most importantly this means Dialogue: 0,0:28:19.82,0:28:24.06,Default,,0000,0000,0000,,that if you need confidentiality and if\Nyou need good authenticity protection you Dialogue: 0,0:28:24.06,0:28:29.03,Default,,0000,0000,0000,,should probably use Sigfox's encrypted\Nsolution, and this means that you have to Dialogue: 0,0:28:29.03,0:28:34.04,Default,,0000,0000,0000,,buy one of the still very few modems that\Nsupport this encryption. This also kind of Dialogue: 0,0:28:34.04,0:28:41.03,Default,,0000,0000,0000,,puts some pressure on the manufacturers to\Njust start providing these modems and not Dialogue: 0,0:28:41.03,0:28:46.57,Default,,0000,0000,0000,,the old ones. Now if you don't buy a modem\Nwith the encryption solution these are Dialogue: 0,0:28:46.57,0:28:51.55,Default,,0000,0000,0000,,your options: So you have to implement\Nencryption yourself if you need it. There are Dialogue: 0,0:28:51.55,0:28:56.87,Default,,0000,0000,0000,,some things you can do to improve the\Nauthenticity protection that the Sigfox Dialogue: 0,0:28:56.87,0:29:02.70,Default,,0000,0000,0000,,uplink and downlink already provide, and\Nif you don't do that you're just going to Dialogue: 0,0:29:02.70,0:29:08.66,Default,,0000,0000,0000,,have to implement your own authenticity\Nchecks.
Now I want to thank a couple of Dialogue: 0,0:29:08.66,0:29:13.92,Default,,0000,0000,0000,,people, most importantly that is Felix and\NMarc, and they didn't just help me with the Dialogue: 0,0:29:13.92,0:29:18.27,Default,,0000,0000,0000,,whole technical aspect of this\Npresentation here, but they also helped me Dialogue: 0,0:29:18.27,0:29:23.27,Default,,0000,0000,0000,,proofread the documentation I'm going to\Npublish soon and this presentation here. I Dialogue: 0,0:29:23.27,0:29:27.68,Default,,0000,0000,0000,,also want to thank Paul Pinault for\Nproviding quite a lot of information and Dialogue: 0,0:29:27.68,0:29:31.92,Default,,0000,0000,0000,,you will see a link to his blog on the\Nwebsite I'm going to show you in a second. Dialogue: 0,0:29:31.92,0:29:36.65,Default,,0000,0000,0000,,I also want to thank Mr. Lehmann from\NSigfox Germany. Even though there were Dialogue: 0,0:29:36.65,0:29:40.55,Default,,0000,0000,0000,,some screw-ups in the communication with\NSigfox on our side. So none of that was Dialogue: 0,0:29:40.55,0:29:45.88,Default,,0000,0000,0000,,Sigfox's fault. He reacted really nicely\Nand handled it very nicely and responded Dialogue: 0,0:29:45.88,0:29:50.49,Default,,0000,0000,0000,,to all of our questions. And I also want\Nto thank Linus Neumann for organizing that Dialogue: 0,0:29:50.49,0:29:59.79,Default,,0000,0000,0000,,communication with Sigfox. Now when I\Ntalked to Mr.
Lehmann from Sigfox Germany Dialogue: 0,0:29:59.79,0:30:04.24,Default,,0000,0000,0000,,essentially I told him that there were\Nthese weak spots, these substantial weak Dialogue: 0,0:30:04.24,0:30:09.31,Default,,0000,0000,0000,,spots but we didn't find any major issues,\Nand what he said then was that Sigfox is Dialogue: 0,0:30:09.31,0:30:13.64,Default,,0000,0000,0000,,planning to open source their device\Nlibrary and I really hope that they carry Dialogue: 0,0:30:13.64,0:30:18.26,Default,,0000,0000,0000,,through with this, because if they do\Nthat, that to me would signal that Sigfox Dialogue: 0,0:30:18.26,0:30:24.33,Default,,0000,0000,0000,,is a company that really cares about\Nsecurity. Now if you want to find more, if Dialogue: 0,0:30:24.33,0:30:29.52,Default,,0000,0000,0000,,you want to find out more about Sigfox and\Nyou don't want to wait for Sigfox to Dialogue: 0,0:30:29.52,0:30:34.96,Default,,0000,0000,0000,,release their device library you can just\Ngo to this website here and download my Dialogue: 0,0:30:34.96,0:30:39.21,Default,,0000,0000,0000,,open source library instead. I'm also\Ngoing to publish these protocol Dialogue: 0,0:30:39.21,0:30:42.96,Default,,0000,0000,0000,,specifications and the reference\Nimplementations for software defined Dialogue: 0,0:30:42.96,0:30:48.07,Default,,0000,0000,0000,,radio. If you have any questions you can\Ncontact me by email. You can also call me Dialogue: 0,0:30:48.07,0:30:53.53,Default,,0000,0000,0000,,on my DECT phone here during the conference\Nand of course here's my Sigfox device ID Dialogue: 0,0:30:53.53,0:30:58.34,Default,,0000,0000,0000,,and my Sigfox secret key, so just send me\Na Sigfox uplink. Thank you. Dialogue: 0,0:30:58.34,0:31:11.04,Default,,0000,0000,0000,,{\i1}applause{\i0}\NHerald: Thank you Florian for this amazing Dialogue: 0,0:31:11.04,0:31:18.81,Default,,0000,0000,0000,,talk, and now we have time for some\Nquestions.
There's I think a lot of Dialogue: 0,0:31:18.81,0:31:24.30,Default,,0000,0000,0000,,microphones all around, so please line up\Nat the microphones if you want to ask a Dialogue: 0,0:31:24.30,0:31:31.41,Default,,0000,0000,0000,,question, and especially two tips for\Nthat: First, a question is in general just Dialogue: 0,0:31:31.41,0:31:38.54,Default,,0000,0000,0000,,one sentence long. Second, if you want us\Nto hear you you have to speak into the mic, Dialogue: 0,0:31:38.54,0:31:48.07,Default,,0000,0000,0000,,so get close to the mic, it doesn't bite\Nback. So I think we have somebody on the Dialogue: 0,0:31:48.07,0:31:54.30,Default,,0000,0000,0000,,mic there in the back. Yes, that's mic number...\NI can't read that from here, I'm too old Dialogue: 0,0:31:54.30,0:31:59.22,Default,,0000,0000,0000,,for that shit. Eight. Okay thanks. Number\Neight, you start. Dialogue: 0,0:31:59.22,0:32:08.12,Default,,0000,0000,0000,,Q: So hi, is this on, yeah, so you said\Nscrambling didn't provide any Dialogue: 0,0:32:08.12,0:32:14.33,Default,,0000,0000,0000,,confidentiality, so what is it for?\NA: It might be for, just for receiver Dialogue: 0,0:32:14.33,0:32:19.31,Default,,0000,0000,0000,,synchronization because it facilitates\Nreceiver synchronization. I'm not sure Dialogue: 0,0:32:19.31,0:32:22.71,Default,,0000,0000,0000,,what it's for. Now the scrambling\Nalgorithm, it's not a very standard Dialogue: 0,0:32:22.71,0:32:28.28,Default,,0000,0000,0000,,algorithm. So this is why I'm not really\Nsure what it's good for. If it was a very Dialogue: 0,0:32:28.28,0:32:32.53,Default,,0000,0000,0000,,standard algorithm I would think that it's\Njust for receiver synchronization but Dialogue: 0,0:32:32.53,0:32:38.65,Default,,0000,0000,0000,,that's not the case.
So maybe it's some\Nkind of security by obscurity but I'm not Dialogue: 0,0:32:38.65,0:32:45.53,Default,,0000,0000,0000,,sure I can tell you.\NHerald: OK now we shift over there to the Dialogue: 0,0:32:45.53,0:32:55.65,Default,,0000,0000,0000,,mic, yes you exactly in the white shirt.\NThis was the mic. Okay, then I Dialogue: 0,0:32:55.65,0:32:59.93,Default,,0000,0000,0000,,want to go to 7, sorry, the numbers are too\Nfar away. It's just such a big room, Dialogue: 0,0:32:59.93,0:33:06.16,Default,,0000,0000,0000,,number seven please.\NQ: Hi. Thanks for the talk. My question is Dialogue: 0,0:33:06.16,0:33:12.84,Default,,0000,0000,0000,,what is the reason you cannot disclose the\Nscrambling algorithm? Dialogue: 0,0:33:12.84,0:33:17.46,Default,,0000,0000,0000,,A: I could disclose the scrambling\Nalgorithm but I have decided not to. So Dialogue: 0,0:33:17.46,0:33:21.92,Default,,0000,0000,0000,,there is no one forcing me to do this,\Nit's just based on the legal advice that I Dialogue: 0,0:33:21.92,0:33:27.23,Default,,0000,0000,0000,,have received, but I am going to publish\Nscrambled and unscrambled versions of Dialogue: 0,0:33:27.23,0:33:31.56,Default,,0000,0000,0000,,Sigfox downlinks so I cannot stop you from\Nreverse engineering this algorithm Dialogue: 0,0:33:31.56,0:33:36.05,Default,,0000,0000,0000,,yourself. Thank you.\NHerald: OK, now we take a question from Dialogue: 0,0:33:36.05,0:33:41.79,Default,,0000,0000,0000,,the Internet.\NQ: Yes, so one of the IRC users asks: Do Dialogue: 0,0:33:41.79,0:33:46.72,Default,,0000,0000,0000,,you think that it is possible to run your\Nown base stations in the future or will Dialogue: 0,0:33:46.72,0:33:52.18,Default,,0000,0000,0000,,they always be run by Sigfox?\NA: Absolutely.
It's just a matter of Dialogue: 0,0:33:52.18,0:33:56.20,Default,,0000,0000,0000,,intellectual property and whether that's\Nlegal or not, I think they do have some Dialogue: 0,0:33:56.20,0:34:01.29,Default,,0000,0000,0000,,patents on their technology, but there's\Nnothing stopping you from running your own Dialogue: 0,0:34:01.29,0:34:05.76,Default,,0000,0000,0000,,base station. So you will have to have a\Nseparate network from Sigfox with your own Dialogue: 0,0:34:05.76,0:34:09.27,Default,,0000,0000,0000,,secret keys, you cannot get the\Nsecret, well you could extract them from Dialogue: 0,0:34:09.27,0:34:13.55,Default,,0000,0000,0000,,the devices but you cannot get the secret\Nkeys of all devices from Sigfox but of Dialogue: 0,0:34:13.55,0:34:19.76,Default,,0000,0000,0000,,course you could run your own parallel\NSigfox network. Dialogue: 0,0:34:19.76,0:34:26.25,Default,,0000,0000,0000,,Herald: OK. Mic number eight again.\NQ: Thanks for the talk. I have a student who wants Dialogue: 0,0:34:26.25,0:34:32.90,Default,,0000,0000,0000,,to fuzz LoRaWAN. You mentioned a few\Ntimes you fuzzed the uplink. Did you use Dialogue: 0,0:34:32.90,0:34:40.54,Default,,0000,0000,0000,,the SDR implementation for sending as well\Nor did you figure out how to manipulate Dialogue: 0,0:34:40.54,0:34:47.79,Default,,0000,0000,0000,,one of the existing radio transceivers?\NA: I did manipulate the Pycom SiPy but Dialogue: 0,0:34:47.79,0:34:52.40,Default,,0000,0000,0000,,I didn't use that to fuzz the uplink, so I\Nused the SDR implementation to fuzz the Dialogue: 0,0:34:52.40,0:34:57.83,Default,,0000,0000,0000,,uplink.\NHerald: Okay. Mic number 7. There's Dialogue: 0,0:34:57.83,0:35:00.83,Default,,0000,0000,0000,,another question.\NQ: Hi. Can you tell us what an agency is Dialogue: 0,0:35:00.83,0:35:05.64,Default,,0000,0000,0000,,like on these networks.\NA: Didn't get that. Sorry.
Dialogue: 0,0:35:05.64,0:35:09.50,Default,,0000,0000,0000,,Q: Can you tell us what the latency is\Nlike on those networks? Dialogue: 0,0:35:09.50,0:35:15.60,Default,,0000,0000,0000,,A: The latency on these networks. (Q:\NYes.) Well it's like you have to go to a Dialogue: 0,0:35:15.60,0:35:19.88,Default,,0000,0000,0000,,website to retrieve all of the\Ninformation that the Sigfox base Dialogue: 0,0:35:19.88,0:35:25.72,Default,,0000,0000,0000,,station has received. And I didn't really\Ntest this because theoretically you could Dialogue: 0,0:35:25.72,0:35:33.91,Default,,0000,0000,0000,,also have some API calls and have\NSigfox automatically transmit these API calls Dialogue: 0,0:35:33.91,0:35:37.22,Default,,0000,0000,0000,,but I'd say it's in a matter of a couple\Nof seconds. Dialogue: 0,0:35:37.22,0:35:42.27,Default,,0000,0000,0000,,Like three seconds or so. I haven't tested\Nit. Dialogue: 0,0:35:42.27,0:35:47.47,Default,,0000,0000,0000,,Herald: Okay now I have to ask, is there\Nsomebody on mic eight. One more. Yes yes. Dialogue: 0,0:35:47.47,0:35:54.30,Default,,0000,0000,0000,,One more. Okay. Please. It's you.\NQ: Yeah. So are the Sigfox algorithms, all Dialogue: 0,0:35:54.30,0:36:02.65,Default,,0000,0000,0000,,of these things, running on the company's\Nprovided chips or is there some software Dialogue: 0,0:36:02.65,0:36:06.87,Default,,0000,0000,0000,,involved which could be potentially\Nreverse engineered? Dialogue: 0,0:36:06.87,0:36:11.27,Default,,0000,0000,0000,,A: So the software that is involved that\Ncould be reverse engineered is the client Dialogue: 0,0:36:11.27,0:36:17.01,Default,,0000,0000,0000,,library. But this is already the part I am\Npublishing now. Also there's a couple Dialogue: 0,0:36:17.01,0:36:23.25,Default,,0000,0000,0000,,more things that you can reverse engineer\Nabout this.
I don't think you're going to Dialogue: 0,0:36:23.25,0:36:30.36,Default,,0000,0000,0000,,be able to get a Sigfox base station,\Nthey're probably not giving one to you. Dialogue: 0,0:36:30.36,0:36:34.52,Default,,0000,0000,0000,,Herald: Okay. Yeah we have time for one\Nmore question. We take one from the Dialogue: 0,0:36:34.52,0:36:40.38,Default,,0000,0000,0000,,Internet.\NQ: What are the advantages of Sigfox Dialogue: 0,0:36:40.38,0:36:49.02,Default,,0000,0000,0000,,versus LoRaWAN?\NA: I think that Sigfox is even more low Dialogue: 0,0:36:49.02,0:36:55.48,Default,,0000,0000,0000,,power than LoRaWAN. There are also a\Ncouple of other advantages, but in general Dialogue: 0,0:36:55.48,0:37:00.64,Default,,0000,0000,0000,,I think that it's good if we have two\Ncompeting providers in the LPWAN space Dialogue: 0,0:37:00.64,0:37:06.54,Default,,0000,0000,0000,,just to have some diversity. And yeah\Nthere are advantages to both of them. So Dialogue: 0,0:37:06.54,0:37:10.77,Default,,0000,0000,0000,,but in general I think that it's great\Nto have both of them around. But as I Dialogue: 0,0:37:10.77,0:37:16.35,Default,,0000,0000,0000,,told you it's more low power. I also think\Nthat it's a bit more scalable and also Dialogue: 0,0:37:16.35,0:37:22.63,Default,,0000,0000,0000,,from the perspective of someone that's\Ntrying to deploy a Sigfox device fleet, Dialogue: 0,0:37:22.63,0:37:26.41,Default,,0000,0000,0000,,you just have to take care of the\Ndevices, you don't have to take care of the Dialogue: 0,0:37:26.41,0:37:32.08,Default,,0000,0000,0000,,network. So that's another advantage.\NHerald: Okay. So as time's up, thank you Dialogue: 0,0:37:32.08,0:37:37.98,Default,,0000,0000,0000,,very much. And please another round of\Napplause for this amazing talk, Florian.
Dialogue: 0,0:37:37.98,0:37:40.86,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:37:40.86,0:37:46.46,Default,,0000,0000,0000,,{\i1}35c3 postroll music{\i0} Dialogue: 0,0:37:46.46,0:38:03.00,Default,,0000,0000,0000,,subtitles created by c3subtitles.de\Nin the year 2019. Join, and help us!