Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Protection for LoRaWAN security keys in EEPROM #121

Open
janakj opened this issue Nov 13, 2022 · 1 comment
Open

Protection for LoRaWAN security keys in EEPROM #121

janakj opened this issue Nov 13, 2022 · 1 comment
Assignees
Labels
enhancement New feature or request

Comments

@janakj
Copy link
Collaborator

janakj commented Nov 13, 2022

Related commit: 1bd604a

This is an interesting idea, but as currently implemented this would only provide minimal (accidental) protection. As long as you have access to USART1, USART2, or SPI interfaces, which all devices that I have seen have to support firmware updates, you can always access the keys stored in EEPROM. The application could flash a modified version of the firmware into the modem, or even just an older version of this firmware. Another method is to switch into the STM32 bootloader and read the EEPROM from there.

Also, the AppKey is only used in the OTAA mode to derive the AppSKey. In the APB mode, the modem directly uses the AppSKey. Since we support both modes in the firmware, we would need to lock both keys.

It might be a good idea to think about how we could provide more protection for the various LoRaWAN security keys. Perhaps we could keep the keys in EEPROM encrypted with a key encryption key (KEK) and, e.g., AES-SIV [1]. The modem would then be provided with the KEK, to only store in SRAM, on boot. We should also think about the threat model, i.e., what we would want to protect against.

Encrypting LoRaWAN security keys with a KEK might be interesting in designs where the Type ABZ module is replaceable such as the Hardwario Tower kit. There, one might want to prevent key extraction from a Type ABZ module that has been physically removed from the device. If the attacker has access only to the Type ABZ module and not to the host MCU, they would be unable to decrypt the keys. Perhaps it might also be useful to prevent another Core Module (host MCU) from using an already configured (joined) Type ABZ module, unless it has the KEK. Related: #72.

In designs where the TypeABZ module is hard-wired to the host MCU, encrypting LoRaWAN security keys stored in EEPROM with a KEK makes little sense. The host MCU would have to have access to the KEK in order to send it to the TypeABZ module. The attacker would always have access to both the host MCU and the Type ABZ module. Thus, they could (presumable) extract the KEK and decrypt the contents of Type ABZ's EEPROM.

If the host MCU had some kind of secure element, i.e., a place to securely store LoRaWAN keys, we could, in theory make the firmware in the Type ABZ module use that. This would require a simple protocol to delegate AES operations from Type ABZ to the host MCU.

Originally posted by @janakj in #117 (comment)

CC: @disk91

References

  1. RFC 5297: Synthetic Initialization Vector (SIV) Authenticated Encryption Using AES
  2. AN5156: Introduction to STM32 microcontrollers security
  3. Storing a key in an embedded device's memory
@janakj janakj self-assigned this Nov 13, 2022
@janakj janakj added the enhancement New feature or request label Nov 13, 2022
@janakj janakj changed the title Implement encryption of EEPROM security keys at rest Better protection for LoRaWAN security keys stored in EEPROM Nov 13, 2022
@janakj janakj changed the title Better protection for LoRaWAN security keys stored in EEPROM Better protection for LoRaWAN security keys in EEPROM Nov 13, 2022
@janakj janakj changed the title Better protection for LoRaWAN security keys in EEPROM Protection for LoRaWAN security keys in EEPROM Nov 13, 2022
janakj added a commit that referenced this issue Dec 28, 2022
This AT command can be used to prevent the application from reading
LoRaWAN security keys over the AT command interface. After this command
has been invoked, any attempt to read LoRaWAN security keys via the ATCI
will return an error (-50, access denied). This setting will remain in
effect until the next reset to factory defaults.

Note: This command provides only minimal accidental protection. If the
application has access to USART1, USART2, or SPI ports on the modem, it
could simply downgrade the modem's firmware to read the keys, or it
could switch into the STM32 bootloader mode to directly read the EEPROM.
LoRaWAN security keys are stored in the EEPROM in an unencrypted form.

This patch represents the first step towards securing LoRaWAN security
keys. Future patches may implement additional protection, e.g., store
the security keys in the EEPROM in an encrypted form.

Related to #121
@janakj
Copy link
Collaborator Author

janakj commented Dec 28, 2022

Rudimentary LoRaWAN security key readout protection is now implemented as AT$LOCKKEYS: https://github.com/hardwario/lora-modem-abz/wiki/AT-Command-Interface#atlockkeys

Will be released together with version 1.3.0.

janakj added a commit that referenced this issue Dec 28, 2022
The modem may return this error when the application attempts to read
LoRaWAN security keys after the command AT$LOCKKEYS has been used.

Related to #121
janakj added a commit that referenced this issue Dec 28, 2022
This command can be used to lock the LoRaWAN security keys. This patch
adds support for the command to the Python class OpenLoRaModem.

Related to #121
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

1 participant