Lecture: Hunting the Sigfox: Wireless IoT Network Security
Dissecting the radio protocol of Sigfox, the global cellular network for the IoT you have probably never heard of
This talk recounts my analysis of Sigfox's radio protocol and presents an open reference implementation of an alternative Sigfox protocol stack.
It confirms that while Sigfox ensures authenticity and integrity, transmitted payloads are not confidential.
This presentation is targeted at a technical audience with some basic knowledge of cryptography (security goals, AES), but no knowledge in RF technology (modulation, scrambling, error correction) is required.
Sigfox can be compared to a cellular network, but for mostly battery-powered IoT devices that don't need to transmit much data. While some sparse details on Sigfox's architecture and its security have been published and some basic reverse engineering has been carried out, most of the protocol specifications remain proprietary and closed, so by now, no independent security audit was performed. Advertised use cases of Sigfox include air quality monitoring, weather stations, utilities metering and tracking farm animals. In this talk, I illustrate why these applications are fine, but why one might not want to track a money transporter with Sigfox or base a home alarm system on it.
The Sigfox network is very atypical, with uplink and downlink based on different physical layers.
After a short introduction, I begin the presentation by taking a deep dive into Sigfox's radio protocol with a focus on its Security. Basics of radio technology (SDRs, ultra-narrow band (UNB) modulation, SRD bands) and techniques for analyzing protocols are briefly summarized and the uplink's and downlink's frame structures are presented.
Subsequently, I show how a radio sniffer that has captured Sigfox messages can extract the uplink's and downlink's contents. While the uplink's payload is already contained in plaintext, the downlink is scrambled, but I indicate how the downlink's pseudorandom whitening sequence used for scrambling can be generated or brute-forced by an eavesdropper. Moreover, I outline attacks that could even compromise Sigfox's authenticity checking.
Finally, I provide some suggestions on how to improve Sigfox's security.
The reference implementation of an alternative Sigfox protocol stack "librenard" that was created as part of this work as well as reconstructed protocol specifications detailing the uplink and significant portions of the downlink protocol will be published immediately after this talk.