Sweet Dreams and Nightmares: Security in the Internet of Things

Wireless embedded devices are predominant in the Internet of Things: Objects tagged with Radio Frequency IDentification and Near Field Communication technology, smartphones, and other embedded tokens interact from device to device and thereby often process information that is security or privacy relevant for humans. For protecting sensitive data and preventing attacks, many embedded devices employ cryptographic algorithms and authentication schemes. In the past years, various vulnerabilities have been found in commercial products that enable to bypass the security mechanisms. Since a large number of the devices in the field are in the hands of potential adversaries, implementation attacks (such as side-channel analysis and reverse engineering) can play a critical role for the overall security of a system. At hand of several examples of assailable commercial products we demonstrate the potential impact of the found security weaknesses and illustrate "how to not do it".

[1]  Martijn Stam Beyond Uniformity: Better Security/Efficiency Tradeoffs for Compression Functions , 2008, CRYPTO.

[2]  Ran Canetti,et al.  Advances in Cryptology – CRYPTO 2013 , 2013, Lecture Notes in Computer Science.

[3]  Christof Paar,et al.  When Reverse-Engineering Meets Side-Channel Analysis - Digital Lockpicking in Practice , 2013, Selected Areas in Cryptography.

[4]  Christof Paar,et al.  Black-Box Side-Channel Attacks Highlight the Importance of Countermeasures - An Analysis of the Xilinx Virtex-4 and Virtex-5 Bitstream Encryption Mechanism , 2012, CT-RSA.

[5]  Bart Preneel Progress in Cryptology - AFRICACRYPT 2009, Second International Conference on Cryptology in Africa, Gammarth, Tunisia, June 21-25, 2009. Proceedings , 2009, AFRICACRYPT.

[6]  Frederik Vercauteren,et al.  Practical Realisation and Elimination of an ECC-Related Software Bug Attack , 2012, CT-RSA.

[7]  Eli Biham,et al.  A Practical Attack on KeeLoq , 2008, Journal of Cryptology.

[8]  Roger Frost,et al.  International Organization for Standardization (ISO) , 2004 .

[9]  Christof Paar,et al.  All You Can Eat or Breaking a Real-World Contactless Payment System (Short Paper) , 2010 .

[10]  Christof Paar,et al.  An Embedded System for Practical Security Analysis of Contactless Smartcards , 2007, WISTP.

[11]  Christof Paar,et al.  All You Can Eat or Breaking a Real-World Contactless Payment System , 2010, Financial Cryptography.

[12]  Alessandro Barenghi,et al.  On the vulnerability of FPGA bitstream encryption against power analysis attacks: extracting keys from xilinx Virtex-II FPGAs , 2011, CCS '11.

[13]  Christof Paar,et al.  Breaking KeeLoq in a Flash: On Extracting Keys at Lightning Speed , 2009, AFRICACRYPT.

[14]  Marc Dacier,et al.  Research in Attacks, Intrusions and Defenses , 2014, Lecture Notes in Computer Science.

[15]  Joseph Bonneau,et al.  What's in a Name? , 2020, Financial Cryptography.

[16]  Tsuyoshi Takagi,et al.  Cryptographic Hardware and Embedded Systems - CHES 2011 - 13th International Workshop, Nara, Japan, September 28 - October 1, 2011. Proceedings , 2011, CHES.

[17]  Christof Paar,et al.  Fuming Acid and Cryptanalysis: Handy Tools for Overcoming a Digital Locking and Access Control System , 2013, CRYPTO.

[18]  Christof Paar,et al.  Side-Channel Attacks on the Yubikey 2 One-Time Password Generator , 2013, RAID.

[19]  Christof Paar,et al.  Breaking Mifare DESFire MF3ICD40: Power Analysis and Templates in the Real World , 2011, CHES.

[20]  Christof Paar,et al.  On the Power of Power Analysis in the Real World: A Complete Break of the KeeLoqCode Hopping Scheme , 2008, CRYPTO.

[21]  Patel,et al.  Information Security: Theory and Practice , 2008 .

[22]  Christof Paar,et al.  Chameleon: A Versatile Emulator for Contactless Smartcards , 2010, ICISC.

[23]  Kristin E. Lauter,et al.  Selected Areas in Cryptography -- SAC 2013 , 2013, Lecture Notes in Computer Science.

[24]  Kyung-Hyune Rhee,et al.  Information Security and Cryptology - ICISC 2010 , 2010, Lecture Notes in Computer Science.

[25]  Christof Paar,et al.  EM Side-Channel Attacks on Commercial Contactless Smartcards Using Low-Cost Equipment , 2009, WISA.

[26]  Christof Paar,et al.  Side-channel attacks on the bitstream encryption mechanism of Altera Stratix II: facilitating black-box analysis using software reverse-engineering , 2013, FPGA '13.