Category Archives: IoT

Security risk Smart Home – The Lives of Others

During IT Flash Paderborn #3 I gave a short presentation and demo concerning security risk smart home. With the described passive attack you can profile all residents of the smart home. And with the described active attack you can manipulate the smart home and the devices used there.

Picture of the film 'The Lives of Others'

From the movie ‘The Lives of Others’

In one of my previous blog post I described how to run a passive attack on a smart home in context of the protocol EnOcean. With the collected information you can set up a profile of all people living in this home.

For the passive attack I used a new tool that I own for a few weeks now: HackRF One. It’s an typical piece of hardware that you can use in context of Software Defined Radio (SDR). You can see this helpful tool on the following picture (Source: Great Scott Gadgets):

Picture of HackRF One

HackRF One

HackRF One was initiated as a Kickstarter project a few years ago and is used by a large community in the area of reengineering protocols. In my demonstration I used HackRF One on the one hand to find the exact frequency that is used by the EnOcean devices that I used. And on the other hand I used HackRF One to capture and replay the EnOcean telegram.

In a first step you need the exact frequency that is used by your EnOcean stuff. To find this frequency I used the tool gqrx. Gqrx is an open source software defined radio receiver powered by the project GNU Radio. The tool allows visualizing frequencies that are used in your environment. For example: EnOcean is works on 868 MHz, but gqrx helps you to find the exact frequency of this protocol, in my case: 868,290 MHz. The following screenshot shows the way gqrx works (Source gqrx-website):

Screenshot of gqrx

Screenshot of gqrx

As soon as you have found the exact frequency, you can use the software distributed with HackRF one to capture and to replay the messages in your smart home. In the demonstration I used a pushed button and a light actuator adapter to visualize the attack.

In case of EnOcean there are mechanisms to protect against these attacks available. One of these mechanisms is called ‘Rolling Code’ where telegrams are encrypted which makes the capture and replay attack above useless. The following command stores the traffic in a file:

hackrf_transfer -t switch.raw -f 869290000

Once the traffic is stored in a file, you can send this information again (capture and replay) with your HackRF One with the following command:

hackrf_transfer -t switch.raw -f 869290000 -x 47

You can find some more information in the slides of presentation. As you can see, smart home devices should be used carefully if you want to protect your privacy. Today it’s very easy to collect and manipulate a smart home. So always keep in mind the security risk smart home when you plan your smart home.

Apple adds NFC support to iOS 11

During Apple’s Word Wide Developer Conference (WWDC) this week the company shared the latest information concerning support of Near Field Communication (NFC) protocol in iOS 11. Developers coding for iOS 11 will be able to create apps that can read NFC tags. This opens the door for wireless exchange of information between an iPhone and various connected devices in a user’s environment.

Apple and NFC

Apple and NFC (Wikipedia)

Currently the NFC chip in the iPhone is only used to handle contactless Apple Pay transactions. But in the new framework called Core NFC the company provide the foundation for multiple use cases by third-party apps. Using Core NFC, you can read tags of types 1 through 5 that contain data in the NFC Data Exchange Format (NDEF). At present the API supports only read access for the tags. Hopefully in the future there will be also the possibility integrated to write to the tags. With the new framework Apple could let third-party developers make use of NFC in new ways, or it could simply expand NFC functions beyond Apple Pay for use in its own apps and services. The specification says, “For example, your app might give users information about products they find in a store or exhibits they visit in a museum”.

There are also first code samples available, e.g. iOS11-NFC-Example implemented by Hans Knöchel. In his GitHub repository Hans describes a quick example showing how to use the API in iOS 11 and Swift 4. The new framework requires at least XCode 9, iOS 11 and an iPhone 7 or iPhone 7 Plus.

However, the possibilities for NFC outside of banking area look set to expand with Apple’s next-generation mobile operating systems. So I’m looking forward to blogging of an additional version of iOS, which also allows complex contactless protocols we know in the context of eID like Chip Authentication Mapping (PACE-CAM). This would enable the iPhone to read ID cards of ePassports using ISO 14443 for contactless communication. Nevertheless this first step in iOS opens a world of possibilities for new apps on iPhones.

 

Eclipse IoT overview

Introduction

A few days before the Eclipse Neon release, the Eclipse Foundation has released several projects in context of IoT (Internet of things). The Eclipse IoT working group is engaged in projects like SmartHome, Kura, Paho and OM2M.

Logo Eclipse IoTThe Internet of Things is all about connecting devices (sensors and actuators) to the internet. You can find these devices in automobiles, wearables, industrial factories, homes, etc. A key challenge is the complexity of implementing an IoT solution where you need to deal with various hardware platforms, manage the IoT gateways to connect the devices to the internet, manage the connectivity and interoperability, and integrate the data in the existing systems and databases.

An important way to reduce this complexity is to create reusable libraries and frameworks. As a result these frameworks are abstract and implement key features. Consequently right here is the approach of Eclipse IoT delivering several technologies combined in an open source stack with all key features and standards that you need to develop your own IoT solution. Furthermore the Eclipse Foundation set up a community with more than 200 contributors to assure the enhancement of the IoT stack.

The current release includes Eclipse SmartHome Version 0.8 and Eclipse Paho Version 1.2. The projects Eclipse Kura and Eclipse OM2M will be available later this month. Additionally, the foundation starts a new project proposal called Eclipse Kapua. Goal is to create a modular integration platform for IoT devices and smart sensors. On this way there will be a bridge between Operation Technology and Information Technology.

Eclipse IoT

The Eclipse IoT ecosystem contains standards, gateways and of course frameworks. The following paragraphs will describe these modules. In addition you can find a reference to an Eclipse project that is relevant in this domain. Please keep in mind that this list is not complete, there are currently 24 different projects available in context of Eclipse IoT.

IoT stack

The following graphic describes the structure of Eclipse IoT stack. The stack includes frameworks, open communication standards and a gateway to assure management services. Consequently most modules based on Java and OSGi. OSGi describes a modular system and service platform for Java that implements a complete and dynamic component model. Finally the Eclipse IoT stack with its components addresses all key requirements in IoT: interoperability, security and connectivity.

Eclipse Open IoT Stack

Eclipse Open IoT Stack

Open communication standards

It’s an elementary feature in context of IoT to provide several mechanisms for protocols used in this domain. All devices must be connected, secured and managed. On this way the Eclipse projects in the IoT ecosystem supports the relevant protocols and standards:

  • MQTT: Eclipse Paho delivers a MQTT client implementation (Java, C/C++, JavaScript). The corresponding MQTT broker is implemented in Eclipse Mosquito (implementation in C). MQTT (Message Queuing Telemetry Transport) is a light-weight publish and subscribe messaging protocol specified in ISO/IEC 20922. Almost the new version 1.2 of Paho includes for example WebSocket support for Java and Pythons clients.
  • CoAP: Eclipse Californium delivers the CoAP standard in Java, including DTLS support.
  • Lightweight M2M: The server side of LwM2M is delivered by Eclipse Wakaama (C/C++) and the client side by Eclipse Leshan (Java). Wakaama provides an API for server applications to send commands to registered LwM2M clients. Leshan relies on the Eclipse IoT Californium project for the CoAP and DTLS implementation.
  • DNSSEC: Eclipse Tiaki provides a DNSSEC implementation in Java. Domain Name System Security Extensions (DNSSEC) is specified by IETF for securing certain kinds of information provided by the Domain Name System (DNS).
  • DTLS: Eclipse TinyDTLS implements the Data Transport Layer Security (DTLS) standard in C. The implementation covers both the client and the server state machine. DTLS in general is a communication protocol that provides security also for datagram protocols like UDP.

Gateways

A gateway manages the connectivity between devices and provides a platform for the upper applications. Eclipse Kura offers a set of services that helps to manage the devices and applications deployed onto IoT gateways. Same to other Eclipse projects the gateway is based on Java and OSGi services. Kura manages the cloud connectivity, supports different protocols and configures the network.

Frameworks

Eclipse IoT provides a set of frameworks:

  • Eclipse SmartHome is a set of Java and OSGi services for building and running Smart Homes. It is designed to run on “simple” devices like Raspberry Pi, BeagleBone Black or Intel Edison. Additionally, this framework supports typical protocols with their diversity used in Smart Homes like EnOcean, KNX or ZigBee. Most of all this way allows the devices and systems to communicate with each other. Almost the new version 0.8 of Eclipse Smart Home contains now a new REST interface that allows easier interaction with the clients. Furthermore, new bindings are supported, e.g. for DigitalStrom.
  • Eclipse SCADA is a set of Java and OSGi services that implements nearly all of the services required to run a SCADA (supervisory control and data acquisition) system. As one type of an Industrial Control System (ICS) Eclipse SCADA delivers functions for data acquisition, monitoring, visualization, etc. Additionally, the framework supports typical industrial automation standards like ModBus, Siemens PLC, SNMP and OPC.
  • Eclipse OM2M is one implementation of ETSI’s MSM standard. This implementation provides a horizontal Service Capability Layer (SCL) to be deployed in a M2M network.

Summary

In conclusion Eclipse IoT provides an open source stack including all relevant frameworks, protocols and standards to develop your own IoT application. The stack allows you to develop new devices but also to modernise existing ‘legacy’ devices.

Sending EnOcean telegram

EnOcean is an energy harvesting wireless technology used primarily in building automation systems and smart homes. All modules based on this technology combine on the one hand micro energy converters with ultra low power electronics, and on the other hand enable wireless communications between battery-less wireless sensors, actors and even gateways. The communication is based on so called ‘EnOcean telegram’. Since 2012 the EnOcean standard is specified as the international standard ISO/IEC 14543-3-10.

The EnOcean Alliance is an association of several companies to develop and promote Logo of EnOCeanself-powered wireless monitoring and control systems for buildings by formalizing the interoperable wireless standard. On their website the alliance offers some of their technical specifications for everybody.

To send an EnOcean telegram you need a piece of hardware connected to your host, e.g. an EnOcean USB300 USB Stick for your personal computer or an EnOcean Pi SoC-Gateway TRX 8051 for your Raspberry Pi. In this sample we use the USB300 to send a telegram using a small piece of software implemented in Java. The following photography shows an USB300 stick:

EnOcean USB300 Stick used to send EnOcean telegram

EnOcean USB300 Stick

The EnOcean radio protocol (ERP) is optimised to transmit information using extremely little power generated e.g. by piezo elements. The information sent between two devices is called EnOcean telegram. Depending on the EnOcean telegram type and the function of the device the payload is defined in EnOcean Equipment Profiles (EEP). The technical properties of a device define three profile elements:

  1. The ERP radio telegram type: RORG (range: 00…FF, 8 Bit)
  2. Basic functionality of the data content: FUNC (range 00…3F, 6 Bit)
  3. Type of device in its individual characteristics: TYPE (range 00…7F, 7 Bit)

Since version 2.5 of EEP the various Radio-Telegram types are grouped ORGanisationally:

TelegramRORGDescription
RPSF6Repeated Switch Communication
1BSD51 Byte Communication
4BSA54 Byte Communication
VLDD2Variable Length Data
MSCD1Manufacturer Specific Communication
ADTA6Addressing Destination Telegram
SM_LRN_REQC6Smart Ack Learn Request
SM_LRN_ANSC7Smart Ack Learn Answer
SM_RECA7Smart Ack Reclaim
SYS_EXC5Remote Management
SEC30Secure Telegram
SEC_ENCAPS31Secure Telegram with RORG encapsulation

In this context we use the type VLD (Variable Length Data) to have a closer look to EnOcean telegrams. VLD telegrams can carry a variable payload of data. The following graphic shows the structure of on EnOcean telegram (based on EnOcean Serial Protocol 3, short: ESP3):

This graphic describes the structure of an EnOcean telegram

Structure of EnOcean telegram

ESP3 is a point-to-point protocol with a packet data structure. Every packet (or frame) consists of header, data and optional data. As you can see in the structure, the length of the complete telegram is encoded in the header with two bytes. This suggests a maximum telegram length of 65535 bytes. Unfortunately, the maximum length of such a telegram is reduced to 21 bytes (data) due to limitations of low power electronics. Reduced by overhead information wasted in field data, the resulting net payload has finally a size of 14 Bytes. The following code snippet demonstrates how to send a telegram with 14 bytes payload ’00 11 22 33 44 55 66 77 88 99 AA BB CC DD’. At first we have look at the telegram:

Telegram: 55 00 14 07 01 65 D2 00 11 22 33 44 55 66 77 88 99 AA BB CC DD 00 00 00 00 00 01 FF FF FF FF 44 00 0B
Sync. byte: 55
Header: 00 14 07 01
CRC8 Header 65
Length data: 20 (0x14)
Length optional data: 7 (0x07)
Packet Type: 01
Data: D2 00 11 22 33 44 55 66 77 88 99 AA BB CC DD 00 00 00 00 00
RORG: D2
ID: 00 00 00 00
Status: 00
Data Payload: 00 11 22 33 44 55 66 77 88 99 AA BB CC DD
Optional data: 01 FF FF FF FF 44 00
SubTelNumber: 01
Destination ID: FF FF FF FF
Security: 00
Dbm: 68 (0x44)
CRC8 Data 0B

The following Java code demonstrates one way to send this telegram via USB300. The code snippet uses the library of RXTX to access the serial port.

import java.io.OutputStream;

import gnu.io.CommPort;
import gnu.io.CommPortIdentifier;
import gnu.io.SerialPort;

public class EnOceanSample {
	
	static SerialPort serialPort;
	static String serialPortName = "COM3";

	public static void main(String[] args) {
		
		byte[] sampleTelegram = new byte[] { (byte) 0x55, (byte) 0x00, (byte) 0x14, (byte) 0x07, (byte) 0x01, (byte) 0x65, 
				(byte) 0xD2, (byte) 0x00, (byte) 0x11, (byte) 0x22, (byte) 0x33, (byte) 0x44, (byte) 0x55, (byte) 0x66, (byte) 0x77, (byte) 0x88, (byte) 0x99, (byte) 0xAA, (byte) 0xBB, (byte) 0xCC, (byte) 0xDD, 
				(byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x01, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0x44, (byte) 0x00, (byte) 0x0B};
		
		try {
			CommPortIdentifier portIdentifier = CommPortIdentifier
					.getPortIdentifier(serialPortName);
			if (portIdentifier.isCurrentlyOwned()) {
				System.err.println("Port is currently in use!");
			} else {
				CommPort commPort = portIdentifier.open("EnOceanSample", 3000);
	
				if (commPort instanceof SerialPort) {
					serialPort = (SerialPort) commPort;
	
					// settings for EnOcean:
					serialPort.setSerialPortParams(57600, SerialPort.DATABITS_8,
							SerialPort.STOPBITS_1, SerialPort.PARITY_NONE);
					
					System.out.println("Sending Telegram...");
					OutputStream outputStream = serialPort.getOutputStream();
					outputStream.write(sampleTelegram);
					outputStream.flush();
					outputStream.close();
					serialPort.close();
					System.out.println("Telegram sent");
					
				} else {
					System.err.println("Only serial ports are handled!");
				}
			}
		}
		catch (Exception ex) {
		}
	}
}

On this way it’s not possible to send telegrams with a huge payload. If the information to be sent is longer than the described limit above, you can use a mechanism called ‘chaining’. To chain telegram a special sequence of telegrams is necessary. All protocol steps for chaining are specified in EO3000I_API.

Attention: In Europe EnOcean products are using the frequency 868,3 MHz. This frequency can be used by everybody for free but the traffic is limited, e.g. in Germany where it’s only allowed to send 36 seconds within one hour.

In one of my last blog posts I gave you the know how to receive EnOcean telegrams. Now, based on the information above, you can send your own EnOcean telegram in context of your Smart Home or your IoT environment.

EnOceanSpy as Java version available

In 2013 I’ve released a small tool called EnOceanSpy on github. This tool can be used on a Raspberry Pi (RasPi) to log all incoming EnOcean telegrams and was implemented in C. The following photography describes the composition of Raspberry Pi, EnOcean USB300 stick (and a WakaWaka as a portable power bank):

Raspberry Pi with EnOcean USB300

Raspberry Pi with EnOcean USB300

The post at that time described the usage of this composition.

Now I’ve release a Java implementation of EnOceanSpy also on github: https://github.com/hfunke/org.protocolbench.enoceanspy. This tool logs all incoming EnOcean telegrams as well, but this time in Java. You can set the used <com port name at> the command line and EnOceanSpy logs all incoming telegrams.

And here is a Java code snippet where you can find a way to connect the USB300 stick with RXTX:

    void connect(String portName) throws Exception {
        CommPortIdentifier portIdentifier = CommPortIdentifier
                .getPortIdentifier(portName);
        if (portIdentifier.isCurrentlyOwned()) {
            System.err.println("Port is currently in use!");
        } else {
            CommPort commPort = portIdentifier.open(this.getClass().getName(),
                    3000);

            if (commPort instanceof SerialPort) {
                serialPort = (SerialPort) commPort;

                // settings for EnOcean:
                serialPort.setSerialPortParams(57600, SerialPort.DATABITS_8,
                        SerialPort.STOPBITS_1, SerialPort.PARITY_NONE);

                InputStream in = serialPort.getInputStream();
            
                serialPort.addEventListener(new SerialReader(in));
                serialPort.notifyOnDataAvailable(true);
                
            } else {
                System.err.println("Only serial ports are handled!");
            }
        }
    }

EnOcean allows on the one hand one-way and on the other hand bidirectional communication between devices. Currently most of this communication is not decrypted, so you can read all information communicated via air. There is a first specification to use cryptography for EnOcean protocol. I will give you an overview on this way of encryption in the next time.

Have fun to seek your environment after EnOcean devices :)

 

Use RasPi to seek after EnOcean telegrams

During the last months I spent some hours in the specifications of EnOcean telegrams. These telegrams are used in domain of home automation. The EnOcean Alliance publishes all necessary specification on their website. One of the relevant specifications is EnOcean Serial Protocol 3 (ESP3). In this description you can find all information to understand the protocol used by EnOcean.The specification of this protocol is also standardized and published as ISO/IEC 14543-3-10.

If you are interested in collecting telegrams to analyze them and to understand the protocol behind them, the following project may be interesting for you: EnOceanSpy. I’ve hosted this small piece of software on GitHub. It’s written in C and there is a binary version available for Raspberry Pi (RasPi). On this way you can use your RasPi in combination with an USB300 stick. The following photo demonstrates a buildup including a WakaWaka as power source.

RasPi_WakaWaka_USB300EnOcean allows on the one hand one-way and on the other hand bidirectional communication between devices. Currently most of this communication is not decrypted, so you can read all information communicated via air. There is a first specification to use cryptography for EnOcean protocol. I will give you an overview on this way of encryption in the next time.

Have fun to seek your environment after EnOcean devices :)