Zenseio Blog

IoT Security and 100 Million Volkswagens
Closeup of a Volkswagen symbol on a cars front grille

Researchers just published a startling discovery we’d never want to read about. It turns out that 100 Million Volkswagen vehicles sold since 1995 can be relatively easily hacked to open doors wirelessly without having the key.

It turns out 100 million vehicles used only a handful of private shared keys. Once a single private key is breached, millions of vehicles are compromised. The way cryptography based on Pre-Shared Key (PSK) works is that two devices (a vehicle and a key fob, in this case) share a secure private key that was programmed at a factory or at a dealership. This private cryptographic key, along with a rolling code are used for encrypted wireless transmission of authenticated commands to open/close doors.

With enough compute power, pretty much any secure communication can be cracked with brute force attack. But, in many cases, this may not be practical. The older VW Remote Keyless Entry (RKE) systems were trivial to crack, but the latest schemes ones are more robust. However, another, easier attack, is to snoop the memories of vehicle’s electronics for the private keys. This is what happened here. The secret keys were not so securely stored, and they were read out from the vehicle microcontrollers by people skilled at this. Normally, only one vehicle would be compromised (and only after hackers broke into the vehicle’s interior, in the first place). But, whether by ignorance, laziness, or mindless “cost-cutting”, 100 millions of vehicles and their key fobs were programmed with just a few common secret keys used worldwide over decades. So, once one vehicle got hacked, millions of others were compromised. Oops, another of Volkswagen’s expensive screwups. (To be fair, VW is not the only large corporation to suffer from such a security breach, but this one has been the most spectacular so far.)

IoT Security

So, how does this relate to security of IoT connected devices and sensors? Think of Volkswagens as IoT devices. Similar cryptography schemes are used to secure the communications between sensors and cloud services. While older obsolete cryptographic algorithms offer little protection to eavesdropping or spoofing, more advanced algorithms, such as AES-CCM are considered state-of-art for resource-constrained devices.

They use secret Pre-Shared Key along with another piece of information, called Initialization Vector (IV) are used for authentication and encryption of the information being transmitted. The IV is additionally incremented with a monotonic counter, so that the transmissions with the same payload data, always generate different encrypted messages. If there is enough secret key and IV bit length and randomness, this scheme can be very effective in resisting brute force hacking and spoofing attacks, especially for low-cost IoT devices that use low-power, long-range wireless communication.

But, these state-of-art cryptographic algorithms are only as good as the secrecy of the private keys, the design of the security system, and deployment methodologies being followed. Just like your credit cards are secure as long as you are careful whom you hand them to and how well you protect your wallet.

IoT security is a rightfully serious vulnerability today because, many times, it is designed and deployed by people who don’t understand the interplay of the technology nuances and the application’s  business risks. When cost pressures inevitably show up (these are supposed to be low cost devices, after all), wrong compromises are made. While there were many security breaches similar to the Volkswagen’s, and a few were as well publicized, my feeling is that the majority received little press and many more are the “ticking time-bombs” still waiting to happen.

Zenseio’s IoT device platform offers strong built-in security features. The private keys are uniquely and randomly generated for each device and stored in secure hardware crypto vault. After being written once, private keys can never be read back. Our devices will also prevent revealing of internal secrets through physical hacking or reverse-engineering, such as probing for voltage, temperature, frequency, light, or electromagnetic field signatures. Even if one of the devices is cracked with brute force cryptanalysis, others are unaffected. Additionally, as each device uses unique internal secrets for authentication of messages, spoofing attacks are also prevented.

Not every IoT application needs this high level of security. In fact, most applications are better served by less stringent key management schemes, but still using the state-of-art cryptography algorithms (which we support out-of-box) as they are easier to use and maintain. However, if your application needs ironclad security, we have built-in hardware features to deliver a hacker-resistant solution.