Security in networked lighting control
Introduction
Security is clearly among the hottest topics in the Internet of Things and networked lighting control. Multiple media reports on additional security flaws found in all kinds of smart devices keep heating things up – to the point where some even herald that the proliferation of connected “things” will trigger the coming of a massive wave of cyber criminal activity that could potentially affect any of us. There is no reason to panic, though. Doomsday scenarios always sell well, as opposed to gradual, painstaking work carried out by security experts day by day. What we must be aware of is that when it comes to connected technologies, we are all still early on the learning curve. This mirrors the challenges faced by the technology industry in the early days of networking. Security was a mess back then, but effective mechanisms were eventually developed, allowing us to use the Internet and all types of electronic devices on a regular basis to process payments and manage confidential information. As long as we - end users - follow common sense, today’s IT can be considered safe. The IoT will be safe, too. And smart lighting controls are no different.
That said, security threats of course need to be taken very seriously. The IoT undeniably offers new levels of exposure to security threats and lighting control products are a perfect example. In the era of traditional wired lighting control systems, security wasn’t even an issue. It simply wasn’t needed, which is why “wired” protocols – such as BACnet, DALI or KNX – didn’t have any security mechanisms implemented. Instead, cables were hidden deep in the walls and were therefore considered safe. While taking control over such a system is theoretically possible, the effort required to do so is simply bigger than the reward. If a criminal is able to enter a building and drill through its walls then lighting controls are probably the last thing he’d be interested in anyway. But wireless lighting devices are a different story. Connected LEDs with flawed security can potentially be taken over remotely by someone who’s not even inside a given building. Furthermore, such an intruder might get access to much more than lighting controls. The abundance of data that can be generated by sensory networks is one of the biggest benefits of commercial smart lighting systems, but this data might be attractive also for cyber criminals. In certain scenarios, configuration data obtained from connected lighting might even allow to gain access to companies’ internal IT networks. This would require multiple errors to be made in the process of smart lighting network design and implementation, but it is certainly possible in certain circumstances. Finally, many risks will become more relevant as IoT solutions mature. With modern buildings embracing technology at a rapid pace, lighting control solution can be expected to become more and more integrated with building management systems and other key infrastructure, such as HVAC systems. This means that ultimately connected LEDs will be an even more tempting target for cyber criminals.
For these reasons, security is a must in wireless environment. This is one of the most profound differences between wired and wireless lighting control systems. And part of the reason why we hear about security issues so often is that the resource-scarce nature of connected devices makes designing security particularly hard. Flawless security measures and guarantees cannot be achieved by copying the solutions and methods known from traditional IT systems, since networking lighting devices usually offer very small storage space and very low processing power. Plus, there is the security versus ease-of-use challenge that developers struggle with when building controlled lighting. If a given security scheme is too time-consuming or too difficult to apply in indoor or outdoor lighting, customers will stay away from products using it.
What about encryption?
In many applications, security is often mistakenly associated almost exclusively with encryption. A digital lighting system is considered secure if no one can find out what’s going on inside of it, e.g. what commands are exchanged between individual devices. While encryption is an important part of the security architecture, it is not what security is all about. The exchange of data between wireless switches, sensor lights, and other lighting units basically wouldn’t have to be encrypted in any way. If someone eavesdrops the signal sent between the two, the obtained information is going to be pretty much useless. You don’t need sophisticated decryption techniques to guess what a switch could say to an LED, and just by looking at a given space or an office building window you can determine what types of commands are being exchanged at a given time. Sensor data might be a bit more sensitive, though. While some sensors transfer publicly available data, others might generate more or less commercially sensitive information. In such case, appropriate security methodology and security standards, including encryption mechanisms, obviously need to be applied.
What is more important?
So if encryption isn’t the crucial part, then what is more important? Authentication. This is what prevents unauthorized access to the lighting control infrastructure. Ina secure networked lighting environment, a smart fixture needs to be sure that a command it receives originates from an authorized entity, be it a smartphone or a wireless switch on the wall. In addition, the integrity of the exchanged data must be ensured - so that no one can alter the message before it reaches its recipient. Authentication is also an absolutely crucial part of the onboarding process, preventing potential intruders or Trojan horses from sneaking into the lighting solution when a new device joins the network.
Before data exchange can be authenticated and ultimately processed, devices must first exchange authentication keys. What is crucial is the secure delivery of these keys. If this process is sabotaged, an unauthorized party can obtain some very sensitive security information that lighting provides. This was the case with the infamous security flaws in ZigBee devices that were presented during the Black Hat USA 2015 conference. Despite the fact that the protocol uses a 128-bit AES algorithm for data encryption, as well as three types of keys for managing authentication, it was demonstrated that ZigBee communication could be easily hijacked due to vulnerable device pairing procedure that allows external parties to sniff the exchanged network key.
As far as encryption is concerned, the abovementioned data encryption standard AES-128 is currently used by all of the leading low-power wireless communication protocols. It’s been around for a while, so one might wonder whether it still remains computationally secure against brute-force attacks. After all, technologies aimed at breaching popular security mechanisms keep developing rapidly - just like security technologies themselves. But there is a good reason why governments and businesses place such a great deal of faith in AES-128. The standard remains, realistically speaking, unbreakable. That’s because today there is no computationally feasible method to crack it. Doing so would require ridiculous amounts of time even when multiple supercomputers were involved in the process (and we’re talking about thousands and millions of years here). Even if cracking AES-128 becomes technologically feasible in any foreseeable future, such an attempt still wouldn’t make much sense, since it would be more expensive than the value of whatever the key is protecting. Currently, the U.S. National Institute of Standards and Technology (NIST) claims that AES-128 will be a totally secure encryption method at the very least up to 2030. What can be said for sure is that cheaper and more efficient low-power technologies will become available by that time, allowing us to use stronger encryption methods, such as AES-256 which is a bit too power-hungry for today’s generation of facilities requiring lighting systems.
This shows that encryption isn’t an issue in smart lighting security today. Commonly used technologies are good enough to ensure that encrypted data cannot be deciphered. As already pointed out, authentication is much more sensitive and thus much more important. It is also the only effective weapon against the so-called replay attack, also referred to as playback attack, which can easily get around even the strongest encryption solutions we could ever come up with.
Long story short, a replay attack is about recording certain data packets and playing them back later on to achieve a desired result. The intercepted message does not have to be decrypted at any point. It’s re-transmitted in exactly the same form in which it was originally sent, to produce exactly the same result. Since encryption is helpless against such an attack, how can it be prevented? By appropriate authentication mechanisms. Once they are applied, the network from which the intercepted data packets originate won’t allow such re-transmitted messages to be executed. Authentication is also the only effective tool against man-in-the-middle (MITM) attacks which occur when communication between two devices is secretly monitored, captured and potentially altered by an unauthorized third party.
What authentication can’t prevent is the so-called trash can attack. Building administrators need to get used to the fact that each smart device within a network stores certain sensitive access data, such as network keys. Therefore, it would be wise to have certain carefully thought-out procedures implemented for discarding broken or worn-out devices. Unauthorized persons should be prevented from being able to retrieve security keys manually from e.g. a discarded bulb, because such attempts might be highly successful if non-volatile memory is poorly protected in such devices. What can manufacturers do to prevent that? Use only integrated memory instead of separate memory chips and disable debugging interfaces, while at the same time ensuring that attempts aimed at retrieving security keys will result in damaging the chip and destroying any data it contains. Do all of the vendors of smart lighting sources use such preventive measures? Few of them, unfortunately.
Security is a complex issue
One more thing to remember is that smart lighting security is a complex issue, and needs to be treated comprehensively if we want the applied mechanisms to be really effective. From hardware and software to wireless data exchange and cloud, there are several different areas where vulnerabilities might be found and exploited. They all interact with each other so it’s crucial to ensure that all of them are protected against potential attacks. After all, a chain is only as strong as its weakest link.
Similarly, interactions occur between different layers of the wireless communication process which are specified by the OSI model (more on OSI here). Solutions based on a combination of different technologies – e.g. with one technology taking care of the physical, network & transport layers, and another taking care of the application layer – often lack clear and agreed upon security architectures. As a result, such a patchwork system ends up being less secure than the individual technologies it is made up of. Not to mention that it is also much more difficult to update, and seamless over-the-air update capability is absolutely crucial for long-term security of smart lighting systems. For these reasons, ensuring true security is much easier in the case of full-stack technologies where relevant mechanisms can be implemented with the security by design approach.
Last but not least, if you really care about security then you should go for open standards and forget about proprietary solutions. Not only is a proprietary technology unlikely to be as secure as the one developed by multiple leading companies which share their expertise along the process, but the transparency of open standards guarantees that any potential vulnerabilities can be identified and addressed before someone decides to exploit them. In the case of proprietary technologies, it’s basically impossible to state whether one or another solution is secure. At most, it can be stated that it hasn’t been broken so far. But only open standards receive the scrutiny and attention that is necessary for true security.
Security standards
IoXT (Internet of Secure Things) and PSA (Platform Security Architecture) are security standards and certifications aimed at ensuring the security of connected devices, including lighting systems. These certifications become increasingly important as the Internet of Things (IoT) continues to expand, connecting more devices and systems and potentially exposing them to security risks. Let's take a closer look at each of these certifications and their importance for lighting systems.
IoXT Alliance:
The IoXT Alliance is a global organization that seeks to improve the security of IoT devices by establishing and promoting security standards. The IoXT certification is granted to products that meet the alliance's criteria, which focuses on eight principles: device identity, data protection, cloud security, secure software, secure communication, security updates, no universal passwords, and vulnerability reporting programs.
IoXT certification is important for lighting systems as it ensures that the devices are designed with security in mind, minimizing the risk of unauthorized access and data breaches. As more lighting systems become connected and integrated with other systems (e.g., building management or energy management systems), ensuring the security of these devices is paramount to protect user data and privacy.
PSA (Platform Security Architecture):
PSA is an initiative by ARM (a semiconductor and software design company) that provides a framework for securing connected devices. It consists of guidelines, analysis methods, and reference implementations to help manufacturers develop secure IoT devices. The PSA Certified program offers a certification process that evaluates devices against the PSA security requirements.
For lighting systems, PSA certification helps ensure that the devices have been designed and manufactured with security best practices, making it more difficult for potential attackers to compromise the system. This certification provides an additional layer of trust for end-users and is particularly important for systems that may be used in sensitive environments or applications.
How can we guarantee security with a Bluetooth mesh network?
Bluetooth mesh was developed with strong security lighting techniques as its number one priority. In addition to advanced encryption and authentication measures, it includes multiple security features designed to prevent specific threats and address specific lighting requirements for interior and exterior lighting. These include secure device provisioning, separation of concerns, area isolation, key refresh procedure, and many others. For detailed information about its security fundamentals, take a look at the Bluetooth mesh security overview available on the website of the Bluetooth SIG.
What is particularly important, security in Bluetooth mesh networking is mandatory. Component manufacturers are obliged to introduce the security measures mentioned above, so it is practically impossible to set up an insecure Bluetooth mesh network.
As far as the security architecture of Bluetooth mesh is concerned, there are no known security vulnerabilities. This has been confirmed by several scientific papers published by independent researchers. The fact that Bluetooth mesh is a global and open standard makes it even more secure for end users. The transparency of open standards guarantees that any potential vulnerabilities can be identified and addressed before someone decides to exploit them. In the case of proprietary technologies, it’s basically impossible to state whether one or another solution is secure. At most, it can be stated that it hasn’t been broken so far. Only open standards receive the scrutiny and attention that is necessary for true security.