Further to my last (hopefully this posting is visible amongst all
the sporge).
The concern is that in my client's current product, RF communications
with the RTU's are in plaintext visible to anyone with a capable
receiver.
The Master Station is a hand-held device with a cell modem
and a proprietary RF transceiver to connect with the RTU's. It does
use a secure shell for Host messages. RF security has not been an issue
because it's extremely unlikely for an evesdropper to be nearby
(within 100 meters) with just the right snooping equipment when
a technician happens to be there servicing an installation.
However, by its nature the objective of this project creates a greater
security risk; it's to reduce the expense of personnel routinely
patrolling the coverage areas; only emergency situations would need
human intervention.
To achieve this the hand-held units are to be replaced with
network-accessed Master Stations installed in fixed locations with
difficult physical access. The RTU's cannot be protected so well however
and an intruder could operate unobserved.
My client believes that the threat of RTU tampering is still low,
but considering the liability issues wants some minimal security
protection for the RF signals, at least for marketing purposes.
The worst threat scenario is that the attacker steals an RTU.
The hardware designer will include some tamper detection, but we could
only detect the theft, not prevent it.
Once in possession of the RTU, the intruder breaks into its enclosure,
chips away the potting and extracts the transceiver, giving him
access to the cyphertext of legitimate message traffic. He also has
the RTU's main circuit board to experiment with faked messages.
After listening to enough traffic to break the security scheme,
the worst case is that he causes unauthorized actuations, with serious
results. This could be considered far-fetched, except that similar
tampering with remote telemetry control has actually happened.
There are several factors in our favor, however. One is that actuations
are rare. Most messages consist of a status poll and response and only
a seriously dedicated saboteur would have the determination to maintain
long enough surveillance to correlate an actuation command with
the action.
I suppose no scheme within our reach would be effective against anyone
with enough skills and intent. There are easier ways to wreck havoc,
and there is much better monetary payoff for a thief to prowl around
parking lots eavesdropping on Keeloq signals than to target our system.
I'm not sure what's worse, well-funded foreign terrorists, bored
teenagers with enough technical savvy to be dangerous or some one in
a million lunatic with an unshakable obsession (and a Ph.D in math).
So do we need encryption at all? My client is not comfortable sending
the RF messages in the clear, but I'm not sure how to implement anything
even approaching industry standard security on a tiny microcontroller
without (for cost reasons) any supporting hardware such as code-hopping.
I suppose whatever I come up with will be more of a marketing feature
than anything really effective and the Marketing Dept can conjure up
for the customer some shadowy Boogey-man which only our
state-of-the-art-secret-proprietary-not-subject-to-peer-review system
can stop.
Comments invited;
TIA, Sean_Q_
ps. For a small scale security model LFSR's could be sequenced by
the main tick interrupt, 100 msec or so, but slightly different for
each unit.
A 32-bit word with well chosen taps would ensure a reasonably long
pseudo-random sequence and RF commands to initiate a session would
arrive at asynchronous points in the sequence, providing some entropy
for key exchange/authentication.
The public key could be the unit's serial number. The messaging model
is mostly poll-and-response, unless the RTU detects a tamper, where
it sends an immediate alert to the Master Station.
In operation, routine network commands resulting in RF sessions
are fairly infrequent, making them harder to penetrate.
