J. Yaghob (Ed.): ITAT 2015 pp. 38–42
Charles University in Prague, Prague, 2015

About Security of the RAK DEK

Richard Ostertág
Department of Computer Science, Comenius University, Mlynská dolina, 842 48 Bratislava, Slovakia
ostertag@dcs.fmph.uniba.sk

Abstract: The RAK DEK operating unit is a standalone access control system. This unit, and its more advanced versions, are widely used in Slovakia to protect entrance doors to blocks of flats. In this paper we have studied the security of RAK DEK with respect to timing attacks. We have tried two attack vectors. The system proved invulnerable to our first attack, but we have succeeded with the other attack vector. We are now finishing a functional exploit using the identified vulnerability and investigating its applicability to the more advanced version of this family of access control systems.

1 Introduction and Basic Description of the RAK DEK

RYS is a Slovak company that develops and sells access control and door communication systems. This company develops its own line of access control systems based on the iButton (a.k.a. touch or digital electronic key, DEK) and the RAK DEK operating-memory units.

These systems were designed for apartment buildings and became very popular. They are also used to provide access control in commercial or industrial settings (e.g. hotels, offices, stores, schools, server housing) [1].

We chose to discuss this system because of its popularity in Slovakia. We have already described cloning of the DEK and a generally applicable brute-force attack in [2]. In this paper we have exploited specific properties of RAK DEK, so our conclusions apply only to this specific system. However, the described timing attack may be applicable even to other systems using the 1-Wire protocol and serial number iButtons, but actual applicability has to be individually investigated.

1.1 Operating-Memory Unit

The operating-memory unit, e.g. RAK-DEK (see figure 1), is the brain of the RYS access control system.

Figure 1: The RAK-DEK operating-memory unit

This unit is connected through its RELE output with the door's electromagnet and through a 4-pin connector on the back side with an iButton touch probe. This unit is able to store serial numbers for hundreds of iButtons. If a user touches the touch probe with a DEK, the iButton serial number is transferred from the DEK to the operating-memory unit. If the transferred number is stored in the unit, the unit temporarily deactivates the electromagnets (using the RELE output) and the user is allowed to enter.

We are interested in the communication between the DEK and the operating-memory unit. As the DEK is just a standard DS1990R serial number iButton® from Maxim Integrated Products, Inc., this communication uses the standardized 1-Wire protocol.

1.2 Serial Number iButton

The DS1990R is a rugged button-shaped data carrier, which serves as an electronic registration number. It is produced in two basic sizes (F3 and F5), as is schematically depicted in figure 2.

Figure 2: Schema of DS1990R serial number iButton

For the DEK an iButton of F5 size is used, together with a plastic holder for it (see figure 3). This holder can be put on a key chain and can be in different colors (but black is usually used).

Figure 3: Picture of DS1990R-F5 serial number iButton

Every DS1990R is factory lasered with a guaranteed unique 64-bit registration number that allows for absolute traceability. This 64-bit registration (or serial) number has the internal structure depicted in figure 4.

Figure 4: Data structure of a DS1990R serial number

It contains: a six-byte device-unique serial number, a one-byte family code and a one-byte CRC verification. Every DS1990R has its family code fixed to $(01)_{16}$. There are also other iButton devices with different family codes. E.g. $(10)_{16}$ is a temperature iButton, but they are not usually used in this kind of system. Therefore every DEK can be considered as a 48-bit factory-set unique number (analogous to unique MAC addresses of network cards).

1.3 Communication Protocol between RAK-DEK and iButton

All iButton devices utilize the 1-Wire protocol, which transfers data serially, half-duplex, through a single data lead (1-wire) and a ground return (GND).

Figure 5: Simplified schema of an iButton and a master (labels: Master, Slave, +5 V, RPU, D1, C1, Q1, Q2, RX, TXM, TXS, 1-wire, GND, 64-bit ROM ID)

Figure 5 depicts a simplified implementation of the 1-wire communication using two micro-controllers with two unidirectional ports. The slave (in this case the iButton) has no power source and is powered from the operating-memory unit using the parasite power system on the data lead. This system consists of diode D1 and capacitor C1 and provides power to the iButton during low voltage states of the 1-wire bus.

The master uses input port RX to sense the value on the 1-wire bus. The slave uses its RX input port the same way. In the idle state the 1-wire bus is pulled up to 5 V by resistor RPU. In this state all RX ports read logical one. The standard defines that the voltage should be at least 2.2 V to be interpreted as logical one.

If any device wants to set the 1-wire bus to logical zero, it uses its output port (TXM or TXS) to activate its internal MOSFET switch (Q1 or Q2) to connect the data lead to the ground. As a result of this action, the 1-wire voltage falls to near 0 V. The standard defines that the voltage should be at most 0.8 V to be interpreted as logical zero.

If a device wants to set the 1-wire bus to logical one, it just deactivates its internal MOSFET switch. If more devices set the 1-wire bus state at the same time, then the resulting state is the logical AND of all states. In other words: if at least one device is setting the 1-wire bus to logical zero, then the resulting state is logical zero.

Figure 6: Example of real 1-wire communication (voltage in V against time in ms; the trace shows the reset pulses, the presence pulses and the command 0x33 sent as 11001100, LSB to MSB)

Communication always starts with the reset pulse issued by the master. The reset pulse is just a long enough (in this case 1.1 ms) logical zero state of the 1-wire bus (see figure 6). After this reset pulse all slave devices are reset to a well-known initial state. All slave devices respond to the reset pulse with the presence pulse, in this case with a length of 0.149 ms. If no presence pulse is detected by the master, then no iButton is connected to the master. In this situation RAK-DEK waits for 100 ms and then tries again with another reset pulse. After successful detection of an iButton, RAK-DEK makes a new, unnecessary, reset pulse for unknown reasons (again followed by the presence pulse).

After the presence pulse, the master will send a command. RAK-DEK always sends the command 0x33, i.e. the "read ROM" command. This command is transferred from the master to the slave by serial transfer within defined time slots. Any time slot is initiated by the master (in this case RAK-DEK) and starts with a falling edge on the data lead. After 0.025 ms (after this falling edge), the iButton reads the state of the 1-wire bus. If it is at least 2.2 V, the master sends bit 1, otherwise bit 0. Bits are always sent from the least significant bit to more significant bits.

After receiving the "read ROM" command, the iButton is ready to send its 64-bit serial number stored in its ROM. Again, the transfer is done in time slots initiated by the master, from LSB to MSB. So, the slave is waiting for the falling edge. After 0.004 ms (after this falling edge) RAK-DEK turns off the switch Q1 and the pull-up resistor will raise the data lead to 5 V. So if the iButton wants to send bit 1, it just has to wait. If the iButton wants to send bit 0, then in this 0.004 ms interval the iButton activates its switch Q2 for 0.032 ms. In either case RAK-DEK reads the state of the 1-wire bus about 0.02 ms from the beginning of the time slot. And again, if it is at least 2.2 V, then the master receives bit 1, otherwise bit 0. In figure 6 we can see the first 8 bits of the serial number after command 0x33. In the case of a DEK it is always 0x01 (family code). The lower half of figure 6 zooms to the last but one byte of the serial number (in the case of this specific key it is $(00110111)_2 = (37)_{16}$).

Communication ends when RAK-DEK receives the whole 64-bit serial number. If the received number is on the internal list of authorized DEKs, then RAK-DEK releases the electromagnet holding the doors. At this point RAK-DEK sends the reset pulse and the whole communication starts again. For more implementation details of the protocol see [3].

2 Hardware

To be able to interact with RAK-DEK we need to implement an iButton emulator. We decided to use an Arduino compatible hardware platform developed at Slovak University of Technology, Acrob [4], depicted in figure 7.

Figure 7: Acrob – an educational robotic platform

This hardware platform uses the Atmel ATmega328P microcontroller running at 16 MHz, which we programmed in a C++-like language, using the standard Arduino IDE [5].

In contrast to our previous paper [2], where we simulated the operating-memory unit with an Acrob, we now had to buy a real RAK-DEK operating-memory unit, because timing attacks are very sensitive to implementation details. We still use one Acrob device for emulation of iButtons.

The 1-Wire protocol uses only one data line. We implement this line by connecting digital pin 12 of the Acrob with the center pad of the touch probe (this is equivalent to connecting directly with pin 2 of the RAK-DEK). This probe is connected to the RAK-DEK using the 4-pin connector on the back side of the PCB. To establish a ground return we connect the Acrob GND pin with the outside ring of the touch probe (this is equivalent to connecting directly with pin 1 on the RAK-DEK).

The touch probe gives us one more information channel: the LED. RAK-DEK blinks this LED to make it easier to locate the touch probe at night. The LED also lights up for some time when an iButton touches the probe.

To be able to analyze even this source of information we decided to use a photoresistor facing the LED in the touch probe. We used a photoresistor module with an opamp used as a comparator and a potentiometer for setting a threshold. When the light intensity is over the threshold, the DO pin of the module is at logical 0 level (near 0 V), otherwise it is at logical 1 level (near 3.3 V because we have used 3.3 V as Vcc for the module). We have connected the DO pin on the photoresistor module to pin 8 on the Acrob.

Figure 8: Calibration of the photoresistor module (panels: 1-wire, LED is ON, photoresistor (analog), photoresistor (digital); voltage in V against time in ms, with the delayed start and delayed stop marked)

Photoresistors are slow and that is why we can see a delayed start and a delayed stop in figure 8. We have rotated the potentiometer to set the threshold around 620 mV. By this calibration we obtained a small stop delay at the cost of a longer start delay and high sensitivity to ambient light. In this case it was not a problem. We know that the LED starts to light at the start of the second reset pulse, and the ambient light was shielded. In fact, the length of the stop delay is not important, we only need it to be constant. If smaller delays are needed, then a phototransistor can be used.

3 The Brute Force Attack

If we omit the predictable parts of serial numbers (i.e. family code and CRC), we have to find six bytes. Our empirical observations suggest that serial numbers are allocated in sequence. All keys we have seen so far had zeros in the two most significant bytes of these six bytes. Therefore for a brute force attack it would be sufficient to try all $2^{32}$ serial numbers of the form mentioned above.

In our experiments we have observed that RAK-DEK issues the reset pulse every 100 ms when waiting for a DEK. But if a DEK is found, then the next reset pulse does not come immediately, but always 700 ms after the first. This does not leave any space for a timing attack and substantially increases the time for the brute force attack that we estimated in [2]. If we assume 700 ms as an upper bound to try one serial number, we will need

$700\,\text{ms} \times 2^{4 \times 8} / 60 / 60 / 24 / 365.5 \approx 95$ years

for a successful brute force attack in the worst case.

4 The Timing Attack

As a last resort we have tried to analyze the time that elapses from the moment we send the 64-bit serial number to the moment the LED goes off. Our idea was to store one key, e.g. 0x0000000000000000, into the RAK-DEK unit and then emulate two keys, e.g. 0xFF00000000000000 and 0x00000000000000FF, and measure the time needed for the LED to go off in both cases. Through this experiment we have realized that RAK-DEK first validates the CRC and family code. It is not possible to do tests with an unrealistic DEK. Therefore we chose one valid DEK and made modifications only to its 6 inner bytes in such a way as not to modify the resulting CRC. Then we tried to send four different keys to RAK-DEK with different positions of the first discrepancy from the stored key. The resulting times are depicted in figure 9.

Figure 9: Position of first discrepancy vs. LED lit time (LED lit time in ms against position). Positions are numbered from right (LSB) to left (MSB).

From this figure we can see that RAK-DEK is clearly comparing DEK bytes from LSB to MSB, because the time increases as the position of the first discrepancy moves to more significant bytes. We can also see a nice linear relationship between the position and the time. Using a linear regression we estimated it to be:

$f(p) = (1.33\,\text{ms})\,p + 307.96\,\text{ms}$

Based on this linear regression we can say that the test of one byte of an electronic key takes approximately 1.3 ms. To verify the correctness of this hypothesis we loaded some random DEKs into RAK-DEK. Then we tried to identify the value at position 1 (position 0 always has the value 0x01). But our implementation did not work. Finally, we found that RAK-DEK compares key bytes from LSB to MSB, but first it checks whether the CRCs are equal. This is probably an optimization to speed up comparison of long byte sequences in case we have their CRCs already precomputed.

Using this information, we can do much better than a brute force attack. We still need to search through the key space, but we can do it byte by byte now: starting from the CRC (at position 8) and then going from position 1 to 5, calculating the value at position 6 in such a way as not to change the resulting CRC. If we see that the system response is delayed by 1.3 ms, we know that we hit the correct value for the current position and we can advance to the next position, until the correct DEK is found. Using this technique and our experience that positions 5 and 6 are zero on all known DEKs, we can estimate the time of a successful attack, in the worst case, as:

$700\,\text{ms} \times 4 \times 2^{8} / 60 \approx 12$ minutes.

5 Conclusion

We have investigated possibilities of timing attacks on RAK-DEK. We identified a timing attack vulnerability exploiting the LED on the touch probe. We are now finishing a functional exploit using the identified vulnerability and investigating its applicability to the more advanced version of this family of access control systems. This attack requires only access to an Arduino compatible device and a photoresistor (cost around 30.00 €). The time needed for this attack is less than 12 minutes.

On the other hand, this attack can easily be mitigated by disconnecting the LED in the touch probe from RAK-DEK. A better solution would be to modify the firmware of RAK-DEK to turn off the LED with the next reset pulse (which is already fixed to 700 ms after the beginning of communication).

This work was supported by VEGA grant 1/0259/13.

References

[1] RYS: Access control and door entry systems. (http://www.rys.sk/html_eng/english.htm) [Online; accessed 8-July-2015].

[2] Ostertág, R.: About security of digital electronic keys. In: ITAT 2013: Information Technologies – Applications and Theory, North Charleston: CreateSpace Independent Publishing Platform (2013) 122–124 ISBN: 978-1490952000.

[3] Maxim Integrated Products, Inc.: Book of iButton standards (application note 937). http://www.maximintegrated.com/en/app-notes/index.mvp/id/937 (2002) [Online; accessed 8-July-2015].

[4] Balogh, R.: Acrob - an educational robotic platform. AT&P Journal Plus 10 (2010) 6–9 ISSN 1336-5010. http://ap.urpi.fei.stuba.sk/balogh/pdf/10ATPplusAcrob.pdf [Online; accessed 8-July-2015].

[5] Arduino: Arduino software. (http://www.arduino.cc/en/main/software) [Online; accessed 8-July-2015].
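
The 64-bit registration number of Section 1.2 (family code, six serial bytes, CRC) can be checked on the reader side as follows. This is an added C example, not code from the paper or from RAK-DEK firmware; the struct, function names and sample bytes are assumptions, and the CRC is the standard Dallas/Maxim 1-Wire CRC-8.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define DS1990R_FAMILY 0x01u   /* family code stated in Section 1.2 */
enum rom_status { ROM_OK = 0, ROM_BAD_CRC, ROM_BAD_FAMILY };

struct rom_id {
    uint8_t family;      /* byte 0, first on the wire */
    uint8_t serial[6];   /* bytes 1..6, least significant byte first */
    uint8_t crc;         /* byte 7, CRC over bytes 0..6 */
};

/* Dallas/Maxim 1-Wire CRC-8: x^8 + x^5 + x^4 + 1, bits processed LSB
 * first (reflected constant 0x8C), initial value 0. */
uint8_t onewire_crc8(const uint8_t *data, size_t len)
{
    uint8_t crc = 0;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int bit = 0; bit < 8; bit++)
            crc = (uint8_t)((crc & 1u) ? (crc >> 1) ^ 0x8Cu : crc >> 1);
    }
    return crc;
}

/* Validate 8 received bytes; fill *out only when the frame is acceptable. */
enum rom_status parse_rom_id(const uint8_t raw[8], struct rom_id *out)
{
    if (onewire_crc8(raw, 7) != raw[7])
        return ROM_BAD_CRC;          /* corrupted transfer or bad frame */
    if (raw[0] != DS1990R_FAMILY)
        return ROM_BAD_FAMILY;       /* valid 1-Wire device, not a DS1990R */
    out->family = raw[0];
    for (int i = 0; i < 6; i++)
        out->serial[i] = raw[1 + i];
    out->crc = raw[7];
    return ROM_OK;
}

int main(void)
{
    /* Constructed sample, not a real key: the CRC byte is computed here. */
    uint8_t raw[8] = { 0x01, 0x37, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00 };
    struct rom_id id;
    raw[7] = onewire_crc8(raw, 7);
    printf("status=%d crc=0x%02X\n", parse_rom_id(raw, &id), raw[7]);
    return 0;
}
```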
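
The comparison order inferred in Section 4 (CRC first, then bytes from LSB to MSB, stopping at the first mismatch) is shown here next to a fixed-work comparison. This is an added C example, not code from the paper or from RAK-DEK firmware; the function names, the byte layout and the sample bytes are assumptions. The fixed-work variant complements the mitigations in Section 5 by making the number of byte tests independent of where the first discrepancy lies.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ROM_LEN 8   /* byte 0 family code, bytes 1..6 serial, byte 7 CRC */

/* Model of the order inferred in Section 4: CRC byte first, then bytes
 * from LSB to MSB, stopping at the first mismatch. *steps counts byte
 * tests; the paper measures about 1.3 ms of LED time per tested byte. */
int match_early_exit(const uint8_t *stored, const uint8_t *rx, unsigned *steps)
{
    *steps = 1;
    if (stored[ROM_LEN - 1] != rx[ROM_LEN - 1])
        return 0;
    for (size_t i = 0; i < ROM_LEN - 1; i++) {
        (*steps)++;
        if (stored[i] != rx[i])
            return 0;                 /* work done depends on the stored key */
    }
    return 1;
}

/* Hardened variant (an assumption of this example, not RYS firmware):
 * every byte is always tested and the differences are OR-ed together,
 * so the work is the same wherever the first mismatch is. */
int match_fixed_work(const uint8_t *stored, const uint8_t *rx, unsigned *steps)
{
    uint8_t diff = 0;
    *steps = 0;
    for (size_t i = 0; i < ROM_LEN; i++) {
        diff |= (uint8_t)(stored[i] ^ rx[i]);
        (*steps)++;
    }
    return diff == 0;
}

int main(void)
{
    /* Constructed bytes; 0xAA only stands in for the CRC byte. */
    const uint8_t stored[ROM_LEN] = {0x01,0x11,0x22,0x33,0x00,0x00,0x00,0xAA};
    const uint8_t rx[ROM_LEN]     = {0x01,0x11,0x22,0x99,0x00,0x00,0x00,0xAA};
    unsigned a, b;
    match_early_exit(stored, rx, &a);
    match_fixed_work(stored, rx, &b);
    printf("early-exit tests=%u fixed-work tests=%u\n", a, b);
    return 0;
}
```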