Wi-Fi HaLow 802.11ah for IoT. 802.11uh-oh?

A new standard for Wi-Fi – 802.11ah or HaLow – aimed at IoT devices was announced on Monday at the CES show in Las Vegas.

We read this with great interest, as it has potential to create open up IoT devices to greater attack.

It offers higher range through use of lower frequencies

WiFi operates in the 2.4 and 5GHz bands. Both of these frequencies are strongly attenuated by anything that gets in their way, so a lot of power is required for good range – a typical WiFi card will transmit at about 100mW.

Legacy products

Many legacy IoT products – thermostats, remote switches, burglar alarms, weather stations etc. – are already in the sub-1GHz ISM band (434/868/915MHz). These lower frequencies allow signals to travel further and more easily through buildings, furniture and trees, giving these devices the edge over 2.4GHz when it comes to range. These devices typically transmit at about 10mW.

Very few of these legacy products are IP enabled though. They rely on simple protocols, designed specifically for that product. There is no way to bridge between the IoT network and the home LAN – at most you can turn the heating on and off, trigger false alarms, or send someone false weather reports.

Segregation, or not…

When you move up to running IP on these networks – as is expected in 802.11ah – you can no longer assume the two networks are segregated. There is talk of 802.11ah functionality being incorporated into home routers themselves, rather than using dedicated gateways as is common today.

This may enable an attacker to bridge between your IoT network and your home network. An example of this is with the Netgear Arlo camera system. This system uses a custom Netgear WiFi access point to allow the cameras to connect to your home network, hopefully segregating the cameras from your home LAN. However, the access point uses a fixed WPA2 key of 123456, allowing an attacker onto the camera network. Some poor choices in the routing can then allow an attacker limited access onto your home network.

Distance as a security feature

802.11ah will significantly improve the distance from which Wi-Fi IoT devices can be attacked from. It may not be necessary to take such bulky RF antennas out on IoT ‘war drives’ any more. It’s also likely to increase the chance that these attacks can allow access onto the rest of the network.

We’ve never considered the limited range of 2.4GHz WiFi as a security feature before, but if 802.11ah means that attackers can get onto your network from hundreds of metres away, this may change.

Low power, less processing, poorer security?

A big driver behind many IoT protocols is to lower power usage. Low power usage implies less processing power, which can lead to corners being cut in security.

So, if HaLow offers lower power usage, the potential for it to support better security than related 802.11 standards is going to be very limited indeed. Will HaLow offer even worse security than current Wi-Fi offerings?

An example of where this has happened is Bluetooth Low Energy (now called Bluetooth Smart). This was designed to be simpler to use, longer range and lower power than regular Bluetooth. However, several big mistakes were made:

1. The specification left enough room for vendors to ship devices in a default insecure state. So the vendors shipped devices with default PIN codes, no encryption and so on.
2. They rolled their own key exchange protocol instead of using an established protocol like DIffie-Hellman. This protocol is insecure, allowing a passive eavesdropper to decrypt communications.

Importantly, it appears that the 802.11ah draft standard only specifies the PHY (physical/RF) and MAC (media access control) layers. This means that the network and transport layers are not part of the specification, leaving the IoT vendors to implement their own – possibly including any security functionality.

Whilst the power usage for implementing security is a tiny part of the power budget on tiny IoT devices, it’s often a large cost in terms of time and money. In the IoT market, which is extremely sensitive to time-to-market, corners will be cut.

Another function to improve range involves the use of relay stations, whereby traffic is relayed over greater distances to a maximum of two hops. Who owns the relay and who has access to your traffic? This depends very much on the implementation – is the relay acting simply as a switch and forwarding packets, or is it doing more?

What improvements would we like to see with Wi-Fi?

Client authentication

One of the most significant problems with earlier Wi-Fi implementations was that clients would connect to any access point with an SSID that they had previously connected to, even if the encryption type was incorrect. Simply add power and capture clients. Man in the Middle attacks are pretty easy at public Wi-Fi hotspots too.

The above issue has been resolved with some newer client operating systems, adding profile validation. However, in most of the Wi-Fi IoT devices we’ve looked into, Evil Twin and MITM attacks are possible. This is usually as a result of cheap & insecure Wi-Fi modules being chosen by the IoT device manufacturer, or being implemented poorly.

Client segregation

With the explosion of IoT device numbers, there are many more connected devices on home and other networks. The potential for ‘stepping stone’ attacks from one IoT device to the next is significant.

They’re all on the same home network, all likely using the same PSK. One insecure IoT device, and the better secured IoT devices on the network might be compromised too.

It would therefore be great to see Wi-Fi client segregation enforced by default in the new standard, with functionality available to open up services when explicitly required. Obviously there is a can of worms there (see UPnP for details!) but done well this could be a huge step forward for IoT and Wi-Fi security.

Conclusion

We don’t see that 802.11ah offers security improvements over existing popular 802.11 standards. If anything, it may make the job of attacking Wi-Fi IoT devices easier.