[Cryptography] Simple IoT sensor encryption ?

Henry Baker hbaker1 at pipeline.com
Fri Apr 15 13:50:49 EDT 2016


At 10:26 AM 4/15/2016, Andrew Donoho wrote:
>> On Apr 15, 2016, at 12:05 , Henry Baker <hbaker1 at pipeline.com> wrote:
>> 
>> Let's take a totally trivial wireless application: a sports heart rate transmitter strap.  (There are lots of other applications, including audio & video, but let's focus on a much simpler, much less resource intensive application to start with.)
>
>        If this is a gedanken experiment on how minimal you can make your IoT sensor, then this is a great discussion to have.
>
>        That said, the sports scenario you described is currently being pragmatically solved by Bluetooth LE.  For some folks, Bluetooth LE does not provide enough security.  Hence, they run secure protocols over both Bluetooth and Wi-Fi.  To see this in action, try snooping both an Apple Watch and an Android powered Watch.  I'm told that one uses more security on the airwaves than the other.
>
>        Returning to your gedanken experiment, the only thing I think you need to add is a device identifier of some sort.  I would imagine a permanent in device random number encrypted along with the sensor data would be sufficient.

Yes, this discussion is primarily a gedanken experiment.

Bluetooth LE is -- as usual for anything that comes out of a standards committee -- a complete disaster.  A few years ago you could still get published exposing BLE hacks, but it's too easy, so people stopped caring and stopped publishing.

The major problem with Bluetooth (of any ilk) is that they need *proprietary* protocols so that they can charge $$$ for putting their damn logo on the device.  In order to have their own patented proprietary protocols, they have to put in something different -- even if it isn't as good as something in the public domain.

(Talk to the ANT folks -- now part of Garmin? -- up in Canada if you want to really understand what's going on with BLE.)

Since I really don't want my HR transmitter strap to be received by my auto radio -- or any random hacker -- I'd rather not use the crufty BLE protocol.

I'd love to be able to hack my own HR belt & HR wrist monitor to install my own protocols, but so far, no one has open-sourced these things.



More information about the cryptography mailing list