Cryptographic bugs in RF Encryption
What could possibly go wrong?

Introduction
Small system, ridiculous number of cryptographic bugs.
Very popular, recommended by official vendor, +200 forks on GitHub.

01 Predictable IV in CBC
Security requirements?
“In the CBC mode, the IV should be unpredictable but not secret, and differ from message to message. But bro, just use AES-GCM.”
—Someone Famous

02 CBC Padding Oracle attack
“I have a couple of questions...”
Cool padding bro: PKCS#7
“Always use authenticated encryption. AEAD is the best choice.”
—Your friend

03 CTR with fixed nonce
XOR here and there...
“In AES-CTR AND AES-GCM NONCE MUST BE UNIQUE. Though it can be predictable.”
—Interested people

04 Integrity protection
Man vs Universe and Man vs Adversary

CRC-16 (ERROR CORRECTION CODE)        MAC (MESSAGE AUTHENTICATION CODE)
● Too small (16, 32 bits)             ● Military grade 96, 128-bit
● Easy to compute                     ● Requires secret key
● Malleable                           ● Detects any change

Replay attacks
Reusing and Recycling...
In a nutshell: even if data is encrypted, it still can be used to trigger some processing again.

Summary
- Forging fake packets
- Recovering keys and secrets
- DoS
- And a lot more...

01 Use integrity protection
Say no to oracle and malleability attacks!

02 Understand security requirements
Make CTR and GCM nonce unique, CBC IV unpredictable.

03 Use AEAD
AES-GCM or ChaCha-Poly1305 are your friends.

04 Build accurate threat model
And even better, hire someone who can.

05 Educate developers
Even Google has bad examples.
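The "CTR with fixed nonce" slide is the two-time pad problem: with a repeated nonce the keystream cancels out of the XOR of two ciphertexts, which is how "recovering keys and secrets" follows from a single configuration mistake. The following is an added example (not code from the talk or from the RF system it describes). To stay on the standard library it uses an HMAC-SHA256 counter-mode keystream as a stand-in for AES-CTR; the structural property that matters, keystream block i depending only on (key, nonce, i), is the same. The sample payloads are constructed, and `CtrSender` shows the corrected pattern the slide calls for: a nonce that may be predictable but never repeats under one key.

```python
import hmac
import hashlib
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for an AES-CTR keystream (assumption: HMAC-SHA256 in
    counter mode instead of AES so the block runs with the stdlib only).
    As in real CTR, keystream block i is a function of (key, nonce, i),
    so a repeated nonce yields a repeated keystream."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR encryption and decryption are the same XOR operation."""
    return xor_bytes(data, keystream(key, nonce, len(data)))


def observer_leak(c1: bytes, c2: bytes) -> bytes:
    """What a passive listener can compute from two captured ciphertexts
    without the key. Under a reused nonce the keystream cancels and this
    equals p1 XOR p2, so knowing one message reveals the other."""
    return xor_bytes(c1, c2)


def nonce_reuse_leaks_plaintext_xor(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bool:
    """The bug: two messages encrypted under the same (key, nonce)."""
    c1 = ctr_encrypt(key, nonce, p1)
    c2 = ctr_encrypt(key, nonce, p2)
    return observer_leak(c1, c2) == xor_bytes(p1, p2)


def unique_nonce_leaks_plaintext_xor(key: bytes, n1: bytes, n2: bytes, p1: bytes, p2: bytes) -> bool:
    """Same check with distinct nonces: the XOR of ciphertexts is now
    masked by two different keystreams and reveals nothing."""
    c1 = ctr_encrypt(key, n1, p1)
    c2 = ctr_encrypt(key, n2, p2)
    return observer_leak(c1, c2) == xor_bytes(p1, p2)


class CtrSender:
    """Corrected pattern: a per-key message counter is the nonce. It is
    predictable, which is fine for CTR, but it never repeats under one
    key; on exhaustion the sender must rekey rather than wrap around."""
    NONCE_BYTES = 8

    def __init__(self, key: bytes):
        self.key = key
        self.next_counter = 0

    def encrypt(self, plaintext: bytes):
        if self.next_counter >= 1 << (8 * self.NONCE_BYTES):
            raise RuntimeError("nonce space exhausted: rekey before sending more")
        nonce = self.next_counter.to_bytes(self.NONCE_BYTES, "big")
        self.next_counter += 1
        return nonce, ctr_encrypt(self.key, nonce, plaintext)


if __name__ == "__main__":
    key = os.urandom(16)
    p1 = b"temperature=21.5"  # constructed sample telemetry frames
    p2 = b"temperature=99.9"
    print("fixed nonce leaks p1^p2:", nonce_reuse_leaks_plaintext_xor(key, b"\x00" * 8, p1, p2))
    sender = CtrSender(key)
    n1, _ = sender.encrypt(p1)
    n2, _ = sender.encrypt(p2)
    print("counter nonces leak p1^p2:", unique_nonce_leaks_plaintext_xor(key, n1, n2, p1, p2))
```

The counter nonce is the cheap fix; the same rule applies unchanged to AES-GCM, where a repeated nonce additionally exposes the authentication key.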
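The "Integrity protection" comparison says CRC-16 is malleable and a MAC is not. The concrete reason is that a CRC is linear over GF(2): for equal-length inputs, crc(m XOR d) = crc(m) XOR crc(d) XOR crc(zeros), so whoever flips bits in a frame can also compute the matching CRC without the key or even the plaintext, while an HMAC tag cannot be recomputed without the key. The following is an added example (not code from the talk); it uses CRC-16/MODBUS parameters and a constructed `SET_RELAY=0` frame, and truncates HMAC-SHA256 to the 128-bit tag size the slide mentions.

```python
import hmac
import hashlib


def crc16(data: bytes, poly: int = 0xA001, init: int = 0xFFFF) -> int:
    """Bitwise reflected CRC-16 (CRC-16/MODBUS parameters chosen as an
    example; any CRC is linear in the same way)."""
    crc = init
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ poly if crc & 1 else crc >> 1
    return crc & 0xFFFF


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def predicted_crc_after_flip(original_crc: int, delta: bytes) -> int:
    """Linearity: crc(m ^ d) == crc(m) ^ crc(d) ^ crc(00..0). The CRC of
    the modified frame follows from the old CRC and the flipped bits
    alone, with no key and no knowledge of the plaintext."""
    zeros = bytes(len(delta))
    return original_crc ^ crc16(delta) ^ crc16(zeros)


def crc_accepts(frame: bytes, crc: int) -> bool:
    return crc16(frame) == crc


def mac_tag(key: bytes, frame: bytes) -> bytes:
    """128-bit tag: HMAC-SHA256 truncated to 16 bytes."""
    return hmac.new(key, frame, hashlib.sha256).digest()[:16]


def mac_accepts(key: bytes, frame: bytes, tag: bytes) -> bool:
    # constant-time comparison so the check itself is not an oracle
    return hmac.compare_digest(mac_tag(key, frame), tag)


def compare_integrity_checks(key: bytes, frame: bytes, delta: bytes):
    """Apply the same bit flips to a CRC-protected and a MAC-protected
    copy of `frame`. Returns (crc_check_still_passes, mac_check_still_passes):
    the CRC can be fixed up from the outside, the MAC cannot."""
    modified = xor_bytes(frame, delta)
    fixed_crc = predicted_crc_after_flip(crc16(frame), delta)
    crc_ok = crc_accepts(modified, fixed_crc)
    mac_ok = mac_accepts(key, modified, mac_tag(key, frame))
    return crc_ok, mac_ok


if __name__ == "__main__":
    key = b"\x42" * 32                               # constructed demo key
    frame = b"SET_RELAY=0"                           # constructed command frame
    delta = bytes(len(frame) - 1) + b"\x01"          # flips the last byte: '0' -> '1'
    print(xor_bytes(frame, delta), compare_integrity_checks(key, frame, delta))
```

Because CTR mode is itself an XOR, encrypting `frame || crc16(frame)` does not help: the same `delta` applied to the ciphertext flips the same plaintext bits, and the CRC field can be corrected through the encryption by the same linear formula. Only a keyed tag, verified before any processing, closes this.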
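The "Replay attacks" slide makes the point that a captured frame, still perfectly encrypted, can be resent to trigger the same action again. The standard countermeasure is a monotonically increasing counter that is covered by the MAC and tracked by the receiver. The following is an added example (not code from the talk); the packet layout `counter || payload || tag`, the 32-bit counter, the 128-bit truncated HMAC-SHA256 tag and the sample `unlock`/`lock` payloads are all assumptions of this example.

```python
import hmac
import hashlib

TAG_LEN = 16       # 128-bit truncated HMAC-SHA256 tag (assumed layout)
COUNTER_LEN = 4    # 32-bit monotonically increasing message counter


def mac_tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]


def build_packet(key: bytes, counter: int, payload: bytes) -> bytes:
    """Sender side. The tag covers the counter as well as the payload, so
    an old payload cannot be re-stamped with a fresh counter without the key."""
    body = counter.to_bytes(COUNTER_LEN, "big") + payload
    return body + mac_tag(key, body)


class Receiver:
    """Receiver side: verify authenticity first, then freshness.
    Order matters: a forged packet must never be able to move the
    replay window, so the counter is only read after the tag checks out."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1

    def accept(self, packet: bytes):
        """Returns (status, payload); payload is None unless status is 'ok'."""
        if len(packet) < COUNTER_LEN + TAG_LEN:
            return "too short", None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        if not hmac.compare_digest(mac_tag(self.key, body), tag):
            return "bad mac", None
        counter = int.from_bytes(body[:COUNTER_LEN], "big")
        if counter <= self.last_counter:
            return "replay", None          # seen before, or older than the newest
        self.last_counter = counter
        return "ok", body[COUNTER_LEN:]


if __name__ == "__main__":
    key = b"\x01" * 32                      # constructed demo key
    rx = Receiver(key)
    unlock = build_packet(key, 1, b"unlock")
    print(rx.accept(unlock))                # ('ok', b'unlock')
    print(rx.accept(unlock))                # ('replay', None): same frame resent
    print(rx.accept(build_packet(key, 2, b"lock")))
```

A strictly increasing counter drops any frame that arrives out of order; on lossy RF links a sliding window of recently seen counters is the usual refinement, and the counter state (both sides) has to survive a power cycle, otherwise every reboot reopens the replay window.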