Dezhang Kong,Zhengyan Zhou,Yi Shen,Xiang Chen,Qiumei Cheng,Dong Zhang,Chunming Wu

DOI: https://doi.org/10.1109/IWQoS57198.2023.10188809

2023-01-01

Abstract:In-band Network Telemetry (INT) is a widely used monitoring framework in modern large-scale networks that provides fine-grained visibility into network conditions by inserting telemetry data into packets. However, this mechanism also introduces new vulnerabilities that malicious attackers can exploit. In this paper, we present four In-band Network Telemetry Manipulation Attacks that take advantage of INT's weakness, demonstrating that attackers can cause severe damage with little effort by manipulating INT packets. To address this issue, we design SecureINT, a novel INT prototype that ensures confidentiality and integrity for INT packets. To meet the stringent computational requirements of programmable switches, we comprehensively analyze possible attacks on the deployed encryption/hash algorithms and modify them accordingly without compromising their security. According to the experiments, SecureINT can be deployed on programmable switches using a single pipeline, providing encryption and integrity verification for INT packets with minimal overhead.

Zihao Dan,Fengchen Yang,Kaikai Pan,Chen Yan,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/ei256261.2022.10116254

2022-01-01

Abstract:With the rapid development of distributed generation(DG), the penetration rate of photovoltaics(PVs) in the power grid continues to increase. Therefore, various security issues faced by PV inverters have also become a major challenge to ensure the stability of the power grid.Due to the complex and open environment of PVs, attackers are more likely to access key devices such as grid-tied inverters, thereby causing damage to the entire power grid. Taking advantage of the above characteristics, this paper proposes a novel electromagnetic interference(EMI) attack against inverters, instead of cyber attacks that have been explored well in many other research works. It injects a bias signal into the PV inverter sensor through EMI, so as to change the sensor value finally transmitted to the controller. An attacker can tamper with the sensor value in this way. This paper also analyzes the vulnerability in the inverter control algorithm, and exploits the vulnerability to cause damage to the inverter through EMI attacks.The attack was verified on a commercial inverter from Texas Instruments. We present the induced DC voltage offset corresponding to different EMI frequencies of different sensors to demonstrate that EMI attacks can independently control different sensors on the inverter. In addition, we also analyze the inverter control algorithm and the possible consequences of attacks, further evaluate the consequences of the attack through simulations (we do simulations instead of real device tests to ensure safety). And the results show that this novel attack can shut down/burn the PV inverter.

Haoxiang Zhang,Qinhong Jiang,Yushi Cheng,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/ei256261.2022.10116648

2022-01-01

Abstract:Infrared thermal imaging camera can be used to measure the temperature of the target object or detect the existence of the object by generating the thermal image of the object, thus it is widely used in the military and civil fields, and plays a key role in human daily life. As the core module of the infrared thermal imaging camera, the infrared thermal imaging sensor is an indispensable part of the infrared thermal imaging camera. Infrared thermal imaging cameras rely on infrared thermal imaging sensors to measure temperature and perform thermal imaging. If the infrared thermal imaging sensor detects the temperature wrong, there will be serious consequences of delaying the military situation in the military, and will seriously affect the production and life of the society in the civilian field. In this work, it is demonstrated that intentional electromagnetic interference can affect the communication process of the infrared thermal imaging sensor MLX90640. The data transmission line between MLX90640 and MCU can be tampered with through intentional electromagnetic interference attacks, which eventually lead to temperature numerical errors and abnormal infrared thermal image display.

Yan Long,Qinhong Jiang,Chen Yan,Tobias Alam,Xiaoyu Ji,Wenyuan Xu,Kevin Fu

DOI: https://doi.org/10.14722/ndss.2024.24552

2024-01-01

Abstract:IoT devices and other embedded systems are increasingly equipped with cameras that can sense critical information in private spaces.The data security of these cameras, however, has hardly been scrutinized from the hardware design perspective.Our paper presents the first attempt to analyze the attack surface of physical-channel eavesdropping on embedded cameras.We characterize EM Eye-a vulnerability in the digital image data transmission interface that allows adversaries to reconstruct high-quality image streams from the cameras' unintentional electromagnetic emissions, even from over 2 meters away in many cases.Our evaluations of 4 popular IoT camera development platforms and 12 commercial off-the-shelf devices with cameras show that EM Eye poses threats to a wide range of devices, from smartphones to dash cams and home security cameras.By exploiting this vulnerability, adversaries may be able to visually spy on private activities in an enclosed room from the other side of a wall.We provide root cause analysis and modeling that enable system defenders to identify and simulate mitigation against this vulnerability, such as improving embedded cameras' data transmission protocols with minimum costs.We further discuss EM Eye's relationship with known computer display eavesdropping attacks to reveal the gaps that need to be addressed to protect the data confidentiality of sensing systems.

Yan Jiang,Xiaoyu Ji,Kai Wang,Chen Yan,Richard Mitev,Ahmad-Reza Sadeghi,Wenyuan Xu

DOI: https://doi.org/10.1109/sp46214.2022.9833740

2022-01-01

Abstract:The security of capacitive touchscreens is crucial since they have become the primary human-machine interface on smart devices. To the best of our knowledge, this paper presents WIGHT, the first wired attack that creates ghost touches on capacitive touchscreens via charging cables, and can manipulate the victim devices with undesired consequences, e.g., allowing malicious Bluetooth connections, accepting files with viruses, etc. Our study calls for attention to a new threat vector against touchscreens that only requires connecting to a malicious charging port, which could be a public charging station, and is effective across various power adapters and even USB data blockers. Despite the fact that smartphones employ abundant noise reduction and voltage management techniques, we manage to inject carefully crafted signals that can induce ghost touches within a chosen range. The underlying principle is to inject common-mode noises over the power line to avoid being effectively filtered yet affect the touch measurement mechanism, and synchronize the malicious noise with the screen measurement scanning cycles to place the ghost touches at target locations. We achieve three types of attacks: injection attacks that create ghost touches without users touching the screen, alteration attacks that change the detected legitimate touch position, and Denial-of-Service attacks that prevent the device from identifying legitimate touches. Our evaluation on 6 smartphones, 1 tablet, 2 standalone touchscreen panels, 6 power adapters, and 13 charging cables demonstrates the feasibility of all three type attacks.

Xianghui Cao,Devu Manikantan Shila,Yu Cheng,Zequ Yang,Yang Zhou,Jiming Chen

DOI: https://doi.org/10.1109/jiot.2016.2516102

IF: 10.6

2016-01-01

IEEE Internet of Things Journal

Abstract:ZigBee has been widely recognized as an important enabling technique for Internet of Things (IoT). However, the ZigBee nodes are normally resource-limited, making the network susceptible to a variety of security threats. This paper closely investigates a severe attack on ZigBee networks termed as ghost, which leverages the underlying vulnerabilities of the IEEE 802.15.4 security suites to deplete the energy of the nodes. We show that the impact of ghost is very large and that it can facilitate a variety of threats including denial of service and replay attacks. We highlight that merely deploying a standard suite of advanced security techniques does not necessarily guarantee improved security, but instead might be leveraged by adversaries to cause severe disruption in the network. We propose several recommendations on how to localize and withstand the ghost and other related attacks in ZigBee networks. Extensive simulations are provided to show the impact of the ghost and the performance of the proposed recommendations. Moreover, physical experiments also have been conducted and the observations confirm the severity of the impact by the ghost attack. We believe that the presented work will aid the researchers to improve the security of ZigBee further.

Xiaoyu Ji,Chaohao Li,Xinyan Zhou,Juchuan Zhang,Yanmiao Zhang,Wenyuan Xu

DOI: https://doi.org/10.1145/3399432

2020-01-01

ACM Transactions on Internet of Things

Abstract:Nowadays, most Internet of Things devices in smart homes rely on radio frequency channels for communication, making them exposed to various attacks such as spoofing and eavesdropping attacks. Existing methods using encryption keys may be inapplicable on these resource-constrained devices that cannot afford the computationally expensive encryption operations. Thus, in this article, we design a key-free communication method for such devices in a smart home. In particular, we introduce the Home-limited Channel (HLC) that can be accessed only within a house yet inaccessible for outside-house attackers. Utilizing HLCs, we propose HlcAuth, a challenge-response mechanism to authenticate the communications between smart devices without keys. The advantages of HlcAuth are low cost, lightweight as well as key-free, and requiring no human intervention. According to the security analysis, HlcAuth can defeat replay attacks, message-forgery attacks, and man-in-the-middle (MiTM) attacks, among others. We further evaluate HlcAuth in four different physical scenarios, and results show that HlcAuth achieves 100% true positive rate (TPR) within 4.2m for in-house devices while 0% false positive rate (FPR) for outside attackers, i.e., guaranteeing a high-level usability and security for in-house communications. Finally, we implement HlcAuth in both single-room and multi-room scenarios.

Qinhong Jiang,Yanze Ren,Yan Long,Chen Yan,Yumai Sun,Xiaoyu Ji,Kevin Fu,Wenyuan Xu

DOI: https://doi.org/10.14722/ndss.2024.23015

2024-01-01

Abstract:Keyboards are the primary peripheral input devices for various critical computer application scenarios.This paper performs a security analysis of the keyboard sensing mechanisms and uncovers a new class of vulnerabilities that can be exploited to induce phantom keys-fake keystrokes injected into keyboards' analog circuits in a contactless way using electromagnetic interference (EMI).Besides regular keystrokes, such phantom keys also include keystrokes that human operators cannot achieve, such as rapidly injecting over 10,000 keys per minute and injecting hidden keys that do not exist on the physical keyboard.The underlying principles of phantom key injections consist in inducing false voltages on keyboard sensing GPIO pins through EMI coupled onto matrix circuits.We investigate the voltage and timing requirements of injection signals both theoretically and empirically to establish the theory of phantom key injection.To validate the threat of keyboard sensing vulnerabilities, we design GhostType that can cause denial-of-service of the keyboard and inject random keystrokes as well as certain targeted keystrokes of the adversary's choice.We have validated GhostType on 48 of 50 off-the-shelf keyboards/keypads from 20 brands, including both membrane/mechanical structures and USB/Bluetooth protocols.Some example consequences of GhostType include completely blocking keyboard operations, crashing and turning off downstream computers, and deleting computer files.Finally, we glean lessons from our investigations and propose countermeasures, including shielding keyboards with metal materials and enhancing the keystroke sensing mechanism.

Yan Jiang,Xiaoyu Ji,Kai Wang,Chen Yan,Richard Mitev,Ahmad-Reza Sadeghi,Wenyuan Xu

DOI: https://doi.org/10.1109/tdsc.2023.3326181

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:The security of capacitive touchscreens is crucial since they have become the primary human-machine interface on smart devices. This paper presents Marionette , the first wired attack that creates ghost touches on capacitive touchscreens via charging cables and can manipulate the victim's devices with undesired consequences, e.g., establishing malicious Bluetooth connections. Our study provides a new threat vector against touchscreens that only requires connecting to a malicious charging port, which could be a public charging station, and is effective across various USB data blockers and power adapters. Despite the fact that smartphones employ abundant noise reduction and voltage management techniques, we manage to inject carefully crafted signals that can induce ghost touches within a chosen range. The underlying principle is to inject common-mode noises over the power line to avoid being effectively filtered yet affecting the touch measurement mechanism and synchronize the malicious noise with the screen measurement scanning cycles to place the ghost touches at target locations. We achieve three types of attacks, i.e., injection, alteration, and Denial-of-Service, and the evaluation of 12 commercial electronics, 6 power adapters, and 13 charging cables demonstrate the feasibility of Marionette .

Youqian Zhang,Kasper Rasmussen

DOI: https://doi.org/10.48550/arXiv.2208.00343

2022-07-31

Abstract:Differential signaling is a method of data transmission that uses two complementary electrical signals to encode information. This allows a receiver to reject any noise by looking at the difference between the two signals, assuming the noise affects both signals in the same way. Many protocols such as USB, Ethernet, and HDMI use differential signaling to achieve a robust communication channel in a noisy environment. This generally works well and has led many to believe that it is infeasible to remotely inject attacking signals into such a differential pair. In this paper we challenge this assumption and show that an adversary can in fact inject malicious signals from a distance, purely using common-mode injection, i.e., injecting into both wires at the same time. We show how this allows an attacker to inject bits or even arbitrary messages into a communication line. Such an attack is a significant threat to many applications, from home security and privacy to automotive systems, critical infrastructure, or implantable medical devices; in which incorrect data or unauthorized control could cause significant damage, or even fatal accidents. We show in detail the principles of how an electromagnetic signal can bypass the noise rejection of differential signaling, and eventually result in incorrect bits in the receiver. We show how an attacker can exploit this to achieve a successful injection of an arbitrary bit, and we analyze the success rate of injecting longer arbitrary messages. We demonstrate the attack on a real system and show that the success rate can reach as high as $90\%$. Finally, we present a case study where we wirelessly inject a message into a Controller Area Network (CAN) bus, which is a differential signaling bus protocol used in many critical applications, including the automotive and aviation sector.

Cryptography and Security,Signal Processing

Haoqi Shan,Boyi Zhang,Zihao Zhan,Dean Sullivan,Shuo Wang,Yier Jin

DOI: https://doi.org/10.1109/SP46214.2022.9833718

2024-02-04

Abstract:Touchscreen-based electronic devices such as smart phones and smart tablets are widely used in our daily life. While the security of electronic devices have been heavily investigated recently, the resilience of touchscreens against various attacks has yet to be thoroughly investigated. In this paper, for the first time, we show that touchscreen-based electronic devices are vulnerable to intentional electromagnetic interference (IEMI) attacks in a systematic way and how to conduct this attack in a practical way. Our contribution lies in not just demonstrating the attack, but also analyzing and quantifying the underlying mechanism allowing the novel IEMI attack on touchscreens in detail. We show how to calculate both the minimum amount of electric field and signal frequency required to induce touchscreen ghost touches. We further analyze our IEMI attack on real touchscreens with different magnitudes, frequencies, duration, and multitouch patterns. The mechanism of controlling the touchscreen-enabled electronic devices with IEMI signals is also elaborated. We design and evaluate an out-of-sight touchscreen locator and touch injection feedback mechanism to assist a practical IEMI attack. Our attack works directly on the touchscreen circuit regardless of the touchscreen scanning mechanism or operating system. Our attack can inject short-tap, long-press, and omni-directional gestures on touchscreens from a distance larger than the average thickness of common tabletops. Compared with the state-of-the-art touchscreen attack, ours can accurately inject different types of touch events without the need for sensing signal synchronization, which makes our attack more robust and practical. In addition, rather than showing a simple proof-of-concept attack, we present and demonstrate the first ready-to-use IEMI based touchscreen attack vector with end-to-end attack scenarios.

Cryptography and Security

Jianwei Liu,Yinghui He,Chaowei Xiao,Jinsong Han,Le Cheng,Kui Ren

DOI: https://doi.org/10.1109/INFOCOM48880.2022.9796920

2022-01-01

Abstract:Behavior recognition plays an essential role in numerous behavior-driven applications (e.g., virtual reality and smart home) and even in the security-critical applications (e.g., security surveillance and elder healthcare). Recently, WiFi-based behavior recognition (WBR) technique stands out among many behavior recognition techniques due to its advantages of being non-intrusive, device-free, and ubiquitous. However, existing WBR research mainly focuses on improving the recognition precision, while neglecting the security aspects. In this paper, we reveal that WBR systems are vulnerable to manipulating physical signals. For instance, our observation shows that WiFi signals can be changed by jamming signals. By exploiting the vulnerability, we propose two approaches to generate physically online adversarial samples to perform untargeted attack and targeted attack, respectively. The effectiveness of these attacks are extensively evaluated over four real-world WBR systems. The experiment results show that our attack approaches can achieve 80% and 60% success rates for untargeted attack and targeted attack in physical world, respectively. We also propose three methods to mitigate the hazard of such attacks.

Pengfei Liu,Yang Liu,Xiangming Wang,Yuanyi Bao,Dong Yang,Wenqing Wang,Tong Wu,Zhuo Lv,Ting Liu

DOI: https://doi.org/10.1109/tii.2022.3198676

IF: 12.3

2023-03-29

IEEE Transactions on Industrial Informatics

Abstract:It is hard to conduct cyberattacks in industrial control systems (ICSs) because most underlying networks of ICS like the field bus network are isolated from the internet. However, attackers can physically connect the intrusive device into the target network to launch various attacks, which bypasses the security protection mechanisms between the ICS and the internet. Currently, no effective measures could defend against such unauthorized physical access attacks. In this article, a reflection-based channel fingerprint is proposed to detect and locate these physically intrusive devices in the field bus network. We theoretically analyze the signal reflection characteristics and utilize inevitable changes in the channel fingerprint to detect the intrusive device. Besides, the detected anomaly features could be used to accurately estimate the intrusive device's location. In the end, the proposed method's effectiveness is validated through extensive simulation experiments.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Zheng Zhou,Weiming Zhang,Nenghai Yu

DOI: https://doi.org/10.48550/arXiv.1801.03218

2018-01-10

Cryptography and Security

Abstract:he technology on infrared remote control is widely applied in human daily life. It is also applied in the place with a top security level. Infrared remote control signal is regarded as a simple, safe and clean resource that can help us control the electrical appliances nearby. In this paper, we build IREXF, a novel infrared optical covert channel from a well-protected air-gapped network via a malicious infrared module implanted previously into a keyboard. A malware preinstalled in the air-gapped PC receives the data from the malicious infrared module to study the infrared surroundings in the air-gapped network. Once a suitable appliance is found, infrared remote control commands will be sent in a proper time. With the development of technology on Internet of Things, more and more electrical appliances can access Internet. Those infrared command signals exfiltrating out of the air-gapped network can be received by an appliance without any malicious configuration. In our experiment, via a smart TV set-top box, the rate of the covert channel can be up to 2.62 bits per second without any further optimization. Finally, we give a list of countermeasures to detect and eliminate this kind of covert channels.

Minchul Kim,Taeweon Suh

DOI: https://doi.org/10.3390/s21248207

2021-12-08

Abstract:Infrared (IR) communication is one of the wireless communication methods mainly used to manipulate consumer electronics devices. Traditional IR devices support only simple operations such as changing TV channels. These days, consumer electronic devices such as smart TV are connected to the internet with the introduction of IoT. Thus, the user's sensitive information such as credit card number and/or personal information could be entered with the IR remote. This situation raises a new problem. Since TV and the set-top box are visual media, these devices can be used to control and/or monitor other IoT devices at home. Therefore, personal information can be exposed to eavesdroppers. In this paper, we experimented with the IR devices' reception sensitivity using remotes. These experiments were performed to measure the IR reception sensitivity in terms of distance and position between the device and the remote. According to our experiments, the transmission distance of the IR remote signal is more than 20 m. The experiments also revealed that curtains do not block infrared rays. Consequently, eavesdropping is possible to steal the user's sensitive information. This paper proposes a simple, practical, and cost-effective countermeasure against eavesdropping, which does not impose any burden on users. Basically, encryption is used to prevent the eavesdropping. The encryption key is created by recycling a timer inside the microcontroller typically integrated in a remote. The key is regenerated whenever the power button on a remote is pressed, providing the limited lifecycle of the key. The evaluation indicates that the XOR-based encryption is practical and effective in terms of the processing time and cost.

Zheng Zhou,Weiming Zhang,Shangbin Li,Nenghai Yu

DOI: https://doi.org/10.1016/j.comnet.2018.11.014

IF: 5.493

2018-01-01

Computer Networks

Abstract:Infrared (IR) remote control technology is widely applied in daily human life. IR remote control signals are a simple, safe and reliable resource that can help to control nearby electrical appliances. With the development of Internet of things (IoT) technology, an increasing number of IoT devices supporting IR remote control access the Internet. In this paper, a malicious IR hardware module (MIRM) is made. The MIRM is implanted into a keyboard in an air-gapped network to control nearby IoT devices to leak sensitive data out. In our attack experiments on a smart TV set-top box, the rate of the covert channel can reach 3.15 bits's. The potential risk that IoT devices can be exploited maliciously to leak sensitive data is revealed. Finally, a list of countermeasures is presented to enhance security of IR remote control and eliminate such covert channels. (C) 2018 Elsevier B.V. All rights reserved.

Devu Manikantan Shila,Xianghui Cao,Yu Cheng,Zequ Yang,Yang Zhou,Jiming Chen

DOI: https://doi.org/10.48550/arXiv.1410.1613

2014-10-07

Abstract:ZigBee has been recently drawing a lot of attention as a promising solution for ubiquitous computing. The ZigBee devices are normally resource-limited, making the network susceptible to a variety of security threats. This paper presents a severe attack on ZigBee networks termed as ghost, which leverages the underlying vulnerabilities of the IEEE 802.15.4 security suites to deplete the energy of the devices. We manifest that the impact of ghost is severe as it can reduce the lifetime of devices from years to days and facilitate a variety of threats including denial of service and replay attacks. We highlight that merely deploying a standard suite of advanced security techniques does not necessarily guarantee improved security, but instead might be leveraged by adversaries to cause severe disruption in the network. We propose several recommendations on how to localize and withstand the ghost and other related attacks in ZigBee networks. Extensive simulations are provided to show the impact of the ghost and the performance of the proposed recommendations. Moreover, physical experiments also have been conducted and the observations confirm the severity of the impact by the ghost attack. We believe that the presented work will aid the researchers to improve the security of ZigBee further.

Cryptography and Security,Networking and Internet Architecture

Pengfei Liu,Yang Liu,Xiangming Wang,Chao Fang,Xiaohong Guan,Ting Liu

DOI: https://doi.org/10.1109/jiot.2021.3126461

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:The development of Industrial Internet of Things has made industrial control systems more vulnerable to cyber attacks. Many defense measures have been proposed to prevent attacks in upper IP-based networks. However, the security of underlying field bus networks has not received enough attention. Adversaries could tap intrusive devices into the field bus network via unauthorized physical access. As adversaries' behaviors could be highly concealed when they are eavesdropping or camouflaging, it is challenging and costly to identify these inactive intrusive devices through the network traffic. However, inevitable changes in channel state caused by intrusive devices could be leveraged to detect unauthorized physical access. This article theoretically proves that the transmitted signal's voltage amplitude would vary after tapping intrusive devices into the field bus network. Leveraging the signal's variation, we propose an unauthorized physical access detection method via fingerprinting the channel state. Specifically, we adopt weak signal processing technologies to recover the signal's weak variation and extract its features for detection. The effectiveness of the proposed detection method is validated based on a real testbed. Moreover, simulation experiments with diverse settings demonstrate that the proposed detection method could successfully detect intrusive devices under different scenarios.

Wenfan Song,Jianwei Liu,Jinsong Han

DOI: https://doi.org/10.1145/3678570

2024-01-01

Abstract:Mouse is a ubiquitous input tool crucial for user-computer interaction in modern society. However, the inherent trust in the mouse may pose security risks. If the mouse is maliciously manipulated, the connected computer could be secretly controlled, endangering personal privacy and property. In this paper, we introduce PuppetMouse, the first intentional electromagnetic interference (IEMI) injection-based attack that can effectively manipulate mouse clicks and movements without physical contact. By adjusting the parameters of IEMI signals, PuppetMouse can precisely control the click side, as well as the movement direction and speed. We demonstrate PuppetMouse's effectiveness on 14 wired and wireless mice from popular brands. The short response delay (within 4 ms) affirms the real-time performance of PuppetMouse. Robustness analysis across different attack distances and material occlusions validate the stability and reliability of PuppetMouse. Two case studies on firewall disabling and malicious WiFi connection further prove the severe threats of PuppetMouse in the real world. We also propose an integrated set of hardware and software-based defensive mechanisms to mitigate the risks posed by PuppetMouse.

Isaac Ahlgren,Jack West,Kyuin Lee,George Thiruvathukal,Neil Klingensmith

2024-03-21

Abstract:Zero Involvement Pairing and Authentication (ZIPA) is a promising technique for autoprovisioning large networks of Internet-of-Things (IoT) devices. In this work, we present the first successful signal injection attack on a ZIPA system. Most existing ZIPA systems assume there is a negligible amount of influence from the unsecured outside space on the secured inside space. In reality, environmental signals do leak from adjacent unsecured spaces and influence the environment of the secured space. Our attack takes advantage of this fact to perform a signal injection attack on the popular Schurmann & Sigg algorithm. The keys generated by the adversary with a signal injection attack at 95 dBA is within the standard error of the legitimate device.

Cryptography and Security