Wade Trappe,Wenyuan Xu

DOI: https://doi.org/10.7282/t3rj4jw7

2007-01-01

Abstract:Wireless networks are built upon a shared medium that makes it easy for adversaries to conduct radio interference, or jamming attacks, which effectively cause a denial of service (DoS) of either transmission or reception functionalities. These attacks can be easily accomplished by an adversary by either bypassing MAC-layer protocols, or emitting a radio signal targeted at jamming a particular channel. In this thesis, we examine the issue of jamming wireless networks, and sensor networks in particular, by studying both the attack and defense side of the problem. On the attack side, we present four different jamming attack models that can be used by an adversary to disable the operation of a wireless network, and evaluate their effectiveness in terms of how each method affects the ability of a wireless node to send and receive packets. In order to cope with the problem of jamming, we discuss a two-phase strategy involving the diagnosis of the attack, followed by a suitable defense strategy. For detection, we show that single measurement statistics are not enough to reliably classify the presence of a jamming attack, and propose multimodal detection methods. To cope with jamming, we propose a technique, channel surfing, which involves evading the interferer in the spectral domain. Several different channel surfing models are presented, and we evaluate their effectiveness using a testbed of MICA2 motes. Beyond channel surfing, we overview a second defense strategy whereby it is possible to establish a low data rate jamming resistant communication channel by modulating the interarrival times between jammed packets.

Wenyuan Xu,Timothy Wood,Wade Trappe,Yanyong Zhang

DOI: https://doi.org/10.1145/1023646.1023661

2004-01-01

Abstract:Wireless networks are built upon a shared medium that makes it easy for adversaries to launch denial of service (DoS) attacks. One form of denial of service is targeted at preventing sources from communicating. These attacks can be easily accomplished by an adversary by either bypassing MAC-layer protocols, or emitting a radio signal targeted at jamming a particular channel. In this paper we present two strategies that may be employed by wireless devices to evade a MAC/PHY-layer jamming-style wireless denial of service attack. The first strategy, channel surfing, is a form of spectral evasion that involves legitimate wireless devices changing the channel that they are operating on. The second strategy, spatial retreats, is a form of spatial evasion whereby legitimate mobile devices move away from the locality of the DoS emitter. We study both of these strategies for three broad wireless communication scenarios: two-party radio communication, an infrastructured wireless network, and an ad hoc wireless network. We evaluate several of our proposed strategies and protocols through ns-2 simulations and experiments on the Berkeley mote platform.

Zang Li,Wenyuan Xu,Robert D. Miller,Wade Trappe

DOI: https://doi.org/10.1145/1161289.1161297

2006-01-01

Abstract:Although conventional cryptographic security mechanisms are essential to the overall problem of securing wireless networks, these techniques do not directly leverage the unique properties of the wireless domain to address security threats. The properties of the wireless medium are a powerful source of domain-specific information that can complement and enhance traditional security mechanisms. In this paper, we propose to utilize the fact that the radio channel decorre-lates rapidly in space, time and frequency in order to to establish new forms of authentication and confidentiality that operate at the physical layer and can be used to facilitate cross-layer security paradigms. Specifically, for authentication services, we illustrate two channel probing techniques that can be used to verify the authenticity of a transmitter. Similarly, for confidentiality, we examine several strategies for establishing shared secrets/keys between two communicators using the wireless medium. These strategies range from extracting keys from channel state information, to utilizing the channel variability to secretly disseminate keys. We then validate the feasibility of using physical layer techniques for securing wireless systems by presenting results from experiments involving the USRP/GNURadio software defined radio platform.

Mahyar Taj Dini,Volodymyr Sokolov

DOI: https://doi.org/10.5281/zenodo.2528810

2019-02-23

Abstract:This article discusses the available Software Defined Radios (SDRs), compatible software, message formats, and also shows how it is possible to do penetration tests using SDR for Bluetooth Low Energy (BLE) and ZigBee technologies.

Cryptography and Security,Networking and Internet Architecture

Xianghui Cao,Devu Manikantan Shila,Yu Cheng,Zequ Yang,Yang Zhou,Jiming Chen

DOI: https://doi.org/10.1109/jiot.2016.2516102

IF: 10.6

2016-01-01

IEEE Internet of Things Journal

Abstract:ZigBee has been widely recognized as an important enabling technique for Internet of Things (IoT). However, the ZigBee nodes are normally resource-limited, making the network susceptible to a variety of security threats. This paper closely investigates a severe attack on ZigBee networks termed as ghost, which leverages the underlying vulnerabilities of the IEEE 802.15.4 security suites to deplete the energy of the nodes. We show that the impact of ghost is very large and that it can facilitate a variety of threats including denial of service and replay attacks. We highlight that merely deploying a standard suite of advanced security techniques does not necessarily guarantee improved security, but instead might be leveraged by adversaries to cause severe disruption in the network. We propose several recommendations on how to localize and withstand the ghost and other related attacks in ZigBee networks. Extensive simulations are provided to show the impact of the ghost and the performance of the proposed recommendations. Moreover, physical experiments also have been conducted and the observations confirm the severity of the impact by the ghost attack. We believe that the presented work will aid the researchers to improve the security of ZigBee further.

Le Wang,Alexander M. Wyglinski

DOI: https://doi.org/10.1002/wcm.2527

2014-10-01

Wireless Communications and Mobile Computing

Abstract:Abstract Compared with a wired network, a wireless network is not protected by the cable transmission medium. Information is broadcasted over the air and it can be intercepted by anyone within the transmission range. Even though the transmissions could potentially be protected by security authentication mechanisms, malicious users can still intercept the information by mimicking the characteristics of normal user or a legitimate access point. This scenario is referred as a man‐in‐the‐middle (MITM) attack. In the MITM attack, the attackers can bypass the security mechanisms, intercept the unprotected transmission packets, and sniff the information. Because of several vulnerabilities in the IEEE 802.11 protocol, it is difficult to defend against a wireless MITM attack. In this paper, a received signal strength indicator (RSSI)‐based detection mechanism for MITM attacks is proposed. RSSI information is an arbitrary integer that indicates the power level being received by the antenna. The random RSSI values are processed via a sliding window, yielding statistic information about the signal characteristics such as mean and standard deviation profiles. By analyzing those profiles, the detection mechanism can detect if a rogue access point, the key component of an MITM attack, is launched. Our proposed approach has been validated via hardware experimentation using Backtrack 5 tools and MATLAB software suite. Copyright © 2014 John Wiley & Sons, Ltd.

computer science, information systems,telecommunications,engineering, electrical & electronic

Ke Li,Xiangzhan Yu,Hongli Zhang,Longfei Wu,Xiaojiang Du,Paul Ratazzi,Mohsen Guizani

DOI: https://doi.org/10.1109/iccnc.2018.8390381

2018-01-01

Abstract:Software-defined radio (SDR) enables the flexible and efficient use of spectrum, which is a key technology to maintain high quality wireless services in the future. However, the flexibility of SDR brings serious security concerns of malicious attacks to the radio equipment. In this paper, we present a novel defense scheme for SDR to avoid the configuration parameters being tampered by malicious software, even if the operating system is comprised. Three manipulation attacks of radio parameters are considered. We developed a module called Security Monitor which is deployed below the operating system (OS) level and above the hardware level, to monitor and verify the configuration parameters in a timely manner. To demonstrate the effectiveness and efficiency of the proposed security mechanism, we implemented the Security Monitor on Ettus Universal Software Radio Peripheral (USRP) software-defined radio nodes, and evaluated its overhead. The experimental results show that the time overheads to detect the three types of manipulation attacks are 2.9 microsecond, 2.86 microsecond, and 3.4 microsecond, respectively.

Ian Lowe,William J Buchanan,Richard J Macfarlane,Owen Lo

DOI: https://doi.org/10.6025/jnt/2019/10/4/124-155

2020-02-13

Abstract:Bluetooth is a short-range wireless technology that provides audio and data links between personal smartphones and playback devices, such as speakers, headsets and car entertainment systems. Since its introduction in 2001, security researchers have suggested that the protocol is weak, and prone to a variety of attacks against its authentication, link management and encryption schemes. Key researchers in the field have suggested that reliable passive sniffing of Bluetooth traffic would enable the practical application of a range of currently hypothesised attacks. Restricting Bluetooth's frequency hopping behaviour by manipulation of the available channels, in order to make brute force attacks more effective has been a frequently proposed avenue of future research from the literature. This paper has evaluated the proposed approach in a series of experiments using the software defined radio tools and custom hardware developed by the Ubertooth project. The work concludes that the mechanism suggested by previous researchers may not deliver the proposed improvements, but describes an as yet undocumented interaction between Bluetooth and Wi-Fi technologies which may provide a Denial of Service attack mechanism.

Cryptography and Security

Mingrui Ai,Kaiping Xue,Bo Luo,Lutong Chen,Nenghai Yu,Qibin Sun,Feng Wu

DOI: https://doi.org/10.1145/3548606.3560668

2022-01-01

Abstract:ABSTRACTBluetooth is a short-range wireless communication technology widely used by billions of personal computing, IoT, peripheral, and wearable devices. Bluetooth devices exchange commands and data, such as keyboard/mouse inputs, audio, and files, through a secure communication channel that is established through a pairing process. Due to the sensitivity of those commands and data, security mechanisms, such as encryption, authentication, and authorization, have been developed and adopted in the standards. Nevertheless, vulnerabilities continue to be discovered. In the literature, few successful attacks against the Bluetooth connection establishment stage have been reported. Many attacks simply assume that connections are already established or use a compromised agent, e.g, a malicious app or a careless user, to initialize the connection. We argue that such assumptions are strong and impractical. A stealthily established connection is a critical starting point for any practical attack against Bluetooth devices. In this paper, we demonstrate that the Bluetooth Specification contains a series of vulnerabilities that will enable an attacker to impersonate a Bluetooth device and successfully establish a connection with a victim device. The entire process does not require any involvement of the device owner/user or any malicious app on the victim device. The attacker could further escalate permissions by switching Bluetooth profiles to retrieve sensitive information from the victim device and inject arbitrary commands. We name our new attack as the Blacktooth Attack. To demonstrate the effectiveness and practicality of the Blacktooth attack, we evaluate it against 21 different Bluetooth devices with diverse manufacturers and operating systems, and all major Bluetooth versions. We show that the newly proposed attack is successful on all victim devices.

Wahhab Albazrqaoe,Jun Huang,Guoliang Xing

DOI: https://doi.org/10.1109/tnet.2018.2880970

2019-01-01

IEEE/ACM Transactions on Networking

Abstract:With the prevalence of personal Bluetooth devices, potential breach of user privacy has been an increasing concern. To date, sniffing Bluetooth traffic has been widely considered an extremely intricate task due to Bluetooth's indiscoverable mode, vendor-dependent adaptive hopping behavior, and the interference in the open 2.4 GHz band. In this paper, we present BlueEar-a practical Bluetooth traffic sniffer. BlueEar features a novel dual-radio architecture where two Bluetooth-compliant radios coordinate with each other on learning the hopping sequence of indiscoverable Bluetooth networks, predicting adaptive hopping behavior, and mitigating the impacts of RF interference. We built a prototype of BlueEar to sniff on Bluetooth classic traffic. Experiment results show that BlueEar can maintain a packet capture rate higher than 90% consistently in real-world environments, where the target Bluetooth network exhibits diverse hopping behaviors in the presence of dynamic interference from coexisting 802.11 devices. In addition, we discuss the privacy implications of the BlueEar system, and present a practical countermeasure that effectively reduces the packet capture rate of the sniffer to 20%. The proposed countermeasure can be easily implemented on Bluetooth master devices while requiring no modification to slave devices such as keyboards and headsets.

Paul Staat,Kai Jansen,Christian Zenger,Harald Elders-Boll,Christof Paar

DOI: https://doi.org/10.48550/arXiv.2202.06554

2022-04-04

Abstract:Today, we use smartphones as multi-purpose devices that communicate with their environment to implement context-aware services, including asset tracking, indoor localization, contact tracing, or access control. As a de-facto standard, Bluetooth is available in virtually every smartphone to provide short-range wireless communication. Importantly, many Bluetooth-driven applications such as Phone as a Key (PaaK) for vehicles and buildings require proximity of legitimate devices, which must be protected against unauthorized access. In earlier access control systems, attackers were able to violate proximity-verification through relay station attacks. However, the vulnerability of Bluetooth against such attacks was yet unclear as existing relay attack strategies are not applicable or can be defeated through wireless distance measurement. In this paper, we design and implement an analog physical-layer relay attack based on low-cost off-the-shelf radio hardware to simultaneously increase the wireless communication range and manipulate distance measurements. Using our setup, we successfully demonstrate relay attacks against Bluetooth-based access control of a car and a smart lock. Further, we show that our attack can arbitrarily manipulate Multi-Carrier Phase-based Ranging (MCPR) while relaying signals over 90 m.

Cryptography and Security

Pei Cao,Chi Zhang,Xiang-Jun Lu,Hai-Ning Lu,Da-Wu Gu

DOI: https://doi.org/10.1007/s11390-022-1229-3

IF: 1.871

2023-01-01

Journal of Computer Science and Technology

Abstract:In the era of the Internet of Things, Bluetooth low energy (BLE/BTLE) plays an important role as a well-known wireless communication technology. While the security and privacy of BLE have been analyzed and fixed several times, the threat of side-channel attacks to BLE devices is still not well understood. In this work, we highlight a side-channel threat to the re-keying protocol of BLE. This protocol uses a fixed long term key for generating session keys, and the leakage of the long term key could render the encryption of all the following (and previous) connections useless. Our attack exploits the side-channel leakage of the re-keying protocol when it is implemented on embedded devices. In particular, we present successful correlation electromagnetic analysis and deep learning based profiled analysis that recover long term keys of BLE devices. We evaluate our attack on an ARM Cortex-M4 processor (Nordic Semiconductor nRF52840) running Nimble, a popular open-source BLE stack. Our results demonstrate that the long term key can be recovered within only a small amount of electromagnetic traces. Further, we summarize the features and limitations of our attack, and suggest a range of countermeasures to prevent it.

Wahhab Albazrqaoe,Jun Huang,Guoliang Xing

DOI: https://doi.org/10.1145/2906388.2906403

2016-01-01

Abstract:With the prevalence of personal Bluetooth devices, potential breach of user privacy has been an increasing concern. To date, sniffing Bluetooth traffic has been widely considered an extremely intricate task due to Bluetooth's indiscoverable mode, vendor-dependent adaptive hopping behavior, and the interference in the open 2.4 GHz band. In this paper, we present BlueEar -a practical Bluetooth traffic sniffer. BlueEar features a novel dual-radio architecture where two Bluetooth-compliant radios coordinate with each other on learning the hopping sequence of indiscoverable Bluetooth networks, predicting adaptive hopping behavior, and mitigating the impacts of RF interference. Experiment results show that BlueEar can maintain a packet capture rate higher than 90% consistently in real-world environments, where the target Bluetooth network exhibits diverse hopping behaviors in the presence of dynamic interference from coexisting Wi-Fi devices. In addition, we discuss the privacy implications of the BlueEar system, and present a practical countermeasure that effectively reduces the packet capture rate of the sniffer to 20%. The proposed countermeasure can be easily implemented on the Bluetooth master device while requiring no modification to slave devices like keyboards and headsets.

Devu Manikantan Shila,Xianghui Cao,Yu Cheng,Zequ Yang,Yang Zhou,Jiming Chen

DOI: https://doi.org/10.48550/arXiv.1410.1613

2014-10-07

Abstract:ZigBee has been recently drawing a lot of attention as a promising solution for ubiquitous computing. The ZigBee devices are normally resource-limited, making the network susceptible to a variety of security threats. This paper presents a severe attack on ZigBee networks termed as ghost, which leverages the underlying vulnerabilities of the IEEE 802.15.4 security suites to deplete the energy of the devices. We manifest that the impact of ghost is severe as it can reduce the lifetime of devices from years to days and facilitate a variety of threats including denial of service and replay attacks. We highlight that merely deploying a standard suite of advanced security techniques does not necessarily guarantee improved security, but instead might be leveraged by adversaries to cause severe disruption in the network. We propose several recommendations on how to localize and withstand the ghost and other related attacks in ZigBee networks. Extensive simulations are provided to show the impact of the ghost and the performance of the proposed recommendations. Moreover, physical experiments also have been conducted and the observations confirm the severity of the impact by the ghost attack. We believe that the presented work will aid the researchers to improve the security of ZigBee further.

Cryptography and Security,Networking and Internet Architecture

Ying Ju,Yanzi Zhu,Hui-Ming Wang,Qingqi Pei,Haitao Zheng

DOI: https://doi.org/10.1109/jsyst.2020.2976852

IF: 4.802

2020-12-01

IEEE Systems Journal

Abstract:Millimeter wave (mmWave) frequency band is a promising candidate for 5G wireless networks. In theory the communication is more secure, thanks to the narrow and directional beams of mmWave systems, but eavesdropping may still happen. Physical layer defenses for mmWave systems have raised lots of attentions recently, yet the practicality of these designs remains in question. In this article, we perform extensive experiments using commercial testbed and investigate practical secure transmission schemes for mmWave communication systems. We provide the first empirical results that demonstrate the severity of sidelobe eavesdropping in mmWave systems. We show that eavesdropping attacks on mmWave links are highly effective in both indoor and outdoor settings. We then analyze the practicality and vulnerability of existing defenses. We find that existing defenses either impose impractical hardware requirements, or remain vulnerable against multiple colluding eavesdroppers. Finally, we propose the artificial noise hopping (ANH), a practical secure transmission scheme that introduces minimal hardware complexity in hybrid beamforming. Our approach does not need symbol-level beam steering, and we only require two radio frequency chains. From both experimental and simulation results, we show that ANH can effectively reduce the hardware cost while maintaining comparable level of security with traditional hybrid beamforming schemes.

computer science, information systems,telecommunications,engineering, electrical & electronic,operations research & management science

Smone Soderi

DOI: https://doi.org/10.1007/978-3-030-34833-5_20

2024-04-25

Abstract:Wireless communications among wearable and implantable devices implement the information exchange around the human body. Wireless body area network (WBAN) technology enables non-invasive applications in our daily lives. Wireless connected devices improve the quality of many services, and they make procedures easier. On the other hand, they open up large attack surfaces and introduces potential security vulnerabilities. Bluetooth low energy (BLE) is a low-power protocol widely used in wireless personal area networks (WPANs). This paper analyzes the security vulnerabilities of a BLE heart-rate sensor. By observing the received signal strength indicator (RSSI) variations, it is possible to detect anomalies in the BLE connection. The case-study shows that an attacker can easily intercept and manipulate the data transmitted between the mobile app and the BLE device. With this research, the author would raise awareness about the security of the heart-rate information that we can receive from our wireless body sensors.

Cryptography and Security,Computers and Society,Networking and Internet Architecture

Menglin Wei,Hanting Zhao,Vincenzo Galdi,Lianlin Li,Tie Jun Cui

DOI: https://doi.org/10.21203/rs.3.rs-1857836/v1

2022-01-01

Abstract:Abstract Information security is of paramount importance in the modern society, and it is crucial that communication systems are conceived and implemented in order to be inherently resilient in this respect. In current wireless communication systems, some of the most sophisticated attack strategies aim at the physical layer, i.e., at the electromagnetic wave signal carrying the information, but the implied physical interaction with the target inherently leaves traces in the physical environment, which render these attacks typically detectable. However, this may not be the case for future (the 6th generation and beyond) wireless networks, whose current vision relies on the concept of “smart radio environment”, empowered by suitably engineering reflecting devices (also called as metasurfaces) that can manipulate the wave signals in unconventional fashions (e.g., non-specular reflections) and that can be reconfigured at will. These metasurface elements, which should be pervasively deployed and suitably disguised in the indoor and outdoor environment, potentially introduce new vulnerabilities to the physical-layer attacks that should be fully understood and addressed. To this aim, here, we put forward the concept of smart wireless attacks at the physical layer by exploiting the unique capabilities of programmable metasurfaces in the joint manipulations of radio waves and digital information in a wireless scenario. Specifically, we illustrate both passive and active operational modes. In the passive mode, an attacker is capable of eavesdropping and breaking the target wireless information transfer by controlling the programmable metasurface, without radiating any signal actively. In the active mode, an attacker can not only eavesdrop but also furtively falsify the target wireless communications by sending some deceptive information to the target. In both operational modes, the detectability of the attacker can be minimized. As a proof of concept, we design and realize an attacker prototype working in the Wi-Fi band around 2.4GHz, and demonstrate experimentally its ability to hack wireless data streams. Our results raise awareness on the new types of security threats and challenges that the next-generation wireless networks will likely have to face, and indicate that suitable mitigation strategies and specific security protocols need to be conceived and developed at the present stage, while the smart-radio-environment concept is still in its infancy.

Paul Staat,Harald Elders-Boll,Markus Heinrichs,Christian Zenger,Christof Paar

DOI: https://doi.org/10.48550/arXiv.2107.01709

2021-08-03

Abstract:The intelligent reflecting surface (IRS) is a promising new paradigm in wireless communications for meeting the growing connectivity demands in next-generation mobile networks. IRS, also known as software-controlled metasurfaces, consist of an array of adjustable radio wave reflectors, enabling smart radio environments, e.g., for enhancing the signal-to-noise ratio (SNR) and spatial diversity of wireless channels. Research on IRS to date has been largely focused on constructive applications. In this work, we demonstrate for the first time that the IRS provides a practical low-cost toolkit for attackers to easily perform complex signal manipulation attacks on the physical layer in real time. We introduce the environment reconfiguration attack (ERA) as a novel class of jamming attacks in wireless radio networks. Here, an adversary leverages the IRS to rapidly vary the electromagnetic propagation environment to disturb legitimate receivers. The IRS gives the adversary a key advantage over traditional jamming: It no longer has to actively emit jamming signals, instead the IRS reflects existing legitimate signals. In addition, the adversary doesn't need any knowledge about the legitimate channel. We thoroughly investigate the ERA in wireless systems based on the widely employed orthogonal frequency division multiplexing (OFDM) modulation. We present insights into the attack through analytical analysis, simulations, as well as experiments. Our results show that the ERA allows to severely degrade the available data rates even with reasonably small IRS sizes. Finally, we implement an attacker setup and demonstrate a practical ERA to slow down an entire Wi-Fi network.

Cryptography and Security

Zhiqing Luo,Wei Wang,Qianyi Huang,Tao Jiang,Qian Zhang

DOI: https://doi.org/10.1109/tmc.2021.3084754

IF: 6.075

2021-01-01

IEEE Transactions on Mobile Computing

Abstract:The low-power radio technologies open up many opportunities to facilitate Internet-of-Things (IoT) into our daily life, while their minimalist design also makes IoT devices vulnerable to many active attacks. Recent advances use an antenna array to extract fine-grained physical-layer signatures to identify the attackers, which adds burdens in terms of energy and hardware cost to IoT devices. In this paper, we present ShieldScatter, a lightweight system that attaches low-cost tags to single-antenna devices to shield the system from active attacks. The key insight of ShieldScatter is to intentionally create multi-path propagation signatures with the careful deployment of tags. These signatures can be used to construct a sensitive profile to identify the location of the signals' arrival, and thus detect the threat. In addition, we also design a tag-random scheme and a multiple receivers combination approach to detect a powerful attacker who has the strong priori knowledge of the legitimate user. We prototype ShieldScatter with USRPs and tags to evaluate our system in various environments. The results show that even when the powerful attacker is close to the legitimate device, ShieldScatter can mitigate 95 percent of attack attempts while triggering false alarms on just 7 percent of legitimate traffic.

computer science, information systems,telecommunications

Muhammed Ali Yurdagul,Husrev Taha Sencar

DOI: https://doi.org/10.48550/arXiv.2103.16235

2021-03-30

Abstract:Bluetooth Low Energy (BLE) has become one of the most popular wireless communication protocols and is used in billions of smart devices. Despite several security features, the hardware and software limitations of these devices makes them vulnerable to man-in-the-middle (MITM) attacks. Due to the use of these devices in increasingly diverse and safety-critical applications, the capability to detect MITM attacks has become more critical. To address this challenge, we propose the use of the response time behavior of a BLE device observed in relation to select read and write operations and introduce an activeMITM attack detection system that identifies changes in response time. Our measurements on several BLE devices show that theirresponse time behavior exhibits very high regularity, making it a very reliable attack indicator that cannot be concealed by an attacker. Test results show that our system can very accurately and quickly detect MITM attacks while requiring a simple learning approach.

Cryptography and Security