696 research outputs found

    A Test Environment for Wireless Hacking in Domestic IoT Scenarios

    Security is gaining importance in the daily life of every citizen. The advent of Internet of Things devices in our lives is changing our conception of being connected through a single device to a multiple connection in which the centre of connection is becoming the devices themselves. This conveys the attack vector for a potential attacker is exponentially increased. This paper presents how the concatenation of several attacks on communication protocols (WiFi, Bluetooth LE, GPS, 433 MHz and NFC) can lead to undesired situations in a domestic environment. A comprehensive analysis of the protocols with the identification of their weaknesses is provided. Some relevant aspects of the whole attacking procedure have been presented to provide some relevant tips and countermeasures. This work has been partially supported by the Spanish Ministry of Science and Innovation through the SecureEDGE project (PID2019-110565RB-I00), and by the Andalusian FEDER 2014-2020 Program through the SAVE project (PY18-3724). // Open Access funding provided thanks to the CRUE-CSIC agreement with Springer Nature. // Funding for open access charge: Universidad de Málaga / CBU

    Embedded software implementation for a real-time positioning system (Sulautettu ohjelmistototeutus reaaliaikaiseen paikannusjärjestelmään)

    Asset tracking often necessitates wireless, radio-frequency identification (RFID). In practice, situations often arise where plain inventory operations are not sufficient, and methods to estimate movement trajectory are needed for making reliable observations, classification and report generation. In this thesis, an embedded software application for an industrial, resource-constrained off-the-shelf RFID reader device in the UHF frequency range is designed and implemented. The software is used to configure the reader and its air-interface operations, accumulate read reports and generate events to be reported over network connections. Integrating location estimation methods into the application makes deploying middleware RFID solutions more streamlined and robust while reducing network bandwidth requirements. The result of this thesis is a functional embedded software application running on top of an embedded Linux distribution on an ARM processor. The reader software is used commercially in industrial and logistics applications. Non-linear state estimation features are applied, and their performance is evaluated in empirical experiments.

    HF RFID tag location using magneto-inductive waves

    Location of passive RFID tags in the HF regime presents significant problems, because of the absence of radiating fields at the low frequencies involved. Here we present a solution for one-dimensional localization based on magneto-inductive (MI) waves. Passive tags are interrogated using a travelling wave antenna based on a MI waveguide, a magnetically coupled array of L−C resonators supporting travelling waves. Load modulation signals generated by the tag during its unique identifier response are coupled into the waveguide and travel to either end with low group velocity. Signal timings are measured by cross-correlation, and the tag position is estimated to the nearest resonant loop from the difference in their arrival times. Correlation detection is demonstrated using a system model, and theoretical predictions are confirmed using an experimental system containing eleven transformer-coupled resonators operating at 13.56 MHz frequency. Accurate localization is obtained up to the tag reading limit using <1 W RF power.

    Realistic chipless RFID: identification and localization

    For mass deployment of RFID systems, cheap and accurate item-level identification and tracking are profoundly needed. Fortunately, unlike conventional chip-based RFID, chipless RFID systems offer low-cost printable tags, holding a better chance to enter the era of penny-cost tags. This dissertation concentrates on solving three challenges in the detection of the chipless tag inside an indoor environment. The first aspect discussed in the thesis is chipless RFID clutter removal techniques. In chipless RFID the environmental clutter response is defined as the signal reflected from the environment that does not interact with the tag. This signal has higher power than the backscattered signal from the tag, rendering the tag signature undetectable. Two algorithms were used to overcome this problem. The first is empty room calibration, which is based on subtracting the measurement with the tag from the one without. The second algorithm is a Rake receiver using a PN sequence; this algorithm requires no pre-measurement calibration. The second aspect is notch detection and identification, which is a critical part of the chipless system. This part is responsible for converting the notches into bits. For effective detection, a windowing operation is proposed, where each window may contain a notch or not. Three novel techniques are implemented to detect the notch. The first is a matched filter, where a reference notch is compared with the incoming signal. The second is window-based singular value decomposition, where a constellation is created to detect not only the existence of a notch but also the bandwidth of the notch. The third notch detection technique is dynamic frequency warping. This technique utilizes non-linear warping to detect the notch and the frequency shifts that occur on the notch. The third aspect discussed in the thesis is tag localization. In this aspect, two algorithms are implemented and explained. The first is trilateration, which requires three different readers. The second localization algorithm exploits received signal strength and angle of arrival to detect the location of the tag accurately. All the algorithms were tested using a real testbed to validate the reliability of the techniques. The measurements were done using fabricated tags in an indoor environment using Software Defined Radio (SDR).

    Design of a secure architecture for the exchange of biomedical information in m-Health scenarios

    The paradigm of m-Health (mobile health) advocates for the massive integration of advanced mobile communications, network and sensor technologies in healthcare applications and systems to foster the deployment of a new, user/patient-centered healthcare model enabling the empowerment of users in the management of their health (e.g. by increasing their health literacy, promoting healthy lifestyles and the prevention of diseases), a better home-based healthcare delivery for elderly and chronic patients and important savings for healthcare systems due to the reduction of hospitalizations in number and duration. It is a fact that many m-Health applications demand high availability of biomedical information from their users (for further accurate analysis, e.g. by fusion of various signals) to guarantee high quality of service, which on the other hand entails increasing the potential surfaces for attacks. Therefore, it is not surprising that security (and privacy) is commonly included among the most important barriers for the success of m-Health. As a non-functional requirement for m-Health applications, security has received less attention than other technical issues that were more pressing at earlier development stages, such as reliability, efficiency, interoperability or usability. Another fact that has contributed to delaying the enforcement of robust security policies is that guaranteeing a certain security level implies costs that can be very relevant and that span different dimensions. These include budgeting (e.g. the demand of extra hardware for user authentication), performance (e.g. lower efficiency and interoperability due to the addition of security elements) and usability (e.g. cumbersome configuration of devices and applications due to security options). Therefore, security solutions that aim to satisfy all the stakeholders in the m-Health context (users/patients, medical staff, technical staff, systems and devices manufacturers, regulators, etc.) shall be robust and, at the same time, minimize their associated costs. This Thesis details a proposal, composed of four interrelated blocks, to integrate appropriate levels of security in m-Health architectures in a cost-efficient manner. The first block designs a global scheme that provides different security and interoperability levels according to how critical the m-Health applications to be implemented are. This consists of three layers tailored to the m-Health domains and their constraints, whose security countermeasures defend against the threats of their associated m-Health applications. Next, the second block addresses the security extension of those standard protocols that enable the acquisition, exchange and/or management of biomedical information (thus, used by many m-Health applications) but do not meet the security levels described in the former scheme. These extensions are materialized for the biomedical standards ISO/IEEE 11073 PHD and SCP-ECG. Then, the third block proposes new ways of enhancing the security of biomedical standards, which are the centerpiece of many clinical m-Health applications, by means of novel codings. Finally the fourth block, which is parallel to the others, selects generic security methods (for user authentication and cryptographic protection) whose integration in the other blocks results optimal, and also develops novel signal-based methods (embedding and keytagging) for strengthening the security of biomedical tests.
    The layer-based extensions of the standards ISO/IEEE 11073 PHD and SCP-ECG can be considered as robust, cost-efficient and respectful of their original features and contents. The former adds no attributes to its data information model, four new frames to the service model (and extends four with new sub-frames), and only one new sub-state to the communication model. Furthermore, a lightweight architecture consisting of a personal health device mounting a 9 MHz processor and an aggregator mounting a 1 GHz processor is enough to transmit a 3-lead electrocardiogram in real-time implementing the top security layer. The extra requirements associated with this extension are an initial configuration of the health device and the aggregator, tokens for identification/authentication of users if these devices are to be shared and the implementation of certain IHE profiles in the aggregator to enable the integration of measurements in healthcare systems. As regards the extension of SCP-ECG, it only adds a new section with selected security elements and syntax in order to protect the rest of the file contents and provide proper role-based access control. The overhead introduced in the protected SCP-ECG is typically 2–13 % of the regular file size, and the extra delays to protect a newly generated SCP-ECG file and to access it for interpretation are respectively 2–10 % and 5 % of the regular delays. As regards the signal-based security techniques developed, the embedding method is the basis for the proposal of a generic coding for tests composed of biomedical signals, periodic measurements and contextual information. This has been adjusted and evaluated with electrocardiogram and electroencephalogram-based tests, proving the objective clinical quality of the coded tests, the capacity of the coding-access system to operate in real-time (overall delays of 2 s for electrocardiograms and 3.3 s for electroencephalograms) and its high usability. Despite the embedding of security and metadata to enable m-Health services, the compression ratios obtained by this coding range from ≈ 3 in real-time transmission to ≈ 5 in offline operation. Complementarily, keytagging permits associating information to images (and other signals) by means of keys in a secure and non-distorting fashion, which has been availed to implement security measures such as image authentication, integrity control and location of tampered areas, private captioning with role-based access control, traceability and copyright protection. The tests conducted indicate a remarkable robustness-capacity tradeoff that permits implementing all these measures simultaneously, and the compatibility of keytagging with JPEG2000 compression, maintaining this tradeoff while setting the overall keytagging delay at only ≈ 120 ms for any image size, evidencing the scalability of this technique. As a general conclusion, it has been demonstrated and illustrated with examples that there are various, complementary and structured manners to contribute to the implementation of suitable security levels for m-Health architectures with a moderate cost in budget, performance, interoperability and usability. The m-Health landscape is evolving permanently along all its dimensions, and this Thesis aims to do so with its security. Furthermore, the lessons learned herein may offer further guidance for the elaboration of more comprehensive and updated security schemes, for the extension of other biomedical standards featuring low emphasis on security or privacy, and for the improvement of the state of the art regarding signal-based protection methods and applications.

    Whitepaper on New Localization Methods for 5G Wireless Systems and the Internet-of-Things


    Improving Group Integrity of Tags in RFID Systems

    Checking the integrity of groups containing radio frequency identification (RFID) tagged objects or recovering the tag identifiers of missing objects is important in many activities. Several autonomous checking methods have been proposed for increasing the capability of recovering missing tag identifiers without external systems. This has been achieved by treating a group of tag identifiers (IDs) as packet symbols encoded and decoded in a way similar to that in binary erasure channels (BECs). Redundant data are required to be written into the limited memory space of RFID tags in order to enable the decoding process. In this thesis, the group integrity of passive tags in RFID systems is specifically targeted, with novel mechanisms being proposed to improve upon the current state of the art. Due to the sparseness property of low density parity check (LDPC) codes and the mitigation of the progressive edge-growth (PEG) method for short cycles, the research is begun with the use of the PEG method in RFID systems to construct the parity check matrix of LDPC codes in order to increase the recovery capabilities with reduced memory consumption. It is shown that the PEG-based method achieves significant recovery enhancements compared to other methods with the same or less memory overheads. The decoding complexity of the PEG-based LDPC codes is optimised using an improved hybrid iterative/Gaussian decoding algorithm which includes an early stopping criterion. The relative complexities of the improved algorithm are extensively analysed and evaluated, both in terms of decoding time and the number of operations required. It is demonstrated that the improved algorithm considerably reduces the operational complexity and thus the time of the full Gaussian decoding algorithm for small to medium amounts of missing tags. The joint use of the two decoding components is also adapted in order to avoid the iterative decoding when the missing amount is larger than a threshold. 
The optimum value of the threshold value is investigated through empirical analysis. It is shown that the adaptive algorithm is very efficient in decreasing the average decoding time of the improved algorithm for large amounts of missing tags where the iterative decoding fails to recover any missing tag. The recovery performances of various short-length irregular PEG-based LDPC codes constructed with different variable degree sequences are analysed and evaluated. It is demonstrated that the irregular codes exhibit significant recovery enhancements compared to the regular ones in the region where the iterative decoding is successful. However, their performances are degraded in the region where the iterative decoding can recover some missing tags. Finally, a novel protocol called the Redundant Information Collection (RIC) protocol is designed to filter and collect redundant tag information. It is based on a Bloom filter (BF) that efficiently filters the redundant tag information at the tag’s side, thereby considerably decreasing the communication cost and consequently, the collection time. It is shown that the novel protocol outperforms existing possible solutions by saving from 37% to 84% of the collection time, which is nearly four times the lower bound. This characteristic makes the RIC protocol a promising candidate for collecting redundant tag information in the group integrity of tags in RFID systems and other similar ones

    Tag-collision resolution techniques for RFID systems.

    Nie, Jing. Thesis (M.Phil.)--Chinese University of Hong Kong, 2007. Includes bibliographical references (leaves 73-77). Abstracts in English and Chinese.
    Contents:
    Abstract
    Abstract (Chinese Version)
    Acknowledgement
    Chapter 1: Introduction
    Chapter 2: Technology Overview
        2.1 History
        2.2 RFID Systems
            2.2.1 Tag
            2.2.2 Reader
            2.2.3 Software system
            2.2.4 Communication infrastructure
        2.3 Frequency Regulations and Standards
            2.3.1 RFID frequency
            2.3.2 Standards
        2.4 Technology Comparison and RFID Applications
            2.4.1 Technology Comparison
            2.4.2 RFID Applications
    Chapter 3: Research Background
        3.1 Tag-Collision Resolution Techniques for RFID systems
            3.1.1 Deterministic Collision-Resolution Technique
            3.1.2 Stochastic Collision-Resolution Technique
    Chapter 4: Optimized Anti-Collision Protocol
        4.1 System Description
        4.2 Mathematical System Model
        4.3 Optimal Parameter
            4.3.1 Stochastic Shortest Path
            4.3.2 Optimal Parameter
        4.4 Performance Evaluation
            4.4.1 Initial and Optimal Policy
            4.4.2 Performance Comparison
        4.5 Summary
    Chapter 5: Unknown Tag Set Anti-Collision Protocol
        5.1 Protocol Description
            5.1.1 System Model
            5.1.2 Tag Estimation
        5.2 Performance Evaluation
        5.3 Summary
    Chapter 6: Conclusion and Future Work
        6.1 Conclusion
        6.2 Future Work
    Bibliography

    Building Information Modelling : Indoor Localization

    This thesis presents an integrated system where BIM software is used together with IoT devices to visualize data generated in real time. Two different IoT devices that collect environmental and localization data are modelled as a case study. These devices were installed inside a test room with an area of approx. 22 m² on the UiT Narvik premises. The collected data were filtered and transferred to a database server, and were then retrieved and visualized by the BIM software in real time. The report presents the tools and technologies that are implemented to develop such a system and provides details on the basic blocks required for such integrations. The combined platform visualizes information about the things as it happens in real time. This makes such systems capable of digitalizing physical processes and gives them various application domains. In the report it is applied as a monitoring platform for temperature and illumination data and can be used for facility management applications. Similarly, indoor localization is monitored, making it applicable for localization and safety management purposes. The performance of the system is also discussed based on tests, observations, and calculations.