
    Methods and tools for network reconnaissance of IoT devices

    The Internet of Things (IoT) impacts nearly all aspects of our daily life, including housing, transportation, healthcare, and manufacturing. IoT devices communicate through a variety of communication protocols, such as Bluetooth Low Energy (BLE), Zigbee, Z-Wave, and LoRa. These protocols serve essential purposes in commercial, industrial and personal domains, encompassing wearables and intelligent buildings. The organic and decentralized development of IoT protocols under the auspices of different organizations has resulted in a fragmented and heterogeneous IoT ecosystem. In many cases, IoT devices do not have an IP address. Furthermore, some protocols, such as LoRa and Z-Wave, are proprietary in nature and incompatible with standard protocols. This heterogeneity and fragmentation of the IoT introduce challenges in assessing the security posture of IoT devices. To address this problem, this thesis proposes a novel methodology that transcends specific protocols and supports network and security monitoring of IoT devices at scale. This methodology leverages the capabilities of software-defined radio (SDR) technology to implement IoT protocols in software. We first investigate the problem of IoT network reconnaissance, that is, the discovery and characterization of all the IoT devices in one's organization. We focus on four popular protocols, namely Zigbee, BLE, Z-Wave, and LoRa. We introduce and analyze new algorithms to improve the performance and speed up the discovery of IoT devices. These algorithms leverage the ability of SDRs to transmit and receive signals across multiple channels in parallel. We implement these algorithms in the form of an SDR tool, called IoT-Scan, the first universal IoT scanner middleware. We thoroughly evaluate the delay and energy performance of IoT-Scan. Notably, using multi-channel scanning, we demonstrate a reduction of 70% in the discovery times of Bluetooth and Zigbee devices in the 2.4 GHz band and of LoRa and Z-Wave devices in the 900 MHz band, versus single-channel scanning. Second, we investigate a new type of denial-of-service attack on IoT cards, called Truncate-after-Preamble (TaP) attacks. We employ SDRs to assess the security posture of off-the-shelf Zigbee and Wi-Fi cards against TaP attacks. We show that all the Zigbee devices are vulnerable to TaP attacks, while the Wi-Fi devices are vulnerable to varying degrees. Remarkably, TaP attacks demand energy consumption five orders of magnitude lower than what is required by a continuous jamming mechanism. We propose several countermeasures to mitigate the attacks. Third, we devise an innovative approach for identifying and creating unique profiles for IoT devices. This approach leverages SDRs to create malformed packets at the physical layer (e.g., truncated or overlapping packets). Experiments demonstrate the ability of this approach to perform fine-grained timing experiments (at the microsecond level), craft multi-packet transmissions/collisions, and derive device-specific reception curves. In summary, the results of this thesis validate the feasibility of our proposed SDR-based methodology in addressing fundamental security challenges caused by the heterogeneity of the IoT. This methodology is future-proof and can accommodate new protocols and protocol upgrades.

    Toward Open and Programmable Wireless Network Edge

    Increasingly, the last hop connecting users to their enterprise and home networks is wireless. Wireless is becoming ubiquitous not only in homes and enterprises but in public venues such as coffee shops, hospitals, and airports. However, most of the publicly and privately available wireless networks are proprietary and closed in operation. Also, there is little effort from industry to move toward the greater openness that innovation requires. Therefore, we believe it falls to university researchers to enable innovation through openness. In this thesis work, we introduce and define the importance of an open framework in addressing the complexity of the wireless network. The Software Defined Network (SDN) framework has emerged as a popular solution for the data center network. The promise of the SDN framework, however, is to make the network open, flexible and programmable. In order to deliver on that promise, SDN must work for all users and across all networks, both wired and wireless. Therefore, we propose new modules and APIs to extend the standard SDN framework all the way to the end devices (i.e., mobile devices, APs). Thus, we want to provide an extensible and programmable abstraction of the wireless network as part of the current SDN-based solution. In this thesis work, we design and develop a framework, weSDN (wireless extension of SDN), that extends the SDN control capability all the way to the end devices to support client-network interaction capabilities and new services. weSDN enables the control plane of wireless networks to be extended to mobile devices and allows top-level decisions to be made from an SDN controller with knowledge of the network as a whole, rather than through device-centric configurations. In addition, weSDN easily obtains user application information, as well as the ability to monitor and control application flows dynamically. Based on the weSDN framework, we demonstrate new services such as application-aware traffic management, WLAN virtualization, and security management.

    LINK ADAPTATION IN WIRELESS NETWORKS: A CROSS-LAYER APPROACH

    Conventional link adaptation techniques in wireless networks aim to overcome harsh link conditions caused by physical environmental properties by adaptively regulating modulation, coding and other signal- and protocol-specific parameters. These techniques are essential for the overall performance of the networks, especially in environments where the ambient noise level is high or changes rapidly. Link adaptation techniques answer the questions "What to change?" and "When to change?" in order to improve the performance of the present layer. Once these decisions are made, other layers are expected to function perfectly under the new communication channel conditions. In our work, we show that this assumption does not always hold, and we provide two mechanisms that lessen the negative outcomes caused by these decisions. Our first solution, MORAL, is a MAC layer link adaptation technique which utilizes the physical transmission information in order to differentiate between wireless users with different communication capabilities. MORAL passively collects information from its neighbors and re-aligns the MAC layer parameters according to the observed conditions. MORAL improves the fairness and total throughput of the system by distributing the mutually shared network assets to the wireless users in a fairer manner, according to their capabilities. Our second solution, the Data Rate and Fragmentation Aware Ad-hoc Routing protocol, is a network layer link adaptation technique which utilizes the physical transmission information in order to differentiate the wireless links according to their communication capabilities. The proposed mechanism takes the physical transmission parameters into account during the path creation process and produces energy-efficient network paths. The research demonstrated in this dissertation contributes to our understanding of link adaptation techniques and broadens the scope of such techniques beyond simple, one-step physical parameter adjustments. We have designed and implemented two cross-layer mechanisms that utilize the physical layer information to better adapt to the varying channel conditions caused by physical link adaptation mechanisms. These mechanisms have shown that even though the link adaptation concept starts at the physical layer, its effects are by no means restricted to this layer, and that wireless networks can benefit considerably from expanding the scope of this concept throughout the entire network stack.

    Advanced Wireless LAN

    The past two decades have witnessed startling advances in wireless LAN technologies, stimulated by their increasing popularity in the home, due to ease of installation, and in commercial complexes offering wireless access to their customers. This book presents some of the latest developments in wireless LAN, covering the physical layer, the MAC layer, QoS and systems. It provides an opportunity for both practitioners and researchers to explore the problems that arise in the rapidly developing wireless LAN technologies.

    Performance assessment for mountain bike based on WSN and Cloud Technologies

    The mountain bike is one of the most widely used pieces of equipment in outdoor sports activities. The thesis describes the design, development and implementation of Performance Assessment for Mountain Bike based on Wireless Sensor Network (WSN) and Cloud Technologies. The work presents a distributed sensing system for cycling assessment, providing data for objective evaluation of the athlete's performance during training. A wireless sensor network attached to the sports equipment thus provides the athlete and the coach with performance values during practice. The sensors placed on the biker's equipment behave as nodes of a WSN. This is made possible by the development of IoT-based systems in sports; the tracking and monitoring of athletes during their activities plays an important role in their formation as bikers and helps to increase performance through the analysis of each session. The implemented system performs acquisition, processing and transmission of data using a ZigBee wireless network, which also provides machine-to-machine communication and data storage on a server located in the cloud. Whereas many cycling applications use the phone as the module that acquires the values, this work differs in using the phone/tablet only to consult the information. The information stored on the cloud server is accessed through a mobile application that analyses and correlates all the metrics calculated from the training data obtained during practice. Additional information regarding health status may also be considered. Therefore, the system allows athletes to perform an unlimited number of training sessions that can be accessed at any time through the mobile application by the bikers and the coach. Because the system saves a history of each athlete's evolution during training, it allows appropriate comparisons between different training sessions and between different athletes' performances.

    The mountain bike is one of the most widely used pieces of equipment for outdoor sports. The thesis describes the complete design, development and implementation of Performance Assessment for Mountain Bike based on WSN and Cloud Technologies. It presents a distributed sensing system for increasing performance, improving cycling training methodology and developing athletes. To this end, a sensor network embedded in the cyclist's equipment was developed and attached; through this wireless sensor network the values describing the interaction between the user and the bicycle are obtained and presented to the coach and to the cyclist. The installed sensors behave as nodes of a wireless sensor network. This is made possible by the development of Internet of Things based systems in sport; observing the movement and monitoring of athletes during their activities plays an important role in their formation as cyclists and helps to increase performance. The system is based on a ZigBee wireless network, which allows machine-to-machine communication and data storage on a server located in the cloud. All the information in the cloud can be accessed through a mobile application that analyses and correlates all the values computed from the data collected during each cyclist's training. Whereas many cycling applications use the phone as the module that acquires the values, in this work the phone/tablet is used only to consult the information. Some information about the cyclist is supplied in order to perform some health-related calculations, in this case the total energy expended during a given training session. All this information can be accessed through an Android application and therefore on an Android device. With the developed application it is possible to view and process all the information collected through the installed sensors; the collected data can be viewed by the responsible coach as well as by the athlete. Therefore, the system allows an unlimited number of training sessions, which can be consulted at any time through the mobile application. This makes it possible to keep a history of each athlete's evolution, and thus to view and compare each training session carried out by each athlete.

    Interference management in impulse-radio ultra-wide band networks

    We consider networks of impulse-radio ultra-wide band (IR-UWB) devices. We are interested in the architecture, design, and performance evaluation of these networks in a low data-rate, self-organized, and multi-hop setting. IR-UWB is a potential physical layer for sensor networks and emerging pervasive wireless networks. These networks are likely to have no particular infrastructure, might have nodes embedded in everyday objects, and have a size ranging from a few dozen nodes to large-scale networks composed of hundreds of nodes. Their average data rate is low, on the order of a few megabits per second. IR-UWB physical layers are attractive for these networks because they potentially combine low power consumption, robustness to multipath fading and to interference, and location/ranging capability. The features of an IR-UWB physical layer greatly differ from the features of the narrow-band physical layers used in existing wireless networks. First, the bandwidth of an IR-UWB physical layer is at least 500 MHz, which is easily two orders of magnitude larger than the bandwidth used by a typical narrow-band physical layer. Second, this large bandwidth implies stringent radio spectrum regulations because UWB systems might occupy a portion of the spectrum that is already in use. Consequently, UWB systems exhibit extremely low power spectral densities. Finally, IR-UWB physical layers offer multi-channel capabilities for multiple and concurrent access to the physical layer. Hence, the architecture and design of IR-UWB networks are likely to differ significantly from those of narrow-band wireless networks. For the network to operate efficiently, it must be designed and implemented to take into account the features of IR-UWB and to take advantage of them. In this thesis, we focus on both the medium access control (MAC) layer and the physical layer. 
Our main objectives are to understand and determine (1) the architecture and design principles of IR-UWB networks, and (2) how to implement them in practical schemes. In the first part of this thesis, we explore the design space of IR-UWB networks and analyze the fundamental design choices. We show that interference from concurrent transmissions should not be prevented as in protocols that use mutual exclusion (for instance, IEEE 802.11). Instead, interference must be managed with rate adaptation, and an interference mitigation scheme should be used at the physical layer. Power control is useless. Based on these findings, we develop a practical PHY-aware MAC protocol that takes into account the specific nature of IR-UWB and that is able to adapt its rate to interference. We evaluate the performance obtained with this design: It clearly outperforms traditional designs that, instead, use mutual exclusion or power control. One crucial aspect of IR-UWB networks is packet detection and timing acquisition. In this context, a network design choice is whether to use a common or private acquisition preamble for timing acquisition. Therefore, we evaluate how this network design issue affects the network throughput. Our analysis shows that a private acquisition preamble yields a tremendous increase in throughput, compared with a common acquisition preamble. In addition, simulations on multi-hop topologies with TCP flows demonstrate that a network using private acquisition preambles has a stable throughput. On the contrary, using a common acquisition preamble exhibits an effect similar to exposed terminal issues in 802.11 networks: the throughput is severely degraded and flow starvation might occur. In the second part of this thesis, we are interested in IEEE 802.15.4a, a standard for low data-rate, low complexity networks that employs an IR-UWB physical layer. Due to its low complexity, energy detection is appealing for the implementation of practical receivers. 
But it is less robust to multi-user interference (MUI) than a coherent receiver. Hence, we evaluate the performance of an IEEE 802.15.4a physical layer with an energy detection receiver to find out whether satisfactory performance is still obtained. Our results show that MUI severely degrades the performance in this case. The energy detection receiver significantly diminishes one of the most appealing benefits of UWB, specifically its robustness to MUI and thus the possibility of allowing parallel transmissions. This performance analysis leads to the development of an IR-UWB receiver architecture, based on energy detection, that is robust to MUI and adapted to the peculiarities of IEEE 802.15.4a. This architecture greatly improves the performance and entails only a moderate increase in complexity. Finally, we present the architecture of an IR-UWB physical layer implementation in ns-2, a well-known network simulator. This architecture is generic and allows for the simulation of several multiple-access physical layers. In addition, it comprises a model of packet detection and timing acquisition. Network simulators also need efficient algorithms to accurately compute bit or packet error rates. Hence, we present a fast algorithm to compute the bit error rate of an IR-UWB physical layer in a network setting with MUI. It is based on a novel combination of large deviation theory and importance sampling.

    Attack on WiFi-based Location Services and SSL using Proxy Servers

    Wireless LANs are very common in households and businesses today. They allow access to the home or business network and the Internet without using wires. Their wireless nature allows mobility and convenience for the user, and that opens up many new possibilities in mobile devices such as smartphones and tablets. One application that makes use of wireless LANs is positioning, which can be used in areas where Global Positioning Systems function poorly or not at all. However, a drawback of using wireless communication is that it is susceptible to eavesdropping and jamming. Once the wireless signal is jammed, an attacker can set up fake access points on different channels or frequencies to impersonate a legitimate access point. In this thesis, this attack is performed specifically to trick WiFi-based location services. The attack is shown to work on the Skyhook, Google, Apple and Microsoft location services, four of the major location service providers, and on dual-band hardware. Some countermeasures to such an attack are also presented. The web is an important part of many people's lives nowadays. People expect that their privacy and confidentiality are preserved when they use the web. Previously, web traffic used HTTP, which meant all traffic was unencrypted and could be intercepted and read by attackers. This is clearly a security problem, so many websites now default to a more secure protocol, namely HTTPS, which is HTTP over SSL, and redirect users to HTTPS if they connect over the non-SSL protocol. SSL works by exchanging keys between the client and server, and the actual data is protected using the key and the cipher suite negotiated between the two. However, if a network uses a proxy server, it works slightly differently. The SSL connection is broken up into two separate ones, and that creates the potential for man-in-the-middle attacks that allow an attacker to intercept the data being transmitted. This thesis analyzes several scenarios in which an adversary can conduct such a man-in-the-middle attack, and potential detection and mitigation methods.

    Dish networks: Protocols, strategies, analysis, and implementation
