
    Survey of Spectrum Sharing for Inter-Technology Coexistence

    Increasing capacity demands in emerging wireless technologies are expected to be met by network densification and spectrum bands open to multiple technologies. These will, in turn, increase the level of interference and also result in more complex inter-technology interactions, which will need to be managed through spectrum sharing mechanisms. Consequently, novel spectrum sharing mechanisms should be designed to allow spectrum access for multiple technologies, while efficiently utilizing the spectrum resources overall. Importantly, it is not trivial to design such efficient mechanisms, not only due to technical aspects, but also due to regulatory and business model constraints. In this survey we address spectrum sharing mechanisms for wireless inter-technology coexistence by means of a technology circle that incorporates in a unified, system-level view the technical and non-technical aspects. We thus systematically explore the spectrum sharing design space consisting of parameters at different layers. Using this framework, we present a literature review on inter-technology coexistence with a focus on wireless technologies with equal spectrum access rights, i.e. (i) primary/primary, (ii) secondary/secondary, and (iii) technologies operating in a spectrum commons. Moreover, we reflect on our literature review to identify possible spectrum sharing design solutions and performance evaluation approaches useful for future coexistence cases. Finally, we discuss spectrum sharing design challenges and suggest future research directions.

    Survey on wireless technology trade-offs for the industrial internet of things

    Aside from vast deployment cost reduction, Industrial Wireless Sensor and Actuator Networks (IWSAN) introduce a new level of industrial connectivity. Wireless connection of sensors and actuators in industrial environments not only enables wireless monitoring and actuation, it also enables coordination of production stages, connecting mobile robots and autonomous transport vehicles, as well as localization and tracking of assets. All these opportunities already inspired the development of many wireless technologies in an effort to fully enable Industry 4.0. However, different technologies significantly differ in performance and capabilities, none being capable of supporting all industrial use cases. When designing a network solution, one must be aware of the capabilities and the trade-offs that prospective technologies have. This paper evaluates the technologies potentially suitable for IWSAN solutions covering an entire industrial site with limited infrastructure cost and discusses their trade-offs in an effort to provide information for choosing the most suitable technology for the use case of interest. The comparative discussion presented in this paper aims to enable engineers to choose the most suitable wireless technology for their specific IWSAN deployment.

    InternalBlue - Bluetooth Binary Patching and Experimentation Framework

    Bluetooth is one of the most established technologies for short range digital wireless data transmission. With the advent of wearables and the Internet of Things (IoT), Bluetooth has again gained importance, which makes security research and protocol optimizations imperative. Surprisingly, there is a lack of openly available tools and experimental platforms to scrutinize Bluetooth. In particular, system aspects and close to hardware protocol layers are mostly uncovered. We reverse engineer multiple Broadcom Bluetooth chipsets that are widespread in off-the-shelf devices. Thus, we offer deep insights into the internal architecture of a popular commercial family of Bluetooth controllers used in smartphones, wearables, and IoT platforms. Reverse engineered functions can then be altered with our InternalBlue Python framework, outperforming evaluation kits, which are limited to documented and vendor-defined functions. The modified Bluetooth stack remains fully functional and high-performance. Hence, it provides a portable low-cost research platform. InternalBlue is a versatile framework and we demonstrate its abilities by implementing tests and demos for known Bluetooth vulnerabilities. Moreover, we discover a novel critical security issue affecting a large selection of Broadcom chipsets that allows executing code within the attacked Bluetooth firmware. We further show how to use our framework to fix bugs in chipsets out of vendor support and how to add new security features to Bluetooth firmware.

    Design and evaluation of coexistence mechanisms for Bluetooth and IEEE 802.11b systems

    Short-range wireless technologies are becoming increasingly important in enabling useful mobile applications. Bluetooth and IEEE 802.11b standards are the most commonly deployed technologies for WPAN and WLAN. However, because both standards share the same unlicensed ISM (Industrial, Scientific, Medical) radio spectrum, severe interference is inevitable and performance can be impaired significantly when heterogeneous devices using the two technologies come into close proximity. The most notable solution to this problem is a frequency domain noncollaborative coexistence mechanism called adaptive frequency hopping (AFH). However, we find that the efficiency of the 'channel classification' sub-process in noncollaborative mechanisms is by and large ignored in the literature. Moreover, we also find that there is no system resources awareness and no interference source genre concerns in IEEE 802.15 Task Group 2 AFH (TG2 AFH) design. Thus, we suggest a new approach called ISOAFH (Interference Source Oriented AFH). With the above considerations, we propose a customized channel classification process, thereby simplifying the time and space complexity of the mechanism. Through our detailed implementation of various coexistence mechanisms in MATLAB Simulink, it is observed that TG2 AFH performance is sensitive to memory and power limitations, while ISOAFH is much less sensitive to these constraints and can keep a much lower channel collision rate. On the other hand, we also study some open issues of a time domain mechanism called MDMS (Master Delay MAC Scheduling). We compare different coexistence mechanisms and find that the performance of each approach very much depends on the efficiency of its sub-processes.

    On adaptive frequency hopping to combat coexistence interference between bluetooth and IEEE 802.11b with practical resource constraints

    In contrast to traditional frequency hopping techniques, Adaptive Frequency Hopping (AFH) is a low cost and low power solution to avoid interference dynamically. While each AFH algorithm proposed previously is shown to be efficient, a detailed performance analysis of various AFH mechanisms under realistic resource constraints is yet to be done. In particular, based on our performance study on Bluetooth systems presented in this paper, we have found that the AFH mechanism adopted by IEEE 802.15 Task Group 2 (TG2) is very sensitive to memory and power limitations. We then propose a novel Interference Source Oriented Adaptive Frequency Hopping (ISOAFH) approach based on a cross-layer design, in which the baseband layer of Bluetooth considers not only the instantaneous channel condition but also the physical layer transmission characteristics of potential interference sources in determining the hop sequence. In our simulations using detailed MATLAB Simulink modeling, we find that our proposed method is much more robust in that it is insensitive to memory and energy constraints. Indeed, our approach generally achieves a lower collision rate and higher ISM spectrum utilization.

    JamLab: Augmenting Sensornet Testbeds with Realistic and Controlled Interference Generation

    Radio interference drastically affects the performance of sensornet communications, leading to packet loss and reduced energy-efficiency. As an increasing number of wireless devices operate on the same ISM frequencies, there is a strong need for understanding and debugging the performance of existing sensornet protocols under interference. Doing so requires a low-cost flexible testbed infrastructure that allows the repeatable generation of a wide range of interference patterns. Unfortunately, to date, existing sensornet testbeds lack such capabilities, and do not permit easy study of the coexistence problems between devices sharing the same frequencies. This paper addresses the current lack of such an infrastructure by using off-the-shelf sensor motes to record and playback interference patterns as well as to generate customizable and repeatable interference in real-time. We propose and develop JamLab: a low-cost infrastructure to augment existing sensornet testbeds with accurate interference generation while limiting the overhead to a simple upload of the appropriate software. We explain how we tackle the hardware limitations and get an accurate measurement and regeneration of interference, and we experimentally evaluate the accuracy of JamLab with respect to time, space, and intensity. We further use JamLab to characterize the impact of interference on sensornet MAC protocols.

    Selective Jamming of LoRaWAN using Commodity Hardware

    Long range, low power networks are rapidly gaining acceptance in the Internet of Things (IoT) due to their ability to economically support long-range sensing and control applications while providing multi-year battery life. LoRa is a key example of this new class of network and is being deployed at large scale in several countries worldwide. As these networks move out of the lab and into the real world, they expose a large cyber-physical attack surface. Securing these networks is therefore both critical and urgent. This paper highlights security issues in LoRa and LoRaWAN that arise due to the choice of a robust but slow modulation type in the protocol. We exploit these issues to develop a suite of practical attacks based around selective jamming. These attacks are conducted and evaluated using commodity hardware. The paper concludes by suggesting a range of countermeasures that can be used to mitigate the attacks.
    Comment: Mobiquitous 2017, November 7-10, 2017, Melbourne, VIC, Australia.

    Frankenstein: Advanced Wireless Fuzzing to Exploit New Bluetooth Escalation Targets

    Wireless communication standards and implementations have a troubled history regarding security. Since most implementations and firmwares are closed-source, fuzzing remains one of the main methods to uncover Remote Code Execution (RCE) vulnerabilities in deployed systems. Generic over-the-air fuzzing suffers from several shortcomings, such as constrained speed, limited repeatability, and restricted ability to debug. In this paper, we present Frankenstein, a fuzzing framework based on advanced firmware emulation, which addresses these shortcomings. Frankenstein brings firmware dumps "back to life", and provides fuzzed input to the chip's virtual modem. The speed-up of our new fuzzing method is sufficient to maintain interoperability with the attached operating system, hence triggering realistic full-stack behavior. We demonstrate the potential of Frankenstein by finding three zero-click vulnerabilities in the Broadcom and Cypress Bluetooth stack, which is used in most Apple devices, many Samsung smartphones, the Raspberry Pis, and many others. Given RCE on a Bluetooth chip, attackers may escalate their privileges beyond the chip's boundary. We uncover a Wi-Fi/Bluetooth coexistence issue that crashes multiple operating system kernels and a design flaw in the Bluetooth 5.2 specification that allows link key extraction from the host. Turning off Bluetooth will not fully disable the chip, making it hard to defend against RCE attacks. Moreover, when testing our chip-based vulnerabilities on those devices, we find BlueFrag, a chip-independent Android RCE.
    Comment: To be published at USENIX Security.