Return to search

Methods and tools for network reconnaissance of IoT devices

The Internet of Things (IoT) impacts nearly all aspects surrounding our daily life, including housing, transportation, healthcare, and manufacturing. IoT devices communicate through a variety of communication protocols, such as Bluetooth Low Energy (BLE), Zigbee, Z-Wave, and LoRa. These protocols serve essential purposes in both commercial industrial and personal domains, encompassing wearables and intelligent buildings.

The organic and decentralized development of IoT protocols under the auspices of different organizations has resulted in a fragmented and heterogeneous IoT ecosystem. In many cases, IoT devices do not have an IP address. Furthermore, some protocols, such as LoRa and Z-Wave, are proprietary in nature and incompatible with standard protocols.

This heterogeneity and fragmentation of the IoT introduce challenges in assessing the security posture of IoT devices. To address this problem, this thesis proposes a novel methodology that transcends specific protocols and supports network and security monitoring of IoT devices at scale. This methodology leverages the capabilities of software-defined radio (SDR) technology to implement IoT protocols in software.

We first investigate the problem of IoT network reconnaissance, that is the discovery and characterization of all the IoT devices in one’s organization. We focus on four popular protocols, namely Zigbee, BLE, Z-Wave, and LoRa. We introduce and analyze new algorithms to improve the performance and speed-up the discovery of IoT devices. These algorithms leverage the ability of SDRs to transmit and receive signals across multiple channels in parallel.

We implement these algorithms in the form of an SDR tool, called IoT-Scan, the first universal IoT scanner middleware. We thoroughly evaluate the delay and energy performance of IoT-Scan. Notably, using multi-channel scanning, we demonstrate a reduction of 70% in the discovery times of Bluetooth and Zigbee devices in the 2.4GHz band and of LoRa and Z-Wave devices in the 900MHz band, versus single-channel scanning.

Second, we investigate a new type of denial-of-service attacks on IoT cards, called Truncate-after-Preamble (TaP) attacks. We employ SDRs to assess the security posture of off-the-shelf Zigbee and Wi-Fi cards to TaP attacks. We show that all the Zigbee devices are vulnerable to TaP attacks, while the Wi-Fi devices are vulnerable to the attack to a varying degree. Remarkably, TaP attacks demand energy consumption five orders of magnitude lower than what is required by a continuous jamming mechanism. We propose several countermeasures to mitigate the attacks.

Third, we devise an innovative approach for the purpose of identifying and creating unique profiles for IoT devices. This approach leverages SDRs to create malformed packets at the physical layer (e.g., truncated or overlapping packets). Experiments demonstrate the ability of this approach to perform fine-grained timing experiments (at the microsecond level), craft multi-packet transmissions/collisions, and derive device-specific reception curves.

In summary, the results of this thesis validate the feasibility of our proposed SDR-based methodology in addressing fundamental security challenges caused by the heterogeneity of the IoT. This methodology is future-proof and can accommodate new protocols and protocol upgrades.

Identiferoai:union.ndltd.org:bu.edu/oai:open.bu.edu:2144/47939
Date18 January 2024
CreatorsGvozdenović, Stefan
ContributorsStarobinski, David
Source SetsBoston University
Languageen_US
Detected LanguageEnglish
TypeThesis/Dissertation
RightsAttribution-NonCommercial-ShareAlike 4.0 International, http://creativecommons.org/licenses/by-nc-sa/4.0/

Page generated in 0.0025 seconds