A State-of-the-Art Review on the Security of Mainstream IoT Wireless PAN Protocol Stacks
Abstract
1. Introduction
2. Overview and Security Features
2.1. BLE
2.2. ZigBee
2.3. Z-Wave
2.4. Thread
2.5. EnOcean
3. Literature Review
3.1. Group I
3.1.1. BLE
3.1.2. Z-Wave
3.1.3. ZigBee
3.1.4. Thread
3.2. Group II
4. Discussion
- (a) Protocols that support a mesh networking infrastructure, i.e., ZigBee, Thread, EnOcean, and Z-Wave, are more robust in terms of connectivity and "service" availability than non-mesh architectures.
- (b) The introduction of improved security mechanisms in a new version of a protocol should not be considered a panacea. For instance, although Z-Wave S2 offers advanced security features over its predecessor, attackers can still bypass it, e.g., by forcing a downgrade of the pairing process to the legacy S0 scheme (the "Z-Shave" attack), in order to eavesdrop on and/or tamper with certain communication messages.
- (c) All the examined protocols provide over-the-air confidentiality, source authentication, and integrity. Barring some exceptions [61,62,63], they also offer protection against replay attacks, which can otherwise lead to unauthorized control of nodes. These essential security properties are effective against external attacks, such as eavesdropping, impersonation, message spoofing, tampering, and injection, as well as against generic MAC-layer attacks. More interestingly, EnOcean provides a scheme to repel MITM attacks, but in practice it can only be enabled on line-powered devices. Equally important, some or all of the aforementioned security services are mandatory for devices/applications that require a high security level, such as door locks, while less security-sensitive ones may not enable such services at all.
- (d) While energy-preserving, the use of a single network-wide key to protect communications between devices widens the attack surface: the compromise of any one node exposes the traffic of all. Protocols mitigate this threat by means of either additional security at the application layer (e.g., DTLS in Thread), network segmentation that leads to segmentation of keys (e.g., security classes in Z-Wave), or ECC-based AKA procedures that secure the transfer of the network key to joining devices. Frequent rotation of the network-wide key also helps in the same direction.
- (e) Perhaps the most important weakness concerns devices certified against older protocol versions and kept in service for backward compatibility. That is, although the protocols constantly evolve to cope with known shortcomings, IoT devices are designed to be long-lived and of an install-and-forget nature. Consequently, their firmware is rarely updated by the respective vendor and, until they are withdrawn from service, they remain exposed to attacks that newer protocol versions have already addressed.
- (f) In addition to the employment of standardized technologies such as IEEE 802.15.4 and ITU-T G.9959 in wireless IoT protocol stacks, the use of standardized or well-established security mechanisms, such as the DTLS, CoAP, and J-PAKE protocols in Thread, is a big step towards solutions that are more interoperable and more robust in terms of security. In any case, especially when it comes to security, the "not-invented-here" syndrome should be avoided, because, among other things, it can easily lead to positive biases, which in turn may create falsely elevated expectations. On the downside, because ECC schemes (or, more generally, public-key cryptography) as used in DTLS, J-PAKE, ECMQV, and Curve25519 are computationally expensive on constrained devices, the respective IoT protocols are also susceptible to clogging/flooding attacks, in which an adversary triggers a surge of handshakes to exhaust the victim's processing and energy budget.
- (g) At this point, it has become clear that the IoT ecosystem is highly fragmented in terms of adopted wireless communication technologies. This diversity stems mainly from (i) the computational resources and (ii) the energy resources of the devices, as well as (iii) the bandwidth and (iv) the security requirements of the application. Protocols such as 6LoWPAN attempt to bridge the interoperability gap at a higher layer. Nevertheless, such attempts introduce security issues of their own [93,94] and, secondarily, fail to cover the majority, let alone the totality, of alternative protocols. To date, the problem of secure interoperability in the IoT realm largely remains open, with several works providing comprehensive descriptions of the issues as well as potential solutions [95,96,97].
- (h) A large number of attacks are the product of misconfiguration or poor implementation decisions on the part of device manufacturers. This is particularly true of BLE communications, where such flaws allow the tracking of users through their mobile devices (e.g., via static UUIDs or non-randomized addresses) and, potentially, the complete defeat of the encryption services offered by the protocol (e.g., by relying on the legacy pairing methods, whose temporary key can be recovered by a passive sniffer).
- (i) To enable devices to be reset automatically, e.g., after an accidental malfunction or loss of power, some important pieces of data must be kept in the device's persistent, non-volatile storage. Note that storing such information centrally, e.g., in a trusted remote location, including the cloud, may be prone to backhaul link disconnection problems, and thus pivotal data should be stored in each network node. Such data include network information, security material, authentication and commissioning data, factory-default settings, and others, and therefore must be sufficiently protected from compromise after a device is hijacked. Most of the protocols specifically address this issue for the case where a device leaves the network (secure leaving). For instance, in Thread, this event is completed over CoAP management messages and starts when a device receives a network leave request from the Commissioner. The device must then delete all network security material from its persistent memory and transition to the uncommissioned state. In any case, the authenticity of leave messages must be guaranteed in order to prevent spoofed leave attacks that result in device isolation. In addition, countermeasures should be deployed against device theft, namely a device being stolen and moved to another network where it can be manipulated. For instance, as explained in Section 2.2, ZigBee Touchlink commissioning may be susceptible to this threat.
- (j) The use of more powerful devices acting as network coordinators (e.g., the TC in ZigBee, and the Commissioner and Border Router in Thread) can be of major help in applying and enforcing security policies in a centralized manner. As a first layer of defence, such devices can use allow/deny lists (white/black lists) to enforce device authentication in terms of, e.g., MAC address, but they can also provide fine-grained device authorization, e.g., whether a device is allowed to rejoin the network, whether it is allowed to obtain a link key for P2P communication with another device, etc. Note that address-based filtering on its own is easily defeated by spoofing and must be backed by cryptographic authentication of the joining device (proof of possession of a pre-shared or out-of-band-provisioned key). On the negative side, such devices, including network gateways, are inherently alluring targets for attackers and thus may become a single point of failure if their attack surface is not minimized.
- (k) Closely related to the previous issue is that of device tamper protection. Naturally, this kind of defence is in many cases unrealistic to offer by means of physical isolation, and thus it should be provided through tamper-resistant hardware. For the same reason, firmware updates need to be delivered in a secure manner (authenticated, integrity-protected, and with rollback protection), because a malicious or tampered update may also result in the device being compromised and/or enslaved in a bot army [4,98].
- (l) Where the WPAN makes use of cloud services, all nodes become susceptible to a plethora of Internet-borne attacks if the connection to the cloud is not secured end-to-end.
- (m) An interesting and timely kind of attack against WPAN devices capitalizes on physical side-channel analysis techniques. Such techniques have traditionally been used to mount attacks against cryptographic systems in general, but, as discussed in Section 3, they have lately been tested against certain WPAN protocols, either for device fingerprinting [78] or for obtaining the network credentials [79,84]. A possible research direction is the use of physical side-channel analysis also for defending such devices against intrusions, e.g., by detecting anomalous control flow from a device's power or electromagnetic emanations. In fact, this idea is not new, as it has already been explored in recent works, mainly for industrial and other kinds of IoT devices [99,100,101,102].
- (n) Inevitably, as is the case with virtually any wireless technology, all the protocols discussed in this work are prone to DoS attacks caused by radio jamming. This may result in loss of service due to interference, which in some cases may even be unintentional (recall that, among others, IEEE 802.11 also uses the 2.4 GHz band). Consider, for example, a door lock that is swamped with interference to prevent it from locking. Typically, this threat is mitigated by "frequency agility", including frequency hopping (e.g., BLE) or dynamic frequency selection and transmission power control (e.g., ZigBee), which migrate the network to a "quieter" channel and raise an alarm if the problem persists. Such a scheme may be implemented in a network manager/coordinator node, as the case may be. Note, however, that a wideband or reactive jammer cannot be outrun by changing channels; for safety-relevant actuators the remaining defence is a fail-safe local state combined with an alarm on lost connectivity. The same threat, but for the upper layers, applies to key control frames, including beacons. Namely, the aggressor may flood the network controller/router with a surge of spurious beacon request messages, sent on one or several radio channels, aiming to overload or paralyze that device.
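The replay-protection and key-rotation points of items (c) and (d) in working form, as an added example that is not part of the reviewed paper or of any protocol stack: every source keeps a monotonically increasing frame counter, the receiver remembers the highest counter accepted per (source, key sequence number), the MIC is checked before the counter table is consulted, and a key rotation advances the key sequence number so that counters may restart at zero. The 7-byte header layout, the HMAC-SHA256 tag truncated to 4 bytes (a stand-in for the AES-CCM MIC), and the sample keys are assumptions of this example.

```python
"""Replay protection with per-source frame counters under a network-wide key.

Added illustration, not code from the reviewed paper or from any protocol
stack. Assumptions: a 7-byte auxiliary header (source, key sequence number,
32-bit frame counter), an HMAC-SHA256 tag truncated to 4 bytes as a stand-in
for the AES-CCM MIC, and a key sequence number that advances on every key
rotation so that counters can restart from zero safely.
"""
import hashlib
import hmac
import struct

HDR = struct.Struct("!HBI")     # source address, key sequence number, frame counter
MIC_LEN = 4                     # truncated MIC, as in 802.15.4 MIC-32
COUNTER_MAX = 0xFFFFFFFF


def _mic(key: bytes, header: bytes, payload: bytes) -> bytes:
    # Authenticates header and payload; stand-in for the AES-CCM MIC.
    return hmac.new(key, header + payload, hashlib.sha256).digest()[:MIC_LEN]


class Sender:
    def __init__(self, src: int, key: bytes, key_seq: int = 0):
        self.src, self.key, self.key_seq, self.counter = src, key, key_seq, 0

    def rotate_key(self, new_key: bytes) -> None:
        # New key, new sequence number, fresh counter space.
        self.key, self.key_seq, self.counter = new_key, (self.key_seq + 1) & 0xFF, 0

    def build_frame(self, payload: bytes) -> bytes:
        if self.counter >= COUNTER_MAX:
            # Reusing a counter under the same key would defeat replay
            # protection and repeat a CCM nonce: refuse to send instead.
            raise RuntimeError("frame counter exhausted; rotate the key first")
        header = HDR.pack(self.src, self.key_seq, self.counter)
        self.counter += 1
        return header + payload + _mic(self.key, header, payload)


class Receiver:
    def __init__(self, keys: dict):
        self.keys = dict(keys)      # key_seq -> key
        self.last_seen = {}         # (src, key_seq) -> highest counter accepted

    def accept_frame(self, frame: bytes):
        """Return (accepted, payload_or_reason)."""
        if len(frame) < HDR.size + MIC_LEN:
            return False, "truncated"
        header, body, mic = frame[:HDR.size], frame[HDR.size:-MIC_LEN], frame[-MIC_LEN:]
        src, key_seq, counter = HDR.unpack(header)
        key = self.keys.get(key_seq)
        if key is None:
            return False, "unknown key sequence number"
        # Check the MIC before touching the counter table, so that a forged
        # frame with a high counter cannot lock out the genuine sender.
        if not hmac.compare_digest(mic, _mic(key, header, body)):
            return False, "bad MIC"
        slot = (src, key_seq)
        if counter <= self.last_seen.get(slot, -1):
            return False, "replayed or out-of-order frame"
        self.last_seen[slot] = counter
        return True, body


def demo() -> dict:
    """Scenarios from the text: fresh, replayed, tampered and post-rotation frames."""
    net_key = b"\x11" * 16                                  # constructed key
    tx, rx = Sender(src=0x1234, key=net_key), Receiver({0: net_key})
    r = {}
    f1 = tx.build_frame(b"unlock")
    r["fresh"] = rx.accept_frame(f1)[0]                     # True
    r["replay"] = rx.accept_frame(f1)[0]                    # False: counter reused
    forged = f1[:HDR.size] + b"lock  " + f1[-MIC_LEN:]      # payload swapped, old MIC kept
    r["tampered"] = rx.accept_frame(forged)[0]              # False: MIC mismatch
    f2 = tx.build_frame(b"status")
    r["next"] = rx.accept_frame(f2)[0]                      # True: counter advanced
    new_key = b"\x22" * 16
    tx.rotate_key(new_key)
    rx.keys[tx.key_seq] = new_key                           # receiver learns the new key
    r["after_rotation"] = rx.accept_frame(tx.build_frame(b"status"))[0]  # True, counter 0 again
    r["old_key_replay"] = rx.accept_frame(f2)[0]            # False: old slot already at 1
    return r


if __name__ == "__main__":
    print(demo())
```

Two design choices matter in practice: the MIC is verified before the counter table is updated, otherwise an attacker who can forge only the unauthenticated header could advance the stored counter and silently isolate the genuine sender; and counter exhaustion is treated as a hard stop rather than a wrap-around, because a repeated counter under the same key also repeats the CCM nonce.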
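Items (i) and (j) together describe one procedure: a coordinator admits devices by allow/deny list plus a cryptographic proof, authorizes rejoin and P2P link-key requests per device, and issues leave requests that a device honours only if they are authentic, after which the device wipes its network security material. The following is an added example of that exchange with both sides' messages; it is not code from the reviewed paper or from the ZigBee or Thread specifications. Assumptions: the per-device link key is derived from an out-of-band install code with HMAC-SHA256, management messages are tuples carrying HMAC tags, key transport is an XOR-with-keystream stand-in, and a dict stands in for the device's non-volatile memory.

```python
"""Join/leave management between a trust center and a device.

Added illustration, not code from the reviewed paper or from the ZigBee/Thread
specifications. Assumptions: install-code-derived link keys (HMAC-SHA256),
tuple-shaped management messages with HMAC tags, an XOR keystream stand-in
for key transport, and a dict as the device's non-volatile memory.
"""
import hashlib
import hmac


def derive_link_key(install_code: bytes) -> bytes:
    return hmac.new(b"link-key", install_code, hashlib.sha256).digest()[:16]


def tag(key: bytes, *fields) -> bytes:
    data = b"|".join(f if isinstance(f, bytes) else str(f).encode() for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def wrap(key: bytes, secret: bytes) -> bytes:
    # Stand-in for key transport under the link key; XOR is its own inverse.
    stream = hmac.new(key, b"transport", hashlib.sha256).digest()[:len(secret)]
    return bytes(a ^ b for a, b in zip(secret, stream))


class TrustCenter:
    def __init__(self, network_key: bytes):
        self.network_key = network_key
        self.policy = {}       # eui64 -> {"key", "rejoin", "p2p_link_keys"}
        self.denied = set()    # deny list, e.g. stolen or decommissioned devices
        self.members = set()
        self.leave_seq = 0     # makes leave requests unrepeatable

    def enroll(self, eui64, install_code, rejoin=True, p2p_link_keys=False):
        # Out-of-band enrollment: the install code is read from the device label/QR code.
        self.policy[eui64] = {"key": derive_link_key(install_code),
                              "rejoin": rejoin, "p2p_link_keys": p2p_link_keys}

    def join_request(self, eui64, proof, rejoin=False):
        """Admit only allow-listed, non-denied devices that prove possession of
        their install-code key; rejoining is authorized separately."""
        rec = self.policy.get(eui64)
        if rec is None or eui64 in self.denied or (rejoin and not rec["rejoin"]):
            return None
        if not hmac.compare_digest(proof, tag(rec["key"], "JOIN", eui64)):
            return None          # address is allow-listed but the key proof failed
        self.members.add(eui64)
        wrapped = wrap(rec["key"], self.network_key)
        return ("TRANSPORT_KEY", eui64, wrapped, tag(rec["key"], "TRANSPORT_KEY", eui64, wrapped))

    def link_key_request(self, eui64) -> bool:
        # Fine-grained authorization: may this member obtain a P2P link key?
        return eui64 in self.members and self.policy[eui64]["p2p_link_keys"]

    def leave_request(self, eui64):
        self.members.discard(eui64)
        self.leave_seq += 1
        key = self.policy[eui64]["key"]
        return ("LEAVE", eui64, self.leave_seq, tag(key, "LEAVE", eui64, self.leave_seq))


class Device:
    def __init__(self, eui64, install_code):
        self.eui64 = eui64
        # Persistent storage: the install-code key is the device's own credential;
        # network material is added on join and erased on leave.
        self.nvm = {"key": derive_link_key(install_code), "leave_seq": 0}
        self.state = "uncommissioned"

    def join(self, tc, rejoin=False) -> bool:
        msg = tc.join_request(self.eui64, tag(self.nvm["key"], "JOIN", self.eui64), rejoin)
        if msg is None:
            return False
        _, _, wrapped, t = msg
        if not hmac.compare_digest(t, tag(self.nvm["key"], "TRANSPORT_KEY", self.eui64, wrapped)):
            return False         # rogue coordinator without the install code
        self.nvm["network_key"] = wrap(self.nvm["key"], wrapped)
        self.state = "commissioned"
        return True

    def on_leave(self, msg) -> bool:
        kind, eui64, seq, t = msg
        if kind != "LEAVE" or eui64 != self.eui64 or seq <= self.nvm["leave_seq"]:
            return False
        if not hmac.compare_digest(t, tag(self.nvm["key"], "LEAVE", eui64, seq)):
            return False         # spoofed leave: ignore it and stay on the network
        self.nvm["leave_seq"] = seq
        self.nvm.pop("network_key", None)   # delete network security material
        self.state = "uncommissioned"
        return True


def demo() -> dict:
    tc = TrustCenter(network_key=b"\x42" * 16)                 # constructed
    tc.enroll("00:11:22:33:44:55:66:77", b"install-code-A", rejoin=False)
    good = Device("00:11:22:33:44:55:66:77", b"install-code-A")
    rogue = Device("de:ad:be:ef:00:00:00:01", b"guess")         # never enrolled
    r = {"rogue_join": rogue.join(tc), "good_join": good.join(tc)}   # False, True
    r["p2p_key"] = tc.link_key_request(good.eui64)              # False by policy
    r["spoofed_leave"] = good.on_leave(("LEAVE", good.eui64, 99, b"\x00" * 8))  # False
    r["still_commissioned"] = good.state == "commissioned"      # True
    r["real_leave"] = good.on_leave(tc.leave_request(good.eui64))   # True
    r["wiped"] = "network_key" not in good.nvm                  # True
    r["rejoin"] = good.join(tc, rejoin=True)                    # False: not authorized
    return r
```

The leave sequence number is stored in the device's persistent memory alongside the keys, so a captured leave request cannot be replayed after the device has been re-commissioned; the install-code key deliberately survives the wipe, since it is the credential the device needs to be admitted again, whereas the network key is exactly the material a thief would carry to another network.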
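The beacon-request flooding and frequency-agility mechanisms of item (n), as an added example that is not part of the reviewed paper or of any protocol stack: a coordinator rate-limits beacon requests per source and per channel over a sliding window, raising an alarm once per burst, and moves channel only when an energy-detection scan shows a clearly quieter alternative. The window, thresholds, frame records and energy readings are constructed assumptions. The same limiter goes beyond the MAC layer in the sense of item (f): applied to unauthenticated handshake initiations, it bounds the cost an adversary can impose on an ECC-based join procedure.

```python
"""Sliding-window detection of beacon-request floods at a coordinator, and a
channel-agility decision based on per-channel energy readings.

Added illustration, not code from the reviewed paper or from any stack. The
frame records, thresholds, window length and energy values are constructed
assumptions; a real coordinator would obtain them from its MAC layer and
energy-detection scan.
"""
from collections import defaultdict, deque

WINDOW_S = 1.0          # observation window in seconds
PER_SOURCE_LIMIT = 5    # beacon requests answered per source per window
TOTAL_LIMIT = 20        # beacon requests answered on the channel per window


class BeaconRequestMonitor:
    def __init__(self, window_s=WINDOW_S, per_source=PER_SOURCE_LIMIT, total=TOTAL_LIMIT):
        self.window_s, self.per_source, self.total = window_s, per_source, total
        self.by_source = defaultdict(deque)   # src -> timestamps inside the window
        self.all = deque()
        self.alarms = []                      # (timestamp, reason, source)

    def _expire(self, now):
        for q in (*self.by_source.values(), self.all):
            while q and now - q[0] > self.window_s:
                q.popleft()

    def observe(self, ts, src, frame_type) -> bool:
        """Feed one received MAC frame; return True if a beacon should be sent."""
        if frame_type != "BEACON_REQUEST":
            return False
        self._expire(ts)
        self.by_source[src].append(ts)
        self.all.append(ts)
        n_src, n_all = len(self.by_source[src]), len(self.all)
        # The per-source limit catches a single chatty or rogue address; the
        # channel-wide limit still holds when the attacker spoofs many addresses.
        if n_src > self.per_source:
            if n_src == self.per_source + 1:            # alarm once per burst
                self.alarms.append((ts, "per-source flood", src))
            return False
        if n_all > self.total:
            if n_all == self.total + 1:
                self.alarms.append((ts, "channel flood", None))
            return False
        return True


def pick_channel(energy_dbm: dict, current: int, margin_db: float = 6.0) -> int:
    """Move to the quietest channel only if it is clearly quieter than the
    current one; the margin avoids flapping between similarly busy channels."""
    best = min(energy_dbm, key=energy_dbm.get)
    return best if energy_dbm[current] - energy_dbm[best] >= margin_db else current


def demo() -> dict:
    mon = BeaconRequestMonitor()
    # Constructed trace: two legitimate scans, a 30-frame burst from one address,
    # then 25 frames from 25 different (spoofed) addresses two seconds later.
    trace = [(0.0, 0x0001, "BEACON_REQUEST"), (0.5, 0x0002, "BEACON_REQUEST"),
             (0.6, 0x0002, "DATA")]
    trace += [(1.0 + i * 0.01, 0xFFFF, "BEACON_REQUEST") for i in range(30)]
    trace += [(3.0 + i * 0.01, 0x1000 + i, "BEACON_REQUEST") for i in range(25)]
    answered = sum(mon.observe(*frame) for frame in trace)
    # Constructed energy-detection readings (dBm) on four channels.
    energy = {11: -60.0, 15: -85.0, 20: -70.0, 25: -88.0}
    return {"answered": answered,                                # 27
            "alarms": [reason for _, reason, _ in mon.alarms],
            "move_from_11": pick_channel(energy, current=11),    # 25
            "stay_on_15": pick_channel(energy, current=15)}      # 15: 25 is only 3 dB quieter
```

Dropping excess beacon requests instead of answering them is the cheaper half of the defence, since every beacon the coordinator would otherwise transmit costs airtime on the very channel under attack; the alarm is what turns the event into something an operator or a higher-layer policy can act on.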
5. Conclusions
Author Contributions
Funding
Conflicts of Interest
Abbreviations
| Abbreviation | Meaning |
|---|---|
| 6LoWPAN | IPv6 over Low-Power Wireless Personal Area Networks |
| AES | Advanced Encryption Standard |
| AES-CTR | AES Counter mode of operation |
| AKA | Authentication & Key Agreement |
| ATT | Attribute Protocol |
| BDB | ZigBee Base Device Behavior |
| BLE | Bluetooth Low Energy |
| CCM | Counter with CBC-MAC mode of operation |
| CMAC | Cipher-based Message Authentication Code |
| CoAP | Constrained Application Protocol |
| CRC | Cyclic Redundancy Check |
| CSRK | Connection Signature Resolving Key |
| DoS | Denial of Service |
| DTLS | Datagram Transport Layer Security protocol |
| ECC | Elliptic Curve Cryptography |
| ECDH | Elliptic Curve Diffie–Hellman |
| ECMQV | Elliptic Curve Menezes–Qu–Vanstone key agreement |
| EDIV | Encrypted Diversifier |
| EEP | EnOcean Equipment Profiles |
| ERP | EnOcean Radio Protocol |
| EUI | IEEE Extended Unique Identifier |
| FFD | ZigBee Full Function Device |
| GATT | Generic Attribute Profile |
| IEEE | Institute of Electrical and Electronics Engineers |
| IoT | Internet of Things |
| IRK | Identity Resolving Key |
| ISM | Industrial, Scientific and Medical radio spectrum |
| IV | Initialization Vector |
| KEK | Key Encryption Key |
| LoRaWAN | Long Range Wide Area Network |
| LTK | Long Term Key |
| MAC | Message Authentication Code; also Medium Access Control (as in MAC layer, MAC address) |
| MANET | Mobile Ad Hoc Network |
| MITM | Man-in-the-Middle |
| MK | Master Key |
| MLE | Mesh Link Establishment protocol |
| MPL | Multicast Protocol for Low-Power and Lossy Networks |
| NFC | Near Field Communication |
| OOB | Out of Band (association model) |
| OSI | Open Systems Interconnection model |
| P2P | Peer-to-Peer |
| PAKE | Password-Authenticated Key Exchange |
| PAN | Personal Area Network |
| PIN | Personal Identification Number |
| PSK | Pre-Shared Key |
| PDU | Protocol Data Unit |
| QR | Quick Response code |
| RAND | Random value |
| REED | Thread Router-Eligible End Device |
| RFD | ZigBee Reduced Function Device |
| RLC | EnOcean Rolling Code |
| RSSI | Received Signal Strength Indicator |
| SLF | EnOcean Security Level Format |
| SoC | System on a Chip |
| STK | Short Term Key |
| TC | Trust Center |
| TK | Temporary Key |
| TLS | Transport Layer Security |
| TLV | Type-Length-Value |
| UUID | Universally Unique Identifier |
| VAES | Variable AES |
| WPAN | Wireless Personal Area Network |
| ZC | ZigBee Coordinator |
| ZED | ZigBee End Device |
| ZR | ZigBee Router |
| ZLL | ZigBee Light Link |
References
- Internet of Things (IoT) Connected Devices Installed Base Worldwide from 2015 to 2025. Available online: https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/ (accessed on 27 February 2020).
- Rizvi, S.; Orr, R.; Cox, A.; Ashokkumar, P.; Rizvi, M.R. Identifying the Attack Surface for IoT Network. Internet Things 2020, 100162.
- HaddadPajouh, H.; Dehghantanha, A.; Parizi, R.M.; Aledhari, M.; Karimipour, H. A survey on internet of things security: Requirements, challenges, and solutions. Internet Things 2019, 100129.
- Kolias, C.; Kambourakis, G.; Stavrou, A.; Voas, J. DDoS in the IoT: Mirai and Other Botnets. Computer 2017, 50, 80–84.
- Geneiatakis, D.; Kounelis, I.; Neisse, R.; Nai-Fovino, I.; Steri, G.; Baldini, G. Security and privacy issues for an IoT based smart home. In Proceedings of the 2017 40th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO), Opatija, Croatia, 22–26 May 2017; pp. 1292–1297.
- Hassija, V.; Chamola, V.; Saxena, V.; Jain, D.; Goyal, P.; Sikdar, B. A Survey on IoT Security: Application Areas, Security Threats, and Solution Architectures. IEEE Access 2019, 7, 82721–82743.
- Bluetooth Core Specification v4.0. Available online: https://www.bluetooth.org/docman/handlers/downloaddoc.ashx?doc_id=456433 (accessed on 3 February 2020).
- Bluetooth Core Specification v5.2. Available online: https://www.bluetooth.org/DocMan/handlers/DownloadDoc.ashx?doc_id=286439 (accessed on 3 February 2020).
- Specification of the Bluetooth System v4.2. Available online: https://www.bluetooth.org/docman/handlers/downloaddoc.ashx?doc_id=441541 (accessed on 7 February 2020).
- ZigBee Alliance. ZigBee. Available online: https://zigbeealliance.org/solution/zigbee/ (accessed on 12 December 2019).
- IEEE. IEEE Standard for Low-Rate Wireless Networks; IEEE Std 802.15.4-2015 (Revision of IEEE Std 802.15.4-2011); IEEE: Piscataway, NJ, USA, 2016; pp. 1–709.
- Morgner, P.; Mattejat, S.; Benenson, Z.; Müller, C.; Armknecht, F. Insecure to the touch: Attacking ZigBee 3.0 via touchlink commissioning. In Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Boston, MA, USA, 18–20 July 2017; pp. 230–240.
- Silicon Labs. Z-Wave Specification Documents Search Page. Available online: https://www.silabs.com/search?q=specifications;page=1;x6=searchHeader;q6=Documents (accessed on 12 December 2019).
- ITU-T. G.9959: Short Range Narrow-Band Digital Radiocommunication Transceivers—PHY, MAC, SAR and LLC Layer Specifications. Available online: https://www.itu.int/rec/T-REC-G.9959/en (accessed on 17 December 2019).
- Genkin, D.; Valenta, L.; Yarom, Y. May the Fourth Be with You: A Microarchitectural Side Channel Attack on Several Real-World Applications of Curve25519. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, Dallas, TX, USA, 30 October–3 November 2017; pp. 845–858.
- Thread Group. Thread Group Support. Available online: https://www.threadgroup.org/support#specifications (accessed on 12 December 2019).
- Kushalnagar, N.; Montenegro, G.; Culler, D.E.; Hui, J.W. RFC 4944, Transmission of IPv6 Packets over IEEE 802.15.4 Networks. Available online: https://tools.ietf.org/html/rfc4944 (accessed on 3 March 2020).
- Thubert, P.; Hui, J.W. RFC 6282, Compression Format for IPv6 Datagrams over IEEE 802.15.4-Based Networks. Available online: https://tools.ietf.org/html/rfc6282 (accessed on 3 March 2020).
- Hinden, R.M.; Deering, S.E. RFC 4291, IP Version 6 Addressing Architecture. Available online: https://tools.ietf.org/html/rfc4291 (accessed on 3 March 2020).
- Kelsey, R. Mesh Link Establishment, Internet Draft. Available online: https://tools.ietf.org/html/draft-ietf-6lo-mesh-link-establishment-00 (accessed on 1 March 2020).
- Hui, J.; Kelsey, R. RFC 7731, Multicast Protocol for Low-Power and Lossy Networks (MPL). Available online: https://tools.ietf.org/html/rfc7731 (accessed on 10 February 2020).
- Shelby, Z.; Hartke, K.; Bormann, C. RFC 7252, The Constrained Application Protocol (CoAP). Available online: https://tools.ietf.org/html/rfc7252 (accessed on 10 February 2020).
- Sastry, N.; Wagner, D. Security Considerations for IEEE 802.15.4 Networks. In Proceedings of the 3rd ACM Workshop on Wireless Security, Philadelphia, PA, USA, 1 October 2004; pp. 32–42.
- Hao, F. RFC 8236, J-PAKE: Password-Authenticated Key Exchange by Juggling. Available online: https://tools.ietf.org/html/rfc8236 (accessed on 10 February 2020).
- Hao, F. RFC 8235, Schnorr Non-interactive Zero-Knowledge Proof. Available online: https://tools.ietf.org/html/rfc8235 (accessed on 10 February 2020).
- Abdalla, M.; Benhamouda, F.; MacKenzie, P. Security of the J-PAKE Password-Authenticated Key Exchange Protocol. In Proceedings of the 2015 IEEE Symposium on Security and Privacy, San Jose, CA, USA, 17–21 May 2015; pp. 571–587.
- Levis, P.; Clausen, T.H. RFC 6206, The Trickle Algorithm. Available online: https://tools.ietf.org/html/rfc6206 (accessed on 10 February 2020).
- ISO/IEC. ISO/IEC 14543-3-10:2012, Information Technology—Home Electronic Systems (HES) Architecture—Part 3–10: Wireless Short-Packet (WSP) Protocol Optimized for Energy Harvesting—Architecture and Lower Layer Protocols. Available online: http://www.iso.org/cms/render/live/en/sites/isoorg/contents/data/standard/05/98/59865.html (accessed on 10 February 2020).
- EnOcean GmbH, Oberhaching, Germany. EnOcean Technical Specifications. Available online: https://www.enocean-alliance.org/what-is-enocean/specifications/ (accessed on 12 December 2019).
- Zhang, Z.K.; Cho, M.C.Y.; Wang, C.W.; Hsu, C.W.; Chen, C.K.; Shieh, S. IoT Security: Ongoing Challenges and Research Opportunities. In Proceedings of the 2014 IEEE 7th International Conference on Service-Oriented Computing and Applications, Matsue, Japan, 19 November 2014; pp. 230–234, ISSN: 2163-2871.
- Mahmoud, R.; Yousuf, T.; Aloul, F.; Zualkernan, I. Internet of things (IoT) security: Current status, challenges and prospective measures. In Proceedings of the 2015 10th International Conference for Internet Technology and Secured Transactions (ICITST), London, UK, 16 December 2015; pp. 336–341.
- Wurm, J.; Hoang, K.; Arias, O.; Sadeghi, A.R.; Jin, Y. Security analysis on consumer and industrial IoT devices. In Proceedings of the 2016 21st Asia and South Pacific Design Automation Conference (ASP-DAC), Austin, TX, USA, 9 June 2016; pp. 519–697, ISSN: 2153-697X.
- Frustaci, M.; Pace, P.; Aloi, G.; Fortino, G. Evaluating Critical Security Issues of the IoT World: Present and Future Challenges. IEEE Internet Things J. 2018, 5, 2483–2495.
- Yang, Y.; Wu, L.; Yin, G.; Li, L.; Zhao, H. A Survey on Security and Privacy Issues in Internet-of-Things. IEEE Internet Things J. 2017, 4, 1250–1258.
- Alaba, F.A.; Othman, M.; Hashem, I.A.T.; Alotaibi, F. Internet of Things security: A survey. J. Netw. Comput. Appl. 2017, 88, 10–28.
- Mosenia, A.; Jha, N.K. A Comprehensive Study of Security of Internet-of-Things. IEEE Trans. Emerg. Top. Comput. 2017, 5, 586–602.
- Ammar, M.; Russello, G.; Crispo, B. Internet of Things: A survey on the security of IoT frameworks. J. Inf. Secur. Appl. 2018, 38, 8–27.
- Neshenko, N.; Bou-Harb, E.; Crichigno, J.; Kaddoum, G.; Ghani, N. Demystifying IoT Security: An Exhaustive Survey on IoT Vulnerabilities and a First Empirical Look on Internet-Scale IoT Exploitations. IEEE Commun. Surv. Tutor. 2019, 21, 2702–2733.
- Ryan, M. Bluetooth: With Low Energy comes Low Security. In Proceedings of the 7th USENIX Workshop on Offensive Technologies, Washington, DC, USA, 13 August 2013; p. 7.
- Jasek, S. Gattacking Bluetooth Smart Devices. In Proceedings of the Black Hat USA Conference; 2016. Available online: http://gattack.io/whitepaper.pdf (accessed on 3 February 2020).
- Willingham, T.; Henderson, C.; Kiel, B.; Haque, M.S.; Atkison, T. Testing Vulnerabilities in Bluetooth Low Energy. In Proceedings of the ACMSE 2018 Conference, Richmond, KY, USA, 29–31 March 2018.
- Gajbhiye, S.; Karmakar, S.; Sharma, M.; Sharma, S. Bluetooth Secure Simple Pairing with enhanced security level. J. Inf. Secur. Appl. 2019, 44, 170–183.
- Sevier, S.; Tekeoglu, A. Analyzing the Security of Bluetooth Low Energy. In Proceedings of the 2019 International Conference on Electronics, Information, and Communication (ICEIC), Auckland, New Zealand, 22–25 January 2019; pp. 1–5.
- Pallavi, S.; Narayanan, V.A. An Overview of Practical Attacks on BLE Based IOT Devices and Their Security. In Proceedings of the 5th International Conference on Advanced Computing Communication Systems (ICACCS), Coimbatore, India, 15–16 March 2019; pp. 694–698.
- Zhang, Y.; Weng, J.; Dey, R.; Jin, Y.; Lin, Z.; Fu, X. On the (In)security of Bluetooth Low Energy One-Way Secure Connections only Mode. arXiv 2019, arXiv:1908.10497.
- Das, A.K.; Pathak, P.H.; Chuah, C.N.; Mohapatra, P. Uncovering Privacy Leakage in BLE Network Traffic of Wearable Fitness Trackers. In Proceedings of the 17th International Workshop on Mobile Computing Systems and Applications—HotMobile, St. Augustine, FL, USA, 23–24 February 2016; pp. 99–104.
- Fawaz, K.; Kim, K.H.; Shin, K.G. Protecting privacy of BLE device users. In Proceedings of the 25th USENIX Security Symposium (USENIX Security 16), Austin, TX, USA, 10–12 August 2016; pp. 1205–1221.
- Kolias, C.; Copi, L.; Zhang, F.; Stavrou, A. Breaking BLE beacons for fun but mostly profit. In Proceedings of the 10th European Workshop on Systems Security, Belgrade, Serbia, 23 April 2017; pp. 1–6.
- Zuo, C.; Wen, H.; Lin, Z.; Zhang, Y. Automatic Fingerprinting of Vulnerable BLE IoT Devices with Static UUIDs from Mobile Apps. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security—CCS '19, London, UK, 11–15 November 2019; pp. 1469–1483.
- Sivakumaran, P.; Blasco Alis, J. A Low Energy Profile: Analysing Characteristic Security on BLE Peripherals. In Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy—CODASPY'18, Tempe, AZ, USA, 19–21 March 2018; pp. 152–154.
- Korolova, A.; Sharma, V. Cross-App Tracking via Nearby Bluetooth Low Energy Devices. In Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy, Tempe, AZ, USA, 19–21 March 2018; pp. 43–52.
- Sivakumaran, P.; Blasco, J. A Study of the Feasibility of Co-located App Attacks against BLE and a Large-Scale Analysis of the Current Application-Layer Security Landscape. In Proceedings of the 28th USENIX Security Symposium, Santa Clara, CA, USA, 14–16 August 2019; p. 19.
- Fouladi, B.; Ghanoun, S. Security evaluation of the Z-Wave wireless protocol. Black Hat USA 2013, 24, 1–2.
- Picod, J.M.; Lebrun, A.; Demay, J.C. Bringing software defined radio to the penetration testing community. In Proceedings of the Black Hat USA Conference, Las Vegas, NV, USA, 2–7 August 2014.
- Agosta, G.; Antonini, A.; Barenghi, A.; Galeri, D.; Pelosi, G. Cyber-security analysis and evaluation for smart home management solutions. In Proceedings of the 2015 International Carnahan Conference on Security Technology (ICCST), Taipei, Taiwan, 21–24 September 2015; pp. 1–6, ISSN: 2153-0742.
- Fuller, J.D.; Ramsey, B.W. Rogue Z-Wave controllers: A persistent attack channel. In Proceedings of the 2015 IEEE 40th Local Computer Networks Conference Workshops (LCN Workshops), Clearwater Beach, FL, USA, 26–29 October 2015; pp. 734–741.
- Badenhop, C.W.; Graham, S.R.; Ramsey, B.W.; Mullins, B.E.; Mailloux, L.O. The Z-Wave routing protocol and its security implications. Comput. Secur. 2017, 68, 112–129.
- Munro, K.; Tierney, A. A Basic Z-Wave Hack Exposes Up to 100 Million Smart Home Devices. Available online: https://www.pentestpartners.com/security-blog/z-shave-exploiting-z-wave-downgrade-attacks/ (accessed on 3 February 2020).
- Vidgren, N.; Haataja, K.; Patiño-Andres, J.L.; Ramírez-Sanchis, J.J.; Toivanen, P. Security Threats in ZigBee-Enabled Systems: Vulnerability Evaluation, Practical Experiments, Countermeasures, and Lessons Learned. In Proceedings of the 2013 46th Hawaii International Conference on System Sciences, Maui, HI, USA, 7–10 January 2013; pp. 5132–5138.
- Cao, X.; Shila, D.M.; Cheng, Y.; Yang, Z.; Zhou, Y.; Chen, J. Ghost-in-ZigBee: Energy Depletion Attack on ZigBee-Based Wireless Networks. IEEE Internet Things J. 2016, 3, 816–829.
- Ďurech, J.; Franeková, M. Security attacks to ZigBee technology and their practical realization. In Proceedings of the 2014 IEEE 12th International Symposium on Applied Machine Intelligence and Informatics (SAMI), Herl'any, Slovakia, 23–25 January 2014; pp. 345–349.
- Olawumi, O.; Haataja, K.; Asikainen, M.; Vidgren, N.; Toivanen, P. Three practical attacks against ZigBee security: Attack scenario definitions, practical experiments, countermeasures, and lessons learned. In Proceedings of the 2014 14th International Conference on Hybrid Intelligent Systems, Kuwait, 14–16 December 2014; pp. 199–206.
- Farha, F.; Chen, H. Mitigating replay attacks with ZigBee solutions. Netw. Secur. 2018, 2018, 13–19.
- Zillner, T.; Strobl, S. ZigBee Exploited—The Good, the Bad and the Ugly, Black Hat 2015. Available online: https://www.blackhat.com/docs/us-15/materials/us-15-Zillner-ZigBee-Exploited-The-Good-The-Bad-And-The-Ugly.pdf (accessed on 3 February 2020).
- Ronen, E.; Shamir, A.; Weingarten, A.O.; O'Flynn, C. IoT Goes Nuclear: Creating a ZigBee Chain Reaction. In Proceedings of the 2017 IEEE Symposium on Security and Privacy (SP), San Jose, CA, USA, 22–24 May 2017; pp. 195–212.
- Vaccari, I.; Cambiaso, E.; Aiello, M. Remotely Exploiting AT Command Attacks on ZigBee Networks. Secur. Commun. Netw. 2017, 2017, 1–9.
- Piracha, W.A.; Chowdhury, M.; Ray, B.; Rajasegarar, S.; Doss, R. Insider Attacks on ZigBee Based IoT Networks by Exploiting AT Commands. In Proceedings of the International Conference on Applications and Techniques in Information Security, Tamil Nadu, India, 22–24 November 2019; pp. 77–91.
- Liu, Y.; Pang, Z.; Dán, G.; Lan, D.; Gong, S. A Taxonomy for the Security Assessment of IP-Based Building Automation Systems: The Case of Thread. IEEE Trans. Ind. Inform. 2018, 14, 4113–4123.
- Dinu, D.; Kizhvatov, I. EM Analysis in the IoT Context: Lessons Learned from an Attack on Thread. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018, 73–97.
- Project Ubertooth—An Open Source 2.4 GHz Wireless Development Platform Suitable for Bluetooth Experimentation. Available online: https://github.com/greatscottgadgets/ubertooth/ (accessed on 3 March 2020).
- Santos, A.C.T.; Filho, J.L.S.; Silva, S.; Nigam, V.; Fonseca, I.E. BLE injection-free attack: A novel attack on bluetooth low energy devices. J. Ambient. Intell. Humaniz. Comput. 2019, 1–11.
- Hall, J. Breaking Bulbs Briskly by Bogus Broadcasts. Available online: https://shmoo.gitbook.io/2016-shmoocon-proceedings/one_track_mind/02_breaking_bulbs_briskly_by_bogus_broadcasts (accessed on 3 February 2020).
- Fuller, J.D.; Ramsey, B.W.; Rice, M.J.; Pecarina, J.M. Misuse-based detection of Z-Wave network attacks. Comput. Secur. 2017, 64, 44–58.
- Fuller, J.D. A Misuse-Based Intrusion Detection System for ITU-T G.9959 Wireless Networks; Technical Report AFIT-ENG-MS-16-M-016; Air Force Institute of Technology: Wright-Patterson AFB, OH, USA, 2016.
- Bakhache, B.; Ghazal, J.M.; Assad, S.E. Improvement of the Security of ZigBee by a New Chaotic Algorithm. IEEE Syst. J. 2014, 8, 1024–1033.
- Müller, C.; Armknecht, F.; Benenson, Z.; Morgner, P. On the Security of the ZigBee Light Link Touchlink Commissioning Procedure; Gesellschaft für Informatik e.V., Lecture Notes in Informatics (LNI): Bonn, Germany, 2016.
- Rana, S.M.S.; Halim, M.A.; Kabir, M.H. Design and Implementation of a Security Improvement Framework of ZigBee Network for Intelligent Monitoring in IoT Platform. Appl. Sci. 2018, 8, 2305.
- Rondeau, C.M.; Betances, J.A.; Temple, M.A. Securing ZigBee Commercial Communications Using Constellation Based Distinct Native Attribute Fingerprinting. Secur. Commun. Netw. 2018, 2018.
- Google LLC. OpenThread. Available online: https://openthread.io/ (accessed on 12 December 2019).
- Krentz, K.F.; Rafiee, H.; Meinel, C. 6LoWPAN Security: Adding Compromise Resilience to the 802.15.4 Security Sublayer. In Proceedings of the International Workshop on Adaptive Security, Zurich, Switzerland, 8–12 September 2013.
- Piro, G.; Boggia, G.; Grieco, L.A. A standard compliant security framework for IEEE 802.15.4 networks. In Proceedings of the 2014 IEEE World Forum on Internet of Things (WF-IoT), Seoul, South Korea, 6–8 March 2014; pp. 27–30.
- Granjal, J.; Monteiro, E.; Sá Silva, J. Security for the Internet of Things: A Survey of Existing Protocols and Open Research Issues. IEEE Commun. Surv. Tutor. 2015, 17, 1294–1312.
- Fernandes, E.; Jung, J.; Prakash, A. Security Analysis of Emerging Smart Home Applications. In Proceedings of the 2016 IEEE Symposium on Security and Privacy (SP), San Jose, CA, USA, 22–26 May 2016; pp. 636–654, ISSN: 2375-1207.
- O'Flynn, C.; Chen, Z. Power Analysis Attacks Against IEEE 802.15.4 Nodes. In Constructive Side-Channel Analysis and Secure Design; Standaert, F.X., Oswald, E., Eds.; Springer International Publishing: Cham, Switzerland, 2016; pp. 55–70.
- Tomić, I.; McCann, J.A. A Survey of Potential Security Issues in Existing Wireless Sensor Network Protocols. IEEE Internet Things J. 2017, 4, 1910–1923.
- Marksteiner, S.; Jimenez, V.J.E.; Valiant, H.; Zeiner, H. An overview of wireless IoT protocol security in the smart home domain. In Proceedings of the 2017 Internet of Things Business Models, Users, and Networks, Copenhagen, Denmark, 23–24 November 2017; pp. 1–8.
- Krejci, R.; Hujnak, O.; Svepes, M. Security survey of the IoT wireless protocols. In Proceedings of the 2017 25th Telecommunication Forum (TELFOR), Belgrade, Serbia, 21–22 November 2017; pp. 1–4.
- Dragomir, D.; Gheorghe, L.; Costea, S.; Radovici, A. A Survey on Secure Communication Protocols for IoT Systems. In Proceedings of the 2016 International Workshop on Secure Internet of Things (SIoT), Heraklion, Greece, 26–30 September 2016; pp. 47–62.
- Batalla, J.M.; Vasilakos, A.; Gajewski, M. Secure Smart Homes: Opportunities and Challenges. ACM Comput. Surv. 2017, 50, 75:1–75:32.
- Celebucki, D.; Lin, M.A.; Graham, S. A security evaluation of popular Internet of Things protocols for manufacturers. In Proceedings of the 2018 IEEE International Conference on Consumer Electronics (ICCE), Las Vegas, NV, USA, 12–14 January 2018; pp. 1–6, ISSN: 2158-4001.
- Unwala, I.; Taqvi, Z.; Lu, J. IoT Security: ZWave and Thread. In Proceedings of the 2018 IEEE Green Technologies Conference (GreenTech), Austin, TX, USA, 4–6 April 2018; pp. 176–182, ISSN: 2166-5478.
- Heartfield, R.; Loukas, G.; Budimir, S.; Bezemskij, A.; Fontaine, J.R.J.; Filippoupolitis, A.; Roesch, E. A taxonomy of cyber-physical threats and impact in the smart home. Comput. Secur. 2018, 78, 398–428.
- Pongle, P.; Chavan, G. A survey: Attacks on RPL and 6LoWPAN in IoT. In Proceedings of the 2015 International Conference on Pervasive Computing (ICPC), Pune, India, 8–10 January 2015; pp. 1–6.
- Hennebert, C.; Dos Santos, J. Security protocols and privacy issues into 6LoWPAN stack: A synthesis. IEEE Internet Things J. 2014, 1, 384–398.
- Noura, M.; Atiquzzaman, M.; Gaedke, M. Interoperability in internet of things: Taxonomies and open challenges. Mob. Netw. Appl. 2019, 24, 796–809.
- Di Martino, B.; Rak, M.; Ficco, M.; Esposito, A.; Maisto, S.; Nacchia, S. Internet of things reference architectures, security and interoperability: A survey. Internet Things 2018, 1, 99–112.
- Elkhodr, M.; Shahrestani, S.; Cheung, H. The internet of things: New interoperability, management and security challenges. arXiv 2016, arXiv:1604.04824.
- Kambourakis, G.; Kolias, C.; Stavrou, A. The Mirai botnet and the IoT Zombie Armies. In Proceedings of the MILCOM 2017—2017 IEEE Military Communications Conference (MILCOM), Baltimore, MD, USA, 23–25 October 2017; pp. 267–272, ISSN: 2155-7586.
- Sayakkara, A.; Le-Khac, N.A.; Scanlon, M. A survey of electromagnetic side-channel attacks and discussion on their case-progressing potential for digital forensics. Digit. Investig. 2019, 29, 43–54.
- Khan, H.A.; Alam, M.; Zajic, A.; Prvulovic, M. Detailed tracking of program control flow using analog side-channel signals: A promise for IoT malware detection and a threat for many cryptographic implementations. In Cyber Sensing; International Society for Optics and Photonics: Bellingham, WA, USA, 2018; Volume 10630, p. 1063005.
- Khan, H.A.; Sehatbakhsh, N.; Nguyen, L.N.; Callan, R.L.; Yeredor, A.; Prvulovic, M.; Zajic, A. IDEA: Intrusion Detection through Electromagnetic-Signal Analysis for Critical Embedded and Cyber-Physical Systems. IEEE Trans. Depend. Secur. Comput. 2019. [Google Scholar] [CrossRef]
- Han, Y.; Etigowni, S.; Liu, H.; Zonouz, S.; Petropulu, A. Watch Me, but Don’T Touch Me! Contactless Control Flow Monitoring via Electromagnetic Emanations. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, Dallas, TX, USA, 30 October–3 November 2017; pp. 1095–1108. [Google Scholar] [CrossRef] [Green Version]
- ON World Inc. 802.15.4 IoT Markets—ZigBee, Thread, 6LoWPAN, Wi-SUN and Others—A Market Dynamics Report (15th Edition). Available online: https://onworld.com/zigbee/index.htm (accessed on 20 January 2020).
Feature | BLE | ZigBee | Z-Wave S2 | Thread | EnOcean
---|---|---|---|---|---
Confidentiality | ⊛ | • | • | • | ⊛
Msg. Authenticity & Integrity | • | • | • | • | ⊛
Anti-replay | • | • | • | • | ⊛
MITM protection | ⊛ | • | • | • | ⊛
Device authentication | ⊛ | • | • | • | •
Protocol | Published Works per Type of Attack
---|---
BLE | Key derivation [39,40,41,42,43,44,45]
BLE | User tracking [46,47,48,49]
BLE | Activity detection [46]
BLE | Person identification [46,47,48]
BLE | Replay attack [40,43,44]
BLE | Advertisement spoofing [40,48]
BLE | Exposed services [40,50]
BLE | OTP authentication token interception [40]
BLE | Cross-application tracking [51]
BLE | Eavesdropping [41,44,46,49,52]
BLE | Denial of Service [43,46]
BLE | Downgrading [45]
Z-Wave | Eavesdropping [53]
Z-Wave | Replay [54]
Z-Wave | Key derivation [55]
Z-Wave | Rogue controller [56]
Z-Wave | Integrity vulnerabilities of the routing protocol, Black hole [57]
Z-Wave | Unauthorised commands [58]
ZigBee | Battery drain [59,60]
ZigBee | Key sniffing [59]
ZigBee | Key recovery through storage dump, Same-NONCE, Processor overloading (DoS) [61]
ZigBee | Replay [61,62,63]
ZigBee | Network discovery and device identification [12,62]
ZigBee | Eavesdropping [62]
ZigBee | Jamming [64]
ZigBee | Device takeover [12,64,65,66]
ZigBee | Reset device to factory settings, Permanent device disconnect, Network key extraction [12]
ZigBee | Network and device reconfiguration [67]
Thread | Jamming and flooding, Handshake flooding, Network leave, Key compromise, Replay, Same-Nonce, Guaranteed Time Slot, PAN ID conflict, Acknowledgment, DoS, Back-off and Clear Channel Assessment manipulation, Repudiation [68]
Thread | Electromagnetic side-channel, Key generation [69]
© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).
Share and Cite
Kambourakis, G.; Kolias, C.; Geneiatakis, D.; Karopoulos, G.; Makrakis, G.M.; Kounelis, I. A State-of-the-Art Review on the Security of Mainstream IoT Wireless PAN Protocol Stacks. Symmetry 2020, 12, 579. https://doi.org/10.3390/sym12040579