This is Part 1 of a 3-part series on IoT Wireless Security Vulnerabilities & Solutions. See a video preview here. A significant portion of this series originates from a white paper I wrote earlier this year with technical contributions from security researcher colleague RJ Brownlow. The white paper was expanded upon and customized for a technical paper and presentation for the 2016 SCTE/ISBE conference and is highlighted in the video link above.

Introduction

1. Abstract

The rapid growth of the Internet of Things (IoT) has dramatically expanded the number of wireless devices and platforms in the home, in business and industry, and all around us. In addition to Wi-Fi, we see dramatic growth in Bluetooth, ZigBee, Z-Wave, and other low-power devices. While connected devices have many advantages, they also present a greater attack surface and more vulnerabilities for consumers and service providers. What are the security vulnerabilities to be aware of, and how can solution architects design to reduce risk? Do IoT platforms provide adequate safeguards? Which platforms provide the most reliable security? This paper explores real examples of open-platform security risks in home and public connected environments across several protocols. We demonstrate several tools to illustrate how hackers compromise connected wireless devices and networks, along with tactics to architect against and prevent intrusion risk. Readers will see solutions that actually work to improve safety, cost savings, time savings, and convenience. The audience is anyone planning or designing an IoT solution based on an open platform. Product executives, solution architects, and security professionals will be interested in understanding the security differences between open platforms and the methods for designing proper safeguards. Attendees will also see tools used to help test and validate these solutions.

2. Preview

Connectivity, home automation, energy conservation, security, health monitoring, business applications, and agricultural and industrial uses remain the driving factors behind wireless communication. All of these have varying requirements in terms of bandwidth, cost, privacy, and installation. The development of Internet-connected technologies in particular requires implementing IP solutions that harness energy savings and improve quality of life while staying safe from various security threats.

Several customized, industry-standard-based networking protocols allow the fast growth and deployment of self-healing mesh networks, which are much more reliable network arrangements. Some of these networking protocols, including Z-Wave, ZigBee, and Bluetooth, are based on the IEEE 802.15.4 protocol. They enable cost-effective communication between devices with low latency and low installation costs. However, because several protocols are available, security often suffers: each protocol represents a new attack surface with its own potential security flaws.

This paper highlights the importance of wireless security and cites some of the ways in which the lack of standards can place users at great risk. The focus is on internet-capable home and business appliances for which customized protocols were created. It also features attack scenarios against home automation protocols based on IEEE 802.15.4.

This paper describes several plausible attacks that target smart home and business systems using SDR (software-defined radio) platforms. We illustrate frameworks based on existing tools for practical, readily usable, and hardware-independent attacks. We demonstrate multiple attack vectors that compromise the symmetric keys used to secure these networks, where both the originator and the receiver must share the same key.

Additionally, this paper includes several tools that security researchers and professionals should consider in order to be most effective at eliminating cyber security risks on wireless platforms.

IoT Impacts

As the number of connected devices multiplies each year, the security risks grow as well. Estimates from Cisco, Ericsson, IDC, ABI, Forrester, and Gartner all forecast between 25 and 50 billion connected devices by 2020. That translates to over 26 devices per person, according to Intel. The potential economic impact, as estimated by these same firms, is between $2 and $5 trillion over the same period.

Figure 1 – Global IoT/IoE Device Forecasts

In parallel, the growth of IoT devices and platforms has contributed tremendously to the increase in cybersecurity issues, according to BI Intelligence and leading agencies. Executives indicate that IoT is both their single biggest threat and their biggest opportunity.

Figure 2 – Cybersecurity Market Annual Forecast

A ComputerWorld survey reveals that almost half of IT leaders said they will invest more next year in access control, intrusion prevention, MAC address filtering, identity management, and virus and malware protection.

With the explosion of connected devices and platforms come multiple wireless technologies. They range from near-field, low-power solutions to global, persistent technologies. The IoT space spans the full spectrum when home, business, industrial, transportation, health, and global applications are considered.

Figure 3 – IoT Wireless Technologies Spectrum by Postscapes.com

The security vulnerabilities illustrated for the selected technologies can also be applied to broader platforms in a similar manner. In the following sections, this technical paper examines exploits against just a couple of the most common retail applications available to consumers today. The potential vulnerability exposure is much greater than what can be presented in this publication.

Technology Brief: Z-Wave

As one of the leading wireless protocols in smart home automation, Z-Wave is at the forefront of many consumers’ first experiences with the IoT. Its prevalence has grown fast: 2014-2015 saw double-digit growth in sales of Z-Wave chips, eventually surpassing 35 million units. The ecosystem now has 250 manufacturers using the protocol in over 1,200 different devices.

Z-Wave is designed primarily for the reliable transmission of short messages from a control unit to one or more nodes in a network. Its architecture comprises five main layers: the physical (PHY), Medium Access Control (MAC), transfer, routing, and application layers. It uses two types of device, controllers and slaves. Controllers poll or send commands to slaves, which either reply to or execute the controllers’ commands.

Some homes can be fully controlled via a home automation system (sockets, TV sets, sound systems, lights, and so on). Owners who started building their wireless personal area networks (WPANs) years ago will have various generations of Z-Wave chips (i.e., the 200, 300, and 400 series) in place.

As will be demonstrated below, it is possible to sniff all of the traffic that flows in a WPAN. Anyone can learn to use professional tools such as Wireshark, Kali Linux, and Freakduino Chibi wireless Arduino-compatible boards for an intended attack. Cybercriminals can easily view tutorials and buy tools to sniff WPAN traffic, discovering a user’s daily routine, which devices are in their home, and how those devices are controlled.

Figure 4 – Proposed Z-Wave attack blueprints

For one, knowing the day-to-day schedule of the owner of an automated home lets a thief know when the house is empty and easy to steal from. More tech-savvy thieves can also inject arbitrary commands into your WPAN, letting them turn connected devices on and off or change how those devices are configured. A well-examined attack scenario involves the remote sniffing of Z-Wave packets and the injection of “unlock” packets on certain Z-Wave door lock products. For example, it would be possible to park across the street from a home or business, sniff packets when a person enters that building, and replay those packets later to gain access. Attackers can also tinker with automated devices and appliances in homes and businesses, causing them to malfunction or cause harm.
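The replay scenario above works because the captured frame stays valid for as long as the shared key does. The following is an added example, not code from the original paper or from any Z-Wave product, that models the defensive side of this: a toy lock that authenticates only the command (and therefore accepts a replayed frame) next to one that issues a single-use nonce per command and binds the MAC to it. The key, the one-byte command codes, the frame layout and the HMAC-SHA256 tag are all assumptions made for the example; real Z-Wave frames and security command classes look different.

```python
import hashlib
import hmac
import secrets

# Constructed toy model of a controller-to-lock exchange. It is NOT the real
# Z-Wave frame format or any of its security command classes; the key, the
# command codes and the frame layout are assumptions made for this example.

SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed
CMD_UNLOCK = b"\x01"
CMD_LOCK = b"\x02"
NONCE_LEN = 8


def _tag(key: bytes, data: bytes) -> bytes:
    """Message authentication tag over `data` under the shared key."""
    return hmac.new(key, data, hashlib.sha256).digest()


class NaiveLock:
    """Authenticates the command alone, so a captured frame stays valid forever."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.unlocked = False

    def handle(self, frame: bytes) -> bool:
        cmd, tag = frame[:1], frame[1:]
        if not hmac.compare_digest(tag, _tag(self.key, cmd)):
            return False
        self.unlocked = cmd == CMD_UNLOCK
        return True


class NonceLock:
    """Hands out a fresh single-use nonce per command and binds the MAC to it."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.unlocked = False
        self.outstanding = set()  # nonces issued but not yet consumed

    def get_nonce(self) -> bytes:
        nonce = secrets.token_bytes(NONCE_LEN)
        self.outstanding.add(nonce)
        return nonce

    def handle(self, frame: bytes) -> bool:
        cmd = frame[:1]
        nonce = frame[1:1 + NONCE_LEN]
        tag = frame[1 + NONCE_LEN:]
        # A nonce the lock never issued, or one already consumed, means replay or forgery.
        if nonce not in self.outstanding:
            return False
        if not hmac.compare_digest(tag, _tag(self.key, cmd + nonce)):
            return False
        self.outstanding.discard(nonce)  # consume it: the same frame can never validate twice
        self.unlocked = cmd == CMD_UNLOCK
        return True


def naive_frame(key: bytes, cmd: bytes) -> bytes:
    return cmd + _tag(key, cmd)


def nonce_frame(key: bytes, cmd: bytes, nonce: bytes) -> bytes:
    return cmd + nonce + _tag(key, cmd + nonce)


def replay_against_naive() -> tuple:
    """Legitimate unlock, door re-locked, then the identical captured frame re-sent."""
    lock = NaiveLock(SHARED_KEY)
    captured = naive_frame(SHARED_KEY, CMD_UNLOCK)
    first = lock.handle(captured)
    lock.unlocked = False            # owner locks the door again
    replayed = lock.handle(captured)
    return first, replayed, lock.unlocked   # (True, True, True): replay accepted


def replay_against_nonce() -> tuple:
    """The same sequence against the nonce-protected lock."""
    lock = NonceLock(SHARED_KEY)
    captured = nonce_frame(SHARED_KEY, CMD_UNLOCK, lock.get_nonce())
    first = lock.handle(captured)
    lock.unlocked = False
    replayed = lock.handle(captured)
    return first, replayed, lock.unlocked   # (True, False, False): replay rejected


if __name__ == "__main__":
    print("naive lock:", replay_against_naive())
    print("nonce lock:", replay_against_nonce())
```

The point of the comparison is that a shared symmetric key on its own only proves that a frame was once produced by a key holder, not that it is being sent now; freshness has to come from a nonce or counter the receiver controls and consumes, which is also what makes a replay detectable rather than merely ineffective.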

Technology Brief: ZigBee

ZigBee is a low-data-rate, low-power, low-cost wireless mesh networking protocol for automation and remote control applications. It comprises four basic layers, the PHY, MAC, network, and application layers, which provide additional security functionality.

Unlike Z-Wave, products based on ZigBee use the Advanced Encryption Standard (AES) to encrypt messages. This makes it very hard to figure out possible attacks.

ZigBee has cryptographic support, which is enabled by default. Problems can only surface at the gateway between a WPAN and an Internet Protocol (IP) network. People normally trust ZigBee’s security but forget about their IP networks, which need to be specially configured for safety.

If an attacker gains access to a gateway because of a default or weak password, a misconfiguration, or a lack of security, he can bypass ZigBee authentication. This gives him full access to the network, including security cameras, so he can observe daily activities. He can also change the gateway configuration so that connections are routed to a fake Domain Name System (DNS) or proxy server, respond to all of the DNS queries, and sniff all of the Hypertext Transfer Protocol (HTTP) and HTTPS requests sent out. This allows him to steal personally identifiable information (PII), including email and bank account credentials. With uninhibited access to the router, he can change your firewall settings and get direct access to any ZigBee-compliant device of his choosing.
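Every step in that chain starts from the IP-side gateway's own configuration: a weak admin password, resolvers pointed somewhere the owner did not choose, a proxy nobody set, or a firewall switched off. The following is an added example, not from the original paper or any gateway vendor, of a configuration audit that checks exactly those settings and returns one finding per problem. The configuration keys, the trusted-resolver allowlist and both sample configurations are constructed for the example; 192.0.2.53 and 203.0.113.9 are documentation-range addresses standing in for a real trusted resolver and for an attacker-controlled host.

```python
# Added example: configuration audit for the IP-side gateway in front of a
# ZigBee WPAN. The settings schema, the allowlist and both sample
# configurations are constructed for this example, not a real vendor format.

WEAK_PASSWORDS = {"", "admin", "password", "1234", "12345", "123456", "root"}
MIN_PASSWORD_LEN = 12

# Assumption: resolvers the operator deliberately chose. 192.0.2.53 is a
# documentation-range placeholder standing in for a real trusted resolver.
TRUSTED_RESOLVERS = {"192.0.2.53"}


def audit_gateway(cfg: dict) -> list:
    """Return one finding per setting that opens one of the paths described above."""
    findings = []

    # Default or weak admin credentials are the entry point for everything else.
    password = cfg.get("admin_password", "")
    if password.lower() in WEAK_PASSWORDS or len(password) < MIN_PASSWORD_LEN:
        findings.append("default or weak admin password")

    # An admin interface exposed on the WAN side makes that password remotely guessable.
    if cfg.get("remote_admin_enabled", False):
        findings.append("admin interface reachable from the WAN side")

    # Resolvers the owner did not pick are how DNS answers get redirected.
    for resolver in cfg.get("dns_servers", []):
        if resolver not in TRUSTED_RESOLVERS:
            findings.append(f"DNS resolver {resolver} is not on the trusted list")

    # A proxy nobody configured is how HTTP/HTTPS requests get intercepted.
    if cfg.get("http_proxy"):
        findings.append(f"HTTP proxy configured: {cfg['http_proxy']}")

    # With the firewall off, ZigBee-side devices behind the gateway are directly reachable.
    if not cfg.get("firewall_enabled", False):
        findings.append("firewall disabled")

    return findings


# Constructed sample configurations. 203.0.113.9 is a documentation-range
# address standing in for an attacker-controlled DNS/proxy host.
WEAK_GATEWAY = {
    "admin_password": "admin",
    "remote_admin_enabled": True,
    "dns_servers": ["203.0.113.9"],
    "http_proxy": "203.0.113.9:8080",
    "firewall_enabled": False,
}

HARDENED_GATEWAY = {
    "admin_password": "constructed-long-passphrase-7Qz",
    "remote_admin_enabled": False,
    "dns_servers": ["192.0.2.53"],
    "http_proxy": "",
    "firewall_enabled": True,
}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_GATEWAY), ("hardened", HARDENED_GATEWAY)):
        print(f"{name}: {audit_gateway(cfg) or ['no findings']}")
```

Run against a real deployment, the configuration dictionary would be populated from the gateway's export or management API and the allowlist from the operator's own resolver choice; the value of the check is that a changed resolver or a newly appeared proxy shows up as a finding even when the ZigBee side is still encrypting perfectly.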

Figure 5 – Proposed ZigBee attack blueprints

These are just two of the many common wireless technologies employed by IoT devices and platforms. There are security risks with all wireless solutions; however, some provide additional security measures and more timely fixes. In the next post I will illustrate several attack scenarios exploiting these common wireless technologies, before offering solutions in the final posting. Stay tuned for Part 2!