Benjamin W. P. Ramsey

PHY foundation for multi-factor ZigBee node authentication

The ZigBee specification builds upon IEEE 802.15.4 low-rate wireless personal area standards by adding security and mesh networking functionality. ZigBee networks may be secured through 128-bit encryption keys and by MAC address access control lists, yet these credentials are vulnerable to interception and spoofing via free software tools available over the Internet. This work proposes a multi-factor PHY-MAC-NWK security framework for ZigBee that augments bit-level security using radio frequency (RF) PHY features. These features, or RF fingerprints, can be used to differentiate between dissimilar or like-model wireless devices. Previous PHY-based works on mesh network device differentiation predominantly exploited the signal turn-on region, measured in nanoseconds. For an arbitrary benchmark of 90% or better classification accuracy, this work shows that reliable PHY-based ZigBee device discrimination can be achieved at SNR ≥ 8 dB. This is done using the entire transmission preamble, which is less technically challenging to detect and is over 1000 times longer than the signal turn-on region. This work also introduces a statistical, pre-classification feature ranking technique for identifying relevant features that dramatically reduces the number of RF fingerprint features without sacrificing classification performance.

Improved tools for indoor ZigBee warwalking

Secure ZigBee wireless sensor and control networks use 128-bit AES encryption to defend against message sniffing and unauthorized access. However, the low cost and low complexity of ZigBee devices makes them vulnerable to physical attacks such as tampering and network key extraction. Network administrators and penetration testers require tools such as Zbfind to accurately locate ZigBee hardware and evaluate physical security. The open source Zbfind tool estimates distance to ZigBee devices in real time using received signal strength and a distance prediction model. We collect 4500 signal strength measurements along nine walking paths toward ZigBee transmitters in three office buildings. We find that the log-distance path loss model used by Zbfind predicts transmitter distance with 92.5% mean absolute percentage error. We construct an alternative linear model that reduces error to 21%.

Subjective audio quality over a secure IEEE 802.11n network

This paper presents an empirical evaluation of audio quality generated by a G.711 codec and transmitted over IEEE 802.11n, IEEE 802.11b, and IEEE 802.11g Wireless Local Area Networks (WLANs). Audio quality decline due to additional calls or by securing the WLAN with Internet Protocol Security (IPsec) is quantified. Results suggest that audio quality over an IEEE 802.11n WLAN is not higher than over an IEEE 802.11b WLAN for up to 10 simultaneous calls. The data strongly suggest that toll quality audio (MOS ≥ 4.0) is not currently practical over IEEE 802.11 WLANs secured with WPA2, even using the G.711 codec.

Dimensional reduction analysis for Physical Layer device fingerprints with application to ZigBee and Z-Wave devices

Radio Frequency RF Distinct Native Attribute (RF-DNA) Fingerprinting is a PHY-based security method that enhances device identification (ID). ZigBee 802.15.4 security is of interest here given its widespread deployment in Critical Infra-structure (CI) applications. RF-DNA features can be numerous, correlated, and noisy. Feature Dimensional Reduction Analysis (DRA) is considered here with a goal of: (1) selecting appropriate features (feature selection) and (2) selecting the appropriate number of features (dimensionality assessment). Five selection methods are considered based on Generalized Relevance Learning Vector Quantization-Improved (GRLVQI) feature relevance ranking, and p-value and test statistic rankings from both the two-sample Kolmogorov-Smirnov (KS) Test and the one-way Analysis of Variance (ANOVA) F-test. Dimensionality assessment is considered using previous qualitative (subjective) methods and quantitative methods developed herein using data covariance matrices and the KS and F-test p-values. ZigBee discrimination (classification and ID verification) is evaluated under varying signal-to-noise ratio (SNR) conditions for both authorized and unauthorized rogue devices. Test statistic approaches emerge as superior to p-value approaches and offer both higher resolution in selecting features and generally better device discrimination. With appropriate feature selection, using only 16% of the data is shown to achieve better classification performance than when using all of the data. Preliminary first-look results for Z-Wave devices are also presented and shown to be consistent with ZigBee device fingerprinting performance.

A framework for incorporating insurance in critical infrastructure cyber risk strategies

Smart critical infrastructure owners and operators are always looking for ways to minimize cyber risk while keeping a lid on cyber security expenditures. The insurance industry has been quantitatively assessing risk for hundreds of years to minimize risk and maximize profits. To achieve these goals, insurers continuously gather and analyze statistical data to improve their predictions, incentivize client investments in self-protection and periodically refine their models to improve the accuracy of risk estimates.This paper presents a framework that incorporates the operating principles of the insurance industry to provide quantitative estimates of cyber risk. The framework uses optimization techniques to suggest levels of investment in cyber security and insurance for critical infrastructure owners and operators. This analysis can be used to quantitatively formulate strategies to minimize cyber risk.

Wireless infrastructure protection using low-cost radio frequency fingerprinting receivers

Low-data-rate wireless networks incorporated in critical infrastructure applications can be protected through 128-bit encryption keys and address-based access control lists. However, these bit-level credentials are vulnerable to interception, extraction and spoofing using software tools available free of charge on the Internet. Recent research has demonstrated that wireless physical layer device fingerprinting can be used to defend against replay and spoofing attacks. However, radio frequency (RF) fingerprinting typically uses expensive signal collection systems; this is because fingerprinting wireless devices with low-cost receivers has been reported to have inconsistent accuracy. This paper demonstrates a robust radio frequency fingerprinting process that is consistently accurate with both high-end and low-cost receivers. Indeed, the results demonstrate that low-cost software-defined radios can be used to perform accurate radio frequency fingerprinting and to identify spoofing attacks in critical IEEE 802.15.4-based infrastructure networks such as ZigBee.

ZigBee Device Verification for Securing Industrial Control and Building Automation Systems

Improved wireless ZigBee network security provides a means to mitigate malicious network activity due to unauthorized devices. Security enhancement using RF-based features can augment conventional bit-level security approaches that are solely based on the MAC addresses of ZigBee devices. This paper presents a device identity verification process using RF fingerprints from like-model CC2420 2.4 GHz ZigBee device transmissions in operational indoor scenarios involving line-of-sight and through-wall propagation channels, as well as an anechoic chamber representing near-ideal conditions. A trained multiple discriminant analysis model was generated using normalized multivariate Gaussian test statistics from authorized network devices. Authorized device classification and ID verification were assessed using pre-classification Kolmogorov-Smirnov (KS) feature ranking and post-classification generalized relevance learning vector quantization improved (GRLVQI) relevance ranking. A true verification rate greater than 90% and a false verification rate less than 10% were obtained when assessing authorized device IDs. When additional rogue devices were introduced that attempted to gain unauthorized network access by spoofing the bit-level credentials of authorized devices, the KS-test feature set achieved a true verification rate greater than 90% and a rogue reject rate greater than 90% in 29 of 36 rogue scenarios while the GRLVQI feature set was successful in 28 of 36 scenarios.

Rogue Z-Wave controllers: A persistent attack channel

The popularity of Wireless Sensor Networks (WSN) is increasing in critical infrastructure, smart metering, and home automation. Of the numerous protocols available, Z-Wave has significant potential for growth in WSNs. As a proprietary protocol, there are few research publications concerning Z-Wave, and thus little is known about the security implications of its use. Z-Wave networks use a gateway controller to manage and control all devices. Vulnerabilities have been discovered in Z-Wave gateways, all of which rely on the gateway to be consistently connected to the Internet. The work herein introduces a new vulnerability that allows the injection of a rogue controller into the network. Once injected, the rogue controller maintains a stealthy, persistent communication channel with all inadequately defended devices. The severity of this type of attack warrants mitigation steps, presented herein.

Evaluating the readiness of cyber first responders responsible for critical infrastructure protection

Abstract First responders go through rigorous training and evaluation to ensure that they are adequately prepared for emergencies. For example, fire departments continually evaluate the readiness of their firefighting personnel using a defined set of criteria that measures their performance in fire suppression and rescue procedures. However, in the cyber security domain, similar evaluation criteria and rigor are severely lacking for professionals who help detect, respond to and recover from cyber-based attacks against critical infrastructure assets. To address the gap, this paper provides a framework for evaluating the readiness of cyber first responders responsible for critical infrastructure protection. The evaluation criteria are conceptually based on the NFPA 1410 standards that are used to assess the readiness of firefighter first responders. The utility of the framework is illustrated using a military cyber training exercise that evaluated the readiness of professionals who respond to real-world cyber attack scenarios.

Comparison of parametric and non-parametric statistical features for Z-Wave fingerprinting

The number of internet connected devices by all accounts is set to increase dramatically in coming years as Internet of Things technologies become cheaper and more convenient. Z-Wave devices have found application in building control, smart energy, health care and equipment monitoring. Its closed standard ensures interoperability of devices and this stability has led to its popularity among consumers. As use of these devices becomes more widespread, the need to protect them becomes more important. In this research, the RF-DNA fingerprinting method is examined to protect these devices using their physical layer attributes. In particular, the traditional method of using parametric features such as variance, skewness, and kurtosis is challenged with the use of non-parametric features mean, median, mode and linear regression coefficient estimates. With careful analysis of variables, a 71% reduction in features is achieved while attaining >94% correct classification rate at an 8 dB lower SNR than using traditional parametric features.