SDR for wireless and network security assessment

SDR for wireless and network security assessment

Written by Brendon McHugh and Kaue Mocellas

Friday, April 29, 2022 | Comments

With the exponential growth of the Internet of Things (IoT), the world is becoming increasingly interconnected with the possibility that most devices, from home electronics to self-driving cars, will be wirelessly connected to the network in the near future. Although the huge connectivity of devices is great for technological advances towards more intelligent and automated devices, it raises many questions and concerns about the security aspect of RF connections as devices become more susceptible to signal interception, eavesdropping, forgery, unauthorized command and other security threats. This problem ranges from user equipment (UE), small cell base stations, and the large core radio access network (RAN) itself.

Program-defined radio (SDR) is not only capable of executing such threats, but also provides the means to detect vulnerabilities in the physical (PHY) layer of protocol stacks. In this article, we discuss various tools for assessing / troubleshooting device security using SDR. Discussion includes RF fuzz testing using SDR software to debug low-level RF and hardware protocols, and PHY / MAC analysis; and penetration testing in which wireless receivers are forged or attacked to assess vulnerability. Using SDR, these techniques can be easily achieved by developing algorithms in GNU Radio and / or Python.

Why the US needs a single cyber security framework

It is not too early to prepare for 6G

Technology-based hybrid warfare: the need for cybersecurity endpoint

Vulnerabilities of RF devices

RF signals are a fundamental part of wireless communication and are used in satellite signals (GPS), mobile network towers, LAN modems for Wi-Fi, and everyday gadgets such as garage door controllers. The principle is quite simple: a modulated carrier signal is used to transmit information via electromagnetic waves. There are several modulation techniques in both the market and scientific literature, including amplitude shift (ASK), quadrature amplitude modulation (QAM), and phase shift (PSK). The general configuration of the RF transmitter and receiver is shown in Figure 1. In the receiver, the antenna receives the signal, amplifies it to obtain a manageable amplitude, and demodulates to obtain information. On the transmitter side, the carrier is modulated using digital data, amplified to optimize RF transmission, and sent to the antenna.

Because radio frequency signals are not bound to a limited physical medium, they are available through the air and can be easily picked up by anyone with an antenna and receiver, creating a very risky scenario for malicious threats. This problem has increased with the rapid development of receivers and demodulators, which have become cheap for the average user in a way that almost anyone can intercept and track RF signals. In addition, the Bluetooth Low Energy (BLE) and IoT communication protocols have only recently been adopted by industry, so developers and security tools are not yet fully ready for devices with multiple RF inputs / outputs. Some examples of radio-based device vulnerabilities include Philips Hue (Zigbee Worm), Keysniffer, SweynTooth, BlueBorne Exploitation, BleedingBit, and Mouse Jack.

Frequent RF attacks

The most obvious attack in RF-based communication systems is espionage. It consists of detecting, reading (eavesdropping) and monitoring wireless devices for malicious purposes. It can be used to obtain private information about individuals by intercepting mobile phones, wearables and health performance monitors. In addition, the highly interconnected Internet of Things infrastructure of modern businesses is a critical vulnerability, as virtually any compromised IoT device can serve as a gateway for leaking confidential information and access to a company’s network. Looking ahead, even wireless mice and keyboards can be used to access remote PCs using an attack called MouseJack, which works by sending fake command packets to exploit unencrypted USB keys and retrieve the victim’s computer.

The problem becomes even more critical in the context of the Industrial Internet of Things (IIoT). This term is widely used in the technology industry to denote highly interconnected structures of sensors, actuators, computers, and manufacturing equipment that communicate with each other wirelessly. Common attacks in IIoT structures include device hijacking, data extraction, and denial of service. The first attack, device hijacking, describes the unauthorized control of an IoT device by a malicious person. Data extraction, also called data siphoning, is an attack aimed at obtaining confidential data transmitted over the IIoT network. Finally, a denial-of-service attack is used to disable end devices and the network itself by flooding communication links with useless data traffic.

In any case, network attacks will always take advantage of the wireless network architecture implemented in the IIoT structure, so it is important to contextualize attacks with the most common wireless technologies in the industry. One of the most widely used technologies today is Long Range (LoRA), a low-power WAN (LPWAN) technology that uses a modulation scheme based on a scattered chirp spectrum. LoRA is used in several industrial applications, including smart meters, detection and tracking, the Internet of Things, smart agriculture, and climate monitoring. Other examples of technologies are mobile networks, including 4G / LTE and 5G, and Zigbee, which is used to create network networks based on the Advanced Encryption Standard (AES) -128 encryption scheme. With regard to cellular networks in particular, the IIoT market is divided into LTE-M and narrowband IoT (NB-IoT). In addition, access to the Global Navigation Satellite System (GNSS) / GPS, which is required by several IoT devices in the industry, can be used for counterfeiting and disruption attacks, causing malfunctions and jeopardizing basic operations.

To better understand and prepare for RF attacks, it is important to implement a threat classification and description model. This model can be combined with a network system model to assist in decision making and threat detection / classification. One of the most commonly used systems is the STRIDE model, which is described in Table 1. The STRIDE model classifies threats into six different categories, each threatening a specific network property desired in the system. By categorizing security threats in the IoT network using STRIDE, we can identify potential schemes to prevent and mitigate their effects before they occur. The table below shows a description of each STRIDE threat and a property that will be compromised if the attack materializes. From an Internet of Things perspective, the description of each threat should be contextualized for the application. For example, in RFID-based systems, an attack aimed at changing the serial number in a tag to match another person’s number is classified as tampering, and tracking someone’s position using RFID tags falls into the category of information disclosure.

SDR to attack wireless devices

SDRs are amazing versatile radio devices that perform most complex computer operations on the software side instead of on the hardware side. The emergence of SDR was a shift in the analogue radio paradigm that significantly improved the flexibility, reliability, robustness, and cost-effectiveness of complex and well-structured radio systems. SDRs can be designed in a variety of forms, from USB keys to full 3U shelving units and several different prices ranging from 10 to a few hundred dollars. Regardless of price and design factor, however, SDR can generally be divided into three parts: radio interface (RFE), digital backend, and mixed-signal interface (Figure 1). RFE consists of an irreplaceable analog circuit required to perform basic functions such as amplification, antenna impedance matching, and radio tuning. A typical RFE channel consists of a receiver (Rx) and a transmitter (Tx), and one RFE can have multiple channels in multiple inputs and multiple outputs (MIMO) SDRs. In high-end SDRs, RFE modules can achieve 3 gigahertz of current bandwidth over multiple MIMO channels with a tuning range from close DC to 18 GHz.

The digital background consists of a programmable port array (FPGA) to perform highly parallel data calculation that provides high-performance digital signaling process (DSP) functions (sewerage, sampling rate conversion) and network operations (routing, encryption, modem error correction, etc.). In addition, the use of the FPGA allows a complete reconfiguration of the digital processing circuit without replacing the hardware with simple FPGA programming. This means that SDRs are extremely flexible and can work with several different protocols in the same unit. This is desirable when testing network security, as the same device can be used on different networks. The digital background also communicates with the host computer, and the higher-end SDRs provide high-speed optical connections (qSFP +) for high-performance data communication. Finally, the mixed-signal interface is responsible for connecting the RFE to the digital background and is implemented by the ADC and DAC. Figure 1 shows the basic architecture.

Due to the programmable nature of FPGAs, SDRs can be used in RF attacks. For example, very simple SDRs are used to hack into car keys by exploiting security threats in popular models. For example, to prevent replay attacks where an attacker copies the last code sent by the pendant, modern vehicles use a security code to never use the same code twice. However, some Subaru models do not use any sophisticated code generator to replace the current code after use, but simply increase the code. This can be easily exploited by hackers: the SDR built into the USB key, combined with the Raspberry-Pi, can read code sent by the original user, decode the packet using SDR, augment one unit in the code, and retransmit the augmented code to fool car receiver. Therefore, detecting and mitigating network security threats is a fundamental step in designing any IoT device.

In a more general sense, SDRs can be used to break into any IoT system, and a typical process can be divided into four stages:

• Capture / record. At this stage, the signal is simply measured with RFE, digitized and stored in digital background memory cells.

• Demodulation. The demodulation scheme, symbol speed and other basic communication properties must be obtained. If these properties are already known, it is easy to implement a demodulator in SDR. If not, sophisticated algorithms, which sometimes perform artificial intelligence, must be implemented to obtain a modulation scheme.

• Decoding. Most confidential data is encrypted; therefore, it is important that the SDR or host has the means to decode the binary data after demodulation.

• Exploitation of information. Finally, the decrypted information is used to achieve the purpose. This goal may be to obtain sensitive information, interfere with the data sent, or use the data to gain control of the device. In the case of some car key fobs, the data obtained was used in a replay attack where the decoded code was simply augmented and retransmitted.

Protection, prevention, testing

As already mentioned, replay attacks can pose significant threats to the security of the Internet of Things. The most basic algorithm to combat this threat is the current code algorithm, also called the jump code. It basically consists of re-generating the command code after each download, making it impossible for a hacker to use the old code to exploit. The most basic current code algorithms use pseudo-random number (PRNG) generators in both the transmitter and receiver, so that new code can be compared. For Wi-Fi, the most popular algorithm is Wi-Fi Protected Access (WPA). WPA uses the Key Time Integrity Protocol (TKIP) as an encryption protocol, based on keys that change after each packet transmission. WPA2 is a version that can implement Extensible Authentication Protocol (AES), which is a more sophisticated encryption scheme than TKIP (although significantly more difficult). WPA also uses the Pre-Shared Encryption Protocol (PSK) to protect the communication line, which is easily implemented with personal passwords.

In IoT networks, especially in IIoT infrastructures, authentication is significantly more demanding due to the heterogeneity of devices in the same network. Therefore, more dedicated security systems are needed. One example is time-based one-time password authentication (TOTP), where a single-use password is created by adding the uniqueness of the current time in advance to a shared secret key. Of course, latency and clock synchronization must be taken into account when developing basic TOTP networks.

While it may be naive to think that an IoT network can become completely threat-free, this should be the main goal of designers. One idea is to combine more than one security protocol to increase robustness. For example, a key move algorithm can be combined with a two-way handling protocol to obtain key security and a synchronized communication line. The principle of operation is simple: the key rotation algorithm provides a different key after each transmission, and a two-way handshake prevents desynchronization between the transmitter and receiver by external agents.

What message request does CoAP uses for updates?

SDR for device security testing See the article : 5G research by DARPA will lead to commercial applications.

One of the most popular wireless protocols is the LoRA network. It defines the physical (PHY) layer of the network and leaves the top layers to other technologies such as Long Range WAN (LoRAWAN). To assess the safety of LoRA systems, the test should focus on the first identification of the carrier frequency, which for most LoRA applications is below the GHz; modulation scheme; and encryption standard. In this context, the combination of SDRs with GNU radio libraries provides a powerful and convenient framework for evaluating LoRA networks. Since most operations are programmed in the FPGA, the SDR can be easily adapted to any LoRA specification. The test module can capture and decode LoRA PHY signals and implement an interpreter in GNU Radio for data analysis and exploitation.

What message does CoAP use for updates?

SDRs can also be used to perform penetration tests. These tests are designed to simulate a cyber attack on a computer or IoT device to check for network vulnerabilities. The information gained from the tests is then used to configure applications to overcome potential threats and increase network security. An interesting tool for penetration tests has recently been developed using GNU Radio and the Scapy framework. To see also : Global 5G Infrastructure Equipment Market. Scapy-radio is basically a generic wireless control device / injector used to assess penetration in various applications. In a case study, Scapy-radio was validated in systems using the Z-Wave wireless protocol commonly used in home automation systems. SDR-based penetration tests have also been validated in the BLE and Zigbee RF protocols, demonstrating its versatility and wide impact in the Internet of Things community. The study showed that SDRs are an important tool for experiments involving penetration attacks.

Which is the request response layer message present in CoAP?

Fuzzing, fuzz testing, is a well-known liability check in software. This is an automated method that simply enters random, invalid, or unexpected data into the software input, and the results are monitored to diagnose problems such as errors, crashes, and memory leaks. In the context of a wireless network, fusing can be performed using an SDR-based module to expose the physical layer as well as the Media Access Control (MAC) layer of the structure, which is essential for finding contingent liabilities.

Which of the message requests is used in CoAP to update get delete put push?

SDRs can also be implemented to evaluate the effectiveness of the IEEE 802.15.6 standard in wireless body networks (WBANs). WBAN is gaining a lot of attention in the IoT community with the recent boom in wearable technology and the adoption of public health monitoring. However, IEEE 802.15.6 accepts three different types of communication: narrowband (NB), ultra wideband (UWB) and human body communication (HBC), so different WBANs represent different modulation, encryption and frequency specifications, which affects performance and complicates create a generalized evaluator for all WBAN implementations. In this case, SDRs can be extremely useful, as the digital background FPGA can be easily configured to meet the WBAN specifications being tested. This means that with a single ready device, almost any WBAN implementation can be evaluated with minimal hardware adjustments. The general architecture of the SDR used in safety assessment can be seen in Figure 4.

What is CoAP SMS?

This article discusses the main aspects of network security and the potential threats that can jeopardize the proper functioning of wireless networks, including the Internet of Things, the Internet of Things, and mobile communications. We also discussed modeling threats with the STRIDE standard. In addition, we reviewed the key features of SDRs, their potential role as key agents of RF attacks, and why they are so important in testing and measuring security. SDRs can be used in penetration tests, LoRA network validation, WBAN standards assessment, and fuzz testing. SDRs are fundamental tools in designing secure and robust wireless networks that provide flexible and reliable network algorithms to validate your security schemes. They also provide a wide range of size, weight and power (SWaP) characteristics to suit most RF structures. High-end SDRs are available on the market with configurations designed to satisfy even the most demanding applications.

Which methods are used in CoAP?

Would you like to comment on this story? Find our comment system below. See the article : Rafael networks Python-5 short-range air-to-air missile with Global Link SDR.

Which model does CoAP use?

Brendon McHugh is a field application engineer and technical writer at Per Vices, who has extensive experience in the development, construction and integration of software-defined radio stations. Brandon is responsible for helping current and future customers configure the right SDR solutions for their unique needs. He holds a bachelor’s degree in theoretical and mathematical physics from the University of Toronto. Kaue Morcelles is a PhD student in electrical engineering and a technical writer.

What are CoAP options?

While MQTT has some support for persistence, it works best as a communication guide for live data. CoAP is primarily a one-to-one protocol for transmitting status information between a client and a server. Although it has support for resource observation, CoAP is best suited to a state-of-the-art transfer model.

Which of the message request is used in co AP to update?

3. Message formats. CoAP uses three types of messages – request, notification and response, using a simple binary header format. This base header can be followed by Type-Length-Value (TLV) options.

Which is the request response layer message present in CoAP?

How many types of messages does CoAP specify? The CoAP defines four types of messages: Acknowledgment, Acknowledgment, Acknowledgment, Reset; the method codes and response codes included in some of these messages allow requests or responses to be transmitted.

How many messages types are there in CoAP?

CoAP message formats use three types of messages – request, notification and response, using a simple binary header format. This base header can be followed by Type-Length-Value (TLV) options. CoAP is tied to UDP as described in Section 4.

What is meant by message layer in CoAP?

The CoAP request / response interaction model over TCP is the same as CoAP over UDP. The primary differences are in the message layer. The CoAP message layer over UDP supports optional reliability by defining four types of messages: acknowledgment, persistent, acknowledgment, and reset.

What are the various features of CoAP explain any two types of messages in CoAP?

A separate mode is used when a server response occurs in a message separate from the ACK. It may take some time for the server to send it. Like HTTP, CoAP uses GET, PUT, PUSH and DELETE messages to retrieve, create, update or delete.

CoAP is also used through other mechanisms such as SMS in mobile communication networks. CoAP is a service layer protocol designed for use in Internet devices with limited resources, such as wireless sensor network nodes.

What is the function of CoAP?

CoAP supports basic methods GET, POST, PUT, DELETE, which are easy to map to HTTP. In this section, each method is defined along with its behavior. A one-way request with an unknown or unsupported method code MUST create a message with a response method “Method 405 not allowed”.

What are the different CoAP messages?

COAP uses UDP as the basic network protocol. COAP is basically an IoT client-server protocol where the client makes a request and the server sends back a response, as happens in HTTP. The methods used by COAP are the same as HTTP.

Which message requests is used in CoAP to update?

CoAP uses two types of messages, requests and responses, using a simple, binary, basic header format. The base header can be followed by options in an optimized Type-Length-Value format. CoAP is tied to UDP by default and optionally to DTLS, which ensures a high level of communication security.

What is piggybacking and the separate message in the CoAP?

A separate mode is used when a server response occurs in a message separate from the ACK. It may take some time for the server to send it. Like HTTP, CoAP uses GET, PUT, PUSH and DELETE messages to retrieve, create, update or delete.

What is meant by message layer in CoAP?

CoAP over TCP The CoAP request / response interaction model over TCP is the same as CoAP over UDP. The primary differences are in the message layer. The CoAP message layer over UDP supports optional reliability by defining four types of messages: acknowledgment, persistent, acknowledgment, and reset.

What is CoAP SMS?

The CoAP defines four types of messages: Acknowledgment, Acknowledgment, Acknowledgment, Reset; the method codes and response codes included in some of these messages allow requests or responses to be transmitted. The basic exchanges of the four types of messages are transparent to request / response interactions.

What is difference between CoAP and MQTT?

CoAP message model This is the lowest layer of CoAP. This layer deals with the exchange of UDP messages between endpoints. Each CoAP message has a unique ID; this is useful for detecting duplicate messages. The CoAP message consists of the following parts: the binary head.

What is CoAP MQ?

CoAP uses two types of messages, requests and responses, using a simple, binary, basic header format. The base header can be followed by options in an optimized Type-Length-Value format.

What is CoAP message format?

What is CoAP? A process-acceptable court order (COAP) is a legal decision that gives a former spouse or dependent federal employee the right to receive all or part of the benefits of a state pension plan in the event of divorce, separation, or annulment.

What are the features of CoAP?

The key role of CoAP is to act as HTTP wherever restricted devices are part of communication. While filling the HTTP gap, it allows devices such as actuators and sensors to interact over the Internet. The devices involved in the process are managed and controlled by treating the data as a component of the system.

• CoAP uses two types of messages, requests and responses, using a simple, binary, basic header format. The base header can be followed by options in an optimized Type-Length-Value format. CoAP is tied to UDP by default and optionally to DTLS, which ensures a high level of communication security.
• A separate mode is used when a server response occurs in a message separate from the ACK. It may take some time for the server to send it. Like HTTP, CoAP uses GET, PUT, PUSH and DELETE messages to retrieve, create, update or delete.
• One of the capabilities of CoAP is to respond to a message using feedback. The feedback is accompanied by a response to the ACK message if the message is acknowledged. The feedback does not need to be confirmed, as the client will resend the message when the expected feedback is lost.
• CoAP message model This is the lowest layer of CoAP. This layer deals with the exchange of UDP messages between endpoints. Each CoAP message has a unique ID; this is useful for detecting duplicate messages. The CoAP message consists of the following parts: the binary head.
• CoAP is also used through other mechanisms such as SMS in mobile communication networks. CoAP is a service layer protocol designed for use in Internet devices with limited resources, such as wireless sensor network nodes.
• COAP stands for Restricted Application Protocol. MQTT stands for Telemetric Message Query Transport. It uses a request-response prototype for communication. It uses a publish-subscribe prototype to communicate.

CoAP-MQ. â € ¢ Message queuing protocol using proxy and. Resource Directory (RD) â € ¢ The role of CoAP endpoints as client and server.

What are CoAP options?

The CoAP messaging model is based on the exchange of messages via UDP between endpoints. CoAP uses a short binary head with a fixed length (4 bytes), which can be followed by compact binary options and payload. This message format is shared by requests and responses.

What is CoAP and its features?

CoAP has the following main features:

What is the purpose of CoAP?

Restricted web protocol that meets M2M requirements.

Which methods are used in CoAP?

UDP binding with optional reliability that supports single and multiple broadcast requirements.

What are main functions of CoAP protocol?

Asynchronous messaging.

What is CoIoT protocol?

Low overhead complexity and parsing.

URI and content type support.

What is Matt protocol?

Simple proxy and caching capabilities.

What is difference between HTTP and MQTT?

What is not a feature of CoAP? 7. CoAP does not provide any security. Explanation: The Internet of Things cannot spread as long as hackers may want to exploit it.

What MQTT means?

CoAP uses two types of messages, requests and responses, using a simple, binary, basic header format. The base header can be followed by options in an optimized Type-Length-Value format. CoAP is tied to UDP by default and optionally to DTLS, which ensures a high level of communication security.

What is MQTT in WIFI?

The CoAP defines four types of messages: Acknowledgment, Acknowledgment, Acknowledgment, Reset; the method codes and response codes included in some of these messages allow requests or responses to be transmitted. The basic exchanges of the four types of messages are transparent to request / response interactions.

What is difference between CoAP and MQTT?

The key role of CoAP is to act as HTTP wherever restricted devices are part of communication. While filling the HTTP gap, it allows devices such as actuators and sensors to interact over the Internet.

What type of protocol is CoAP?

CoAP supports basic methods GET, POST, PUT, DELETE, which are easy to map to HTTP. In this section, each method is defined along with its behavior. A one-way request with an unknown or unsupported method code MUST create a message with a response method “Method 405 not allowed”.

What is the difference between CoAP?

CoAP acts as a kind of HTTP for limited devices, allowing equipment such as sensors or actuators to communicate in IoT. These sensors and actuators are controlled and contribute by transmitting their data as part of the system.

What is better than MQTT?

The CoIoT protocol is another protocol for IoT communication and integration. CoIoT is based on CoAP with some additions as the new code requires 0.30 to publish status. All payloads are JSON encoded. All responses are sent back with confirmation to further simplify CoAP implementation.

What is CoAP protocol explain briefly?

What is the purpose of CoAP? The key role of CoAP is to act as HTTP wherever restricted devices are part of communication. While filling the HTTP gap, it allows devices such as actuators and sensors to interact over the Internet.

What is CoAP message format in IoT?

The Telemetric Message Query Transport Protocol is a communication protocol used for IoT devices. This protocol is based on a publication-ordering methodology, in which customers receive information through an intermediary only for the ordered topic.

What is the function of CoAP?

MQTT is data-focused, while HTTP is document-focused. HTTP is a request-response protocol for client-server computing and is not always optimized for mobile devices.

How is CoAP different from HTTP?

MQTT (MQ Telemetry Transport) is a lightweight open messaging protocol that provides low-resource network clients with an easy way to distribute telemetry information in low-bandwidth environments.

The MQTT (Message Queue Telemetry Transport) protocol is a lightweight protocol for connectivity between machines and machines. It is based on the publication / subscription messaging model and is designed for use at the top of the TCP / IP protocol. Key benefits of this protocol include low code footprint and low network bandwidth requirement.

Can a CoAP device communicate with a HTTP device?

COAP stands for Restricted Application Protocol. MQTT stands for Telemetric Message Query Transport. It uses a request-response prototype for communication. It uses a publish-subscribe prototype to communicate.

How the CoAP protocol works similar to the HTTP state?

CoAP, the Constrained Application Protocol, is a RESTful application protocol running over UDP that is used for devices with limited resources and low power consumption in lossy networks, especially optimized for deployment with a large number of end devices in the network.

Will CoAP connects to the internet?

HTTP is mainly used to view web pages. Coap is a simplified version of HTTP for IoT or WSN. Although COAP is based on UDP, it must have ACK messages for TCP emulation. Because COAP is simpler than HTTP, it will have less delay and consume less power.

How the CoAP protocol works similar to the HTTP state?

If you need to support multiple messaging patterns or anything other than a post-subscription pattern, the AMQP protocol is for you. If you need to handle a high-latency, low-bandwidth environment, MQTT is a better choice. If protocol scalability is necessary, AMQP is a clear choice.

What is CoAP and its features?

Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with limited nodes and limited networks in the Internet of Things. CoAP is designed to allow simple, limited devices to join the Internet of Things even over limited networks with low bandwidth and low availability.

Is CoAP similar to HTTP?

CoAP is a short form of limited application protocol. The CoAP protocol is defined in RFC 7252. It is a web transfer protocol used in restricted nodes or networks such as WSN, IoT, M2M, and so on. Hence the name Restricted Application Protocol.