Lecture4 - PKI Trust System and Bluetooth Technology

Questions and Answers

What can a device in a Piconet do?

Only act as a master in multiple Piconets

Be both a slave and master in the same Piconet

Participate in multiple Piconets simultaneously (correct)

Synchronize with multiple masters at once

Which Bluetooth state is characterized by a device being less active and listening for transmissions at set intervals?

Active Mode

Park Mode

Sniff Mode (correct)

Hold Mode

What technique does Bluetooth use to ensure robustness against interference?

Frequency Hopping Spread Spectrum (FHSS) (correct)

Direct Sequence Spread Spectrum (DSSS)

Amplitude Modulation (AM)

Time Division Multiple Access (TDMA)

How many channels does Bluetooth operate within the 2.4GHz ISM band?

79 channels of 1MHz width

What is the slot duration for Bluetooth packet transmission?

625 microseconds

What is the maximum number of slaves that a master device can connect to in a Bluetooth piconet?

7 simultaneous slaves

What is a key characteristic of a scatternet in Bluetooth technology?

It links multiple piconets through shared devices.

Which version of Bluetooth was released in 2010?

Bluetooth 4.0

How does a master device determine the hopping pattern in a Bluetooth piconet?

Determined by the device ID of the master.

What does the Active Member Address (AMA) in Bluetooth addressing signify?

A 3-bit identifier for active members in the network.

Physical security is often easy to implement for constrained devices in remote locations.

False

An attacker can gain access to IoT device firmware using a standard SD card reader and by soldering wires to the eMMC flash chip.

True

Smart sensors are designed to lose calibration if they are moved from their original position.

True

Implementing battery backup for IoT devices is unnecessary if there are no power outages.

False

Physical damage to an IoT device cannot be classified as a potential vulnerability.

False

How long will it take a slave to transmit 450 bytes of information at a Bluetooth basic rate of 1Mb/s?

It will take 4,265 microseconds.

What is the total bit overhead for a Bluetooth frame containing an access code, header, and CRC for transmitting 450 bytes?

The total overhead is 142 bits (72 bits access code + 54 bits header + 16 bits CRC).

When using five slots for transmission, what is the maximum payload that can be sent in a single Bluetooth packet?

The maximum payload is 2,744 bits.

What must be done if the total data exceeds the maximum payload for a Bluetooth packet?

A subsequent transmission is required to send the remaining data.

Describe the difference in channel utilization between standard Bluetooth and Bluetooth Low Energy (BLE).

BLE operates on 40 channels and employs reduced power consumption without sacrificing range.

What is the primary function of the Edge (Fog) Computing layer in the IoT reference model?

Evaluate and reformat data for higher-level processing

Which layer of the IoT reference model is primarily responsible for securing processes and devices?

IoT Security

What role does the Connectivity layer serve in the IoT reference model?

Facilitates communication between IoT devices

What is a key advantage of using IPv6 in home automation systems?

It enables multiple Thread networks to communicate over a backbone.

What does the Data Accumulation layer do in the IoT reference model?

Captures and stores data for later use

Which characteristic distinguishes a Reduced Function Device (RFD) from a Full Function Device (FFD)?

RFDs are limited to star topology communication.

What is a significant disadvantage of IEEE 802.15.4 technology?

Unbounded latency issues that affect communication.

In the context of the ETSI M2M model, what is primarily managed within the Application Domain?

Data analytics and connectivity management

What is one of the main features of devices using the Thread standard for home automation?

Devices have an expected long battery life.

What is a characteristic of IEEE 802.15.4 that aids in its implementation?

It supports reliable data transfer with low power consumption.

Study Notes

PKI Trust System

• Bob receives a digital certificate from a Certificate Authority (CA)
• When Alice receives Bob's certificate, she contacts the CA to validate his identity
• This system is challenging to manage with a large number of IoT devices

Bluetooth

• Bluetooth was developed by Dr. Jaap Haartsen at Ericsson in 1994
• Bluetooth 1.0 was released in 1999 and the first mobile device with Bluetooth was the Sony Ericsson T36
• Bluetooth uses a network topology called Piconet which can connect to 7 simultaneous or 200+ active slaves for each piconet
• Piconets use a unique frequency hopping pattern and ID
• Bluetooth networks can be combined into a Scatternet which can connect up to 10 piconets within range
• Piconets connect in an ad hoc manner with one master device and several slave devices
• Each piconet has a unique frequency hopping pattern determined by the master
• Each piconet can have one master, up to 7 simultaneous slaves, and up to 255 parked slaves
• Bluetooth devices use a 3-part addressing system: Non-Significant Address Part (NAP), Upper Address Part (UAP), and Lower Address Part (LAP)
• NAP is used for frequency hopping synchronization, UAP is used for seeding Bluetooth algorithms, and LAP identifies the device
• Bluetooth devices can exist in four connection states: Active Mode, Sniff Mode, Hold Mode, and Park Mode
• Active Mode allows the device to actively transmit and receive data
• Sniff Mode allows the device to sleep and only listen at set intervals to reduce power consumption
• Hold Mode allows the device to temporarily sleep for a defined period before returning to active mode
• Park Mode allows a master to put a slave into a deep sleep until it is woken up
• Bluetooth operates on the 2.4GHz ISM band which is unlicensed but shared with other applications
• To avoid interference, Bluetooth signals are transmitted using Frequency Hopping Spread Spectrum (FHSS)
• Bluetooth uses 79 channels with a 1MHz width and up to 1600 hops per second
• The hopping sequence is dictated by the master and derived from the master clock and part of the master device address
• Each packet on Bluetooth can occupy 1, 3, or 5 slots
• IV (initialization vector) reuse and small size can make messages easier to retrieve

WiFi

• Wi-Fi Protected Access (WPA) is an improvement over WEP that provides stronger data encryption and user authentication
• WPA minimizes the shared secret key used in frame transmission
• WPA uses the RC4 algorithm to encrypt data
• WPA2 is an improvement over WPA and uses the Advanced Encryption Standard (AES) algorithm
• WPA2 has two versions: Personal and Enterprise
• WPA2 Enterprise mode requires users to be separately authenticated using the EAP protocol

IEEE 802.15.4

• The IEEE 802.15.4 protocol was originally developed for use in Personal Area Networks (PANs)
• It consists of a media access layer (MAC) and physical layer (PHY)
• IEEE 802.15.4 devices can be either Full Function Devices (FFDs) or Reduced Function Devices (RFDs)
• FFDs can act as a PAN coordinator and communicate with any other device
• RFDs are simpler devices that can only communicate with FFDs or the PAN coordinator
• IEEE 802.15.4 networks can be structured in three topologies: Star, Mesh, and Cluster Tree
• Star topology has all devices communicating with the centralized PAN coordinator
• Mesh topology allows any device to communicate with any other device in range
• Cluster Tree topology has most devices as FFDs with RFDs connecting as leaf nodes at the end of a branch
• IEEE 802.15.4 uses symmetric key cyphers for encryption
• Symmetric keys are less secure than asymmetric or public key cryptography
• IEEE 802.15.4 uses encryption to provide access control, message integrity, message confidentiality, and replay protection

Wireless Protocols that use IEEE 802.15.4

• 6LoWPAN provides IPv6 services to low power devices in PANs
• WirelessHART is an international specification for the Industrial Internet of Things (IIoT)
• ISA 100.11a is a U.S. standard for communication on the IoT

Other Wireless Options

• LoRa is a popular LPWAN technology due to its low cost and wide implementation
• The Things Network is an international organization that enables development of IoT systems using LoRa technology
• Cellular data standards (3GPP) are implemented to extend IoT networks
• 5G cellular specifications include LTE Advanced for Machine-Type Communication (LTE MTC)
• NB-IoT is a low-power low-bandwidth protocol for indoor applications

Chapter Summary

• Network access control concepts include different basic access control models
• The OAuth 2.0 Authorization Framework can be used to make IoT devices more secure
• IoT device identity management is important to handle access to resources
• Encryption for IoT data is critical because some data is sensitive
• Most IoT devices lack the processing power for more robust encryption algorithms

Hardware Security

• Security is difficult to implement when devices are situated in remote locations.
• Vulnerabilities include:
  • Theft
  • Physical harm (disabling the device, removing power source, or communication disruption)
• Implement tamper-proof or tamper-resistant housing.
• Sensors can be moved and lose calibration, but many trigger alarms if not in proper adjustment.
• Always have access to the device, and implement battery backup to protect against power outages.
• SD cards may hold data that could be stolen or destroyed by an attacker.
• Standard surveillance and security protocols should be implemented as a first layer of defense.

Hardware Vulnerabilities

• Code vulnerabilities are often found through examination of software for the device.
• Wired magazine printed an article in 2017 about gaining access to firmware on numerous IoT devices using eMMC flash and a $10 SD card reader.
• A smart refrigerator provided root shell access when rebooted.
• UART connection to an IoT doorbell allows shell access.

Encryption

• Encryption provides data confidentiality and is the process of applying an algorithm to data to make it unreadable.
• Encrypting data such as passwords and sensitive information is key.
• Encryption is important to protect sensitive data being transmitted.
• Many older IoT devices don't support encryption.

Public Key Cryptography

• Symmetric cryptography allows the sender and receiver to use the same secret key for encryption and decryption.
• Public-key cryptography was introduced in 1976 by Whitfield Diffie and Martin Hellman as a solution to managing secure keys.
• It uses a pair of keys: a public key and a private key.
• The public key is published, while the private key is kept secret.

Authorities and the PKI Trust System

• Public Key Infrastructure (PKI) and its Certificate Authority (CA) are necessary for large-scale distribution and identification of public encryption keys.
• A PKI Certificate contains an entity's or individual's public key.
• A Certificate Store resides on a local computer and stores issued certificates and private keys.
• A PKI Certificate Authority signs these certificates using its private key.
• A Certificate Database stores all certificates issued by the CA.

Bluetooth

• Devices have a Bluetooth Address with the following parts:
  • Non-significant Address Part (NAP): Contains the first 16 bits of the OUI and is used for Frequency Hopping Synchronization frames.
  • Upper Address Part (UAP): Contains the remaining 8 bits of the OUI and is used for seeding in various Bluetooth specification algorithms.
  • Lower Address Part (LAP): Allocated by the device vendor.
• Bluetooth states:
  • Inquiry - discovering other devices
  • Paging (Connecting) - forming a connection between two devices, need to know the address from the inquiry process
    • Active Mode - actively transmitting or receiving data
    • Sniff Mode - power-saving, device sleeps and only listens for transmissions at set intervals
    • Hold Mode - temporary power-saving, device sleeps for a defined period then returns to active mode
    • Park Mode - deep sleep, inactive until the master wakes it up
• Bluetooth Radio Layer
  • Operates in the 2.4GHz ISM band, unlicensed but shared with other applications.
  • Uses Frequency Hopping Spread Spectrum (FHSS) for robustness against interference.
  • Each transmission uses a different channel, hopping rapidly between them.
  • 79 channels of 1MHz width, up to 1600 hops/sec.
  • Packet may occupy 1, 3, or 5 slots.
  • Pseudo-random hopping sequence is determined by the master, derived from the master clock and master device address.

IEEE 802.15.4

• Topologies:
  • Star Topology - all devices communicate with PAN Coordinator, coordinator has a fixed power supply and other devices are battery powered.
  • Mesh Topology - any device can communicate with any other in range, ad hoc, self-organizing, and self-healing.
  • Cluster Tree Topology - most devices are FFDs, RFDs connect as a leaf node, any FFD can act as a coordinator, only one PAN coordinator.
• Uses symmetric key ciphers for encryption.
• Security:
  • Access Control - prevents unauthorized devices from joining the network.
  • Message Integrity - protects data alteration while in transit.
  • Message Confidentiality - prevents malicious actors from reading data transmissions.
  • Replay Protection - Prevents legitimate messages from being captured and sent out at a later time.

Mesh Protocols that use 802.15.4

• 6LoWPAN provides IPv6 services to low power devices in PANs. It can be added to protocol stacks such as Zigbee and Thread. It enables header compression and IPv6 addressing services.
• WirelessHART is an international wireless standard (IEC 62591) for the Industrial Internet of Things (IIoT).
• ISA 100.11a is a U.S. standard for IoT communication, it does not stipulate an application layer and uses 6LoWPAN and User Datagram Protocol (UDP) for network and transport layers.

Other Wireless Options

• Other wireless protocols were developed to support low power wide area networks (LPWAN).
• LoRa is a popular LPWAN technology due to its low cost and wide implementation.
• LoRaWAN uses LoRa radio, and The Things Network is an organization that enables IoT proof-of-concept systems with LoRaWAN gateways.
• Cellular data standards (3GPP) are used to extend IoT networks but are not well suited for IoT applications due to power constraints.
• The fifth generation (5G) cellular specifications include LTE Advanced for Machine-Type Communication (LTE MTC), which improves power consumption and simplifies data transmission.
• Narrowband IoT (NB-IoT) is a low-power, low-bandwidth protocol for indoor applications that utilizes a portion of a wireless LTE carrier’s frequency spectrum.

Chapter Summary

• IoT device identity management should handle access to a device's resources and access to other information from other resources.
• Encryption is critical for IoT data, as it is often sensitive, but many IoT devices lack the processing power or resources for stronger encryption methods.

Network Access Control Concepts

• Security analysts should understand access control models to understand how attackers could exploit them.
• The OAuth 2.0 Authorization Framework enables secure IoT device access by allowing an authorization server to handle resource authorization.

Bluetooth Link Layer

• Data is transmitted at a basic rate of 1Mb/s, preceded by a 72-bit access code and a 54-bit header.
• A 16-bit CRC is computed based on the payload.
• Payload and header are scrambled with a 'whitening' word to avoid long sequences of zeros or ones.
• The sync word includes the Bluetooth address.

Bluetooth Frame Format

• Packet length is 72 bits (access code) + 54 bits (header) + 450 x 8 bits (payload) + 16 bits (CRC) = 3,742 bits.
• 1Mb/s transmission rate equates to 3,742 microseconds (μs).
• Slot size: 625 μs.
• Transmissions can occupy 1, 3, or 5 slots, corresponding to 625 μs, 1875 μs, or 3125 μs respectively.

Bluetooth Low Energy (BLE)

• Master devices are referred to as Central devices, while slaves are Peripheral devices.
• Utilizes 40 channels within the 2.4 GHz radio frequency range.
• Offers significantly reduced power consumption compared to traditional Bluetooth without compromising range.

BLE Connection Setup

• Device discovery is faster, with a periodic advertisement interval ranging from 20 ms to 10.24 s, plus a random delay of 0 to 10 ms to minimize collisions.
• Four types of advertisement packets:
  • ADV_IND - Peripheral requests connection to any Central device.
  • ADV_DIRECT_IND - Connection request targeted at a specific Central device.
  • ADV_NONCONN_IND - Non-connectable devices advertise information to any listening device (beacons).
  • ADV_SCAN_IND - Similar to ADV_NONCONN_IND, with optional additional information via scan responses.

BLE Connection Setup Steps

• Once a connection request is accepted, a hop increment is agreed upon, and both devices change their channel by adding the increment to their current channel index.
• A channel map can be established to avoid certain channel scans.
• The Central device assigns a random private address to the connecting Peripheral device.
• This access address uniquely identifies the physical channel between the two devices.
• The hopping interval can be re-negotiated after connection setup to optimize energy savings.

WiFi

• Adheres to IEEE 802.11 standards for wireless protocols.
• Basic Service Set (BSS): the smallest building block, comprising multiple devices connected to an Access Point (AP).
• Extended Service Set (ESS): two or more BSSs connected together.

WiFi Security

• Security levels increase in order: WEP < WPA < WPA2.

Wired Equivalent Privacy (WEP)

• Original security mechanism for WLAN.
• Aims to protect wireless communication from eavesdropping, prevent unauthorized network access, and tamper with transmitted messages.
• Weaknesses include vulnerable keys, IV reuse, and small IV size, making it susceptible to attacks.

Wi-Fi Protected Access (WPA)

• Replaces WEP, addressing its vulnerabilities.
• Enhances data encryption, strengthens user authentication.
• Minimizes shared secret key usage, uses RC4 algorithm effectively for data transmission.

WPA2 - Wi-Fi Protected Access 2

• Available in Personal and Enterprise versions.
• Primarily enhanced by the use of the AES (Advanced Encryption Standard) algorithm.
• Personal mode employs a Pre-Shared Key (PSK), requiring no separate user authentication.
• Enterprise mode necessitates separate user authentication using the EAP protocol.

IEEE 802.15.4 Overview

• Developed to enable low-power communication between IoT devices.
• Consists of the Media Access Layer (MAC) and Physical Layer (PHY) specifications.

IEEE 802.15.4 Device Roles

• Full Function Device (FFD): Operates as a PAN coordinator and communicates with any other device.
• Personal Area Network (PAN) Coordinator: One FFD designated as the coordinator for the WSN.
• Reduced Function Device (RFD): Simple devices that can only communicate with FFDs or the PAN coordinator. RFDs cannot act as the coordinator.

IEEE 802.15.4 Topologies

• Star Topology:
  • All devices communicate with the PAN coordinator.
  • PAN coordinator: fixed power supply.
  • Other devices: battery-powered.
• Mesh Topology:
  • Any device can communicate with any other device in range.
  • Self-organizing, self-healing.
• Cluster Tree Topology:
  • Most devices are FFDs.
  • RFDs connect as leaf nodes at the end of branches.
  • Any FFD can act as a coordinator and provide synchronization services.
  • Only one PAN coordinator.

IEEE 802.15.4 Security

• Utilizes symmetric key ciphers for encryption, providing access control, message integrity, confidentiality, and replay protection.

Mesh Protocols using 802.15.4

• 6LoWPAN:
  • Enables IPv6 services for low-power devices in PANs.
  • Can be integrated with other protocol stacks like Zigbee and Thread.
  • Provides header compression and IPv6 addressing.
• WirelessHART:
  • International wireless specification (IEC 62591) for the Industrial Internet of Things (IIoT).
• ISA 100.11a:
  • U.S. standard for IoT communication.
  • Does not specify an application layer, leveraging 6LoWPAN and User Datagram Protocol (UDP) for network and transport layers.

Other Wireless Options

• LoRa:
  • Low-power wide area network (LPWAN) technology known for its low cost and widespread adoption.
• LoRaWAN:
  • The Things Network facilitates the development of IoT proof-of-concept systems using LoRa radio physical layer and LoRaWAN data link and network layer elements.
• Cellular (3GPP):
  • Used for extending IoT networks with devices having fixed power supplies.
  • Not ideally suited for IoT applications due to power constraints.
• LTE Advanced for Machine-Type Communication (LTE MTC):
  • 5G cellular specification that improves power consumption and simplifies device capability for small, periodic data transmissions.
• Narrowband IoT (NB-IoT):
  • Low-power, low-bandwidth protocol for indoor applications.
  • Uses a portion of an LTE carrier's frequency spectrum.

Network Access Control (NAC) Concepts

• Understanding basic NAC models helps understand how attackers can exploit them.
• OAuth 2.0 Authorization Framework enhances IoT device security by providing an authorization server for managing resource access.
• IoT device identity management ensures secure access to both the device's resources and other external resources.

Encryption for IoT

• Crucial for securing sensitive data transmitted by IoT devices.
• Many IoT devices lack the processing power for robust encryption algorithms.

Thread

• A home automation standard using IPv6 for routing on top of an IEEE 802.15.4 wireless network
• Devices are secure, only joining the network if authorized
• All communication is encrypted
• Typical devices cover the range of a normal home
• Thread Domain model allows multiple networks to communicate over a backbone
• Devices are low power, delivering an enhanced user experience and years of battery life under normal conditions
• Compatible chipsets and software stacks are available from several vendors

IEEE 802.15.4

• A wireless networking technology specifying technical specifications for low-rate wireless personal area networks (LR-WPANs)
• Allows devices to communicate in industrial and commercial settings
• Extremely low cost, ease of implementation, reliable data transfer, short range operation, and very low power consumption
• Disadvantages include interference and multipath fading, and it does not employ a frequency-hopping approach.
• Unbounded latency, and susceptibility to interference

Device Classes

• Full Function Device (FFD)
  • Can implement any topology
  • Capable of being a network coordinator
  • Can communicate with any other device
• Reduced Function Device (RFD)
  • Limited to star topology
  • Cannot be a network coordinator
  • Can only communicate with the network coordinator
  • Very simple implementation

IoT Reference Model

• Consists of 7 layers, each with a specific function
• Layer 1 - Physical Devices & Controllers, generate data and are capable of being controlled over the network
• Layer 2 - Connectivity, communication between layer 1 devices
• Layer 3 - Edge (Fog) Computing, evaluate and reformat data for processing
• Layer 4 - Data Accumulation, captures and stores data to be used by applications
• Layer 5 - Data Abstraction, reconciles multiple data formats and ensures consistency for diverse sources
• Layer 6 - Application, interprets data through software applications
• Layer 7 - Collaboration & Processes, consumes and shares the application information
• Includes security measures securing each device connected to the network, the processes, and between each level

ETSI M2M

• Purpose is to provide a common understanding of standards and protocols
• Application Domain - Management functions such as data analytics, connectivity management take place
• Network Domain - Where data exits the local network and is transported to the Application Domain through wired and wireless protocols
• M2M Devices Domain - Where end devices such as sensors, actuators, and controllers connect to the network via M2M gateways

IoT Simplified Model

• Consists of functional and data management layers
• Functional layers
  • Layer 1 - Devices Layer, consists of all connected end devices
  • Layer 2 - Communication Layer, connects devices to a local control panel, monitoring system state
  • Layer 3 - Application Layer, connects the control panel to a remote data center, aggregating all the control panels
• Data Management layers
  • Layer 1 - Mist Layer, close to the ground, connecting things to the network
  • Layer 2 - Fog Layer, on a local device with more power, such as an irrigation system’s control panel
  • Layer 3 - Cloud Layer, allows the supervisor to remotely override autonomous actions of the control panel through a mobile or desktop application in the Cloud

Threat Model Analysis

• Consists of a set of components connected to the network
• Each component has its own vulnerabilities that must be mitigated
• These vulnerabilities can be exploited by attackers to gain access to the network
• To prevent attacks, security measures must be implemented

Zigbee

• A suite of protocols using low-power digital radios based on the IEEE 802.15.4 wireless standard
• Consists of the following roles:
  • Coordinator - sets up the network, one per network, and is the central point
  • Router - full function device, powered, non-battery, repeats/forwards signal
  • End-Device - reduced function, battery powered, does not repeat/forward signals
• Pros include the ability to create better remotes, power efficiency, security, and a stable network
• Cons include the need for a hub, limited range, and not all smart devices support Zigbee

Mesh Network

• A network where multiple devices in the network take on the role of a router or repeater
• Repeat signals and forward them to other network devices within range instead of sending them back to the originator

Description

This quiz explores the concepts of PKI Trust System and the technical aspects of Bluetooth technology. It covers digital certificates, Certificate Authorities, and the unique network topology of Bluetooth known as Piconet. Test your knowledge on the functionalities and features of these two vital technologies.