Security Tools for Attacking and Monitoring Low-Power Wireless Personal Area Networks
Smart homes and smart buildings are applications of the Internet of Things (IoT), where everyday devices are connected to the Internet as either sensors, actuators, or both. While IoT devices provide several benefits to their end users, they also raise serious security concerns, primarily because they interact with the physical world. This is especially concerning in cases where the IoT devices have critical capabilities, such as unlocking doors, because vulnerabilities in their communication protocols could affect the physical security of their end users. The focus of this dissertation is on the security of two communication protocols that are designed for low-power wireless personal area networks: Zigbee and Thread. Zigbee is an IEEE 802.15.4-based protocol that has been developed by the Zigbee Alliance (now known as the Connectivity Standards Alliance) and has been used in smart environments for several years. Thread is an IEEE 802.15.4-based protocol that has been developed by the Thread Group and is expected to be used by numerous smart home devices as one of the IP-based networking technologies that will be supported by the Matter standard that is being developed by members of the Connectivity Standards Alliance. However, the security of centralized Zigbee networks and Thread networks has received limited attention in the literature. In this dissertation, we present a security analysis tool for Zigbee and Thread networks, called Zigator, which enabled us to gain insight into the nature of their traffic. This led to the development of novel selective jamming and spoofing attacks, including energy depletion attacks, which we implemented by modifying the firmware of an IEEE 802.15.4 USB adapter and validated by testing them against commercial Zigbee devices and OpenThread-enabled development boards.
Furthermore, we present a network security monitoring system for Zigbee networks, called HiveGuard, which follows a rule-based approach for the detection of attacks. The vulnerabilities we discovered were responsibly disclosed to the appropriate working groups or organizations, along with our mitigation recommendations, prior to their publication.
History
Date
2022-05-06
Degree Type
- Dissertation
Department
- Electrical and Computer Engineering
Degree Name
- Doctor of Philosophy (PhD)