Security in Wireless Personal Area Network (WPAN) : Chapter-14 (Text Book) Lecture 34-Lecture-35 Dr. Rahul Saha

What is WPAN ?
Wireless personal area networks (WPANs) connect devices within a small area, somewhere around within a person's reach. A WPAN has a typical range of about 30 feet. They are commonly used to interconnect compatible devices near a central location, such as a desk.
With billions of wireless devices on the air already, and many billions more projected to join them in the next few years, many radio frequency bands are becoming crowded, and interference is a growing problem. You should consider this when designing your next product.
WPAN technologies:
•Bluetooth radio
•Bluetooth Low Energy
•ZigBee
•Z-Wave
•Thread
•IEEE 802.15 family
https://internetofthingsagenda.techtarget.com/feature/WPAN-standards-for-IoT-continue-to-develop-use-cases#:~:text=The%20IEEE%20WPAN%20standards%20offer,operating%20power%20or%20long%20range.&text=IT%20pros%20should%20be%20familiar,architecture%20choice%20in%20IoT%20deployments.
Example: ZigBee parameters (figure not reproduced in this extract; source below)
https://opentechdiary.wordpress.com/2015/07/18/part-4-a-walk-through-internet-of-things-iot-basics/
Bluetooth detailed specifications
• Bluetooth supports point-to-point (unicast) and point-to-multipoint (multicast) transmission with a variety of data rates.
• The initial Bluetooth standard specified a transmission rate of 1 Mbps. At the low end, Task Group 4 in IEEE 802.15 supports low data rates, with low complexity and long battery life (lasting from months to years), of 20, 40, and 250 kbps. At the high end, Task Group 3 supports high data rates of 11 to 55 Mbps.
• TG3A uses an alternative physical layer, including ultra wideband (UWB) radio, with data rates beyond 100 Mbps.
• Bluetooth networks transmit on the 2.4-GHz band, which is an unlicensed frequency range. It uses 79 channels between 2.402 and 2.480 GHz (in the United States and most of Europe).
• In addition, microwave ovens operate on that frequency. While they generally are shielded properly, testing shows that poorly shielded ovens can jam radios and reduce throughput by 75 percent (although an owner of such a leaky oven probably has bigger problems to worry about than reduced throughput).
• Bluetooth uses a fast-frequency-hopping algorithm, which switches frequencies at a rate of 1600 times per second. Packets are short, typically around 350 bytes, and forward error correction (FEC) provides data integrity.
Bluetooth Network Terminologies
• Piconet: 3-bit address, 1 master – 7 slaves
• Master and Slave: 1 master always in the piconet, others are slaves; the master is responsible for FFHS and for swapping of parked nodes
• Scatternet: collection of piconets, joined by a device that is a master in one piconet and a slave in another
• States of a Bluetooth device:
  • Standby
  • Active: paging, inquiry by the willing node
  • Power saver modes:
    • Hold: completely inactive
    • Park: synchronization with master, master can allow or disallow, supports more nodes than the active limit
    • Sniff
https://www.researchgate.net/publication/3973602_RF_Rendez-Blue_Reducing_power_and_inquiry_costs_in_Bluetooth-enabled_mobile_systems
https://flylib.com/books/en/4.215.1.116/1/
Bluetooth security mechanisms
• The transmitters use the lowest power required for their data to be received.
• Channel hopping provides additional protection, making it difficult to snoop on the data stream. The fast rate of hopping makes it hard for a casual observer to “sniff” the data stream off of one channel or guess the hopping sequence.
• Data are protected by the optional use of encryption. The encryption algorithm is, essentially, a stream cipher that XORs the data stream with a stream of numbers from a pseudorandom-number generator (PRNG) seeded by an encryption key. The keys are created and distributed by a key exchange algorithm, so keys are not sent as plaintext.
• Finally, nodes can perform authentication and authorization to verify the identity and access of both parties that are communicating.
Bluetooth Security Modes and Levels
Three modes of security for devices: nonsecure, service-level enforced security, and link-level enforced security.
Nonsecure: A device in the nonsecure mode does not initiate any security procedure. This is intended for public use devices, such as a walkup printer.
Service-level enforced security: A device in the service-level enforced security mode permits access to itself depending on the service request. For example, a PC may allow a user to download files to it but does not allow its own files to be read.
Link-level enforced security: A device in the link-level enforced security mode requires authentication and authorization for use, e.g., cell phones.
It defines two security levels for devices: trusted and untrusted. Trusted devices allow unrestricted access to all services, whereas untrusted devices do not.
Services can be in one of three security levels: 1) open, 2) authentication, 3) authentication and authorization. In the first, the services are open to all devices. The second requires authentication from the devices, whereas the third requires both authentication and authorization for the device.
Bluetooth basic security mechanism
• Bluetooth uses encryption and link-layer keys.
• Encryption keys protect the data in a session, whereas link-layer keys provide authentication and serve as a parameter when deriving the encryption keys.
• Link-layer keys can be semipermanent or temporary.
• Four entities are used for link-layer security:
  • A 48-bit publicly available device address, fixed and unique for each device
  • A 128-bit pseudorandom private key for authentication
  • An 8- to 128-bit private key for encryption (the variable length accommodates different countries’ export restrictions)
  • A 128-bit pseudorandom number generated by the device
• Four types of link-layer keys: initialization, unit, combination, master
Link layer keys
Initialization key: The initialization key is used as a link-layer key when there are not yet any unit or combination keys. This key is used only during installation and typically requires the user to enter a personal identification number (PIN) on the unit. It is a combination of the PIN (1-128 bits), the Bluetooth device address (48 bits), and a random 128-bit number, using the E22 algorithm.
Unit key: The unit key is generated in each device when the device is installed. It is 128 bits and is generated with the E21 algorithm using the Bluetooth device address and a random number, both 128 bits long. The device creates the key the first time it is operated and stores the unit key in non-volatile memory.
Combination key: The combination key is derived from information from two devices that communicate with each other. A different combination key is generated for each pair of communicating devices.
Master key: The master key is a temporary key that replaces the current link-layer key. The master device generates it using the E22 algorithm with two 128-bit random numbers. A random number is sent to the slaves, which use it and the current link-layer key to generate an overlay. The master key is XORed with the overlay by the master and sent to the slaves, which can extract the master key from it.
Bluetooth encryption mode
The packet payload is encrypted when encryption is enabled. Encryption is performed with the E0 stream cipher and is resynchronized for each payload. The E0 stream cipher consists of a payload key generator, a key stream generator, and the encryption/decryption part.
Essentially, the algorithm consists of XORing the data payload stream with a stream of pseudorandom numbers. The pseudorandom-number generator is initialized with an encryption key. This key is generated from the current link-layer key, a 96-bit ciphering offset number (COF), and a 128-bit random number. The COF is based on the authenticated ciphering offset (ACO), which is generated during the authentication process.
When the link manager (LM) activates encryption, it generates the encryption key. This key automatically changes every time the Bluetooth device enters the encryption mode.
Bluetooth Authentication
Limitations and problems
Jamming and interference:
• intentional and unintentional
• 2.4 GHz operation may create interference due to other devices that operate in the same band, including some 802.11 and HomeRF devices, as well as microwave ovens
• intentional jamming by transmitters that are nearby or significantly stronger than the Bluetooth transmitters
Key management:
• Until a secure link is established, the keys and data used to derive them are sent in the clear.
• Key setup uses a PIN code entered into each device, but this can be cumbersome.
• Bluetooth supports only device authentication, not user authentication. Thus, a stolen device, such as a PDA, could gain unauthorized access to data and resources.
Finally, like any wireless device, care must be used when connecting it to an existing network because it might be unintentionally exposing part of the internal network that had been protected behind a firewall.
Bluetooth attacks
• If two sites, A and B, communicate with each other using A’s unit key (KA) because of limited memory on A, then afterwards site B can impersonate A as well as eavesdrop on A’s communications, because B knows the key that will be used. Variations of a man-in-the-middle attack are possible. If an attacker can synchronize with the frequency-hopping sequence, then it can eavesdrop.
• Brute force on PINs
• Cipher attacks: reducing the search space of brute force
• Location and movement tracking
• Bluesnarfing, Bluejacking, Bluesniping, Bluebailing
[https://en.wikipedia.org/wiki/Bluesnarfing#Bluesniping]
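Added example (not from the textbook or the lecture slides): a Python model of the link-layer key hierarchy from the "Link layer keys" slide and of the unit-key weakness in the first attack bullet above. The SAFER+-based E21/E22 functions are replaced by a labelled HMAC-SHA256 stand-in, every address, PIN and random value is constructed, and the XOR-of-two-E21-contributions form of the combination key follows the Bluetooth specification rather than the slide.

```python
import hashlib
import hmac

def kdf(label: bytes, key: bytes, *inputs: bytes) -> bytes:
    # Stand-in for the SAFER+-based E21/E22 functions (assumption: HMAC-SHA256
    # truncated to 128 bits). It models only the data flow, not the real algorithms.
    return hmac.new(key, label + b"".join(inputs), hashlib.sha256).digest()[:16]

def xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def initialization_key(pin: bytes, bd_addr: bytes, rand: bytes) -> bytes:
    # K_init = E22(PIN, BD_ADDR, RAND): PIN 1-128 bits, BD_ADDR 48 bits, RAND 128 bits
    assert 1 <= len(pin) <= 16 and len(bd_addr) == 6 and len(rand) == 16
    return kdf(b"E22-init", pin, bd_addr, rand)

def unit_key(bd_addr: bytes, rand: bytes) -> bytes:
    # K_A = E21(RAND_A, BD_ADDR_A): made once at installation and reused with every peer
    return kdf(b"E21-unit", rand, bd_addr)

def combination_key(addr_a: bytes, rand_a: bytes, addr_b: bytes, rand_b: bytes) -> bytes:
    # K_AB = E21(RAND_A, BD_ADDR_A) XOR E21(RAND_B, BD_ADDR_B): fresh for each device pair
    return xor16(unit_key(addr_a, rand_a), unit_key(addr_b, rand_b))

def master_sends(link_key: bytes, rand1: bytes, rand2: bytes, rand_ov: bytes):
    # Master: K_master = E22(RAND1, RAND2); overlay = E22(current link key, RAND);
    # it transmits RAND and (K_master XOR overlay), never K_master itself.
    k_master = kdf(b"E22-master", rand1, rand2)
    overlay = kdf(b"E22-overlay", link_key, rand_ov)
    return k_master, (rand_ov, xor16(k_master, overlay))

def slave_receives(link_key: bytes, message) -> bytes:
    # Slave: rebuild the overlay from the shared link key and unmask K_master
    rand_ov, masked = message
    return xor16(masked, kdf(b"E22-overlay", link_key, rand_ov))

def unit_key_exposure():
    # Scenario from the slides: A (short on memory) uses its unit key K_A as the
    # link key with every peer, so B, which paired with A earlier, holds K_A.
    # When A later distributes a master key to C over K_A, B can unmask it;
    # with a pairwise combination key K_AC, B cannot. All values are constructed.
    addr_a, addr_c = b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb"
    k_a = unit_key(addr_a, b"\x01" * 16)
    k_m, msg = master_sends(k_a, b"\x02" * 16, b"\x03" * 16, b"\x04" * 16)
    b_reads_with_unit_key = slave_receives(k_a, msg) == k_m
    k_ac = combination_key(addr_a, b"\x05" * 16, addr_c, b"\x06" * 16)
    k_m2, msg2 = master_sends(k_ac, b"\x02" * 16, b"\x03" * 16, b"\x04" * 16)
    b_reads_with_combination_key = slave_receives(k_a, msg2) == k_m2
    return b_reads_with_unit_key, b_reads_with_combination_key
```

`unit_key_exposure()` returns `(True, False)`: a peer that holds A's reused unit key recovers the distributed master key, while a pairwise combination key leaves the same peer with nothing.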
Other reading (beyond the book, interesting, out of IP)
https://www.youtube.com/watch?v=ZpOmzx-pyns
https://www.youtube.com/watch?v=8vjIrCaFOfU
https://www.bluetooth.com/bluetooth-resources/building-a-sensor-driven-lighting-control-system-based-on-bluetooth-mesh/
https://www.silabs.com/whitepapers/advantages-of-wireless-human-machine-interface-for-industrial-automation
https://global-carconnectivity.org/wpcontent/uploads/2020/04/CCC_Digital_Key_2.0.pdf
https://www.lairdconnect.com/resources/white-papers/bluetooth-deployment-hospital-settings
https://www.atmosic.com/2020-trends-for-battery-free-bluetooth-5-0-internet-of-things/
https://www.bluetooth.com/blog/wireless-connectivity-options-for-iot-applications-indoor-navigation/
