Field of the Invention
The present invention generally relates to wireless networks and, more particularly, to wireless intrusion detection.
Description of the Related Art
Low-rate Wireless Personal Area Networks (WPANs) enable energy-efficient connectivity among large numbers of devices. The IEEE 802.15.4 specification is an industry standard for low-power, low-rate WPANs. Low implementation costs associated with WPAN interconnectivity have led to widespread adoption, particularly in critical infrastructure and military applications. For instance, ZigBee standards built upon this WPAN foundation operate advanced utility meters, 65 million of which will be deployed in the United States by 2015. Building automation WPANs interface with the smart grid to significantly reduce energy costs through intelligent appliance and lighting control. WPANs may be utilized in such varied applications as health care networks, indoor localization, and critical process control.
Data confidentiality, message integrity, and device authentication are all important security considerations for wireless networks, given the vulnerable transmission medium. Fortunately, the IEEE 802.15.4 specification includes optional protection using the Advanced Encryption Standard (AES) for data confidentiality, message integrity codes (MICs), or both. Sensitive information such as utility billing, patient data, and control messages should all be encrypted while traversing a WPAN, but research has found that AES Counter mode (encryption without MIC) should be avoided because an attacker may be able to modify the ciphertext and the unprotected cyclic redundancy check such that unauthorized packets may be accepted. Protecting WPANs from unauthorized access may be accomplished with a shared network key and by establishing source node authentication through end-to-end Link Keys.
Properly securing low-rate WPANs is challenging due to tight resource constraints. WPAN hardware is generally designed to be as inexpensive as possible, and tamper resistance was not an early vendor priority. For example, first- and second-generation ZigBee chips were found to be vulnerable to encryption key extraction. Flash memory available for application development is typically limited to less than 100 kB, e.g., 48 kB on the TmoteSky mote and 60 kB on the Freescale MC13213. With flash at a premium, some application developer guides discourage the use of security: “Do not use a secure network unless required. ZigBee security is about 8K.” (Freescale BeeStack™ Application Development Guide, Document Number: BSADG, Rev. 1.1, January 2008, p. 5-5). Security headers increase packet overhead, expending additional wireless transmission energy and presenting a trade-off for WPANs reliant upon battery power. IEEE 802.15.4 leaves key establishment to higher layers, such as the ZigBee stack, yet the entire WPAN can be compromised if keys are mishandled. Support for access control lists varies substantially among WPAN chipsets as well. For example, a CC2420 only supports two device entries.
Any network keys wirelessly distributed in plain text to end nodes can be intercepted by eavesdroppers. The open source KillerBee framework for exploiting IEEE 802.15.4 WPANs includes a script (zbdsniff) that extracts any observed keys from wireless capture files. KillerBee also includes tools for message replay attacks (zbreplay), transmitter tracking (zbfind), and denial of service attacks (zbassocflood).
The consequence of a successful denial of service attack by zbassocflood is shown at 10 in FIG. 1. All available WPAN network addresses have been allocated to devices that do not exist, as reported in the ‘PAN full’ line highlighted at 10. The zbassocflood tool made repeated association requests using spoofed MAC addresses, exhausting the network address pool, and thus, no new legitimate devices are able to join the network. Continual improvements to the quality and capabilities of WPAN attack tools motivate the need for novel defenses.
Accordingly, there is a need in the art for improved intrusion detection and defenses for attacks on WPANs.
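The address-pool exhaustion described above leaves a recognizable trace at the MAC layer: many association requests from previously unseen 64-bit source addresses in a short time. The following is an added illustration of that monitoring idea, not part of the original text and not the method of the invention; the function names, the 10-second window, the threshold of five new addresses, and all sample frames are assumptions constructed for the example, and frames are assumed to arrive without the FCS and without a security header.

```python
import struct
from collections import deque
ASSOC_REQ = 0x01  # IEEE 802.15.4 MAC command identifier: Association Request

def assoc_request_source(frame: bytes):
    """Return the 64-bit source address (hex) of an unsecured association
    request, or None for any other frame."""
    if len(frame) < 3:
        return None
    (fcf,) = struct.unpack_from("<H", frame, 0)
    frame_type, secured = fcf & 0x7, (fcf >> 3) & 1
    pan_compress, dst_mode, src_mode = (fcf >> 6) & 1, (fcf >> 10) & 3, (fcf >> 14) & 3
    if frame_type != 3 or secured or src_mode != 3 or dst_mode == 1:
        return None                      # not a MAC command from an extended address
    off = 3                              # frame control (2) + sequence number (1)
    if dst_mode:
        off += 2 + (2 if dst_mode == 2 else 8)   # dest PAN + dest address
    if not pan_compress:
        off += 2                         # source PAN (0xFFFF before joining)
    if len(frame) < off + 9 or frame[off + 8] != ASSOC_REQ:
        return None
    return frame[off:off + 8][::-1].hex()    # addresses are little-endian on air

def detect_assoc_flood(capture, window=10, max_new=5):
    """capture: (timestamp_s, frame) pairs in time order. Returns timestamps at which
    more than max_new distinct addresses requested association within window seconds."""
    recent, alerts = deque(), []
    for ts, frame in capture:
        addr = assoc_request_source(frame)
        if addr is None:
            continue
        recent.append((ts, addr))
        while recent[0][0] < ts - window:
            recent.popleft()
        if len({a for _, a in recent}) > max_new:
            alerts.append(ts)
    return alerts

def build_assoc_req(seq, src_ext, dst_pan=0x1234, dst_short=0x0000):
    """Construct a sample association request (test data only)."""
    fcf = 3 | (1 << 5) | (2 << 10) | (3 << 14)   # 0xC823
    hdr = struct.pack("<HBHHH", fcf, seq & 0xFF, dst_pan, dst_short, 0xFFFF)
    return hdr + src_ext[::-1] + bytes([ASSOC_REQ, 0x80])

# Constructed capture: two ordinary joins, a data frame, then 20 requests 1 s apart.
SAMPLE = [(0, build_assoc_req(1, bytes.fromhex("00124b0000000001"))),
          (60, build_assoc_req(2, bytes.fromhex("00124b0000000002"))),
          (61, bytes.fromhex("4188033412ffff0000"))]
SAMPLE += [(100 + i, build_assoc_req(i, bytes([0xAA] * 7 + [i]))) for i in range(20)]
```

Because the source addresses in such a flood are spoofed, a count of this kind can flag that the address pool is being consumed but cannot by itself tell a forged request from a legitimate one.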