DOI: 10.1145/3507657.3528544
research-article
Open access

On the Security of Thread Networks: Experimentation with OpenThread-Enabled Devices

Published: 16 May 2022

Abstract

The Thread networking protocol is expected to be utilized by a plethora of smart home devices as one of the IP-based networking technologies that will be supported by the Matter standard that is being developed by members of the Connectivity Standards Alliance. Thread has been developed by the Thread Group as an application-agnostic protocol that builds on top of the IEEE 802.15.4 standard to enable IPv6-based low-power wireless mesh networking. However, unlike other IEEE 802.15.4-based protocols like Zigbee, the security of Thread networks has been relatively less analyzed in the literature. Given that commercial Thread devices are expected to interact with the physical world, vulnerabilities in their communication protocols could impact the physical security of end users. In this work we analyze the security of Thread networks by repurposing hardware and software tools that have been used for the security analysis of Zigbee networks. We used development boards that were flashed with OpenThread binaries to gain insight into the nature of Thread traffic and to study their susceptibility to a set of energy depletion attacks and online password guessing attacks. Lastly, we are publicly releasing our software enhancements as well as our dataset of captured Thread packets.



Published In

WiSec '22: Proceedings of the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks
May 2022
314 pages
ISBN: 9781450392167
DOI: 10.1145/3507657
  • General Chair: Murtuza Jadliwala
  • Program Chairs: Yongdae Kim, Alexandra Dmitrienko
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. energy depletion attacks
  2. ieee 802.15.4
  3. online password guessing attacks
  4. openthread
  5. thread

Qualifiers

  • Research-article

Funding Sources

  • Carnegie Mellon CyLab Security and Privacy Institute

Conference

WiSec '22

Acceptance Rates

Overall Acceptance Rate 98 of 338 submissions, 29%


Cited By

  • (2025) A Survey on Cybersecurity in IoT. Future Internet 17:1 (30). DOI: 10.3390/fi17010030. Online publication date: 11-Jan-2025
  • (2024) Demo: Battery Depletion Attack Through Packet Injection on IoT Thread Mesh Network. 2024 16th International Conference on COMmunication Systems & NETworkS (COMSNETS) (318-320). DOI: 10.1109/COMSNETS59351.2024.10426916. Online publication date: 3-Jan-2024
  • (2023) One Standard to Rule Them All? Assessing the Disruptive Potential of Jamming Attacks on Matter Networks. 2023 IEEE International Workshop on Information Forensics and Security (WIFS) (1-6). DOI: 10.1109/WIFS58808.2023.10374874. Online publication date: 4-Dec-2023
  • (2023) Two-Factor Commissioning for Thread Protocol. 2023 3rd International Conference on Advanced Research in Computing (ICARC) (190-195). DOI: 10.1109/ICARC57651.2023.10145748. Online publication date: 23-Feb-2023
