Securing Short-Range Communications

More electronic conveniences open door to more hacking.


Short-range wireless communication technology is in widespread use and growing rapidly, adding conveniences for consumers while also opening the door to a whole range of cyberattacks.

This technology is common across a variety of applications, from wireless key fobs to unlock a car and start the ignition, to tags used to help drivers find misplaced items such as car keys. RFID also is starting to be used in grocery stores to speed up self-checkout. And credit cards equipped with near field communication (NFC) technology make paying for purchases possible with a tap, eliminating the need to touch keypads or have cashiers touch their cards, which is especially useful during a pandemic.

While we all enjoy these modern conveniences, modern-day thieves are tapping into short-range communications to clone that data and steal cars. Hackers also can drive by a neighborhood, monitoring the signals from Wi-Fi to steal personal information. But there also are solutions to many of these vulnerabilities, and some of them are beginning to reach the market as these new features are rolling out.

Short-range communication threats
Short-range communication covers a range from a few feet to about 300 feet. The good news is there are lots of these standards to choose from — Wi-Fi (IEEE 802.11a/b/g/n); Bluetooth (IEEE 802.15); Zigbee, whose alliance has been renamed the Connectivity Standards Alliance (CSA); Z-Wave; Thread; RFID; dedicated short-range communications (DSRC) for V2X; ultra-wide band (UWB); NFC; ANT+; and other proprietary technologies.

The FCC has designated the 5.9 GHz band for the dedicated short-range communications (DSRC) service. The Department of Transportation Joint Program Office wants automakers to incorporate DSRC to make V2V and V2I a reality. When this happens, vehicles will be able to communicate with each other without the cellular network.

The bad news is that having this many standards also opens the door for short-range communication hacking. And attackers exploiting short-range communication can carry out cyberattacks in ways not available to thieves relying on long-distance communications.

Among the numerous types of cyberattacks relying on short-range communication protocols are man-in-the-middle attacks, illicit connections, device cloning, side-channel attacks, packet sniffing resulting in modification and fabrication of codes, interception and cloning of codes, Distributed Denial of Service (DDoS), and worst of all, ransomware attacks. New cyberattack methods are being invented regularly.

Fig. 1: Man in the middle scenario. Source: Rambus

Below are some of the common attack scenarios:

  • Equipment for eavesdropping on Wi-Fi signals enables hackers to drive by houses to steal residents’ personal information.
  • “Man-in-the-middle” attacks to steal identities and other data when devices such as Bluetooth are being paired. The attacker can interrupt a data transfer and insert itself in the middle of the transfer and pretend to be a legitimate participant.
  • Using wireless devices to unlock automobile doors and other electronic door locks.
  • Using NFC devices to steal the identities of other NFC devices that victims have with them — in a pocket while walking, for instance.

Side-channel attacks are commonplace. In close proximity, hackers can measure a device’s physical parameters during a transmission or computation — such as supply current, execution time, and electromagnetic emissions — to steal information. In a short period of time, an attacker can collect enough measurements to find a pattern from which the device’s security key can be reconstructed.

Security solutions
Protecting oneself from hackers who drive by houses with equipment to listen in on Wi-Fi signals and steal identities requires more than a Wi-Fi password. That password is, by definition, a shared value. Application-level security, such as Transport Layer Security (TLS) or Datagram Transport Layer Security (DTLS), is necessary for sensitive data.

Likewise, reducing the Bluetooth communication range and thus forcing the attacker to be too close to avoid notice can help counter “man-in-the-middle” attacks during device pairing. But this is not an ideal solution. The pairing phase is a known vulnerability for Bluetooth. However, when both the device being paired and the pairing device have a PIN pad, the user can insert a PIN and increase the security of the pairing process. Inserting a PIN makes it difficult for an eavesdropper to intercept traffic without knowing the PIN.

The signal emitted by a key fob to open a car also can be “recorded” using some technologies and replayed by a rogue device to open the car. Some solutions rely on a sophisticated key fob that issues a different encrypted but valid code every time it is used, with the car recording past key codes to prevent replay.
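The rolling-code scheme described above, as an added illustration that is not any carmaker’s or fob vendor’s protocol: the fob and the car share a secret key (assumed to be installed at manufacture), each press derives a fresh code from a counter, and the receiver refuses any code whose counter it has already consumed, which is what defeats a recorded-and-replayed signal. The look-ahead window lets the car resynchronize after presses it did not hear.

```python
import hashlib
import hmac

# Constructed illustration added to this article; it is not any carmaker's or
# fob vendor's protocol. Fob and car share a secret key installed at manufacture
# (assumed), and the fob transmits only a short code derived from a counter.

CODE_LEN = 8      # bytes of code actually transmitted
WINDOW = 16       # how far ahead of the last accepted counter the car will look


def rolling_code(key: bytes, counter: int) -> bytes:
    """One-time code for a given counter value. Without the key an observer cannot
    predict the next code from the ones already seen."""
    mac = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return mac[:CODE_LEN]


class Fob:
    def __init__(self, key: bytes) -> None:
        self._key = key
        self._counter = 0

    def press(self) -> bytes:
        """Each press advances the counter, so the same code is never sent twice."""
        self._counter += 1
        return rolling_code(self._key, self._counter)


class CarReceiver:
    def __init__(self, key: bytes) -> None:
        self._key = key
        self._last_counter = 0   # highest counter value accepted so far

    def unlock(self, code: bytes) -> bool:
        """Accept a code only if it belongs to a counter value the car has not yet
        consumed. A recorded code replayed later maps to an old counter and fails."""
        for candidate in range(self._last_counter + 1, self._last_counter + WINDOW + 1):
            if hmac.compare_digest(rolling_code(self._key, candidate), code):
                self._last_counter = candidate   # codes at or below this are now dead
                return True
        return False


def demo() -> dict:
    """Walk through normal use, a replayed recording, a resync after presses the
    car did not hear, and a code the fob never produced."""
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed shared secret
    fob, car = Fob(key), CarReceiver(key)

    code1 = fob.press()
    first = car.unlock(code1)               # True: fresh code
    replay = car.unlock(code1)              # False: counter already consumed

    for _ in range(3):                      # presses made out of range of the car
        fob.press()
    resync = car.unlock(fob.press())        # True: still inside the look-ahead window

    forged = car.unlock(bytes(CODE_LEN))    # False: not a valid code for any pending counter
    return {"first": first, "replay": replay, "resync": resync, "forged": forged}
```

A recorded code is dead as soon as the car has accepted it, and a code presented from outside the window is also rejected, so the receiver needs no history of past codes beyond the single counter it stores.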

NFC is more of a transmission protocol than an application-level protocol. Security must be implemented on top of NFC to provide any security properties. Say the attacker “pickpockets” an identity and/or other information from a card in the target’s possession. If the identity is protected cryptographically (e.g., by a public/private key scheme), the hacker will not be able to use it constructively because they don’t have the private key. The identity alone will not be sufficient.

For example, hackers can steal the credit card number and expiration date from an NFC-based EMV (Europay, Mastercard, Visa) contactless card, but that is typically not enough to complete the commercial transaction, as it sometimes requires a PIN. Transactions over the NFC link also are encrypted and protected. Using a wallet that blocks NFC signals is a very simple but also effective method to help prevent cybercriminals from doing damage.
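The point made in the two paragraphs above, that a pickpocketed identity is useless without the secret that stays on the card, as an added illustration that is not the EMV specification or any issuer’s scheme: the card number and expiry are readable by any reader in range, but the terminal issues a fresh challenge on every tap and the issuer only honours a cryptogram computed with the card’s secret over that challenge and the amount. A stand-in built from one overheard exchange cannot answer the next challenge. The card secret here is a symmetric key rather than the public/private pair the article mentions; the principle that the secret never leaves the card is the same.

```python
import hashlib
import hmac
import secrets

# Constructed illustration added to this article (it is not the EMV specification
# or any issuer's scheme). The card's identity (PAN, expiry) is readable by any
# reader in range; the secret key used to answer the terminal's challenge is not.


def cryptogram(secret: bytes, pan: str, challenge: bytes, amount_cents: int) -> bytes:
    """Response bound to this card, this terminal challenge and this amount."""
    msg = challenge + amount_cents.to_bytes(8, "big") + pan.encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


class Card:
    def __init__(self, pan: str, expiry: str, secret: bytes) -> None:
        self.pan, self.expiry = pan, expiry
        self._secret = secret                # never leaves the card

    def identity(self) -> tuple[str, str]:
        """What any nearby NFC reader can obtain."""
        return self.pan, self.expiry

    def respond(self, challenge: bytes, amount_cents: int) -> bytes:
        return cryptogram(self._secret, self.pan, challenge, amount_cents)


class Issuer:
    """Back end that personalised the cards and holds their secrets."""

    def __init__(self) -> None:
        self._secrets: dict[str, bytes] = {}

    def issue(self, pan: str, expiry: str) -> Card:
        secret = secrets.token_bytes(32)
        self._secrets[pan] = secret
        return Card(pan, expiry, secret)

    def authorise(self, pan: str, challenge: bytes, amount_cents: int, crypt: bytes) -> bool:
        secret = self._secrets.get(pan)
        if secret is None:
            return False
        return hmac.compare_digest(cryptogram(secret, pan, challenge, amount_cents), crypt)


class Terminal:
    def __init__(self, issuer: Issuer) -> None:
        self._issuer = issuer

    def transaction(self, presented, amount_cents: int) -> bool:
        challenge = secrets.token_bytes(16)          # fresh for every tap
        pan, _expiry = presented.identity()
        crypt = presented.respond(challenge, amount_cents)
        return self._issuer.authorise(pan, challenge, amount_cents, crypt)


class RecordedExchange:
    """Test fixture: the identity plus one complete challenge/response that was
    overheard, and no key. Used only to show the issuer rejects it."""

    def __init__(self, pan: str, expiry: str, old_cryptogram: bytes) -> None:
        self.pan, self.expiry, self._old = pan, expiry, old_cryptogram

    def identity(self) -> tuple[str, str]:
        return self.pan, self.expiry

    def respond(self, challenge: bytes, amount_cents: int) -> bytes:
        return self._old      # cannot compute a response to the new challenge


def demo() -> dict:
    issuer = Issuer()
    card = issuer.issue("4111111111111111", "12/27")   # constructed test values
    terminal = Terminal(issuer)

    genuine = terminal.transaction(card, 1999)

    overheard_challenge = secrets.token_bytes(16)
    overheard_crypt = card.respond(overheard_challenge, 1999)
    recorded = RecordedExchange(*card.identity(), overheard_crypt)
    replayed = terminal.transaction(recorded, 1999)  # new challenge, stale cryptogram

    return {"genuine": genuine, "replayed": replayed}
```

Binding the amount into the cryptogram is what stops an overheard response from being reused for a different purchase even if the challenge were somehow repeated; binding the challenge is what stops it being reused at all.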

There are useful methods to protect against side-channel attacks, as well. For instance, one defense requires the attacker to collect millions of traces in order to extract a key. Breaking the system becomes more difficult for the attacker with those mandated millions of encryption traces in the way.
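The execution-time channel named earlier, in the smallest form that still shows the mechanism, as an added illustration that is not from the article: a receiver that compares a received code against the expected one and stops at the first mismatching byte runs for a length of time that depends on how many leading bytes are right, while a comparison that always examines every byte does not. Work is counted as bytes examined so the difference is visible without a stopwatch; the defence is simply to use the constant-time form.

```python
import hmac

# Added illustration, not from the article: an execution-time side channel in the
# way a receiver checks a received code, and the constant-time form that removes it.
# Work is counted as "bytes examined" so the effect is visible without timing.


def early_exit_compare(expected: bytes, received: bytes) -> tuple[bool, int]:
    """Stops at the first mismatch: how long it runs depends on how many leading
    bytes of the received value are right, which is what a timing measurement reveals."""
    if len(expected) != len(received):
        return False, 0
    examined = 0
    for a, b in zip(expected, received):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_compare(expected: bytes, received: bytes) -> tuple[bool, int]:
    """Examines every byte whether or not a mismatch occurred; the work done carries
    no information about where the first wrong byte is."""
    if len(expected) != len(received):
        return False, 0
    diff = 0
    for a, b in zip(expected, received):
        diff |= a ^ b
    return diff == 0, len(expected)


def stdlib_compare(expected: bytes, received: bytes) -> bool:
    """What production code should use: the standard library's constant-time check."""
    return hmac.compare_digest(expected, received)


def work_profile(compare, expected: bytes, guesses: list) -> list:
    """Bytes examined for each candidate. A flat profile means the amount of work
    done reveals nothing about the expected value."""
    return [compare(expected, g)[1] for g in guesses]


# Constructed expected code and candidates that match 0, 1, 2 and all 4 leading bytes.
EXPECTED = bytes.fromhex("7a13c499")
CANDIDATES = [
    bytes.fromhex("00000000"),
    bytes.fromhex("7a000000"),
    bytes.fromhex("7a130000"),
    bytes.fromhex("7a13c499"),
]
```

Running work_profile with early_exit_compare over CANDIDATES gives a rising profile, one extra byte of work per correct leading byte, while constant_time_compare gives a flat one. Hardware countermeasures such as masking aim at the same property for the power and electromagnetic channels: the measurable quantity must not depend on the secret.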

There is no foolproof cybersecurity method. However, making it as difficult as possible for hackers to steal information raises the level of security.

Develop short-range communication cybersecurity strategies
Rambus Security pointed out the three main principles of wireless secure communications:

  • Pairing or registration of devices allowed to communicate over the network using methods such as passwords/PINs (Wi-Fi PSK mode, Bluetooth) or initialization/pre-installation of keys (e.g., Zigbee, Thread, or Z-Wave);
  • Authentication of the devices involved in a communication, and
  • Encryption of communications between two devices over the wireless link. The encryption keys can be negotiated during an initial pairing phase between two devices.

Some protocols used for home automation, like Z-Wave and Zigbee, rely on network keys exchanged during a first device registration phase. However, they also depend on additional keys used as encrypted data in point-to-point communications or within sub-networks.

“One of the main issues is to make sure the pairing or registration process is not compromised by leaking passwords or installation of keys. In all wireless communication cases, a safe practice is to implement application-level security, such as TLS or DTLS, or custom security on top of the protocol to ensure authentication, confidentiality, integrity, and sometimes forward secrecy when desirable,” said Thierry Kouthon, technical product manager at Rambus Security.

Many short-range communication applications are embedded. Taking an embedded FPGA (eFPGA) approach potentially can add another layer of security.

“Short-range communication is being hacked in new ways every day,” said Andy Jaros, vice president of IP sales and marketing at Flex Logix. “One of the best ways to keep up is to add eFPGA. This provides a future upgrade path as new cryptographic algorithms come on line to thwart hacking attempts with eFPGA as a low-cost, low-power, reconfigurable high-performance solution.”

Cybersecurity on wireless communication protocols is a complex matter. Even though short-range communication is the primary subject of discussion here, it often is connected to a network. As a result, it becomes a hybrid protocol involving both short- and long-range wireless communication. If the device used primarily for short-range communication is hacked, the stolen information or identity could compromise another endpoint if an entire network is not protected. Additionally, using a third-party certification program will increase the level of security of the overall system.

“The use of long- and short-range wireless communication mediums has evolved rapidly,” said Mark Knight, director, architecture product management at Arm. “In some cases, the protocols used have not kept pace with the threats and attacks these mediums have allowed. Modern devices will frequently communicate with services or devices that are thousands of miles apart over a diverse mix of different physical mediums. For example, a smart device may communicate with a distant cloud server via a combination of Thread, Wi-Fi, Ethernet, and Very High-Speed Digital Subscriber Line (VDSL).”

Arm’s approach is to use a robust, end-to-end cryptographic protocol to establish identity and authenticity of each endpoint, which is more essential due to the fact that it’s a heterogeneous communication environment. “This ensures the integrity and confidentiality of all data and transactions, regardless of the medium,” Knight said. “Secure protocols rely on each endpoint device having a Root of Trust that cannot be cloned, stolen, or modified by an attacker. Architects must not be tempted to rely on the use of short-range mediums to mitigate attacks. To ensure endpoint devices are secure, a secure device methodology is key, such as that described by PSA Certified. That helps to guide chip and device vendors through a process that starts with a proven set of robust security goals used to build connected devices that contain a secure Root of Trust. Vendors then can submit their products for independent testing and certification via several different evaluation labs. Cryptographic protocols will use the keys that are protected within the certified Root of Trust. Once devices have used these keys to establish mutual end-to-end trust, they can communicate securely without having to place any trust in the physical mediums that the encrypted messages traverse.”

The future of short-range communication
Here are three characteristics of how the short-range communication technology will evolve in the future:

  • New applications will emerge.
  • New innovations of the technology will be developed.
  • There will not be a universal security standard for the short-range technology protocol. Each will continue to have its own security standards and updates.

New applications will be deployed in various vertical segments. In smart retailing, for example, changing or updating product price displays inside a store can be labor intensive. With a short-range wireless broadcast system to change the prices on display instantaneously, retailers can save time and costs. Today, very few stores are taking advantage of this technology, but that is expected to change. Additionally, NFC can be applied to individual product promotion.

“As it is short-range and associated with a “tap” gesture, NFC technology has several new applications on the horizon,” said Sylvain Fidelis, marketing and applications manager for ST25 NFC products at STMicroelectronics. “First, with every NFC-enabled smartphone now supporting a “reader” mode, NFC can be used to connect to previously unconnected items to enable new interactions. The latest example is the Paco Rabanne perfume bottle, where users can now access the perfume universe or purchase refills with a simple tap.”

New innovations are expected to be available. One example is Light-Fidelity (Li-Fi). Not as well-known as Wi-Fi, Li-Fi uses LED light to transmit signals. Li-Fi, a visible light communication technology, has demonstrated speeds in excess of 1 Gbps under lab conditions. It is ideal for use in buildings enclosing large obstacle-free spaces. According to Emergen Research, the Li-Fi market size is expected to reach $15 billion by 2028. Additional short-range technology innovation is expected to emerge.

In a world full of cybersecurity threats, security will continue to be a critical requirement. But we won’t see a common cybersecurity standard adopted by these short-range communications technologies. Instead, each technology will continue to develop its own security protocols and standards. Finally, staying vigilant is the key to security.

“Short-range communications are here to stay, so we will need to devise effective methods to secure them,” said Rambus’ Kouthon. “In general, most rely on the right paradigm of device authentication and link encryption. The security vulnerability usually occurs during the initial pairing process between devices. This weak spot can be remediated by physically protecting the location where the process is performed from wireless signal capture. Or pairing can be guarded by assisting the process with PINs that are stored on both devices. Usually, the cryptographic basis of the protocol used is sound and effective when properly implemented. Implementing additional application-level security on top of the wireless protocol when possible is always recommended.”
