Design, Implementation, and Evaluation of Secure Cyber-Physical and Wireless Systems


The first part of the dissertation presents our contributions in the area of cyber-physical system security. CPS are composed or sensors, actuators and controllers, and they are used to manage different processes such as industrial plants. Securing CPS is an open challenge and attacks such as Stuxnet and TRITON have reiterated the importance of securing CPS. In this work we focus on three (intertwined) problems to advance the security of CPS, namely technologies and processes, multi-disciplinary communities, and threat models and incentives. To address these problems we present the design, implementation, and evaluation of MiniCPS, an open-source toolkit for lightweight and real-time simulation of CPS. MiniCPS is built on top of Mininet, a network emulator based on Linux containers. We explore the usability of MiniCPS to develop defense mechanisms for CPS, with a particular emphasis on honeypots. A honeypot is a virtual or physical replica of a real system deployed to detect, mitigate and counteract cyber attacks. We leverage MiniCPS to design, implement and evaluate a novel high-interaction honeypot for industrial control systems. In addition, we test the effectiveness of MiniCPS as an educational and experimentation tool to help cybersecurity researchers and professionals. In particular, we used MiniCPS to design novel cybersecurity challenges based on real-time simulations of CPS. The challenges were proposed in a gamified security competition that we designed called SWaT Security Showdown (S3). The second part of the dissertation presents our contributions in the area of wireless systems security. Wireless systems are used to transmit (sensitive) information and to manage and monitor systems remotely. In this work we focus on three problems to advance the security of wireless systems, namely effectiveness of deployed physical layer features as defense mechanisms, complexity and accessibility of wireless technologies, and security evaluations of wireless protocols. Firstly, we present a comparison between b/n/ac amendments of IEEE 802.11 (WLAN) where we theoretically estimate and empirically measure that recent physical layer features, such as MIMO and beamforming, could be used to mitigate passive eavesdropping attacks. These features are already present in commercial devices and they are complementary to the other (upper-layer) security mechanisms. Then, we present the first security analysis of Nearby Connections, an API for proximity-based services developed by Google. The API uses a combination of Bluetooth and Wi-Fi, and it is included in all Android devices since version 4.0 and all Android Things devices. Our analysis uncovers the proprietary (security) mechanisms of Nearby Connections and it is based on our reverse-engineering of its implementation. We demonstrate attacks where we maliciously manipulate Nearby Connections, and we extend the connection range to devices that are not nearby. Prior to publication we disclosed our findings to Google and we suggested them effective countermeasures. Finally, we describe how we found and exploited an architectural vulnerability of Bluetooth BR/EDR. We show how an attacker can downgrade the entropy any Bluetooth BR/EDR encryption key to 1 byte without being detected, and brute force the low entropy key in real time. We call our attack the Key Negotiation Of Bluetooth (KNOB) attack. We implement the attack and evaluate it on 21 Bluetooth vulnerable devices and we recommended to the Bluetooth SIG effective countermeasures.

Singapore University of Technology and Design (SUTD)