CN114978566A - Security apparatus for protecting power-saving wireless device from attack - Google Patents

Publication number
CN114978566A
Authority
CN
China
Prior art keywords
wireless communication
client device
notification
security
notification mode
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111159048.3A
Other languages
Chinese (zh)
Inventor
C·蒙泰亚努
B·森特
G·法尔卡斯
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Bitdefender IPR Management Ltd
Original Assignee
Bitdefender IPR Management Ltd
Priority claimed from US17/248,909 (US11696138B2)
Application filed by Bitdefender IPR Management Ltd
Publication of CN114978566A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/28 Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/70 Reducing energy consumption in communication networks in wireless communication networks

Abstract

The present disclosure relates to a security apparatus for protecting a power saving wireless device from attacks. The described systems and methods allow multiple wireless internet of things (IoT) devices to be protected from impersonation attacks. In some embodiments, the security appliance detects an availability notification issued as part of a protocol to establish a wireless connection between two devices (e.g., Bluetooth® Low Energy advertisements). The security device may then determine whether the detected notification fits a baseline notification pattern of the apparent sender. If not, the security apparatus may attack the sender device by replying to the respective availability notification and initiating a handshake.

Description

Security apparatus for protecting power-saving wireless device from attack
Related application
The present application claims benefit of the filing date of U.S. provisional patent application No. 62/705,044 entitled Security application for Protecting Power-Saving Wireless Devices Against attacks, filed on 9/6/2020, the entire contents of which are incorporated herein by reference.
Technical Field
The present invention relates to computer security systems and methods, and in particular, to protecting electronic equipment from malicious device attacks.
Background
A wide variety of devices, colloquially referred to as the internet of things (IoT), are currently connected to communication networks and the internet. Such devices include, inter alia, smartphones, smartwatches, TVs and other multimedia devices, gaming machines and household appliances, such as door locks, household robots, refrigerators, surveillance cameras, various sensors, thermostats, sprinklers, etc. As more of these devices come online, they become the target of security threats such as malware and hacking.
Another recent consumer trend includes the use of a variety of small and portable electronic devices to facilitate everyday tasks such as scanning bar codes, paying for groceries, unlocking doors, and starting cars, among others. In a typical example, a point-of-sale device of a supermarket may establish a temporary wireless connection with a customer's mobile phone or electronic wallet device to automatically perform a payment transaction. In another example, the computer of the car may establish a temporary wireless connection with the owner's key and automatically open the doors or start the engine. In yet another example, a smart door lock may automatically unlock a house door in response to sensing the proximity of a target device, such as a cell phone or key fob token.
Yet another trend includes the use of a variety of electronic devices for marketing and/or affecting consumer behavior. Examples include marketing beacons that can establish a temporary wireless connection with a customer's mobile phone, causing the mobile phone to display an availability notification. Some such devices may collect data about the respective customer and/or the respective mobile phone in a way that is hard to notice, such as registering the location, schedule, purchasing habits, contacts, etc. of the respective person. Such devices may thus expose the public to significant privacy risks if left unprotected.
In view of the foregoing, there is an increasing need to protect wireless electronic devices from malware and malicious manipulation, as well as to protect communications to and from such devices.
Disclosure of Invention
According to one aspect, a security apparatus is configured to protect a client device from computer security threats. The security apparatus comprises at least one hardware processor configured to, in response to detecting a first wireless communication comprising an availability notification issued in preparation for establishing a peer-to-peer connection with a management device, determine whether the first wireless communication is appropriate for a notification mode specific to the client device. The at least one hardware processor is further configured to transmit a second wireless communication configured to mimic a response of the management device to the first wireless communication when the first wireless communication does not fit in the notification mode. The at least one hardware processor is further configured to, in response to transmitting the second wireless communication, perform a security action to secure the client device or the management device.
According to another aspect, a method of protecting a client device from computer security threats includes, in response to detecting a first wireless communication comprising an availability notification issued in preparation for establishing a peer-to-peer connection with a management device, employing at least one hardware processor of a security apparatus to determine whether the first wireless communication is appropriate for a notification mode specific to the client device. The method further includes transmitting, with the at least one hardware processor, a second wireless communication configured to mimic a response of the management device to the first wireless communication when the first wireless communication does not fit in the notification mode. The method further includes performing a security action with the at least one hardware processor to secure the client device or the management device in response to transmitting the second wireless communication.
According to another aspect, a non-transitory computer-readable medium stores instructions that, when executed by at least one hardware processor of a security apparatus, cause the security apparatus to determine, in response to detecting a first wireless communication comprising an availability notification issued in preparation for establishing a peer-to-peer connection with a management device, whether the first wireless communication is appropriate for a notification mode specific to the client device. The instructions further cause the security apparatus to transmit a second wireless communication configured to mimic a response of the management device to the first wireless communication when the first wireless communication does not fit in the notification mode. The instructions further cause the security apparatus to perform a security action to secure the client device or the management device in response to transmitting the second wireless communication.
Drawings
The foregoing aspects and advantages of the invention will become better understood upon reading the following detailed description and upon reference to the drawings in which:
Fig. 1 shows a security apparatus for protecting a plurality of client wireless devices from attacks, in accordance with some embodiments of the present invention.
Fig. 2 shows a typical message exchange between two electronic devices according to a power-saving communication protocol.
Fig. 3 illustrates an exemplary message exchange that occurs during an attack in which a malicious device impersonates a legitimate device.
Fig. 4 shows an exemplary message exchange in an embodiment configured to be protected from attacks, according to some embodiments of the invention.
FIG. 5 illustrates exemplary components of a security device according to some embodiments of the invention.
Fig. 6 shows an exemplary sequence of steps performed by a security device, according to some embodiments of the invention.
Fig. 7 shows an exemplary hardware configuration of a security device according to some embodiments of the present invention.
Detailed Description
In the following description, it is understood that all enumerated connections between structures may be direct operative connections or indirect operative connections through intermediate structures. A set of elements includes one or more elements. Any enumeration of elements should be understood to mean at least one element. A plurality of elements includes at least two elements. Unless otherwise required, any described method steps need not necessarily be performed in the particular illustrated order. A first element (e.g., data) derived from a second element encompasses a first element that is equal to the second element, as well as first elements generated by processing the second element and optionally other data. Making a determination or decision based on a parameter encompasses making the determination or decision based on the parameter and optionally based on other data. Unless otherwise specified, an indicator of some quantity/data may be the quantity/data itself, or an indicator different from the quantity/data itself. A computer program is a sequence of processor instructions that carry out tasks. The computer programs described in some embodiments of the invention may be separate software entities or sub-entities (e.g., subroutines, libraries) of other computer programs. The term 'database' is used herein to mean any organized collection of data. An availability notification is a communication issued by a device as part of a protocol for connecting with other devices, the availability notification issued in preparation for initiating a connection. Computer-readable media encompasses non-transitory media such as magnetic, optical, and semiconductor storage media (e.g., hard drives, optical disks, flash memory, DRAM), as well as communication links such as conductive cables and fiber optic links, among others. According to some embodiments, the present invention provides hardware (e.g., one or more processors) programmed to perform the methods described herein and computer-readable media encoding instructions for performing the methods described herein.
The following description illustrates embodiments of the invention by way of example and not necessarily by way of limitation.
Fig. 1 shows an exemplary set of power save client devices 12a-e protected from attack by a security apparatus 20, according to some embodiments of the invention. Each client device 12a-e may comprise an electronic device having a processor and memory and capable of exchanging electronic messages with other client devices and/or management device 16. Exemplary client devices 12a-e include personal computers, tablet computers, smartphones, gaming machines, home appliances (e.g., smart TVs, media players, home robots, thermostats, lighting appliances, door locks), and wearable computer devices (e.g., smart watches, virtual reality headsets, health and/or fitness devices, etc.). Another category of exemplary client devices 12a-e includes payment terminals, such as point-of-sale devices, and commercial proximity advertising devices, among others.
The term 'power saving' is used herein to indicate devices and/or communication strategies/protocols specifically aimed at reducing the energy cost of communication. Some power saving devices are relatively small and battery operated; their hardware specifications and communication protocols are carefully chosen to extend battery life and thus increase autonomy of the respective devices. One exemplary power saving strategy includes limiting the transmit power and thus the communication range (e.g., Bluetooth® Low Energy devices can reach up to 100 meters, [trademark image] up to 10 to 20 meters, etc.). Another power saving strategy limits the communication data rate (e.g., [trademark image] devices reach up to 250 kbit/s). Some power saving devices intentionally use power saving communication protocols where communication occurs in concentrated intermittent bursts. The respective power saving device may be in a low power/sleep mode most of the time and may occasionally wake up to advertise its presence, location and/or service. Other devices, such as the management device 16 (fig. 1), may negotiate connections in response to respective availability notifications and engage respective power saving devices. The communicating parties may then exchange data over the established connection, and after the exchange is complete, the power saving device may return to a low power state. Exemplary power saving protocols include the Bluetooth® Low Energy (BLE) protocol family. For simplicity and clarity, the following description will assume that communication is carried out according to the BLE protocol. However, BLE is used as an example only and is not meant to limit the scope of the present invention. The person skilled in the art will appreciate that the present teachings may be adapted to any communication protocol in which a protected device announces its presence/availability by broadcasting an availability notification, and in which a connection is initiated by a partner device in response to a respective availability notification.
Each client device 12a-e may communicate with a partner device, such as management device 16, over a wireless connection illustrated as items 14a-e in fig. 1. Connections 14a-e represent peer-to-peer links/communication channels characterized by a mutually agreed set of parameters, such as carrier band and a pair of physical addresses (e.g., medium access control-MAC addresses) of the respective communication partners. The term 'peer' is used herein to denote a communication mode in which data is exchanged directly between the connecting endpoints, i.e. not routed via a third party such as a network controller. In the Open Systems Interconnection (OSI) model of computer networks, connections 14a-e may represent the data link layer, i.e., the functional and programmatic means by which data is transferred between endpoints of the respective connections. Individual wireless connections 14a-e may be established and operated according to a power saving communication protocol such as BLE.
In some embodiments, the management device 16 includes a computing apparatus (e.g., a smartphone, a personal computer) that manages the connections and/or services provided by the selected client devices 12 a-e. Managing connections (e.g., connections 14a-e in fig. 1) may include setting/negotiating connection parameters, such as network address, frequency band, and password parameters, among others. Managing services may include, for example, configuring parameters of the respective service and/or client device and transmitting commands to the respective client device that cause the respective device to perform specific tasks (e.g., setting a desired temperature on a thermostat, opening a door lock, registering payment, etc.). In some embodiments implementing BLE protocol(s), management device 16 may represent a master/central device, while client devices may represent slave/peripheral devices. Although fig. 1 shows a single management device 16, the skilled artisan will appreciate that not all client devices 12a-e may be connected to the same management device; in an embodiment, distinct client devices may be connected to distinct management devices. However, in an exemplary embodiment, a single management device 16 (e.g., a smartphone) may actually connect with and manage multiple client devices 12a-e, such as thermostats, door locks, and exercise bands.
A malicious device 18 may attempt to attack a selected client device and/or management device 16. An attack in this context means an attempt to connect to a target device with an illegal/malicious purpose, such as interfering with the normal operation of the target device and/or sniffing data received or sent by the target device. Attacking a target device may further include impersonating a legitimate partner of the target device in order to trick the target device into accepting a connection from the malicious device 18 or initiating a connection with the malicious device 18. Examples of attacks are detailed further below.
In some embodiments, the security apparatus 20 comprises an electronic device configured to detect electronic communications from the client devices 12a-e, the management device 16, and/or the malicious device 18 and/or participate in electronic communications with the client devices 12a-e, the management device 16, and/or the malicious device 18 for the purpose of protecting the client devices 12a-e from attacks, as described below. Apparatus 20 may comprise any electronic device having a processor and wireless communication hardware (e.g., an antenna and associated interface, etc.). The exemplary security apparatus 20 comprises a separate dedicated apparatus comprising electronic circuitry enclosed in a container sized and configured to be placed on a bookshelf, fixed to a wall, or the like. In other embodiments, the security device 20 may comprise a portable battery powered device integrated into an accessory such as a key fob, watch, wallet, or other wearable object.
In an alternative embodiment, the security apparatus 20 shares hardware with a host device, such as a general purpose computer or a mobile telecommunications device (e.g., a smartphone). The security apparatus 20 may thus be incorporated into the protected client devices 12a-e, the management device 16, and/or a third party device. One such exemplary security apparatus comprises a set of software modules that execute on a hardware processor of the smartphone and connect with protected client devices 12a-e and potentially malicious devices using the communication hardware of the respective smartphone. Another exemplary apparatus 20 may be embodied as a set of separate electronic components (e.g., an integrated circuit) soldered or otherwise connected to a motherboard of a host device. For example, the security apparatus 20 may be embodied as a Peripheral Component Interconnect (PCI) express card having any of the form factors known in the art. Another exemplary embodiment includes a dongle connected to a client device via a Universal Serial Bus (USB) interface. One such exemplary card/dongle may include communication hardware such as a radio antenna and associated interface, and may or may not have a dedicated hardware processor distinct from the main processor of the respective host device.
FIG. 2 shows an exemplary data exchange between a selected client device 12 and the management device 16 according to the Bluetooth® Low Energy (BLE) power saving protocol. The illustrated client device 12 generally represents any of the client devices 12a-e in fig. 1. To advertise its presence/availability, the client device 12 may wirelessly broadcast an availability notification 22. In BLE embodiments, the availability notification 22 may include a BLE advertisement.
The availability notification 22 includes a communication issued by the respective device in preparation for establishing the connection. The notification 22 may be distinguished from other kinds of communications by dedicated data fields/flags. In the exemplary BLE embodiment, a particular segment of each data packet (referred to as a protocol data unit, or PDU) indicates whether the respective data packet/communication is an availability notification (referred to in BLE terminology as an advertisement). The PDU may further specify a notification type of the corresponding availability notification. Exemplary BLE notification types include undirected (the device may be connected with any available partner), directed (the device may be connected with a specific central/management device), and non-connectable (the device is not available for connection), among others. The availability notification 22 may further include a device identifier, such as a Universally Unique Identifier (UUID), a MAC address, a manufacturer ID, and/or a device name, among others. Some availability notifications 22 may include a set of indicators/flags indicating various aspects of the functionality of the client device 12, such as an indicator of a device type, an indicator of a type of service provided by a respective client device (e.g., thermostat, point-of-sale device, etc.), a set of frequencies/channels available for communication, and so forth.
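The following added example (not part of the patent text) shows how a monitor could recognise a BLE advertising PDU and pull out the notification type and the identifiers described above. It follows the standard BLE link-layer advertising header and AD-structure layout; the sample packet, address and device name are constructed for illustration.

```python
# Added illustration: classify a BLE link-layer advertising-channel PDU.
# Header byte 0: bits 0-3 PDU type, bit 6 TxAdd; byte 1: payload length.

ADV_PDU_TYPES = {
    0x0: ("ADV_IND", "connectable undirected"),
    0x1: ("ADV_DIRECT_IND", "connectable directed"),
    0x2: ("ADV_NONCONN_IND", "non-connectable undirected"),
    0x6: ("ADV_SCAN_IND", "scannable undirected"),
}
AD_TYPE_COMPLETE_LOCAL_NAME = 0x09


def format_address(raw: bytes) -> str:
    """Addresses are sent least-significant byte first; print them MSB first."""
    return ":".join(f"{b:02X}" for b in reversed(raw))


def parse_ad_structures(data: bytes) -> dict:
    """Split AdvData into {ad_type: value}; each entry is [len][type][value]."""
    out, i = {}, 0
    while i < len(data):
        n = data[i]
        if n == 0:                      # zero length marks early termination
            break
        if i + 1 + n > len(data):
            raise ValueError("AD structure overruns the payload")
        out[data[i + 1]] = data[i + 2:i + 1 + n]
        i += 1 + n
    return out


def parse_adv_pdu(pdu: bytes):
    """Return a dict for availability notifications, None for other PDU types."""
    if len(pdu) < 2 or len(pdu) - 2 != pdu[1]:
        raise ValueError("truncated PDU or length field mismatch")
    pdu_type = pdu[0] & 0x0F
    if pdu_type not in ADV_PDU_TYPES:   # e.g. SCAN_REQ, SCAN_RSP, CONNECT_IND
        return None
    payload = pdu[2:]
    if len(payload) < 6:
        raise ValueError("payload too short for an advertiser address")
    name, kind = ADV_PDU_TYPES[pdu_type]
    info = {
        "pdu": name,
        "kind": kind,
        "adv_address": format_address(payload[:6]),
        "random_address": bool(pdu[0] & 0x40),
    }
    if pdu_type == 0x1:                 # directed: AdvA followed by TargetA
        if len(payload) != 12:
            raise ValueError("ADV_DIRECT_IND payload must be 12 bytes")
        info["target_address"] = format_address(payload[6:12])
    else:
        ads = parse_ad_structures(payload[6:])
        raw_name = ads.get(AD_TYPE_COMPLETE_LOCAL_NAME, b"")
        info["local_name"] = raw_name.decode("utf-8", "replace")
    return info


# Constructed sample: ADV_IND, random address AA:BB:CC:00:00:01, name "Thrm".
SAMPLE_ADV_IND = bytes([0x40, 15]) + bytes.fromhex("010000CCBBAA") \
    + bytes([0x02, 0x01, 0x06]) + bytes([0x05, 0x09]) + b"Thrm"
```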
At the same time, the management device 16 may scan for availability notifications. In response to detecting the availability notification 22, the management device 16 may initiate a connection with the client device 12 via a handshake exchange 24 during which the devices 12 and 16 may negotiate a set of communication parameter values (e.g., encryption keys, frequency bands, etc.). In response, the devices 12 and 16 may exchange a set of payload messages 28 formatted according to the negotiated parameter values, the payload messages 28 including, for example, an indicator of the current state of the client device 12 (e.g., the current temperature, in the case of a thermostat), an encoding of a command transmitted from the management device 16 to the client device 12, and so forth.
A malicious attacker may break into such communications between the client device and the management device 16 to passively eavesdrop and/or actively participate in the attack. Several kinds of attacks are known in the art. In one example illustrated in fig. 3, a malicious device 18 may be used to initiate a connection to the client device 12 and/or the management device 16 (see, e.g., connections 14f-g in fig. 1). The malicious device 18 may impersonate the client device 12 by broadcasting the rogue availability notification 122, thus enticing the management device 16 to engage in the rogue handshake exchange 124a and establish a connection with the malicious device 18. After a successful handshake, the malicious device 18 may read the communication destined for the client device 12. In another example, the malicious device 18 may impersonate the management device 16 and respond to the availability notification broadcast by the client device 12, thereby participating in the rogue handshake exchange 124b with the client device 12. Thus, the malicious device 18 may trick the respective client device into connecting to the malicious device 18 instead of the management device 16. If successful, such an attack strategy may place the malicious device 18 in a man-in-the-middle position, where it may snoop, suppress, and/or alter legitimate data exchanges between the client device 12 and the management device 16.
Fig. 4 shows an exemplary exchange of communications between malicious device 18 and security apparatus 20, carried out to protect client device 12 and/or management device 16 from malicious device 18, according to some embodiments of the present invention. In some embodiments, the security apparatus 20 may listen for and reply to the rogue availability notification 222 issued by the malicious device 18, thus initiating a connection with the malicious device 18. To initiate the connection, some embodiments of the security apparatus 20 engage in a rogue handshake exchange 224 with the malicious device 18 while impersonating the management device 16. In other words, some embodiments trick the malicious device 18 into believing that it is communicating with the management device 16 (e.g., connection 14g in fig. 1), while the corresponding connection is actually established with the security apparatus 20 (e.g., connection 14h in fig. 1). In some embodiments, the security apparatus 20 impersonates the management device 16 by performing the rogue handshake 224 using device identification data and/or other features of the device 16 (e.g., same frequency band, same frequency hopping pattern, same network address, etc.). In response to establishing the connection, the security apparatus 20 may conduct a rogue payload exchange 228 with the malicious device 18, for example, by sending proxy data to the device 18, as shown in more detail below. Alternate embodiments may simply keep the respective connection active indefinitely or for a predetermined amount of time, thus preventing the malicious device 18 from attempting to make other connections.
Fig. 5 shows exemplary components of security apparatus 20, including device monitoring module 62 communicatively coupled to attack module 64, according to some embodiments of the invention. Modules 62 and/or 64 may be embodied as software (computer programs) stored in a memory of apparatus 20 and executed on at least one hardware processor of apparatus 20. However, the software embodiments are given herein only as examples and are not intended to limit the scope of the invention. Those skilled in the art will appreciate that the functionality of modules 62 and/or 64 may be implemented in firmware or even special purpose hardware modules, such as a set of Application Specific Integrated Circuits (ASICs) or Field Programmable Gate Arrays (FPGAs) configured to perform the described methods.
In some embodiments, monitoring module 62 is configured to monitor wireless communications occurring in the vicinity of security apparatus 20. Monitoring may include detecting communications and analyzing the respective communications to extract a set of characteristic features. Monitoring may further include determining whether the selected communication fits a baseline communication pattern of the apparent sender of the respective communication. Some embodiments are further configured to determine such a baseline communication pattern specific to each client device 12a-e and/or management device 16.
A baseline communication pattern of a device herein comprises a set of data that collectively characterize an electronic communication transmitted by the respective device, wherein the characteristic data is not extracted or determined from the content/payload of a message contained by the respective communication. Instead, the characteristic data may be extracted and/or determined from the communication metadata and/or other features, such as a count and/or frequency of occurrences of communications from the respective device, a calendar, a schedule, or other measure of the time distribution of such communications, a time delay between successive communications originating from the respective device, an indicator of the strength/power/amplitude of the signal carrying the respective communication (e.g., received signal strength indicator, RSSI), the strength/power/amplitude measured at a reference location such as the security apparatus 20 or some external sensor, a signal-to-noise ratio of the signal carrying the respective communication, a wave frequency of the signal carrying the respective communication, an originating network address (e.g., BLE address), and an identifier of the sender device (e.g., device name, MAC address), and so forth. Some embodiments may extract and/or determine such characteristic features from the content of the header and/or from metadata contained in each intercepted communication.
A preferred embodiment of the monitoring module 62 is configured to determine whether the detected availability notification fits the baseline notification pattern of its apparent sender device, as described in detail below. The baseline notification pattern of a device herein includes a baseline communication pattern that characterizes availability notifications broadcast by the respective device (see, e.g., item 22 in fig. 2). Notification pattern data is extracted from and/or determined from communication characteristics other than the content/payload of the individual notification. An exemplary notification pattern of a device may include, among other things, a characteristic length of a time interval between consecutive availability notifications, a characteristic notification frequency (i.e., a count of availability notifications per unit time), a characteristic RSSI of a carrier signal received from the respective client and measured at the security device 20 or at another reference location, a characteristic wave frequency of a signal carrying an availability notification issued by the respective client, and a characteristic signal-to-noise ratio calculated for availability notifications received from the respective client. In one example, each characterization feature of the baseline notification pattern may be expressed as an average (e.g., mean, median, etc.) of a set of measurements or determinations carried out for individual availability notifications received from the respective device. For example, a client device may be characterized by an average advertisement frequency of 2Hz (i.e., an average of 2 availability notifications per second, or 0.5 seconds between successive availability notifications). The typical advertisement frequency may be further characterized by a measure of variability, such as a standard deviation. Some characterization features may be expressed as a range of values (e.g., a typical range of network addresses). Other characterization features may be boolean values; other characterization features may be non-numeric (e.g., device name).
In an alternative embodiment, the baseline notification pattern determined for the selected client device 12 may comprise a set of records, each record corresponding to a distinct availability notification 22 received from a respective client device 12, each record comprising a set of data characterizing the respective availability notification. An exemplary characteristic data set of availability notifications may include, for example, a timestamp, a frequency band, a signal strength, and an originating network address of the respective availability notification, and may further include a device identifier of the originating device.
In some embodiments, the notification patterns characterizing a set of protected client devices may be collected and/or determined by the security apparatus 20 itself. In one such example, for each client device within its range, apparatus 20 may spend a training period listening for availability notifications and gradually establishing/determining a baseline notification pattern that characterizes the respective device. In an alternative embodiment, the baseline notification pattern may be determined by the service provider and subsequently provisioned to the security apparatus 20. In one such example, the service provider may determine a catalog of baseline notification patterns that characterize various brands and models of IoT devices. The security apparatus 20 may transmit an identifier (e.g., MAC address, make, and model) of the selected client device to the service provider and, in response, receive an encoding of the baseline notification pattern for the respective client device. The respective patterns may be kept up to date via a software update mechanism.
The baseline notification pattern data may be stored in the device profile database 60, such as on a non-volatile computer-readable storage medium that is part of (or communicatively coupled with) the security apparatus 20. This data may be encoded in any computer-readable format known in the art, for example as a numeric array, in a version of the extensible markup language (XML) or in JavaScript object notation (JSON).
In some embodiments, attack module 64 is configured to initiate a connection with malicious device 18 (see, e.g., connection 14h in fig. 1). Initiating the connection may include a handshake exchange with the device 18 to negotiate a set of connection parameters. During the handshake, some embodiments may impersonate the management device 16 or a protected client device to trick the malicious device 18 into believing that it is currently connected to the device 16 or the respective client. Attack module 64 may be further configured to carry out denial of service attacks on the device 18, such as by keeping the established connection indefinitely active by bombarding the malicious device 18 with data packets (e.g., ping), thereby preventing it from performing its malicious activities.
Fig. 6 shows an exemplary sequence of steps performed by the security apparatus 20 to protect a set of client devices from attack, according to some embodiments of the invention. Some embodiments rely on the following observation: to trick the management device 16 into connecting with the malicious device 18 instead of the client device 12, the device 18 may need to send bogus availability notifications 222 (fig. 4) at other times and/or in much larger numbers than the respective client device. For example, the malicious device 18 may issue availability notifications at time intervals shorter than those of the target client device, hoping that the management device 16 may pick up and respond to at least one of these messages rather than a legitimate availability notification from the target device. In other words, the malicious device 18 may need to advertise in a manner that deviates from the baseline notification pattern of the protected client device. Thus, some embodiments determine a baseline notification pattern for each protected client device 12, and then check whether a current availability notification that appears to originate from the client device fits the baseline pattern of the respective client device. A deviation from the baseline pattern may indicate that a malicious device is currently impersonating the respective client device, so in response to identifying such a suspicious availability notification, some embodiments may automatically attack the source of the respective suspicious availability notification.
In a sequence of steps 402-404, apparatus 20 may listen for availability notifications. When an availability notification is detected, step 406 may identify the sender of the respective message, for example, according to a network address and/or according to a device identifier (e.g., MAC address, device name, device manufacturer, etc.). Some embodiments may use other identifying characteristics such as amplitude, strength, or signal-to-noise ratio of the carrier signal of the respective availability notification. The sequence of steps 408-410 may determine whether baseline pattern data is available for the identified sender device. When not, step 411 may create a new baseline notification pattern and associate the new pattern with the respective client device.
Step 411 may include extracting a set of features from the intercepted availability notification and computing a set of baseline pattern data characterizing the respective client from the extracted features. Exemplary baseline notification pattern data may include an average time interval separating consecutive availability notifications issued by respective clients, an average strength of a carrier signal of the respective clients, a frequency band in which the respective clients issue availability notifications, and so forth. Step 411 may further include creating a new database entry/record associated with the current availability notification, populating the record with data extracted from the respective availability notification, and storing the respective record in profile database 60 along with an association indicator associating the respective record with the client device identified in step 406. In an alternative embodiment, step 411 may include obtaining baseline notification pattern data from a third party (e.g., a service providing server).
When notification pattern data is available for the identified device, in step 412, the security apparatus 20 may determine whether the current availability notification fits the baseline notification pattern of the respective device. Such a determination may include comparing selected features extracted from the current availability notification with characteristic features of availability notifications previously received from the respective client. In some embodiments, step 412 includes calculating a similarity measure quantifying the similarity between the current availability notification and previous availability notifications received from the same client device or from devices of the same kind (e.g., same make and model) as the respective client device.
In one exemplary embodiment, step 412 may comprise determining the length of the time interval that has elapsed since the most recent availability notification was received from the same client device, and comparing it to a typical (e.g., average, median) time delay between successive availability notifications broadcast by the respective device. Some embodiments may determine that the current availability notification fits the baseline notification pattern of the respective client device when a difference between the current time delay and the recorded characteristic time delay is less than a predetermined threshold, and that it does not fit otherwise. When step 412 returns yes, some embodiments may further proceed to step 420, wherein the existing baseline notification pattern of the respective client device is updated to include data extracted and/or calculated according to the current availability notification.
Alternative embodiments may determine whether the current availability notification fits the baseline pattern of the respective device according to other criteria. For example, some embodiments may detect a change in the RSSI of the wireless signal carrying the current availability notification relative to a baseline RSSI of other communications received from the respective client device. Some embodiments may detect a difference in transmission noise or signal-to-noise ratio between the current availability notification and a baseline determined for the respective client device. A relatively large deviation from the baseline may indicate that the sender of the current availability notification is another device masquerading as a protected client device 12. Other exemplary criteria include the frequency band used to transmit the current availability notification. For example, some embodiments may determine a baseline pattern of hopping between frequency bands that is characteristic of the protected client device, and determine whether a current availability notification fits the baseline pattern according to a frequency band of the current availability notification and further according to a frequency band of a set of previous availability notifications received from the respective client device.
In some embodiments, the similarity measure/score may combine multiple characteristic features of the availability notifications received from the respective device (e.g., average time interval between availability notifications and average signal strength). In one such example, an individual similarity score may be calculated from each of a set of characteristic features. Then, an aggregate similarity score may be determined from the individual scores, for example as a weighted average:
$S_A = \sum_i w_i \sigma_i$, [1]
wherein $\sigma_i$ represent individual similarity scores (e.g., a score determined from a time interval between successive availability notifications, a score derived from RSSI, etc.) and $w_i$ represent individual weights, normalized for example so that the aggregate similarity score $S_A$ falls within predetermined limits (e.g., between 0 and 1). The weights $w_i$ can be adjusted independently to reflect the relevance of each individual feature to the aggregate score $S_A$. Some embodiments may then determine whether the current availability notification fits the baseline notification pattern of the respective client device according to a comparison between $S_A$ and a predetermined threshold.
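The baseline check of steps 411, 412 and 420, scored with the weighted sum of equation [1], is sketched below as an added example that is not part of the patent text. The exponential per-feature score, the weights (0.6 and 0.4), the 0.5 threshold, the 10-interval training period and the sample traffic are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Optional


@dataclass
class Notification:
    sender: str       # apparent sender identifier (step 406), e.g. a BLE address
    timestamp: float  # arrival time, seconds
    rssi: float       # dBm, measured at the security apparatus


@dataclass
class Baseline:
    intervals: list = field(default_factory=list)  # seconds between notifications
    rssis: list = field(default_factory=list)
    last_seen: Optional[float] = None

    def update(self, n: Notification) -> None:
        if self.last_seen is not None:
            self.intervals.append(n.timestamp - self.last_seen)
        self.rssis.append(n.rssi)
        self.last_seen = n.timestamp


def feature_score(value: float, samples: list, floor: float) -> float:
    """Individual score sigma_i in (0, 1]; 1.0 means equal to the baseline mean.

    Assumed form: exponential decay of the deviation, scaled by three standard
    deviations (with a floor so a very steady device does not give scale 0).
    """
    scale = max(3 * pstdev(samples), floor)
    return math.exp(-abs(value - mean(samples)) / scale)


class Monitor:
    WEIGHTS = {"interval": 0.6, "rssi": 0.4}  # assumed w_i, chosen to sum to 1

    def __init__(self, threshold: float = 0.5, min_training: int = 10):
        self.threshold = threshold        # assumed cut-off on S_A
        self.min_training = min_training  # intervals needed before scoring
        self.profiles = {}                # sender -> Baseline

    def aggregate(self, base: Baseline, n: Notification) -> float:
        """S_A = sum_i w_i * sigma_i, equation [1]."""
        sigma = {
            "interval": feature_score(n.timestamp - base.last_seen, base.intervals, 0.05),
            "rssi": feature_score(n.rssi, base.rssis, 2.0),
        }
        return sum(self.WEIGHTS[k] * sigma[k] for k in sigma)

    def observe(self, n: Notification):
        base = self.profiles.setdefault(n.sender, Baseline())
        if len(base.intervals) < self.min_training:  # step 411: build baseline
            base.update(n)
            return "training", None
        s_a = self.aggregate(base, n)                # step 412: does it fit?
        if s_a >= self.threshold:
            base.update(n)                           # step 420: fold into baseline
            return "fits", s_a
        return "suspicious", s_a  # baseline and last_seen stay untouched


def constructed_stream():
    """Constructed traffic: one device at 2 Hz and about -60 dBm, plus three
    notifications reusing its address at 0.1 s spacing and -45 dBm."""
    addr = "AA:BB:CC:DD:EE:01"  # constructed address
    jitter = [0.0, 0.01, -0.01, 0.02, -0.02]
    noise = [0, 1, -1, 2, -2]
    stream = [(Notification(addr, 0.5 * k + jitter[k % 5], -60 + noise[k % 5]), False)
              for k in range(20)]
    stream += [(Notification(addr, t, -45), True) for t in (8.1, 8.2, 8.3)]
    return sorted(stream, key=lambda item: item[0].timestamp)


def run(stream):
    monitor = Monitor()
    return [(spoofed, *monitor.observe(n)) for n, spoofed in stream]


if __name__ == "__main__":
    for spoofed, verdict, score in run(constructed_stream()):
        shown = "-" if score is None else f"{score:.2f}"
        print(f"spoofed={spoofed!s:5} verdict={verdict:10} S_A={shown}")
```

A notification judged suspicious is scored but neither added to the baseline nor used as the new reference time, so injected traffic cannot drag the profile toward the impersonator and the next legitimate notification is still measured against the previous legitimate one. The training period is assumed to contain only legitimate notifications.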
Some embodiments may apply more sophisticated methods to determine whether the current availability notification fits the baseline notification pattern of the respective client device. In one such example, the security apparatus 20 may include a set of neural networks trained using various machine learning procedures on a corpus of legitimate availability notifications. After training, such neural networks may be used to determine whether a currently detected availability notification fits the learned legitimate pattern. In such embodiments, the baseline pattern may be encoded via a set of parameters (e.g., synaptic weights) of the trained neural network. Another exemplary embodiment may train a Support Vector Machine (SVM) to learn the baseline notification pattern for each protected client device 12a-e and then apply the respective SVM to determine whether the current availability notification fits the baseline pattern(s). Yet another exemplary embodiment may represent each availability notification as a vector in an abstract space of message features. The baseline pattern of the client device may then be represented as a cluster of vectors in the respective abstract space. Some embodiments may then determine whether the current availability notification fits the baseline pattern based on a distance between the vector representing the current message and a center/centroid of the cluster representing the respective client device.
When the current availability notification does not fit the baseline pattern of the respective device, apparatus 20 may employ attack module 64 to attack the sender of the respective notification (which may be a malicious device 18, see fig. 4). Step 414 may include mimicking the response of the management device 16 to the current notification, such as initiating a handshake with the sender device to establish a peer-to-peer connection. Mimicking herein encompasses reproducing an action that the management device 16 would take under the respective circumstances, as well as performing another set of actions that produce the same effect. The mimicking may further include impersonating the management device 16 by using credentials (e.g., network address, device identifier, etc.) and/or communication characteristics (e.g., band/channel, signal strength) of the management device 16.
Once the handshake exchange is successfully completed and a connection is established with the sender of the current availability notification, some embodiments may perform security actions in step 416 to protect the management device 16 and/or client devices 12a-e from attack by the malicious device 18. One exemplary security action includes keeping the connection established in step 414 active for a predetermined period of time or indefinitely by bombarding the malicious device 18 with data (e.g., ping). Another exemplary security action includes a bogus payload exchange with the sender device by way of the established connection, such as transmitting proxy data to the respective device to mimic a legitimate command or other legitimate communication. The term 'proxy data' herein denotes replacement data having the same data type, format and/or range as legitimate data that the management device 16 may transmit under a given circumstance. Proxy data may be generated ad hoc (e.g., randomly) or predefined.
In yet another example, step 416 may include issuing a security alert 25 (FIG. 4) to notify the user/administrator of the occurrence of the suspicious event. The alert may include an identifier of the respective protected client device 12 (i.e., the apparent sender of the suspicious availability notification) and/or a description of the event. The alert 25 may be transmitted directly to the management device 16 using a local wireless connection, or transmitted to a remote server computer over an extended network such as the internet for further transmission to the management device 16 or to another device configured to process and/or display the alert 25.
Fig. 7 shows an exemplary hardware configuration of the security apparatus 20 according to some embodiments of the invention. The illustrated configuration corresponds to an embodiment in which the functionality of the apparatus 20 is implemented in software. For example, fig. 7 may represent a personal computer performing some of the methods described herein. Other computing systems, such as servers, tablets, smartphones, etc., may have architectures that differ from that shown in fig. 7. In alternative embodiments, the described functionality of modules 62 and/or 64 (FIG. 5) may be implemented in dedicated hardware or may be divided between hardware and software. Furthermore, in some embodiments, some of the illustrated components may be grouped together on separate circuit boards that are connected to a personal computer using a standard interface such as a PCI express bus.
The processor 72 comprises a physical device (e.g., a microprocessor, a multi-core integrated circuit formed on a semiconductor substrate) configured to perform computations and/or logical operations with a set of signals and/or data. Such signals or data may be encoded and delivered to the processor 72 in the form of processor instructions, such as machine code. Processor 72 may include a Central Processing Unit (CPU) and/or an array of Graphics Processing Units (GPUs).
Memory unit 74 may include a volatile computer-readable medium (e.g., dynamic random access memory, DRAM) that stores data/signal/instruction code that is accessed or generated by processor 72 in the course of performing operations. Input devices 76 may include a keyboard, mouse, and microphone, among others, including respective hardware interfaces and/or adapters that allow a user to introduce data and/or instructions into apparatus 20. Output devices 78 may include display devices, such as monitors and speakers, etc., as well as hardware interfaces/adapters, such as graphics cards, to enable the respective computing system to communicate data to users. In some embodiments, the input and output devices 76-78 share common hardware (e.g., a touch screen). Storage 82 includes a computer-readable medium capable of non-volatile storage, reading, and writing of software instructions and/or data. Exemplary storage devices include magnetic and optical disks and flash memory devices, as well as removable media such as CD and/or DVD disks and drives. Communication interface(s) 84 enable security apparatus 20 to connect to an electronic communication network, client devices 12a-e, and/or other electronic devices. In the Open Systems Interconnection (OSI) model of telecommunications, interface(s) 84 may implement elements of the data link and/or network layers. Interface 84 may support multiple carrier media and protocols, such as Ethernet, Wi-Fi, and Bluetooth®, and so on. The apparatus 20 may further include an antenna 90, which generically represents hardware implementing elements of the physical layer of the communication described herein.
Some embodiments of the security apparatus 20 may further include a battery 92 configured to power the illustrated hardware components, and a power manager 88 including hardware configured to manage power consumption and charging of the battery 92. For example, power manager 88 may switch apparatus 20 from an active state to a sleep state to conserve energy, and may wake apparatus 20 in response to an incoming communication. The power manager 88 may further include a solar cell or any other device configured to convert an external energy source into electricity in order to charge the battery 92.
Controller hub 80 generally represents a plurality of system, peripheral, and/or chipset buses, and/or all other circuitry enabling communication between processor 72 and the remaining hardware components of security apparatus 20. For example, the controller hub 80 may include a memory controller, an input/output (I/O) controller, and an interrupt controller. Depending on the hardware manufacturer, some such controllers may be incorporated into a single integrated circuit, and/or may be integrated with the processor 72. In another example, the controller hub 80 may include a north bridge that connects the processor 72 to the memory 74 and/or a south bridge that connects the processor 72 to the devices 76, 78, 82, 84, and 88.
The exemplary systems and methods described above enable protection of various internet of things (IoT) devices from attacks and malicious manipulation. Exemplary protected devices include smart locks, electronic car keys, point of sale and advertising beacon devices, household appliances such as thermostats and lighting fixtures, and wearable devices such as fitness sensors and smart watches, among others. Some embodiments are particularly suitable for protecting power-saving wireless devices, i.e., devices configured to use a power-saving communication protocol such as Bluetooth® Low Energy (BLE), and the like. Such devices are typically in a sleep state and occasionally wake up to advertise their presence and services.
Typical attacks include a malicious device impersonating a legitimate IoT device to trick a communication partner into believing that it is exchanging data with the respective IoT device. In some embodiments, protecting a client device includes determining a baseline notification pattern for a protected device by listening for availability notifications of the device and determining a set of features characterizing the respective availability notifications. Exemplary characteristic features include, among others, typical signal strength (e.g., RSSI) and typical length of time separating two consecutive availability notifications issued by the respective device. Once the notification pattern has been established, the security apparatus may scan for availability notifications. In response to detecting an availability notification, some embodiments of the security apparatus may attempt to identify the sender device and determine whether the current availability notification fits a baseline notification pattern specific to the identified device. A mismatch may indicate that the current availability notification was transmitted by a malicious device masquerading as the identified device. Therefore, when the current availability notification does not fit the baseline notification pattern of the identified protected device, some embodiments attack the sender of the respective availability notification by responding to the availability notification and initiating a connection with the sender device. The connection may then be kept active for a long period of time and/or may be used to poison the sender device with proxy data, thus preventing the sender device from performing its intended malicious activities.
In some embodiments, determining whether the current availability notification fits the protected device's baseline notification pattern includes calculating a similarity measure between the current availability notification and typical availability notifications issued by the respective protected device. For example, some embodiments determine a difference between a measured signal strength of the current availability notification and an average signal strength measured for other availability notifications received from the respective protected device. Another exemplary similarity measure may be determined from the difference between the time elapsed since the previous availability notification of the protected device and the typical time interval between availability notifications specific to the protected device. A relatively strong similarity (small difference) may indicate that the current availability notification fits the baseline pattern. In contrast, a substantial deviation from the typical value may indicate that the current availability notification does not fit the baseline pattern.
Some embodiments may employ more sophisticated methods to determine whether the current availability notification fits the baseline notification pattern. In one computer experiment, a Support Vector Machine (SVM) with a radial basis function kernel was trained on RSSI and notification frequency data for a plurality of BLE devices, and then used to distinguish legitimate availability notifications from notifications generated by impersonators. Tests have shown that this SVM is able to identify malicious availability notifications with at least 80% accuracy when trained on a window of only 20-30 seconds of data. In other words, after listening to a protected device for 20 to 30 seconds, the exemplary SVM classifier is able to learn the baseline notification pattern of the respective device with sufficient reliability to allow detection of a spoofing attack with 80% accuracy. Accuracy can be further increased by extending the time period for training the SVM classifier. Those skilled in the art will understand that this example is not meant to limit the scope of the present disclosure, and that some of the methods described herein may be adapted to other classifier architectures (e.g., neural networks, etc.) and other training data beyond RSSI and advertising frequency.
The following description outlines several use case scenarios of some embodiments of the invention.
Protecting a BLE door lock
Criminals may attempt to break into premises protected by a BLE door lock by using a malicious BLE device to impersonate the lock and thus trick master devices (lock actuators, home security systems, etc.) into connecting to the malicious device rather than the lock itself. After a successful handshake with the master, the malicious device may prevent the master from actuating the door lock by intercepting the lock command. At the same time, the user may have the impression that the door is locked. In some embodiments, a security apparatus as disclosed herein may be installed within BLE range of a door lock and lock actuator device. The security apparatus may detect that a malicious device is attempting to connect to the lock actuator and instead entice the malicious device to connect to the security apparatus, thus preventing malicious manipulation of the lock. For example, such a security apparatus may be integrated into a home security system.
Protecting smart power plugs or lighting systems
A thief may attempt to turn off power and/or lights in a particular portion of the target premises. A security apparatus as described herein may be placed within range of a smart lamp or power switch and fool a malicious device into connecting to the security apparatus rather than a switch actuator device, preventing the malicious device from controlling the respective power plug or lighting system.
Protecting a smart pill dispenser
An exemplary smart pill dispenser may be configured to send a notification to a patient's smartphone, for example to tell the patient to take a particular medication. The notification may indicate the type and count of the pill and, optionally, its manner of administration (e.g., taken with food, taken dissolved in water, etc.). An attacker may trick the smartphone into connecting to a malicious device that spoofs the pill dispenser, and then manipulate the medication schedule at will. The security apparatus as described herein may be embodied, for example, as a small battery operated device (e.g., a key fob) that may be carried in a patient's pocket or placed on a bedside table within range of the patient's smartphone and pill dispenser. The security apparatus may detect a significant change in the advertising behavior of the pill dispenser and in response attack the device sending the suspicious availability notification (possibly a malicious device masquerading as the protected pill dispenser).
Protecting a tire pressure sensor
An exemplary tire pressure sensor may send an alert to the vehicle's computer when the air pressure in the respective tire falls below a trigger value. Criminals may use malicious devices to impersonate tire pressure sensors and trick the vehicle's computer into connecting to the malicious device instead of the pressure sensor. The attacker can then send a bogus signal to the car's computer indicating that the car's tires are flat, forcing the driver to pull over. The security apparatus as described herein may be embodied as a small portable device, such as a dongle configured to be inserted into a Universal Serial Bus (USB) interface or an on-board diagnostic (OBD) data port of an automobile. The exemplary apparatus may even be integrated into a power adapter/battery charger configured to plug into the cigarette lighter of an automobile. In yet another exemplary embodiment, the security apparatus 20 may be integrated into or connected as an add-on to an existing car alarm system. The security apparatus may detect a suspicious availability notification that appears to originate from the pressure sensor and, in response, attack the sender of the respective message (possibly a malicious device masquerading as a pressure sensor), thus defeating the malicious device.
Protecting assets fitted with locating beacons
Some anti-theft systems attach a locating beacon device to a valuable asset, the beacon device being configured to transmit a signal indicative of the current physical location of the valuable asset or indicative of whether the respective asset is currently within range of a detector. A thief may use a malicious device to attack the detector and masquerade as the locating beacon. The malicious device may then transmit a bogus signal to the detector indicating that everything is in order, while in fact the valuable asset has been removed from its assumed safe location. A security apparatus as described herein may detect suspicious notifications and connect to malicious devices, thus thwarting an attack. In an exemplary embodiment, the security apparatus may be integrated into the detector or connected to the detector as an add-on.
It will be clear to a person skilled in the art that the above embodiments may be varied in many ways without departing from the scope of the invention. Accordingly, the scope of the invention should be determined by the appended claims and their legal equivalents.

Claims (23)

1. A security apparatus configured to protect a client device from a computer security threat, the security apparatus comprising at least one hardware processor configured to:
in response to detecting a first wireless communication comprising an availability notification issued in preparation for establishing a peer-to-peer connection with a management device, determine whether the first wireless communication is appropriate for a notification mode specific to the client device;
in response, when the first wireless communication does not fit the notification mode, transmit a second wireless communication configured to mimic a response of the management device to the first wireless communication; and
in response to transmitting the second wireless communication, perform a security action to secure the client device or the management device.
2. The security apparatus of claim 1, wherein the at least one hardware processor is configured to determine whether the first wireless communication is suitable for the notification mode according to a time interval separating the first wireless communication from a previously detected wireless communication comprising another availability notification issued by the client device.
3. The security apparatus of claim 2, wherein the at least one hardware processor is configured to:
compare a size of the time interval to a predetermined reference value associated with the client device; and
in response, determine that the first wireless communication is not suitable for the notification mode when the time interval is much shorter than the reference value.
4. The security apparatus of claim 1, wherein the at least one hardware processor is configured to determine whether the first wireless communication is appropriate for the notification mode according to a count of availability notifications issued by the client device.
5. The security apparatus of claim 1, wherein the at least one hardware processor is configured to determine whether the first wireless communication is suitable for the notification mode according to an indicator of a strength of a carrier signal of the first wireless communication.
6. The security apparatus of claim 1, wherein the at least one hardware processor is configured to determine whether the first wireless communication is suitable for the notification mode according to a frequency of a carrier signal of the first wireless communication.
7. The security apparatus of claim 6, wherein the at least one hardware processor is configured to determine whether the first wireless communication is suitable for the notification mode further according to another frequency of another carrier signal of a previously detected communication comprising another availability notification issued by the client device.
8. The security apparatus of claim 1, wherein the at least one hardware processor is further configured to, in preparation for determining whether the first wireless communication is appropriate for the notification mode:
detect a plurality of availability notifications issued by the client device; and
in response, determine the notification mode from the plurality of availability notifications.
9. The security apparatus of claim 1, wherein impersonating the response of the management device comprises initiating another peer-to-peer connection with a sender of the first wireless communication while impersonating the management device.
10. The security apparatus of claim 9, wherein the security action comprises maintaining the other peer-to-peer connection active for a predetermined amount of time.
11. The security apparatus of claim 9, wherein the security action comprises transmitting a set of proxy data to the sender of the first wireless communication over the other peer-to-peer connection.
12. A method of protecting a client device from computer security threats, the method comprising using at least one hardware processor of a security apparatus to:
in response to detecting a first wireless communication comprising an availability notification issued in preparation for establishing a peer-to-peer connection with a management device, determine whether the first wireless communication is appropriate for a notification mode specific to the client device;
in response, transmit a second wireless communication configured to mimic a response of the management device to the first wireless communication when the first wireless communication does not fit the notification mode; and
in response to transmitting the second wireless communication, perform a security action to secure the client device or the management device.
13. The method of claim 12, comprising employing the at least one hardware processor to determine whether the first wireless communication is appropriate for the notification mode according to a time interval separating the first wireless communication from a previously detected wireless communication comprising another availability notification issued by the client device.
14. The method of claim 13, further comprising using the at least one hardware processor to:
compare a size of the time interval to a predetermined reference value characteristic of the client device; and
in response, determine that the first wireless communication is not suitable for the notification mode when the time interval is much shorter than the reference value.
15. The method of claim 12, comprising using the at least one hardware processor to determine whether the first wireless communication is appropriate for the notification mode as a function of a count of availability notifications issued by the client device.
16. The method of claim 12, comprising employing the at least one hardware processor to determine whether the first wireless communication is suitable for the notification mode as a function of an indicator of a strength of a carrier signal of the first wireless communication.
17. The method of claim 12, comprising employing the at least one hardware processor to determine whether the first wireless communication is appropriate for the notification mode as a function of a frequency of a carrier signal of the first wireless communication.
18. The method of claim 17, comprising employing the at least one hardware processor to determine whether the first wireless communication is appropriate for the notification mode further according to another frequency of another carrier signal of a previously detected communication comprising another availability notification issued by the client device.
19. The method of claim 12, further comprising employing the at least one hardware processor to, in preparation for determining whether the first wireless communication is appropriate for the notification mode:
detect a plurality of availability notifications issued by the client device; and
in response, determine the notification mode from the plurality of availability notifications.
20. The method of claim 12, wherein impersonating the response of the management device comprises initiating another peer-to-peer connection with a sender of the first wireless communication while impersonating the management device.
21. The method of claim 20, wherein the security action comprises maintaining the other peer-to-peer connection active for a predetermined amount of time.
22. The method of claim 20, wherein the security action comprises transmitting a set of proxy data to the sender of the first wireless communication over the other peer-to-peer connection.
23. A non-transitory computer-readable medium storing instructions that, when executed by at least one hardware processor of a security apparatus, cause the security apparatus to:
in response to detecting a first wireless communication comprising an availability notification issued in preparation for establishing a peer-to-peer connection with a management device, determine whether the first wireless communication is appropriate for a notification mode specific to the client device;
in response, transmit a second wireless communication configured to mimic a response of the management device to the first wireless communication when the first wireless communication does not fit the notification mode; and
in response to transmitting the second wireless communication, perform a security action to secure the client device or the management device.
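The fit determination of claims 2 to 8 (and method claims 13 to 19), sketched as an added example that is not part of the patent text: a pattern is learned from several observed availability notifications, and a new notification is then checked against it by time interval, count, signal strength and carrier frequency. The thresholds, class and function names, the frequency-transition model and the sample data are assumptions made for illustration; the mimicked response and the security action are not modelled.

```python
from dataclasses import dataclass
from statistics import median

# Assumed tuning values, not taken from the claims.
SHORT_FACTOR = 0.5      # "much shorter" = under half the reference interval
RSSI_MARGIN_DB = 15.0   # tolerated deviation from the learned median strength

@dataclass(frozen=True)
class Notification:
    t: float         # capture time, seconds
    rssi: float      # indicator of carrier signal strength, dBm
    freq_mhz: int    # carrier frequency

@dataclass(frozen=True)
class Pattern:
    ref_interval: float     # reference interval for this client device
    rssi_median: float
    transitions: frozenset  # (previous frequency, frequency) pairs observed
    max_per_window: int     # highest notification count seen in one window
    window: float

def count_in_window(times, end, window):
    return sum(1 for t in times if end - window < t <= end)

def learn_pattern(history, window=60.0):
    """Derive a device-specific pattern from several observed notifications."""
    times = [n.t for n in history]
    gaps = [b - a for a, b in zip(times, times[1:])]
    pairs = frozenset((a.freq_mhz, b.freq_mhz) for a, b in zip(history, history[1:]))
    peak = max(count_in_window(times, t, window) for t in times)
    return Pattern(median(gaps), median(n.rssi for n in history), pairs, peak, window)

def deviations(pattern, recent, new):
    """Return the reasons `new` does not fit the pattern (empty list = fits)."""
    prev = recent[-1]
    reasons = []
    if new.t - prev.t < SHORT_FACTOR * pattern.ref_interval:
        reasons.append("interval")
    times = [n.t for n in recent] + [new.t]
    if count_in_window(times, new.t, pattern.window) > pattern.max_per_window:
        reasons.append("count")
    if abs(new.rssi - pattern.rssi_median) > RSSI_MARGIN_DB:
        reasons.append("rssi")
    if (prev.freq_mhz, new.freq_mhz) not in pattern.transitions:
        reasons.append("frequency")
    return reasons

# Constructed sample: one notification every 10 s, cycling three carrier frequencies.
HISTORY = [Notification(10.0 * i, -60.0 + i % 3, (2402, 2426, 2480)[i % 3]) for i in range(12)]
```

A non-empty list from `deviations` corresponds to the "does not fit" branch of claims 1, 12 and 23, the condition under which the apparatus answers in place of the management device.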
CN202111159048.3A 2021-02-12 2021-09-30 Security apparatus for protecting power-saving wireless device from attack Pending CN114978566A (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US17/248,909 US11696138B2 (en) 2020-06-09 2021-02-12 Security appliance for protecting power-saving wireless devices against attack
US17/248,909 2021-02-12
EPPCT/EP2021/064591 2021-06-01
EP2021064591 2021-06-01

Publications (1)

Publication Number Publication Date
CN114978566A (en) 2022-08-30

Family

ID=82974474

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111159048.3A Pending CN114978566A (en) 2021-02-12 2021-09-30 Security apparatus for protecting power-saving wireless device from attack

Country Status (1)

Country Link
CN (1) CN114978566A (en)


Legal Events

Date Code Title Description
PB01 Publication
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 40073075; Country of ref document: HK)

SE01 Entry into force of request for substantive examination