Assessing cybersecurity risks in BLE-based asset management systems
Main author: | |
---|---|
Publication date: | 2024 |
Document type: | Dissertation |
Language: | eng |
Source title: | Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
Full text: | http://hdl.handle.net/20.500.11960/3949 |
Abstract: | In the current era of digital transformation, Asset Management (AM) systems using Bluetooth Low Energy (BLE) beacons are being applied across various domains, allowing for the detection of individuals or objects within a building. While the impact of a compromised Indoor Positioning System (IPS) may not be significant in certain domains, in others it can pose risks and potentially lead to the loss of human lives or other significant consequences. This work starts with a literature review on vulnerabilities that target BLE beacon devices. With the gathered knowledge from the review, a risk assessment of cyber-attacks targeting AM systems using BLE devices in two specific scenarios is presented: healthcare and industry. The aim is to estimate the attacks that pose the greatest risk in each application area. An experimental setup was also created with a focus on testing a set of vulnerabilities, such as replay attack, device cloning, jamming, battery exhaustion attack and physical hijacking. Lastly, mitigation measures and a list of best practices and guidelines are proposed to help harden these systems. Results show that risk levels vary depending on the targeted scenario. Replay, battery exhaustion, jamming, fuzzing, blue-smack, and physical hijacking attacks are the ones that pose the greatest risk levels in the considered scenarios. Additionally, the vulnerabilities exploited in the experimental setup manifest a concerning accessibility that can lead to irreversible damages. |
id |
RCAP_7152f653e03fd7b3ece4daa42fe2adab |
---|---|
oai_identifier_str |
oai:repositorio.ipvc.pt:20.500.11960/3949 |
network_acronym_str |
RCAP |
network_name_str |
Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
repository_id_str |
7160 |
author |
Verde, David Luís Malhão |
author_role |
author |
dc.subject.por.fl_str_mv |
Indoor-location security; Asset management; BLE beacons; Bluetooth; Cybersecurity; Secure indoor location; Resource management |
dc.date.none.fl_str_mv |
2024-03-13T15:05:18Z 2024-01-08T00:00:00Z 2024-01-08 |
dc.type.status.fl_str_mv |
info:eu-repo/semantics/publishedVersion |
dc.type.driver.fl_str_mv |
info:eu-repo/semantics/masterThesis |
dc.identifier.uri.fl_str_mv |
http://hdl.handle.net/20.500.11960/3949 TID:203551729 |
dc.rights.driver.fl_str_mv |
info:eu-repo/semantics/openAccess |
dc.format.none.fl_str_mv |
application/pdf |
dc.source.none.fl_str_mv |
reponame:Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) instname:Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação instacron:RCAAP |