Date of Award


Document Type


Degree Name

Master of Science


Department of Electrical and Computer Engineering

First Advisor

Barry E. Mullins, PhD.


Low-Rate Wireless Personal Area Networks are a prevalent solution for communication among embedded devices. ZigBee is a leading network protocol stack based on the low-rate IEEE 802.15.4 standard that operates smart utility meters, residential and commercial building automation, and heath care networks. Such networks are essential, but low-rate, low-cost hardware is challenging to protect because end devices have tight limitations on hardware cost, memory use, and power consumption. KillerBee is a python-based framework for attacking ZigBee and other 802.15.4 networks that makes traffic eavesdropping, packet replay, and denial of service attacks straightforward to conduct. Recent works investigate software-defined radios as an even more versatile attack platform. Software defined radios can operate with greater flexibility and at greater transmit power than traditional network hardware. Software-defined radios also enable novel physical-layer attacks including reflexive jamming and synchronization header manipulation that are not possible with traditional hardware. This research implements a replay attack against a ZigBee device using a software defined radio. Replay attacks consist of an attacker recording legitimate traffic on a network and then replaying that traffic at will to cause malicious effects. Replay attacks can be very disruptive to operational systems, from turning valves in industrial controls systems to disarming door locks. Specifically, how software-defined radios can extend the effective attack range far beyond what is possible with hardware currently utilized by KillerBee is investigated. A software defined radio is tested with both directed and omnidirectional antennas and the effective attack range is compared to that of a USB radio. Tests are conducted both line-of-sight outdoors and through interior walls. The replay attack is implemented with beacon request frames.

AFIT Designator


DTIC Accession Number