89  802.15.4 Quiz: Security

In 60 Seconds

IEEE 802.15.4 provides link-layer security through AES-128 CCM encryption, adding roughly 14 bytes of overhead – a small cost compared to the risks of packet injection and eavesdropping. Thread networks use adaptive channel hopping with PER-based blacklisting to automatically recover from interference within 30-60 seconds.

Key Concepts

• Interference Detection Metrics: RSSI, LQI, and PER; used together to distinguish interference from range issues
• Channel Migration: Changing the PAN’s operating channel in response to persistent interference; requires coordinator command
• Jamming vs Interference: Jamming is intentional continuous blocking; interference is typically intermittent from coexisting technologies
• Security Attack Vectors: Replay attacks (counter-based defense), eavesdropping (encryption defense), message forgery (MIC defense)
• Denial of Service: Flooding the channel with frames or jamming; 802.15.4 has limited built-in protection
• AES-CCM Authentication: CBC-MAC provides data authenticity; even without encryption, authentication detects message tampering
• Physical Layer Security: Using directional antennas, limiting transmit power, and selecting non-overlapping channels reduce attack surface
• Over-the-Air Updates: Firmware updates via radio are a critical attack vector; must use signed, encrypted update packages

89.1 Minimum Viable Understanding

This quiz covers two security and interference topics: (1) AES-128 CCM overhead – calculating the ~14-byte security cost (auxiliary header + MIC) and understanding why it is justified for safety-critical IoT applications; and (2) adaptive channel hopping in Thread networks – how PER-based monitoring detects persistent interference, blacklists degraded channels via multicast updates, and recovers within 30-60 seconds with minimal packet loss during transitions.

89.2 Learning Objectives

After completing this quiz section, you will be able to:

• Calculate security overhead for AES-128 CCM encryption across all eight security levels and MIC sizes
• Justify why link-layer security is critical for IoT applications that control physical actuators
• Analyse adaptive channel hopping mechanisms in Thread networks, including PER thresholds, detection windows, and blacklist distribution
• Evaluate PER-based channel blacklisting strategies for mitigating persistent 2.4 GHz interference sources

For Beginners: 802.15.4 Security Quiz

This quiz covers 802.15.4 security and interference management. Security protects your IoT data from eavesdropping and tampering, while interference management keeps your wireless network working reliably even when other wireless devices are nearby.

Navigation

Overview: Quiz Bank Overview - Learning objectives and study strategy

Part 2 Quiz Sections:

• Deployment and Power - 2 questions on battery life and variant selection
• Superframe and Device Types - 4 questions on timing and FFD/RFD
• Security and Interference (Current) - 2 questions on encryption and channel hopping

Study Materials:

• 802.15.4 Fundamentals - Core concepts
• 802.15.4 Topic Review - Quick reference

---

89.3 Quiz 1: AES-128 CCM Security Overhead

Worked Detail: Frame Breakdown and Security Level Summary

Frame breakdown (50-byte payload):

• PHY Header (6 bytes)
• MAC Header (11 bytes)
• Security (14 bytes)
• Payload (50 bytes)
• FCS (2 bytes)
• Total: 83 bytes (well within 127-byte limit)

Why acceptable?

(1) Prevents replay attacks via monotonically increasing Frame Counter (attacker cannot reuse old packets)

(2) Detects tampering via MIC (8-byte MIC provides 2^64 authentication space, computationally infeasible to forge)

(3) Encrypts payload using AES-128 (128-bit keys provide 2^128 security margin)

Alternative: No security saves 14 bytes but enables: - Eavesdropping (sensors leak private data) - Packet injection (attacker controls devices) - Replay attacks (unlock doors repeatedly)

Security overhead is 11% of frame capacity but critical for home automation, industrial control, and medical IoT where unauthorized access causes physical harm.

Security Level Summary:

Level	Mode	MIC Size	Description
0	None	0	No security
1	MIC-32	4	Auth only, 32-bit
2	MIC-64	8	Auth only, 64-bit
3	MIC-128	16	Auth only, 128-bit
4	ENC	0	Encryption only
5	ENC-MIC-32	4	Encrypt + auth
6	ENC-MIC-64	8	Encrypt + auth
7	ENC-MIC-128	16	Encrypt + auth

89.3.1 Knowledge Check: Security Level Selection

---

89.4 Quiz 2: Adaptive Channel Hopping in Thread Networks

89.4.1 Knowledge Check: Channel Quality Metrics

---

89.4.2 Knowledge Check: Security Overhead Trade-off

89.4.3 Knowledge Check: Channel Hopping Recovery

Worked Example: Debugging Persistent Packet Loss in a Thread Smart Home Network

Scenario: Your Thread smart home network (802.15.4-based) experiences 30-50% packet loss between 6 PM and 8 PM every evening, causing lights to respond slowly and door locks to timeout. During other times, the network performs perfectly (< 1% loss). You need to diagnose and fix the issue.

Step 1: Gather Initial Evidence

Network configuration:

• Protocol: Thread 1.3 (802.15.4 MAC/PHY)
• Channel hopping: 4 channels (15, 20, 25, 26)
• Hop interval: 30 seconds
• Devices: 15 smart lights, 3 door locks, 1 border router
• Frequency: 2.4 GHz (channels 11-26)

Observed symptoms:

• Packet loss: 30-50% during 6-8 PM, < 1% otherwise
• Affected devices: All devices equally (not isolated to one zone)
• Timing: Exactly 6-8 PM every day (weekdays and weekends)

Step 2: Hypothesize Root Causes

Hypothesis	Evidence For	Evidence Against	Likelihood
A. Interference from external source (Wi-Fi, microwave)	Time-of-day correlation	Affects all 4 channels equally	HIGH
B. Network congestion (too much traffic)	Evening activity spike	Minimal traffic (smart lights = 1 frame/sec)	Low
C. Faulty hardware (failing router)	Consistent daily pattern	Affects all devices equally, not one route	Low
D. Thread channel hopping bug	Distributed symptoms	Works perfectly outside 6-8 PM	Low

Hypothesis A (Interference) is most likely. Let’s investigate.

Step 3: Measure Channel Quality

Tool: Spectrum Analyzer (or 802.15.4 sniffer with RSSI)

Measurement approach:

1. Baseline (9 AM, no packet loss): Measure RSSI and packet error rate (PER) on each channel
2. Problem period (7 PM, 30-50% loss): Repeat measurements

Results (measured with Wireshark + TI CC2531 sniffer):

9 AM Baseline: | Channel | Frequency | RSSI (avg) | PER | Notes | |———|———–|————|—–|——-| | 15 | 2425 MHz | -65 dBm | 0.5% | Clean | | 20 | 2450 MHz | -68 dBm | 0.8% | Clean | | 25 | 2475 MHz | -67 dBm | 0.6% | Clean | | 26 | 2480 MHz | -66 dBm | 0.7% | Clean |

7 PM Problem Period: | Channel | Frequency | RSSI (avg) | PER | Notes | |———|———–|————|—–|——-| | 15 | 2425 MHz | -64 dBm | 1.2% | Still OK | | 20 | 2450 MHz | -52 dBm | 62% | INTERFERED | | 25 | 2475 MHz | -69 dBm | 1.5% | Still OK | | 26 | 2480 MHz | -68 dBm | 1.8% | Still OK |

Key finding: Channel 20 (2450 MHz) has 62% PER during evening hours, with very strong RSSI (-52 dBm is unusually high, suggesting interference, not weak signal).

Step 4: Identify Interference Source

2.4 GHz band allocation:

• 802.15.4 Channel 20 = 2450 MHz (center) +/- 1 MHz = 2449-2451 MHz
• Wi-Fi Channel 8 = 2447 MHz (center) +/- 11 MHz = 2436-2458 MHz (overlaps!)
• Microwave ovens = 2450 MHz (unlicensed ISM usage, broadband noise)

Suspect 1: Neighbor’s Wi-Fi Access Point

• Common channel for older routers: Wi-Fi Channel 6 (2437 MHz) or 11 (2462 MHz)
• But neither overlaps 2450 MHz as badly as Channel 8
• Less likely (Wi-Fi would show continuous interference, not time-of-day pattern)

Suspect 2: Microwave Oven

• Operates at exactly 2450 MHz (magnetron frequency)
• Used during dinner prep/cooking (6-8 PM window matches!)
• Broadband noise (affects +/-10 MHz around 2450 MHz)
• HIGH LIKELIHOOD

Verification test: Walk around the house at 7 PM with the spectrum analyzer. When you approach the kitchen, RSSI on 2450 MHz spikes to -45 dBm (very strong interference). The microwave is running.

Diagnosis confirmed: Neighbor’s or own microwave oven interferes with Thread Channel 20 during evening cooking hours.

Step 5: Thread Adaptive Channel Hopping – Why Didn’t It Help?

Thread implements adaptive channel hopping with PER-based blacklisting: - Each router tracks per-channel PER over a sliding window (e.g., last 100 packets) - If PER > threshold (typically 50%) for 5 consecutive hop cycles, channel is blacklisted - Network Manager distributes blacklist update via multicast

Why it didn’t fix the problem automatically:

Default Thread parameters:

• Detection window: 5 hop cycles x 30 seconds = 150 seconds = 2.5 minutes
• Blacklist distribution: 1 hop cycle = 30 seconds
• Total time to recovery: 3 minutes

But the microwave runs for 3-10 minutes at a time. By the time Channel 20 is blacklisted (after 3 minutes), the microwave might turn off, and the channel looks clean again. Then it re-enters the hopping sequence, and the cycle repeats.

Evidence: Check Thread diagnostic logs for channel blacklisting events. You see:

19:02:15 - Channel 20 PER = 58% (above 50% threshold, cycle 1/5)
19:02:45 - Channel 20 PER = 61% (cycle 2/5)
19:03:15 - Channel 20 PER = 64% (cycle 3/5)
19:03:45 - Channel 20 PER = 59% (cycle 4/5)
19:04:15 - Channel 20 PER = 62% (cycle 5/5)
19:04:15 - Channel 20 BLACKLISTED (5 consecutive high-PER cycles)
19:04:45 - Blacklist update distributed to network
19:05:15 - Network hopping on channels: 15, 25, 26 (Channel 20 removed)
19:06:30 - Microwave turns off
19:08:15 - Channel 20 PER = 1.2% (looks clean now)
19:10:15 - Channel 20 removed from blacklist (recovered)
19:10:45 - Network hopping on channels: 15, 20, 25, 26 (Channel 20 re-added)
19:12:30 - Microwave turns on again
19:14:15 - Channel 20 PER = 60% (interference returns)
[Cycle repeats...]

The problem: Adaptive hopping works but is too slow for intermittent interference sources.

Step 6: Solution Options

Option A: Manually blacklist Channel 20 permanently

# Thread CLI command (implementation-specific, e.g., OpenThread)
> channel manager exclude 20
Done
> channel manager channels
15, 25, 26

Pros:

• Immediate fix (no detection delay)
• Permanent (survives power cycles)
• Simple (one-time configuration)

Cons:

• Loses 25% of available channels (3 instead of 4)
• If Channel 20 is the only clean channel in the future (e.g., neighbors start using Ch 15/25/26 for Wi-Fi), you have no backup

Option B: Reduce detection window (faster blacklisting)

# Adjust Thread channel monitoring parameters
> channel manager threshold 40          # Lower threshold: 40% instead of 50%
> channel manager window 3               # Faster detection: 3 cycles instead of 5
> channel manager interval 15            # Shorter hop interval: 15s instead of 30s
Done

New detection time: 3 cycles x 15 seconds = 45 seconds

Pros:

• Blacklists Channel 20 within 45 seconds of interference
• Adapts to future interference patterns automatically
• Retains all 4 channels when microwave is off

Cons:

• More aggressive blacklisting may be triggered by transient interference (false positives)
• Shorter hop interval = more channel switches = slight overhead increase

Option C: Use 802.15.4 channels that don’t overlap 2.4 GHz Wi-Fi or microwave

Channel selection strategy:

802.15.4 Channel	Center Freq	Overlaps Wi-Fi?	Overlaps Microwave?	Recommended?
11	2405 MHz	Wi-Fi Ch 1 (2412 MHz)	No	Marginal
15	2425 MHz	Wi-Fi Ch 4 (2427 MHz)	No	Good
20	2450 MHz	Wi-Fi Ch 8 (2447 MHz)	YES (2450 MHz)	Avoid
25	2475 MHz	Wi-Fi Ch 13 (2472 MHz)	No	Good
26	2480 MHz	Outside Wi-Fi (Ch 13 ends 2483 MHz)	No	Best

Wi-Fi channels to avoid:

• Wi-Fi Ch 1, 6, 11 are most common in North America
• 802.15.4 Ch 15, 25, 26 have minimal overlap

Recommendation: Use 802.15.4 channels 15, 20, 25, 26, but manually blacklist Ch 20 if microwave interference persists.

Alternatively, switch to channels: 11, 15, 25, 26 (skipping Ch 20 entirely).

Option D: Coordinate with Wi-Fi (hybrid approach)

If you control the Wi-Fi network: 1. Move Wi-Fi to 5 GHz band (no interference with 2.4 GHz 802.15.4) 2. Use Wi-Fi Channel 1 or 11 (avoids overlap with Thread Ch 15, 25, 26) 3. Reduce Wi-Fi transmit power (lowers interference floor)

Step 7: Implement and Verify Fix

Selected solution: Option A + Option B hybrid

1. Manually blacklist Channel 20 immediately (stops current issue)
2. Tune adaptive hopping parameters (faster response to future issues)

> channel manager exclude 20
> channel manager threshold 45
> channel manager window 3
> channel manager interval 20
Done

Verification (7 PM test):

Before fix:

• Hopping channels: 15, 20, 25, 26
• PER during 7 PM: 32% (average across all channels, dragged down by Ch 20’s 62%)
• User experience: Lights respond in 2-5 seconds, some commands timeout

After fix:

• Hopping channels: 15, 25, 26 (Ch 20 blacklisted)
• PER during 7 PM: 1.5% (average across 3 clean channels)
• User experience: Lights respond in < 500 ms, no timeouts

Success! Packet loss dropped from 32% to 1.5% during peak interference hours.

Step 8: Document and Monitor

Created network health dashboard:

• Per-channel PER tracking (5-minute buckets)
• Blacklist event log
• Alert if any channel exceeds 10% PER for > 5 minutes

Ongoing monitoring:

• If channels 15, 25, or 26 start showing high PER, investigate new interference sources (e.g., neighbor adds Wi-Fi access point)
• Re-enable Channel 20 if interference pattern changes (e.g., microwave replaced, different usage times)

Key Lessons:

1. Time-of-day correlation is the strongest clue for identifying interference sources (microwave = cooking time, Wi-Fi = evening streaming)
2. Adaptive channel hopping works but is reactive, not proactive – it takes 2-3 minutes to detect and blacklist a bad channel
3. Manual blacklisting is appropriate for known persistent interference (e.g., microwave at 2450 MHz)
4. Always verify fixes with real measurements – don’t trust “it should work” – capture packets and measure PER before/after
5. 802.15.4 Ch 26 (2480 MHz) is the safest – outside Wi-Fi Ch 1-11 range and above microwave peak frequency

Concept Relationships

Security/Interference Concept	Cost	Benefit	Decision Threshold
AES-128 CCM	14 bytes overhead	Prevents injection/replay/eavesdropping	Always enable for actuators (door locks, alarms)
MIC-32 vs MIC-64	4 vs 8 bytes	2^32 vs 2^64 brute-force resistance	MIC-64 minimum for home automation (GPU attacks feasible on 32-bit)
Frame counter	4 bytes in security header	Replay attack prevention (monotonic check)	Automatic when security enabled
Adaptive channel hopping	30-60 second detection delay	Self-healing from persistent interference	Enable for 2.4 GHz deployments (Wi-Fi/microwave coexistence)
PER-based blacklisting	1-2 lost packets during transition	Removes 25% throughput loss from bad channel	Threshold: 50-70% PER over 5 consecutive hops

89.5 See Also

• 802.15.4 Review: Security - AES-128 CCM encryption and channel management
• 802.15.4 Fundamentals - Core standard and security levels
• Device Types and Security Quiz - FFD/RFD and AES-128 deep dive
• Zigbee Security - Security in Zigbee networks
• 802.15.4 Comprehensive Review - Complete specification coverage

Common Pitfalls

1. Diagnosing Interference by RSSI Alone

RSSI measures total received signal power including interference. Stable RSSI with degraded LQI indicates the desired signal is strong but corrupted by interference. Only RSSI dropping indicates range or obstruction issues. Using RSSI alone misses many interference scenarios.

2. Trusting Authentication Without Encryption

AES-CCM with only authentication (no encryption) prevents tampering but exposes plaintext data. In medical or industrial IoT, plaintext sensor readings may reveal operational patterns or patient information. Always assess whether authentication alone is sufficient for your confidentiality requirements.

3. Forgetting That Channel Migration Requires Coordinator Coordination

Changing channels is not a device-level decision. The PAN coordinator must broadcast a channel change command and all devices must execute it together. Devices that miss the command continue operating on the old channel and effectively leave the network.

4. Ignoring Physical Access Threats

802.15.4 security focuses on over-the-air threats. Physical access to a device allows key extraction from unprotected flash memory. Security architecture must address physical tamper resistance for devices deployed in accessible locations.

🏷️ Label the Diagram

💻 Code Challenge

89.6 Summary

This quiz section tested your understanding of:

1. Security Overhead: How AES-128 CCM encryption adds ~14 bytes overhead for authentication and confidentiality
2. Channel Hopping: How Thread networks adaptively blacklist interfered channels based on PER monitoring

Key Takeaways:

• Security overhead (14 bytes) is a small price for preventing injection, replay, and eavesdropping attacks
• 64-bit MIC provides 2^64 authentication space, computationally infeasible to forge
• Thread’s adaptive channel hopping recovers from interference within 30-60 seconds
• PER-based blacklisting prevents persistent throughput loss from 2.4 GHz interference sources

89.7 What’s Next

Chapter	Focus	Why Read It Next
Deployment and Power Quiz	Battery life calculations and variant selection	Apply security overhead knowledge to constrained device power budgets
Superframe and Device Types Quiz	GTS allocation and FFD/RFD capabilities	Examine how superframe timing interacts with security processing on FFDs vs RFDs
802.15.4 Comprehensive Review	Complete specification coverage	Consolidate security, interference, and protocol knowledge into a unified review
Zigbee Security	Network-layer key management and trust centres	Compare Zigbee’s application-layer security with the link-layer AES-128 CCM covered here
802.15.4 Review: Security	AES-128 CCM encryption and channel management deep dive	Reinforce security level selection with additional worked examples and frame analysis