11th Annual Security & Compliance Summit | Washington D.C.
Prepared by: Daniel Lance

Wireless Sensor Networks: Nothing is out of reach
By: Daniel C Lance
OUR AGENDA (KINDA)
1. History/Design: Conceptual implementation; Practical implementation
2. What is it? What are WSNs as a whole.
3. SDR (Software Defined Radio): Software and hardware overview; Hack Matrix
4. Social Engineering: Cognitive biases; Pretexting; Baiting
5. What can be done: A fix for all wireless systems.
After years of installing wireless sensor networks in homes and businesses we are now faced with a question “How is this all secure? Or is it?”
HISTORY: TACTICAL TO PRACTICAL
1949 (Start): Sound Surveillance System (SOSUS) developed by the United States Military
1978 (Growth): Distributed Sensor Network Workshop; DSNs are the birthplace of the common WSN
1980 (Innovation): Distributed Sensor Network (DSN); DARPA formally explores the challenges in implementing distributed/wireless sensor networks.
1993 (Innovation): UCLA Wireless Integrated Network Sensors
1999 (Innovation): University of California at Berkeley PicoRadio program
2000 (Innovation): Adaptive Multi-domain Power Aware Sensors program, MIT
2001 (Innovation): NASA Sensor Webs
Today
2002 (Alliance): ZigBee Alliance
2002 (Innovation): Center for Embedded Network Sensing
2005 (Alliance): Z-Wave Alliance
APPLICATION & DEBUT: 1949-PRESENT DAY
[Chart: cost and energy needed to build a sensor vs. total market size, past to present day, across the Military, Scientific, Industry and Consumer segments]
SO WHAT IS A WSN? Design in a nutshell
• Sender and Receiver (Node & Gatherer)
• Sensor component: Analog and/or digital I/O
• Modulation Protocols: OOK, FSK, ASK, etc.
• Power management: How can the device report longer
TOPOLOGY OF A NETWORK: Sender and Receiver (Node & Gatherer)
[Diagram of topologies: One way (sender to receiver), Bi directional (sender and receiver both ways), Mesh (nodes to a receiver), Star (nodes to a receiver)]
SENSORS: A TON OF THEM
Accelerometers; Accessories; Amplifiers; Capacitive Touch Sensors, Proximity Sensor ICs; Color Sensors; Current Transducers; Dust Sensors; Encoders; Flex Sensors; Float, Level Sensors; Flow Sensors; Force Sensors; Gas Sensors; Gyroscopes; Image Sensors, Camera; Inclinometers; IrDA Transceiver Modules; LVDT Transducers (Linear Variable Differential Transformer); Magnetic Sensors - Compass, Magnetic Field (Modules); Magnetic Sensors - Hall Effect, Digital Switch, Linear, Compass (ICs); Magnetic Sensors - Position, Proximity, Speed (Modules); Magnets; Moisture Sensors, Humidity; Motion Sensors, Detectors; Multifunction; Optical Sensors - Ambient Light, IR, UV Sensors; Optical Sensors - Distance Measuring; Optical Sensors - Photo Detectors - CdS Cells; Optical Sensors - Photo Detectors - Logic Output; Optical Sensors - Photo Detectors - Remote Receiver; Optical Sensors - Photodiodes; Optical Sensors - Photoelectric, Industrial; Optical Sensors - Photointerrupters - Slot Type - Logic Output; Optical Sensors - Photointerrupters - Slot Type - Transistor Output; Optical Sensors - Phototransistors; Optical Sensors - Reflective - Analog Output; Optical Sensors - Reflective - Logic Output; Position Sensors - Angle, Linear Position Measuring; Pressure Sensors, Transducers; Proximity Sensors; Proximity/Occupancy Sensors - Finished Units; RTD (Resistance Temperature Detector); Shock Sensors; Solar Cells; Specialized Sensors; Strain Gages; Temperature Regulators; Temperature Sensors, Transducers; Temperature Switches; Thermistors - NTC; Thermistors - PTC; Thermocouple, Temperature Probe; Tilt Sensors; Ultrasonic Receivers, Transmitters; Vibration Sensors
Phase-shift keying (PSK)
PSK uses a finite number of phases, each assigned a unique pattern of binary digits. Usually, each phase encodes an equal number of bits.

Frequency-shift keying (FSK)
Frequency modulation scheme in which digital information is transmitted through discrete frequency changes of a carrier wave. The simplest FSK is binary FSK (BFSK). BFSK uses a pair of discrete frequencies to transmit binary (0s and 1s) information. With this scheme, the "1" is called the mark frequency and the "0" is called the space frequency. The time domain of an FSK modulated carrier is illustrated in the figures to the right.

Amplitude-shift keying (ASK)
A form of amplitude modulation that represents digital data as variations in the amplitude of a carrier wave. In an ASK system, the binary symbol 1 is represented by transmitting a fixed-amplitude carrier wave and fixed frequency for a bit duration of T seconds. If the signal value is 1 then the carrier signal will be transmitted; otherwise, a signal value of 0 will be transmitted.

Quadrature amplitude modulation (QAM)
Both an analog and a digital modulation scheme. It conveys two analog message signals, or two digital bit streams, by changing (modulating) the amplitudes of two carrier waves, using the amplitude-shift keying (ASK) digital modulation scheme or the amplitude modulation (AM) analog modulation scheme.

Continuous phase modulation (CPM)
For modulation of data commonly used in wireless modems. In contrast to other coherent digital phase modulation techniques where the carrier phase abruptly resets to zero at the start of every symbol (e.g. M-PSK), with CPM the carrier phase is modulated in a continuous manner.
POWER MANAGEMENT
Battery powered
Wake/speed modes
Alarm vs. trouble vs. tamper (10tx 5tx 3tx)
PM schedule
SDR: HERE TO STAY
Started as a TV tuner
Size of a stick of gum
Supported on all OS's
SOFTWARE DEFINED RADIO: $20.95 w/ free shipping
Software & Hardware
THE SOFTWARE: OPEN SOURCE
GNU Radio Companion: GNU Radio Companion (GRC) is a graphical tool for creating signal flow graphs and generating flow-graph source code.
Gqrx SDR: Gqrx is a software defined radio receiver powered by the GNU Radio SDR framework and the Qt graphical toolkit.
Pentoo: The SDR distro of choice!
Audacity®: Cross-platform software for recording and editing sounds; great for figuring out protocols.
THE HARDWARE: LOW COST (Dongle time)
HackRF One: Great Scott Gadgets' Software Defined Radio peripheral, capable of transmission or reception of radio signals from 10 MHz to 6 GHz.
RTL2832U: Elonics E4000, 52 - 2200 MHz with a gap from 1100 MHz to 1250 MHz (varies)
Ubertooth One: 2.4 GHz wireless development platform suitable for Bluetooth experimentation. Commercial Bluetooth monitoring equipment can be found for over $10,000.
Upgradeable Antenna: Everything from RFID to Satellite
START SOME HACKING: WHAT THE HECK DO WE KNOW
THE DEVICE
Perimeter device
MSP430F2132IRHB
Data sheet is public
We know it's OOK
FCC listed
THE TYPICAL REPLAY ATTACK: GQRX and Audacity
Start by finding the device, then sample the audio, then define the audio files.
We know it is at 345 MHz
We know we have the correct device because of the on-off times
We can now do replay attacks at will
We can try our hand at jamming
THE TYPICAL REPLAY ATTACK: HOW DO WE SEND THE FILE?
RTL2832U has failed
RTL2832U isn't a good send device
We know we have a good attack, we have the data
GLASS STAGE (HALF FULL): ON THE CHEAP SIDE
Find the Carrier Signal
Tap the audio output from your sound card to the Carrier Signal and send the file
SPEND A LITTLE CASH: HACKRF TO THE RESCUE
Without the device
Start by finding the device, then sample the audio, then define the audio files, then repeat.
We can replay attack with little programming
We can RF jam with little effort
We can RF jam intermittently to make the receiver think it is over hearing.
GOING A STEP FURTHER: BINARY
Why we don't care about the little bits
We only know what we are told
Good for baiting
It's faster just to make-stuff-up

Frame layout:
Preamble  10101010101010
ID        xxxxxx
Net       xx
Payload   xxxxxx
CRC       16
WHAT IS AT RISK TODAY? Sender and Receiver (Node & Gatherer)
[Diagram of topologies: One way (sender to receiver), Bi directional (sender and receiver both ways), Mesh (nodes to a receiver), Star (nodes to a receiver)]
RECEIVERS ARE THE DOWNFALL: Hack Matrix Layer
Fixed Encryption (Session Keys): Extract the firmware via bus and capture the key of the WSN
No-Pass Key Encryption (Session Keys): Capture the device in the last mile before installation
Dynamic Encryption (Session Keys): Attack the programming device
Mesh: Jam and emulate
Star: Jam and emulate
Bi directional: Jam and emulate
One way: Jam and emulate
WHAT THE HECK DOES THIS MEAN?
Wireless sensors can be:
• Taken hostage
• Emulated
• Jammed
Receivers can be:
• Jammed even with jam detection
• Used against the facility staff
SOCIAL ENGINEERING: WORKING FOR YOU 24 HOURS A DAY
Cognitive biases: All of our own personal experience plays a huge part
Pretexting: affecting a whole group
Baiting: Getting one or more people to act
COGNITIVE BIASES: THE INDIVIDUAL
[Chart: cost and energy needed to build a sensor vs. total market size, past to present day, across the Military, Scientific, Industry and Consumer segments]
PRETEXTING: ALL TOGETHER NOW
[Diagram: a receiver and a "Malicious MiniVan"]
BAITING: Always a bigger fish
Case tampers
Speeding up fault conditions
Low battery signaling
“EVERYTHING WE HEAR IS AN OPINION, NOT A FACT. EVERYTHING WE SEE IS A PERSPECTIVE, NOT THE TRUTH.” - MARCUS AURELIUS
THE SOLUTION: WHAT DO WE REALLY NEED?
Verify Signals
Acquisition of data
Attack Response
Attribution of Attack
VERIFY SIGNALS: TRIANGULATION OF SIGNALS
[Diagram: three receivers hearing the signal from a wireless sensor at different strengths (70 %, 40 %)]
ACQUISITION OF DATA: TRACK RADIO ACTIVITY
When a radio starts up, spectrum analysis shows a so-called "spike" (a new DC spike)
Wait and see what happens
Log the RF frequency
Log the dB level of the radio at its RF frequency
Track changes in power
Warn if the center RF frequency comes close to the WSN's
This radio log can then be shared if an attack happens
Long term storage
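The logging steps above, as an added example that is not from the slides: a small Python radio-activity log that records a new spike's frequency and dB level, tracks power changes, keeps every reading for long-term storage, and warns when a carrier near the deck's 345 MHz channel is not the sensor's own quiet burst. The guard band, bin width, expected sensor level and the observations are assumptions/constructed.

```python
WSN_CENTER_HZ = 345_000_000   # the deck's perimeter device transmits here
GUARD_BAND_HZ = 500_000       # assumption: watch +/-500 kHz around that channel
BIN_HZ = 25_000               # assumption: peaks are bucketed into 25 kHz bins
SENSOR_MAX_DBM = -70.0        # assumption: the real sensor never arrives louder than this
POWER_STEP_DB = 6.0           # assumption: log a level change of 6 dB or more
SENSOR_BIN = WSN_CENTER_HZ // BIN_HZ

class RadioLog:
    """Per-carrier record of what the spectrum showed, plus shareable event lines."""
    def __init__(self):
        self.carriers = {}   # frequency bin -> {"hz", "first", "dbm", "hist"}
        self.events = []     # the log you would hand over after an incident

    def observe(self, t, center_hz, level_dbm):
        b = round(center_hz / BIN_HZ)
        mhz = f"{center_hz / 1e6:.3f} MHz"
        in_band = abs(center_hz - WSN_CENTER_HZ) <= GUARD_BAND_HZ
        c = self.carriers.get(b)
        if c is None:                                   # the "new DC spike"
            c = self.carriers[b] = {"hz": center_hz, "first": t, "dbm": level_dbm, "hist": []}
            self.events.append(f"{t:.1f}s NEW {mhz} {level_dbm:.1f} dBm")
            if in_band and (b != SENSOR_BIN or level_dbm > SENSOR_MAX_DBM):
                self.events.append(f"{t:.1f}s WARN {mhz} near the WSN channel is not the sensor's burst")
        else:                                           # known carrier: track its power
            if abs(level_dbm - c["dbm"]) >= POWER_STEP_DB:
                self.events.append(f"{t:.1f}s POWER {mhz} {c['dbm']:.1f} -> {level_dbm:.1f} dBm")
            if b == SENSOR_BIN and c["dbm"] <= SENSOR_MAX_DBM < level_dbm:
                self.events.append(f"{t:.1f}s WARN WSN channel suddenly louder than the sensor can be")
            c["dbm"] = level_dbm
        c["hist"].append((t, level_dbm))                # long-term storage of every reading
        return c

    def warnings(self):
        return [e for e in self.events if " WARN " in e]

SAMPLES = [  # constructed observations: (seconds, centre frequency Hz, dBm)
    (0.0, 433_920_000, -60.0),   # unrelated ISM band carrier
    (1.0, 345_000_000, -85.0),   # the sensor's own quiet OOK burst
    (2.0, 345_000_000, -84.0),   # same again, no power change worth logging
    (3.0, 344_800_000, -40.0),   # strong new carrier 200 kHz from the channel
    (4.0, 344_800_000, -30.0),   # and it ramps up
    (5.0, 345_000_000, -45.0),   # something far louder than the sensor, on its channel
]

def run_log(samples=SAMPLES):
    log = RadioLog()
    for t, hz, dbm in samples:
        log.observe(t, hz, dbm)
    return log
```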
ATTRIBUTION OF ATTACK: FINGER POINTING
[Diagram: the same three receivers, now hearing a signal from an attacker at different strengths (70 %, 40 %)]
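Verifying a burst by where it is heard from, serving both the "Verify signals" and the "Attribution of attack" slides, as an added example not from the deck: each enrolled sensor gets the profile of relative strengths its bursts show at three receivers (the 70 % / 40 % idea), a later burst is accepted only if its profile matches, and a mismatch names the receiver that heard it loudest as the first place to look. Receiver names, the 15 % tolerance and the readings are constructed.

```python
RECEIVERS = ("R1", "R2", "R3")   # constructed receiver names
TOLERANCE = 0.15                  # assumption: each receiver may drift 15 points of the profile

def profile(readings):
    """Strength at each receiver relative to the strongest one, so the shape survives a
    sensor on a weak battery (all receivers get quieter together)."""
    top = max(readings[r] for r in RECEIVERS)
    if top <= 0:
        raise ValueError("no receiver heard anything")
    return {r: readings[r] / top for r in RECEIVERS}

def enroll(known_good):
    """Average the profiles of bursts captured while the installer stood at the sensor."""
    fp = {r: 0.0 for r in RECEIVERS}
    for readings in known_good:
        for r, v in profile(readings).items():
            fp[r] += v / len(known_good)
    return fp

def verify(fingerprint, readings):
    """Return (accepted, worst deviation, receiver that heard the burst loudest).
    The loudest receiver is the first place to look when the burst is rejected."""
    seen = profile(readings)
    worst = max(abs(seen[r] - fingerprint[r]) for r in RECEIVERS)
    loudest = max(RECEIVERS, key=lambda r: readings[r])
    return worst <= TOLERANCE, round(worst, 3), loudest

# constructed: the real sensor is heard at roughly 70 / 40 / 20 from its mounting spot
KNOWN_GOOD = [{"R1": 70, "R2": 40, "R3": 20}, {"R1": 68, "R2": 42, "R3": 19}]
# constructed: the same sensor ID, but transmitted from the car park next to R3
FROM_CAR_PARK = {"R1": 20, "R2": 35, "R3": 90}
# constructed: the real sensor on a weak battery: everything quieter, same shape
WEAK_BATTERY = {"R1": 35, "R2": 21, "R3": 10}

def demo():
    fp = enroll(KNOWN_GOOD)
    return {"weak_battery": verify(fp, WEAK_BATTERY),
            "car_park": verify(fp, FROM_CAR_PARK)}
```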
ATTACK RESPONSE: TALK TO ME GOOSE
[Diagram: three receivers and a signal from an attacker]
WHAT CAN WE START TODAY? USING APPLIED TECHNOLOGY
System Integrators: Need tools for verifying binaries and need to be able to hash a sensor and receiver
Manufacturers: Need to develop complex adaptive networks using the above methods
Compliance: Need to outline when a WSN can and can't be used on mission critical equipment based on real risk.
Customer: Harden their understanding of WSNs and limit use on mission critical installations.
TRY IT FOR YOURSELF!
Download the VM from the link! Will be posted shortly!
Check list!
Buy a radio on Amazon!
Load the VM
Click on FMstations.grc on the desktop
Tune to your favorite radio station after executing the script
Tell me about it on Twitter! @DanielCLance
Thanks for Watching This Presentation
See You Next Time !!!