11th Annual Security & Compliance Summit | Washington D.C.
Prepared by: Daniel Lance

Wireless Sensor Networks: Nothing is out of reach ^

WSN: Nothing is out of reach ^ By: Daniel C Lance

OUR AGENDA (KINDA)

1. History/Design: conceptual implementation; practical implementation
2. What is it? What WSNs are as a whole
3. SDR (Software Defined Radio): software and hardware overview; Hack Matrix
4. Social Engineering: cognitive biases; pretexting; baiting
5. What can be done: a fix for all wireless systems

ABOUT ME

After years of installing wireless sensor networks in homes and businesses, we are now faced with a question: “How is this all secure? Or is it?”

HISTORY: TACTICAL TO PRACTICAL

1949 (Start): Sound Surveillance System (SOSUS) developed by the United States Military

1978 (Growth): Distributed Sensor Network (DSN) workshop, the birthplace of the common WSN

1980 (Innovation): Distributed Sensor Network (DSN): DARPA formally explores the challenges in implementing distributed/wireless sensor networks

1993 (Innovation): UCLA Wireless Integrated Network Sensors (WINS)

1999 (Innovation): University of California at Berkeley PicoRadio program

2000 (Innovation): MIT Adaptive Multi-domain Power Aware Sensors (µAMPS) program

2001 (Innovation): NASA Sensor Webs

Today

2002 (Alliance): ZigBee Alliance

2002 (Innovation): Center for Embedded Network Sensing (CENS)

2005 (Alliance): Z-Wave Alliance

APPLICATION & DEBUT: 1949-PRESENT DAY

[Chart: sectors Military, Scientific, Industry, Consumer; cost and energy needed to build a sensor against total market size, past vs. present day]

SO WHAT IS A WSN? Design in a nutshell

Sender and Receiver (Node & Gatherer)

Sensor component: analog and/or digital I/O

Modulation protocols: OOK, FSK, ASK, etc.

Power management: how can the device report for longer

TOPOLOGY OF A NETWORK: Sender and Receiver (Node & Gatherer)

One way: sender -> receiver

Bi-directional: sender <-> receiver

Mesh: nodes relay for each other on the way to the receiver

Star: every node talks directly to the receiver

SENSORS: A TON OF THEM

Accelerometers Accessories Amplifiers Capacitive Touch Sensors, Proximity Sensor ICs Color Sensors Current Transducers Dust Sensors Encoders Flex Sensors Float, Level Sensors Flow Sensors Force Sensors Gas Sensors Gyroscopes Image Sensors, Camera Inclinometers IrDA Transceiver Modules LVDT Transducers (Linear Variable Differential Transformer) Magnetic Sensors - Compass, Magnetic Field (Modules) Magnetic Sensors - Hall Effect, Digital Switch, Linear, Compass (ICs) Magnetic Sensors - Position, Proximity, Speed (Modules) Magnets Moisture Sensors, Humidity Motion Sensors, Detectors Multifunction Optical Sensors - Ambient Light, IR, UV Sensors Optical Sensors - Distance Measuring Optical Sensors - Photo Detectors - CdS Cells

Optical Sensors - Photo Detectors - Logic Output Optical Sensors - Photo Detectors - Remote Receiver Optical Sensors - Photodiodes Optical Sensors - Photoelectric, Industrial Optical Sensors - Photointerrupters - Slot Type - Logic Output Optical Sensors - Photointerrupters - Slot Type - Transistor Output Optical Sensors - Phototransistors Optical Sensors - Reflective - Analog Output Optical Sensors - Reflective - Logic Output Position Sensors - Angle, Linear Position Measuring Pressure Sensors, Transducers Proximity Sensors Proximity/Occupancy Sensors - Finished Units RTD (Resistance Temperature Detector) Shock Sensors Solar Cells Specialized Sensors Strain Gages Temperature Regulators Temperature Sensors, Transducers Temperature Switches Thermistors - NTC Thermistors - PTC Thermocouple, Temperature Probe Tilt Sensors Ultrasonic Receivers, Transmitters Vibration Sensors

Phase-shift keying (PSK)

PSK uses a finite number of phases, each assigned a unique pattern of binary digits. Usually, each phase encodes an equal number of bits.

Frequency-shift keying (FSK)

Frequency modulation scheme in which digital information is transmitted through discrete frequency changes of a carrier wave. The simplest FSK is binary FSK (BFSK). BFSK uses a pair of discrete frequencies to transmit binary (0s and 1s) information. With this scheme, the "1" is called the mark frequency and the "0" is called the space frequency. The time domain of an FSK-modulated carrier is illustrated in the figures to the right.

Amplitude-shift keying (ASK)

A form of amplitude modulation that represents digital data as variations in the amplitude of a carrier wave. In an ASK system, the binary symbol 1 is represented by transmitting a carrier wave of fixed amplitude and fixed frequency for a bit duration of T seconds; a 0 is sent at a different amplitude. In the simplest form, on-off keying (OOK), a 0 means no carrier at all. That is what the perimeter sensor examined later in this deck uses, and it is why its traffic can be read straight off a recorded envelope.

Quadrature amplitude modulation (QAM)

Both an analog and a digital modulation scheme. It conveys two analog message signals, or two digital bit streams, by changing (modulating) the amplitudes of two carrier waves, using the amplitude-shift keying (ASK) digital modulation scheme or the amplitude modulation (AM) analog modulation scheme.

Continuous phase modulation (CPM)

A method of data modulation commonly used in wireless modems. In contrast to other coherent digital phase modulation techniques where the carrier phase abruptly resets to zero at the start of every symbol (e.g. M-PSK), with CPM the carrier phase is modulated in a continuous manner.

POWER MANAGEMENT

1. Battery powered
2. Wake/speed modes
3. Alarm vs. trouble vs. tamper (10 tx / 5 tx / 3 tx)
4. PM schedule

SDR: HERE TO STAY

Started as a TV tuner

Size of a stick of gum

Supported on all OS’s

SOFTWARE DEFINED RADIO: $20.95 w/ free shipping

Software & Hardware

THE SOFTWARE: OPEN SOURCE

GNU Radio Companion

GNU Radio Companion (GRC) is a graphical tool for creating signal flow graphs and generating flow-graph source code.

Gqrx SDR

Gqrx is a software defined radio receiver powered by the GNU Radio SDR framework and the Qt graphical toolkit.

Pentoo

The SDR distro of choice!

Audacity®

Cross-platform software for recording and editing sounds; great for figuring out protocols, since a demodulated capture is just an audio file whose on/off timing can be measured by eye.

THE HARDWARE: LOW COST

Dongle time

HackRF One

The Great Scott Gadgets HackRF One is a Software Defined Radio peripheral capable of transmission or reception of radio signals from 10 MHz to 6 GHz. It is half-duplex: it transmits or receives, not both at once.

RTL2832U

Receive-only USB dongle; with the Elonics E4000 tuner it covers 52 - 2200 MHz, with a gap from about 1100 MHz to 1250 MHz (varies by unit).

Ubertooth One

2.4 GHz wireless development platform suitable for Bluetooth experimentation. Commercial Bluetooth monitoring equipment can be found for over $10,000.

Upgradeable Antenna

Everything from RFID to Satellite

START SOME HACKING: WHAT THE HECK DO WE KNOW

THE DEVICE

Perimeter device

MCU: TI MSP430F2132IRHB; the data sheet is public

We know it’s OOK

FCC listed (the FCC ID filing gives the operating frequency and the test reports)

THE TYPICAL REPLAY ATTACK

GQRX and Audacity

Start by finding the device, then sample the audio, then define the audio files.

We know it is at 345 MHz

We know we have the correct device because of the on-off times

We can now do replay attacks at will

We can try our hand at jamming

THE TYPICAL REPLAY ATTACK: HOW DO WE SEND THE FILE?

The RTL2832U has failed

The RTL2832U isn’t a send device at all; it is receive-only

We know we have a good attack: we have the data

GLASS STAGE: ON THE CHEAP SIDE (Half Full)

Find the carrier signal

Tap the audio output from your sound card onto the carrier signal and send the file

SPEND A LITTLE CASH: HACKRF TO THE RESCUE

Without the device

Start by finding the device, then sample the audio, then define the audio files, then repeat.

We can replay-attack with little programming

We can RF jam with little effort

We can RF jam intermittently so the receiver thinks it is only overhearing interference rather than being jammed

GOING A STEP FURTHER: BINARY

Why we don’t care about the little bits

We only know what we are told

Good for baiting

It's faster just to make-stuff-up

Frame layout:

Preamble: 10101010101010 | ID: xxxxxx | Net: xx | Payload: xxxxxx | CRC: 16
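The frame above is only placeholders, so here is an added, runnable walk-through of the whole chain the deck describes, from the OOK envelope a Gqrx/Audacity capture gives you to the fields behind the preamble. It is not the author's code and not the real device's format: the field widths (16-bit 0xAAAA preamble, 24-bit ID, 8-bit net, 24-bit payload, 16-bit CRC with polynomial 0x8005), the samples-per-bit ratio, the sensor ID and the payload codes are all assumptions. It shows why a CRC on its own changes nothing: the replayed capture checks out, and so does a forged frame with a made-up payload; only bit damage is caught.

```python
"""Added example: OOK envelope -> bits -> frame, and why a bare CRC does not
stop replay or forgery. Field widths are assumptions; the slide only shows a
1010... preamble, ID, net, payload and a 16-bit CRC."""
from dataclasses import dataclass
from typing import List, Optional

SAMPLES_PER_BIT = 8          # assumed ratio of sample rate to symbol rate
PREAMBLE = "10" * 8          # 0xAAAA, the 1010... training sequence on the slide


def crc16(data: bytes, poly: int = 0x8005, init: int = 0x0000) -> int:
    """Plain CRC-16 with polynomial 0x8005 (assumed; the device's own is unknown)."""
    crc = init
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_frame(sensor_id: int, net: int, payload: int) -> bytes:
    """Preamble(16) | ID(24) | Net(8) | Payload(24) | CRC(16), widths assumed."""
    body = sensor_id.to_bytes(3, "big") + bytes([net & 0xFF]) + payload.to_bytes(3, "big")
    return b"\xaa\xaa" + body + crc16(body).to_bytes(2, "big")


def bits_of(frame: bytes) -> str:
    return "".join(f"{b:08b}" for b in frame)


def ook_modulate(bits: str, spb: int = SAMPLES_PER_BIT) -> List[float]:
    """Constructed envelope: carrier on (1.0) for a 1 bit, off (0.0) for a 0 bit,
    plus a small deterministic ripple standing in for receiver noise."""
    env: List[float] = []
    for i, bit in enumerate(bits):
        level = 1.0 if bit == "1" else 0.0
        for k in range(spb):
            env.append(level + 0.05 * (((i * spb + k) % 3) - 1))
    return env


def ook_demodulate(env: List[float], spb: int = SAMPLES_PER_BIT) -> str:
    """Threshold at mid-scale, sync on the first rising edge, majority-vote each symbol."""
    thr = (max(env) + min(env)) / 2.0
    start = next((i for i, s in enumerate(env) if s > thr), None)
    if start is None:
        return ""
    bits = []
    for i in range(start, len(env) - spb + 1, spb):
        chunk = env[i:i + spb]
        bits.append("1" if 2 * sum(s > thr for s in chunk) > spb else "0")
    return "".join(bits)


@dataclass
class Frame:
    sensor_id: int
    net: int
    payload: int
    crc_ok: bool


def parse_frame(bits: str) -> Optional[Frame]:
    """Locate the preamble, then cut the fixed-width fields behind it."""
    idx = bits.find(PREAMBLE)
    if idx < 0:
        return None
    body_bits = bits[idx + len(PREAMBLE): idx + len(PREAMBLE) + 56 + 16]
    if len(body_bits) < 72:
        return None
    raw = int(body_bits, 2).to_bytes(9, "big")
    body, crc = raw[:7], int.from_bytes(raw[7:], "big")
    return Frame(
        sensor_id=int.from_bytes(body[:3], "big"),
        net=body[3],
        payload=int.from_bytes(body[4:], "big"),
        crc_ok=crc16(body) == crc,
    )


def demo() -> dict:
    """Capture a 'tamper' frame, replay it, forge a 'restore', and damage one bit."""
    SENSOR, NET = 0x1A2B3C, 0x07            # constructed identifiers
    TAMPER, RESTORE = 0x000100, 0x000000    # constructed payload codes
    capture = [0.0] * 20 + ook_modulate(bits_of(build_frame(SENSOR, NET, TAMPER)))
    replay = parse_frame(ook_demodulate(capture))              # what a replay resends
    forged = parse_frame(bits_of(build_frame(SENSOR, NET, RESTORE)))  # "make stuff up"
    good = bits_of(build_frame(SENSOR, NET, TAMPER))
    damaged = parse_frame(good[:40] + ("0" if good[40] == "1" else "1") + good[41:])
    return {"replay": replay, "forged": forged, "damaged": damaged}
```

Nothing in the frame ties it to a moment in time or to a secret the receiver can check, so the receiver cannot tell the replayed tamper, the forged restore and the original apart; that is the whole reason the deck moves on to verifying where a signal comes from rather than what it says.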

WHAT IS AT RISK TODAY? Sender and Receiver (Node & Gatherer)

All four topologies: one way, bi-directional, mesh and star.

RECEIVERS ARE THE DOWNFALL: Hack Matrix Layer

Session keys, fixed encryption: extract the firmware via the bus and capture the key of the WSN

Session keys, no-pass key encryption: capture the device in the last mile, before installation

Session keys, dynamic encryption: attack the programming device

Mesh: jam and emulate

Star: jam and emulate

Bi-directional: jam and emulate

One way: jam and emulate

WHAT THE HECK DOES THIS MEAN?

Wireless sensors can be:

• Taken hostage

• Emulated

• Jammed

Receivers can be:

• Jammed even with jam detection

• Used against the facility staff

SOCIAL ENGINEERING: WORKING FOR YOU 24 HOURS A DAY

Cognitive biases: all of our own personal experience plays a huge part

Pretexting: affecting a whole group

Baiting: getting one or more people to act

COGNITIVE BIASES: THE INDIVIDUAL

[Chart: the same sector chart as in the history section (Military, Scientific, Industry, Consumer; past vs. present day)]

PRETEXTING: ALL TOGETHER NOW

[Diagram: Receiver; Malicious MiniVan]

BAITING: Always a bigger fish

Case tampers

Speeding up fault conditions

Low battery signaling

BRING IT ALL TOGETHER

“EVERYTHING WE HEAR IS AN OPINION, NOT A FACT. EVERYTHING WE SEE IS A PERSPECTIVE, NOT THE TRUTH.” - MARCUS AURELIUS

THE SOLUTION: WHAT DO WE REALLY NEED?

Verify Signals

Acquisition of data

Attack Response

Attribution of Attack

VERIFY SIGNALS: TRIANGULATION OF SIGNALS

[Diagram: three receivers hear the same signal from the wireless sensor at different strengths (e.g. 70 % at one, 40 % at another), so together they can check that it came from where the sensor is installed]
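As an added example (not from the deck), here is one way to turn the triangulation idea into a check: record at install time how strongly each receiver hears a given sensor, then compare every later frame's RSSI pattern against that baseline. It goes a little beyond the slide by using differences between receivers rather than raw percentages, so a fading battery (which lowers every reading by the same amount) does not trip it, while a transmitter standing somewhere else does. Receiver names, dBm values and the 6 dB tolerance are constructed.

```python
"""Added example: accept a frame only if the RSSI pattern across the receivers
matches the pattern learned for that sensor at install time, and point at the
receiver nearest to a transmitter that does not match."""
from typing import Dict, Tuple

RECEIVERS = ("rx_a", "rx_b", "rx_c")

# Constructed install-time baseline: RSSI in dBm of sensor 0x1A2B3C at each receiver.
BASELINE: Dict[int, Dict[str, float]] = {
    0x1A2B3C: {"rx_a": -62.0, "rx_b": -71.0, "rx_c": -80.0},
}


def fingerprint(rssi: Dict[str, float]) -> Tuple[float, ...]:
    """Level differences relative to the first receiver. A weaker battery lowers
    every reading equally, so the differences stay put; a transmitter in a
    different place changes them."""
    ref = rssi[RECEIVERS[0]]
    return tuple(rssi[r] - ref for r in RECEIVERS[1:])


def verify(sensor_id: int, rssi: Dict[str, float], tol_db: float = 6.0) -> Tuple[bool, float]:
    """Return (accepted, worst deviation in dB) for one received frame."""
    if sensor_id not in BASELINE:
        return False, float("inf")
    expected = fingerprint(BASELINE[sensor_id])
    seen = fingerprint(rssi)
    worst = max(abs(a - b) for a, b in zip(expected, seen))
    return worst <= tol_db, worst


def attribute(rssi: Dict[str, float]) -> str:
    """Crude attribution: the receiver hearing the rogue frame loudest is closest to it."""
    return max(RECEIVERS, key=lambda r: rssi[r])


def demo() -> dict:
    # Constructed: the real sensor, 2 dB weaker everywhere after months on battery.
    legit = {"rx_a": -64.0, "rx_b": -73.0, "rx_c": -81.0}
    # Constructed: a replay from an SDR parked near rx_c (the "malicious minivan").
    rogue = {"rx_a": -75.0, "rx_b": -70.0, "rx_c": -50.0}
    return {
        "legit": verify(0x1A2B3C, legit),
        "rogue": verify(0x1A2B3C, rogue),
        "rogue_nearest": attribute(rogue),
    }
```

A replayed frame carries the right ID and a valid CRC, which is exactly the layer the Hack Matrix writes off; what it cannot fake cheaply is being heard from the sensor's own position. An attacker who maps the receivers can shape their transmit power to get closer to the baseline, which is why the slide wants several receivers rather than one and why the tolerance should come from measured drift, not a guess.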

ACQUISITION OF DATA: TRACK RADIO ACTIVITY

When a radio starts doing spectrum analysis a so-called “spike happens”: a zero-IF SDR puts a new DC spike at its centre frequency (its local-oscillator leakage), and that is what gives away a radio tuning nearby.

Wait and see what happens

Log the frequency

Log the dB level of the radio at its frequency

Track changes in power

Warn if the centre frequency comes close to the WSN’s

Warning: this radio log can then be shared if an attack happens

Long term storage
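Added example, not part of the presentation: the logging loop sketched in the bullets above, written over constructed spectrum sweeps. The channel (345 MHz, from the device slides), the 1 MHz guard band, the -90 dBm noise floor and the 10 dB power step are assumptions; a real monitor would feed it FFT bins from the receiver instead of the hand-made dictionaries here.

```python
"""Added example: keep a long-term log of carriers seen in spectrum sweeps and
warn when a new or strengthening one sits close to the WSN's channel."""
from typing import Dict, List, Tuple

WSN_FREQ_MHZ = 345.0        # the perimeter device's channel, from the slides
GUARD_MHZ = 1.0             # assumed: how close counts as "close"
NOISE_FLOOR_DBM = -90.0     # assumed detection threshold
POWER_STEP_DB = 10.0        # assumed: report power changes at least this large

Sweep = Dict[float, float]            # centre frequency in MHz -> level in dBm
Event = Tuple[str, float, float]      # (kind, frequency, level)


def carriers(sweep: Sweep) -> Dict[float, float]:
    """Bins above the noise floor are treated as carriers. A freshly tuned
    zero-IF SDR shows up here as a narrow line at its centre frequency."""
    return {f: lvl for f, lvl in sweep.items() if lvl > NOISE_FLOOR_DBM}


def scan(log: List[Event], prev: Sweep, cur: Sweep) -> List[Event]:
    """Compare two sweeps, append the resulting events to the long-term log and
    return the events raised by this sweep."""
    before, now = carriers(prev), carriers(cur)
    events: List[Event] = []
    for f, lvl in sorted(now.items()):
        if f not in before:
            events.append(("new", f, lvl))
        elif abs(lvl - before[f]) >= POWER_STEP_DB:
            events.append(("power", f, lvl))
        near_wsn = abs(f - WSN_FREQ_MHZ) <= GUARD_MHZ
        if near_wsn and (f not in before or lvl > before[f]):
            events.append(("warn", f, lvl))
    for f, lvl in sorted(before.items()):
        if f not in now:
            events.append(("gone", f, lvl))
    log.extend(events)
    return events


def demo() -> list:
    # Constructed sweeps: an FM broadcast at 100.3 MHz; then a carrier appears
    # just below 345 MHz (someone tuning an SDR there); then it gets 15 dB louder;
    # then it disappears again.
    quiet = {100.3: -55.0, 344.8: -97.0, 345.0: -96.0, 433.9: -98.0}
    tuned = {100.3: -55.0, 344.8: -60.0, 345.0: -96.0, 433.9: -98.0}
    louder = {100.3: -55.0, 344.8: -45.0, 345.0: -96.0, 433.9: -98.0}
    log: List[Event] = []
    steps = [scan(log, quiet, tuned), scan(log, tuned, louder), scan(log, louder, quiet)]
    return steps + [log]
```

The log is the part worth keeping: a "warn" entry with a timestamp and level, stored off the receiver, is what the attribution and response slides need when the jam-and-emulate attack finally happens, and a steady 345 MHz carrier from the sensor itself never trips it because it is already in the baseline sweep.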

ATTRIBUTION OF ATTACK: FINGER POINTING

[Diagram: three receivers; the signal from the attacker arrives at different strengths (70 % at one, 40 % at another), which points at where the attacker is]

ATTACK RESPONSE: TALK TO ME GOOSE

[Diagram: three receivers and a signal from the attacker]

WHAT CAN WE START TODAY? USING APPLIED TECHNOLOGY

System Integrators: need tools for verifying binaries, and need to be able to hash a sensor and receiver

Manufacturers: need to develop complex adaptive networks using the above methods

Compliance: need to outline when a WSN can and can’t be used on mission-critical equipment, based on real risk

Customer: harden their understanding of WSNs and limit use on mission-critical installations

One more thing…

TRY IT FOR YOURSELF!

Download the VM from the link! (Will be posted shortly!)

Check list!

Buy a radio on Amazon!

Load the VM

Click on FMstations.grc on the desktop

Tune to your favorite radio station after executing the script

Tell me about it on Twitter!

@DanielCLance

Thanks for Watching This Presentation

See You Next Time !!!
