Presenter: Daniel Lance, Layered Integration
After years of installing wireless sensor networks in homes and businesses, we are now faced with a question: "How is this all secure? Or is it?" A look into WSN (Wireless Sensor Network) history and the original design concepts that paved the road to our using these devices in everyday life.
This presentation will be a deep dive into wireless and will reveal the new challenges we face in protecting our perimeter when all of our core monitoring devices are riding a wave into the public space, as most industrial control providers look to capitalize on fast installation times and inexpensive adaptive solutions. This research shows, start to finish, how anyone with a laptop and an SDR (Software Defined Radio) can hack into and take control of WSNs from outside the front gate.
The presentation will demonstrate how a device inside your facility might reveal itself through spectrum analysis, then how a hacker might flank the security of the device and own the network with very simple replay attacks that can grant them physical access, and how social engineering pre-installation and post-installation will cause you to disregard warning signs that someone is tampering with the network. A high-level understanding of radio is no longer needed for packet analysis with open source tools, so proper implementation has never been more important, as even an encrypted device can be compromised in the last mile before installation. We will talk about the tools security professionals are lacking from the manufacturers of these devices to scan for a compromised device, and what can be done in the future to protect WSNs.
3. WSN
Nothing is out of reach. By: Daniel C Lance
OUR AGENDA
KINDA
1. History/Design: conceptual implementation; practical implementation
2. What is it?: what WSNs are as a whole
3. SDR: Software Defined Radio; software and hardware overview; Hack Matrix
4. Social Engineering: cognitive biases; pretexting; baiting
5. What can be done: a fix for all wireless systems
HISTORY
TACTICAL TO PRACTICAL
1949 (Start): Sound Surveillance System (SOSUS) developed by the United States Military
1978 (Growth): Distributed Sensor Network Workshop; DSNs, birthplace of the common WSN
1980 (Innovation): Distributed Sensor Network (DSN); DARPA formally explores the challenges in implementing distributed/wireless sensor networks
1993 (Innovation): UCLA Wireless Integrated Network Sensors
1999 (Innovation): University of California at Berkeley PicoRadio program
2000 (Innovation): Adaptive Multi-domain Power Aware Sensors program, MIT
2001 (Innovation): NASA Sensor Webs
Today
2002 (Alliance): ZigBee Alliance
2002 (Innovation): Center for Embedded Network Sensing
2005 (Alliance): Z-Wave Alliance
APPLICATION & DEBUT
1949-PRESENT DAY
[Chart: cost and energy needed to build a sensor versus total market size, past and present day, across Military, Scientific, Industry and Consumer]
SO WHAT IS A WSN?
Design in a nutshell
• Sender and Receiver (Node & Gatherer)
• Sensor component: analog and/or digital I/O
• Modulation protocols: OOK, FSK, ASK, etc.
• Power management: how can the device report longer?
TOPOLOGY OF A NETWORK
Sender and Receiver (Node & Gatherer)
[Diagram: One way (Sender -> Receiver); Bi-directional (Sender <-> Receiver); Mesh; Star]
SENSORS
A TON OF THEM
Accelerometers
Accessories
Amplifiers
Capacitive Touch Sensors, Proximity Sensor ICs
Color Sensors
Current Transducers
Dust Sensors
Encoders
Flex Sensors
Float, Level Sensors
Flow Sensors
Force Sensors
Gas Sensors
Gyroscopes
Image Sensors, Camera
Inclinometers
IrDA Transceiver Modules
LVDT Transducers (Linear Variable Differential Transformer)
Magnetic Sensors - Compass, Magnetic Field (Modules)
Magnetic Sensors - Hall Effect, Digital Switch, Linear, Compass (ICs)
Magnetic Sensors - Position, Proximity, Speed (Modules)
Magnets
Moisture Sensors, Humidity
Motion Sensors, Detectors
Multifunction
Optical Sensors - Ambient Light, IR, UV Sensors
Optical Sensors - Distance Measuring
Optical Sensors - Photo Detectors - CdS Cells
Optical Sensors - Photo Detectors - Logic Output
Optical Sensors - Photo Detectors - Remote Receiver
Optical Sensors - Photodiodes
Optical Sensors - Photoelectric, Industrial
Optical Sensors - Photointerrupters - Slot Type - Logic Output
Optical Sensors - Photointerrupters - Slot Type - Transistor Output
Optical Sensors - Phototransistors
Optical Sensors - Reflective - Analog Output
Optical Sensors - Reflective - Logic Output
Position Sensors - Angle, Linear Position Measuring
Pressure Sensors, Transducers
Proximity Sensors
Proximity/Occupancy Sensors - Finished Units
RTD (Resistance Temperature Detector)
Shock Sensors
Solar Cells
Specialized Sensors
Strain Gages
Temperature Regulators
Temperature Sensors, Transducers
Temperature Switches
Thermistors - NTC
Thermistors - PTC
Thermocouple, Temperature Probe
Tilt Sensors
Ultrasonic Receivers, Transmitters
Vibration Sensors
Phase-shift keying (PSK)
PSK uses a finite number of phases, each assigned a unique pattern of binary digits. Usually, each phase encodes an equal number of bits.
Frequency-shift keying (FSK)
A frequency modulation scheme in which digital information is transmitted through discrete frequency changes of a carrier wave. The simplest FSK is binary FSK (BFSK). BFSK uses a pair of discrete frequencies to transmit binary (0s and 1s) information. With this scheme, the "1" is called the mark frequency and the "0" is called the space frequency. The time domain of an FSK modulated carrier is illustrated in the figures to the right.
Amplitude-shift keying (ASK)
A form of amplitude modulation that represents digital data as variations in the amplitude of a carrier wave. In an ASK system, the binary symbol 1 is represented by transmitting a fixed-amplitude carrier wave at a fixed frequency for a bit duration of T seconds. If the signal value is 1 then the carrier signal will be transmitted; otherwise, a signal value of 0 will be transmitted.
Quadrature amplitude modulation (QAM)
Both an analog and a digital modulation scheme. It conveys two analog message signals, or two digital bit streams, by changing (modulating) the amplitudes of two carrier waves, using the amplitude-shift keying (ASK) digital modulation scheme or the amplitude modulation (AM) analog modulation scheme.
Continuous phase modulation (CPM)
A method of modulating data commonly used in wireless modems. In contrast to other coherent digital phase modulation techniques, where the carrier phase abruptly resets to zero at the start of every symbol (e.g. M-PSK), with CPM the carrier phase is modulated in a continuous manner.
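On-off keying (OOK), the simplest ASK form and the scheme the perimeter device later in this talk uses, is easiest to understand in samples. This added example (not from the talk) keys a bit string onto an envelope, recovers the bits, and extracts the on/off run lengths, which is the timing signature a listener uses to tell one device apart from other traffic on the same frequency. The bit period, noise level and preamble (the alternating pattern from the BINARY slide) are constructed values.

```python
import random

BIT_PERIOD = 8                  # samples per bit (constructed; real devices differ)
PREAMBLE = "10101010101010"     # alternating preamble as drawn on the BINARY slide

def ook_modulate(bits, bit_period=BIT_PERIOD, amp=1.0, noise=0.05, seed=1):
    """On-off keying: '1' = carrier envelope at `amp`, '0' = silence, plus noise."""
    rng = random.Random(seed)
    samples = []
    for b in bits:
        level = amp if b == "1" else 0.0
        samples.extend(level + rng.uniform(-noise, noise) for _ in range(bit_period))
    return samples

def run_lengths(samples, threshold=0.5):
    """Collapse the envelope into (state, duration) runs: the device's on/off times."""
    runs = []
    for s in samples:
        state = 1 if s > threshold else 0
        if runs and runs[-1][0] == state:
            runs[-1][1] += 1
        else:
            runs.append([state, 1])
    return [tuple(r) for r in runs]

def ook_demodulate(samples, threshold=0.5):
    """Recover bits by sampling the envelope in the middle of each bit period."""
    return "".join("1" if samples[i] > threshold else "0"
                   for i in range(BIT_PERIOD // 2, len(samples), BIT_PERIOD))

def matches_timing(samples, bit_period=BIT_PERIOD, tolerance=1):
    """True if every on/off run is a whole number of bit periods (within tolerance):
    the on-off-time check that separates the wanted device from other transmitters."""
    for _, dur in run_lengths(samples):
        nearest = round(dur / bit_period) * bit_period
        if nearest == 0 or abs(dur - nearest) > tolerance:
            return False
    return True

def decode_frame(samples):
    """Return the bits after the preamble, or None when the preamble is absent."""
    bits = ook_demodulate(samples)
    return bits[len(PREAMBLE):] if bits.startswith(PREAMBLE) else None
```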
POWER MANAGEMENT
• Battery powered
• Wake/speed modes
• Alarm vs. trouble vs. tamper (10tx 5tx 3tx)
• PM schedule
[Chart: 100%, stages 1 to 4]
SDR
HERE TO STAY
SOFTWARE DEFINED RADIO
• Started as a TV tuner
• Size of a stick of gum
• Supported on all OSes
• $20.95 w/ free shipping
Software & Hardware
THE SOFTWARE
OPEN SOURCE
GNU Radio Companion: GNU Radio Companion (GRC) is a graphical tool for creating signal flow graphs and generating flow-graph source code.
Gqrx SDR: Gqrx is a software defined radio receiver powered by the GNU Radio SDR framework and the Qt graphical toolkit.
Pentoo: The SDR distro of choice!
Audacity®: Cross-platform software for recording and editing sounds; great for figuring out protocols.
THE HARDWARE
LOW COST
Dongle time
HackRF One: Great Scott Gadgets' Software Defined Radio peripheral, capable of transmission or reception of radio signals from 10 MHz to 6 GHz.
RTL2832U: Elonics E4000 tuner, 52 - 2200 MHz with a gap from 1100 MHz to 1250 MHz (varies).
Ubertooth One: 2.4 GHz wireless development platform suitable for Bluetooth experimentation. Commercial Bluetooth monitoring equipment can be found for over $10,000.
Upgradeable antenna: everything from RFID to satellite.
START SOME HACKING
WHAT THE HECK DO WE KNOW
THE DEVICE
• Perimeter device
• MSP430F2132IRHB
• Data sheet is public
• We know it's OOK
• FCC listed
THE TYPICAL REPLAY ATTACK
GQRX and Audacity
Start by finding the device, then sample the audio, then define the audio files.
• We know it is at 345 MHz
• We know we have the correct device because of the on-off times
• We can now do replay attacks at will
• We can try our hand at jamming
THE TYPICAL REPLAY ATTACK
HOW DO WE SEND THE FILE?
• RTL2832U has failed
• RTL2832U isn't a good send device
• We know we have a good attack; we have the data
GLASS STAGE
ON THE CHEAP SIDE
[Diagram: Half; Full]
Find the carrier signal
Tap the audio output from your sound card to the carrier signal and send the file
SPEND A LITTLE CASH
HACKRF TO THE RESCUE
Without the device
Start by finding the device, then sample the audio, then define the audio files, then repeat.
• We can replay attack with little programming
• We can RF jam with little effort
• We can RF jam intermittently to make the receiver think it is overhearing
GOING A STEP FURTHER
BINARY
Why we don't care about the little bits
• We only know what we are told
• Good for baiting
• It's faster just to make stuff up
Frame layout: Preamble 10101010101010 | ID xxxxxx | Net xx | Payload xxxxxx | CRC 16
WHAT IS AT RISK TODAY?
Sender and Receiver (Node & Gatherer)
[Diagram: One way (Sender -> Receiver); Bi-directional (Sender <-> Receiver); Mesh; Star]
RECEIVERS ARE THE DOWNFALL
Hack Matrix Layer
Session Keys | Fixed Encryption: extract the firmware via bus and capture the key of the WSN
Session Keys | No-Pass Key Encryption: capture the device in the last mile before installation
Session Keys | Dynamic Encryption: attack the programming device
Mesh: jam and emulate
Star: jam and emulate
Bi-directional: jam and emulate
One way: jam and emulate
WHAT THE HECK DOES THIS MEAN?
Wireless sensors can be:
• Taken hostage
• Emulated
• Jammed
Receivers can be:
• Jammed even with jam detection
• Used against the facility staff
SOCIAL ENGINEERING
WORKING FOR YOU 24 HOURS A DAY
Cognitive biases: all of our own personal experience plays a huge part
Pretexting: affecting a whole group
Baiting: getting one or more people to act
COGNITIVE BIASES
THE INDIVIDUAL
[Chart: cost and energy needed to build a sensor versus total market size, past and present day, across Military, Scientific, Industry and Consumer]
PRETEXTING
ALL TOGETHER NOW
[Diagram: Receiver; Malicious MiniVan]
BAITING
Always a bigger fish
• Case tampers
• Speeding up fault conditions
• Low battery signaling
“EVERYTHING WE HEAR IS AN OPINION,
NOT A FACT. EVERYTHING WE SEE IS A
PERSPECTIVE, NOT THE TRUTH.”
-MARCUS AURELIUS
THE SOLUTION
WHAT DO WE REALLY NEED?
• Verify signals
• Acquisition of data
• Attack response
• Attribution of attack
VERIFY SIGNALS
TRIANGULATION OF SIGNALS
[Diagram: three receivers and a signal from a wireless sensor, received at 70% and 40%]
ACQUISITION OF DATA
TRACK RADIO ACTIVITY
• New DC spike: when a radio starts, a so-called "spike happens" in spectrum analysis
• Wait and see what happens: log the frequency; log the dB level of the radio at its frequency; track changes in power
• Warning: warn if the center frequency comes close to the WSN
• Long-term storage: this radio log can then be shared if an attack happens
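The logging procedure on this slide, written out as an added example (not tooling from the talk): each spectrum sweep is scanned for bins well above the noise floor, a newly seen carrier is logged with its frequency and dB level, later sweeps record power changes, and a warning is raised when an unknown carrier sits within a guard band of the WSN frequency. The 345 MHz figure comes from the talk; the noise floor, guard band, enrolled-frequency set and the sweeps themselves are constructed.

```python
WSN_FREQ_MHZ = 345.0        # the sensor frequency quoted in the talk
KNOWN_FREQS_MHZ = {345.0}   # assumed: the facility's own enrolled sensors
GUARD_MHZ = 0.5             # assumed: warn when an unknown carrier is this close
NOISE_FLOOR_DB = -100.0     # assumed floor; a real monitor measures it from the receiver
SPIKE_MARGIN_DB = 20.0      # a bin this far above the floor counts as a transmitter

def find_spikes(sweep):
    """Return {MHz: dB} for bins standing well above the noise floor."""
    return {f: db for f, db in sweep if db > NOISE_FLOOR_DB + SPIKE_MARGIN_DB}

def update_log(log, sweep, t):
    """Fold one sweep into `log` (MHz -> {'first_seen', 'db'}) and return the
    events it produced: new carriers, warnings near the WSN, power changes."""
    events = []
    for f, db in find_spikes(sweep).items():
        entry = log.get(f)
        if entry is None:
            log[f] = {"first_seen": t, "db": db}
            events.append(("new_carrier", f, db))
            near = abs(f - WSN_FREQ_MHZ) <= GUARD_MHZ
            if near and f not in KNOWN_FREQS_MHZ:
                events.append(("warning_near_wsn", f, db))
        elif abs(db - entry["db"]) >= 6.0:      # roughly a doubling of power
            events.append(("power_change", f, db - entry["db"]))
            entry["db"] = db
    return events

# Constructed sweeps of (MHz, dB) bins, not real captures. Sweep 0 shows only the
# enrolled sensor at 345.0; in sweep 1 a strong unknown carrier appears 0.2 MHz
# away, and in sweep 2 it gets louder.
SWEEPS = [
    [(344.5, -99.0), (345.0, -60.0), (345.2, -98.0), (346.0, -99.0)],
    [(344.5, -99.0), (345.0, -60.0), (345.2, -40.0), (346.0, -99.0)],
    [(344.5, -99.0), (345.0, -60.0), (345.2, -25.0), (346.0, -99.0)],
]

def run_monitor(sweeps):
    """Run every sweep through the log; return (log, events) for long-term storage."""
    log, events = {}, []
    for t, sweep in enumerate(sweeps):
        events.extend(update_log(log, sweep, t))
    return log, events
```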
ATTRIBUTION OF ATTACK
FINGER POINTING
[Diagram: three receivers and a signal from an attacker, received at 70% and 40%]
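The VERIFY SIGNALS and ATTRIBUTION OF ATTACK slides both rest on the same idea: several receivers hear the same transmission at different strengths, and that strength profile depends on where the transmitter is. This added example (not from the talk) compares a frame's per-receiver strength, normalised so battery state does not matter, against the profile recorded when the sensor was installed, and gives a coarse position fix pointing toward the source. Receiver positions, the enrolled profile and the tolerance are constructed; the 70%/40% readings echo the diagram.

```python
# Receivers at known positions in metres inside the facility (constructed).
RECEIVERS = {"R1": (0.0, 0.0), "R2": (20.0, 0.0), "R3": (10.0, 15.0)}

# Enrolled profile for sensor "A1": relative strength each receiver saw during
# installation, as a percentage (constructed, modelled on the slide's 70%/40%).
ENROLLED = {"A1": {"R1": 70.0, "R2": 40.0, "R3": 55.0}}

def normalise(readings):
    """Scale so the strongest receiver reads 100%. Absolute power drifts with the
    battery; the ratio between receivers depends on where the transmitter is."""
    top = max(readings.values()) or 1.0
    return {r: 100.0 * v / top for r, v in readings.items()}

def estimate_position(readings):
    """Strength-weighted centroid of the receiver positions: a coarse fix that
    leans toward whichever receiver hears the transmitter loudest."""
    total = sum(readings.values())
    x = sum(RECEIVERS[r][0] * v for r, v in readings.items()) / total
    y = sum(RECEIVERS[r][1] * v for r, v in readings.items()) / total
    return (x, y)

def verify_signal(sensor_id, readings, tolerance=15.0):
    """Return (ok, worst_deviation_percent). A frame whose normalised profile
    departs from the enrolled one by more than `tolerance` at any receiver is
    not coming from where that sensor lives, however valid its ID and CRC."""
    expected = normalise(ENROLLED[sensor_id])
    observed = normalise(readings)
    worst = max(abs(observed[r] - expected[r]) for r in expected)
    return worst <= tolerance, worst

def attribute(sensor_id, readings):
    """Verify the frame; on failure also return the estimated source position."""
    ok, worst = verify_signal(sensor_id, readings)
    return ok, worst, (None if ok else estimate_position(readings))
```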
ATTACK RESPONSE
TALK TO ME GOOSE
[Diagram: three receivers and a signal from an attacker, marked with an x]
WHAT CAN WE START TODAY?
USING APPLIED TECHNOLOGY
System Integrators: need tools for verifying binaries and need to be able to hash a sensor and receiver.
Manufacturers: need to develop complex adaptive networks using the above methods.
Compliance: need to outline when a WSN can and can't be used on mission critical equipment based on real risk.
Customer: harden their understanding of WSNs and limit use on mission critical installations.
TRY IT FOR YOURSELF!
Download the VM from the link! Will be posted shortly!
Checklist:
• Buy a radio on Amazon
• Load the VM
• Click on FMstations.grc on the desktop
• Tune to your favorite radio station after executing the script
• Tell me about it on Twitter! @DanielCLance
42. Thanks for Watching
This Presentation
See You Next Time !!!