Wireless Sensor Networks: Nothing is Out of Reach

1. 11th Annual Security & Compliance Summit | Washington D.C. Prepared by : Daniel Lance Wireless Sensor Networks Nothing is out of reach ^

2. WSN Nothing is out of reach^ By: Daniel C Lance LARGE ARROW TO EMPHASIZE

3. WSN Nothing is out of reach^ By: Daniel C Lance OUR AGENDA KINDA 1 History/Design Conceptual implementation Pratical implementation 2 What is it? What are WSN’s as a whole. 4 Social Engineering Cognitive biases Pretexting Baiting 3 SDR Software Deﬁned Radio Software and hardware overview Hack Matrix 5 What can be done A ﬁx for all wireless systems. After years of installing wireless sensor networks in homes and businesses we are now faced with a question “How is this all secure? Or is it?”

4. ABOUT ME

5. WSN Nothing is out of reach^ By: Daniel C Lance HISTORY TACTICAL TO PRACTICAL 1949 Start Sound Surveillance System (SOSUS) developed by the United States Military 1978 Growth Distributed Sensor Network Work shop DSN’s birth place of the common WSN 1980 Innovation Distributed Sensor Network (DSN) DARPA formally explores the challenges in implementing distributed/wireless sensor networks.

6. WSN Nothing is out of reach^ By: Daniel C Lance 1993 Innovation UCLA Wireless Integrated Network Sensors 1999 Innovation University of California at Berkeley PicoRadio program 2000 Innovation Adaptive Multi-domain Power Aware Sensors program MIT 2001 Innovation NASA Sensor Webs

7. WSN Nothing is out of reach^ By: Daniel C Lance Today 2002 Alliance ZigBee Alliance 2002 Innovation Center for Embedded Network Sensing 2005 Alliance Zwave alliance

8. WSN Nothing is out of reach^ By: Daniel C Lance < < APPLICATION & DEBUT 1949-PRESENT DAY Military Scientiﬁc Industry Consumer Cost and energy needed to build a sensor Total market size Past Present day

9. WSN Nothing is out of reach^ By: Daniel C Lance

10. WSN Nothing is out of reach^ By: Daniel C Lance SO WHAT IS A WSN? Design in a nutshell • • • • Sender and Receiver (Node & Gatherer) (Node & Gatherer) Sensor component Analog and/or digital io Modulation Protocols OOK, FSK, ASK, ect.. Power management How can the device report longer

11. WSN Nothing is out of reach^ By: Daniel C Lance TOPOLOGY OF A NETWORK Sender and Receiver (Node & Gatherer) Sender Receiver One way Sender Receiver Bi directional Receiver MeshMesh MeshMesh Mesh Receiver Star StarStar Star Star

12. WSN Nothing is out of reach^ By: Daniel C Lance SENSORS A TON OF THEM Accelerometers Accessories Amplifiers Capacitive Touch Sensors, Proximity Sensor ICs Color Sensors Current Transducers Dust Sensors Encoders Flex Sensors Float, Level Sensors Flow Sensors Force Sensors Gas Sensors Gyroscopes Image Sensors, Camera Inclinometers IrDA Transceiver Modules LVDT Transducers (Linear Variable Differential Transformer) Magnetic Sensors - Compass, Magnetic Field (Modules) Magnetic Sensors - Hall Effect, Digital Switch, Linear, Compass (ICs) Magnetic Sensors - Position, Proximity, Speed (Modules) Magnets Moisture Sensors, Humidity Motion Sensors, Detectors Multifunction Optical Sensors - Ambient Light, IR, UV Sensors Optical Sensors - Distance Measuring Optical Sensors - Photo Detectors - CdS Cells Optical Sensors - Photo Detectors - Logic Output Optical Sensors - Photo Detectors - Remote Receiver Optical Sensors - Photodiodes Optical Sensors - Photoelectric, Industrial Optical Sensors - Photointerrupters - Slot Type - Logic Output Optical Sensors - Photointerrupters - Slot Type - Transistor Output Optical Sensors - Phototransistors Optical Sensors - Reflective - Analog Output Optical Sensors - Reflective - Logic Output Position Sensors - Angle, Linear Position Measuring Pressure Sensors, Transducers Proximity Sensors Proximity/Occupancy Sensors - Finished Units RTD (Resistance Temperature Detector) Shock Sensors Solar Cells Specialized Sensors Strain Gages Temperature Regulators Temperature Sensors, Transducers Temperature Switches Thermistors - NTC Thermistors - PTC Thermocouple, Temperature Probe Tilt Sensors Ultrasonic Receivers, Transmitters Vibration Sensors

13. WSN Nothing is out of reach^ By: Daniel C Lance Phase-shift keying (PSK) PSK uses a finite number of phases, each assigned a unique pattern of binary digits. Usually, each phase encodes an equal number of bits. Frequency-shift keying (FSK) Frequency modulation scheme in which digital information is transmitted through discrete frequency changes of a carrier wave. The simplest FSK is binary FSK (BFSK). BFSK uses a pair of discrete frequencies to transmit binary (0s and 1s) information. With this scheme, the "1" is called the mark frequency and the "0" is called the space frequency. The time domain of an FS K m o d u l a t e d c a r r i e r i s illustrated in the figures to the right. Amplitude-shift keying (ASK) A form of amplitude modulation that represents digital data as variations in the amplitude of a carrier wave. In an ASK system, t h e b i n a r y s y m b o l 1 i s represented by transmitting a fixed-amplitude carrier wave and fixed frequency for a bit duration of T seconds. If the signal value is 1 then the carrier signal will be transmitted; otherwise, a signal value of 0 will be transmitted. Quadrature amplitude modulation (QAM) Both an analog and a digital modulation scheme. It c o n v e y s t w o a n a l o g message signals, or two digital bit streams, by changing (modulating) the amplitudes of two carrier waves, using the amplitude- shift keying (ASK) digital modulation scheme or amplitude modulation (AM) analog modulation scheme. Continuous phase modulation (CPM) For modulation of data commonly used in wireless modems. In contrast to other coherent digital phase modulation techniques where the carrier phase abruptly resets to zero at the start of every symbol (e.g. M-PSK), with CPM the carrier phase is modulated in a continuous manner.

14. WSN Nothing is out of reach^ By: Daniel C Lance 100% 1 2 3 4 Battery powered Wake/speed modes Alarm vs. trouble vs. tamper (10tx 5tx 3tx) PM schedule POWER MANAGEMENT

15. WSN Nothing is out of reach^ By: Daniel C Lance SDR HERE TO STAY Started as a TV tuner Size of a stick of gum Supported on all OS’s O F W A RT E E I N EF D S D R A D I O $20.95 /w free shipping Software & Hardware

16. WSN Nothing is out of reach^ By: Daniel C Lance THE SOFTWARE OPENSOURCE Pentoo GNU Radio Companion GNU Radio Companion (GRC) is a graphical tool for creating signal flow graphs and generating flow-graph source code. Gqrx SDR Gqrx is a software defined radio receiver powered by the GNU Radio SDR framework and the Qt graphical toolkit. Pentoo The SDR distro of choice! Audacity® Cross-platform software for recording and editing sounds is great for figuring out protocols.

17. WSN Nothing is out of reach^ By: Daniel C Lance THE HARDWARE LOWCOST Dongle time HackRF One Great Scott Gadgets is a Software Deﬁned Radio peripheral capable of transmission or reception of radio signals from 10 MHz to 6 GHz. RTL2832U Elonics E4000 52 - 2200 MHz with a gap from 1100 MHz to 1250 MHz (varies) Ubertooth One 2.4 GHz wireless development platform suitable for Bluetooth experimentation. Commercial Bluetooth monitoring equipment can be found for over $10,000. Upgradeable Antenna Everything from RFID to Satellite

18. WSN Nothing is out of reach^ By: Daniel C Lance START SOME HACKING WHAT THE HECK DO WE KNOW Perimeter device MSP430F2132IRHB Data sheet is public We know it’s OOK FCC listed THE DEVICE

19. WSN Nothing is out of reach^ By: Daniel C Lance THE TYPICAL REPLAY ATTACK GQRX and Audacity Start by finding the device, then sample the audio, then define the audio files. We know It is at 345mhz We know we have the correct device because of the on-off times We can now do replay attacks at will We can try our hand at jamming

20. WSN Nothing is out of reach^ By: Daniel C Lance THE TYPICAL REPLAY ATTACK HOW DO WE SEND THE FILE? RTL2832U Has failed RTL2832U isn’t a good send device We know we have a good attack, we have the data

21. WSN Nothing is out of reach^ By: Daniel C Lance GLASS STAGE ON THE CHEAP SIDE Half Full Tap the audio output from you’re sound card to the Carrier Signal and send the ﬁle Find the Carrier Signal

22. WSN Nothing is out of reach^ By: Daniel C Lance SPEND A LITTLE CASH HACK RF TO THE RESCUE Without the device Start by finding the device, then sample the audio, then define the audio files, then repeat. We can replay attack with little programing We can RF jam with little effort We can RF jam intermittently to make the receiver think it is over hearing.

23. WSN Nothing is out of reach^ By: Daniel C Lance GOING A STEP FURTHER BINARY Why we don’t care about the little bits We only know what we are told Good for baiting Its faster just to make-stuﬀ-up 10101010101010 xxxxxx IDPreamble xx Net xxxxxx Payload 16 CRC

24. WSN Nothing is out of reach^ By: Daniel C Lance WHAT IS AT RISK TODAY? Sender and Receiver (Node & Gatherer) Sender Receiver One way Sender Receiver Bi directional Receiver MeshMesh MeshMesh Mesh Receiver Star StarStar Star Star

25. WSN Nothing is out of reach^ By: Daniel C Lance Extract the ﬁrmware via bus and capture the key of the WSN Session Keys | Fixed Encryption RECEIVERS ARE THE DOWN FALL Hack Matrix Layer Capture the device in the-last-mile before installation Session Keys | No-Pass Key Encryption Attack the programing device Session Keys | Dynamic Encryption Jam and emulate Mesh Jam and emulate Star Jam and emulate Bi directional Jam and emulate One way

26. WSN Nothing is out of reach^ By: Daniel C Lance WHAT THE HECK DOES THIS MEAN? WRITE YOUR RELEVANT TEXT HERE Wireless sensors can be: • Taken hostage • Emulated • Jammed Receivers can be: • Jammed even with jam detection • Used against the facility staﬀ

27. WSN Nothing is out of reach^ By: Daniel C Lance Baiting Getting one or more people to act Cognitive biases All of our own personal experience plays a huge part SOCIAL ENGINEERING WORKING FOR YOU 24 HOURS A DAY Pretexting eﬀecting a whole group

28. WSN Nothing is out of reach^ By: Daniel C Lance < < COGNITIVE BIASES THE INDIVIDUAL Military Scientiﬁc Industry Consumer Cost and energy needed to build a sensor Total market size Past Present day

29. WSN Nothing is out of reach^ By: Daniel C Lance PRETEXTING ALL TOGETHER NOW ` Receiver ` Malicious MiniVan

30. WSN Nothing is out of reach^ By: Daniel C Lance BAITING Always a bigger fish Case tampers Speeding up fault conditions Low battery signaling 5 π

31. WSN Nothing is out of reach^ By: Daniel C Lance BRING IT ALL TOGETHER

32. WSN Nothing is out of reach^ By: Daniel C Lance “EVERYTHING WE HEAR IS AN OPINION, NOT A FACT. EVERYTHING WE SEE IS A PERSPECTIVE, NOT THE TRUTH.” -MARCUS AURELIUS

33. WSN Nothing is out of reach^ By: Daniel C Lance

34. WSN Nothing is out of reach^ By: Daniel C Lance q THE SOLUTION WHAT DO WE REALLY NEED? Verify Signals Acquisition of data Attack Response Attribution of Attack

35. WSN Nothing is out of reach^ By: Daniel C Lance VERIFY SIGNALS TRIANGULATION OF SIGNALS Receiver ReceiverReceiver Signal from wireless sensor ` ` `^ 70 %40 %

36. WSN Nothing is out of reach^ By: Daniel C Lance ACQUISITION OF DATA TRACK RADIO ACTIVITY When a radio starts spectrum analysis A so called “Spike happens” New DC Spike Wait and see what happens Log the Rfeq Log the DB level of the radio at its Rfeq Track changes in power Warn if the center Rfeq comes close the the WSN Warning This radio log can then be shared if an attack happens Long term storage

37. WSN Nothing is out of reach^ By: Daniel C Lance ATTRIBUTION OF ATTACK FINGER POINTING Receiver ReceiverReceiver Signal from Attacker ` ` `` 70 %40 %

38. WSN Nothing is out of reach^ By: Daniel C Lance ATTACK RESPONSE TALK TO ME GOOSE Receiver ReceiverReceiver Signal from Attacker ` ` ``x

39. WSN Nothing is out of reach^ By: Daniel C Lance WHAT CAN WE START TODAY? USING APPLIED TECHNOLOGY Need tools for verifying binary’s and need to be able to hash a sensor and receiver System Integrators Need to develop complex adaptive networks using the above methods Manufacturers Need to outline when a WSN can and can’t be used on mission critical equipment based on real risk. Compliance Harden there understanding of WSN’s and limit use on mission critical installations. Customer (

40. WSN Nothing is out of reach^ By: Daniel C Lance One more thing…

41. WSN Nothing is out of reach^ By: Daniel C Lance ` ` TRY IT FOR YOURSELF! Download the Vm from the link! Will be posted shortly! Check list! Buy a radio on amazon! Load the VM Click on FMstations.grc on the desktop Tune to your favorite radio station after executing the script Tell me about it on twitter! @DanielCLance ^

42. Thanks for Watching This Presentation See You Next Time !!! http://hyperphysics.phy-astr.gsu.edu/hbase/sound/interf.html#c4 https://upload.wikimedia.org/wikipedia/commons/8/8d/Illustration_of_Amplitude_Modulation.png http://www.silabs.com/Support%20Documents/TechnicalDocs/evolution-of-wireless-sensor-networks.pdf https://funoverip.net/2014/11/reverse-engineer-a-verisure-wireless-alarm-part-1-radio-communications/

Wireless Sensor Networks: Nothing is Out of Reach

Esté a ler uma amostra.

Confira estes a seguir

Wireless Sensor Networks: Nothing is Out of Reach

Mais Conteúdo rRelacionado

Diapositivos para si (12)

Semelhante a Wireless Sensor Networks: Nothing is Out of Reach (20)

Mais de EnergySec (20)

Mais recentes (20)

Wireless Sensor Networks: Nothing is Out of Reach