Weaponizing Wireless Networks: An Attack Tool for Launching Attacks Against Sensor Networks (Thanassis Giannetsos)
Abstract (source: Blackhat.com)
The pervasive interconnection of autonomous sensor devices has given birth to a broad class of exciting new applications. At the same time, however, the unattended nature and the limited resources of sensor nodes have created an equal number of vulnerabilities that attackers can exploit in order to gain access in the network and the information transferred within. While much work has been done on trying to defend these networks, little has been done on suggesting sophisticated tools for proving how vulnerable sensor networks are. This work demonstrates a tool that allows both passive monitoring of transactional data in sensor networks, such as message rate, mote frequency, message routing, etc., but also discharge of various attacks against them. To the best of our knowledge, this is the first instance of an attack tool that can be used by an adversary to penetrate the confidentiality and functionality of a sensor network. Results show that our tool can be flexibly applied to different sensor network operating systems and protocol stacks giving an adversary privileges to which she is not entitled to. We hope that our tool will be used proactively, to study the weaknesses of new security protocols, and, hopefully, to enhance the level of security provided by these solutions even further.
Talk Abstract –> Weaponizing Wireless Networks: An Attack Tool for Launching Attacks Against Sensor Networks
Speaker Bio –> Thanassis Giannetsos
Set of sensor nodes deployed in large areas of interest
- Self-Configuration, adaptability and node cooperation
- Multi-hop and many-to-one communication
Sensor networks are deployed in thousands of areas used for a range of different purposes including:
- Smart Grid
Why sensor nets ?
- Exposed to physical attacks
- No prior knowledge of topology
- Physical attacks
- Exploiting memory related vulnerabilities
Several layers of protection, including implementation of IDS techniques to detect attacks.
Supported Wireless Attacks
- Confidentiality attacks:
- Intercept private info sent over the wireless medium
- Eavesdropping, Data Replay, Selective Forwarding
- Integrity attacks:
- Send forged data frames
- Program Image Dissemination, Data Injection, Malicious Code Injection
- Availability attacks:
- Impede delivery of wireless messages
- Sinkhole, HELLO Flood attack
SENSYS Attack TOOL
- Network Sniffer – For passive monitoring and logging of radio packets
- Network Attack Tool – Provides functionalities for compromising a sensor network’s security profile
- Network Visualization – Displays overheard neighborhood topology, network traffic, node states and status of any performed attack
Gathers audit data to be forwarded over the serial port. Listens in promiscuous mode to discover neighboring nodes.
Can decode overheard messages.
Network Attack Tool
Core component of the tool. Contains a number of attacks.
Data Stream Framework
- Configured by network information (hardware platform, underlying routing protocol, message rate)
- Upon request constructs and transmits specially crafted packets
- Totally controlled by the user
- Depending on the kind of attack provides DSF with suitable requests
- Data Replay Attack
- Transparent data access and alteration (replay original/modified)
- Sinkhole Attack
- Draw traffic to your system by making your system appear attractive to other nodes (routing metrics)
- Routing Layer Module
- Attack routing calculations (RCM) of routing protocols (MintRoute/MultihopLQI)
- The attack tool calculates the correct values for such an attack
- Selective Forwarding
- Refuse to forward specific traffic (Denial of Service)
- Nodes may move to a new parent if you fail to forward packets
- Program Image Dissemination
- Code updates
- Over the Air Programming (OAP) – Deluge Protocol
- Pinging (request information from a node)
If it’s possible to become a parent of another node using the Sinkhole attack, the child will send the encryption key to ensure the parent can route the traffic correctly.
When performing sinkhole attacks it is important to avoid routing loops. If another node detects a loop, it will move to another parent in an attempt to correct the issue.
Malicious Code Injection:
Possibly take advantage of memory related vulnerabilities, such as buffer or stack overflows. Send crafted packets and execute malicious code on the node.
Malware within sensor networks is rare, and not often looked for. Simple malware could go unnoticed. Possibility to create a self propagating worm.
By infecting a single node, it is possible to compromise an entire sensor network.
PoC targeting devices following the Von Neumann architecture. Malware stored in the heap as it remains empty for the lifetime of the device.
- Understand the memory map of the sensor device
- Transmission of a series of mal-packets containing the code to be copied onto the heap
- Send a specially crafted packet for setting the PC to the starting memory address of the malware
Network Data Injection
- Construction and injection of fake messages
- High powered transmission
- HELLO Flood Attack
- Insert Ghost nodes
- Create the illusion of being a neighbor
Goals of SENSYS Attack Tool:
- Reveal vulnerabilities of sensor networks
- Study the effects of severe attacks
- Motivate a better design of security protocols and put them to
- the test against adversaries
Tool will be released open-source within the next few weeks
For more information please see the Blackhat Europe website