making and breaking an 802 15 4 wireless ids
play

MAKING (AND BREAKING) AN 802.15.4 WIRELESS IDS RYAN SPEERS, JAVIER - PowerPoint PPT Presentation

Sep 25, 2022 •333 likes •1.01k views

MAKING (AND BREAKING) AN 802.15.4 WIRELESS IDS RYAN SPEERS, JAVIER VAZQUEZ - RIVER LOOP SECURITY LLC. SERGEY BRATUS - DARTMOUTH COLLEGE Tuesday, March 18, 14 why care about 802.15.4 and ZigBee? interface with the physical environment

  1. MAKING (AND BREAKING) AN 802.15.4 WIRELESS IDS RYAN SPEERS, JAVIER VAZQUEZ - RIVER LOOP SECURITY LLC. SERGEY BRATUS - DARTMOUTH COLLEGE Tuesday, March 18, 14

  2. why care about 802.15.4 and ZigBee? interface with the physical environment communications technology gaining adoption across markets http://www.zigbee.org/Standards/Overview.aspx Tuesday, March 18, 14

  3. why care about 802.15.4 and ZigBee? ATTACK interface with the physical environment SURFACES communications technology gaining adoption across markets http://www.zigbee.org/Standards/Overview.aspx Tuesday, March 18, 14

  4. Wright’s Principle “Security won’t get better until tools for practical exploration of the attack surface are made available” --Joshua Wright, 2011 Tuesday, March 18, 14

  5. 802.15.4 frame (PHY+LNK) Length 00 00 00 00 a7 0f 01 08 82 ff ff ff ff ... Preamble Sync Body Tuesday, March 18, 14

  6. how a frame is received [t]6679 6427 3 7582 4 6632 0 5 2.4 GHz (or 868/915/etc MHz) uC SPI bus (or similar) Tuesday, March 18, 14

  7. it gets messy… Tuesday, March 18, 14

  8. it gets messy… Tuesday, March 18, 14

  9. it gets messy… Tuesday, March 18, 14

  10. All layers together “self-configuring, self-healing system of redundant, low-cost, very low-power nodes” (zigbee.org) daintree.net topologies device classes security suites Tuesday, March 18, 14

  11. All layers together “self-configuring, self-healing system of redundant, low-cost, very low-power nodes” (zigbee.org) daintree.net topologies device classes security suites Tuesday, March 18, 14

  12. past work Joshua Wright - original KillerBee framework Travis Goodspeed - local key extraction, PIP , fingerprinting Ricky Melgares / Ryan - KillerBee 2.x framework, PIP , fingerprinting support for more devices geotagging, multiple channel capture Scapy packet construction / parsing Sergey, bx Shapiro, David Dowd, Ray Jenkins - fingerprinting Ben Ramsey, et al - survey of real world network traffic Kevin Finistere - war walking rig and more Tuesday, March 18, 14

  13. YOU NEED TO BE ABLE TO SNIFF BEFORE YOU CAN MONITOR FOR ATTACKS Tuesday, March 18, 14

  14. the state of hardware: existing hardware Atmel RZUSBTICK Zena Packet Analyzer Freakduino Chibi SDRs: USRP/etc Sewio Open Sniffer Tmote Sky/TelosB Tuesday, March 18, 14

  15. the state of hardware: existing hardware Atmel RZUSBTICK Zena Packet Analyzer Freakduino Chibi SDRs: USRP/etc Sewio Open Sniffer Tmote Sky/TelosB Tuesday, March 18, 14

  16. ok, what’s new? hardware: ApiMote v4 beta PCB CC2420 Radio Antenna IEEE 802.15.4 Compliant external antenna 2.4 GHz SMA Coax CC2420 radio GoodFET SPI Compatible UART SPI Header Flash SPI USB programming (Optional) TI MSP430 Microcontroller onboard storage ADC USB 2.0 Expansion GPIO USB To UART Header UART Functionality GPIO INT RST expansion/additional Battery Voltage Power Reset User headers Header Regulation Switch Switch Switch support for battery or USB power Tuesday, March 18, 14

  17. APIMOTE V4 BETA PCB FRONT Tuesday, March 18, 14

  18. NOW WE CAN SNIFF, LET’S DETECT SOME ATTACKS! Tuesday, March 18, 14

  19. [t]1383-9513-3032-4837-9938 KILLERBEEWIDS ARCHITECTURE OVERVIEW OF THE SYSTEM Tuesday, March 18, 14

  20. Full PCAP Filtered PCAP Extracted Attributes KILLERBEEWIDS ARCHITECTURE OVERVIEW OF DRONE (REMOTE) COMPONENT Tuesday, March 18, 14

  21. drone demo Tuesday, March 18, 14

  22. drone demo Tuesday, March 18, 14

  23. intro/review of attacks sniffing exhaustion injection (and “packet- unfairness in-packet”) greed, homing, tampering (“forging”) misdirection, black holes jamming flooding, collision (“reflexive desynchronization jamming”) Tuesday, March 18, 14

  24. denial of service with AES-CTR security mode 802.15.4 AES-CTR: simple ACL entry encryption sequential freshness issue: doesn’t know if decrypted payload makes sense updates frame counter / Silva, Nunes 2006 external key sequence counter every time Tuesday, March 18, 14

  25. it allows a one-frame DoS we’ve previously presented zbForge to easily exploit this condition: today, let’s try defending against it! Tuesday, March 18, 14

  26. KILLERBEEWIDS ARCHITECTURE OVERVIEW OF ZBWIDS (CONTROLLER) COMPONENT Tuesday, March 18, 14

  27. startup on the drone (or multiple) zbdrone -run on the wids controller zbwids -run zbwids -monitoralerts Tuesday, March 18, 14

  28. analytic module demo Tuesday, March 18, 14

  29. analytic module demo Tuesday, March 18, 14

  30. network reconnaissance with beacon requests legitimately used for network discovery broadcast a beacon request get a beacon frame analogous to a TCP SYN scan but, beacon frame also discloses: PANID extended PAN ID (typically coordinator’s extended address) info about version of network and security modes Daintree ZigBee Primer: “ Note that MAC association is an unsecured protocol since all the associated frames are sent in the clear (with no security) .” Tuesday, March 18, 14

  31. it’s easy to perform manual >> b = Dot15d4()/Dot15d4Cmd() >> b.cmd_id = “BeaconReq” >> b.seqnum = 150 >> kb = KillerBee() >> kb.inject(str(b)) automated $ zbstumbler Tuesday, March 18, 14

  32. analytic module Tuesday, March 18, 14

  33. analytic module Tuesday, March 18, 14

  34. analytic module Tuesday, March 18, 14

  35. analytic module Tuesday, March 18, 14

  36. analytic module Tuesday, March 18, 14

  37. magic Tuesday, March 18, 14

  38. magic Tuesday, March 18, 14

  39. disassociation frames 802.15.4 (MAC) and ZigBee can attack: (NWK) each have ways to using a targeted frame request a device to leave the based on recon network or by flooding the network with attempts IEEE 802.15.4 Command, Dst: NetvoxTe_00:00:00:18:5b, Src: Jennic_00:00:0a:05:27 Frame Control Field: Command (0xcc63) .... .... .... .011 = Frame Type: Command (0x0003) .... .... .... 0... = Security Enabled: False .... .... ...0 .... = Frame Pending: False .... .... ..1. .... = Acknowledge Request: True .... .... .1.. .... = Intra-PAN: True .... 11.. .... .... = Destination Addressing Mode: Long/64-bit (0x0003) ..00 .... .... .... = Frame Version: 0 11.. .... .... .... = Source Addressing Mode: Long/64-bit (0x0003) Sequence Number: 13 Destination PAN: 0xd9c6 Destination: NetvoxTe_00:00:00:18:5b (00:13:7a:00:00:00:18:5b) Extended Source: Jennic_00:00:0a:05:27 (00:15:8d:00:00:0a:05:27) Command Identifier: Disassociation Notification (0x03) Disassociation Notification Disassociation Reason: 0x01 (Coordinator requests device to leave) FCS: 0xd94b (Correct) 0000 63 cc 0d c6 d9 5b 18 00 00 00 7a 13 00 27 05 0a c....[....z..'.. 0010 00 00 8d 15 00 03 01 4b d9 .......K. Tuesday, March 18, 14

  40. attack simulation: zbdisassocation flood we made a script to produce demo frames: $ sudo ./zbdisassociationflood -c 15 -p 0xD9C6 --coordinator 00:15:8d:00:00:0a: 05:27 --deviceshort 0x44a7 --device 00:13:7a:00:00:00:18:5b --numloops=5 -q 10 --zblayer Expecting 0x158d00000a0527 to be the coordinator on network (PAN ID) 0xd9c6, located on channel 15. The device to disassociate is 0x137a000000185b with short address 0x44a7. -c is the channel -p is the PAN ID (get from zbstumbler or any PCAP) --coordinator is the 64bit address of the coordinator (get from PCAP of a join or from zbstumbler as the "extended PAN ID" if you get a beacon directly from a coordinator) --deviceshort is the short address of the endpoint, only used for —zblayer (can come from any PCAP of the device communicating) --device is the long address of the endpoint (usually get this from PCAP of the device joining the network) --zblayer, creates ZigBee NWK layer disassociation frames. else, IEEE 802.15.4 MAC layer frames are sent. Tuesday, March 18, 14

  41. analytic module Tuesday, March 18, 14

  42. analytic module Tuesday, March 18, 14

  43. analytic module Tuesday, March 18, 14

  44. analytic module Tuesday, March 18, 14

  45. magic Tuesday, March 18, 14

  46. magic Tuesday, March 18, 14

  47. SO, DETECTING IS GOOD, BUT CAN WE EVADE IT? Tuesday, March 18, 14

  48. diving into the PHY layer Tuesday, March 18, 14

  49. how a frame is received [t]6679 6427 3 7582 4 6632 0 5 2.4 GHz (or 868/915/etc MHz) uC SPI bus (or similar) Tuesday, March 18, 14

  50. Packet-in-packet 00 00 00 00 a7 0f 01 08 82 ff ff ff ff ... Preamble Sync Body 00 00 00 00 a7 .. 00 00 00 00 a7 0f 01 ... Preamble Sync Body What if this gets damaged by noise? What if we purposefully modify this? Tuesday, March 18, 14

  51. Packet-in-packet in Hex Outer Hex Inner Preamble 00 00 00 00 Sync a7 Body 19 01 08 82 ca fe ba be Preamble 00 00 00 00 Sync a7 0a 01 08 82 ff ff ff ff c9 d1 Body 15 e8 Tuesday, March 18, 14

  52. Game plan Modify the sync in the “outer” packet so that we can send arbitrary symbols (including preambles, SFDs, “inner” PIP packets, “packet-out-of-packet”, etc.) Use our Isotope 802.15.4 active fingerprinting to find out what corruptions work. http://www.cs.dartmouth.edu/reports/abstracts/TR2014-746/ Profit: capability to send packets that some radios see, and others don’t! ( Separate from signal strength, range, etc.) Tuesday, March 18, 14

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security in Pervasive Wireless Security in Pervasive Wireless Systems Systems Wade Trappe

Security in Pervasive Wireless Security in Pervasive Wireless Systems Systems Wade Trappe

Security in Pervasive Wireless Security in Pervasive Wireless Systems Systems Wade Trappe Breaking Down the Issues (summary) Breaking Down the Issues (summary) Wireless is easy to sniff. We still need encryption services and key management.

533 views • 13 slides
Making the Most of Wi-Fi Op3misa3ons for Robust Wireless

Making the Most of Wi-Fi Op3misa3ons for Robust Wireless

Making the Most of Wi-Fi Op3misa3ons for Robust Wireless Live Music Performance Thomas Mitchell University of the West of England, Bristol, UK

383 views • 21 slides
Tie-breaking approaches for collective decision making . r c Gabriella Pigozzi i \ \ : p

Tie-breaking approaches for collective decision making . r c Gabriella Pigozzi i \ \ : p

Workshop and Meeting of the COST Action ICO602 Universit Paris Dauphine 28, 29, 30 and 31 October 2008 Tie-breaking approaches for collective decision making . r c Gabriella Pigozzi i \ \ : p Marija Slavkovik t t h Leon van der

839 views • 80 slides
Making a Splash; Breaking a Neck: The Development of Complexity in Physical Systems Leo P.

Making a Splash; Breaking a Neck: The Development of Complexity in Physical Systems Leo P.

Making a Splash; Breaking a Neck: The Development of Complexity in Physical Systems Leo P. Kadanoff University of Chicago e-mail: LeoP@UChicago.edu Edgarton picture Toronto Talks--On Complexity page 1 10/24/05 summary of talk: The

530 views • 29 slides
Unlocking the Value in Applications Agenda Environment is Right for Industrial Wireless

Unlocking the Value in Applications Agenda Environment is Right for Industrial Wireless

Honeywell is Making Industrial Wireless Real Unlocking the Value in Applications Agenda Environment is Right for Industrial Wireless Exciting Opportunities/Benefits from Wireless Choosing a Wireless Solution Why Honeywell?

851 views • 38 slides
Unlocking the Value in Applications Agenda Environment is Right for Industrial Wireless

Unlocking the Value in Applications Agenda Environment is Right for Industrial Wireless

Honeywell is Making Industrial Wireless Real Unlocking the Value in Applications Agenda Environment is Right for Industrial Wireless Exciting Opportunities/Benefits from Wireless Choosing a Wireless Solution Why Honeywell?

763 views • 35 slides
S7750 - THE MAKING OF DGX SATURNV: BREAKING THE BARRIERS TO AI SCALE Presenter: Louis Capps,

S7750 - THE MAKING OF DGX SATURNV: BREAKING THE BARRIERS TO AI SCALE Presenter: Louis Capps,

S7750 - THE MAKING OF DGX SATURNV: BREAKING THE BARRIERS TO AI SCALE Presenter: Louis Capps, Solution Architect, NVIDIA, lcapps@nvidia.com A TALE OF ENLIGHTENMENT Basic OK 1 FPS List 10 for x = 1 to 3 20 print x 30 next x Run 1 1 2 2

743 views • 24 slides
Breaking out of the box Understanding rela5onships between learning and assessment Breaking

Breaking out of the box Understanding rela5onships between learning and assessment Breaking

Dr Nick Saville Breaking out of the box Understanding rela5onships between learning and assessment Breaking out of the box - a metaphor for thinking about rela5onships and interpreta5ons breaking out breaking out of the box of the

895 views • 68 slides
Breaking the hierarchy How Spotify enables engineer decision making Kristian Lindwall, Spotify

Breaking the hierarchy How Spotify enables engineer decision making Kristian Lindwall, Spotify

Breaking the hierarchy How Spotify enables engineer decision making Kristian Lindwall, Spotify Introduction 3 Section name Our employees are our most valued resource So where does it go wrong? 6 Section name Lets do this! 7

571 views • 44 slides
Coexistence Decision Making for Spectrum Sharing among Heterogeneous Wireless Systems Authors: B.

Coexistence Decision Making for Spectrum Sharing among Heterogeneous Wireless Systems Authors: B.

INFONET, GIST Journal Club Coexistence Decision Making for Spectrum Sharing among Heterogeneous Wireless Systems Authors: B. Bahrak, and J.M.J. Park Publication: IEEE Trans. on W.Com., Mar. 2014 Speaker: Asif Raza Short summary: In this paper

402 views • 9 slides
Wireless and Mobile Networks Wireless and 802.11 LANs wireless links: shared, fading,

Wireless and Mobile Networks Wireless and 802.11 LANs wireless links: shared, fading,

Wireless and Mobile Networks Wireless and 802.11 LANs wireless links: shared, fading, interference, hidden terminal problem IEEE 802.11 ( wi-fi ) CSMA/CA reflects wireless channel characteristics DIFS, SIFS,

1.43k views • 83 slides
Wireless Usage Measurement: Research Needs and Support for National Policy and Rule Making Dr.

Wireless Usage Measurement: Research Needs and Support for National Policy and Rule Making Dr.

Wireless Usage Measurement: Research Needs and Support for National Policy and Rule Making Dr. Rangam Subramanian, MBA Office of Spectrum Management Chief Technology and Spectrum Policy Strategist National Telecommunication Information

601 views • 8 slides
1 Wireless standards Path Loss Phenomena Wireless standards Path Loss Phenomena Open

1 Wireless standards Path Loss Phenomena Wireless standards Path Loss Phenomena Open

Outline Outline What is wireless? Overview Wireless parameters Cellular architecture Wireless Networks Wireless Networks Media multiple access Wireless LAN 802.11 MANET Mobile Ad-hoc NETworks Amnon Jonas

525 views • 13 slides
BREAKING INTO SOFTWARE DEFINED RADIO Presented by Kelly Albrink WHOAMI Kelly Albrink

BREAKING INTO SOFTWARE DEFINED RADIO Presented by Kelly Albrink WHOAMI Kelly Albrink

BREAKING INTO SOFTWARE DEFINED RADIO Presented by Kelly Albrink WHOAMI Kelly Albrink Pentester at Bishop Fox Specialize in network, wireless, and hardware security Member of Noisebridge Hackerspace in San Francisco Loves 3D

659 views • 40 slides
Aspects of Networking in Introduction Multiplayer Computer Games Internet + wireless making

Aspects of Networking in Introduction Multiplayer Computer Games Internet + wireless making

Aspects of Networking in Introduction Multiplayer Computer Games Internet + wireless making multiplayer computer games (MCGs) more popular Commercial computer games increasingly J. Smed, T. Kaukoranta and H. Hakonen having mutiplayer

191 views • 6 slides
Wireless networks 1 Overview Wireless networks basics IEEE 802.11 (Wi-Fi) a/b/g/n ad

Wireless networks 1 Overview Wireless networks basics IEEE 802.11 (Wi-Fi) a/b/g/n ad

Wireless networks 1 Overview Wireless networks basics IEEE 802.11 (Wi-Fi) a/b/g/n ad Hoc MAC protocols ad Hoc routing DSR AODV 2 Wireless Networks Autonomous systems of mobile hosts connected by wireless links Nodes are

1.3k views • 102 slides
NEST Kali Linux Tutorial: Maltego Maltego is an open source intelligence and forensics

NEST Kali Linux Tutorial: Maltego Maltego is an open source intelligence and forensics

NEST Kali Linux Tutorial: Maltego Maltego is an open source intelligence and forensics application. It will offer you timeous mining and gathering of information as well as the representation of this information in an easy to understand

477 views • 23 slides
Anno Accademico 2007-2008 Laboratorio di Tecnologie Web Sviluppo di applicazioni web HTML, CSS e

Anno Accademico 2007-2008 Laboratorio di Tecnologie Web Sviluppo di applicazioni web HTML, CSS e

Universita degli Studi di Bologna Facolta di Ingegneria Anno Accademico 2007-2008 Laboratorio di Tecnologie Web Sviluppo di applicazioni web HTML, CSS e Javascript http://www-lia.deis.unibo.it/Courses/TecnologieWeb0708/ |Tecnologie Web

363 views • 17 slides
Is it safe to run applications in Linux Containers? Jrme Petazzoni @jpetazzo Docker Inc.

Is it safe to run applications in Linux Containers? Jrme Petazzoni @jpetazzo Docker Inc.

Is it safe to run applications in Linux Containers? Jrme Petazzoni @jpetazzo Docker Inc. @docker Is it safe to run applications in Linux Containers? And, can Docker do anything about it? Question: Is it safe to run applications in

803 views • 59 slides
Hiding @ Depth: Exploring & Subverting NAND Flash memory Josh m0nk Thomas (A DARPA CFT

Hiding @ Depth: Exploring & Subverting NAND Flash memory Josh m0nk Thomas (A DARPA CFT

Hiding @ Depth: Exploring & Subverting NAND Flash memory Josh m0nk Thomas (A DARPA CFT Project by MonkWorks, LLC) RIP 4.1.13 - Long Live CFT Thx Mudge Saturday, June 22, 13 My Path, And You Can Too! Saturday, June 22, 13 My Path,

379 views • 16 slides
Key Management CS461/ECE422 Fall 2009 1 Reading Handbook of Applied Cryptography

Key Management CS461/ECE422 Fall 2009 1 Reading Handbook of Applied Cryptography

Key Management CS461/ECE422 Fall 2009 1 Reading Handbook of Applied Cryptography http://www.cacr.math.uwaterloo.ca/hac/ Section 11.3.2 attack on RSA signature Section 13.8.3 Key Escrow Chapter 10 in Computer Security: Art

985 views • 83 slides
Lecture 8 - Applied Cryptography CSE497b - Spring 2007 Introduction Computer and Network Security

Lecture 8 - Applied Cryptography CSE497b - Spring 2007 Introduction Computer and Network Security

Lecture 8 - Applied Cryptography CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/ CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger

596 views • 18 slides
DomainKeys Identified Mail Overview (-01) Eric Allman Sendmail, Inc. Overview of DKIM

DomainKeys Identified Mail Overview (-01) Eric Allman Sendmail, Inc. Overview of DKIM

DomainKeys Identified Mail Overview (-01) Eric Allman Sendmail, Inc. Overview of DKIM Cryptography-based protocol, signs selected header fields and message body Intended to: Enable reliable domain name based reputation lookups

432 views • 15 slides
Dynamic Threshold Public-Key Encryption C ecile Delerabl ee David Pointcheval Ecole

Dynamic Threshold Public-Key Encryption C ecile Delerabl ee David Pointcheval Ecole

Dynamic Threshold Public-Key Encryption C ecile Delerabl ee David Pointcheval Ecole normale sup Orange Labs erieure CRYPTO 2008 August 20th, 2008 Formal Model Our Construction Conclusion Threshold Cryptography When one cannot

286 views • 11 slides

More recommend