weaponizing wireless networks
play

Weaponizing Wireless Networks: An Attack Tool for Launching Attacks - PowerPoint PPT Presentation

Apr 19, 2023 •226 likes •700 views

Weaponizing Wireless Networks: An Attack Tool for Launching Attacks against Sensor Networks Thanassis Giannetsos and Tassos Dimitriou Athens Information Technology Algorithms & Security (agia@ait.edu.gr) Black Hat Spain, 2010 Barcelona

  1. Weaponizing Wireless Networks: An Attack Tool for Launching Attacks against Sensor Networks Thanassis Giannetsos and Tassos Dimitriou Athens Information Technology Algorithms & Security (agia@ait.edu.gr) Black Hat Spain, 2010 Barcelona 1

  2. Outline Wireless Sensor Networks Security Challenges Network Confidentiality Threats and Wireless Attacks Setup of deployed toy network An Attack Tool Passive monitoring of transactional data Discharge of various attacks Application to different sensor network operating systems 2

  3. Brief Overview: Wireless Sensors Mote Cricket Using Smart Tmote Sky (Berkeley) (MIT) Antennas (AIT) Radio + MCU = NES Ultra low power Mesh Networking Tmote Sky Only chosen for a concrete example 3

  4. Brief Overview: Sensor Networks Set of sensor nodes deployed in large areas of interest Self-Configuration, adaptability and node cooperation Multi-hop and many-to-one communication Applications Smart Grid Military Wildlife Monitoring 4

  5. Brief Overview: Why Sensor Nets Unique characteristics Coverage: Distance/area covered, number of events, number of active queries Survivability: Robust against node/link failures Ubiquity: Quick/flexible deployment, ubiquitous access, info timeliness Particularly suited for detecting, classifying, tracking Non-local spatio-temporal events/objects Low-observable events Distributed information aggregation & validation 5

  6. Part 1: - Security Challenges - Network Confidentiality Threats exploited by our Tool - Supported Wireless Attacks 6

  7. Security Challenges Wireless medium: Eavesdropping, Interception, Alteration, Replay or Injection of malicious packets Unattended Operation: Exposed to physical attacks. Easily compromised Random Topology: No prior knowledge of topology Hard to protect against insider attacks: Physical Attacks Exploiting memory related vulnerabilities 7

  8. Disclaimers Attacks – DOS, JAM, Replay, Sybil, …. Secure Aggregation Secure Localization Several defense mechanisms have been proposed against Other security issues: Privacy, Authentication specific attacks Secure Routing Intrusion Detection , … Security holes always exist Intrusion Detection protocols Key-Management implementation Access Control Crypto-algorithms Cryptanalysis Identifying risks posed by availability of transactional data is EXTREMELY VITAL 8

  9. Network Confidentiality Threats Have implement a Sniffer: Overhear network traffic Process transmitted packets (traffic analysis) Extract info about a network’s nodes and usage Sniffer can be used to compromise network confidentiality Carrier frequency Identify network’s sensor hardware platform Message rate and size Kind of application, frequency of monitored events and distance estimation to the sensed event Routing Information Routing Protocol, Topology graph and Message Stream Trace 9

  10. Supported Wireless Attacks Confidentiality attacks: Intercept private info sent over the wireless medium Eavesdropping, Data Replay, Selective Forwarding Integrity attacks: Send forged data frames Program Image Dissemination, Data Injection, Malicious Code Injection Availability attacks: Impede delivery of wireless messages Sinkhole, HELLO Flood attack 10

  11. Part 2: Setup of SENSYS Attack TOOL Demo 11

  12. Sensor Platform used TI MSP 430 (16 bit RISC) 8 MHz, 10 KB RAM, 48 KB code, 1 MB flash Von Neumann architecture No memory protection Heap space unused!!! Chipcon CC2420 radio, on-board antenna IEEE 802.15.4 compliant 50 m. range indoor, 250 m. range outdoor, bandwidth 250 kbits/s 12

  13. Stored Program Images Delta application Multihop data collection application. Devices sample their internal temperature sensor and report readings using MultihopLQI routing prtotocol Oscilloscope application Senses all of the sensors on MoteIV Tmote Sky module and sends back its values Channel assignment [Humidity(0), Temp(1), TSR(2), PAR(3), InternalTemp(4), InternalVoltage(5), Moisture(6)] Packs 10 channel readings into a message Simple Radio demonstration application Exploits for demonstrating Malware Injection 13

  14. Part 3: SENSYS Attack TOOL Description 14

  15. Why bother ? By compromising overall sensor network security: Reveal wireless networking vulnerabilities Describe the “best” ways to perform existing attacks and study their effects Come up with novel attacks Shed light on the weaknesses of underlying protocols Highlight and motivate the need to come up with more efficient security protocols MOST IMPORTANT…Because it’s fun 15

  16. Architecture Layout Network Sniffer for passive monitoring and logging of radio packets Network Attack Tool that provides functionalities for compromising a sensor network’s security profile Network Visualization for displaying overheard neighborhood topology, network traffic, node states and status of any performed attack 16

  17. Network Sniffer Local Packet Monitoring module Gathers audit data to be forwarded over the serial port Listening promiscuously to neighboring nodes’ transmissions Packet Storage module Logging of messages to the attached host Offline analysis is possible Packet Description Database module Decodes overheard messages Contains annotated message structures Extendable configuration Access and manipulating operators 17

  18. Network Sniffer (cont…) Capturing and decoding unprotected network traffic (eavesdropping) 18

  19. Network Sniffer (cont…) 19

  20. Network Attack Tool Core component…It provides a number of attacks to be performed Data Stream Framework (DSF) Configured by network information (hardware platform, underlying routing protocol, message rate) Upon request constructs and transmits specially crafted packets Attack Launcher Handled by the user Depending on the kind of attacks provides the DSF with suitable requests 20

  21. Data Replay Attack Valid data transmission is maliciously repeated Tool enables transparent data access and alteration upon selection Replay original Replay modified Fetch the message from Packet Description Database Alter its content Actual fields (if message structure is known) Payload byte array (if unknown) 21

  22. Sinkhole Attack Draw all or as much traffic as possible from a particular area by making yourself look attractive to the surrounding nodes with respect to the underlying routing metric 22

  23. Routing Layer Model Great diversity in routing protocols (RP) for sensor nets Link quality calculations as routing cost metric (RCM) Choose as your parent the node with best LQ (smallest cost) in order to build the routing tree towards the BS MintRoute Link quality estimates Based on the packet loss of periodic Route Update transmissions Changes in Neighborhood Table triggers parent changing mech MultihopLQI Link Quality based on their own hardware (LQI) Periodic transmission of Beacons and extraction of path cost 23

  24. Ways to Launch Sinkholes Advertise high LQ for itself + Make current parents look like they have poor LQ Impersonate other nodes and transmit fake Route Updates Only for RPs with LQ estimates Easy to detect – not implemented Advertise minimum cost (15) to the BS Find the node with smallest Path Cost Choose it as your parent node Add minimum cost and advertise it Legitimate actions - Impossible to detect IMPORTANT …Configurable transmission period 24

  25. Selective Forwarding Refuse to forward certain messages Especially severe after Sinkhole All message traverse through the attacker Leading to Denial of Service attacks Do not OVERDO it as you will get caught Results visible at the GUI…Many retransmissions of the same message 25

  26. Program Image Dissemination Take advantage of network programming capabilities Dissemination of code updates, reprogramming of nodes Over-the-air programming (OAP) – Deluge protocol Uses reliable broadcasting for flooding the network inject 26

  27. Ok, so what? Subvert such protocols Modify or replace the real code image Inject new code application Reprogram the network to DO your work Use other functionalities provided by OAP Pinging – Request info from a node about its state (stored program images, currently executing image) Reboot Erase Inject 27

  28. How it works… CRC Page 0 Packet 0 Metadata Packet 1 0s Page 1 Length … Packet N-1 … Packet 0 Image Packet 1 Page P-2 … Packet N-1 0s Page P-1 Padding 0s Program Images are big – Suppose to happen few time during network lifetime Drain network’s energy 28

  29. Program Image Dissemination 6 places for storing images Golden Image (0) cannot be manipulated or changed 29

  30. Malicious Code Injection Take advantage of memory related vulnerabilities Buffer and stack overflow Send crafted packets and execute malicious code on the target system In embedded systems like sensor nodes Malware is rare No one looks for it Simple malware is undetected – Can be converted to an actual self-propagating worm 30

  31. History Travis Goodspeed was the first to author a WSN exploit Targeting devices following the Von Neumann architecture Francillon and Castelluccia demonstrated code injection on devices with Harvard architecture We took it one step further Inject and execute arbitrarily long code Used radio capabilities to create a self-replicating worm that propagates the carried malware to the whole network By infecting one node – Compromise the entire network 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Wireless networks 1 Overview Wireless networks basics IEEE 802.11 (Wi-Fi) a/b/g/n ad

Wireless networks 1 Overview Wireless networks basics IEEE 802.11 (Wi-Fi) a/b/g/n ad

Wireless networks 1 Overview Wireless networks basics IEEE 802.11 (Wi-Fi) a/b/g/n ad Hoc MAC protocols ad Hoc routing DSR AODV 2 Wireless Networks Autonomous systems of mobile hosts connected by wireless links Nodes are

1.3k views • 102 slides
Weaponizing BGP Using Communities Florian Streibelt, Franziska Lichtblau, Robert Beverly,

Weaponizing BGP Using Communities Florian Streibelt, Franziska Lichtblau, Robert Beverly,

Weaponizing BGP Using Communities Florian Streibelt, Franziska Lichtblau, Robert Beverly, Cristel Pelsser, Georgios Smaragdakis, Randy Bush, Anja Feldmann 2018.11.04 Weaponizing BGP Creative Commons: Attribution & Share Alike 1

445 views • 22 slides
1 Wireless standards Path Loss Phenomena Wireless standards Path Loss Phenomena Open

1 Wireless standards Path Loss Phenomena Wireless standards Path Loss Phenomena Open

Outline Outline What is wireless? Overview Wireless parameters Cellular architecture Wireless Networks Wireless Networks Media multiple access Wireless LAN 802.11 MANET Mobile Ad-hoc NETworks Amnon Jonas

525 views • 13 slides
Wireless Sensor Wireless Sensor Networks (WSNs) Networks (WSNs) Technological Revolution

Wireless Sensor Wireless Sensor Networks (WSNs) Networks (WSNs) Technological Revolution

Wireless Sensor Wireless Sensor Networks (WSNs) Networks (WSNs) Technological Revolution Computer Networking 1. 1990 LAN Internet Wireless Communications 2. 2000 GSM/UMTS WLAN Wireless Sensing Technologies 2010

617 views • 60 slides
Upcoming Wireless Networks and New Challenges Generalities Mesh networks Vehicular

Upcoming Wireless Networks and New Challenges Generalities Mesh networks Vehicular

Upcoming Wireless Networks and New Challenges Generalities Mesh networks Vehicular networks Security and Cooperation in Wireless Networks Georg-August University Gttingen Introduction Upcoming wireless networks: Personal

904 views • 42 slides
Wireless and Mobile Networks Wireless and 802.11 LANs wireless links: shared, fading,

Wireless and Mobile Networks Wireless and 802.11 LANs wireless links: shared, fading,

Wireless and Mobile Networks Wireless and 802.11 LANs wireless links: shared, fading, interference, hidden terminal problem IEEE 802.11 ( wi-fi ) CSMA/CA reflects wireless channel characteristics DIFS, SIFS,

1.43k views • 83 slides
4G Wireless Networks 4G Wireless Networks Need for Improved Loss Tolerance K. K. Ramakrishnan

4G Wireless Networks 4G Wireless Networks Need for Improved Loss Tolerance K. K. Ramakrishnan

4G Wireless Networks 4G Wireless Networks Need for Improved Loss Tolerance K. K. Ramakrishnan AT&T L b R AT&T Labs Research, NJ h NJ Thanks to: Robert Miller(AT&T), Vijay Subramanian and Shiv Kalyanaraman (RPI) Adaptive W

428 views • 15 slides
The security of existing wireless networks Cellular networks GSM o UMTS o WiFi LANs

The security of existing wireless networks Cellular networks GSM o UMTS o WiFi LANs

The security of existing wireless networks Cellular networks GSM o UMTS o WiFi LANs Bluetooth Security and Cooperation in Wireless Networks Georg-August University Gttingen Security in Wireless Networks Wireless networks are

519 views • 48 slides
Web Caching Web Caching and wireless networks Next generation Wireless Networks Helsinki

Web Caching Web Caching and wireless networks Next generation Wireless Networks Helsinki

Web Caching Web Caching and wireless networks Next generation Wireless Networks Helsinki university of technology Csar Fernndez Gago Jean-Baptiste Escoyez 1 Index Web caching concepts Web caching issues How does it works?

417 views • 18 slides
Topic 2b Wireless MAC Chapter 7 Wireless and Mobile Networks Computer Networking: A Top Down

Topic 2b Wireless MAC Chapter 7 Wireless and Mobile Networks Computer Networking: A Top Down

Topic 2b Wireless MAC Chapter 7 Wireless and Mobile Networks Computer Networking: A Top Down Approach 7 th edition Jim Kurose, Keith Ross Pearson/Addison Wesley April 2016 Wireless and Mobile Networks 7-1 Ch. 7: Wireless and Mobile

331 views • 29 slides
Linux Chapter 8: Wireless Networks Joseph Livesay Julian Richen Wireless networks have

Linux Chapter 8: Wireless Networks Joseph Livesay Julian Richen Wireless networks have

Linux Chapter 8: Wireless Networks Joseph Livesay Julian Richen Wireless networks have become prevalent in almost every aspect of our everyday lives However as the amount of wireless communication Introduction increases, the

817 views • 65 slides
Wireless Sensor Networks CMPSCI 677, 5/10/07 Peter Desnoyers Wireless Sensor Networks This

Wireless Sensor Networks CMPSCI 677, 5/10/07 Peter Desnoyers Wireless Sensor Networks This

Wireless Sensor Networks CMPSCI 677, 5/10/07 Peter Desnoyers Wireless Sensor Networks This lecture will answer: What are building blocks of a WSN? What is a WSN used for? Structure: Hardware platforms (motes) Sensing

362 views • 18 slides
CS 4453 Computer Networks Chapter 5 Wireless and Mobile Networks 2015 Winter A wireless network

CS 4453 Computer Networks Chapter 5 Wireless and Mobile Networks 2015 Winter A wireless network

CS 4453 Computer Networks Chapter 5 Wireless and Mobile Networks 2015 Winter A wireless network communication takes place over a wireless channel (which is usually a radio channel, or sometimes an infrared channel). The challenges for wireless

1.42k views • 113 slides
Application Layer Protocols Applications: communicating distributed processes end-user

Application Layer Protocols Applications: communicating distributed processes end-user

Wireless Networks III: advanced concepts Hans-Peter Schwefel and Tatiana K. Madsen Mm1 IP Mobility Support (HPS) Mm2 Wireless TCP (HPS) Mm3 Wireless applications, SIP & IMS (HPS) Mm4 Ad-hoc Networks I (TKM) Mm5

544 views • 37 slides
Outline Wireless Ad Hoc & Sensor Networks Introduction (Wireless Sensor Networks - Part

Outline Wireless Ad Hoc & Sensor Networks Introduction (Wireless Sensor Networks - Part

Outline Wireless Ad Hoc & Sensor Networks Introduction (Wireless Sensor Networks - Part 1) Challenges in WSNs Differences MANET vs. WSN Basic Node Architecture Operating Systems for WSNs O ti S t f WSN

911 views • 14 slides
Wireless Networks Lecture 20 : Managing Wireless Networks Peter Steenkiste CS and ECE, Carnegie

Wireless Networks Lecture 20 : Managing Wireless Networks Peter Steenkiste CS and ECE, Carnegie

Wireless Networks Lecture 20 : Managing Wireless Networks Peter Steenkiste CS and ECE, Carnegie Mellon University Peking University, Summer 2016 1 Peter A. Steenkiste Outline WiFi deployments and channel selection Rate adaptation 2

126 views • 12 slides
A Blue print fo r Chang e make rs c ha ng e la b so lutio ns.o rg / b lue print Our la unc h we b

A Blue print fo r Chang e make rs c ha ng e la b so lutio ns.o rg / b lue print Our la unc h we b

A Blue print fo r Chang e make rs c ha ng e la b so lutio ns.o rg / b lue print Our la unc h we b ina r will sta rt a t 11:00a m PT / 2:00 pm E T . T he a udio will stre a m thro ug h yo ur c o mpute r spe a ke rs yo u sho uld b e he a

710 views • 24 slides
Launching Your VISTA Service Audio by phone: 866-609-4997 Connecting to Audio Dial: 866-609-4997

Launching Your VISTA Service Audio by phone: 866-609-4997 Connecting to Audio Dial: 866-609-4997

You will need an Well begin soon. While youre Oath of Service form for this waiting, please share your answer webinar. Download and print the in the chat panel on the right: form from the Handouts panel, Why did you join VISTA? but

720 views • 22 slides
Designing and launching the next-generation database system: from whiteboard to production Guido

Designing and launching the next-generation database system: from whiteboard to production Guido

April 25, 2018 Designing and launching the next-generation database system: from whiteboard to production Guido Iaquinti $whoami Guido Iaquinti Operations Engineer in Dublin Member of the storage team No previous DBA experience

3.28k views • 99 slides
LAUNCHING RCS THINGS TO CONSIDER KOBUS SMIT, STRATEGIC ENGAGEMENT DIRECTOR GSMA RCS

LAUNCHING RCS THINGS TO CONSIDER KOBUS SMIT, STRATEGIC ENGAGEMENT DIRECTOR GSMA RCS

LAUNCHING RCS THINGS TO CONSIDER KOBUS SMIT, STRATEGIC ENGAGEMENT DIRECTOR GSMA RCS Deployment Options Operators face a number of choices in deploying RCS: RCS Infrastructure: on premises or hosted? Which vendor?

235 views • 11 slides
Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Last time We continued By launching our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow fundamentals This time We will finish up By looking at Buffer Overflow overflows

1.33k views • 103 slides
Kotlin Puzzlers, vol 2 KotlinConf 2018, Amsterdam #kotlinpuzzlers @antonkeks Tallinn, Estonia

Kotlin Puzzlers, vol 2 KotlinConf 2018, Amsterdam #kotlinpuzzlers @antonkeks Tallinn, Estonia

Kotlin Puzzlers, vol 2 KotlinConf 2018, Amsterdam #kotlinpuzzlers @antonkeks Tallinn, Estonia (Estland) Kotlin island How can we save Java? Why not use Kotlin :-) Kotlin? A new type-safe JVM language Very good Java interop Now also

371 views • 12 slides
Launching Enterprise Risk Management in Your Agency A Senior Leadership Workshop Aug. 24-25,

Launching Enterprise Risk Management in Your Agency A Senior Leadership Workshop Aug. 24-25,

Launching Enterprise Risk Management in Your Agency A Senior Leadership Workshop Aug. 24-25, 2015 NCHRP 20-24 (105) StarIsis Welcome and Introduction Tim Henkel Launching Enterprise Risk Management in Your Agency NCHRP 20-24 (105) Host,

595 views • 15 slides
Launching e-FRRR Step 1 in achieving STP Andrew Sheng Chairman Securities and Futures

Launching e-FRRR Step 1 in achieving STP Andrew Sheng Chairman Securities and Futures

Launching e-FRRR Step 1 in achieving STP Andrew Sheng Chairman Securities and Futures Commission Agenda Launch e-FRRR Linking SDNet to form FinNet Recognising contribution of pilot registrants e-FRRR Straight through

335 views • 18 slides

More recommend