Wireless Sensor Networks: Nothing is Out of Reach

Presenter: Daniel Lance, Layered Integration

After years of installing wireless sensor networks in homes and businesses, we are now faced with a question: "How is this all secure? Or is it?" A look into the history of WSNs (Wireless Sensor Networks) and the original design concepts that paved the road to our using them in everyday life.

This presentation will be a deep dive into wireless and reveal new challenges we have in protecting our perimeter when all of our core monitoring devices are riding a wave into the public space, as most industrial control providers look to capitalize on fast installation times and inexpensive adaptive solutions. This research shows, start to finish, how anyone with a laptop and an SDR (Software Defined Radio) can hack into and take control of WSNs from outside the front gate.

The presentation will demonstrate how a device inside your facility might reveal itself through spectrum analysis, then how a hacker might flank the security of the device and own the network with very simple replay attacks that can grant them physical access, and how social engineering pre-installation and post-installation will cause you to disregard warning signs that someone is tampering with the network. A high-level understanding of radio is no longer needed for packet analysis with open source tools. Proper implementation has never been more important, as even an encrypted device can be compromised in the last mile before installation. We will talk about the tools security professionals are lacking from the manufacturers of these devices to scan for a compromised device, and what can be done in the future to protect WSNs.

Slides

1. 11th Annual Security & Compliance Summit | Washington D.C. Prepared by: Daniel Lance. Wireless Sensor Networks: Nothing is out of reach
2. WSN: Nothing is out of reach. By: Daniel C Lance
3. OUR AGENDA (KINDA). 1 History/Design: conceptual implementation, practical implementation. 2 What is it? What are WSNs as a whole. 3 SDR: Software Defined Radio, software and hardware overview, Hack Matrix. 4 Social Engineering: cognitive biases, pretexting, baiting. 5 What can be done: a fix for all wireless systems. "After years of installing wireless sensor networks in homes and businesses we are now faced with a question: How is this all secure? Or is it?"
4. ABOUT ME
5. HISTORY: TACTICAL TO PRACTICAL. 1949, Start: Sound Surveillance System (SOSUS) developed by the United States military. 1978, Growth: Distributed Sensor Network Workshop; DSNs are the birthplace of the common WSN. 1980, Innovation: Distributed Sensor Network (DSN); DARPA formally explores the challenges in implementing distributed/wireless sensor networks.
6. 1993, Innovation: UCLA Wireless Integrated Network Sensors (WINS). 1999, Innovation: University of California at Berkeley PicoRadio program. 2000, Innovation: Adaptive Multi-domain Power Aware Sensors program, MIT. 2001, Innovation: NASA Sensor Webs.
7. Today. 2002, Alliance: ZigBee Alliance. 2002, Innovation: Center for Embedded Network Sensing. 2005, Alliance: Z-Wave Alliance.
8. APPLICATION & DEBUT, 1949 to present day. [Chart: sensor adoption across Military, Scientific, Industry and Consumer; axes: cost and energy needed to build a sensor vs. total market size, past vs. present day]
10. SO WHAT IS A WSN? Design in a nutshell: sender and receiver (node and gatherer); sensor component (analog and/or digital I/O); modulation protocols (OOK, FSK, ASK, etc.); power management (how can the device report for longer?).
11. TOPOLOGY OF A NETWORK: sender and receiver (node and gatherer). [Diagrams: one way (sender to receiver); bidirectional (sender and receiver both transmit); mesh (nodes relay through each other to the receiver); star (each node talks directly to the receiver)]
12. SENSORS: A TON OF THEM. Accelerometers; accessories; amplifiers; capacitive touch sensors, proximity sensor ICs; color sensors; current transducers; dust sensors; encoders; flex sensors; float, level sensors; flow sensors; force sensors; gas sensors; gyroscopes; image sensors, camera; inclinometers; IrDA transceiver modules; LVDT transducers (Linear Variable Differential Transformer); magnetic sensors - compass, magnetic field (modules); magnetic sensors - Hall effect, digital switch, linear, compass (ICs); magnetic sensors - position, proximity, speed (modules); magnets; moisture sensors, humidity; motion sensors, detectors; multifunction; optical sensors - ambient light, IR, UV sensors; optical sensors - distance measuring; optical sensors - photo detectors - CdS cells; optical sensors - photo detectors - logic output; optical sensors - photo detectors - remote receiver; optical sensors - photodiodes; optical sensors - photoelectric, industrial; optical sensors - photointerrupters - slot type - logic output; optical sensors - photointerrupters - slot type - transistor output; optical sensors - phototransistors; optical sensors - reflective - analog output; optical sensors - reflective - logic output; position sensors - angle, linear position measuring; pressure sensors, transducers; proximity sensors; proximity/occupancy sensors - finished units; RTD (Resistance Temperature Detector); shock sensors; solar cells; specialized sensors; strain gages; temperature regulators; temperature sensors, transducers; temperature switches; thermistors - NTC; thermistors - PTC; thermocouple, temperature probe; tilt sensors; ultrasonic receivers, transmitters; vibration sensors.
13. Phase-shift keying (PSK): PSK uses a finite number of phases, each assigned a unique pattern of binary digits. Usually, each phase encodes an equal number of bits. Frequency-shift keying (FSK): a frequency modulation scheme in which digital information is transmitted through discrete frequency changes of a carrier wave. The simplest FSK is binary FSK (BFSK). BFSK uses a pair of discrete frequencies to transmit binary (0s and 1s) information. With this scheme, the "1" is called the mark frequency and the "0" is called the space frequency. The time domain of an FSK modulated carrier is illustrated in the figures to the right. Amplitude-shift keying (ASK): a form of amplitude modulation that represents digital data as variations in the amplitude of a carrier wave. In an ASK system, the binary symbol 1 is represented by transmitting a fixed-amplitude, fixed-frequency carrier wave for a bit duration of T seconds; a 0 is sent at a different amplitude, and in the simplest case, on-off keying (OOK), nothing is transmitted at all. Quadrature amplitude modulation (QAM): both an analog and a digital modulation scheme. It conveys two analog message signals, or two digital bit streams, by changing (modulating) the amplitudes of two carrier waves, using the amplitude-shift keying (ASK) digital modulation scheme or the amplitude modulation (AM) analog modulation scheme. Continuous phase modulation (CPM): a data modulation method commonly used in wireless modems. In contrast to other coherent digital phase modulation techniques where the carrier phase abruptly resets to zero at the start of every symbol (e.g. M-PSK), with CPM the carrier phase is modulated in a continuous manner.
14. POWER MANAGEMENT: battery powered; wake/speed modes; alarm vs. trouble vs. tamper (10 tx, 5 tx, 3 tx); PM schedule. [Chart: battery level from 100% down through stages 1 to 4]
15. SDR: HERE TO STAY. Software Defined Radio: started as a TV tuner; size of a stick of gum; supported on all OSs; $20.95 with free shipping. Software & Hardware.
16. THE SOFTWARE: OPEN SOURCE. Pentoo: the SDR distro of choice! GNU Radio Companion (GRC): a graphical tool for creating signal flow graphs and generating flow-graph source code. Gqrx SDR: a software defined radio receiver powered by the GNU Radio SDR framework and the Qt graphical toolkit. Audacity: cross-platform software for recording and editing sounds; great for figuring out protocols.
17. THE HARDWARE: LOW COST. Dongle time. HackRF One (Great Scott Gadgets): a Software Defined Radio peripheral capable of transmission or reception of radio signals from 10 MHz to 6 GHz. RTL2832U with Elonics E4000 tuner: 52 to 2200 MHz with a gap from 1100 MHz to 1250 MHz (varies). Ubertooth One: a 2.4 GHz wireless development platform suitable for Bluetooth experimentation; commercial Bluetooth monitoring equipment can be found for over $10,000. Upgradeable antenna: everything from RFID to satellite.
18. START SOME HACKING: WHAT THE HECK DO WE KNOW. The device: a perimeter device; MSP430F2132IRHB microcontroller; data sheet is public; we know it's OOK; FCC listed.
19. THE TYPICAL REPLAY ATTACK: GQRX and Audacity. Start by finding the device, then sample the audio, then define the audio files. We know it is at 345 MHz. We know we have the correct device because of the on-off times. We can now do replay attacks at will. We can try our hand at jamming.
20. THE TYPICAL REPLAY ATTACK: HOW DO WE SEND THE FILE? The RTL2832U has failed: it is a receive-only dongle and cannot transmit. We know we have a good attack; we have the data.
21. GLASS STAGE: ON THE CHEAP SIDE. Find the carrier signal, then tap the audio output from your sound card onto the carrier signal and send the file. [Diagram: half, full]
22. SPEND A LITTLE CASH: HACKRF TO THE RESCUE. Without the device: start by finding the device, then sample the audio, then define the audio files, then repeat. We can replay attack with little programming. We can RF jam with little effort. We can RF jam intermittently, in bursts short enough that the receiver thinks the interference is over and never reports a jam.
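The capture-and-replay procedure of slides 19 to 22 in working form, as an added example that is not part of the deck: threshold the audio/envelope export, measure the on-off times (the timing signature used to confirm it is the right device), turn the pulses into bits, and rebuild a clean baseband that a transmitter would key the carrier with. The encoding (PWM-style OOK with a 250 us pulse for 0, 750 us for 1, 250 us gaps), the 48 kHz sample rate, the 0.3 threshold and the captured samples are all assumptions constructed for the example; real sensors use other widths or Manchester coding, so treat the widths as parameters to be read off the Audacity waveform.

```python
"""OOK timing extraction from an envelope capture, and re-synthesis for replay.

Added example, not from the slides. Assumptions: PWM-style OOK (short "on" pulse = 0,
long "on" pulse = 1, fixed gap), a 48 kHz audio export, amplitude threshold 0.3.
"""
from typing import List, Tuple

SAMPLE_RATE = 48_000   # Hz; assumption: audio exported from GQRX/Audacity
SHORT_US = 250         # assumption: "on" width of a 0 bit, microseconds
LONG_US = 750          # assumption: "on" width of a 1 bit
GAP_US = 250           # assumption: "off" gap between pulses
THRESHOLD = 0.3        # envelope level above which the carrier counts as "on"

Run = Tuple[int, int]  # (level 0/1, duration in microseconds)


def samples_to_runs(samples: List[float], rate: int = SAMPLE_RATE,
                    threshold: float = THRESHOLD) -> List[Run]:
    """Threshold the envelope and run-length encode it as (level, microseconds)."""
    runs: List[Run] = []
    level, count = None, 0
    for s in samples:
        cur = 1 if abs(s) >= threshold else 0
        if cur == level:
            count += 1
            continue
        if level is not None:
            runs.append((level, round(count * 1_000_000 / rate)))
        level, count = cur, 1
    if level is not None:
        runs.append((level, round(count * 1_000_000 / rate)))
    return runs


def pulse_signature(runs: List[Run]) -> List[int]:
    """Distinct 'on' widths, sorted: the on-off timing that identifies the device."""
    return sorted({dur for level, dur in runs if level == 1})


def runs_to_bits(runs: List[Run], short_us: int = SHORT_US,
                 long_us: int = LONG_US) -> List[int]:
    """Classify each 'on' run against the midpoint between the two known widths."""
    mid = (short_us + long_us) / 2
    return [1 if dur > mid else 0 for level, dur in runs if level == 1]


def decode_capture(samples: List[float]) -> List[int]:
    return runs_to_bits(samples_to_runs(samples))


def bits_to_runs(bits: List[int], short_us: int = SHORT_US, long_us: int = LONG_US,
                 gap_us: int = GAP_US) -> List[Run]:
    runs: List[Run] = []
    for b in bits:
        runs.append((1, long_us if b else short_us))
        runs.append((0, gap_us))
    return runs


def runs_to_samples(runs: List[Run], rate: int = SAMPLE_RATE,
                    amplitude: float = 0.8) -> List[float]:
    """Rebuild a clean envelope from runs: the replay file a transmitter keys the carrier with."""
    out: List[float] = []
    for level, dur in runs:
        out.extend([amplitude if level else 0.0] * round(dur * rate / 1_000_000))
    return out


# Constructed capture, not a real recording: 100 samples of silence, the pattern 10110010
# with small deterministic noise on every sample, then silence again.
_CLEAN = runs_to_samples(bits_to_runs([1, 0, 1, 1, 0, 0, 1, 0]))
CAPTURED = [0.0] * 100 + [s + 0.05 * ((i % 3) - 1) for i, s in enumerate(_CLEAN)] + [0.0] * 100

if __name__ == "__main__":
    runs = samples_to_runs(CAPTURED)
    print("on-off signature (us):", pulse_signature(runs))   # [250, 750]
    print("bits:", decode_capture(CAPTURED))                  # [1, 0, 1, 1, 0, 0, 1, 0]
    replay = runs_to_samples(bits_to_runs(decode_capture(CAPTURED)))
    print("replay samples:", len(replay))                     # 288
```

The decoded bits are not needed for the replay itself (slide 23 makes that point); the run list alone is enough to re-key a carrier, which is why a CRC-only receiver cannot tell a replay from the real sensor.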
23. GOING A STEP FURTHER: BINARY. Why we don't care about the little bits: we only know what we are told; good for baiting; it's faster just to make stuff up. [Frame layout: Preamble 10101010101010 | ID xxxxxx | Net xx | Payload xxxxxx | CRC (16 bits)]
24. WHAT IS AT RISK TODAY? Sender and receiver (node and gatherer). [Same topology diagram as slide 11: one way, bidirectional, mesh, star]
25. RECEIVERS ARE THE DOWNFALL: Hack Matrix. Fixed encryption (session keys): extract the firmware via the bus and capture the key of the WSN. No-pass-key encryption (session keys): capture the device in the last mile before installation. Dynamic encryption (session keys): attack the programming device. Any topology (one way, bidirectional, star, mesh): jam and emulate.
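A worked frame parser for the slide 23 layout, plus the receiver-side consequence of slide 25, as an added example that is not the deck's code. The field widths are an assumption read off the slide (2-byte 1010... preamble, 3-byte ID, 1-byte Net, 3-byte payload, 16-bit CRC), the CRC is assumed to be CRC-16/CCITT-FALSE, and the sensor ID, key and payloads are constructed. It shows why a CRC-only receiver accepts both a replayed capture and a made-up payload with a recomputed CRC, and then one instance of the "dynamic/session key" layer: a per-sensor key, a counter in the payload and a truncated HMAC, which rejects both.

```python
"""Slide 23 frame layout: why CRC alone stops neither replay nor forgery, and one hardened variant.

Added example, not from the slides. Field widths, the CRC variant and the hardened
frame layout (state, 16-bit counter, 4-byte HMAC-SHA256 tag) are assumptions.
"""
import hashlib
import hmac
from typing import Dict

PREAMBLE = b"\xaa\xaa"                  # the 1010... sync pattern on the slide
ID_LEN, NET_LEN, PAYLOAD_LEN, CRC_LEN = 3, 1, 3, 2
FRAME_LEN = len(PREAMBLE) + ID_LEN + NET_LEN + PAYLOAD_LEN + CRC_LEN
TAG_LEN = 4                             # truncated HMAC tag in the hardened frame
AUTH_FRAME_LEN = len(PREAMBLE) + ID_LEN + NET_LEN + 1 + 2 + TAG_LEN + CRC_LEN


def crc16_ccitt(data: bytes, crc: int = 0xFFFF) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF); check value for b'123456789' is 0x29B1."""
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def build_frame(sensor_id: int, net: int, payload: bytes) -> bytes:
    assert len(payload) == PAYLOAD_LEN
    body = sensor_id.to_bytes(ID_LEN, "big") + bytes([net]) + payload
    return PREAMBLE + body + crc16_ccitt(body).to_bytes(CRC_LEN, "big")


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Split a frame into fields; ValueError on bad length, preamble or CRC."""
    if len(frame) != FRAME_LEN or not frame.startswith(PREAMBLE):
        raise ValueError("bad length or preamble")
    body, crc = frame[len(PREAMBLE):-CRC_LEN], int.from_bytes(frame[-CRC_LEN:], "big")
    if crc16_ccitt(body) != crc:
        raise ValueError("bad CRC")
    return {"id": int.from_bytes(body[:ID_LEN], "big"), "net": body[ID_LEN],
            "payload": body[ID_LEN + NET_LEN:]}


def forge_payload(captured: bytes, new_payload: bytes) -> bytes:
    """The 'make stuff up' step: keep ID and Net from a capture, swap the payload, fix the CRC."""
    f = parse_frame(captured)
    return build_frame(f["id"], f["net"], new_payload)


class CrcOnlyReceiver:
    """What the slides describe: any frame with a good CRC is believed, however many times it arrives."""
    def accept(self, frame: bytes) -> bool:
        try:
            parse_frame(frame)
            return True
        except ValueError:
            return False


class AuthenticatedSensor:
    """Hardened frame: PREAMBLE | ID(3) | Net(1) | state(1) | counter(2) | tag(4) | CRC(2).
    The counter wraps at 65535; a real design re-keys before that."""
    def __init__(self, sensor_id: int, net: int, key: bytes):
        self.sensor_id, self.net, self.key, self.counter = sensor_id, net, key, 0

    def send(self, state: int) -> bytes:
        self.counter += 1
        signed = (self.sensor_id.to_bytes(ID_LEN, "big") + bytes([self.net, state])
                  + self.counter.to_bytes(2, "big"))
        body = signed + hmac.new(self.key, signed, hashlib.sha256).digest()[:TAG_LEN]
        return PREAMBLE + body + crc16_ccitt(body).to_bytes(CRC_LEN, "big")


class AuthenticatedReceiver:
    def __init__(self, keys: Dict[int, bytes]):
        self.keys, self.last_counter = keys, {}

    def accept(self, frame: bytes) -> bool:
        if len(frame) != AUTH_FRAME_LEN or not frame.startswith(PREAMBLE):
            return False
        body = frame[len(PREAMBLE):-CRC_LEN]
        if crc16_ccitt(body) != int.from_bytes(frame[-CRC_LEN:], "big"):
            return False
        signed, tag = body[:-TAG_LEN], body[-TAG_LEN:]
        key = self.keys.get(int.from_bytes(signed[:ID_LEN], "big"))
        if key is None:
            return False                                   # unknown sensor
        if not hmac.compare_digest(tag, hmac.new(key, signed, hashlib.sha256).digest()[:TAG_LEN]):
            return False                                   # forged or edited
        sensor_id, counter = int.from_bytes(signed[:ID_LEN], "big"), int.from_bytes(signed[-2:], "big")
        if counter <= self.last_counter.get(sensor_id, 0):
            return False                                   # replayed
        self.last_counter[sensor_id] = counter
        return True


KEY = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed per-sensor key

if __name__ == "__main__":
    cap = build_frame(0x1A2B3C, 0x07, b"\x01\x00\x00")     # constructed "door closed" capture
    weak = CrcOnlyReceiver()
    print("replay accepted:", weak.accept(cap) and weak.accept(cap))
    print("forged payload accepted:", weak.accept(forge_payload(cap, b"\x00\x00\x00")))
    sensor, strong = AuthenticatedSensor(0x1A2B3C, 0x07, KEY), AuthenticatedReceiver({0x1A2B3C: KEY})
    f1 = sensor.send(1)
    print("first frame:", strong.accept(f1), "replay:", strong.accept(f1))
```

The CRC still belongs in the hardened frame: it cheaply rejects noise before the HMAC is computed, but it is the tag and the counter that carry the security. A 4-byte tag is a deliberate size trade-off for a low-rate sensor; the key still has to be provisioned per device and protected, which is exactly the "last mile" and "programming device" layers of the matrix.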
26. WHAT THE HECK DOES THIS MEAN? Wireless sensors can be: taken hostage; emulated; jammed. Receivers can be: jammed even with jam detection; used against the facility staff.
27. SOCIAL ENGINEERING: WORKING FOR YOU 24 HOURS A DAY. Cognitive biases: all of our own personal experience plays a huge part. Pretexting: affecting a whole group. Baiting: getting one or more people to act.
28. COGNITIVE BIASES: THE INDIVIDUAL. [Same chart as slide 8: Military, Scientific, Industry, Consumer; cost and energy needed to build a sensor vs. total market size, past vs. present day]
29. PRETEXTING: ALL TOGETHER NOW. [Diagram: receiver and a "Malicious MiniVan"]
30. BAITING: Always a bigger fish. Case tampers; speeding up fault conditions; low battery signaling.
31. BRING IT ALL TOGETHER
32. "EVERYTHING WE HEAR IS AN OPINION, NOT A FACT. EVERYTHING WE SEE IS A PERSPECTIVE, NOT THE TRUTH." - Marcus Aurelius
34. THE SOLUTION: WHAT DO WE REALLY NEED? Verify signals; acquisition of data; attribution of attack; attack response.
35. VERIFY SIGNALS: TRIANGULATION OF SIGNALS. [Diagram: three receivers hear the signal from the wireless sensor at different strengths, e.g. 70% and 40%]
36. ACQUISITION OF DATA: TRACK RADIO ACTIVITY. When a radio starts, spectrum analysis shows a so-called "spike happens": a new spike appears. Wait and see what happens. Log the frequency; log the dB level of the radio at its frequency; track changes in power; warn if the center frequency comes close to the WSN's. This radio log can then be shared if an attack happens: long term storage.
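The slide 36 logging-and-warning loop as detection logic run over sample log lines, added here as an example that is not part of the deck. The log format (seconds, centre frequency in Hz, level in dB, one line per scan per emitter), the 25 kHz bucketing, the 100 kHz guard band around the 345 MHz device, the 2 s "sustained carrier" limit and the 10 dB rise threshold are all assumptions, and the log itself is constructed. It warns on a new emitter near the WSN channel, on a carrier that lingers where a sensor would only burst (jamming), and on the WSN's own channel suddenly getting much hotter (an emulator on-channel).

```python
"""Spectrum-log triage: log centre frequency and level, track power, warn near the WSN channel.

Added example, not the slides' tooling. Log format, thresholds and the sample log are assumptions.
"""
from typing import Dict, List, Set, Tuple

WSN_HZ = 345_000_000     # the perimeter device from slide 19
GUARD_HZ = 100_000       # assumption: warn about anything within +/-100 kHz of it
BIN_HZ = 25_000          # assumption: bucket width so small drift is not a "new" emitter
SCAN_S = 0.5             # assumption: spectrum scan interval
MAX_BURST_S = 2.0        # assumption: sensor bursts last tens of ms; seconds of carrier is jamming
RISE_DB = 10.0           # assumption: rise over the first-seen level worth a warning

Alert = Tuple[str, float, int, float]   # (kind, time_s, centre_hz, dB)


def parse_line(line: str) -> Tuple[float, int, float]:
    ts, hz, db = line.strip().split(",")
    return float(ts), int(hz), float(db)


def analyze(lines: List[str], wsn_hz: int = WSN_HZ, guard_hz: int = GUARD_HZ) -> List[Alert]:
    baseline: Dict[int, float] = {}        # first-seen level per bin ("log the dB level")
    last_seen: Dict[int, float] = {}
    streak_start: Dict[int, float] = {}
    streak_alerted: Set[int] = set()
    alerts: List[Alert] = []
    records = sorted(parse_line(l) for l in lines if l.strip() and not l.startswith("#"))
    for ts, hz, db in records:
        b = round(hz / BIN_HZ) * BIN_HZ
        near = abs(b - wsn_hz) <= guard_hz
        if b not in baseline:
            baseline[b] = db
            if near and b != wsn_hz:               # the WSN's own channel is expected
                alerts.append(("new-emitter", ts, b, db))
        elif db - baseline[b] >= RISE_DB:          # "track changes in power"
            alerts.append(("power-rise", ts, b, db))
        if near:
            continuous = b in last_seen and ts - last_seen[b] <= SCAN_S * 1.5
            if continuous:
                if ts - streak_start[b] >= MAX_BURST_S and b not in streak_alerted:
                    alerts.append(("sustained", ts, b, db))
                    streak_alerted.add(b)
            else:
                streak_start[b] = ts
                streak_alerted.discard(b)
            last_seen[b] = ts
    return alerts


# Constructed log, not a real capture. seconds,centre_hz,dB
SAMPLE_LOG = [
    "# seconds,centre_hz,dB",
    "0.0,345000000,-60.0",    # sensor supervision burst on its own channel
    "0.0,101100000,-40.0",    # FM broadcast, far away, constant
    "30.0,345000000,-61.0",   # sensor again, normal level
    "30.0,101100000,-40.0",
    "60.0,345050000,-35.0",   # something new 50 kHz above the sensor
    "60.5,345050000,-35.0",
    "61.0,345050000,-34.0",
    "61.5,345050000,-35.0",
    "62.0,345050000,-35.0",   # still there after 2 s: no sensor bursts this long
    "62.5,345050000,-35.0",
    "90.0,345000000,-30.0",   # the sensor's own channel, 30 dB hotter than ever
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Keeping the per-bin first-seen level and the alert list on disk is the "long term storage" the slide asks for: after an incident the log shows when the emitter appeared, how strong it was and how long it stayed.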
37. ATTRIBUTION OF ATTACK: FINGER POINTING. [Diagram: three receivers hear the signal from the attacker at different strengths, e.g. 70% and 40%]
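One way to turn the multi-receiver pictures of slides 35 and 37 into a check, added here as an example that is not the deck's code. A sensor fixed to a wall is heard by each receiver at a roughly stable level, so the set of levels is a fingerprint that can be enrolled at install time; a transmitter using the same ID from somewhere else (the minivan) produces a different set, and the receivers that hear it loudest point at where it is. Receiver coordinates, the enrolled fingerprint, the 8 dB tolerance and the observed frames are constructed; the position estimate is a crude power-weighted centroid, not a calibrated triangulation.

```python
"""RSSI fingerprint verification and crude attribution across several receivers.

Added example, not from the slides. Receiver positions (metres), fingerprints and the
8 dB tolerance are constructed assumptions.
"""
from typing import Dict, Tuple

RECEIVERS: Dict[str, Tuple[float, float]] = {"R1": (0.0, 0.0), "R2": (40.0, 0.0), "R3": (20.0, 30.0)}
TOLERANCE_DB = 8.0

Fingerprint = Dict[str, float]   # receiver name -> RSSI in dBm


def deviation_db(enrolled: Fingerprint, observed: Fingerprint) -> float:
    """Largest per-receiver difference; a receiver that should hear the sensor but did not is unbounded."""
    worst = 0.0
    for rx, level in enrolled.items():
        if rx not in observed:
            return float("inf")
        worst = max(worst, abs(observed[rx] - level))
    return worst


def matches_enrollment(enrolled: Fingerprint, observed: Fingerprint,
                       tol: float = TOLERANCE_DB) -> bool:
    """Verify signals: does this frame look like it came from where the sensor was installed?"""
    return deviation_db(enrolled, observed) <= tol


def strongest_receiver(observed: Fingerprint) -> str:
    return max(observed, key=observed.get)


def estimate_position(observed: Fingerprint,
                      receivers: Dict[str, Tuple[float, float]] = RECEIVERS) -> Tuple[float, float]:
    """Weighted centroid with linear-power weights (10^(dBm/10)): the loudest receiver dominates."""
    weights = {rx: 10 ** (db / 10) for rx, db in observed.items() if rx in receivers}
    total = sum(weights.values())
    x = sum(w * receivers[rx][0] for rx, w in weights.items()) / total
    y = sum(w * receivers[rx][1] for rx, w in weights.items()) / total
    return x, y


def attribute(enrolled: Fingerprint, observed: Fingerprint) -> Dict[str, object]:
    """Verification result plus the finger-pointing data for an unverified frame."""
    return {"verified": matches_enrollment(enrolled, observed),
            "strongest": strongest_receiver(observed),
            "position": estimate_position(observed)}


ENROLLED = {"R1": -50.0, "R2": -70.0, "R3": -75.0}   # constructed: sensor mounted next to R1
GENUINE = {"R1": -52.0, "R2": -68.0, "R3": -77.0}    # same sensor, a few dB of normal variation
IMPOSTOR = {"R1": -78.0, "R2": -70.0, "R3": -45.0}   # same ID, but loudest at R3

if __name__ == "__main__":
    print("genuine:", attribute(ENROLLED, GENUINE))
    print("impostor:", attribute(ENROLLED, IMPOSTOR))
```

The fingerprint check is only as good as the receivers' independence: an attacker who can overpower all three from close range still fails the check, but one who sits next to the sensor does not, which is why the slide pairs it with the spectrum log and a response step.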
38. ATTACK RESPONSE: TALK TO ME GOOSE. [Diagram: three receivers; the signal from the attacker is blocked (x)]
39. WHAT CAN WE START TODAY? USING APPLIED TECHNOLOGY. System integrators: need tools for verifying binaries and need to be able to hash a sensor and receiver. Manufacturers: need to develop complex adaptive networks using the above methods. Compliance: need to outline when a WSN can and can't be used on mission critical equipment based on real risk. Customers: harden their understanding of WSNs and limit use on mission critical installations.
40. One more thing...
41. TRY IT FOR YOURSELF! Download the VM from the link! Will be posted shortly! Checklist: buy a radio on Amazon; load the VM; click on FMstations.grc on the desktop; tune to your favorite radio station after executing the script; tell me about it on Twitter: @DanielCLance
42. Thanks for Watching This Presentation. See You Next Time!!!