Weaponizing Wireless Networks:An Attack Tool for Launching Attacks against

Sensor Networks

Thanassis GiannetsosTassos DimitriouNeeli R. Prasad

Outline

• Background• Network Threats and Wireless Attacks• Tool Architecture Overview • Implemented Attacks and Actions• Conclusion• Reference

Background• Network Threats and Wireless Attacks• Tool Architecture Overview • Implemented Attacks and Actions• Conclusion• Reference

Background

• Wireless sensor network– Monitor physical or environmental conditions,

such as temperature, sound, vibration, pressure, motion or pollutants.

• Equip with a radio transceiver, a microcontroller, and a battery.

• BackgroundNetwork Threats and Wireless Attacks• Tool Architecture Overview • Implemented Attacks and Actions• Conclusion• Reference

Network Threats and Wireless Attacks

• Inadequate physical protection– Energy and Cost

• Through the air– Easy to be intercepted

• Wireless Attack– Interception– Alteration– Disruption– Injection

• Background• Network Threats and Wireless AttacksTool Architecture Overview • Implemented Attacks and Actions• Conclusion• Reference

Tool Architecture Overview

• Three Main Conceptual Modules:– Network Sniffer:• Monitoring and logging of radio packets.

– Network Attack Tool:• Provides a number of actions for attack.

– Network Visualization:• Display topology、 Traffic、 Nodes State and Status of

attack.

Tool Architecture Overview

Network Sniffer (1/3)

• The network sniffer relies on packets that are overheard in a sensor's node neighborhood.

• It captures them and logs them for later analysis.

• Components:– Local Packet Monitoring– Packet Storage– Packet Description Database

Network Sniffer (2/3)

• Local Packet Monitoring:– To gather audit data

• Packet Storage:– Logging and analysis– Construct graph of neighborhood topology

• Packet Description Database– User can specify msg content as C structs which

automatically added to DB

Network Sniffer (3/3)

Network Attack Tool

Analysis & Graph

Network Attack Tool (1/3)

• Provide a number of actions for compromising the sensor network's security profile.

• Components:– Data Stream Framework– Attack Launcher

Network Attack Tool (2/3)

• Data Stream Framework:– Identified info as its configuration record– Basis msg for Attack Launcher

• Attack Launcher:– 6 types of attacks:

① Data Replay② Malicious Code Injection③ Sinkhole Attack④ Selective Forwarding⑤ Flooding⑥ Program Image Dissemination & Ping Operation

Network Attack Tool (3/3)

Network Sniffer

• Background• Network Threats and Wireless Attacks• Tool Architecture Overview Implemented Attacks and Actions• Conclusion• Reference

Implemented Attacks and Actions (1/3)

• Data Replay– Msg are stored into the Packet Description

Database.• Malicious Code Injection– Buffer overflow– Create self-replicating worm and broadcast it.

• Selective Forwarding

Implemented Attacks and Actions (2/3)

• Sinkhole Attack– Use link quality (LQ) calculations as the routing cost

metric to build the routing tree towards the base station.

– Broadcast a beacon message.– Advertise a very good LQ in order for all neighboring

nodes to choose the tools' attached node as their parent.

• Flooding– Send HELLO messages with high transmission power.

Send Msg

Implemented Attacks and Actions (2/3)

• Program Image Dissemination & Ping Operation– The ping action sends a message to a specific

sensor node to request about its state, its currently executing program image and what other images are stored in that node.

– Program Image dissemination is a fundamental service in sensor networks that relies upon reliable broadcast of image updates.

• Background• Network Threats and Wireless Attacks• Tool Architecture Overview • Implemented Attacks and ActionsConclusion• Reference

Conclusion

• To reveal the vulnerabilities of such networks• To study the effects of severe attacks on the

network itself • To motivate a better design of security

protocols .

Reference

• http://www.exploit-db.com/download_pdf/15365

• http://en.wikipedia.org/wiki/Wireless_sensor_network

• http://ics.stpi.org.tw/Treatise/doc/73.pdf