Testing sensor network security with worms
At the Black Hat Europe hacker conference, which ended last week, Greek IT security expert Thanassis Giannetsos presented the Sensys tool for testing sensor network security. The tool can eavesdrop on network communication and is even capable of injecting malicious code into sensor modules.
Sensor networks are used to monitor conditions, for instance, in military environments, in buildings, in animal observation and in critical infrastructures such as the smart grid. Sensys is basically a sniffer which registers all the network nodes in the vicinity and presents them in graphical form. The tool also recognises which nodes in dynamically changing mesh networks are connected to which other nodes. Furthermore, the software records the data exchanges between nodes.
For his live demonstration, Giannetsos used the Tmote Sky "Wireless Personal Area Network" (WPAN) sensor modules by vendor Sentilla (structurally identical to Crossbow's TelosB). Talking to The H's associates at heise Security, the security expert said that Sensys also registers other types of sensors and their data transfers, for example hardware components which communicate via Zigbee.
However, Sensys doesn't just sniff; it can also actively interfere with networks and inject packets. Giannetsos says that for successful injections it is important that the network's routing protocol uses link quality calculations for its routing cost metrics, although he added that support for other types of routing protocols can also easily be implemented.
A possible attack scenario: the software causes sensors to connect to nodes which are controlled by the attacker ("sinkhole attack"). This only requires linking one sensor with the attacker's notebook via USB. This sensor then pretends to the other nodes that it has the shortest and, therefore, cheapest distance to the base station or to a node with a direct connection to the base station (its parent), and that it is therefore the best route for sending data to the base station. Sensys also enables attackers to launch replay attacks or DoS attacks.
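As an added illustration (not code from the article or from Sensys) of why a forged cost advertisement pulls traffic toward a sinkhole, and of the kind of plausibility check a node could apply to what it hears: a toy model of cost-metric parent selection, assuming an ETX-style metric in which one perfect hop costs 1.0; node names and cost values are constructed.

```python
# Toy model of a link-quality routed sensor mesh (added example, not part of
# the article or of Sensys). Each node picks as parent the neighbour whose
# advertised cost to the base plus the locally measured link cost is lowest.
# A single forged low advertisement therefore wins parent selection; the check
# below flags advertisements that are implausibly cheap. Assumption: an
# ETX-style metric where a single perfect hop costs 1.0. All values constructed.
from dataclasses import dataclass


@dataclass
class Advert:
    node: str         # neighbour id
    adv_cost: float   # cost to the base station that the neighbour advertises
    link_cost: float  # locally measured cost of the link to that neighbour


def choose_parent(adverts):
    """Cost-metric parent selection: lowest advertised cost + local link cost."""
    return min(adverts, key=lambda a: a.adv_cost + a.link_cost).node


def suspicious_adverts(adverts, floor=1.0, ratio=0.5):
    """Heuristic plausibility check on received route advertisements.

    Flags a neighbour if it advertises a cost below the metric's floor (below
    one perfect hop, i.e. claiming to be the base station itself) or a cost
    less than `ratio` times the cheapest cost any other neighbour reports.
    A genuine node adjacent to the base can trip the second rule, so this is
    an alerting heuristic, not a proof of malice.
    """
    flagged = []
    for a in adverts:
        others = [b.adv_cost for b in adverts if b.node != a.node]
        if a.adv_cost < floor:
            flagged.append(a.node)
        elif others and a.adv_cost < ratio * min(others):
            flagged.append(a.node)
    return flagged


def demo():
    """Two honest neighbours plus one forged advert; returns (parent, flagged)."""
    honest = [Advert("n2", 4.0, 1.5), Advert("n3", 5.5, 1.0)]
    forged = Advert("n9", 0.5, 1.2)   # claims to be nearer the base than any hop allows
    heard = honest + [forged]
    return choose_parent(heard), suspicious_adverts(heard)


if __name__ == "__main__":
    print(demo())   # the forged node wins parent selection and is flagged
```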
However, the really clever aspect of Sensys is its ability to send program updates to sensors via "Over the Air Programming" (OAP). Here, flaws in the memory protection can be exploited to inject and execute code that is completely unrelated to the sensor's actual software image.
This is possible regardless of the respective wireless network technology used and means that, in principle, Zigbee-based networks are also vulnerable. Sensor module security specialist Travis Goodspeed already used the Tmote Sky to demonstrate the relevant exploit technology in 2008. Sensys is said to support various different hardware platforms.
The researcher said he has managed to inject self-spreading code into a sensor. Once the malicious code is executed, the sensor transmits it to all the connected sensors in its vicinity: a sensor network worm. Talking to heise Security, Giannetsos confirmed that he will offer Sensys to download from his web page in the near future.
Only recently, developer Joshua Wright had announced that he will release KillerBee, an open source collection of Linux tools for testing the security of Zigbee networks.
- ZigBee: attack of the killer bees, a report from The H.
- Software error in ZigBee radio modules facilitates eavesdropping, a report from The H.
(Uli Ries / crve)