SenSys Attack Tool David Welling Jon Silliman
Project Organization Three step procedure – Reading paper and research sensor networks – Setting up SenSys – Exploiting a protocol using the tool Implementation API SenSys Extension!
SenSys Tool for monitoring and attacking sensor networks – Active vs. Passive attacks – Security not built into many protocols Open to Attacks SenSys provides platform for executing attacks Split into 3 components – Sniffer, Attack, Network Visualization
Sniffer Component
Attack Component
Network Visualization
Our Protocol Next node and Cost for that node set during install – Cost base on physical distance Admin message for updating individual node Legitimate method – Relatively Static network topology – Efficient, low overhead Inherently insecure
SenSys Installation Pain-stacking Process! Tinyos 1.x Requirement – Cygwin Installation Instructions Cygwin Installation Instructions – AVR AND MSP430 Tools Required for FULL functionality – Comm Libraries Installation into System directories, Properties file into build directories and java path
SenSys Installation Cont. Get the tool from SenSys SiteSenSys Site Download libraries – Place Comm.jar in libraries Load into NetBeans – Build path and command line arguments TOSBase on your sensor node
Protocol API Split into separate client and base TinyOS Programs – Client sends to closest path on timer – Sends random 8 bit values as data Common message type – Handled over same radio ‘channel’ – Different meanings for different data types based on message types Constants to handle important values
Data Flow Diagram Client Program Base Program CustomMsg Listen for CustomMsgListen/Send CustomMsg Send Data
Protocol API Cont. Client_Program { uint8_t next_node uint8_t cost send() receive() } Client_Program { uint8_t next_node uint8_t cost send() receive() } Base_Program { send() receive() } Base_Program { send() receive() } typedef struct CustomMsg { uint8_t source; uint8_t destination; uint8_t cost; uint8_t msgtype; uint8_t pos_x; uint8_t pos_y; } CustomMsg; typedef struct CustomMsg { uint8_t source; uint8_t destination; uint8_t cost; uint8_t msgtype; uint8_t pos_x; uint8_t pos_y; } CustomMsg; uint8_t ADMIN_MSG = 0xff; uint8_t REGULAR_MSG = 0x00; uint8_t ADMIN_MSG = 0xff; uint8_t REGULAR_MSG = 0x00;
SenSys Modifications Message Incorporation via mig Sinkhole Modification – Implement our special Admin message to trick protocol Replay Modification – Send custom messages of our type Sniffer Modification – Ability to detect messages of our types
Demo One Initial Network Setup and viewing in sniffing tool and topology Replay message to change the topology Sinkhole attack on network
Other Functionality -- Deluge Deluge – Network Dissemination – Easy network image maintenance vs. safety – Built on-top of TOSBoot Bootloader SenSys provides GUI for this and nothing more Deluge Demo TOSBoot Golden Image Image 1 Image 2 DelugeBasic
Our View on SenSys Many of the tools already available – Nice GUI on top of them Well documented code, Easily extendible First tool for attacking sensor networks Hacking networks is difficult
Sensor Networks Lack of standard protocols – Hard to learn about protocols from hex dumps Easier to hack if you can take a physical node – Then dump image and reverse engineer Hard to implement Sinkhole – Some protocols based on radio strength or timers Motivation to hack
Installation Problems Oracle doesn’t provide Comm Libraries anymore Can’t use any form of TinyOS 2.x – Protocols changed – Program requires TOSBase from 1.x Problems compiling tools without AVR-GCC – Export Baud Rate Group ID Boomerang For Dispatchers Endian-ness