From the "smart grid" to healthcare to national security systems, wireless devices are playing an increasing role in technological solutions. Their security and trustworthiness should be a major concern.
Fingerprinting is an important technique in the cyber-defender arsenal, because it helps expose deceptions essential to modern multi-step network attacks. We develop methods and tools for wireless physical (PHY) layer testing, thus improving trustworthiness of wireless devices and equipping cyber-defenders with the tools they need to protect wireless networks.
Active fingerprinting methods are the most direct and effective ones, because they allow the administrators to initiate fingerprinting when necessary, probe for a broader range of expected behaviors (thus increasing the attacker's workload to fake behaviors in order to escape detection), and are easily tweaked (further increasing said workload).
We develop robust fingerprinting techniques for wireless devices that are based on active probing -- in the physical layer of 802.11 and 802.15.4 networks.
To empower exploration of the attack surface of actual wireless networks and to facilitate active physical-layer testing of wireless devices, we will also develop a framework for crafting and injecting "marginally" malformed physical-layer signals that correspond to common 802.11 and 802.15.4 frames. In particular, we will facilitate fuzz-testing of wireless devices.
Both fingerprintable responses and (possibly exploitable) vulnerabilities of wireless devices amount to differences in implementations of protocol logic. We will develop methods for testing this logic in the wireless PHY layer, and look for potentially harmful security vulnerabilities in its common implementations.
We developed robust fingerprinting methods for 802.15.4 digital radio receivers that identify popular commodity digital radio chips. These methods are also applicable to other digital radio PHY layers. We also demonstrated that these methods have clear implications for WIDS/WIPS evasion, which WIDS/WIPS vendors should take into account when building their systems. We demonstrated that fingerprintable differences in digital radio receivers can lead to effective attack techniques that are limited to a specific brand of digital radio and may remain invisible to other brands. These findings are immediately applicable to the security of industrial automation and control systems using 802.15.4/ZigBee and similar digital radio protocols.

Faced with a lack of cheap, available 802.15.4 radios, and in the interest of having our research continued by others, we designed and manufactured a commodity digital radio peripheral that is capable of producing fingerprinting stimuli on the PHY and LNK layers, including but not limited to manipulating the preamble and the Start-of-Frame Delimiter. We made the design of this peripheral, the ApiMote, publicly available on GitHub (https://github.com/riverloopsec/apimote), and distributed manufactured hardware to a number of industry researchers working on SCADA and ICS security. We demonstrated that commodity radios such as the CC2420 are capable of producing not only crafted frames (used as stimuli by our fingerprinting methods) but also arbitrary sequences of RF symbols surrounding these frames. Thus effective fingerprinting is possible with cheap commodity radios and does not require expensive equipment such as software-defined radios. Consequently, our fingerprinting techniques can be easily productized by defense tool suites and products.
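The following is an added, constructed illustration of the active fingerprinting idea described above (it is not the project's code, nor a model of any particular chip). The only standard-derived facts in it are the 802.15.4 2.4 GHz PHY synchronization header: eight zero preamble symbols followed by the SFD byte 0xA7, sent low nibble first. The three receiver models and their tolerance parameters (minimum preamble length, SFD mismatch tolerance) are hypothetical and were chosen only to show how a fixed set of stimuli with a shortened preamble or an altered SFD yields a response vector that separates receiver implementations, which is the defender-side classification step.

```python
"""Toy model of active PHY-layer fingerprinting of 802.15.4 receivers.

Constructed example. Standard-derived constants: preamble = 8 zero symbols,
SFD = 0xA7 sent low nibble first (symbols 0x7, 0xA). The receiver models and
their tolerances are hypothetical, not measured properties of real chips.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

STD_PREAMBLE_SYMBOLS = 8
STD_SFD: Tuple[int, int] = (0x7, 0xA)  # 0xA7, low nibble transmitted first


def build_frame(preamble_len: int = STD_PREAMBLE_SYMBOLS,
                sfd: Tuple[int, int] = STD_SFD,
                payload: bytes = b"\x01\x02") -> List[int]:
    """Serialize a frame as 4-bit symbols. preamble_len and sfd are the stimulus knobs."""
    syms = [0] * preamble_len + list(sfd)
    length = len(payload)            # PHR: one length byte, low nibble first
    syms += [length & 0xF, length >> 4]
    for b in payload:
        syms += [b & 0xF, b >> 4]
    return syms


@dataclass(frozen=True)
class ReceiverModel:
    name: str
    min_preamble_symbols: int   # zero symbols required before the SFD correlator arms
    sfd_tolerance: int          # how many of the two SFD symbols may mismatch

    def receive(self, syms: Sequence[int]) -> Optional[bytes]:
        """Return the payload this model would deliver, or None if it never syncs."""
        zeros = 0
        for i, s in enumerate(syms):
            if s == 0:
                zeros += 1
                continue
            # First non-zero symbol after enough preamble: candidate SFD start.
            if zeros >= self.min_preamble_symbols and i + 1 < len(syms):
                mismatches = sum(1 for a, b in zip(syms[i:i + 2], STD_SFD) if a != b)
                if mismatches <= self.sfd_tolerance:
                    rest = syms[i + 2:]
                    if len(rest) < 2:
                        return None
                    length = rest[0] | (rest[1] << 4)
                    body = rest[2:2 + 2 * length]
                    if len(body) < 2 * length:
                        return None
                    return bytes(body[j] | (body[j + 1] << 4) for j in range(0, len(body), 2))
            zeros = 0  # sync failed here; keep hunting for a new preamble


# Hypothetical receiver implementations with differing sync tolerances.
CHIPS = [
    ReceiverModel("strict",          min_preamble_symbols=8, sfd_tolerance=0),
    ReceiverModel("short-preamble",  min_preamble_symbols=4, sfd_tolerance=0),
    ReceiverModel("loose-sfd",       min_preamble_symbols=4, sfd_tolerance=1),
]

# Stimuli: a compliant frame, then deliberately marginal variants.
STIMULI: Dict[str, List[int]] = {
    "standard":      build_frame(),
    "preamble-4":    build_frame(preamble_len=4),
    "sfd-0xB7":      build_frame(sfd=(0x7, 0xB)),   # one SFD symbol altered
    "preamble-2":    build_frame(preamble_len=2),    # control: too short for any model
}


def fingerprint(rx: ReceiverModel, stimuli: Dict[str, List[int]] = STIMULI) -> Tuple[bool, ...]:
    """Response vector: did the receiver deliver a payload for each stimulus, in order?"""
    return tuple(rx.receive(frame) is not None for frame in stimuli.values())


def identify(observed: Tuple[bool, ...]) -> List[str]:
    """Map an observed response vector back to the model(s) that produce it."""
    return [rx.name for rx in CHIPS if fingerprint(rx) == observed]


if __name__ == "__main__":
    for rx in CHIPS:
        print(rx.name, fingerprint(rx))
```

Only the compliant frame is accepted by all three models; each marginal stimulus peels off one more model, so the response vectors are pairwise distinct and `identify` resolves a single model from the observed pattern. In a monitoring context the same observation cuts the other way: a WIDS that decodes with one tolerance profile will miss frames that a differently tolerant receiver accepts, which is the blind-spot issue the report raises.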
Besides fingerprinting, we showed that the classes of techniques we discovered can reveal weaknesses in the 802.15.4 protocol and can be used by attackers to target specific chips and to bypass wireless intrusion prevention and monitoring systems. One of our techniques, the Packet-in-Packet technique, has resonated widely in the security community and has already led to academic work on protecting targets against it. We opened a promising direction of research in both digital radio cyber-defense and offense which is far from limited to 802.15.4. Thus our activities also promote further research into the security of 802.15.4 stacks.

We developed and validated effective techniques for fingerprinting 802.15.4 digital radios. With these techniques, we can fingerprint all common brands of such digital radio chips. Our results are gathered in the Dartmouth Technical Reports TR2014-746 and TR2014-749 (www.cs.dartmouth.edu/reports/abstracts/TR2014-746/, www.cs.dartmouth.edu/reports/abstracts/TR2014-749/), have been published at USENIX WOOT 2011 and HICSS 2012, and have been submitted to the WiSec 2014 conference (currently under review). Our research and released tools advanced the state of the art in understanding the low-level security issues of 802.15.4 and similar PHY layers. We anticipate that our latest batch of results will strongly affect the practice of WIDS/WIPS engineering, informing vendors of "blind spots" in their monitoring and leading them to incorporate several kinds of digital radio monitors as a necessary measure for complete coverage of monitored communications. We also expect existing WIDS/WIPS systems to be tested for such blind spots. Together, our fingerprinting and testing tools, in combination with the hardware we designed and released, should become the new standard for 802.15.4 network assessments, especially in ICS and SCADA environments where such digital radio links may be mission-critical.