SenSys Attack Tool

David WellingJon Silliman

Project Organization

• Three step procedure– Reading paper and research sensor networks– Setting up SenSys– Exploiting a protocol using the tool• Implementation• API• SenSys Extension!

SenSys

• Tool for monitoring and attacking sensor networks– Active vs. Passive attacks– Security not built into many protocols

• Open to Attacks• SenSys provides platform for executing attacks• Split into 3 components– Sniffer, Attack, Network Visualization

Sniffer Component

Attack Component

Network Visualization

Our Protocol

• Next node and Cost for that node set during install– Cost base on physical distance

• Admin message for updating individual node• Legitimate method– Relatively Static network topology– Efficient, low overhead

• Inherently insecure

SenSys Installation

• Pain-stacking Process!• Tinyos 1.x Requirement– Cygwin Installation Instructions– AVR AND MSP430 Tools Required for FULL

functionality– Comm Libraries• Installation into System directories, Properties file into

build directories and java path

SenSys Installation Cont.

• Get the tool from SenSys Site• Download libraries– Place Comm.jar in libraries

• Load into NetBeans– Build path and command line arguments

• TOSBase on your sensor node

Protocol API

• Split into separate client and base TinyOS Programs– Client sends to closest path on timer– Sends random 8 bit values as data

• Common message type– Handled over same radio ‘channel’– Different meanings for different data types based on

message types• Constants to handle important values

Data Flow Diagram

Client Program Base Program

CustomMsg

Listen for CustomMsgListen/Send CustomMsg

Send Data

Send Data

Protocol API Cont.Client_Program{

uint8_t next_nodeuint8_t cost

send()receive()

}

Base_Program{

send()receive()

}

typedef struct CustomMsg {uint8_t source;uint8_t destination;uint8_t cost;

uint8_t msgtype;uint8_t pos_x; uint8_t pos_y;} CustomMsg;

uint8_t ADMIN_MSG = 0xff;uint8_t REGULAR_MSG = 0x00;

SenSys Modifications

• Message Incorporation via mig• Sinkhole Modification– Implement our special Admin message to trick

protocol• Replay Modification– Send custom messages of our type

• Sniffer Modification– Ability to detect messages of our types

Demo One

• Initial Network Setup and viewing in sniffing tool and topology

• Replay message to change the topology• Sinkhole attack on network

Other Functionality -- Deluge• Deluge– Network Dissemination– Easy network image maintenance vs. safety – Built on-top of TOSBoot Bootloader

• SenSys provides GUI for this and nothing more• Deluge Demo

TOSBoot

Golden Image

Image 1

Image 2

DelugeBasic

Our View on SenSys

• Many of the tools already available– Nice GUI on top of them

• Well documented code, Easily extendible• First tool for attacking sensor networks• Hacking networks is difficult

Sensor Networks

• Lack of standard protocols– Hard to learn about protocols from hex dumps

• Easier to hack if you can take a physical node– Then dump image and reverse engineer

• Hard to implement Sinkhole– Some protocols based on radio strength or timers

• Motivation to hack

Installation Problems

• Oracle doesn’t provide Comm Libraries anymore• Can’t use any form of TinyOS 2.x– Protocols changed– Program requires TOSBase from 1.x

• Problems compiling tools without AVR-GCC– Export MOTECOM=serial@COM5:telos

• Baud Rate • Group ID• Boomerang For Dispatchers• Endian-ness