1 INTRODUCTION
The smart grid is the modernization of the electric power grid, aimed at distributing electric energy efficiently, sustainably and economically while guaranteeing high security. To do so, all generators, distributors and consumers are integrated into an electricity network with two-way electricity flow and digital communication [1]. An overview of the smart grid power system layer and communication layer is shown in Figure 1. The smart grid does not just decrease the price of electricity but also helps consumers monitor their electricity use. With this monitoring ability a consumer can control electricity use, for instance by turning off an appliance during peak hours when the electricity cost is high and turning it on again when the price is low. Additionally, with a smartphone application and an internet connection, one can see the electricity bill and the current electricity use.
Figure 1: Smart Grid Power System layer and Communication layer [2]
With the advancement and low cost of technology it is possible to connect a smart home system with the smart grid. Many research projects are working on such advancement in smart grid evolution, and one such project is Smart House/Smart Grid. The project is test-bedded in three different countries with the specific aims shown below [3]:
I. The capability to handle the large-scale communication, negotiation and information exchange between many thousands of smart energy devices at the same time (Netherlands).
II. The capability to intelligently interact with the customer (such as home owners) and deliver optimal home energy management as a response (Germany).
III. The capability to control smart energy devices in a fully decentralized and bottom-up way such that optimum energy efficiency at the aggregate level is achieved, together with higher security of supply levels for the end-user (Greece).
Such advancement in the smart grid will give the ability to control remote sensor devices through the internet and a smartphone application, and hence to control electricity use. A typical smart home system is shown in Figure 2.
Figure 2: Zigbee HAN Demonstration System Architecture [4]
1.1 Project Motivation
The smart grid has a complex communication infrastructure, and one of its component networks is the Home Area Network (HAN)/Private Area Network (PAN), where the Wireless Sensor Network (WSN) is implemented. In a smart home system the core of the communication system is the WSN. Data from an electricity appliance is read by a sensor device, processed, and finally sent via radio signal. In the smart grid each such network is connected to the grid via the smart meter, and may also be connected to the internet through a gateway. Depending on need, the smart meters are connected using mesh and point-to-multipoint network topologies. The electricity appliance (sensor node) is connected to the WSN by a sensor that not only sends data but is also capable of controlling the appliance. This ability to control the sensor node from a remote location brings the risk of attack by a malicious attacker. The attack is not just about data capture but also about physical control over the sensor node. The nature of such possible attacks motivates me towards the security analysis of the WSN.
1.2 Project Objective
The objective of the project is to analyse the possible threats concerning WSNs. The security analysis is important to minimize the possible threats in terms of confidentiality, integrity and availability (CIA) in the WSN.
2 LITERATURE REVIEW
2.1 Home Area Network
In general, a home area network (HAN) provides communication between the different digital devices used in a home. This network consists of a number of computers and digital devices such as printers. These devices can be accessed remotely through a gateway residing on the home premises. In smart grid technology, in addition to the above, the HAN provides communication between the customer's premise smart meter (gateway), in-home displays, programmable thermostats and appliances. The smart devices are connected by a wireless sensor network. The smart meter acts as the gateway between the utility's offices and the home premises devices. The role and features of the HAN in the smart grid are described in section 2.2.
The HAN in the smart grid is a combination of sensor and ad-hoc networks. A sensor network is composed of a number of nodes organised in close proximity. All of these nodes gather data and send the information back to a collection point. Such a network needs self-organizing ability, as the locations of individual nodes are not predefined. As sets of nodes cooperate to send the data collected in their neighbourhood to the collection point, cooperation between these nodes is the main feature of a sensor network. The main differences between sensor and ad-hoc networks are [5]:
- Number of nodes can be orders of magnitude higher.
- Sensor nodes are inclined to failure.
- Regular topology variations.
- Communication is broadcast.
- Restricted power, memory, computational and processing capabilities.
- Probable lack of unique global identification per node.
2.2 Role of Home Area Networks in Smart Grid
The HAN is the part of the smart grid dedicated to demand-side management (DSM), as well as demand response and energy efficiency [6]. Real-time electricity consumption and effective cost must be sent to customers so that they know the amount of electricity used at any instant and the cost they are paying at that instant. Using these data consumers can analyse their electricity use and make instantaneous decisions. The consumer can also analyse how much electricity is being used by individual appliances and control the use of particular appliances. Also, using this information about how electricity is being consumed, the utility calculates demand. At peak demand the electricity rate is highest and at low demand the rate is lowest. In one sentence: using the real-time information collected, customers can control their electrical appliances and the utility offices set the electricity price according to demand. The benefits of the HAN in the smart grid can be summarized as [7]:
- Centralized control of various appliances and devices
- Real-time information on energy consumption
- Proactive way of energy savings
- Real-time energy controlling and monitoring
- Obtain price alarms from utility
- Adjust energy use
2.3 Security requirement
A WSN is a special type of network. Though a WSN has some commonalities with a typical wireless network, it poses distinctive needs of its own [8].
2.3.1 Data Confidentiality
Data confidentiality is the vital subject in network security. Any network security design will usually address this issue first. Confidentiality in sensor networks implies the following [9]:
- In most applications nodes transfer sensitive data, like key distribution; hence it is essential to establish a secure channel in a sensor network.
- A sensor network must not reveal sensor readings to its neighbours. In a smart grid, sensors are attached to different appliances and the data collected record the utilization of electricity, which reveals the consumer's pattern of electricity use.
- Public sensor information, for instance public keys and sensor identity, must be encrypted to minimize attacks based on traffic analysis.
Normally, to protect sensitive data, a secret key is used to encrypt the data so that only the intended receivers can read it, thus achieving confidentiality.
2.3.2 Data Integrity
Securing the confidentiality of data does not imply that the data is safe. An attacker may not be able to steal information but can modify or change the data so as to throw the sensor network into disorder. For instance, a malicious node can be added to the network, or the data inside a packet can be changed. This modified packet can then be transmitted to the original receiver. Hence, data integrity guarantees that none of the received data has been changed in transit.
2.3.3 Data Freshness
Even though data integrity and confidentiality are guaranteed, it is also required to confirm the freshness of all messages received. Data freshness means that the data received is recent, and also ensures that old messages have not been replayed. This condition is particularly vital if a shared-key policy is employed between the nodes. In a shared-key network design the security key is not changed over time once the network is set up; hence an attacker can perform a replay attack with ease. One solution to this problem is to include a nonce or a time-related counter in the packet to confirm data freshness.
2.3.4 Availability
As a sensor network is connected to physical entities like water level controllers, rotation controllers, electricity controllers and many more such devices, the availability of the network is a prime concern. The packet size of a wireless sensor is very small, and applying encryption algorithms suited to such network devices may introduce a certain extra price on the availability factor. Approaches to achieve performance, simplify the problem and ease data access may weaken the availability of the sensor devices and the sensor network. Table 1 shows the weaknesses that may arise with the employed approaches.
Table 1: Wireless sensor design approach weakness.
Approach 1: Use of additional communication to attain a secure network.
Weakness developed: Additional communication leads to the consumption of more energy. The consumption of more energy might weaken or even completely stop the availability of data. Also, as communication increases, the chance of suffering communication conflicts increases.
Approach 2: Some approaches try to modify the code to reuse as much as possible and use additional computation.
Weakness developed: Again, additional computation consumes additional energy and the result is the same as for approach 1.
Approach 3: Some approaches apply restricted data access, or use an unsuitable structure like a central-point approach, so as to simplify the algorithm.
Weakness developed: Use of a central-point approach seriously threatens network availability, even if only a single point fails to work.
2.3.5 Authentication
An attacker can not only modify a data packet but can also inject a whole packet stream. Thus, the receiver must ensure that the data collected is received from the correct source. For such cases, message authentication is essential against packet injection attacks. In general, data authentication permits a receiver to check that the data received is from the authentic sender. Adrian Perrig et al. propose the µTESLA mechanism to defend against packet injection and similar attacks [10]. The basic idea of µTESLA is to achieve asymmetric authentication by delaying the disclosure of symmetric keys. The sender generates a secret key, uses it to authenticate the broadcast message, and reveals the secret key only after a definite period of time. The receiver buffers the packet until the secret key is disclosed. Once the secret key has been disclosed, the receiver authenticates the packet.
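The delayed-key-disclosure idea just described, as an added Python example that is not from this report or from Perrig et al.'s implementation; the hash function, interval numbering and sample payloads are my own assumptions. It also covers the replay rejection required under 2.3.3 Data Freshness, since a packet whose interval key has already been disclosed is discarded.

```python
import hashlib
import hmac


def h(x: bytes) -> bytes:
    """One-way function used to build and verify the key chain."""
    return hashlib.sha256(x).digest()


def make_key_chain(seed: bytes, intervals: int) -> list:
    """Build K_0 <- K_1 <- ... <- K_n with K_i = H(K_{i+1}); K_n is the random seed.
    chain[i] is K_i; chain[0] (K_0) is the commitment handed to receivers in advance."""
    chain = [seed]
    for _ in range(intervals):
        chain.append(h(chain[-1]))
    chain.reverse()
    return chain


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


class Sender:
    """Base station: authenticates packets of interval i with K_i, discloses K_i later."""

    def __init__(self, seed: bytes, intervals: int):
        self.chain = make_key_chain(seed, intervals)

    def commitment(self) -> bytes:
        return self.chain[0]

    def broadcast(self, interval: int, payload: bytes) -> tuple:
        return (interval, payload, mac(self.chain[interval], payload))

    def disclose(self, interval: int) -> bytes:
        return self.chain[interval]


class Receiver:
    """Sensor node: buffers packets, verifies disclosed keys against the chain,
    then authenticates the buffered packets of that interval."""

    def __init__(self, commitment: bytes, delay: int):
        self.known_key, self.known_idx = commitment, 0   # latest verified chain key
        self.delay = delay                               # disclosure lag in intervals
        self.buffer = {}                                 # interval -> [(payload, tag)]
        self.authenticated = []

    def receive(self, pkt: tuple, now: int) -> bool:
        interval, payload, tag = pkt
        # Security condition: accept only if K_interval cannot have been disclosed yet.
        # This also rejects replays of packets from already-disclosed intervals (freshness).
        if interval <= self.known_idx or now >= interval + self.delay:
            return False
        self.buffer.setdefault(interval, []).append((payload, tag))
        return True

    def receive_key(self, interval: int, key: bytes) -> int:
        """Verify a disclosed key; return the number of packets it authenticated, -1 if bogus."""
        if interval <= self.known_idx:
            return -1
        k = key
        for _ in range(interval - self.known_idx):   # walk the chain back to a known key
            k = h(k)
        if not hmac.compare_digest(k, self.known_key):
            return -1
        self.known_key, self.known_idx = key, interval
        ok = 0
        for payload, tag in self.buffer.pop(interval, []):
            if hmac.compare_digest(mac(key, payload), tag):
                self.authenticated.append((interval, payload))
                ok += 1
        return ok


def run_demo() -> dict:
    """Constructed scenario: one honest broadcast, one forgery with a disclosed key,
    one packet sent under a guessed key before disclosure, and one bogus key."""
    delay = 2
    sender = Sender(b"constructed-seed-not-a-real-key", intervals=6)
    rx = Receiver(sender.commitment(), delay)
    out = {}
    out["buffered"] = rx.receive(sender.broadcast(1, b"reading=12.3kWh"), now=1)
    out["auth_count"] = rx.receive_key(1, sender.disclose(1))          # interval 3: K_1 disclosed
    k1 = sender.disclose(1)                                            # now public knowledge
    forged = (1, b"reading=0kWh", mac(k1, b"reading=0kWh"))
    out["forgery_rejected"] = not rx.receive(forged, now=3)
    guess = (2, b"cmd=shutoff", mac(b"wrong-key", b"cmd=shutoff"))
    rx.receive(guess, now=2)                                           # buffered, not yet trusted
    out["bogus_key_rejected"] = rx.receive_key(2, b"not-on-chain") == -1
    out["guess_auth_count"] = rx.receive_key(2, sender.disclose(2))    # MAC mismatch -> 0
    out["authenticated"] = list(rx.authenticated)
    return out
```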
2.4 Wireless Sensor Network
To make a security analysis it is necessary to know the architecture of the communication model. The security threats lie in the design and implementation of the communication protocol. This section provides a basic overview of sensor node hardware design and protocol design.
2.4.1 Components of a wireless sensor device
A WSN typically comprises many sensor nodes, usually densely deployed. Such networks have the ability to collect data and direct the data to a base station. A sensor consists of four elementary parts: a sensing unit, a transceiver unit, a processing unit and a power unit [11]. It can also have extra application-dependent modules, for instance a power generator, a location finding system and a mobilizer. The components of a sensor node are shown in Figure 3.
Figure 3: The components of a sensor node [10]
Components of a sensor node:
I. Sensing units typically consist of sensors and analog-to-digital converters (ADCs). The analog signal is captured by the sensor and converted into digital form by the ADC.
II. The processing unit is associated with a small memory for storage. The purpose of the memory is to hold the sampled digital signal and store the data. This unit is also responsible for control of the entire node's communication, communication protocol processing, data sampling and system management.
III. A transceiver unit consists of a power amplifier and transducer to connect the node to the network. Radio signals are transmitted and received by this unit.
IV. One of the most important units is the power unit, which is responsible for supplying power to the sensor node. The power source can either be finite, like a battery, or a scavenging device like a solar cell.
V. A location finding system in a sensor node gives the sensor network's routing techniques a way to find the node's location. This unit is required if the routing is dynamic.
VI. A mobilizer is needed if a sensor node is required to move. This unit depends upon the application requirement and is an extra module.
2.4.2 Architecture of Wireless Sensor Network
The OSI model is the reference model for any communication protocol. WSN device protocols function at the same levels as described in the OSI model. However, to meet the need for small packet size, the functioning layers are limited to a miniature component with only the low levels: Physical and Data Link (integrating the LLC and MAC sub-layers of IEEE 802), possibly extended for a smart sensor by a network layer based on the TCP/IP model with its various routing protocols. The layers of the OSI-based WSN model are shown in Figure 4 and the architecture of a WSN node is shown in Figure 5 [12]. It contains physical, data link, network, transport and application layers.
Figure 4: Matching layers between OSI, TCP/IP and IEEE models [12]
Figure 5: Layered model for WSNs [12]
2.4.2.1 Physical layer
The WSN physical layer is responsible for carrier frequency generation, frequency selection, modulation, signal detection, and data encryption. This layer characterizes the system-on-chip (SoC) embedded part of the wireless sensor. It is further divided into three sub-layers based on operation: Power Amplification, Mixer and Modulation. Wireless sensors are implemented at low frequency in order to achieve low cost and low power.
2.4.2.2 Data Link Layer
This is the data link layer with reference to the OSI model and contains two sub-layers, WSn-LC and WSn-MAC. WSn-LC manages connections between different nodes, controls the flow between nodes and ensures consistency of point-to-multipoint and point-to-point connections. WSn-MAC provides several services like signal transfer, power management, assembly and re-assembly, multiplexing of data streams, medium access, data frame detection, and error control.
2.4.2.3 Network Layer
The WSn-Network layer defines how the packet is to be transported. The network topology is defined in this layer, and hence routing and data management are performed here. The network layer binds the application layer and the data link layer.
2.4.2.4 Application Layer
The WSn-Application layer defines how data are requested and provides the interface to interact with the end user. This layer is absent for most sensor nodes other than the base station. Figure 6 shows the sensor nodes and base station with data flow represented by a dotted line.
Figure 6: Sensors & BS's communication through "WSn-layers" [12]
2.4.3 Security threats based on WSN layers
A wireless sensor network differs from a traditional network in protocol design (discussed in section) and so do its security mechanisms. The difference in security mechanisms is due to the nodes' minimal energy, communication and computational capabilities, and the threat of physical attacks like tampering and node capture.
WSN security issues are based on key-establishment secrecy, denial-of-service, robustness, link layer security, authentication, secure routing and node capture. However, organizing the attacks on a per-layer basis helps to better understand the security issues concerned with each attack.
2.4.3.1 Physical Layer
The physical layer is the layer through which carrier frequency generation, frequency selection, signal detection, modulation, and data encryption are performed [11] [13]. As WSN communication is radio based there is always the threat of signal jamming, and in addition, if the sensor node is physically accessible there is the threat of tampering.
2.4.3.1.1 Jamming attack
A jamming attack is the easiest attack that can be carried out on the physical layer [XUW05]. This attack is simple to achieve as no knowledge of the WSN implementation is required except the frequency at which the nodes send their signals. In this attack the attacker tries to interfere with or prevent the signals received by the WSN nodes. This is achieved by generating a continuous random signal at the same frequency as the WSN. The nodes stop receiving messages from other nodes and are isolated until the jamming attack stops.
Countermeasure: To prevent jamming attacks, frequency hopping can be utilized. In frequency hopping, nodes continuously change frequencies in a predetermined order, and the node that executes the jamming is unaware of this sequence [SUNHS07]. Because of the extra complexity in processing and calibration, frequency hopping is rarely used in WSNs. A simpler way to endure a jamming attack is to use a radio communication technique like Ultra Wide-band (UWB), which is almost impossible to jam. UWB transmission is based on very short pulses (in the order of nanoseconds) and uses low energy, making it well suited for WSNs and therefore worthwhile as a jamming countermeasure [AIELL03].
2.4.3.1.2 Tampering
Sensor devices may operate in outdoor locations. Due to their unattended and distributed nature, the nodes in a WSN are highly susceptible to physical attacks [65]. Physical attacks can result in permanent damage to the nodes. The attacker can extract cryptographic keys from such a node, tamper with the circuit, change the program code and even exchange it with a malicious sensor [61]. Sensor nodes such as MICA2 motes, for instance, can be hacked within one minute [32].
Countermeasure: The only countermeasure against such attacks is to keep the sensor node out of the reach of attackers.
2.4.3.2 Link layer attacks
The link layer is responsible for multiplexing of data streams, data frame detection, medium access control, and error control [11]. The attacks that can be performed at this layer are collisions, unfairness and resource exhaustion in allocation.
2.4.3.2.1 Collision
A link layer collision attack is similar to a jamming attack at the physical layer. A collision occurs when two nodes transmit a signal at the same time and frequency; colliding with a legitimate message for as little as one octet (or byte) of a transmission is enough to corrupt the entire packet [13][15]. With the collision of packets, a change in the data portion occurs, leading to a checksum mismatch at the receiving end, and therefore the packet will be discarded as invalid [13]. An attacker may tactically cause collisions in specific packets, for instance ACK control messages. In certain MAC protocols such collisions may result in costly exponential back-off [16].
Countermeasure: Using error correcting codes provides a defence against collision attacks [15]. However, most of these codes work well only for the low levels of collisions caused by probabilistic or environmental errors, and they induce extra communication and computational costs. Though they can detect malicious collisions, no comprehensive defences against this attack are known at this time.
2.4.3.2.2 Exhaustion
By manipulating protocol efficiency measures, an attacker can perform an exhaustion attack at the link layer and cause nodes to consume additional energy. For example, an IEEE 802.11-based attacking node can repeatedly transmit request-to-send (RTS) messages, thereby forcing the node named in the RTS destination field to reply with a clear-to-send (CTS) message and remain alert waiting for the follow-on message [15]. An attacker can also introduce repeated collisions resulting in resource exhaustion [17]. For instance, a naive link layer implementation may constantly attempt to retransmit corrupted packets until the energy of the nodes is exhausted.
Countermeasure: A recommended defence for the exhaustion attack is to encrypt the control messages [15]. Another way is to use rate limiting [16]. In the rate limiting technique a node is permitted to ignore excessive network requests from a node. A third technique is time-division multiplexing, in which each node is assigned a time slot to transmit [15]. Use of time slots not only eliminates the requirement of arbitration for each frame but also solves the indeterminate delay problem in a back-off algorithm. Even though these countermeasures are used, the network is still vulnerable to collisions.
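An added simulation, not code from this report or from [15] and [16], of the RTS/CTS exhaustion attack above and the rate-limiting countermeasure; the energy costs, window size and traffic pattern are constructed assumptions chosen only to make the energy drain visible.

```python
from collections import defaultdict, deque

# Illustrative energy units (not measurements): a CTS reply costs 1, and staying awake
# for a data frame that never arrives costs 2 more.
CTS_COST = 1.0
WAIT_COST = 2.0


class LinkLayer:
    """Receiver side of RTS/CTS with an optional per-sender rate limit:
    at most max_rts honoured RTS frames from one sender per sliding window."""

    def __init__(self, max_rts, window: int):
        self.max_rts, self.window = max_rts, window
        self.recent = defaultdict(deque)    # sender -> times of recently honoured RTS
        self.energy = 0.0
        self.cts_sent = defaultdict(int)

    def allowed(self, sender: str, t: int) -> bool:
        if self.max_rts is None:            # no rate limit: the vulnerable baseline
            return True
        q = self.recent[sender]
        while q and q[0] <= t - self.window:    # forget requests outside the window
            q.popleft()
        if len(q) >= self.max_rts:
            return False
        q.append(t)
        return True

    def on_rts(self, sender: str, t: int, data_follows: bool) -> bool:
        """Handle one RTS frame; return True if a CTS was sent."""
        if not self.allowed(sender, t):
            return False                    # excessive request ignored, nothing spent
        self.energy += CTS_COST
        self.cts_sent[sender] += 1
        if not data_follows:                # the attacker never sends the data frame
            self.energy += WAIT_COST
        return True


def simulate(max_rts, ticks: int = 100) -> dict:
    """Constructed traffic: an honest meter sends one RTS every 5 ticks and always follows
    with data; an attacking node sends an RTS every tick and never follows with data."""
    ll = LinkLayer(max_rts, window=10)
    for t in range(ticks):
        if t % 5 == 0:
            ll.on_rts("meter-A", t, data_follows=True)
        ll.on_rts("attacker", t, data_follows=False)
    return {"energy": ll.energy,
            "cts_honest": ll.cts_sent["meter-A"],
            "cts_attacker": ll.cts_sent["attacker"]}
```

With no limit the receiver answers all 100 attacker RTS frames (energy 320); limiting each sender to 3 honoured RTS per 10-tick window still answers every honest request but cuts the attacker to 30 (energy 110).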
2.4.3.2.3 Unfairness
Unfairness is considered a weak type of DoS attack [5]. By alternately applying collision and exhaustion in the link layer, an attacker can cause unfairness. Also, by abusive use of cooperative MAC layer priority mechanisms, an attacker can perform an unfairness attack.
Countermeasure: The defensive mechanism against unfairness attacks is to use small frames, so that individual nodes need only a small amount of time to seize the channel. This defence provides protection only to a certain level. An attacker can still cause starvation by repeatedly requesting the channel while the other nodes use a random back-off.
2.4.3.3 Network Layer Threats
In WSNs, network layer design principles are based on energy-efficient multihop routing and data-centric design. The network layer threats mostly target these principles. The threats and attacks in this layer are: spoofed, replayed or altered routing information; selective forwarding; Sybil attack; sinkhole attack; flooding; and wormhole attack.
2.4.3.3.1 Spoofed, replayed, or altered routing information
The most basic attacks on sensor network routing are replaying, spoofing or altering routing-control data. In such attacks the attacker injects fake routing information into the sensor network, resulting in routing inconsistencies [5]. The inconsistencies produced include increased end-to-end delays, shortened or extended source routes, repelling or attracting network traffic from selected nodes, packet loss in the network, and partitioning of the network.
Countermeasure: Such attacks on routing information can be efficiently prevented by the use of anti-replay and authentication techniques at the link layer.
2.4.3.3.2 Sybil
A Sybil attack is carried out against WSNs when a node presents more than one identity, that is, a malicious device illegitimately takes on multiple identities as shown in Figure 7 [18]. Newsome et al. describe the Sybil attack as it relates to WSNs [18]. It was formerly defined as an attack intended to defeat the objective of redundancy mechanisms in distributed data storage systems in peer-to-peer networks [18]. In addition to attacking distributed data storage systems, the Sybil attack can be used against routing algorithms, voting, data aggregation, misbehaviour detection and fair resource allocation. The Sybil attack functions similarly regardless of the target (routing, voting or aggregation). Whatever the target mechanism, a Sybil attack involves the use of multiple identities. For instance, in a WSN using a voting scheme, the Sybil attack uses multiple identities of a node to create additional "votes". Likewise, to attack the routing algorithm, the Sybil attack uses the multiple identities of a node, thus creating multiple paths through a single malicious node.
Figure 7: Sybil Attack [18]
Countermeasure: Detection of Sybil nodes is extremely difficult. Newsome et al. [19] used radio resource testing to detect the presence of Sybil node(s) in a sensor network and showed the probability of detecting the existence of a Sybil node [18].
2.4.3.3.3 Wormhole Attack
A wormhole attack consists of two attackers and a wormhole tunnel. To perform a wormhole attack, a direct link is created between two nodes as shown in Figure 8 [18]. This link between the two nodes is known as the wormhole tunnel. Wormhole tunnels in WSNs can be created by means of a logical link using packet encapsulation or by using a high-quality wireless out-of-band link. Once a wormhole tunnel is built, the attacker is able to receive packets from its neighbours. The received packets are copied and forwarded to the other conspiring attacker via the wormhole tunnel. The tunnelled packets are then replayed into the neighbourhood of the conspiring attacker.
Figure 8: Wormhole attack [18]
In a wormhole attack, if a high-quality wireless out-of-band link is used the conspiring attackers are connected directly to each other. This gives the attackers instantaneous communication, but special hardware is required to enable it. When packet encapsulation is used the link communication is comparatively much slower. A packet encapsulation connection does not require any special hardware, and communication can be established easily using a special routing protocol. The wormhole attack is a serious threat to WSNs as it does not involve compromising any nodes in the network. Also, such an attack can be performed at the initial phase (sensor discovery) to discover neighbouring information.
Countermeasure: Routing protocols that can withstand such attacks use the geographical location of the nodes, for example the GPSR (Greedy Perimeter Stateless Routing) [20] and GEAR (Geographic and Energy Aware Routing) [21] protocols. Such geographic routing protocols can find out the geographic location of malicious nodes and ignore the misleading advertisements produced by them.
2.4.3.3.4 Hello Flood Attack
Most routing protocols broadcast hello messages to announce their presence to their neighbours [22]. This hello message is received by the nodes in the sender's signal range. An attacker uses a high-powered antenna and broadcasts hello messages to convince every node that it is their neighbour. If the attacker announces a high-quality route, nodes in its range will forward their data to the attacker node. Nodes that are far from the attacker will be sending their messages into oblivion, leaving the network in a state of confusion. Routing protocols that depend on localized information are seriously vulnerable to hello flood attacks.
Countermeasure: Such threats can be avoided simply by verifying the bi-directionality of a link. This technique is used by the Needham-Schroeder verification protocol [22]. The attack can also be prevented by limiting the number of neighbours to the base station: nodes that are verified by the base station are considered as neighbour nodes.
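An added example, not from this report or from the protocol in [22], of the bi-directionality check described in the countermeasure: a neighbour is accepted only if it echoes a fresh nonce, which a distant high-power transmitter cannot hear; the node positions, ranges and names are constructed assumptions.

```python
import hmac
import math
import secrets
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    x: float
    y: float
    tx_range: float          # distance over which this node's transmissions can be heard

    def hears(self, sender: "Node") -> bool:
        """Reception depends on the SENDER's transmit range (the attacker's is large)."""
        return math.dist((self.x, self.y), (sender.x, sender.y)) <= sender.tx_range

    def echo(self, challenger: "Node", nonce: bytes):
        """Reply to a link-verification challenge; possible only if the challenge was heard."""
        return nonce if self.hears(challenger) else None


def naive_neighbours(me: Node, others: list) -> list:
    """Vulnerable behaviour: anyone whose HELLO is heard is accepted as a neighbour."""
    return [o.name for o in others if me.hears(o)]


def verified_neighbours(me: Node, others: list) -> list:
    """Countermeasure: accept a neighbour only after it echoes a fresh nonce, which proves
    the link works in both directions. (A real deployment would additionally MAC the
    echo with a pairwise key so that a nearby attacker cannot answer on others' behalf.)"""
    accepted = []
    for o in others:
        if not me.hears(o):           # no HELLO received at all
            continue
        nonce = secrets.token_bytes(8)
        reply = o.echo(me, nonce)     # the challenge reaches o only if o is within MY range
        if reply is not None and me.hears(o) and hmac.compare_digest(reply, nonce):
            accepted.append(o.name)
    return accepted


def build_topology() -> tuple:
    """Constructed HAN: honest sensors with a 30 m range and an attacker with a
    high-powered antenna (500 m) that is physically 200 m from most of them."""
    honest = [Node("meter", 0, 0, 30), Node("fridge", 20, 0, 30),
              Node("hvac", 0, 25, 30), Node("garage", 180, 0, 30)]
    attacker = Node("laptop-with-big-antenna", 200, 0, 500)
    return honest, attacker


def run_demo() -> dict:
    """Neighbour tables each honest node would build with and without link verification."""
    honest, attacker = build_topology()
    all_nodes = honest + [attacker]
    out = {}
    for me in honest:
        others = [n for n in all_nodes if n is not me]
        out[me.name] = {"naive": naive_neighbours(me, others),
                        "verified": verified_neighbours(me, others)}
    return out
```

The garage sensor still accepts the attacker because it really is within radio range of it; link verification only proves that a link is genuine, so such a node has to rely on the base-station verification the text mentions.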
2.4.3.3.5 Acknowledgment spoofing
In WSNs, some routing algorithms require transmission of acknowledgment (ACK) packets. An attacker may eavesdrop on the packets transmitted by its neighbouring nodes and spoof the acknowledgments, thereby providing false information to the nodes [13]. The attacker can thus transmit wrong information about node status.
Countermeasure: A broadcast authentication mechanism using the µTESLA [5] authentication protocol can secure ACK messages between the sink and the source nodes.
2.4.3.3.6 Sinkhole Attacks
In a sinkhole attack, the attacker creates a malicious node which attracts the surrounding nodes by forging routing information. This creates a metaphorical sinkhole, with the attacking node between the sink and the neighbour nodes. The sinkhole allows selective forwarding of all traffic from the neighbour nodes. Sensor networks are vulnerable to such attacks when a multihop routing protocol is used.
Countermeasure: The countermeasure for the sinkhole attack is the same as that for the wormhole attack, discussed in Section 2.4.3.3.3.
2.5 Communication Protocols In Home Area Networks
Because of the complexity and cost of wiring, and the possibility of retrofitting home appliances at any time, a variety of wireless technologies have been developed to provide flexible networking configurations suitable for residents without the concerns of physical wiring and deployment. Such wireless technologies include Wi-Fi, ZigBee, Bluetooth, Z-Wave etc., which work mostly in the 2.4 GHz frequency range referred to as the Industrial Scientific Medical bands (ISM bands).
The choice of wireless technology depends upon high speed, low power consumption, high cost-effectiveness, flexibility in networking and deployment, as well as the coverage of a house.
2.5.1 Bluetooth
Bluetooth is a short-range radio link designed to provide a wireless connection between small mobile devices in any country.
2.5.1.1 Bluetooth architecture
The Bluetooth architecture is shown in the Figure 9 [23] The Radio (layer): This is the lowermost well-defined layer of the Bluetooth
specification. It defines the radio frequency at which it operates.
The operating
frequency of the Bluetooth is 2.4GHz Industrial, Scientific and Medical (ISM) radio bands.
Figure 9: Bluetooth architecture
22
Baseband layer: This layer defines the timing, packets, framing and flow control on the link. The baseband establishes and manages the radio frequency (RF) link between Bluetooth units that form a piconet.
Link Manager Protocol (LMP): This layer manages authentication and encryption, enforces fairness among slaves, handles power management, creates, updates and removes logical transports and logical links, and updates the parameters of the physical links of Bluetooth devices.
Logical Link Control and Adaptation Protocol (L2CAP): Data from the higher layers are transformed into a format understood by the lower layers of the Bluetooth controller. The services performed by L2CAP are protocol multiplexing, segmentation and reassembly of large packets, and quality-of-service negotiation.
Audio: Audio data are mapped directly onto the baseband layer.
Host Controller Interface (HCI): HCI is the command interface between the host stack and the Bluetooth controller (baseband controller, link manager and hardware status registers). It is responsible for controller management, maintenance and link establishment with the Bluetooth hardware; the host-side layers such as L2CAP communicate with the controller through it.
Radio Frequency Communications (RFCOMM) serial port emulation: This layer emulates RS-232 serial ports over the L2CAP layer.
Service Discovery Protocol (SDP): SDP handles the discovery and publishing of supported Bluetooth parameters and services between devices.
Application layer: This layer implements the Bluetooth application functionality.
2.5.1.2 Security overview
The Bluetooth specification outlines four kinds of link keys (Initialization Key, Combination Key, Master Key and Encryption Key). These keys are used to handle all secure communication between different nodes. The initialization key (K_init) is the seed from which all other keys are produced, and its security depends entirely on the secrecy of the personal identification number (PIN) code. The PIN code is a pre-shared secret used as the foundation for authentication [11]. It can be permanent or keyed into the devices during the initialization process via a user interface. Since most sensor devices are designed without a user interface, entry of a PIN code is not possible and a fixed PIN is used instead. With fixed PIN codes security cannot be guaranteed: a fixed PIN is typically short and often a vendor default, so an attacker who records the pairing exchange can guess it offline and derive the keys from it.
2.5.1.3 Bluetooth low energy (LE) Vulnerabilities
In this section the vulnerabilities concerning Bluetooth LE are discussed. Table 2 provides an overview of Bluetooth LE vulnerabilities.
Table 2: Key vulnerabilities for Bluetooth LE
1. Authentication attempts are repeatable.
   Remarks: A mechanism is required to prevent indefinite authentication requests. Between successive authentication tries, Bluetooth devices apply an exponentially increasing waiting interval. Without it, an attacker could gather huge amounts of packets encrypted with the secret link key and crack them to recover the link key.
2. The master key is used for broadcast encryption.
   Remarks: Such a broadcast method, where one secret key is shared between various parties, can lead to impersonation attacks.
3. Bluetooth device address (BD_ADDR).
   Remarks: If the BD_ADDR is captured by an attacker, the user's location and activities can be tracked.
4. Challenge-response authentication is one-way only.
   Remarks: One-way challenge-response authentication may lead to MITM attacks.
5. LE pairing does not provide eavesdropping protection.
   Remarks: An attacker may be able to capture (eavesdrop) the secret keys (that is, CSRK, LTK, IRK) during LE pairing. LE devices must be paired only in secure surroundings to reduce the threat of eavesdropping.
6. The Just Works pairing method does not provide MITM protection.
   Remarks: Using a MITM attack, an attacker is able to capture data communicated between trusted devices. The Just Works pairing method should not be used.
7. Improper link key storage.
   Remarks: If link keys are not securely stored and protected using access controls, an attacker can read and modify the link keys.
8. PRNG strength is not known.
   Remarks: The pseudo-random number generator (PRNG) may produce periodic numbers, reducing the effectiveness of the security mechanisms.
9. Negotiable encryption key length.
   Remarks: Bluetooth LE can use a variable key length; the minimum key size is seven bytes.
10. No user authentication option.
   Remarks: In this case device authentication is the only security. The application developer can add a user authentication feature at the application level to overcome this threat.
11. No end-to-end security is present.
   Remarks: Only the individual links are authenticated and encrypted. End-to-end security can be provided in the upper part of the Bluetooth stack by using additional security controls.
12. Limited security services.
   Remarks: Non-repudiation, audit and other services are not included in the Bluetooth standard. The application developer can add these at the application level.
2.5.2 ZigBee/ IEEE 802.15.4
The ZigBee specification is defined by the ZigBee Alliance (www.zigbee.org). The Alliance is a group of companies working together to ensure the success of the ZigBee open global standard [25]. ZigBee was created to meet the market's requirement for cost-effective, low-power, low-data-rate, reliable and secure wireless communication. ZigBee is constructed on top of the IEEE 802.15.4 standard and adds multi-hop and routing functions to its packet-based radio protocol. The ZigBee standard is targeted at communication between consumer electronic devices in applications such as home and building automation, the smart grid, sensor applications, PC peripherals, industrial control, medical devices, toys and games.
2.5.2.1 ZigBee architecture
The ZigBee architecture is shown in Figure 10. The basic description of the ZigBee architecture is as follows.
2.5.2.1.1 Physical (PHY) layer
The physical layer is defined by the IEEE 802.15.4 standard. According to the IEEE 802.15.4 specification this layer consists of a compliant wireless radio receiver (rx) and transmitter (tx) which, in the 2.4 GHz band, operates at an air data rate of 250 kbps (the 1200 to 230400 bps range quoted in module documentation is the serial interface data rate of the XBee module, not the radio data rate). The transmission power is very low, of the order of 1 mW. The modulation technique used at 2.4 GHz is Offset Quadrature Phase Shift Keying (O-QPSK) with direct-sequence spread spectrum [25].
Figure 10: ZigBee Stack Architecture [26]
2.5.2.1.2 Media Access Control (MAC) Layer
The MAC layer uses slotted CSMA/CA and the Guaranteed Time Slot (GTS) mechanism. The functions of this layer are network association and disassociation, frame validation, frame delivery, channel access, and GTS allocation for higher-priority communication. GTS traffic is time-critical data sent from the application layer; it is stored in a buffer of definite capacity and transmitted to the network once the corresponding GTS becomes active. An unbounded buffer is used to store non-time-critical information frames; this buffered information is transmitted during the active Contention Access Period (CAP) using the slotted CSMA/CA algorithm. This layer generates beacon frames and synchronizes the network if the node acts as PAN coordinator. It may also implement security mechanisms. The MAC layer is also defined by the IEEE 802.15.4 standard [27].
2.5.2.1.3 Network Layer
The task of the ZigBee Network (NWK) layer is to perform security, routing and network management procedures, that is, to keep track of the nodes joining and leaving the network. The reference model of the network layer is shown in the figure. The ZigBee NWK layer provides two service entities as follows [26]:
The Network Layer Data Entity (NLDE) delivers the data service through a Service Access Point (SAP). This service interface is known as the Network Layer Data Entity Service Access Point (NLDE-SAP).
The Network Layer Management Entity (NLME) delivers the management service through a SAP. This service interface is known as the Network Layer Management Entity Service Access Point (NLME-SAP).
On the basis of the functionality present in IEEE 802.15.4/ZigBee devices, the devices are categorised as Full Function Devices (FFD) and Reduced Function Devices (RFD). A Full Function Device implements the entire IEEE 802.15.4/ZigBee protocol stack, whereas a Reduced Function Device implements only a subset of it. According to their role in the network, ZigBee devices are of three types:
Coordinator: To start a HAN/WSN there must be at least one coordinator. A coordinator is an FFD, that is, its protocol stack is fully functional. In beacon-enabled mode the coordinator sends beacon frames periodically to synchronize the nodes in the network. In a cluster-tree network every router receives the beacon frame from its parent node and sends its own beacon frames to synchronize the nodes in its cluster. ZigBee coordinators and routers must support the following additional functionality:
Authorize devices to join the network, either through association indications issued by the MAC sublayer or through explicit join requests from the application.
Authorize devices to leave the network, either by issuing Network Leave command frames or through explicit leave requests from the application.
Assign logical network addresses. Maintain a list of neighbouring devices.
Router: A router is also an FFD. Its job is to route messages between the coordinator and the end devices. The router performs multi-hop routing in cluster-tree and mesh networks. The function of a router is the same as that of the coordinator, except that it neither sends data of its own nor uses the data from other nodes but only routes messages.
End Device: End devices are RFDs and do not participate in routing. Such devices interface with sensors and actuators. The functions of the end devices are:
To send the information collected from the sensor to the coordinator.
To pass the information received from the coordinator to the actuator.
2.5.2.1.4 Application Support Sublayer (APS)
The APS provides the interface between the application layer and the network layer through a set of services used both by manufacturer-defined application objects and by the ZigBee Device Object (ZDO) [25].
2.5.2.1.5 Application Framework
The application framework is the environment in which application objects are hosted. It can define up to 240 distinct application objects, each addressed by a unique endpoint number from 1 to 240 [25].
2.5.2.1.6 ZigBee Device Object (ZDO)
The ZDO provides an interface between the application objects, the APS and the device profile. It is responsible for initializing the APS, the Security Service Provider and the network layer.
2.5.2.1.7 Application Layer
In the ZigBee application layer model used here there is one Traffic Sink and two data traffic generators, the GTS Traffic Source and the Traffic Source. The Traffic Source uses slotted CSMA/CA to create acknowledged and unacknowledged data frames during the Contention Access Period (CAP). The GTS Traffic Source uses the GTS mechanism to create acknowledged or unacknowledged time-critical data frames. The Traffic Sink receives frames from the lower layers and collects network statistics. The application layer is responsible for running the applications on the network node; the functionality of the device is defined at the application layer. Many applications can be defined on a single node. For instance, an environmental sensor may define different applications to measure humidity, temperature and atmospheric pressure.
2.5.2.2 ZigBee Attacks
The possible attacks, classified according to the layer of the ZigBee architecture at which they apply, are shown in Table 3.
Table 3: ZigBee attacks defined on a layer basis
Physical Layer: Tampering; DoS (Jamming); Sybil
MAC Layer: DoS (Collision, Unfairness, Exhaustion, Interrogation); Sybil (Data aggregation, Voting)
Network Layer: DoS (Neglect and Greed, Homing, Spoofing, Black Holes, Flooding); Sybil; Wormhole attack
Transport Layer: DoS (Flooding, De-synchronization)
The details of these attacks are described in Section 2.4.3.3.
2.5.3 IEEE 802.11/Wi-Fi
Wireless fidelity (Wi-Fi) is a wireless network connection system that provides location-independent network communication using radio waves [19]. In the smart grid, Wi-Fi is used to provide the gateway to the Internet.
2.5.3.1 IEEE 802.11
As with any IEEE 802.x standard, IEEE 802.11 focuses on the bottom two layers of the OSI reference model: the physical layer and the data link layer. The IEEE 802.11 standard is broken into two main layers: the MAC or Media Access Control layer and the PHY or Physical Layer.
Figure 11: 802.11 and ISO Model [22].
Physical Layer: The IEEE 802.11 physical layer consists of two sublayers, as shown in Figure 12 [23]. The Physical Layer Convergence Procedure (PLCP) sublayer is responsible for communicating with the MAC. The Physical Medium Dependent (PMD) sublayer is responsible for the actual reception and transmission over the wireless medium; it also performs the modulation and demodulation of the transmitted frames.
Figure 12: IEEE 802.11 Physical layer components. The original 802.11 and 802.11b physical layers use spread spectrum techniques to generate the radio signal (later amendments such as 802.11a/g/n use OFDM). A spread spectrum technique takes a signal of a particular bandwidth and deliberately spreads it in the frequency domain, so the signal bandwidth is expanded. This provides some extra resistance to narrowband jamming and natural interference, although a jammer that covers the whole channel still works.
MAC Layer: The data link layer within 802.11 consists of two sublayers: Media Access Control (MAC) and Logical Link Control (LLC). The MAC layer defines the rules for sending and receiving information, whereas the LLC is based on the 802.2 protocol and is responsible for handing data to and from the higher layers. The MAC protocol uses two types of frame for data transfer: a data frame transmitted from the source to the destination, and an acknowledgment frame sent by the destination in response to indicate that the frame has been received correctly. If this acknowledgement is not received by the source, the data frame is resent according to the CSMA/CA mechanism [17]. This minimizes the inherent error of the medium, but costs additional bandwidth, without any help from higher-layer protocols.
2.5.3.2 Exploits on Wi-Fi
There are specific attacks depending on the technology and application used. The generalized exploits that are frequently seen are as follows:
I. Spoofing (Identity Theft): Spoofing is an active attack in which the intruder configures its MAC address to be the same as that of a device with authorized access, and thereby passes itself off as a valid user. Countermeasure: Spoofing attacks can be reduced by removing rogue access points, properly configuring access points, and authenticating all devices; MAC address filtering alone does not help, since the MAC address is exactly what is spoofed.
II. Denial of Service (DoS): A DoS attack blocks the network by sending a huge amount of meaningless data. To perform a DoS attack, the attacker locates an access point of the wireless network and starts sending continuous packets of meaningless information. These packets overwhelm the access point, causing denial of service. As described earlier, DoS in 802.11 can be caused by packet flooding or by blocking the RF signal. Countermeasure: This type of attack is hard to defend against. DoS attacks can be reduced by hiding the access point and removing the offending devices.
III. Replay Attacks: To perform a replay attack a valid data packet is needed. To capture a valid packet, the attacker monitors the network and captures data packets; sniffers such as AirSnort are used for this. Once a packet is captured, the replay attack is carried out by sending this packet repeatedly. A replay attack done with a huge number of packets leads to a DoS attack. Replay is also used to stimulate traffic on the network so that packets can be collected faster in order to crack a WEP encryption key. Countermeasure: Using timestamps and encryption with per-packet freshness (a sequence counter, as in WPA2) on each packet can reduce replay attacks.
IV. War-driving: War driving is a passive form of attack. Using a wireless terminal, the attacker simply drives or walks through a wireless zone and passively listens for RF signals. If good security measures are not implemented, the attacker can easily penetrate the network. Countermeasure: The simple and cost-effective ways to reduce this attack are to turn off broadcasting of the service set identifier (SSID), to assign cryptic SSID names, and to reduce the signal strength to just cover the required area. These only raise the bar: a hidden SSID still appears in probe and association frames, so strong encryption and authentication remain necessary.
V. Man-in-the-Middle: In a man-in-the-middle attack, the attacker inserts himself between a wireless terminal and the access point to capture packets. The wireless terminal sees the attacker as a valid access point, and the access point sees the attacker as a valid wireless terminal. Once such communication is established, the attacker can view or modify the traffic and can even perform a DoS attack. Countermeasure: Strong encryption and strong mutual authentication of both devices and users can reduce this attack.
2.6 ZigBee
ZigBee devices are widely used in the smart home, but very little research on real-world security threats is available. For analysing the security of ZigBee WSNs a handful of tools are available. Security researchers such as Joshua Wright, Travis Goodspeed and Kevin Finisterre have made their work and tools open source.
2.6.1 Joshua Wright
Joshua Wright was the first to present his work as open source. He developed a Python-based framework, KillerBee, for analysing and exploiting ZigBee and IEEE 802.15.4 security [28]. The framework consists of tools for discovering ZigBee/IEEE 802.15.4 networks, capturing and injecting packets, and denial of service. Its aim is to give users a better understanding of the possible threats to ZigBee/IEEE 802.15.4 WSNs and to discover weaknesses; knowing the weaknesses, one can take action to remove them.
2.6.2 Travis Goodspeed
Travis Goodspeed's work focuses on attacking the hardware and software cryptosystems of ZigBee/IEEE 802.15.4 based microcontrollers and radios. He has developed methods for extracting encryption keys from protected memory. Coupled with the KillerBee framework, this allows captured packets and encrypted traffic to be decrypted [16]. Goodspeed also found a PRNG vulnerability in the implementation of TI's Z-Stack for ZigBee. This vulnerability allows keys to be recovered remotely [17].
3 Security Assessment Methodology
Security assessment is the art of finding security breaches. In digital communication, security assessment deals with the security analysis of the communication system in a network. It covers the security analysis of network protocols, the operating system (OS), software applications and even the human factor. Security assessment is also known as penetration testing. Some widely used penetration testing methodologies are the Information Systems Security Assessment Framework (ISSAF), the Open Source Security Testing Methodology Manual (OSSTMM), the Guideline on Network Security Testing (GNST) of the National Institute of Standards and Technology (NIST), and the Open Web Application Security Project (OWASP) testing guide. But for sensor device communication (that is, WSNs) there are no such methodologies available, and if there are, they are not open to the public. As for tools for the security assessment of WSNs, there were none before Joshua Wright's K<br>illerBee, which was the first such tool open to the public. The work done by different people to develop ZigBee security assessment tools is discussed in Section 2.6. Since there is no particular methodology, a general concept of penetration testing phases is considered in this project. The penetration testing phases for wireless network technology in general are:
I. Reconnaissance: This step is to discover as much information as possible about the technology used by the wireless components, that is, to learn the architecture, the operating software and the security issues related to them. The information is gathered from technical papers and the Internet.
II. Network Scanning: This step is to find out the network topology, the operating systems, ports, protocols and applications in use.
III. Vulnerability Identification: Depending on the operating systems, network topology, applications and ports found during the network scanning phase, vulnerability scanners are used to determine the exact tests to be carried out. The purpose of this phase is to recognize the exact versions, applications and configurations deployed on the network devices.
IV. Exploit: The final phase is to verify the vulnerabilities identified. The exploit is done using appropriate tools based on the vulnerabilities discovered.
Before defining the methodology for WSNs, one important thing to consider is the tools that are available. As is well known, attacking a wireless network requires a wireless hardware interface. Although source code and software are available as open source, there are no ready-to-use attack tools for WSNs; such tools need to be built by oneself. This step can be considered one extra phase for WSNs. On the basis of the wireless network penetration testing methodology and the need to build hardware tools, the security assessment phases for WSNs are redefined as Weaponizing Attack, Reconnaissance, Node Mapping, Vulnerability Identification and Exploit.
3.1 Weaponizing Attack
In this phase the tools needed to perform the attack are built. The first task in this phase is to determine the hardware required to build the wireless interface for the attack; the second is to create the software platform.
3.2 Reconnaissance
This phase is concerned with gathering information about the technology being used. The information is collected from publicly available sources. In this phase information about the hardware architecture, the communication type and the software used is collected as follows:
Document enumeration: Documents can be gathered from the vendor website and from the paper documentation that comes with the hardware. From these documents, information such as component datasheets and application notes, the radio block diagram, the schematic diagram and the description of operation can be gathered.
Hardware overview: If the device is physically accessible, one can open it to reveal additional information such as antenna size and shape, the chips used and their pin configuration, the interfaces of the microcontroller, and the organization of the circuit board.
Communication RF characterization: To perform the attack, the type of radio used is the key information. From the documentation or from physical access to the device one can learn the frequency spectrum, the frequency hopping pattern, the channel selection, the higher-level protocol, and the modulation.
3.3 Node Mapping
In this phase the scanning for nodes is done. The first task is to determine the communication channel.
3.4 Vulnerability Identification
Once the communication channel is identified, the identification of vulnerabilities can be launched. In this phase, the following techniques can be used to identify vulnerabilities:
I. Radio Packet Analysis: Once the communication channel is determined, capturing a few packets reveals information such as the presence or absence of cryptography. If the packets are encrypted, the data bits appear random, whereas for unencrypted packets the data bits are not random (fixed fields, counters and ASCII values stand out). Furthermore, if the bits within each packet look random but identical packets appear to be repeated, the cryptography may be vulnerable to a replay attack, since a correctly used nonce or frame counter would make every ciphertext differ.
II. Schematic Capture: If the sensor device is physically accessible, its detailed architecture and circuit design can be studied and the device reverse-engineered.
III. Microcontroller Dumping: Each sensor device has Electrically Erasable Programmable Read-Only Memory (EEPROM) and a System-on-Chip (SoC). These units contain the executable code. With physical access to the device, the binary code in the chip can be downloaded and a clone of the device can be made.
IV. Bus Snooping: Bus snooping provides valuable information such as the radio configuration, the crypto keys and the protocol used. This allows one to learn how the device operates.
In WSNs vulnerability identification is mostly physical tampering with the device. The details of these techniques are described in the paper "ADVANCED METERING INFRASTRUCTURE ATTACK METHODOLOGY".
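As an added illustration of the radio packet analysis step (this is example code written for this edit, not code from the thesis), the following Python script applies the two checks described above to a flow of captured payloads. It pools the payloads of one flow and measures the byte entropy and the fraction of printable ASCII to decide whether the traffic looks encrypted, and it counts byte-identical frames, which in an apparently encrypted flow point to missing freshness and hence to a replay risk. The two sample flows are constructed for the example (a plaintext meter report with a counter, and SHA-256 output standing in for ciphertext with one frame repeated); the thresholds of 7.0 bits per byte and 60 % printable bytes are assumptions tuned for a few hundred pooled bytes.

```python
import hashlib
import math
from collections import Counter

# Constructed sample traffic for this example (not captured from the test bed).
# Flow A: a plaintext meter report with a changing sequence number.
PLAINTEXT_FLOW = [b"V=230.1;I=0.43;P=98W;N=%03d" % i for i in range(20)]

# Flow B: a stand-in for ciphertext, one deterministic 32-byte block per frame
# (SHA-256 of a frame label; real AES-CCM output looks the same to this test).
# Frame 17 repeats frame 3 verbatim, as a nonce-less encryption would produce.
ENCRYPTED_FLOW = [hashlib.sha256(b"frame-%d" % i).digest() for i in range(20)]
ENCRYPTED_FLOW[17] = ENCRYPTED_FLOW[3]


def byte_entropy(data):
    """Shannon entropy of the byte distribution, in bits per byte (8.0 is the maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII; plaintext telemetry is usually close to 1."""
    if not data:
        return 0.0
    return sum(1 for b in data if 0x20 <= b < 0x7F) / len(data)


def assess_flow(payloads, entropy_threshold=7.0, printable_threshold=0.6):
    """Pool the payloads of one flow and decide whether they look encrypted.

    Pooling matters: a single 20-byte frame cannot reach high entropy even if it
    is random, so the test runs over the concatenation of all frames of the flow.
    A flow that looks encrypted but contains byte-identical frames is flagged as
    a replay risk, since a correctly used nonce or frame counter would make every
    ciphertext differ.
    """
    blob = b"".join(payloads)
    entropy = byte_entropy(blob)
    printable = printable_ratio(blob)
    looks_encrypted = entropy >= entropy_threshold and printable < printable_threshold
    repeats = {p: c for p, c in Counter(payloads).items() if c > 1}
    return {
        "frames": len(payloads),
        "entropy_bits_per_byte": round(entropy, 2),
        "printable_ratio": round(printable, 2),
        "verdict": "encrypted" if looks_encrypted else "plaintext",
        "repeated_frames": len(repeats),
        "replay_risk": looks_encrypted and bool(repeats),
    }


if __name__ == "__main__":
    for name, flow in (("plaintext flow", PLAINTEXT_FLOW), ("encrypted flow", ENCRYPTED_FLOW)):
        print(name, assess_flow(flow))
```

On real captures, group the payloads by source address and channel before pooling, and strip the MAC and NWK headers first: header fields are structured even when the payload is encrypted and would drag the entropy down.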
3.5 Exploit
The exploitation phase mounts an attack on the WSN using the vulnerabilities found in the Vulnerability Identification phase. The purpose is to achieve the following results:
I. Unauthorized Device Authentication: Device authentication permits different access levels on the system. The capability to bypass or subvert the authentication mechanism in order to gain access to the device is the prime goal. Possible techniques for unauthorized authentication are buffer overflows in the serial communication or networking code, or finding an edge case that skips either the validation or the authentication step.
II. Malicious Patching of Firmware: If an attacker can successfully update the device firmware, he takes complete control over the device. Once this is achieved, authentication procedures are no longer an issue and other vulnerabilities are not required []. The question then becomes how firmware is updated, and how much time and work is needed to update devices on a large scale.
III. Manipulation of Reported Data: The attacker manipulates the data and sends fake information to the collection point. For instance, in the smart grid the attacker can report an electricity consumption much lower than what is actually used.
IV. Denial of Service: This exploit is done to stop all communication between devices. It is achieved by jamming the signal, flooding the network with meaningless packets, or blocking packets.
4 ZigBee Based Wireless Power Measurement
To perform the security assessment, a ZigBee-based wireless network was designed. The design measures the electricity consumption and sends the data to a remote station. It was set up in order to perform a security assessment of WSNs; it provides data, but the measurements are not accurate and need to be improved in order to obtain accurate information.
4.1 Hardware
To design the system the following hardware is required:
i. 1x Arduino Uno
ii. Voltage sensor: 1x 9V AC-AC adapter
iii. Resistors: 1x 100 kOhm, 5x 10 kOhm, 1x 100 Ohm
iv. Capacitor: 1x 10 uF
v. 1x Current sensor
vi. Breadboard: 1x
vii. 2x ZigBee modules
Arduino Uno: The Arduino Uno is a microcontroller board based on the ATmega328. It has 14 digital input/output pins (6 of which may be used as PWM outputs), 6 analog inputs, a 16 MHz crystal oscillator and a USB connection. It has an ICSP header, a reset button and a power connector. Details of the Arduino Uno can be found in the Arduino manual [http://arduino.cc/en/Main/ArduinoBoardUno].
Current sensor: The current sensor is used to measure the current flowing through the wire. The current sensor used is of a non-invasive nature (a clamp-on current transformer): the current is measured just by clamping it around the live wire of the electricity line [http://openenergymonitor.org/emon/node/59].
Voltage sensor: The voltage sensor is an AC-to-AC adapter which converts the mains voltage to a low voltage; it is simply a step-down transformer. The purpose of using an AC-to-AC adapter is to minimize the risk of measuring the high voltage directly [http://openenergymonitor.org/emon/node/59].
ZigBee: ZigBee is used as the wireless link that carries the power consumption measurements. The ZigBee devices used are from the vendor Digi International. The detailed architecture can be found in the manual provided by the vendor [].
4.2 Software
The software used for the system design is:
Arduino software: The Arduino software (IDE) is used to program the flash memory of the microcontroller on the Arduino board. The code is written in the Arduino dialect of C/C++. This code is compiled into a binary, which is uploaded to the Arduino board over the USB cable. Detailed instructions for using the Arduino software are found in its help menu. The software and manual can be downloaded from http://arduino.cc/en/Main/Software.
X-CTU: X-CTU is the interface used to program the parameter set of the ZigBee device. It also allows the data received by the ZigBee device to be viewed. The parameters of a ZigBee device can be entered either as AT commands from the Terminal menu or through the Modem Configuration menu. X-CTU can be downloaded from the Digi International website. Figure 13 shows the X-CTU interface used to set the ZigBee configuration.
Figure 13 : X-CTU Modem configuration interface
4.3 System design
The circuit diagram of the system is shown in Figure 14. The detailed design layout is found on the "OpenEnergyMonitor" website.
Figure 14 : Circuit layout of system
i. Programming the Arduino: The source code for reading the analog current and voltage signals is given in the Appendix. The code is first compiled, and the compiled binary is loaded onto the Arduino board over the USB connection via a COM port.
ii. Configuring the ZigBee devices: The ZigBee devices are configured as a coordinator in API (Application Programming Interface) mode and an end device (that is, the sensor node ZigBee device) in AT mode.
Coordinator configuration: The parameters that need to be set for the coordinator are PAN ID (Personal Area Network identifier), SC (Scan Channels), AP (API Enable), EE (Encryption Enable), EO (Encryption Options) and KY (Encryption Key). Other fields are left at their defaults. The values set are:
PAN ID = 1234
SC = 1FFFE
AP = 2
EE = 1 (enable)
EO = 0 (transmit security key on join)
KY = A1B1C1D1
End device: The end device is set to AT mode and its configuration is as follows:
PAN ID = 1234
SC = 1FFFE
AP = 0
EE = 1 (enable)
EO = 0 (transmit security key on join)
KY = A1B1C1D1
Other parameters are left at their defaults. Note that with this configuration the network traffic is encrypted, but the key itself is delivered over the air to a joining device, so an attacker sniffing at join time can recover it; this is exactly what is exploited in Section 5.3.
5 ATTACKING ZIGBEE NETWORK
This section describes the actual attack on the ZigBee network built in Section 4. The security assessment is performed following the methodology given in Section 3.
5.1 Weaponizing Attack
5.1.1 Creating the wireless attack interface
To build the attack interface, two key pieces of hardware are used in this project. Two Atmel Raven USB sticks (RZUSBSTICK) are required to perform the ZigBee network attack. The RZUSBSTICK is based on the IEEE 802.15.4 specification; Figure 15 shows the front and back of the Raven USB stick. This USB stick was used by Joshua Wright to develop the KillerBee framework. The device interfaces to the host via a USB 2.0 port and operates at 2.4 GHz. The RZUSBSTICK consists of an AVR microcontroller (AT90USB1287), a PCB antenna and an IEEE 802.15.4 transceiver. One of its attractive features is that its firmware can be modified as required. The default firmware can be used to create a ZigBee-compliant network or to use the stick as a passive packet sniffer; it does not include functions such as packet injection that are needed for security analysis.
Figure 15 - Atmel RZ Raven USB Stick (both sides shown)
In order to perform security analysis the firmware needs to be customized. The firmware source code for security analysis can be downloaded as part of the open-source KillerBee framework. For upgrading or modifying the firmware on the RZUSBSTICK, an Atmel JTAGICE mkII on-chip programmer is used. Figure 16 shows the Atmel programmer.
Figure 16 - Atmel JTAGICE mkII On-Chip Programmer
This JTAGICE mkII on-chip programmer is generally used by AVR developers for microcontrollers such as the AT90USB1287 on the RZUSBSTICK. The RZUSBSTICK is connected to the programmer's 10-pin JTAG header using a 100 mil (2.54 mm) to 50 mil (1.27 mm) pitch JTAG adapter. Programming the RZUSBSTICK: To modify the firmware on the RZUSBSTICK, AVR Studio is required. The AVR Studio software installation CD comes with the Atmel JTAGICE mkII on-chip programmer. The devices are then connected as shown in Figure 17.
Figure 17 RZUSBSTICK and Atmel JTAGICE Programmer connection with laptop
The KillerBee firmware source code was downloaded [28] and flashed to the RZUSBSTICK. Figure 18 shows the flashing settings in AVR Studio. A successful upgrade to the KillerBee firmware is indicated by the orange LED.
Fig. 18 – Flashing the RZUSBSTICK with the customised KillerBee firmware
A Linux system is required for the attack, and it needs to be configured to work with KillerBee. Since KillerBee depends on the Python modules usb, crypto, cairo and pygtk, these Python modules were installed as follows:
$ apt-get install python-gtk2 python-cairo python-usb python-crypto
The KillerBee Python package is then installed from the KillerBee directory by running:
$ python setup.py install
This completes the first phase.
5.2 Node Scanning KillerBee tool, zbstumbler perform the network discovery task. The tool is capable of discovery of both IEEE 102.15.4 and ZigBee. This tool performs active network scan. It works by transmitting beacon request frames and perform channel hopping. This display information of devices discovered zbstumbler: Transmitting and receiving on interface '002:012' New Network: PANID 0x1234 Source 0x0000 Ext PANID: 00:00:00:00:00:00 Stack Profile: ZigBee Standard Stack Version: ZigBee 2006/2007 Channel: 15
The output shows the PAN ID, the channel on which communication is taking place, the protocol type and the stack version. With the node located, the next task is vulnerability identification.
5.3 Vulnerability Identification
The first task in this phase is to capture packets. For this the screen command is run against the Jackdaw USB stick:
$ screen /dev/ttyACM0
When the command is run a blank screen appears, but pressing any key either produces an error message or executes a command. Pressing “h” brings up the Jackdaw menu shown in Figure 19.
Figure 19: Jackdaw menu
As the channel on which communication takes place is already known, selecting “c” lets the user set the channel on which Jackdaw operates by answering a prompt. As the channel found by zbstumbler was 12, 12 is entered:
Select 802.15.4 Channel in range 11-26 [26]: 12
Channel changed to 12.
The next task is to choose the role of Jackdaw in the network: sniffer, network monitoring or raw data monitoring. Pressing “r” selects raw data monitoring. The data can now be captured and analysed with Wireshark, which captures on the interface usb0. Figure 20 shows the capture in progress.
Figure 20: Packet capture using Wireshark
The packets in this capture file can be analysed easily. The capture file is saved in dump format as capturedata.dump.
The next task is to convert the dump format into the dcf format. This is done with the command:
$ zbconvert -i capturedata.dump -o capturedat.dcf
Converted 91 packets.
Key sniffing: ZigBee keys can be provisioned over the air (OTA) or pre-installed. OTA key provisioning allows quick key rotation, but it sends the keys in plaintext. The KillerBee tool zbdsniff processes captured packets, inspects APS frames for the key transport command and reveals the network key. The output shows the revealed key together with the destination and source addresses:
$ zbdsniff capturdata.dcf
Processing /home/crowther/ZigBee/capt.dcf
NETWORK KEY FOUND: 00:02:00:01:0b:64:01:04:00:02:00:01:0b:64:01:04
Destination MAC Address: 00:d1:e4:a7:bb:f2:34:e7
Source MAC Address: 00:9c:a9:23:5c:ef:23:b2
Processed 91 capture files.
5.4 Exploitation
The exploitation of the network is demonstrated with a replay attack and a denial of service attack.
Replay Attack: In a replay attack the attacker retransmits captured data again and again. The receiver treats this data as if it came from the original sender. Depending on the application, a replay attack can have an insignificant effect or a severe one. The data must be in dcf format before zbreplay can use it.
sudo zbreplay -R datacapture.dcf -f 12 -s .01
zbreplay: retransmitting frames from 'datacapture.dcf' on interface '002:012' with a delay of 0.010000 seconds.
91 packets transmitted
Denial of Service Attack: The denial of service (DoS) attack is performed from the Jackdaw menu. The attack works by sending meaningless packets over the channel; selecting the “S” option performs the DoS.
Figure 21: Denial of service attack
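As an added example (not code from this report or from the KillerBee project), the following Python detector flags, over constructed frame records of the kind a monitoring sniffer would log, the two patterns this section produces on the air: a replayed frame and a burst of beacon requests. The record layout, window sizes and threshold are assumptions.

```python
from collections import deque

# Constructed sample records (not a real capture): (time_s, frame_type, src_addr, seq, payload_hex).
# A beacon request is a MAC command frame and carries no source address, hence src=None.
SAMPLE_FRAMES = [
    (0.00, "data", "0x0000", 0x10, "0801aabb"),
    (0.50, "data", "0x0000", 0x11, "0801aabc"),
    (1.00, "data", "0x0000", 0x12, "0801aabd"),
    # replayed copies: same source, same sequence number and same payload seen again later
    (5.00, "data", "0x0000", 0x10, "0801aabb"),
    (5.01, "data", "0x0000", 0x11, "0801aabc"),
    # burst of beacon requests within one second (active scan or flooding)
    *[(6.0 + i * 0.01, "beacon_req", None, 0x20 + i, "07") for i in range(12)],
]

REPLAY_WINDOW_S = 60.0   # assumed: how long a (src, seq, payload) tuple counts as "recent"
BEACON_WINDOW_S = 1.0    # assumed: sliding window for counting beacon requests
BEACON_THRESHOLD = 10    # assumed: more than this many requests in the window raises an alert


def detect(frames):
    """Return a list of (time_s, alert_kind, detail) tuples, in time order."""
    alerts = []
    recent = {}               # (src, seq, payload) -> time last seen
    beacon_times = deque()    # times of beacon requests inside the sliding window
    for t, ftype, src, seq, payload in sorted(frames, key=lambda f: f[0]):
        if ftype == "beacon_req":
            beacon_times.append(t)
            while t - beacon_times[0] > BEACON_WINDOW_S:
                beacon_times.popleft()
            # alert once, when the burst first crosses the threshold
            if len(beacon_times) == BEACON_THRESHOLD + 1:
                alerts.append((t, "beacon_request_flood",
                               f"{len(beacon_times)} beacon requests in {BEACON_WINDOW_S}s"))
            continue
        # The 802.15.4 sequence number is 8 bits and wraps after 256 frames, so a repeated
        # (src, seq) alone is normal; the same payload repeated in a short window is not.
        key = (src, seq, payload)
        last = recent.get(key)
        if last is not None and t - last <= REPLAY_WINDOW_S:
            alerts.append((t, "possible_replay",
                           f"src={src} seq={seq:#04x} first seen at {last}s"))
        recent[key] = t
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_FRAMES):
        print(alert)
```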
6 CONCLUSION
In the smart grid the home area network lies on the consumer side, and all the home appliances are connected via a wireless sensor network. As the network is on a public site, physical tampering is one of the most serious threats; although no attack using physical tampering was performed, it remains one of the major issues. The security assessment performed in Section 5 shows the possible threats to the HAN. The attacks performed are only possibilities, and they can be removed by using proper countermeasures. The security assessment was performed only on a point-to-point wireless connection. With a network topology such as a mesh network, the attacker can attack any node from a remote location. One such attack is the wormhole attack, which lets the attacker connect two different WSNs in order to mount attacks. From Section 2.4.33 it can be noted that attacks associated with routing are more severe, since the attacker can reach any part of the network from a remote location. The work done used basic tools for ZigBee network analysis. As attack tools develop, the threats increase as well. From the Literature Review section it is clear that many security issues are being studied, but no tools are described for performing security testing. This makes security analysis difficult in real world scenarios. Overall, there are several threats related to WSNs in the home area network.
References
1. Consumer Energy Report, "Smart Grid Image". [Online]. Available: http://www.smartgridnews.com/artman/uploads/1/distribution_automation_tropos_maybe.pdf
2. Nexan, March 2010, "Deploying a smarter grid through cable solutions and services". [Online]. Available: http://www.echelon.com/solutions/smartgrid/documents/makingthegridsmarter.pdf
3. Seventh Framework Programme. [Online]. Available: http://www.smarthousesmartgrid.eu/index.php?id=43
4. Iwayemi, S.; Yi, P.; Liu, P., Innovative Smart Grid Technologies, IEEE, vol. 3, no. 5, 19 January 2010.
5. Yong Wang; Attebury, G.; Ramamurthy, B., "A survey of security issues in wireless sensor networks," IEEE Communications Surveys & Tutorials, vol. 8, no. 2, pp. 2-23, Second Quarter 2006.
6. Trilliant, "The Home Area Network: Architectural Considerations for Rapid Innovation". [Online]. Available: http://wtww.trilliantinc.com/library-files/whitepapers/HAN_white-paper.pdf
7. http://www.burnsmcd.com/Services/Detail/Home-Area-Networks
8. Walters, J. P.; Liang, Z.; Shi, W.; Chaudhary, V., "Wireless sensor network security - a survey," in Security in Distributed, Grid, Mobile, and Pervasive Computing, Auerbach Publications, CRC Press, 2007.
9. Carman, D. W.; Krus, P. S.; Matt, B. J., "Constraints and approaches for distributed sensor network security," Technical Report 00-010, NAI Labs, Network Associates, Inc., Glenwood, MD, 2000. [Online]. Available: http://www.csee.umbc.edu/courses/graduate/CMSC691A/Spring04/papers/nailabs_report_00-010_final.pdf
10. Boyle, D.; Newe, T., "Security Protocols for Use with Wireless Sensor Networks: A Survey of Security Architectures," Third International Conference on Wireless and Mobile Communications (ICWMC '07), p. 54, 4-9 March 2007.
11. Akyildiz, I. F.; Weilian Su; Sankarasubramaniam, Y.; Cayirci, E., "A survey on sensor networks," IEEE Communications Magazine, vol. 40, no. 8, pp. 102-114, Aug. 2002.
12. Charfi, W.; Masmoudi, M.; Derbel, F., "A layered model for wireless sensor networks," 6th International Multi-Conference on Systems, Signals and Devices (SSD '09), pp. 1-5, 23-26 March 2009.
13. Sen, J., "A Survey on Wireless Sensor Network Security," International Journal of Communication Networks and Information Security (IJCNIS), vol. 1, no. 2, pp. 55-78, August 2009.
14. Beresford, A. R.; Stajano, F., "Location privacy in pervasive computing," IEEE Pervasive Computing, vol. 2, no. 1, pp. 46-55, 2003.
15. Brownfield, M.; Yatharth Gupta; Davis, N., "Wireless sensor network denial of sleep attack," Proceedings of the Sixth Annual IEEE SMC Information Assurance Workshop (IAW '05), pp. 356-364, 15-17 June 2005.
16. Wood, A.; Stankovic, J., "Denial of service in sensor networks," IEEE Computer, vol. 35, no. 10, pp. 54-62, 2002.
17. Wood, A.; Stankovic, J., "A mapping service for jammed regions in sensor networks," IEEE Real-Time Systems Symposium, Cancun, Mexico, 3-5 Dec. 2003.
18. Pathan, A. K.; Lee, H.; Hong, C. S., "Security in Wireless Sensor Networks: Issues and Challenges," Proceedings of the 8th IEEE ICACT 2006, vol. II, Phoenix Park, Korea, 20-22 February 2006, pp. 1043-1048.
19. Newsome, J.; Shi, E.; Song, D.; Perrig, A., "The Sybil attack in sensor networks: analysis & defenses," Proceedings of the Third International Symposium on Information Processing in Sensor Networks, ACM, 2004, pp. 259-268.
20. Karp, B.; Kung, H. T., "GPSR: greedy perimeter stateless routing for wireless networks," MobiCom '00: Proceedings of the 6th Annual International Conference on Mobile Computing and Networking, ACM, 2000, pp. 243-254.
21. Yu, Y.; Govindan, R.; Estrin, D., "Geographical and Energy Aware Routing: A Recursive Data Dissemination Protocol for Wireless Sensor Networks," UCLA Computer Science Department Technical Report UCLA/CSD-TR-01-0023, May 2001.
22. Karlof, C.; Wagner, D., "Secure routing in wireless sensor networks: attacks and countermeasures," Ad Hoc Networks, vol. 1, issues 2-3, September 2003, pp. 293-315.
23. Liu, S., "Bluetooth Technology". [Online]. Available: http://progtutorials.tripod.com/Bluetooth_Technology.htm#_Toc41989839