Abstract: With the rapid technological advancements of sensors, Wireless Sensor Networks (WSNs) have become a popular technology for the Internet of Things (IoT). We investigated the security of WSNs in an environmental monitoring application with the goal of demonstrating the overall security. We implemented a Secure Temperature Monitoring System (STMS), which served as our WSN application. Our results revealed a security flaw in the bootstrap loader (BSL) password used to protect MSP430 micro-controller units (MCUs). We demonstrated how the BSL password could be brute forced in a matter of days. Furthermore, we illustrate how an attacker can reverse engineer WSN applications to obtain critical security information such as encryption keys. We contribute a solution to patch the weak BSL password security flaw and improve the security of MSP430 MCU chips. The Secure-BSL patch we contribute allows the randomization of the BSL password. Our solution increases the brute force time to decades. The impractical brute force time enhances the security of the MSP430 and prevents future reverse engineering tactics. Our research serves as proof that the security of WSNs and the overall IoT technology is broken if we cannot protect these everyday objects at the physical layer.

Keywords: Wireless Sensor Networks; IoT; Reverse Engineering; Security; Hacking; IEEE 802.15.4; TelosB; Bootstrap Loader; Brute Force

I. INTRODUCTION

With the rapid technological advancements of sensors, Wireless Sensor Networks (WSNs) have become the main technology for IoT [1]. WSNs are composed of a large number of sensors that are physically small, communicate wirelessly among each other, and are deployed without prior knowledge of the network topology [2]. The deployment environments could be over a small or a large geographical area in locations that are either public or hostile. Typically, the environments require little human interaction and devices go unattended for months or even years.

According to Gartner, there will be nearly 26 billion IoT devices by 2020 [1]. As we witness more IoT devices connecting to the Internet, the overall security of networks becomes more vulnerable. As discussed by O'Flaherty, sensor devices will become the favored point of entry for compromising other, bigger targets [1]. Even worse, botnets will find millions of new recruits in the form of zombie appliances or sensor devices [3]. Securing IoT devices at an early stage will be critical in protecting the future of the Internet. Using today's cryptographic protocols, such as RSA and AES, raises two problems in a WSN environment. The first problem is the fact that these protocols are computationally expensive. The second problem is the fact that these protocols do not account for the nature of sensor devices, which are left unattended for years.

Node capture attacks are a well-respected research field within WSNs due to the fact that sensor devices are deployed in unattended environments with easy physical access. Unlike computers or servers that are either physically locked or encrypted, sensor devices lack these features. All of the proposed node capture attack research has one thing in common: it assumes that a node has been captured but does not highlight the consequence of capturing a node [4], [5]. We take node capture attacks one step further by illustrating how reverse engineering methodologies can reveal secret information such as the encryption keys used to secure a network. We hope that this manuscript can serve as motivation for further research in the physical security of IoT devices.

II. WSN APPLICATIONS

There are numerous WSN applications, but ultimately they all fall into two categories: monitoring and tracking. Monitoring examples include temperature levels, humidity levels, ultra-violet levels, pressure levels, noise levels, etc. Tracking examples include movements of objects, directions of objects, traveling speeds, and absence or presence of objects. Furthermore, applications vary depending on the environment where the sensors are deployed. A WSN can be deployed in the following environments: military, environmental, health, public and personal. In a military environment sensors can be an integral component for battlefield surveillance or reconnaissance of opposing forces and terrain [6]. In environmental applications sensors can play a critical role, for example in detecting forest fires [7] or monitoring micro climates in crop fields [8], [9]. In a health environment sensors can be used, for example, to monitor patients' health by implanting a cubic-millimeter computer into a patient's
body [10]. In a commercial environment sensors can be used, for example, to detect car thefts [11] or to manage inventory tracking [12]. In a personal environment sensors can be integrated into everyday appliances [13] and ultimately create a smart home environment [14]. It is up to our imagination where WSNs can be deployed.

Most of the applications, including the former examples, are deployed in environments that are resource expensive to simulate. Our research concentrates on the physical security of sensor devices and not the actual applications. For example, simulating a Wild Fire Monitoring System [15] requires the purchase of expensive equipment that is unnecessary for our research purpose. We instead concentrate on using a sensor application that is inexpensive to simulate so we don't have to buy expensive hardware. Any inexpensive system has similar security concerns as the more complex systems. Without loss of generality, we chose a temperature monitoring system as our WSN application. In fact, we found that temperature monitoring systems using WSNs are a popular field of research.

The researchers at Sirindhorn International Institute of Technology (SIIT) implemented a remote temperature monitoring system that collected classroom temperature levels and provided necessary data for the energy consumption management of air conditioning units [16]. The SIIT implementation made use of the Zigbee protocol to implement their network, consisting of a Coordinator, End-Devices and a web server. A similar system was implemented at Berkley to monitor room temperatures using the Coordinator and End-Devices approach [17]. The difference between the two is the implementation software used; SIIT used XBee, whereas Berkley used Code::Blocks software. Another temperature monitoring system was implemented using MATLAB software, which also made use of the Zigbee protocol [18]. All three systems suggest that building on top of the Zigbee protocol is a popular choice. The Zigbee protocol serves at the network layer and is built on top of the IEEE 802.15.4 protocol. Besides Zigbee, another commonality found between the monitoring systems is the use of unencrypted and unauthenticated communications. Although the Zigbee protocol provides security services, to our knowledge there is no open source implementation of the security features. Furthermore, there is limited Zigbee open source code available and most Zigbee software is proprietary [19]. Keep in mind that Zigbee is built on top of the IEEE 802.15.4 layer; therefore, if the physical layer is broken then all upper layers, including Zigbee, are no longer secure.

We implement the Secure Temperature Monitoring System, which we refer to as STMS [20]. STMS has similar features to the three different temperature monitoring systems implemented by Boonsawat et al. [16], Risteska et al. [18] and Mon et al. [17]. However, to our knowledge our STMS is the only temperature monitoring system that encrypts the communication in a WSN. Our STMS is able to securely monitor room temperatures in real time in a university environment such as the Computer Science department at James Madison University. Therefore, STMS is the proper choice to demonstrate the security flaw found in the MSP430 MCU chips.

III. TAMPERING MSP430 MCU

The MSP430 can be programmed in two different ways. The first way is through the use of a JTAG connector, which requires additional hardware. The second and more convenient way is through the use of the USB serial bootstrap loader (BSL).

A. JTAG

The TelosB motes support MSP430 programming through the use of the JTAG 8-pin 2mm connector. In addition to programming, the JTAG connector allows on-chip debugging, single stepping through code, reading from memory, and writing to memory. For the most part the JTAG connector is mainly used by developers to test the functionality of their equipment. With that being said, access to the JTAG is unprotected, allowing anyone with a JTAG adapter full access to code stored in flash memory. To prevent unwanted access to the JTAG interface, the MSP430 provides the feature of fuse blowing. The JTAG port is protected by a fuse; blowing the fuse completely disables the entire JTAG test circuitry in the micro-controller and is irreversible [21]. Once the fuse is blown the only way to program the MSP430 is through the USB bootstrap loader.

B. Bootstrap Loader

Unlike the JTAG interface, access to the USB bootstrap loader (BSL) is password protected, which makes it ideal for after-production maintenance. The MSP430 BSL interface provides access to flash memory as well as RAM, making the programming task easier by not requiring additional hardware. Even after the JTAG fuse has been blown, the BSL interface continues to function as expected, making it optimal for in-the-field mote programming. The MSP430 BSL is a unique code located in a factory-masked boot ROM, which does not allow write or erase access, to prevent the BSL code from being tampered with. The BSL code consists of commands that use the UART protocol with an RS232 interface to allow communication between a computer and the MSP430 MCU [22]. The key security feature of the MSP430 is the restricted set of BSL commands supported if the user does not have the password.

We have contributed investigation results from analyzing the MSP430 BSL password. We demonstrated that the password used to restrict MSP430 MCU access is brute-forceable. We showed that the address space used to store the password is the same as the address space used to store the Interrupt Vector Table (IVT) entries [20]. Using TinyOS sample
Table I. MSP430-BSL COMMANDS ALLOWED WITHOUT VS. WITH THE PASSWORD
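The following Python model is an added example, not code from the paper or from the Secure-BSL patch it describes. It takes from the paper only the statement that the BSL password occupies the same address space as the interrupt vector table and that user code starts at 0x4000; everything else is an assumption of this example: a 16-slot table of word-sized vectors whose image is the 32-byte password, unused vectors left as erased flash (0xFFFF), used vectors pointing to even addresses in the user code region, and a constructed attempt rate. It shows why the linker-determined table is a weak password (an attacker who knows the firmware layout has nothing left to guess) and how filling the unused slots with random words, the effect the Secure-BSL randomization is described as having, enlarges the search space.

```python
"""Model of the MSP430 BSL password as the interrupt-vector-table image.

Added example; assumptions (not from the paper): 16 word-sized vectors at
0xFFE0-0xFFFF form the 32-byte password, an unused vector reads back as
erased flash (0xFFFF), used vectors point into user code at 0x4000-0xFFDF.
"""
import math
import secrets
import struct

IVT_BASE = 0xFFE0        # assumption: MSP430x1xx vector table location
IVT_SLOTS = 16           # 16 word-sized vectors = 32 password bytes
ERASED = 0xFFFF          # an unused vector reads back as erased flash
CODE_LO, CODE_HI = 0x4000, 0xFFDF   # user code region; the 0x4000 start is the paper's
RESET_SLOT = 15          # assumption: reset vector is the last slot (0xFFFE)


def build_default_ivt(used_vectors):
    """Lay the table out as a linker would: each used slot holds its ISR
    address, every other slot stays erased (0xFFFF)."""
    words = [ERASED] * IVT_SLOTS
    for slot, addr in used_vectors.items():
        if not 0 <= slot < IVT_SLOTS or addr % 2 or not CODE_LO <= addr <= CODE_HI:
            raise ValueError(f"bad vector slot {slot} or address {addr:#06x}")
        words[slot] = addr
    return struct.pack("<16H", *words)


def randomize_unused(ivt, used_slots, rng=secrets.randbits):
    """Hardening modelled on the paper's description of Secure-BSL (this is
    not its code): keep every used vector and fill each unused slot with a
    random 16-bit word. A spurious interrupt through such a slot would jump
    to a random address, so this is only safe for sources the firmware never
    enables; those are exactly the slots that were erased."""
    words = list(struct.unpack("<16H", ivt))
    for slot in range(IVT_SLOTS):
        if slot not in used_slots:
            words[slot] = rng(16)
    return struct.pack("<16H", *words)


def search_space_bits(used_slots, randomized, firmware_known):
    """Bits an attacker must search. Erased slots contribute nothing; a used
    slot contributes nothing when the firmware image is known (every node
    runs the same binary) and log2(#even code addresses) otherwise; a
    randomized slot contributes a full 16 bits."""
    bits = 0.0
    for slot in range(IVT_SLOTS):
        if slot in used_slots:
            if not firmware_known:
                bits += math.log2((CODE_HI - CODE_LO + 1) / 2)
        elif randomized:
            bits += 16
    return bits


def expected_bruteforce_seconds(bits, attempts_per_second):
    """Expected time to hit the password: half the space at the given rate."""
    return 2.0 ** (bits - 1) / attempts_per_second


if __name__ == "__main__":
    # Constructed firmware layout: reset vector plus two peripheral ISRs.
    used = {RESET_SLOT: 0x4000, 4: 0x4A00, 6: 0x4B20}
    default_ivt = build_default_ivt(used)
    hardened_ivt = randomize_unused(default_ivt, set(used))
    rate = 1_000.0   # constructed placeholder: password attempts per second
    for label, randomized in (("default", False), ("randomized", True)):
        bits = search_space_bits(set(used), randomized, firmware_known=True)
        secs = expected_bruteforce_seconds(bits, rate)
        print(f"{label:10s}: {bits:5.1f} bits, expected {secs:.3g} s")
    print("BSL password (default):  ", default_ivt.hex())
    print("BSL password (hardened): ", hardened_ivt.hex())
```

The model makes the paper's observation concrete: with a known firmware image the default password has zero entropy, and even an unknown image only hides the handful of used vectors, while every randomized unused slot adds 16 bits. The rate and the firmware layout are placeholders; substitute measured values for your own board before drawing a time estimate.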
targets for msp430-objcopy are: elf32-msp430, elf32-little, elf32-big, srec, symbolsrec, verilog, tekhex, binary, and ihex. We converted the extracted binary object file to an elf32-msp430 object file.

2) msp430-objdump: The msp430-objdump command displays information about MSP430 object files, such as the disassembled contents of all sections in an object file. We used the msp430-objdump tool to disassemble the binary that was extracted from our STMS End-Device TelosB sensor. By executing the msp430-objdump command, the disassembled version of the STMS End-Device application that was found in flash memory was obtained. In our case the disassembled file contained the assembly instructions of the STMS End-Device application. At this point, we were ready to analyze the assembly instructions to ultimately collect important information about the STMS WSN application.

C. Code Analysis

Since the foundation of our STMS implementation solely used the physical layer, any future application making use of the CC2420 inline encryption will most likely have a similar code analysis process [20]. Furthermore, research suggests WSNs are moving towards encryption using hardware implementations due to their being 42 times faster and using 4.5 times less energy than similar software implementations [24]. With that being said, we provide the reader with an overview of the MSP430 assembly language and contribute an example of how we were able to efficiently locate the network-wide encryption key of the STMS application.

The MSP430 interconnects a 16-bit RISC microprocessor (MPU), peripherals, and memory through the use of a memory address bus (MAB) and memory data bus (MDB). The von Neumann architecture has one address space shared with flash memory, RAM, peripherals and special function registers [21]. As a Reduced Instruction Set Computer (RISC), the MSP430 only has 15 registers, 7 addressing modes and a total of 27 instructions. The MSP430 instruction set is composed of 27 core instructions and 24 emulated instructions. The difference between the two types of instructions is that the core instructions have unique op-codes, whereas emulated instructions do not have unique op-codes. The emulated instructions are used for making assembly code more readable/writable and are replaced automatically by the assembler with an equivalent core instruction.

We have analyzed the disassembled version of the binary that was extracted from the captured STMS End-Device mote [20]. All End-Devices that are part of the STMS have a copy of the network-wide shared key. If a network-wide shared key has been pre-deployed then the security of any WSN environment will be broken through reverse engineering methodologies. With that being said, let us now discuss the technical details of how the cryptographic key was located.

Table II. FIRST BLOCK OF ASSEMBLY INSTRUCTIONS
Address  Op-codes     Instruction
4000:    55 42 20 01  mov.b &0x0120, r5
4004:    35 d0 08 5a  bis #23048, r5
4008:    82 45 06 13  mov r5, &0x1306

Table III. SECOND BLOCK OF ASSEMBLY INSTRUCTIONS
Address  Op-codes     Instruction
400c:    31 40 00 39  mov #14592, r1

As previously stated, user code begins at address 0x4000; therefore the reverse engineering process begins at this address and execution flow will continue from this address. We have grouped the instructions into blocks based on the overall functionality achieved by the combined set of instructions. Since our contribution is to investigate how an attacker can obtain a copy of the cryptographic keys, only the instructions that lead to finding the keys are highlighted.

The first block of instructions is used to establish watchdog timer peripheral support and is found in every application. The instruction at address 0x4000 moves the low byte found in the watchdog timer register (WDTCTL). The watchdog timer peripheral is protected from user code and only the WDTCTL register (0x120) can be used to get access to the watchdog timer peripheral. The purpose of the first block of instructions is to initiate the watchdog timer peripheral support in order to perform or prevent application restarts. All applications are required to start the watchdog timer support in order for any application to properly load.

The second block of instructions is used to initialize the stack pointer by moving the immediate value 0x3900 to register r1. The stack pointer is initialized to address 0x3900, which points to the top of the RAM region (refer to Figure 1).

The third block of instructions is used to copy the content of the .data section into the RAM region. The instruction at address 0x4020 is the most important instruction of the third block because it copies the data found at address 0x7ca6 (offset) to address 0x1100 (offset). The last instruction at address 0x4026 jumps

Table IV. THIRD BLOCK OF ASSEMBLY INSTRUCTIONS
Address  Op-codes           Instruction
4010:    3f 40 48 00        mov #72, r15
4014:    0f 93              tst r15
4016:    08 24              jz $+18
4018:    92 42 06 13 20 01  mov &0x1306, &0x0120
401e:    2f 83              decd r15
4020:    9f 4f a6 7c 00 11  mov 31910(r15), 4352(r15)
4026:    f8 23              jnz $-14
Figure 4. The network wide shared key found through reverse engineering.
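As an added example, not the paper's code, the Python below emulates the third block's .data-to-RAM copy from Table IV (source 0x7ca6, destination 0x1100, 72 bytes, walked backwards two bytes at a time as the decd/jnz loop does) over a constructed flash image, and then applies the check a defender would want in a firmware build pipeline: confirm that the configured network-wide key appears neither in the flash image nor in the RAM image that the copy loop initializes. The 16 KiB flash image starting at the paper's 0x4000, the RAM range ending at the paper's 0x3900 stack top, the .data layout and the placeholder key are all constructed assumptions; a real pipeline would run the same search over the image produced by the toolchain.

```python
"""Emulate the .data copy loop and check a flash image for a plaintext key.

Added example. Addresses 0x4000, 0x7ca6, 0x1100, 72 and 0x3900 come from the
paper; the image size, RAM size, .data layout and key are constructed.
"""
import struct

FLASH_BASE, FLASH_SIZE = 0x4000, 0x4000          # assumption: 16 KiB image from 0x4000
RAM_BASE, RAM_TOP = 0x1100, 0x3900               # assumption: RAM up to the 0x3900 stack top
DATA_SRC, DATA_DST, DATA_LEN = 0x7CA6, 0x1100, 72  # from Table IV

# Constructed placeholder key (AES-128 sized); not the key from the paper.
NETWORK_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def make_flash_image(key, key_offset_in_data=16):
    """Toy image: a stand-in for code, then a .data section holding the key
    among other initialized globals, which is how a global key lands in flash."""
    if key_offset_in_data + len(key) > DATA_LEN:
        raise ValueError("key does not fit in the .data section")
    image = bytearray(b"\xff" * FLASH_SIZE)                   # erased flash
    code_len = DATA_SRC - FLASH_BASE
    image[0:code_len] = bytes(i & 0xFF for i in range(code_len))   # stand-in for code
    data = bytearray(DATA_LEN)
    struct.pack_into("<HHH", data, 0, 0x0001, 0x0100, 0x0002)   # other initialized globals
    data[key_offset_in_data:key_offset_in_data + len(key)] = key
    image[code_len:code_len + DATA_LEN] = data
    return bytes(image)


def copy_data_section(flash, ram, src=DATA_SRC, dst=DATA_DST, nbytes=DATA_LEN):
    """Emulate the third block: r15 starts at nbytes; each pass does decd r15
    and copies the word at src+r15 to dst+r15; jnz loops while r15 != 0, so
    the word at offset 0 is copied last. tst/jz skips the loop for nbytes == 0."""
    if nbytes % 2:
        raise ValueError("the loop copies whole words")
    r15 = nbytes
    while r15 != 0:
        r15 -= 2
        f = src + r15 - FLASH_BASE
        r = dst + r15 - RAM_BASE
        ram[r:r + 2] = flash[f:f + 2]
    return ram


def find_secret(image, secret, base):
    """Return every address (base + offset) at which `secret` occurs in `image`."""
    blob = bytes(image)
    hits, start = [], 0
    while (i := blob.find(secret, start)) != -1:
        hits.append(base + i)
        start = i + 1
    return hits


def check_build(flash, key):
    """Build-time gate: the key must not be recoverable from the flash image
    nor from the RAM image that the startup copy loop produces from it."""
    ram = copy_data_section(flash, bytearray(RAM_TOP - RAM_BASE))
    flash_hits = find_secret(flash, key, FLASH_BASE)
    ram_hits = find_secret(ram, key, RAM_BASE)
    return {"exposed": bool(flash_hits or ram_hits),
            "flash_hits": flash_hits, "ram_hits": ram_hits}


if __name__ == "__main__":
    report = check_build(make_flash_image(NETWORK_KEY), NETWORK_KEY)
    for where in ("flash_hits", "ram_hits"):
        print(where, [f"{a:#06x}" for a in report[where]])
    print("key exposed in image:", report["exposed"])
```

Run on the constructed image, the gate reports the key at 0x7cb6 in flash and at 0x1110 in RAM, exactly the two places the paper's analysis walks through. A passing build is one where the search returns no hits, which in practice means the key is provisioned after flashing or kept in a region the image does not contain.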
be practical and ultimately allowing full access to MSP430 MCU chips. To our knowledge, we have provided the first example of reverse engineering WSN applications to obtain critical security information such as cryptographic keys. We have contributed the Secure-BSL software to improve the password used to protect access to the MSP430 MCU. In summary, our security investigation results show that the physical securing of IoT or WSN devices is a critical component of the overall security of the Internet.

Our future work will focus on evaluating other popular micro-controller units to test their level of tamper resistance. In particular, we are interested in evaluating the ARM, AVR and PIC micro-controllers [26]. We want to investigate whether any of these micro-controllers have the same BSL password vulnerability, as well as investigate any other tampering techniques that can be used to access the MCU internals.

REFERENCES

[1] K. O'Flaherty, "Securing the internet of things," SC Magazine UK, 2015.
[2] Y. W. Law, J. Doumen, and P. Hartel, "Survey and benchmark of block ciphers for wireless sensor networks," ACM Transactions on Sensor Networks (TOSN), vol. 2, no. 1, pp. 65–93, 2006.
[3] S. McGillicuddy, "Who's in charge here? Securing the internet of things," Information Security Insider Edition, 2014.
[4] H. Chan, A. Perrig, and D. Song, "Random key predistribution schemes for sensor networks," in IEEE Symposium on Security and Privacy, 2003, pp. 197–213.
[5] Y. Xiao, V. K. Rayi, B. Sun, X. Du, F. Hu, and M. Galloway, "A survey of key management schemes in wireless sensor networks," Computer Communications, vol. 30, no. 11, pp. 2314–2341, 2007.
[6] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, "Wireless sensor networks: a survey," Computer Networks, vol. 38, no. 4, pp. 393–422, 2002.
[7] B. Son, Y.-s. Her, and J.-G. Kim, "A design and implementation of forest-fires surveillance system based on wireless sensor networks for south korea mountains," International Journal of Computer Science and Network Security (IJCSNS), vol. 6, no. 9, pp. 124–130, 2006.
[8] A. Baggio, "Wireless sensor networks in precision agriculture," in ACM Workshop on Real-World Wireless Sensor Networks (REALWSN 2005), Stockholm, Sweden. Citeseer, 2005.
[9] S. El-Tawab, M. Abuelela, and Y. Gongjun, "Real-time weather notification system using intelligent vehicles and smart sensors," in IEEE 6th International Conference on Mobile Adhoc and Sensor Systems, Oct 2009, pp. 627–632.
[10] B. Warneke, M. Last, B. Liebowitz, and K. S. Pister, "Smart dust: Communicating with a cubic-millimeter computer," Computer, vol. 34, no. 1, pp. 44–51, 2001.
[11] G. J. Pottie and W. J. Kaiser, "Wireless integrated network sensors," Communications of the ACM, vol. 43, no. 5, pp. 51–58, 2000.
[12] M. L. McKelvin Jr, M. L. Williams, and N. M. Berry, "Integrated radio frequency identification and wireless sensor network architecture for automated inventory management and tracking applications," in Proceedings of the 2005 Conference on Diversity in Computing. ACM, 2005, pp. 44–47.
[13] E. M. Petriu, N. D. Georganas, D. C. Petriu, D. Makrakis, and V. Z. Groza, "Sensor-based information appliances," Instrumentation & Measurement Magazine, IEEE, vol. 3, no. 4, pp. 31–35, 2000.
[14] C. Herring and S. Kaplan, "Component-based software systems for smart environments," IEEE Personal Communications, vol. 7, no. 5, pp. 60–61, 2000.
[15] D. M. Doolin and N. Sitar, "Wireless sensors for wildfire monitoring," in Smart Structures and Materials. International Society for Optics and Photonics, 2005, pp. 477–484.
[16] V. Boonsawat, J. Ekchamanonta, K. Bumrungkhet, and S. Kittipiyakul, "Xbee wireless sensor networks for temperature monitoring," in the second conference on application research and development (ECTI-CARD 2010), Chon Buri, Thailand, 2010.
[17] Y.-J. Mon, C.-M. Lin, I. J. Rudas et al., "Wireless sensor network (wsn) control for indoor temperature monitoring," Acta Polytechnica Hungarica, vol. 9, no. 6, pp. 17–28, 2012.
[18] B. Risteska Stojkoska, A. Popovska Avramova, and P. Chatzimisios, "Application of wireless sensor networks for indoor temperature regulation," International Journal of Distributed Sensor Networks, vol. 2014, 2014.
[19] ZBOSS, "Zigbee open source stack, http://zboss.dsr-wireless.com/," Trusted Software Development, Tech. Rep., 2013.
[20] M. Tellez, S. El-Tawab, and H. Heydari, "Improving the security of wireless sensor networks in an iot environmental monitoring system," in IEEE Systems and Information Engineering Design Conference (SIEDS 16), 2016.
[21] MSP430x1xx Family, Texas Instruments, 2006.
[22] Texas Instruments, "Msp430 programming with the bootloader (bsl)," TI Application Report SLAU319K, 2015.
[23] Flash Memory Controller, Texas Instruments, Post Office Box 655303, Dallas, Texas 75265, May 2015.
[24] J. Andersen and M. T. Hansen, "Energy bucket: A tool for power profiling and debugging of sensor nodes," in IEEE Third International Conference on Sensor Technologies and Applications, SENSORCOMM '09, 2009, pp. 132–138.
[25] A. Becher, Z. Benenson, and M. Dornseif, Tampering with motes: Real-world physical attacks on wireless sensor networks. Springer, 2006.
[26] R. Roman, C. Alcaraz, and J. Lopez, "A survey of cryptographic primitives and implementations for hardware-constrained sensor network nodes," Mobile Networks and Applications, vol. 12, no. 4, pp. 231–244, 2007.