
Cracking Channel Hopping Sequences and Graph Routes in Industrial TSCH Networks

Published: 31 July 2020

Abstract

Industrial networks typically connect hundreds or thousands of sensors and actuators in industrial facilities, such as manufacturing plants, steel mills, and oil refineries. Although typical industrial Internet of Things (IoT) applications operate at low data rates, they pose unique challenges because of their critical demands for reliable and real-time communication in harsh industrial environments. IEEE 802.15.4-based wireless sensor-actuator network (WSAN) technology is appealing for constructing industrial networks because it does not require wired infrastructure and can be manufactured inexpensively. Battery-powered wireless modules easily and inexpensively retrofit existing sensors and actuators in industrial facilities without running cables for communication and power. To address the stringent real-time and reliability requirements, WSANs make a set of unique design choices, such as employing Time-Synchronized Channel Hopping (TSCH) technology. These designs distinguish WSANs from traditional wireless sensor networks (WSNs), which require only best-effort services. The function-based channel hopping used in TSCH simplifies network operations at the cost of security. Our study shows that an attacker can reverse engineer the channel hopping sequences and graph routes by silently observing the transmission activities, putting the network in danger of selective jamming attacks. Knowledge of the cracked channel hopping sequences and graph routes is an important prerequisite for launching selective jamming attacks against TSCH networks. To our knowledge, this article represents the first systematic study that investigates the security vulnerability of TSCH channel hopping and graph routing under realistic settings. In this article, we demonstrate the cracking process, present two case studies using publicly accessible implementations (developed for Orchestra and WirelessHART), and provide a set of insights.

