Auto-fryingPAN

Abstract

A spoofing attack for a wireless communication system is the most common attack method for unauthorized access and control. IEEE 802.15.4 is a standard that defines only physical and medium access control layers for low rate, low power, and low cost wireless systems. This standard is widely used as lower layers for not only several wireless communication standards but also customized protocols by manufacturers. However, security has not been considered seriously in customized protocols because of implementation convenience, scalability in deploying, and cost. Their security only relies on confidentiality of customized protocol. This thesis develops methods for manual as well as automatic analysis of these customized protocols. Before developing automatic analysis methodology, we chose three real world targets for manual analysis first: smart plug, center-controlled door lock, and platform screen door system. We then manually analyzed custom protocols on those systems. Spoofing attack based on these results against two targets except platform screen door system were successful. For the last target, we chose not to run the experiment due to significant safety reasons. Analyzed results are converted to generic analysis methodology against customized wireless protocols and typical security vulnerabilities. From generic analysis methodology and vulnerabilities, I implemented prototype of Auto-FryingPAN, an automated custom protocol reverse engineering tool. Auto-FryingPAN automates two main phases of suggested manual analysis methodology. First of all, it groups packets following key information from header. For each packet group, the tool evaluates MAC address field similarity, byte column entropy, byte column range, and CRC possibility. Finally, it combines calculated results and makes final reports for every different message format. By comparing manual analysis, we conclude that Auto-FryingPAN can be extended to a fine-grained automatic protocol reverse-engineering tool or automatic spoofing packet generator.