Attacking Industrial Wireless Mesh Networks

Explore the intricacies of attacking industrial wireless mesh networks in this comprehensive conference talk from the Hack In The Box Security Conference. Delve into the industrial revolution's impact on process control loops and gain a thorough understanding of WirelessHART and ISA 100.11a protocols. Examine the WISN topology, protocol stacks, and common denominators in industrial wireless networks. Learn about security measures, encryption keys, and methods to obtain key material. Discover the hardware and software tools needed for sniffing wireless traffic, including the NXP USB-KW41Z and Kinetis Protocol Analyzer Adapter. Master the implementation of Time Slotted Channel Hopping, firmware development, and synchronization techniques. Gain insights into channel selection, hopping schedules, and sniffing with channel hopping. Explore unauthenticated attacks, such as advertisement jamming, and discuss future research directions in industrial wireless network security.

Intro
Industrial (r)evolution
Previous research
Industrial process control loop
Introduction to WirelessHART
Introduction to ISA 100.11a
WISN topology
Protocol stacks OSI
Common denominators
WirelessHART & ISA100.11a Security
WirelessHART encryption keys OSI
How to obtain key material
WirelessHART default join keys
Sniffer hardware selection
NXP USB-KW41Z
Kinetix Protocol Analyzer Adapter (sniffer)
USB-KW41Z host communication
USB-KW41Z block diagram
Building the toolset
Sniffing traffic with KillerBee and Wireshark
Superframe
Implementing Time Slotted Channel Hopping
Firmware Bare metal task scheduler
Bare Metal vs. RTOS
How to synchronize?
Channel selection
Channel hopping Scheduling
Sniffing with channel hopping
Unauthenticated attacks
Advertisement jamming
Future research
Questions & thank you