DOI: 10.1145/3302505.3310075
research-article

Cracking the channel hopping sequences in IEEE 802.15.4e-based industrial TSCH networks

Published: 15 April 2019

ABSTRACT

Industrial networks typically connect hundreds or thousands of sensors and actuators in industrial facilities, such as manufacturing plants, steel mills, and oil refineries. Although typical industrial applications operate at low data rates, they pose unique challenges because of their critical demands for reliable and real-time communication in harsh industrial environments. IEEE 802.15.4-based Wireless Sensor-Actuator Network (WSAN) technology is appealing for constructing industrial networks because it does not require wired infrastructure and can be manufactured inexpensively. Battery-powered wireless modules easily and inexpensively retrofit existing sensors and actuators in industrial facilities without running cables for communication and power. To address the stringent real-time and reliability requirements, WSANs made a set of unique design choices, such as employing Time-Synchronized Channel Hopping (TSCH) technology, that distinguish them from traditional wireless sensor networks, which require only best-effort services. The function-based channel hopping used in TSCH simplifies network operations at the cost of security. Our study shows that an attacker can reverse engineer the channel hopping sequences by silently observing the channel activities, putting the network in danger of selective jamming attacks. To our knowledge, this paper represents the first systematic study that investigates the security vulnerability of TSCH channel hopping in IEEE 802.15.4e under realistic traffic. In this paper, we demonstrate the process of cracking the TSCH channel sequences, present two case studies using publicly accessible TSCH implementations (developed for Orchestra and WirelessHART), and provide a set of insights.

Published in

IoTDI '19: Proceedings of the International Conference on Internet of Things Design and Implementation
April 2019
299 pages
ISBN: 9781450362832
DOI: 10.1145/3302505

        Copyright © 2019 ACM

        Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

        Publisher

        Association for Computing Machinery

        New York, NY, United States
