Cracking Channel Hopping Sequences and Graph Routes in Industrial TSCH Networks

Industrial networks typically connect hundreds or thousands of sensors and actuators in industrial facilities, such as manufacturing plants, steel mills, and oil refineries. Although the typical industrial Internet of Things (IoT) applications operate at low data rates, they pose unique challenges because of their critical demands for reliable and real-time communication in harsh industrial environments. IEEE 802.15.4-based wireless sensor-actuator networks (WSANs) technology is appealing for use to construct industrial networks because it does not require wired infrastructure and can be manufactured inexpensively. Battery-powered wireless modules easily and inexpensively retrofit existing sensors and actuators in industrial facilities without running cables for communication and power. To address the stringent real-time and reliability requirements, WSANs made a set of unique design choices such as employing the Time-Synchronized Channel Hopping (TSCH) technology. These designs distinguish WSANs from traditional wireless sensor networks (WSNs) that require only best effort services. The function-based channel hopping used in TSCH simplifies the network operations at the cost of security. Our study shows that an attacker can reverse engineer the channel hopping sequences and graph routes by silently observing the transmission activities and put the network in danger of selective jamming attacks. The cracked knowledge on the channel hopping sequences and graph routes is an important prerequisite for launching selective jamming attacks to TSCH networks. To our knowledge, this article represents the first systematic study that investigates the security vulnerability of TSCH channel hopping and graph routing under realistic settings. In this article, we demonstrate the cracking process, present two case studies using publicly accessible implementations (developed for Orchestra and WirelessHART), and provide a set of insights.