
Cracking the Channel Hopping Sequences in IEEE 802.15.4e-Based Industrial TSCH Networks

Xia Cheng, Junyang Shi, Mo Sha
Department of Computer Science, State University of New York at Binghamton

ABSTRACT

Industrial networks typically connect hundreds or thousands of sensors and actuators in industrial facilities, such as manufacturing plants, steel mills, and oil refineries. Although the typical industrial applications operate at low data rates, they pose unique challenges because of their critical demands for reliable and real-time communication in harsh industrial environments. IEEE 802.15.4-based Wireless Sensor-Actuator Networks (WSANs) technology is appealing for use to construct industrial networks because it does not require wired infrastructure and can be manufactured inexpensively. Battery-powered wireless modules easily and inexpensively retrofit existing sensors and actuators in industrial facilities without running cables for communication and power. To address the stringent real-time and reliability requirements, WSANs made a set of unique design choices, such as employing the Time-Synchronized Channel Hopping (TSCH) technology, that distinguish themselves from traditional wireless sensor networks that require only best effort services. The function-based channel hopping used in TSCH simplifies the network operations at the cost of security. Our study shows that an attacker can reverse engineer the channel hopping sequences by silently observing the channel activities and put the network in danger of selective jamming attacks. To our knowledge, this paper represents the first systematic study that investigates the security vulnerability of TSCH channel hopping in IEEE 802.15.4e under realistic traffic. In this paper, we demonstrate the process of cracking the TSCH channel sequences, present two case studies using publicly accessible TSCH implementations (developed for Orchestra and WirelessHART), and provide a set of insights.

CCS CONCEPTS

· Security and privacy → Mobile and wireless security; · Networks → Link-layer protocols;

KEYWORDS

Time-Synchronized Channel Hopping, Selective Jamming Attack, IEEE 802.15.4e, Industrial Wireless Sensor-Actuator Networks

ACM Reference Format:
Xia Cheng, Junyang Shi, and Mo Sha. 2019. Cracking the Channel Hopping Sequences in IEEE 802.15.4e-Based Industrial TSCH Networks. In IoTDI '19: Internet of Things Design and Implementation, April 15–18, 2019, Montreal, QC, Canada. ACM, New York, NY, USA, 12 pages. https://doi.org/10.1145/3302505.3310075

IoTDI '19, April 15–18, 2019, Montreal, QC, Canada. © 2019 Association for Computing Machinery. ACM ISBN 978-1-4503-6283-2/19/04...$15.00. https://doi.org/10.1145/3302505.3310075

1 INTRODUCTION

The Internet of Things (IoT) refers to a broad vision whereby things, such as everyday objects, places, and environments, are interconnected with one another via the Internet [31]. Until recently, most of the IoT infrastructures and applications developed by businesses have focused on smart homes and wearables. However, it is the "production and manufacturing" IoT, which underlies the Fourth Industrial Revolution (or Industry 4.0), that promises to be one of the largest potential economic effects of IoT [43], up to $47 trillion in added value globally by 2025, according to McKinsey's report on future disruptive technologies [24].

Industrial networks, the underlying support of industrial IoT, typically connect hundreds or thousands of sensors and actuators in industrial facilities, such as manufacturing plants, steel mills, oil refineries, and infrastructures implementing complex monitoring and control processes. Although the typical industrial applications operate at low data rates, they pose unique challenges because of their critical demands for reliable and real-time communication in harsh industrial environments. Failure to achieve such performance can lead to production inefficiency, safety threats, and financial loss. These requirements have been traditionally met by specifically chosen wired solutions, e.g., the Highway Addressable Remote Transducer (HART) communication protocol [13], where cables connect sensors and forward sensor readings to a control room where a controller collects sensor readings and sends commands to actuators. However, wired networks are often costly to deploy and maintain in industrial environments and difficult to reconfigure to accommodate new production requirements. IEEE 802.15.4-based Wireless Sensor-Actuator Networks (WSANs) technology is appealing for use in industrial applications because it does not require wired infrastructure and can be manufactured inexpensively. Battery-powered wireless modules easily and inexpensively retrofit existing sensors and actuators in industrial facilities without running cables for communication and power.

There have been two major technology breakthroughs in industrial WSANs. An initial breakthrough came in 1997 from UC Berkeley's Smart Dust project [28], which demonstrated that tiny, low-power motes could sense, compute, and communicate through wireless mesh networks. A second breakthrough came in 2006 with the time-synchronized mesh protocol (TSMP) [29], with a core technology of Time-Synchronized Channel Hopping (TSCH): all devices in a network are time synchronized and hop channels to exploit frequency diversity. The TSCH technology was adopted by the leading industrial WSAN standards (WirelessHART [49] and ISA100 [15]) and the one being standardized by IETF (6TiSCH [14]). A decade of real-world deployments of WirelessHART and ISA100 have demonstrated the feasibility of using TSCH-based WSANs to achieve reliable low-power wireless communication in industrial facilities. Therefore, TSCH was amended into the IEEE 802.15.4e standard in 2012 [1] as a mode to support industrial or embedded applications with critical performance requirements.

To address the stringent real-time and reliability requirements, TSCH made a set of unique design choices that distinguish itself from traditional Medium Access Control (MAC) protocols designed for Wireless Sensor Networks (WSNs) that require only best effort services [22]. Specifically, TSCH divides time into slices of fixed length that are grouped in a slotframe. Nodes are synchronized and share the notion of a slotframe that repeats over time. Frequency diversity is used to mitigate effects of multipath fading and to improve the robustness and the network capacity. Channel hopping is achieved by sending successive packets on different frequencies. All devices in the network compute the channel hopping sequences by following a function. TSCH's function-based channel hopping simplifies the network operations at the cost of security. Our study shows that an attacker can reverse engineer the channel hopping sequences by silently observing the channel activities and put the network in danger of selective jamming attacks, where the attacker jams only the transmission of interest on its specific communication channel in its specific time slot, which

The remainder of the paper is organized as follows. Section 2 introduces the background of TSCH channel hopping. Section 3 presents the security vulnerability by demonstrating the cracking process. Section 4 and Section 5 describe two case studies. Section 6 presents our lessons learned. Section 7 reviews related work. Section 8 concludes the paper.

2 BACKGROUND ON TSCH CHANNEL HOPPING

To provide time-deterministic packet deliveries and combat narrow-band interference and multi-path fading, TSCH combines time-slotted MAC access, multi-channel communication, and channel hopping. TSCH divides time into slices of fixed length that are grouped in a slotframe. Each time slot is long enough to deliver a data packet and an acknowledgement between a pair of devices. Nodes are synchronized and share the notion of a slotframe that repeats over time. Channel hopping is achieved by sending successive packets on different frequencies. TSCH uses channel hopping sequences that are fixed and known by all devices in the network, instead of pseudo-random ones, to minimize the channel synchronization overhead. Initially, 16 different channels are available for communication. Each channel is identified by ChannelOffset. However, some of these frequencies could be blacklisted due to low-quality communication and, hence, the total number of channels N_channel used for channel hopping may be fewer than 16. In TSCH, a link is defined as the pairwise assignment of directed communication between two nodes in a given time slot on a given channel offset. Hence, a link between two communicating nodes can
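The paper only says that every device computes the hopping sequence "by following a function"; the function itself is the one defined by IEEE 802.15.4e (channel = sequence[(ASN + ChannelOffset) mod N_channel], where ASN is the absolute slot number). The example below, which is added here and is not the paper's code, implements that function with a constructed blacklist and computes how many slotframes it takes before a given link's channel pattern repeats, which is what makes the sequence predictable rather than pseudo-random.

```python
# Added example (not from the paper): the IEEE 802.15.4e TSCH hopping function
# and the period after which a single link's channel pattern repeats.
from math import gcd

# The 16 IEEE 802.15.4 channels in the 2.4 GHz band are numbered 11..26.
ALL_CHANNELS = list(range(11, 27))
# Constructed blacklist for this example (assumed, not from the paper).
BLACKLIST = {15, 20, 25, 26}


def hopping_sequence(blacklist=BLACKLIST):
    """Hopping sequence = the non-blacklisted channels; N_channel = its length."""
    return [c for c in ALL_CHANNELS if c not in blacklist]


def channel_for(asn, channel_offset, sequence):
    """802.15.4e hopping function: sequence[(ASN + ChannelOffset) mod N_channel]."""
    return sequence[(asn + channel_offset) % len(sequence)]


def link_channels(slot, channel_offset, slotframe_len, sequence, n_frames):
    """Channel used in successive slotframes by the link scheduled at
    (slot, channel_offset); ASN = frame * slotframe_len + slot."""
    return [channel_for(frame * slotframe_len + slot, channel_offset, sequence)
            for frame in range(n_frames)]


def link_period(slotframe_len, n_channel):
    """Slotframes after which a link's channel pattern repeats.
    Per frame the index advances by slotframe_len mod N_channel, so the
    period is N_channel / gcd(slotframe_len, N_channel)."""
    return n_channel // gcd(slotframe_len, n_channel)


if __name__ == "__main__":
    seq = hopping_sequence()
    period = link_period(4, len(seq))
    print("N_channel =", len(seq), "period (slotframes) =", period)
    print(link_channels(slot=2, channel_offset=1, slotframe_len=4,
                        sequence=seq, n_frames=2 * period))
```

A slotframe length coprime with N_channel (e.g. 101 slots and 12 channels) gives the longest period, N_channel slotframes; a length sharing a factor with N_channel makes the pattern repeat even sooner.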