Replay Attack | Cyber-Physical Systems Virtual Organization

Replay Attack

Learning Goals

Even by taking the extra work to implement an out-of-band key exchange, replay attacks can still be effective
Replay attacks are countered by sequence numbering
Constant cycle of vulnerability, fixes, new vulnerability, stronger fixes, etc.

Description

Even with safely exchanged strong keys, replay attacks can still wreak havoc. The solution is to introduce sequence numbering, such that commands that don't have a higher sequence number are ignored by the robot. Replay attackers can't change the sequence number without knowing the key or keys, in which case replay attacks aren't necessary anyways.

Glossary

replay attack

Required/Authorized Commands

[seqno] [command]
reset seq
all previous commands

Activities

Replay Attack
- Even when an attacker cannot understand, decrypt or manipulate the contents of a message being sent to the robot, they still can capture and replay those commands. By storing a previously sent message - assuming it's a valid one - the attacker can play them back to the robot at any time to achieve the same results.
- This is done in the real world to "hack" such things as automatic locks in cars and remote-triggered garage door openers. The messages sent around are encrypted, but that doesn't matter with replay attacks. This allowed hackers to unlock or lock cars, open or close garage doors, etc. before these exploits were fixed.
- To demonstrate how a robot's intended behavior can be hijacked or interfered with through replaying their commands, we will listen to and capture the communication to the target robot and wait for an interesting command to be issued. Then it's just a matter of storing that last issued command for later use.
- Another approach could be to randomly play the last "n" commands back to the robot in random order.
- Students will do the Tug of War game with replay attacks this time. If done properly, even the student who does not know the key of the robot can influence that robot in unexpected ways!
Sequencing
- Demonstration of a simple technique to prevent even replay attacks.
- By simply adding a number to the beginning of each command - generally starting with 1 and increasing by at least 1 but no more than 100 for each successive command - replay attacks are rendered ineffective.

Common Pitfalls

Always changing keys would reduce the period that the robot will accept the captured command without sequencing. This is a good thing for defenders trying to secure their robots and a bad thing for potential attackers!