Air Watcher: wireless discovery in Guardian


In modern industrial environments, ensuring robust security against unauthorized wireless devices is essential from both an operational and a regulatory perspective. The increasing adoption of wireless technologies such as WiFi (IEEE 802.11) and Bluetooth offers multiple benefits, but it also introduces significant risks: unauthorized access, data breaches and potential disruption of critical networks.

To address these challenges, InprOTech has developed Air Watcher, a new feature of our Guardian tool that monitors and discovers wireless devices and their activities. It is built on the Python Scapy library.

This solution is specifically designed to identify and monitor wireless devices in industrial environments, providing a proactive approach to security management and detection of potentially malicious activities.

Why Guardian?

InprOTech Guardian is a cybersecurity tool designed and developed specifically to protect industrial networks. Its main objective is to monitor the traffic generated in production environments and analyse it using a combination of static, community and AI-powered rules. This approach makes it possible to identify threats effectively and issue real-time alerts, directly notifying plant managers and/or operators of possible attacks or operational failures so that they can anticipate and reduce their impact.

In addition to its traffic analysis and incident response capabilities, InprOTech Guardian includes additional tools that address other critical attack vectors, including Air Watcher, a wireless device detection and monitoring module. Air Watcher strengthens industrial security by identifying potential access points or unauthorized access attempts, an essential consideration in any comprehensive cybersecurity strategy.

Scapy and Its Capabilities

InprOTech Guardian uses Scapy, a powerful open-source Python library for capturing, manipulating and analysing wireless packets and network traffic. It is a recognised tool in the cybersecurity field for its versatility and its ability to interact with a wide range of network protocols.

Among its key features, Scapy offers comprehensive support for the main wireless protocols, including WiFi (IEEE 802.11) and Bluetooth, which makes it an essential building block for Air Watcher.

Key Capabilities of Scapy

  1. Packet Creation and Injection: Scapy allows users to build and send custom-designed packets, an essential capability for penetration testing, security audits and controlled attack simulations.
  2. Protocol Analysis: With its ability to dissect and analyse a wide range of protocols, Scapy provides granular information about network communications.
  3. Extensible and Modular Architecture: The modular nature of Scapy allows it to be customized to the specific needs of each environment.
  4. Packet Capture: Scapy can capture live packets from multiple interfaces, enabling continuous monitoring of traffic.

Development

Guardian, true to its purpose as a passive and non-intrusive agent, focuses exclusively on capturing IEEE 802.11 packets of the following types:

  1. Probe Request: Packets sent by devices looking for available networks.
  2. Beacon: Broadcast packets generated by access points to announce their presence.
  3. Association/Reassociation: Packets generated during a connection attempt or a reconnection to a network.
  4. Data Frames: Indicate that a device is transmitting information, providing evidence of activity on the network.

To maximise the amount of traffic captured, Guardian implements channel hopping: the capturing interface switches continuously between WiFi channels, achieving more complete coverage of the wireless spectrum.
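As an added illustration of the two mechanisms just described (classifying the four 802.11 frame kinds and hopping channels), here is a small plain-Python module that is not InprOTech's code. It parses the same frame-control and address fields that Scapy's `Dot11` layer dissects, so the logic can run offline on constructed byte strings; in a live deployment the frames would come from Scapy's `sniff()` on a monitor-mode interface, and the radio-control callback passed to `hop_channels` would run a command such as `iw dev <iface> set channel <n>`. All MAC addresses, the SSID `PlantAP` and the hop order are constructed for the example.

```python
# Added example (not InprOTech's code): classify the four IEEE 802.11 frame kinds Guardian
# watches, build a per-MAC activity inventory, and schedule channel hopping with the radio
# control injected so the logic runs offline. Sample frames are constructed, not captured.
import struct
import time
from collections import defaultdict

# Management subtypes of interest (IEEE 802.11 type 0): subtype -> label
MGMT_SUBTYPES = {0: "assoc_req", 2: "reassoc_req", 4: "probe_req", 8: "beacon"}
# Fixed fields that precede the tagged information elements in each management body:
# beacon = timestamp(8)+interval(2)+capability(2); assoc = capability(2)+listen(2);
# reassoc = capability(2)+listen(2)+current AP(6); a probe request has none.
IE_OFFSET = {"beacon": 12, "probe_req": 0, "assoc_req": 4, "reassoc_req": 10}
# Constructed 2.4 GHz hop order: the non-overlapping channels 1/6/11 first, then the rest
CHANNELS_2G4 = [1, 6, 11, 2, 7, 3, 8, 4, 9, 5, 10, 12, 13]


def mac_str(raw6):
    return ":".join(f"{b:02x}" for b in raw6)


def ssid_from_ies(body):
    """Walk the (ID, length, value) elements and return the SSID string, or None if absent."""
    i = 0
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        val = body[i + 2:i + 2 + ln]
        if len(val) < ln:            # truncated element: stop rather than misparse
            return None
        if eid == 0:                 # element ID 0 = SSID (empty string = wildcard probe)
            return val.decode("utf-8", "replace")
        i += 2 + ln
    return None


def classify_frame(raw):
    """Return (kind, transmitter_mac, ssid) for the frame kinds Guardian watches, else None."""
    if len(raw) < 24:                # shorter than a full MAC header (e.g. RTS/CTS/ACK)
        return None
    fc0 = raw[0]                     # frame control byte 0: version(2) | type(2) | subtype(4)
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    addr2 = mac_str(raw[10:16])      # Address 2 is always the transmitter
    if ftype == 2:                   # any data frame is evidence that the device is active
        return ("data", addr2, None)
    if ftype == 0 and subtype in MGMT_SUBTYPES:
        kind = MGMT_SUBTYPES[subtype]
        return (kind, addr2, ssid_from_ies(raw[24 + IE_OFFSET[kind]:]))
    return None                      # control frames and other management subtypes are ignored


def build_inventory(frames):
    """Aggregate per-MAC evidence: which activities were seen and which SSIDs were involved."""
    inv = defaultdict(lambda: {"activities": set(), "ssids": set()})
    for raw in frames:
        res = classify_frame(raw)
        if res is None:
            continue
        kind, mac, ssid = res
        inv[mac]["activities"].add(kind)
        if ssid is not None:
            inv[mac]["ssids"].add(ssid or "<wildcard>")
    return dict(inv)


def hop_channels(set_channel, channels=CHANNELS_2G4, rounds=1, dwell=0.25, sleep=time.sleep):
    """Cycle through channels, calling set_channel(ch) and dwelling on each; returns the visit order.
    set_channel is injected so the schedule is testable without a radio; on a monitor-mode
    interface it would run, for example, ['iw', 'dev', iface, 'set', 'channel', str(ch)]."""
    visited = []
    for _ in range(rounds):
        for ch in channels:
            set_channel(ch)
            visited.append(ch)
            sleep(dwell)
    return visited


# --- constructed sample frames (not captured traffic) ---------------------------------------
def _frame(ftype, subtype, addr1, addr2, addr3, body=b"", flags=0):
    fc0 = (ftype << 2) | (subtype << 4)              # protocol version 0
    return struct.pack("<BBH", fc0, flags, 0) + addr1 + addr2 + addr3 + b"\x00\x00" + body


def sample_frames():
    ap = bytes.fromhex("aabbcc000001")                # constructed access point MAC
    client = bytes.fromhex("112233445566")            # constructed client MAC
    bcast = b"\xff" * 6
    ssid_ie = bytes([0, 7]) + b"PlantAP"
    return [
        _frame(0, 8, bcast, ap, ap, struct.pack("<QHH", 0, 100, 0x0411) + ssid_ie),  # beacon
        _frame(0, 4, bcast, client, bcast, bytes([0, 0])),                            # wildcard probe
        _frame(0, 4, bcast, client, bcast, ssid_ie),                                  # directed probe
        _frame(0, 0, ap, client, ap, struct.pack("<HH", 0x0411, 10) + ssid_ie),       # assoc request
        _frame(2, 0, ap, client, ap, b"\xaa\xaa\x03" + b"\x00" * 13, flags=0x01),     # data frame, ToDS
        _frame(1, 11, ap, client, ap, b"\x00" * 8),                                   # control frame, ignored
    ]


if __name__ == "__main__":
    print(build_inventory(sample_frames()))
    print(hop_channels(lambda ch: None, channels=[1, 6, 11], sleep=lambda s: None))
```

The inventory keyed by transmitter MAC is what the "identify devices by MAC address and activity" goal below boils down to; the hop scheduler is deliberately separated from the radio so the dwell order can be unit-tested and the actual channel change stays a one-line callback.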

For Bluetooth device scanning, Guardian uses the system Bluetooth interface to capture the HCI (Host Controller Interface) packets generated during active searches. This process consists of sending sampling requests and listening for the responses of the devices within range.

The captured packets contain only the public information that the detected devices themselves provide; it is extracted and processed for analysis. This approach ensures efficient, non-intrusive monitoring and gives an accurate view of the active Bluetooth devices in the environment.
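To make the "public information" concrete, here is an added plain-Python parser, not InprOTech's code, for the two classic-Bluetooth inquiry-result HCI events a host receives during an active search: Inquiry Result with RSSI (event code 0x22) and Extended Inquiry Result (event code 0x2F), with their parameter layouts as defined in the Bluetooth Core Specification. The bytes it parses are the same H4-framed events that Scapy's `BluetoothHCISocket` delivers; the device addresses, class-of-device values, RSSI readings and the name `PLC-HMI` are constructed for the example.

```python
# Added example (not InprOTech's code): parse the two classic-Bluetooth inquiry-result HCI
# events seen during an active scan and collect the public fields they carry (BD_ADDR,
# class of device, RSSI, advertised local name). All packets below are constructed.
import struct

HCI_EVENT_PKT = 0x04                  # H4 packet indicator for an HCI event
EVT_INQUIRY_RESULT_WITH_RSSI = 0x22
EVT_EXTENDED_INQUIRY_RESULT = 0x2F
EIR_NAME_TYPES = (0x08, 0x09)         # shortened / complete local name
RECORD_LEN = 14                       # BD_ADDR(6)+PSRM(1)+Reserved(1)+CoD(3)+ClockOffset(2)+RSSI(1)


def bdaddr_str(raw6):
    """BD_ADDR is sent least-significant byte first; render it in the usual MSB-first form."""
    return ":".join(f"{b:02X}" for b in reversed(raw6))


def parse_eir_name(eir):
    """EIR data is a run of (length, type, data) structures; return the local name if present."""
    i, name = 0, None
    while i < len(eir):
        ln = eir[i]
        if ln == 0:                    # a zero-length structure ends the significant part
            break
        if i + 1 + ln > len(eir):      # malformed structure overrunning the buffer
            break
        if eir[i + 1] in EIR_NAME_TYPES:
            name = eir[i + 2:i + 1 + ln].decode("utf-8", "replace")
        i += 1 + ln
    return name


def _record(rec, eir=b""):
    return {
        "bdaddr": bdaddr_str(rec[0:6]),
        "cod": int.from_bytes(rec[8:11], "little"),
        "rssi": struct.unpack("<b", rec[13:14])[0],   # signed dBm
        "name": parse_eir_name(eir),
    }


def parse_hci_event(pkt):
    """Return the inquiry records in one H4 event packet; [] for other packets or malformed input."""
    if len(pkt) < 3 or pkt[0] != HCI_EVENT_PKT:
        return []
    code, plen = pkt[1], pkt[2]
    params = pkt[3:3 + plen]
    if len(params) != plen:            # truncated parameter block
        return []
    if code == EVT_INQUIRY_RESULT_WITH_RSSI:
        # Num_Responses, then consecutive 14-byte records (controllers usually send one per event)
        n, off, out = params[0], 1, []
        for _ in range(n):
            rec = params[off:off + RECORD_LEN]
            if len(rec) < RECORD_LEN:
                break
            out.append(_record(rec))
            off += RECORD_LEN
        return out
    if code == EVT_EXTENDED_INQUIRY_RESULT:
        # Always a single response: 14-byte record followed by up to 240 bytes of EIR data
        if len(params) < 1 + RECORD_LEN:
            return []
        return [_record(params[1:1 + RECORD_LEN], params[1 + RECORD_LEN:])]
    return []


def scan_inventory(packets):
    """Merge records from a stream of HCI packets, keeping the strongest RSSI and any name seen."""
    seen = {}
    for pkt in packets:
        for rec in parse_hci_event(pkt):
            cur = seen.setdefault(rec["bdaddr"], rec)
            if rec["rssi"] > cur["rssi"]:
                cur["rssi"] = rec["rssi"]
            if rec["name"] and not cur["name"]:
                cur["name"] = rec["name"]
    return seen


# --- constructed sample packets (not a real capture) ----------------------------------------
def _event(code, params):
    return bytes([HCI_EVENT_PKT, code, len(params)]) + params


def sample_hci_packets():
    # record = BD_ADDR (LSB first) + PSRM + Reserved + CoD (LSB first) + Clock_Offset + RSSI
    rec_a = bytes.fromhex("1371da7d1a00") + b"\x01\x00" + b"\x04\x01\x00" + b"\x00\x00" + b"\xc4"  # -60 dBm
    rec_b = bytes.fromhex("9a78563412c8") + b"\x01\x00" + b"\x04\x01\x00" + b"\x00\x00" + b"\xd8"  # -40 dBm
    eir = (bytes([8, 0x09]) + b"PLC-HMI").ljust(240, b"\x00")                                        # complete local name
    return [
        _event(EVT_INQUIRY_RESULT_WITH_RSSI, b"\x01" + rec_a),
        _event(EVT_EXTENDED_INQUIRY_RESULT, b"\x01" + rec_b + eir),
        _event(0x0E, b"\x01\x01\x04\x00"),                      # Command Complete: ignored
        bytes([0x02, 0x01, 0x00, 0x00, 0x00]),                  # ACL data packet: ignored
        _event(EVT_INQUIRY_RESULT_WITH_RSSI, b"\x01" + rec_a[:-1] + b"\xce"),  # same device, -50 dBm
    ]


if __name__ == "__main__":
    for addr, rec in scan_inventory(sample_hci_packets()).items():
        print(addr, rec)
```

Everything the parser extracts (address, class of device, signal strength, name) is data the remote device chose to transmit in response to the inquiry, which is the sense in which the monitoring stays passive with respect to the devices' own traffic.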

The tool aims to:

  1. Identify wireless devices: Capture and analyse WiFi and Bluetooth packets to identify the wireless devices in an environment, based on their MAC address and the specific activities performed at the time of capture.
  2. Monitor activities and anomalies: Monitor wireless communications to detect unusual patterns, unknown devices, unauthorized access or activities that may pose industrial security risks.
  3. Issue alerts: Generate automatic alerts for suspicious activities or devices that may be a security threat.

Benefits

The development and implementation of Air Watcher provides multiple key advantages to strengthen security in industrial environments.

  1. Enhanced Visibility and Optimized Security: Offers real-time monitoring of wireless devices, providing a clear view of their activities. This allows unauthorized devices to be identified quickly and immediate action to be taken to mitigate potential threats, optimizing network protection.
  2. Proactive Threat Management: Enables security teams to respond quickly and effectively to suspicious events or anomalous behaviour, significantly reducing the risk of operational disruptions and possible vulnerabilities.
  3. Regulatory and Normative Compliance: Helps comply with industrial security standards and regulations, enforcing the policies related to the management and monitoring of wireless devices.
  4. Cost Effectiveness and Efficiency: Being based on open-source technologies such as Scapy, Air Watcher minimises implementation and maintenance costs, offering a robust and affordable solution without straining the budget.

Summary

In conclusion, the development of Air Watcher, InprOTech Guardian's wireless device discovery tool, responds to the growing need to strengthen security in industrial environments. Leveraging the advanced packet capture and analysis capabilities of Scapy, Air Watcher provides comprehensive real-time visibility, facilitates proactive threat management and integrates with existing security systems.

In addition, the benefits in terms of improved security and compliance make Air Watcher a crucial addition to industrial security measures. Through meticulous implementation and continuous improvement, this tool has the potential to contribute significantly to the protection of industrial environments from wireless threats.
