Air Watcher: wireless discovery in Guardian

Techpapers

In modern industrial environments, robust protection against unauthorized wireless devices is critical. The growing use of wireless technologies such as WiFi (IEEE 802.11) and Bluetooth® brings both opportunities and risks: unauthorized or rogue devices can lead to data breaches and network disruptions. To mitigate these risks, we have developed Air Watcher, a wireless device discovery tool built on the Python library Scapy. It strengthens security by identifying and monitoring the wireless devices present in industrial environments.

Why Guardian?

Guardian is a cybersecurity tool designed and developed for industrial networks. Its main role is to monitor the traffic generated by the factory and analyze it against a combination of static, community-based and AI-powered rules, from which alerts are delivered directly to the workforce so that any attack or malfunction in progress can be cut short. Beyond these core capabilities, InprOTech Guardian offers other tools, such as Air Watcher, the wireless device discoverer described here: wireless is an attack vector that should not be overlooked.

Scapy and Its Capabilities

InprOTech Guardian uses Scapy, a powerful open source packet manipulation library written in Python. It lets users craft, send, dissect and capture network packets, which makes it well suited to wireless network analysis. Scapy supports a wide range of protocols, including WiFi (IEEE 802.11) and Bluetooth, both essential for our tool.

Key Capabilities of Scapy

  1. Packet Crafting and Injection: Users can create and send custom packets, useful for testing and network security assessments.
  2. Protocol Analysis: Scapy can dissect and analyze numerous protocols, offering detailed insights into network communications.
  3. Extensibility: Scapy’s modular architecture allows for easy extension and customization to meet specific needs.
  4. Packet Sniffing: Last but not least, Scapy can capture live packets from various interfaces, feeding real-time events into Guardian.

Development

In keeping with its role as a silent agent, Guardian captures IEEE 802.11 frames passively, never transmitting, and looks only at the public information carried by three management frame types: Probe Requests (sent by clients searching for networks, which expose the client MAC address and the SSIDs it asks for), Beacons (sent by access points, which expose the BSSID and SSID) and Disassociation frames (which mark a station or access point ending an association). The tool aims to:

Identify Devices: Capture and analyze WiFi and Bluetooth packets to identify wireless devices by their MAC addresses. Bear in mind that many phones randomize the MAC address they use in probe requests (the locally administered bit of the first octet is set), so a MAC seen there may identify a probing session rather than a physical device.

Monitor Activity: Monitor wireless communications to detect unknown, unauthorized or rogue devices.

Provide Alerts: Generate alerts for suspicious activities or devices that may pose security threats.
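The following is an added example of the three aims above applied to raw frames; it is not code from the article or from Guardian. It dissects the three management frame types the tool watches (Probe Request, Beacon, Disassociation), keeps an inventory of senders and raises alerts for MACs outside an allowlist. The frame layout is the standard 802.11 header with radiotap and FCS already stripped; the MAC addresses, the SSID "PLANT-OT", the sample frames and the alert rules (unknown device, randomized MAC, any disassociation) are the example's own assumptions, not Guardian's.

```python
"""Passive triage of IEEE 802.11 Probe Request, Beacon and Disassociation frames. Added example
for this article, not InprOTech Guardian code; input is a raw 802.11 frame with radiotap header
and FCS already stripped (what bytes(pkt[Dot11]) yields in Scapy after a monitor-mode capture)."""
import struct

SUBTYPES = {4: "ProbeReq", 8: "Beacon", 10: "Disassoc"}   # management subtypes of interest
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)
def mac_bytes(text):
    return bytes(int(p, 16) for p in text.split(":"))

def is_locally_administered(mac):
    # bit 1 of the first octet: software-assigned (e.g. randomised) MAC, names a session, not a device
    return bool(int(mac.split(":")[0], 16) & 0x02)

def iter_ies(body):
    """Yield (element id, value) from the tagged parameters; stop at a truncated element."""
    pos = 0
    while pos + 2 <= len(body):
        eid, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:
            return                          # element claims more bytes than the frame holds
        yield eid, value
        pos += 2 + length

def parse_mgmt_frame(frame):
    """Return kind, addresses, SSID and reason code for the three frame kinds, else None."""
    if len(frame) < 24:
        return None
    fc = frame[0]                           # version (bits 0-1), type (2-3), subtype (4-7)
    kind = SUBTYPES.get(fc >> 4) if (fc & 0x0F) == 0 else None   # version 0, type 0 (management)
    if kind is None:
        return None
    info = {"kind": kind, "da": mac_str(frame[4:10]), "sa": mac_str(frame[10:16]),
            "bssid": mac_str(frame[16:22]), "ssid": None, "reason": None}
    body = frame[24:]
    if kind == "Disassoc":
        info["reason"] = struct.unpack("<H", body[:2])[0] if len(body) >= 2 else None
        return info
    if kind == "Beacon":
        body = body[12:]                    # skip timestamp(8) + interval(2) + capabilities(2)
    for eid, value in iter_ies(body):
        if eid == 0:                        # SSID element; empty = wildcard probe or hidden SSID
            info["ssid"] = value.decode("utf-8", "replace")
            break
    return info

class AirWatcher:
    """Inventory of frame senders plus deduplicated alerts for anything outside the allowlist."""
    def __init__(self, allowlist):
        self.allowlist = {m.lower() for m in allowlist}
        self.devices = {}                   # sender MAC -> {"roles", "ssids", "frames"}
        self.alerts = []                    # (mac, reason) pairs

    def _alert(self, mac, reason):
        if (mac, reason) not in self.alerts:
            self.alerts.append((mac, reason))

    def observe(self, frame):
        info = parse_mgmt_frame(frame)
        if info is None:
            return None
        mac = info["sa"]
        rec = self.devices.setdefault(mac, {"roles": set(), "ssids": set(), "frames": 0})
        rec["frames"] += 1
        role = {"Beacon": "ap", "ProbeReq": "station"}.get(info["kind"])
        if role:
            rec["roles"].add(role)
        if info["ssid"]:
            rec["ssids"].add(info["ssid"])
        if mac not in self.allowlist:
            self._alert(mac, "randomised MAC, unknown device" if is_locally_administered(mac)
                        else "unknown device")
        if info["kind"] == "Disassoc":      # a station being kicked off is always worth a look
            self._alert(mac, f"disassociation of {info['da']} (reason {info['reason']})")
        return info

def build_frame(fc0, da, sa, bssid, body):  # raw header: FC(2) duration(2) addr1-3 seq(2), then body
    return bytes([fc0, 0, 0, 0]) + mac_bytes(da) + mac_bytes(sa) + mac_bytes(bssid) + b"\x00\x00" + body

AP, HMI = "aa:bb:cc:00:00:01", "00:1a:2b:3c:4d:5e"     # constructed plant AP and HMI, both allowlisted
SSID_IE = b"\x00\x08PLANT-OT"                          # SSID element: id 0, length 8
SAMPLE_FRAMES = [                                      # constructed frames, not real captures
    build_frame(0x40, BROADCAST, "02:11:22:33:44:55", BROADCAST, SSID_IE + b"\x01\x02\x82\x84"),  # randomised-MAC phone probing for the plant SSID
    build_frame(0x80, BROADCAST, AP, AP, b"\x00" * 8 + b"\x64\x00\x11\x04" + SSID_IE),            # the plant AP's beacon
    build_frame(0x40, BROADCAST, "00:de:ad:be:ef:01", BROADCAST, b"\x00\x00"),                   # unknown device, wildcard probe
    build_frame(0xA0, HMI, AP, AP, struct.pack("<H", 8)),                                        # HMI disassociated in the AP's name
    build_frame(0x08, AP, HMI, AP, b"\x00" * 8),                                                 # data frame: ignored
]

def run_demo():
    watcher = AirWatcher(allowlist=[AP, HMI])
    for frame in SAMPLE_FRAMES:
        watcher.observe(frame)
    return watcher
```

Running `run_demo()` on the constructed frames leaves three senders in the inventory (the plant AP as "ap", the two probing stations as "station") and three alerts: the randomized-MAC phone, the unknown vendor-assigned device, and the disassociation of the HMI. To feed it live traffic with Scapy, put the adapter in monitor mode (raw-socket privileges are required) and pass each captured packet's Dot11 layer to `observe`, e.g. `sniff(iface="wlan0mon", prn=lambda p: watcher.observe(bytes(p[Dot11])) if p.haslayer(Dot11) else None)`; the interface name is an assumption, and if your driver delivers the FCS you need to drop the trailing four bytes first.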

Benefits

The development and deployment of Air Watcher offer several key benefits for industrial security:

Enhanced Visibility and Improved Security: Provides real-time visibility into wireless device activities, enabling quick identification of unauthorized devices and swift action against potential threats.

Proactive Threat Management: Enables security teams to respond swiftly to potential threats, minimizing the risk of network disruptions.

Compliance: Assists in meeting regulatory requirements and industry standards for wireless security in industrial settings.

Cost-Effective: Utilizes open-source technologies like Scapy, reducing the overall cost of implementation and maintenance.

Dangers

While the tool brings significant security benefits, there are risks to consider. Following good practices for a secure SDLC (Software Development Life Cycle) and an ISMS (Information Security Management System) is in most cases enough to keep them mitigated:

  1. Privacy Concerns: Continuous monitoring of wireless communications may raise privacy issues, requiring strict adherence to privacy regulations and policies.
  2. False Positives: The tool might generate false alerts, leading to unnecessary investigations and potentially causing operational disruptions.
  3. Resource Consumption: Continuous packet capturing and analysis can consume significant computational resources, impacting system performance.
  4. Security Risks: The tool itself must be secured to prevent misuse by malicious actors seeking to exploit its capabilities for nefarious purposes.

Summary

In conclusion, Air Watcher, the wireless device discovery tool of InprOTech Guardian, addresses the critical need for stronger security in industrial environments. By leveraging Scapy's packet capturing features, the tool provides real-time visibility, proactive threat management and integration with the rest of Guardian. While its deployment carries challenges and potential dangers, virtually all of them are common to other parts of Guardian, and the benefits of improved security and compliance make it a valuable addition to industrial security measures. Through careful implementation and continuous refinement, this tool can contribute significantly to safeguarding industrial environments against wireless threats.
