Please use this identifier to cite or link to this item: https://dl.ucsc.cmb.ac.lk/jspui/handle/123456789/4707
Title: WiFi Blackbox - A Tamper-proof Forensic-ready Device for Wifi Networks
Authors: Wickramsekara, A. S.
Issue Date: 22-Jun-2023
Abstract: With the current trend in computer and communication technologies, wired computer networks are almost entirely being replaced by wireless networks. For this purpose, the IEEE 802.11 protocol, i.e., Wi-Fi, is increasingly being used. With this rapid increase in usage, Wi-Fi networks are becoming the most important target of network-based malicious activities. It has been found that most successful Wi-Fi-related attacks in recent history have originated from internal threat actors, which amount to 60% of all attacks. In order to counter these kinds of internal Wi-Fi attacks, this research aims to create and deploy a forensic-ready device, called WiFi-Blackbox, for internal networks. It acts as a passive control mechanism that monitors, stores, and communicates the activities in a Wi-Fi network and later detects anomalies and patterns in the gathered data. The WiFi-Blackbox device integrates five main hardware components and five software modules. The main board is a Raspberry Pi 4 single-board computer, combined with an RTL881cu USB Wi-Fi adapter that operates in Wi-Fi monitor mode to observe nearby Wi-Fi networks constantly. To make the device tamper-proof, various physical and technical controls have been applied, such as a reliable internal power supply to withstand power failures and a backup 4G modem to withstand network failures. The device is also equipped with a GPS sensor to determine its location, which can be used to deter theft. The enclosure-open notifier is another technical security control: it detects physical tampering attempts on the device by sensing attempts to open the sealed enclosure. All the hardware components are controlled by internal software modules, which were written in a mixture of Python, PHP, and shell scripts.
The Sniffing module connects to the Wi-Fi adapter, sniffs all data frames, stores the relevant frames, and decrypts them where necessary. The Anomaly Detection module checks each data frame for anomalies and notifies the user. It uses a third-party virus database to detect viruses, Trojans, and other malware, and at the same time detects anomalies such as denial-of-service attacks. The device's Backup and Maintenance module is responsible for keeping backups of captured frames, while the System Monitor module helps to maintain a healthy system. The Communication module is the key to secure communication between multiple WiFi-Blackbox devices, which notify each other about incidents. The evaluation was done in a controlled environment with known infected files. Furthermore, stress testing was done using 10 Wi-Fi networks in the deployed environment. The results indicate that continuous data capture and anomaly detection consume the maximum CPU power and raise the CPU temperature to 86 °C. Also, the device's data accuracy is about 99%, and the data corruption rate is less than 1%. This research indicates that internal Wi-Fi networks can be protected and Wi-Fi-related activities can be tracked and saved for forensic purposes. At the same time, it shows the possibility of implementing a tamper-proof network monitoring platform and how to discourage insider attackers by presenting the device as a deterrent control.
URI: https://dl.ucsc.cmb.ac.lk/jspui/handle/123456789/4707
Appears in Collections: 2022

Files in This Item:
File: 2019 MIS 027.pdf
Description: (none)
Size: 4.36 MB
Format: Adobe PDF