This Hacker Knows Physics: Device Physics Aware Mimicry Attacks in Cyber-Physical Systems

Recent work proposed to improve the security of CPSs by authenticating the CPS devices through the device operation times in the response packets from the devices, due to the strong correlation between the timing fingerprints and the physics of the devices. Although such a technique may be effective in defending against naive attackers, an advanced attacker may monitor the operation of the CPS before launching a device physics aware mimicry attack. In this paper, we show how the spoofed response packets can be crafted by an attacker to deceive the CPS device authentication method based on the device operation times. Specifically, we use the timing and physical measurements embedded in the packets to reconstruct the devices in the physical system, which can be used to spoof response packets corresponding to the actual model and configuration of the devices in the CPS. We demonstrate the performance of our technique in realistic testbeds with real devices. Finally, we propose an upgraded defense mechanism that may be used against such mimicry attacks.