What RF Attacks Are and How to Defend Against Them


Firewalls and rules are in place, intrusion detection systems are running, and all industry best practices are being followed. Great, but what about Radio Frequency attacks? They nimbly sidestep all of that.

Radio Frequency Attacks

Firewalls and intrusion detection systems (IDS) expect attacks to come from certain directions, with particular points of ingress, and to leave predictable and discernible tracks behind them. Those premises hold true for traditional cyberattacks, which is why firewalls, IDS, and other defensive measures are effective.

However, there is another class of threats that utilize an often ignored attack vector. Radio frequency (RF) attacks target devices that make use of communications methods such as Bluetooth, Bluetooth Low Energy (BLE), radio, and Wi-Fi. In fact, all of these technologies transmit and receive data using radio waves, operating as they do within the RF Spectrum. Radio is included in the list to represent devices that use RF without wrapping it into one of the other technologies.

RF communications sidestep firewalls and network-based detection systems, and penetration testing and vulnerability scans don’t look at the RF spectrum.

The Size of the Problem

Ericsson estimates that there will be 25 billion connected devices by the year 2025. More than three-quarters of those will have some form of RF capability. The burgeoning Internet of Things and the vast increase in affordable, cheaply-produced smart devices are changing the attack surface of corporate networks. RF-enabled devices introduce new risks and vulnerabilities and offer the threat actors new opportunities to compromise systems.

And it isn’t just the new generation of devices that bring the risk of compromise. Radio-based wireless keyboards and mice are susceptible to attack. The ubiquitous smartphone can be used to perpetrate attacks. And every member of your workforce will have a smartphone—some of them may even be issued by your company.

What Can The Attackers Do?

Wireless and Bluetooth Keyboards and Mice

Using extremely cheap and easy-to-obtain USB wireless dongles, a threat actor can tune in to the communication between radio-connected devices—for example between a keyboard and the radio USB dongle in the computer—from within about 250 feet. With more expensive equipment they can increase that distance to about a mile.

Once they’ve tuned in, their equipment can eavesdrop on all keystrokes sent from the keyboard to the victim’s computer. This allows them to capture passwords or any other sensitive information they can find in the data. If the victim makes an online purchase they may capture other valuable information such as credit card or PayPal details.

The threat actor need not even be present. They may surreptitiously plant a small device such as a Raspberry Pi or BeagleBone with suitable USB dongles and access it remotely.

The threat actor can inject a rapid stream of their own keystrokes to the victim’s computer. The computer can then be directed to download malware such as a remote access trojan, or a rootkit. The threat actor can then remotely access the computer whenever they choose. The victim would see only a slight flicker on the screen.

It’s this ability to listen to RF traffic, to block it or modify it, or even to substitute it altogether with bogus traffic that makes RF attacks so insidious. The threat actor can record a stream of data transmitted from one radio device to a different receiving device, and replay it at a later time. The receiving device accepts the traffic as though it came from the original, legitimate device. At one time this was a common approach to unlock car doors.

Some sophistication has crept in at the high-end of the market, with rolling code techniques making such attacks more difficult. Rolling codes work on the principle that an unpredictable—and yet calculable—code is sent with the data to the receiving device. The receiving device follows the same algorithm and performs the same calculations. If the received code and the calculated code match, the rest of the transmission is accepted.
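To make the principle concrete, here is an added example (not from the original article or any vendor) of a counter-based rolling code with an acceptance window: the transmitter attaches a keyed code derived from a frame counter, and the receiver only accepts codes for counters it has not yet seen. The key, counter values and window size are constructed for illustration; real products use vendor-specific algorithms.

```python
import hmac
import hashlib

# Constructed demo of the rolling-code principle described above: both sides
# share a secret key and derive the expected code from a frame counter. Key and
# counter values are made up for illustration.

def rolling_code(key: bytes, counter: int) -> bytes:
    """Code the transmitter attaches to frame number `counter` (4 bytes)."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class Receiver:
    """Receiver that remembers the last accepted counter and looks ahead a window."""

    def __init__(self, key: bytes, window: int = 16):
        self.key = key
        self.window = window
        self.last_counter = -1  # nothing accepted yet

    def accept(self, code: bytes) -> bool:
        # Only counters strictly after the last accepted one are candidates, so a
        # recorded frame replayed later never matches. The window tolerates button
        # presses the receiver never heard (out of range, interference).
        start = self.last_counter + 1
        for candidate in range(start, start + self.window):
            if hmac.compare_digest(rolling_code(self.key, candidate), code):
                self.last_counter = candidate
                return True
        return False


def demo():
    """Walk through fresh, replayed, skipped, stale and out-of-window frames."""
    key = b"constructed-demo-key"
    rx = Receiver(key)
    first = rolling_code(key, 0)
    return [
        rx.accept(first),                   # fresh press: accepted
        rx.accept(first),                   # same frame replayed: rejected
        rx.accept(rolling_code(key, 3)),    # two presses missed, still in window: accepted
        rx.accept(rolling_code(key, 1)),    # counter behind the receiver: rejected
        rx.accept(rolling_code(key, 100)),  # far beyond the window: rejected (needs resync)
    ]
```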

However, very few manufacturers do this with cheap—or even mid-range—internet of things appliances and RF devices. And yet every one of those devices is a potential gateway onto your network. Even when they have been notified of vulnerabilities in their hardware or firmware, manufacturers are slow to respond. Some vulnerabilities are still present in new products that were reported on old products literally years ago.

Bluetooth and BLE devices can be compromised in similar ways, including Bluetooth wireless keyboards and mice.

Industrial Controllers

A lot of heavy plant such as cranes is either factory-equipped to be remotely controlled or this functionality can be fitted with after-market devices. The RF remote control units were designed with safety in mind, not security.

They are prone to the same attacks as any other RF device, including covertly cloning the legitimate controller so that the threat actor has a fake but seemingly legitimate controller of their own. Drones can be used to get the threat actor’s equipment close enough to initiate the attack.

Someone wishing to halt production could cause their transmitter to repeatedly send the “emergency stop” or “emergency brake” instruction, effectively halting productivity.

Smart Devices

Internet of Things devices, wearable computing devices, Wi-Fi or Bluetooth enabled printers, and even hospital medical devices have been shown to have vulnerabilities that can be exploited. Often the compromised device isn’t the target the threat actor is after; it is just the vulnerability they use as the point of ingress. They then pivot to other, more interesting devices on the network.

Often, Wi-Fi is left switched on, even on devices that don’t need it. For example, a Wi-Fi enabled printer that is being used with a wired network connection. It’s easy to forget to lock down the Wi-Fi on the printer because, well, it’s not being used, right?

Smartphones

Smartphones can be used by disgruntled employees, industrial spies, or saboteurs to covertly record conversations and meetings. They can also be used to record video. They can be used in the same way as USB memory sticks, and copies of sensitive documents can be exfiltrated by copying them to the storage of the smartphone. And by their nature, there’s nothing suspicious about a visitor to your premises having a smartphone. We expect people to carry them.

A smartphone can be tethered to a laptop by Bluetooth and its 4G or 5G connection used to send stolen data to the threat actors. This would be entirely invisible to normal threat detection systems.

Wi-Fi

Vulnerable Wi-Fi devices are commonplace. Security is an R&D cost, and for cheap devices it is often dropped from the budget, if it was ever there in the first place. Many businesses cannot tell you how many Wi-Fi devices are connected to their network at any given time. Many of those devices will be vulnerable, especially if you have a lenient Bring Your Own Device policy.

Rogue Wi-Fi access points can be deployed to fool devices into connecting to the threat actor’s bogus network.

How To Defend Your Network

Defending against RF threats requires specialist equipment and services. The task facing the CSO is, as always, one of measurement, monitoring, and management. Bastille is a market leader in providing RF detection and alerting systems that help protect enterprise and government facilities alike.

“Understanding radio frequency (RF) transmissions in your facilities and understanding what communication is taking place is as essential as understanding what communication is going on between your network and the outside world,” said Bob Baxley, CTO at Bastille. “Bastille detects and locates RF devices within a building. Bastille demodulates each packet, allowing it to identify and differentiate individual devices and their emissions, even when the devices are closely clustered.”

Without that type of detection and granularity, countering RF-based threats becomes very difficult indeed. To be effective, your response to the RF risks must include:

  • Quantifying what RF devices are on your premises, including those that are mobile and carried in by staff and visitors.
  • Assessing what communication is taking place between RF devices on the four prime protocols: Cellular, Bluetooth, Bluetooth Low Energy, and Wi-Fi.
  • Real-time monitoring and alerting providing clear and accurate information, feeding into situational awareness.
  • Detecting and identifying unknown devices, which protects the organization from RF attacks.
  • Establishing RF-free areas such as the boardroom or server room, or RF-restricted zones where only a set of validated devices are allowed to enter.
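The last three points can be expressed as a simple policy check. The following is an added example, not code from the article or from any vendor product: it takes RF sightings as a sensor platform might report them (protocol, identifier, located zone), compares them with a list of validated devices and a per-zone policy, and emits the alerts that would feed a monitoring console. All addresses, zone names and sightings are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed example: evaluating RF sightings against an allowlist of validated
# devices and a zone policy (RF-free, RF-restricted, open). All identifiers and
# zone names are made up for illustration.

@dataclass(frozen=True)
class Sighting:
    protocol: str   # one of "cellular", "bluetooth", "ble", "wifi"
    address: str    # hardware or cellular identifier as reported by the sensor
    zone: str       # area the sensor located the emitter in

# Validated (protocol, address) pairs; constructed values.
ALLOWLIST = {
    ("wifi", "aa:bb:cc:00:00:01"),
    ("bluetooth", "aa:bb:cc:00:00:02"),
}

# "rf-free": any emission is an alert; "restricted": only validated devices;
# "open": unknown devices are still logged so they can be identified later.
ZONE_POLICY = {
    "boardroom": "rf-free",
    "server-room": "rf-free",
    "lab": "restricted",
    "lobby": "open",
}


def evaluate(sightings, allowlist=ALLOWLIST, policy=ZONE_POLICY):
    """Return (severity, reason, sighting) tuples for every policy violation."""
    alerts = []
    for s in sightings:
        known = (s.protocol, s.address) in allowlist
        rule = policy.get(s.zone, "open")  # unlisted zones are treated as open
        if rule == "rf-free":
            alerts.append(("high", "emission-in-rf-free-zone", s))
        elif rule == "restricted" and not known:
            alerts.append(("high", "unvalidated-device-in-restricted-zone", s))
        elif not known:
            alerts.append(("low", "unknown-device", s))
    return alerts


SAMPLE_SIGHTINGS = [  # constructed sensor output
    Sighting("wifi", "aa:bb:cc:00:00:01", "lab"),          # validated, allowed zone
    Sighting("ble", "aa:bb:cc:00:00:09", "lab"),           # unknown in restricted zone
    Sighting("bluetooth", "aa:bb:cc:00:00:02", "boardroom"),  # validated, but RF-free zone
    Sighting("cellular", "CELL-ID-PLACEHOLDER", "lobby"),  # unknown in open zone
]
```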

Although this will require specialist equipment, you’ll be locking down one more attack vector. One that is often overlooked.