Firewalls and rules are in place, intrusion detection systems are running, and all industry best practices are being followed. Great, but what about radio frequency attacks? They nimbly sidestep all of that.

Firewalls and intrusion detection systems (IDS) expect attacks to come from certain directions, through particular points of ingress, and to leave predictable and discernible tracks behind them. Those premises hold true for traditional cyberattacks, which is why firewalls, IDS, and other defensive measures are effective against them.

However, there is another class of threats that uses an often-ignored attack vector. Radio frequency (RF) attacks target devices that communicate using Bluetooth, Bluetooth Low Energy (BLE), radio, and Wi-Fi. All of these technologies transmit and receive data using radio waves, operating within the RF spectrum. Radio is included in the list to represent devices that use RF without wrapping it in one of the other technologies.

RF communications sidestep firewalls and network-based detection systems, and penetration tests and vulnerability scans don’t look at the RF spectrum.

The Size of the Problem

Ericsson estimates that there will be 25 billion connected devices by the year 2025. More than three-quarters of those will have some form of RF capability. The burgeoning Internet of Things and the vast increase in affordable, cheaply produced smart devices are changing the attack surface of corporate networks. RF-enabled devices introduce new risks and vulnerabilities and offer threat actors new opportunities to compromise systems.

And it isn’t just the new generation of devices that brings the risk of compromise. Radio-based wireless keyboards and mice are susceptible to attack. The ubiquitous smartphone can be used to perpetrate attacks. And every member of your workforce will have a smartphone—some of them may even be issued by your company.

What Can The Attackers Do?

Wireless and Bluetooth Keyboards and Mice

Using extremely cheap and easy-to-obtain USB wireless dongles, a threat actor can tune in to the communication between radio-connected devices—for example, between a keyboard and the radio USB dongle in the computer—from about 250 feet away. With more expensive equipment, they can increase the distance to about a mile.

Once they’ve tuned in, their equipment can eavesdrop on all keystrokes sent from the keyboard to the victim’s computer. This allows them to capture passwords or any other sensitive information they can find in the data. If the victim makes an online purchase, they may capture other valuable information such as credit card or PayPal details.

The threat actor need not even be present. They may surreptitiously plant a small device such as a Raspberry Pi or BeagleBone with suitable USB dongles and access it remotely.

The threat actor can also inject a rapid stream of their own keystrokes into the victim’s computer. The computer can then be directed to download malware such as a remote access trojan or a rootkit, after which the threat actor can remotely access the computer whenever they choose. The victim would see only a slight flicker on the screen.

It’s this ability to listen to RF traffic, to block or modify it, or even to substitute it altogether with bogus traffic that makes RF attacks so insidious. The threat actor can record a stream of data transmitted from one radio device to a receiving device and replay it at a later time. The receiving device accepts the traffic as though it came from the original, legitimate device. At one time this was a common approach to unlocking car doors.

Some sophistication has crept in at the high end of the market, with rolling code techniques making such attacks more difficult. Rolling codes work on the principle that an unpredictable—and yet calculable—code is sent with the data to the receiving device. The receiving device follows the same algorithm and performs the same calculation. If the received code and the calculated code match, the rest of the transmission is accepted; a code that has already been used no longer matches, so a recording cannot simply be replayed.

However, very few manufacturers do this with cheap—or even mid-range—Internet of Things appliances and RF devices. And yet every one of those devices is a potential gateway onto your network. Even when they have been notified of vulnerabilities in their hardware or firmware, manufacturers are slow to respond. Some vulnerabilities that were reported on old products literally years ago are still present in new products.

Bluetooth and BLE devices can be compromised in similar ways, including Bluetooth wireless keyboards and mice.

Industrial Controllers

A lot of heavy plant, such as cranes, is either factory-equipped to be remotely controlled or can have this functionality fitted with after-market devices. The RF remote control units were designed with safety in mind, not security.

They are prone to the same attacks as any other RF device, including covert cloning of the legitimate controller so that the threat actor has a fake but seemingly legitimate controller of their own. Drones can be used to get the threat actor’s equipment close enough to initiate the attack.

Someone wishing to halt production could have their transmitter repeatedly send the “emergency stop” or “emergency brake” instruction, effectively halting productivity.

Smart Devices

Internet of Things devices, wearable computing devices, Wi-Fi or Bluetooth enabled printers, and even hospital medical devices have been shown to have vulnerabilities that can be exploited. Often the compromised device isn’t the target the threat actor is after; it’s just the vulnerability they use as the point of ingress. They then pivot to other, more interesting devices within the network.

Often, Wi-Fi is left switched on even on devices that don’t need it—for example, a Wi-Fi enabled printer that is being used with a wired network connection. It’s easy to forget to lock down the Wi-Fi on the printer because, well, it’s not being used, right?

Smartphones

Smartphones can be used by disgruntled employees, industrial spies, or saboteurs to covertly record conversations and meetings. They can also be used to record video. They can be used in the same way as USB memory sticks: copies of sensitive documents can be exfiltrated by copying them to the smartphone’s storage. And by their nature, there’s nothing suspicious about a visitor to your premises having a smartphone. We expect people to carry them.

A smartphone can be tethered to a laptop by Bluetooth and use its 4G or 5G connection to send stolen data to the threat actors. This would be entirely invisible to normal threat detection systems.

Wi-Fi

Vulnerable Wi-Fi devices are commonplace. Security is an R&D cost, and for cheap devices it is often dropped from the budget—if it was ever there in the first place. Many businesses cannot tell you how many Wi-Fi devices are connected to their network at any given time. Many of those devices will be vulnerable, especially if you have a lenient Bring Your Own Device policy.

Rogue Wi-Fi access points can be deployed to fool devices into connecting to the threat actor’s bogus network.
How To Defend Your Network
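The rolling-code principle described earlier (under the keyboard and mouse section) is one of the few countermeasures the article names. As an added example, not code from the original article, this Python simulation models it with a keyed hash (HMAC-SHA256 standing in for a vendor's cipher; the key, window size and 4-byte code length are constructed) and shows that a recorded transmission is rejected when replayed, while a few unheard presses are still tolerated.

```python
import hashlib
import hmac

# Constructed values for the simulation; real products use a per-pairing secret
# and their own code-derivation algorithm.
SHARED_KEY = b"constructed-example-pairing-secret"
RESYNC_WINDOW = 16   # presses the receiver tolerates missing before it loses sync

def rolling_code(key: bytes, counter: int) -> bytes:
    """Code for one press: unpredictable without the key, calculable with it."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]

class Transmitter:
    """The key fob: a monotonically increasing press counter plus the shared key."""
    def __init__(self, key: bytes) -> None:
        self.key, self.counter = key, 0

    def press(self) -> bytes:
        self.counter += 1
        return rolling_code(self.key, self.counter)

class Receiver:
    """The lock: runs the same algorithm over the next RESYNC_WINDOW counter
    values and accepts only a code whose counter it has not yet passed."""
    def __init__(self, key: bytes, window: int = RESYNC_WINDOW) -> None:
        self.key, self.window, self.last_accepted = key, window, 0

    def accept(self, code: bytes) -> bool:
        for counter in range(self.last_accepted + 1, self.last_accepted + self.window + 1):
            if hmac.compare_digest(rolling_code(self.key, counter), code):
                self.last_accepted = counter   # this and every earlier code are now dead
                return True
        return False                           # replayed, forged, or too far ahead

def simulate() -> dict:
    """Exercise the cases that matter: a genuine press, a recorded copy of it
    replayed later, a press after a few missed ones, and a press beyond the window."""
    tx, rx = Transmitter(SHARED_KEY), Receiver(SHARED_KEY)
    genuine = tx.press()
    results = {"genuine": rx.accept(genuine), "replay": rx.accept(genuine)}
    for _ in range(5):               # presses the receiver never heard (out of range)
        tx.press()
    results["after_missed"] = rx.accept(tx.press())
    for _ in range(RESYNC_WINDOW):   # too many missed presses: receiver loses sync
        tx.press()
    results["beyond_window"] = rx.accept(tx.press())
    return results
```

Losing sync past the window is the deliberate trade-off: the receiver would rather demand a re-pairing than accept a code it cannot place within a bounded search.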