Frequing Obvious - The Things You Discover When You Test RF Networks
August 04, 2016
In my work as a penetration tester for SureCloud, I’m often asked to look at unusual, out-of-the-ordinary vulnerabilities. This was the case when a major UK financial institution asked us to test for vulnerabilities in its radio frequency (RF) networks, looking at its WiFi networks, digital mobile radio (DMR) systems, cordless DECT (News - Alert) phones, Bluetooth devices and more. These days, a great deal of office networking and communications equipment runs over RF than was previously the case, so the organisation was concerned that its data and networks may be exposed to potential vulnerabilities from vectors that they hadn’t tested before.
You might imagine a pen tester being sat in the corner of an office all day hunched over a laptop, but this particular job involved me getting up onto the roofs of the buildings surrounding this organisation’s main office, so that I could perform a full scan of the frequencies commonly used by RF equipment in the area, using different antennas and kit for each frequency. It’s then a case of identifying where each one is coming from – not an easy task in a densely populated and IT-intensive area such as the City of London.
Careless talk …
I made a number of interesting discoveries during the testing. The first vulnerability I found was that the encryption of DMR (digital mobile radio) systems can quite easily be cracked. Many users don’t employ proper encryption as it’s expensive, and they tend to just rely on a built-in feature called basic privacy. DMR radios are commonly used by security staff as well as emergency services, so a hacker could cause potentially fatal disruption if they hacked the DMR systems. Although security staff are told not to discuss confidential information over the radios, it would be easy for them to lapse and mention something they shouldn’t.
I was also able to intercept some DECT (Digital Enhanced Cordless Telecommunications) calls while I was there. Most calls were encrypted but I was able to decrypt some, as different manufacturers implement DECT technology differently, which creates a weak spot that can be targeted.
Just my type
Using a NRF2.4GHz signal, I was also able to discover that the signals from older models of Microsoft (News - Alert) wireless keyboards for PCs can be intercepted, enabling an attacker to log the keystrokes made on the keyboard. This can be done from hundreds of metres away depending on the antenna used, and the technique could be used to steal passwords, financial details or other sensitive data that is being typed by users. This vulnerability surprised me: keylogging is usually the preserve of Trojan malware, but it can also be done using a remote antenna to target a specific office or computer.
Dude, where’s my car?
Another issue I looked at was vehicle tracking. The financial organisation has a number of fleet vehicles, and these are fitted with GPS tracking so that head office can check on their locations. While the GPS signal is very difficult to spoof, it’s very easy to disrupt or block, because it’s a relatively weak signal. It should be noted that the organisation uses other security measures for its vehicles, but nevertheless this is a significant risk given the value of the goods carried by the vehicles.
Some Building management and SCADA systems also use RF for communication, and they can give away information about things like building temperatures as well as more critical information such as gas control valve and electrical switch positions. In some circumstances it is also possible to control these systems via RF transmissions by using a replay attack (replaying data that has been previously received) which can have serious implications for environments that rely on close temperature control, such as server rooms and even more serious implications where changes in valve or switch positions could cause a threat to life.
I also uncovered some rogue unidentified access points during the test. Luckily in this case they weren’t connected to the corporate network, but it’s not uncommon for people in positions of power to plug in a private router and connect it to the corporate network, which is a potentially major security risk, giving access to high-level corporate data.
The number of office technologies that can be intercepted over RF is quite surprising, and worrying. The damage that can be caused by intercepting keystrokes from a wireless keyboard, or conversations from a supposedly-internal call made on a cordless phone is potentially high, and costly. Organisations therefore need to ensure that they test their systems regularly and implement proper encryption to protect the growing range of technologies that use RF.
About the Author
Toby Scott-Jackson is Senior Security Consultant at SureCloud, a supplier of Cloud-based Governance, Risk and Compliance (GRC) solutions. Prior to co-founding SureCloud in 2006, Toby worked at AIL, an independent security consultancy where he was managing director. Toby began his career as a programmer after graduating from Oxford University. A qualified CHECK team leader, Toby today conducts security audits and advises on vulnerabilities for SureCloud’s customers with contact centres including major retailers and financial institutions.
Edited by Peter Bernstein
Article comments powered by