Penetration testing up in the air: Securing radio frequency networks
By Toby Scott-Jackson, SureCloud Principal Security Consultant
Published 13th September 2016
As a full-time penetration tester, I’m often asked to look at the out-of-ordinary security vulnerabilities and make risk management software and service recommendations. A case in point was when a major UK financial institution asked us to test for vulnerabilities in its radio frequency (RF) networks, looking at its WiFi networks, digital mobile radio (DMR) systems, cordless DECT phones, Bluetooth devices and more.
These days, a great deal of office networking and comms equipment runs over RF, so the organization was concerned that its data and networks may be exposed to potential vulnerabilities from vectors that they hadn’t tested before: in this case, literally in the air around the organization!
So, this particular job involved me being both inside the organisation’s offices, and getting up onto the rooves of the buildings surrounding the office, so that I could perform a full scan of the frequencies commonly used by RF equipment in the area, using different antennas and kit for each frequency. It’s then a case of identifying where each one is coming from – not an easy task in a densely populated and IT-intensive area such as the City of London.
Walking and talking
I made a number of interesting discoveries during the penetration testing. The first vulnerability I found was that the encryption of digital mobile radio (DMR) systems can quite easily be cracked. Many users don’t employ proper encryption as it’s expensive, and they tend to just rely on a built-in feature called basic privacy. DMR radios are commonly used by security staff as well as emergency services, so a hacker could cause potentially fatal disruption if they hacked the DMR systems.
Although security staff are told not to discuss confidential information over the radios, it would be easy for them to lapse and mention something they shouldn’t.
I was also able to intercept some DECT (Digital Enhanced Cordless Telecommunications) calls while I was there. Most calls were encrypted but I was able to decrypt some, as different manufacturers implement DECT technology differently, which creates a weak spot that can be targeted.
Using a NRF2.4GHz signal, I was also able to discover that the signals from older models of Microsoft wireless keyboards for PCs can be intercepted, enabling an attacker to log the keystrokes made on the keyboard. This can be done from hundreds of metres away depending on the antenna used, and the technique could be used to steal passwords, financial details or other sensitive data that is being typed by users.
This vulnerability surprised me: keylogging is usually the preserve of trojan malware, but it can also be done using a remote antenna to target a specific office or computer.
Follow that car!
Another issue I looked at was vehicle tracking. The financial organization has a number of fleet vehicles, and these are fitted with GPS tracking so that head office can check on their locations. While the GPS signal is very difficult to spoof, it’s very easy to disrupt or block, because it’s a relatively weak signal. It should be noted that the organization uses other security measures for its vehicles, but nevertheless this is a significant risk.
Some building management and SCADA systems also use RF for communications and they can give away information about things like building temperatures as well as more critical information such as gas control valve and electrical switch positions.
In some circumstances, it is also possible to control these systems via RF transmissions by using a replay attack (replaying data that has been previously received) which can have serious implications for environments that rely on close temperature control, such as server rooms and even more serious implications where changes in valve or switch positions could cause a threat to life.
I also uncovered some rogue unidentified access points during the test. Luckily in this case they weren’t connected to the corporate network, but it’s not uncommon for people in positions of power to plug in a private router and connect it to the corporate network, which is a potentially major security risk, giving access to high-level corporate data.
The number of office technologies that can be intercepted over RF is quite surprising and worrying. The damage that can be caused by intercepting keystrokes from a wireless keyboard, or conversations from a supposedly-internal call made on a cordless phone is potentially high, and costly. Organizations therefore need to ensure that they test their systems regularly and implement proper encryption to protect the growing range of technologies that use RF.
The Benefits of Penetration Testing
Of course, the whole point of penetration testing of any kind of system is to locate these vulnerabilities so that businesses can protect against them and put plans in place to minimise any potential damage. One of the key ways of doing this is through a robust security posture – particularly in cyber. This can take the form of risk management software, advisory services, and extensive training programmes to get everyone up to speed. For more information on the GRC products and services that SureCloud can offer, take a look at our Risk Management capability.