Author: Bob Baxley

Wireless Intrusion Detection Systems (WIDS) — Bastille

In a traditional, hard-wired network, the only way in is through the Internet-facing router. Most modern networks, though, include 802.11 wireless access points (APs). If they aren’t well-secured, or if there are unauthorized APs on the network, they can open the systems to intruders.

With wireless access, there’s no firm boundary between the inside and outside. Other tenants in an office building could be in range. A spy could set up an inconspicuous wireless relay outside a building. Anyone who gets past the AP’s security is inside the network.

To counter this risk, networks deploy Wireless Intrusion Detection Systems (WIDS). In many ways they perform the same functions as regular intrusion detection systems, while adding wireless-specific functionality.

Risks specific to wireless

All APs should, of course, use WPA2 with strong passwords. A very common mistake is to put up the password in a place where visitors can see it. It’s convenient, but it’s really bad security. The APs should receive and install all available firmware updates, especially patches against the KRACK vulnerability. Administrative access needs to be locked down; the account name and password should be changed from the defaults.

A common risk is unauthorized access points. It isn’t hard for an employee to plug in a personal AP on the local wired network for convenience. They might do it to connect a phone to the network — which is a security risk in itself. Some “smart devices” set up their own APs by default, and if no one changes the defaults, it’s likely they have poor security, or none.

A rogue relay set up nearby could impersonate the SSID of a legitimate access point and pass data through, sending another copy of the traffic to its owner, allowing for the collection of credentials, which can then be used in a phishing attack. It has to match the real AP’s password to do this successfully, but if it can, most users won’t recognize it as a fake. They’ll connect to it automatically if it has the strongest signal on that SSID.

The basics of WIDS

WIDS is actually a broader concept than catching break-in attempts. It also includes verifying the access points that are on the network, identifying any that shouldn’t be there or have security issues, and detecting attacks on APs/clients.

A well-run network has an inventory of all authorized devices. This lets a network scan and identify any rogue devices. “Rogue” here means simply that the device wasn’t approved, not necessarily that it’s hostile. Network sniffing tools will probe all IP addresses and identify authorized and unauthorized ones.

Network monitoring over TCP/IP doesn’t always reveal which devices have Wi-Fi capability, and it won’t catch relays that aren’t directly on the network, so over-the-air sniffing is necessary as well. Such sniffing will identify any APs within range and check if they have weak security.

Then we come to intrusion detection in the narrower sense. Intrusion attempts include password guessing, WPS breach attempts, and packet flooding. Detection methods are like the ones used in standard intrusion detection systems, except that they operate at all network layers from 1 (physical) up and include the special risks of wireless access. Regular intrusion detection operates on Layer 3 and higher.

Fingerprinting in a more sophisticated WIDS can be done at multiple layers. For example, at the physical/MAC layer it makes sure the modulation scheme is standards-compliant and not trying to exploit idiosyncrasies in chipsets. In addition, it can perform fine-grained analysis and comparison of the capabilities advertised by an AP, which a user commonly has no view into.

Rogue access points

Rogue access points can be malicious or merely unauthorized, but either way they pose a risk. The ones which people install for their own convenience may not use WPA2 or, if they do, may not use good passwords. They could have configuration issues, such as easy access to the administrative account from within the network or even over the Internet. If malware infects any device on the network, it could search for wireless routers and try to change their administrative settings.

Some smart (IoT) devices set up their own access points for convenience of installation. If no one has configured them or they aren’t configurable, they might be open to access by anyone and create a hole in the network. Once they’re discovered, it may be possible to configure them securely or disable them.

Malicious access points need to be connected to the network somehow. An employee working as someone’s spy can do it without much trouble. Such APs are often devious enough to evade casual detection. Some will spoof the MAC address of a legitimate access point when transmitting malicious traffic.

A relay doesn’t need to be physically connected to the network if the security of an authorized access point has been compromised. If passwords aren’t protected, this isn’t very hard. A relay can look on a casual scan like an AP that belongs to somebody else. Good software tools are necessary to separate the unwelcome devices from the legitimate ones by fingerprinting devices.

Unsecured access points

Access points may be legitimate but poorly secured. Open APs with no encryption are a serious risk, and it’s vital to make sure none have been set up that way by accident. Others may use WEP or the original WPA, which provide very weak security. They may use WPA2 but have weak passwords.
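As an added illustration of the inventory check described above (the rogue, impersonating and unsecured AP cases), here is a small classifier in Python. It is example code, not Bastille's or Kismet's; the inventory, BSSIDs, SSIDs and signal strengths are constructed, and a real WIDS would feed it live scan results.

```python
from dataclasses import dataclass

# Security modes the text treats as open or very weak; WPA2 is the accepted baseline here.
WEAK_SECURITY = {"OPEN", "WEP", "WPA"}


@dataclass(frozen=True)
class ObservedAP:
    bssid: str      # MAC address of the radio as seen over the air
    ssid: str       # network name it advertises
    security: str   # "OPEN", "WEP", "WPA" or "WPA2"
    rssi: int       # received signal strength in dBm (closer to 0 is stronger)


# Constructed inventory of authorized radios: BSSID -> the SSID it is approved to advertise.
AUTHORIZED = {
    "00:11:22:33:44:01": "CorpNet",
    "00:11:22:33:44:02": "CorpNet",
    "00:11:22:33:44:03": "CorpGuest",
}

# Constructed over-the-air scan results.
SCAN = [
    ObservedAP("00:11:22:33:44:01", "CorpNet", "WPA2", -50),
    ObservedAP("00:11:22:33:44:02", "CorpNet", "WPA2", -61),
    ObservedAP("00:11:22:33:44:03", "CorpGuest", "OPEN", -58),        # authorized radio left open by mistake
    ObservedAP("aa:bb:cc:dd:ee:01", "CorpNet", "WPA2", -40),          # unknown radio announcing the corporate SSID
    ObservedAP("aa:bb:cc:dd:ee:02", "SmartPlug-1234", "OPEN", -70),   # IoT device hosting its own AP
    ObservedAP("aa:bb:cc:dd:ee:03", "Neighbor", "WEP", -85),          # someone else's network, weak cipher
]


def classify(scan, authorized):
    """Return (bssid, finding) pairs. Authorized, WPA2-protected radios on their own SSID produce none."""
    findings = []
    our_ssids = set(authorized.values())
    for ap in scan:
        if ap.bssid in authorized:
            if authorized[ap.bssid] != ap.ssid:
                findings.append((ap.bssid, f"authorized radio advertising unexpected SSID {ap.ssid!r}"))
            if ap.security in WEAK_SECURITY:
                findings.append((ap.bssid, f"authorized AP misconfigured: {ap.security}"))
            continue
        if ap.ssid in our_ssids:
            # A radio we do not own using our SSID is the relay/impersonation case.
            findings.append((ap.bssid, f"possible impersonation of {ap.ssid!r} by unknown radio"))
        else:
            findings.append((ap.bssid, f"unauthorized AP {ap.ssid!r}"))
        if ap.security in WEAK_SECURITY:
            findings.append((ap.bssid, f"weak or no security: {ap.security}"))
    return findings


def strongest_for_ssid(scan, ssid):
    """BSSID a client would most likely auto-join for this SSID (the strongest signal)."""
    candidates = [ap for ap in scan if ap.ssid == ssid]
    return max(candidates, key=lambda ap: ap.rssi).bssid if candidates else None


if __name__ == "__main__":
    for bssid, finding in classify(SCAN, AUTHORIZED):
        print(f"{bssid}  {finding}")
    print("clients on CorpNet would prefer:", strongest_for_ssid(SCAN, "CorpNet"))
```

In the constructed scan the impostor radio on CorpNet also has the strongest signal, which is exactly why clients would join it automatically.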

Other intrusion paths

While 802.11 (Wi-Fi) is the most common form of wireless network access, other protocols are widely used and have their own risks. Bluetooth has a shorter range but can be a vector for intrusion.

At RSA this year more than a few people claimed that they were secure from RF attacks, but when questioned they could not articulate how they were doing this, and some didn’t understand that there are other frequencies to secure besides 2.4 GHz.

Some IoT devices use industry standards, such as many LPWANs, or custom RF protocols. A comprehensive WIDS solution needs to address all RF data communications.

WIDS tools

Tools are available for sniffing the RF traffic in their range and identifying devices. They range from free, open-source ones to sophisticated, commercially supported ones. Using them allows the discovery of rogue devices as well as attempts to break security. They log information and may issue an alert when discovering a breach attempt.

Kismet is a wireless network detector which is primarily intended for 802.11 but can be expanded to other protocols. It has multiple uses, including identification of all devices within range or monitoring a single one. Using it for intrusion detection requires an appropriate setup, and installation is complicated.

Netstumbler was once well regarded as a scanning tool, but it hasn’t been maintained in many years. Its last release was in 2004.

Commercial tools, including Bastille’s, provide a supported WIDS with a convenient user interface.

Bastille monitors the RF spectrum from 60 MHz to 6 GHz, covering a wide range of RF-enabled devices, from IoT through cell phones and hotspots all the way up to rogue Wi-Fi and other potential RF threats.

A network security system has to include wireless intrusion detection if it’s going to protect the network effectively from the growing number of unauthorized RF-enabled devices that enter your organization’s airspace every day.

Learning more

Many tools are available for detecting wireless devices, but not all of them do a good job. Creating a complete map of Wi-Fi and Bluetooth devices in an area requires the most advanced techniques available. To find out more about RF security, look through Bastille’s white papers and webinars.


Leading RF Security Vulnerabilities in 2018 — Bastille

When you think of RF vulnerabilities, you probably think first of Bluetooth and Wi-Fi issues. There have been well-publicized vulnerabilities in both during the past year, but the issue is broader. RF devices also include RFID tags, NFC (e.g., Apple Pay), 433 MHz remote control, LR-WPAN networking, and a host of proprietary protocols. Any of them can have security issues.

While the less known ones don’t get as much publicity, they can cause considerable havoc. Proprietary protocols often don’t get examined as closely as widely used ones, and some have weaknesses or just lack security. Firmware on chips usually isn’t open for examination. Currently significant vulnerabilities are found in both well-known and relatively obscure RF data protocols.

Wi-Fi: Krack

The best-known wireless security issue of 2017 was known as Krack. This wasn’t just a software bug but a weakness in the WPA2 protocol. Every computer and access point that implemented WPA2 was affected.

“Krack” stands for “key reinstallation attack.” Briefly, the attack works by interfering in the handshake that negotiates an encryption key. It forces retransmission of one of the messages, causing the same nonce (initialization) value to be reused with the same key. This allows decryption of subsequent frames that use that key.

In some cases, the consequences are worse. Implementations that used the wpa_supplicant library can be made to use an all-zero encryption key, which is to say no encryption. Windows and Linux use this library and are vulnerable unless they have an updated version of it. Patches for all major WPA2 implementations are available; they fix the problem by preventing the forced replay. Many devices, however, haven’t been or can’t be updated.
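The following toy model, added here as an example and not taken from the Krack paper or any wpa_supplicant code, shows the client-side behaviour the patches change: a retransmitted handshake message 3 must not reinstall the key and reset the nonce. The key and frames are constructed, and the keystream function is a SHA-256 stand-in for the real cipher; only the "same key plus same nonce gives the same keystream" property matters here.

```python
import hashlib


def frame_keystream(ptk: bytes, nonce: int, length: int) -> bytes:
    """Stand-in for the per-frame keystream: the same (key, nonce) pair always yields the same bytes."""
    return hashlib.sha256(ptk + nonce.to_bytes(6, "big")).digest()[:length]


class Supplicant:
    """Client side of the 4-way handshake, reduced to key installation and nonce handling."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None
        self.nonce = 0          # per-frame nonce (packet number); reset to zero when a key is installed
        self.nonces_used = []

    def on_message3(self, ptk: bytes):
        # Message 3 delivers/confirms the negotiated PTK; the client installs it and counts from zero.
        if self.patched and self.ptk == ptk:
            return              # already installed: ignore the retransmission (the fix for Krack)
        self.ptk = ptk
        self.nonce = 0

    def encrypt(self, plaintext: bytes):
        """Protect one frame; returns (nonce, ciphertext)."""
        self.nonce += 1
        self.nonces_used.append(self.nonce)
        ks = frame_keystream(self.ptk, self.nonce, len(plaintext))
        return self.nonce, bytes(a ^ b for a, b in zip(plaintext, ks))


def handshake_with_retransmitted_msg3(patched: bool):
    """Send two frames, process message 3 a second time (what a lost message 4 provokes), send two more."""
    ptk = b"\x01" * 16  # constructed key
    client = Supplicant(patched)
    client.on_message3(ptk)
    frames = [client.encrypt(b"first frame"), client.encrypt(b"second frame")]
    client.on_message3(ptk)  # retransmitted message 3
    frames += [client.encrypt(b"third frame"), client.encrypt(b"fourth frame")]
    return client.nonces_used, frames


def keystream_reused(frames, ptk: bytes) -> bool:
    """True if two frames were protected with identical keystream bytes, the condition Krack creates."""
    streams = [frame_keystream(ptk, nonce, 8) for nonce, _ in frames]
    return len(set(streams)) < len(streams)


if __name__ == "__main__":
    for patched in (False, True):
        nonces, frames = handshake_with_retransmitted_msg3(patched)
        print("patched" if patched else "vulnerable", "nonces:", nonces,
              "keystream reused:", keystream_reused(frames, b"\x01" * 16))
```

The unpatched client reuses nonces 1 and 2 after the retransmission, so its third and fourth frames are protected with the same keystream as its first two; the patched client keeps counting.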

Another vulnerability reported in 2017 was specific to Broadcom Wi-Fi chips. A remote attacker could use it to execute arbitrary code on an Android or iOS device with the chip. Patches have been available since July, but many devices remain unpatched. A proof-of-concept worm replicated itself from an infected device to nearby devices; a real exploit could spread quickly.

As with any RF vulnerability, the attacker has to be in physical proximity. Under favorable conditions, that can be 100 meters or more. It’s difficult to say how widely these issues have been exploited, since exploits don’t always leave traces that are obvious. Criminals using Krack would conduct targeted attacks rather than mass ones. Someone could spy on a network for months and not be noticed.

Keyless entry

Beyond Wi-Fi and Bluetooth are many forms of RF data communication which few people give much thought to. Because they don’t get a lot of scrutiny, serious vulnerabilities in them may go unnoticed. When they’re exploited, it may not be obvious what happened.

Keyless entry cards are a case in point. Most high-class hotels now use them instead of mechanical keys for access to rooms, and it’s increasingly common for them to use proximity rather than being inserted into a reader. The designers of these locks often give little thought to security. The protocols may be unencrypted and lack any authentication mechanism. Locks for high-security areas may suffer from similar vulnerabilities.

A vulnerability has been reported in certain makes of keyless entry locks, letting someone with network access unlock doors and create working counterfeit access cards. Intrusions of this kind could let people walk into hotel rooms or gain access to high-security areas.

Key fobs for remotely unlocking cars may have various vulnerabilities. One is that if a thief can get inside the car, it may be possible to program a new key from the vehicle’s onboard diagnostic port. Then it’s possible either to drive away immediately or come back at a more suitable time. Subaru key fobs reportedly have a weak “rolling code” which is trivially broken.

Medical devices

Wireless medical implants can literally be a lifesaving aid for patients. They provide access for medical personnel to read out information and change settings without invasive procedures. If not properly secured, though, they can be vulnerable to attacks that could harm patients’ health or kill them. An RF transmitter used in implantable cardiac devices was found to be vulnerable to man-in-the-middle attacks. An attacker could increase or decrease the pacing to a dangerous level or drain the battery.

Medical devices may have access to hospital networks, so criminals could use them as jumping-off points to servers, installing ransomware or stealing personal information. If a breach occurs and the Office of Civil Rights finds the healthcare provider negligent, fines in the millions of dollars are possible.

Poor or nonexistent security is common in implantable medical devices. The emphasis is on ease of use, and doctors don’t want to be delayed by hunting for a password in an emergency. But the protocols in many devices are easy to reverse-engineer, so someone with moderate technical skills and proximity to the patient could get access to the devices and do serious damage.

Remotely hijacking vehicles

The possibility of remotely attacking a vehicle through RF data communications is especially alarming because it could let someone injure or kill the occupants. In 2016, Homeland Security was able to penetrate the systems of a Boeing 757 airplane while it was parked at an airport. All that they’ve revealed is that the flaw is in radio frequency communications. No one outside of the few with access to the classified information knows what protocol was involved or how serious a threat it poses. It also isn’t known whether the vulnerability exists in other aircraft systems. Boeing hasn’t made 757s since 2004, but major airlines and the White House still use them.

Several years ago, an experiment in remotely seizing control of a car through its entertainment system made the news. It was possible because a system with remote access and weak security was connected to more critical systems based on a design that predates remote access concerns.

Attacks of this kind are difficult to engineer, but they might be used against prominent individuals, to kill or intimidate them.

The special risks of RF

RF vulnerabilities are most often not the result of flaws in operating systems and applications. The problems often reside in the firmware of communications chips, which are trade secrets not open to public inspection. An attack on them bypasses not just network firewalls but many forms of detection. The vulnerable devices are often simple, mass-produced ones, the kind found on the Internet of Things. Many manufacturers pay more attention to price than security.

With wireless devices of all kinds playing a growing role in data communications, vulnerabilities based in RF communications are a growing concern for cybersecurity, and this trend will continue.

To learn more about the RF vulnerabilities in your environment please contact Bastille.


Hacked Pacemakers and Insulin Pumps Are Just the Beginning — Bastille


As the number of medical devices explodes, protection against RF risk in the clinical setting gets more complicated.

In 2016, the healthcare industry received a wake-up call. Federal regulators discovered critical cybersecurity vulnerabilities in certain pacemakers, defibrillators and other medical devices made by St. Jude Medical. Because these devices use RF signals to transmit and receive patient data, they were vulnerable to intrusions and exploits that could have dire consequences for patients.

It wasn’t the first time medical device security threats have been exposed. In 2011, hackers demonstrated how easy it was to hack an insulin pump during the Black Hat security conference. But it did reinforce the growing concern around medical device security in clinical settings.

Internet of Things (IoT) security in the clinical setting has become a top priority for healthcare delivery organizations, especially as the number of connected medical and non-medical wireless devices skyrockets. Gartner Research estimates that 25 percent of healthcare cyberattacks will originate from IoT devices by 2020 [insert source].

One of the challenges in securing the clinical setting from wireless and RF risks is the stakeholders involved. Healthcare delivery organizations are accustomed to securing Ethernet and wireless network communications. But what about common IoT protocols like cellular, Bluetooth and ZigBee? Not so much. Furthermore, most don’t have the resources to deploy advanced white-hat security measures to really dig into threat exposure.

Considerable amounts of personally identifiable information are transmitted unencrypted over wireless and wired networks; these systems rely upon the security of the network itself. Given that security researchers have been able to purchase used medical equipment on eBay with stored network passwords, it would be possible for an attacker to use such credentials to exfiltrate confidential information once they are on the network.

Much of the security responsibility – and vulnerability – lies at the medical device manufacturer level. Manufacturers often tweak standard protocols and make them their own, or fail to provide specs and documentation on custom RF protocols to the public. Lack of public scrutiny does no favours to patients, only making it more difficult to understand how these devices communicate with other devices and the network, and what vulnerabilities may be present.

Patients are also becoming a key stakeholder in the security equation, as data is exchanged with patients in their homes, both by in-home medical devices and as more patient reported outcomes data is collected to improve the standard of care.

In addition, telemedicine and implanted devices create remote care environments, in the patient’s home or care home. In these cases, patients and care home providers have to take an active role in security – including things like network protection and security updates to devices.

Given the evolving threat landscape and a complex web of stakeholders, it’s understandable that many healthcare delivery organizations are overwhelmed. Where does the journey begin for securing the clinical setting from RF and wireless risks?

It starts with visibility. You can’t secure what you can’t find. Clinicians and technical resources within the clinical setting must be able to identify which devices are present in their environment – both authorized and unauthorized. Furthermore, they need visibility into all devices transmitting across the entire RF spectrum. Where are these devices located? Which RF protocols are they using? When and where is suspicious activity occurring?

There is no silver bullet to securing the clinical setting. It will ultimately require better collaboration between manufacturers, clinical environments and patients. But, there are protective measures healthcare delivery organizations can and should take now. Patient outcomes depend on it!

If you would like to learn more, please watch our webinar, Wireless MD: Addressing Wireless and RF Risk in Clinical Settings


Do You Know Who’s Hacking the Trading Floor? — Bastille

What You Need to Know About Monitoring Cellular and IoT Devices in Capital Markets

Will the regulatory climate for capital markets cool off given the pro-business agenda of the current administration? It may be too early to tell, but many believe the answer will be “no” – especially as the government zeroes in on cybersecurity.

Another area of particular focus is electronic communications (or e-comms), which touches virtually every aspect of buy and sell-side activities.

Just ask FINRA. Last December, the agency fined 12 large financial institutions a total of $14.4M for improper electronic records-keeping practices, which made the firms vulnerable to cybersecurity threats.

So, what’s the issue? The challenge with e-comms monitoring is that it has to go beyond preventing illegal activities. It has to provide the ability to measure, prove and – the most challenging of all – disprove intent.

The interesting thing about the 12 FINRA settlements is that most of the cases didn’t focus on actual instances of failure in record keeping (and the e-comm surrounding it). The fines were for negligence in preventing these things from possibly happening.

Therein lies the real challenge. How do you prove your employees aren’t communicating the wrong way? How do you monitor for unauthorized devices – not just phones and wearables, but for more obscure IoT devices like wireless printers or keyboards that can be hacked and exploited for malicious activity?

Without real-time monitoring of all the devices in your space – both the detection of devices and determining whether they present security vulnerabilities – firms don’t have a mechanism to enforce the rules.

This is where Bastille’s enterprise threat detection technology comes in, and why it’s so critical to capital markets. Bastille provides constant and holistic awareness of devices in the enterprise. It allows firms to identify in detail all devices in the enterprise, where they are, the protocols they’re using, the data volume they’re transmitting and what security vulnerabilities may exist. When an unauthorized device enters the enterprise or does something out-of-policy, someone is alerted.

Bastille also enables forensic analysis on device comms. Were there strange patterns in data flows between devices? Which devices? Were they authorized? Were those devices attached to a persona or employee in the enterprise?

Finally, Bastille performs this monitoring in a discreet and non-disruptive way.

At the technical layer, Bastille helps firms meet the dual demands of e-comms monitoring – the ability to prevent malicious activity and the ability to measure, prove or disprove intent through forensic analysis. Finally, it demonstrates and validates to auditors that the firm has the technology in place to enable systemic and continuous monitoring. 

If you would like to learn more, please watch our webinar, Cellular and IoT on Wall Street: Changes in Compliance Requirements, Cellular, and IoT Devices in Capital Markets.

Dallas Siren Attack — Bastille

In light of recent events, particularly the Dallas siren hack, we’d like to go through a couple of plausible scenarios that might explain this attack and how they relate to the need for more security when designing RF-enabled devices and implementing RF-enabled networks.

For now, let’s look at the Dallas incident to examine how some public safety and large-scale RF networks work, how they might be vulnerable to such attacks, and what you should take into account when designing and securing such networks.

Dallas – Networks, Topologies, and Sirens
Let’s have a look at an overview of the potential components involved in the Dallas scenario. With a central controller node at the headquarters, there would be some sort of control module.

For example, a computer and software would be interfaced to radio equipment, and then connected to an antenna.

The individual sirens are spread out over a large area, which is an important factor to consider, and is one reason that RF is such a good way to control these systems.  At each node, there is a pole with a siren, a radio receiver listening for commands to control that siren, as well as some sort of module that actually controls the siren and whether or not to emit alarms.

The Dallas Office of Emergency Management (OEM) has not revealed how their network is organized or what sort of security it had, or has, so we are still left to hypothesize on how this might have happened.  While there are a number of theories, here I am going to discuss the types of networks that might be deployed in Dallas and the types of transmission technologies in use.

NETWORK TYPES

Single Frequency Networks
One possible scenario for Dallas is that they use a single-frequency network. In this situation, all the sirens and radios operate at either end of a single-frequency network, which is registered with the FCC.

A single-frequency network uses a large single transmitter to cover an entire emergency region. The transmitter might be up high on a tall building or on a hill and uses a very, very large power output to allow the radio waves to propagate over a significant distance and cover the entire array of sirens.  Since all of the Dallas sirens appear to have been set off at once, this may indicate some sort of centralized control over all of them, as opposed to individually, visiting each one and setting it off.

So, in the single frequency network attack, the attacker most likely traveled to a high point to achieve a good propagation to all the sirens. The equipment to undertake this sort of attack would have included a powerful transmitter, a power amplifier, and antenna set to the specific frequency used by the Dallas system (or around about those frequencies).

Radio Repeater Networks
In this network there is a centralized instance of a single repeater to cover a large region. The repeater accepts weaker signals on one ‘input’ frequency and rebroadcasts them at a stronger signal on a different ‘output’ frequency to cover the larger area.

How does this play out? One hypothetical scenario is that a controller module at headquarters sends out a transmission on the input frequency, which is registered to a particular repeater. The repeater then rebroadcasts the same transmission over the output frequency, but at a much stronger signal. The siren modules will be listening on the output frequency, and anything transmitted on the input would be repeated to the output. That’s how you can cover this broad area.

We’ve briefly covered network configurations, now let’s take a look at how commands are sent.

COMMAND TRANSMISSION: Analog or Digital?

Analog RF Networks
The simplest and least costly approach to use is an analog technique. A normal analog single-frequency or repeater network, most likely using narrowband FM, is used to send voice data.  To listen to these transmissions, all that is needed is a hand-held radio, which is easily purchased from eBay or Amazon for less than $30. You don’t really need anything more sophisticated than that.

If it’s analog transmission, then you can send a series of tones. One possibility is exactly the same sort of dual-tone multi-frequency (DTMF) tones you hear when you dial the digits on a telephone. What might be the case here is that tones are transmitted from headquarters to a receiver and demodulator at each node, and each node is programmed to listen for a certain sequence of tones.  Upon receiving the tones, the node will enact some command, in this case, to activate the sirens.

Now, in either the single-frequency or the analog repeater case, if there is someone out there who has found the frequency in use, they can simply listen for those tones to be transmitted prior to the monthly test. In some cases, where there’s practically no security, those tones are transmitted in the clear, and you’re able to replay them to achieve the same effect.

Where might the attacker be? On a single-frequency network, the attacker needs to be up high, with a very powerful transmitter, a power amplifier, and antenna. With an analog repeater, the attacker simply needs to transmit close to the repeater, perhaps with a directional antenna, on the input frequency, and have those tones in the initial broadcast rebroadcast by the repeater over the entire network to achieve the same effect.

Digital Repeater Networks
With a digital repeater, emergency headquarters has a radio to send digital data instead of just narrowband FM.  Data is rebroadcast by the digital repeaters to ensure full coverage of the emergency area.

There may be one repeater, or in the case of modern public safety networks, it might be established as a simulcast network, which means that multiple synchronised repeaters would cover an even broader geographic range.

The difference here is, instead of tones such as the DTMF tones, there would be a distinct packet of data. This is received by a radio, decoded and then the received command is put into action, in this case, to activate the siren at each node.

Encryption
With a digital network, there is the option of including encryption. However, in many networks encryption is not implemented for various reasons, such as key management or simply the much higher cost charged by the manufacturer.

To listen to ‘encrypted’ (where it is not properly implemented) transmissions the attacker may simply need a handheld radio.  Alternatively, the attacker can use a computer or existing radio equipment with a demodulator. As with the analog example, the attacker can wait for the time when the equipment testing occurs to record the transmissions.  To attempt to perpetrate an attack, the attacker rebroadcasts the recording just as with an analog network. However, this may not succeed as it depends on how the encryption was implemented. The Dallas OEM did not use encryption.

Trunked Networks
There is a nuance in certain networks (either analog or digital) when they’re trunked networks.  A trunked network uses a more sophisticated type of repeater system.

The trunked network has allocated to it a number of frequencies that are shared amongst multiple radio users, which means that a single public safety network can support a large number of users, such as the police, ambulance, fire, and other first responders. This operates over a fixed number of frequencies (a pool of channels) that are allocated on-demand as users need to make ‘calls’. These calls are either all analog or digital in nature depending on the type of repeater, just as in the standard repeater case described previously. However, regardless of the call type, a digital signalling (output) channel is still used by the trunking controller to inform radios of allocated channels, and another digital (input) channel is used by radios to request a channel from the controller.

Now, this is not only about calls between mobile users or people. It could potentially be calls to end nodes such as radio-enabled equipment. The radios in these end nodes might be configured to operate on a trunked network, and they might be assigned to a particular talk group. At headquarters, the radio might transmit out to a trunked repeater network, saying, “Call this particular talk group,” so it establishes a call effectively to every single end node. They all start listening, and then the attacker would send either the tones in the analog trunked case, or dial packets in the digital trunked case. Either way, the network would receive the commands and have them sent out to each end node.

The primary problem with common trunked networks is that there is no method to authenticate a legitimate transmitter before setting up a call. Also, as with standard digital networks, there is no method by the network to authenticate the actual message that’s being sent, and there’s no low-level network encryption (it is commonly transparent to the network and implementation is left to the radios using the network).  This means that this type of RF network is entirely open and susceptible to replay attacks.

“Over-the-air rekeying”
With the Dallas incident, the media reported that some level of encryption was added in very short order after the attack took place.  While the Dallas OEM didn’t supply further details of how this was done or what encryption was added, here’s what could have happened: If Dallas was already using a digital repeater network, with radios that supported “over-the-air rekeying,” then they could have enabled encryption or updated the existing encryption keys via a radio-issued command signal.

Encryption and Initialization Vectors
With encryption, the system is now far less susceptible to the “record/replay” attack. However, this depends on how the encryption was implemented.  If the encryption requires an initialization vector to be sent before each actual data transmission, then the data is much safer.  However with systems that do not use this, due to time or cost, an attacker can still just replay the improperly ‘encrypted’ packet – and control the network, encrypted or not!
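To make the record/replay point concrete, here is an added Python example (not Bastille’s code, and not Dallas’s actual protocol, which has never been published). It puts a siren node that accepts a deterministic "encrypted" ACTIVATE packet beside one that requires a fresh counter and an authentication tag. The key, packet layout and stand-in stream cipher are all constructed for the demonstration. One caveat worth stating: a transmitted IV by itself only makes each packet look different; replay is stopped only when the receiver also refuses counters it has already seen, which is what the protected node below does.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"   # shared between headquarters and every siren node
TAG_LEN = 16


def _xor(data: bytes, keystream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream))


def _keystream(prefix: bytes, length: int) -> bytes:
    """Stand-in stream cipher: SHA-256(KEY || prefix || block index). Not a real cipher."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(KEY + prefix + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


# --- Scheme 1: "encryption" with no IV, no counter and no authentication tag -----------------
def naive_encrypt(command: bytes) -> bytes:
    return _xor(command, _keystream(b"", len(command)))   # same command -> identical bytes every time


class NaiveSiren:
    def __init__(self):
        self.activations = 0

    def receive(self, packet: bytes) -> bool:
        command = _xor(packet, _keystream(b"", len(packet)))
        if command == b"ACTIVATE":
            self.activations += 1
            return True
        return False


# --- Scheme 2: per-message counter sent in the clear, HMAC tag, receiver enforces freshness ---
def protected_encrypt(command: bytes, counter: int) -> bytes:
    ctr = counter.to_bytes(4, "big")
    body = ctr + _xor(command, _keystream(ctr, len(command)))
    tag = hmac.new(KEY, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class ProtectedSiren:
    def __init__(self):
        self.activations = 0
        self.last_counter = 0

    def receive(self, packet: bytes) -> bool:
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(KEY, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False                      # forged or corrupted packet
        counter = int.from_bytes(body[:4], "big")
        if counter <= self.last_counter:
            return False                      # already seen (or older): a replayed recording
        self.last_counter = counter
        command = _xor(body[4:], _keystream(body[:4], len(body) - 4))
        if command == b"ACTIVATE":
            self.activations += 1
            return True
        return False


def simulate(siren, packets):
    """Deliver headquarters' packets once (the monthly test), then deliver the same recording again.
    Returns (activations after the real test, activations after the replay)."""
    for p in packets:
        siren.receive(p)
    after_test = siren.activations
    for p in packets:
        siren.receive(p)
    return after_test, siren.activations


def run_naive():
    return simulate(NaiveSiren(), [naive_encrypt(b"ACTIVATE")])                 # (1, 2): replay works


def run_protected():
    return simulate(ProtectedSiren(), [protected_encrypt(b"ACTIVATE", 1)])      # (1, 1): replay rejected


if __name__ == "__main__":
    print("no IV/counter/tag:", run_naive())
    print("counter + tag    :", run_protected())
```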

Emergency networks mainly use analog or unencrypted digital
The vast majority of emergency warning systems still use analog or unencrypted digital hardware, largely due to cost. Since it is less likely that Dallas OEM has one of the more sophisticated networks, it is unclear how Dallas added "encryption" in such short order after the attack.

Radio vs. Wired?
Radio offers many advantages over wired communication systems, such as flexibility and cost, but its security is often overlooked. Wired networks are not 100% secure either, but substantial investment goes into protecting them, whereas little or no investment goes into protecting devices that use radio-only networks.

If you set up a radio network, you must secure the points within your system, particularly the end nodes. Otherwise an attacker can perform something like the replay attack described above, take control of an end node, and from there gain entry into whatever radio or wired network that end node is also connected to.

The requirement for security improvements to radio-enabled devices does not just apply to government agency alerting systems. Today, many buildings and cities are using the Internet of Things to become Smart Buildings and Smart Cities. To achieve this, radio-enabled networks are being deployed, often without having to pass the same security requirements as wired or Wi-Fi devices. The Internet of Things often uses low-energy protocols operating outside secured Wi-Fi, including ZigBee, Z-Wave and LoRa. Often multiple radios are installed on each sensor to allow for future flexibility, and security is nearly always the last feature on the manufacturer's list as they rush to market.

The Internet of Things, the Internet of Radios
With the Internet of Things, or the Internet of Radios, it seems all too often that security is overlooked and is the last consideration for manufacturers. The Bastille Research Team has found vulnerabilities in many common office and home devices. Last year we notified brand-name manufacturers of wireless keyboards and mice, including Logitech, Dell and HP, of vulnerabilities in their products that would allow an attacker to compromise their customers' data and networks. Internet of Things sensors and controls operate key building security and infrastructure devices such as office entry and exit systems, windows and HVAC. These are often deployed without the same level of security scrutiny and testing as the main Wi-Fi and wired network.

RF: Security through Obscurity
In the case of emergency siren systems, vendors and purchasers perhaps relied on security through obscurity: they had their own special network, with their own dedicated protocol on their own frequency. Today, however, radio and computing technology is faster, more accessible and cheaper, giving attackers the opportunity to research the system, quickly find any weaknesses that exist and exploit them.

What other RF-controlled infrastructure has similar security vulnerabilities to the Dallas OEM system?
Public safety is obviously a big issue, but there are also concerns about the smart meters that control people's gas, electricity and water. Interesting research has turned up issues with the electricity grid and how various substations and transformers can be controlled over SCADA radio links and radio modems. In some cases there is very little or no encryption, which means an attacker could influence that network via its radio-enabled devices.

Smart Cities
As deployment of “Smart City” technology increases, there will be new and interesting ways to use radio-enabled technologies to control streetlights, traffic lights, and so on. However, these can all be vulnerable to attack if the network is not designed with security in mind from the very start.

If you’d like to learn more about what Bastille does to protect wireless infrastructure or how it can help you sense, identify, and locate your RF-enabled devices, especially those that you’re not even aware of, please request a demo or your own Wireless Vulnerability Threat Assessment.