
AMA with Brian Contos and Brett Walkenhorst (Bastille) on the Nearest Neighbor Attack


On December 17, 2024, Brian Contos spoke with Brett Walkenhorst, Bastille Networks’ Chief Technology Officer, in a short Ask Me Anything video about the wireless attack that Volexity recently disclosed.

The conversation explores the “Nearest Neighbor Attack,” a wireless intrusion technique that shows how attackers bypass the assumption that Wi-Fi attacks require physical proximity. It covers the attack’s mechanics and implications and discusses how Bastille Networks’ solutions address the gap it exposes.

Volexity states, “The Nearest Neighbor Attack effectively amounts to a close access operation, but the risk of being physically identified or detained has been removed. This attack has all the benefits of being in close physical proximity to the target while allowing the operator to be thousands of miles away.”

The Nearest Neighbor Attack exemplifies the ingenuity and persistence of modern cyber adversaries. It underscores the need for comprehensive wireless security solutions like Bastille Networks, which provide visibility, detection, and actionable responses to mitigate these evolving threats. By integrating seamlessly with existing systems, Bastille addresses critical gaps in wireless security and helps organizations stay ahead of attackers.

Watch the video to hear the full discussion.

Samsung Employee Indicted for Stealing $180 Million in Intellectual Property Using Phone Camera, Seoul Prosecutors Claim

A recent industrial espionage case in South Korea highlights how insider threats can leverage physical and wireless vulnerabilities to exfiltrate highly sensitive intellectual property. The incident, which South Korean prosecutors value at over $180 million in damages, demonstrates why organizations need comprehensive visibility into all potential data exfiltration channels, including personal cell phones.

The Incident

The Seoul Eastern District Prosecutors’ Office indicted a former Samsung Display researcher for allegedly stealing trade secrets related to automated factory operations and leaking them to a Chinese competitor. The researcher, who was posted to China for Samsung Display, is accused of photographing at least 17 key documents relating to Samsung’s display IP and sending the images directly to employees of the Chinese firm between November 2021 and May 2022.

The Security Gaps

This case exposes several critical vulnerabilities that many organizations still struggle to address:

  1. Unauthorized Data Transmission: The suspect photographed and transmitted sensitive data directly to external parties without detection, using their mobile device, thus bypassing traditional network monitoring.
  2. Physical-Digital Convergence: The attacker exploited the gap between physical security controls and digital security monitoring by photographing confidential information and wirelessly transmitting it.
  3. Prolonged Exfiltration: The continuous data transmission over several months points to a gap in the ability to detect anomalous wireless activity within secure areas.

The Impact

Prosecutors estimate the economic damage at 241.2 billion won (approximately $180 million), and experts suggest the technological gap created by this leak represents about ten years of R&D advantage. More concerning, during a May 2024 search of the employee’s residence, investigators found additional trade secrets, beyond the 17 photographed documents, that earlier investigations had missed.

Key Lessons for CISOs

This incident underscores why modern security programs must:

  • Monitor all potential data exfiltration vulnerabilities, including the proximity of personal phones to restricted areas with sensitive information. 
  • Maintain continuous visibility into wireless device activity within sensitive areas.
  • Deploy solutions that can detect anomalous wireless transmissions in real-time.
  • Correlate physical and digital security data for more effective threat detection.

The ability to detect and prevent wireless data exfiltration is no longer optional – it’s a critical requirement for protecting intellectual property in today’s threat landscape. Organizations must ensure complete visibility into their wireless airspace to identify potential insider threats before critical data leaves the building.

FBI and NSA warn of three new wireless attack vectors already exploited in the wild

In a joint cybersecurity advisory released October 10th, 2024, the FBI, NSA, UK NCSC, and other Western intelligence agencies warned that Russia’s Foreign Intelligence Service (SVR) continues to successfully breach private sector and government networks worldwide using a combination of traditional network attacks and concerning new wireless intrusion techniques.

The Wireless Vulnerabilities

The advisory highlights 24 specific vulnerabilities that network defenders should remediate to protect themselves against active exploitation from SVR (also known as APT-29, Midnight Blizzard, and Cozy Bear). While many of the highlighted CVEs target traditional network infrastructure like Microsoft Exchange Server and Apache, three vulnerabilities specifically enable wireless attacks that can compromise devices without requiring direct network access:

1. The agencies highlight CVE-2023-24023, a vulnerability in Bluetooth pairing and session key derivation (the issue known as BLUFFS) that allows an attacker within radio range to conduct man-in-the-middle attacks, downgrade encryption, and potentially intercept or inject communications between Bluetooth devices.

2. The alert also suggests the SVR is exploiting CVE-2023-45866, a vulnerability in Bluetooth HID handling that lets an attacker within radio range pair an emulated keyboard with a vulnerable host without user confirmation and inject keystrokes, executing arbitrary commands on that machine. In effect, the attacker gains remote control of the computer through its wireless peripheral interface.

3. Third, and perhaps most concerning, is CVE-2023-40088, a flaw in the Android Bluetooth stack that enables remote code execution through a “proximal/adjacent” attack with no user interaction. An attacker needs only a transmitting device within radio range of the target, not access to the target’s network.

Attacker Strategy

The intelligence agencies note that SVR operators perform both targeted and opportunistic compromises, combining long-standing tactics such as password spraying, supply chain compromise, and cloud account takeover with newer techniques. This hybrid approach lets them breach networks through conventional means and exploit wireless devices. All of APT-29’s other profiled tactics are remote, so the real concern is how the wireless vulnerabilities could be chained with them. Another Russian state-affiliated actor, APT-28, showed one way with the Nearest Neighbor Attack: investigators found it remotely compromised the networks of nearby buildings and then launched Wi-Fi attacks from devices on those neighboring networks, so an operator thousands of miles away and outside the target’s network perimeter controlled the devices launching the wireless attack. The advisory does not say APT-29 is doing the same. However, a joint advisory telling organizations around the globe to patch three separate proximal/adjacent wireless attack vectors suggests APT-29 has the means to exploit them at scale.

“This activity is a global threat to the government and private sectors and requires thorough review of security controls, including prioritizing patches and keeping software up to date,” said Dave Luber, NSA’s Cybersecurity Director. The advisory states that SVR has “consistently targeted US, European, and global entities in the defense, technology, and finance sectors.”

The agencies strongly recommend organizations patch these vulnerabilities immediately, implement multi-factor authentication wherever possible, audit cloud accounts regularly, and, notably, “baseline authorized devices and apply additional scrutiny to systems accessing network resources that do not adhere to the baseline.” This recommendation suggests organizations need better visibility into what wireless devices are actually present in their facilities, not just what’s officially connected to their networks.
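As an added example (not code from the advisory or from Bastille), the following Python sketch shows what “baseline authorized devices and apply additional scrutiny” can look like in practice: a baseline is learned from a vetted window of wireless association records, and later records are checked against it, flagging devices that were never seen and known devices that show up on an unexpected access point or VLAN or with a changed client fingerprint. The record fields, addresses and access point names are constructed for the example.

```python
from collections import defaultdict

# Constructed association records (not real controller logs). Field names are
# assumptions about what a WLAN controller or NAC export might provide.
LEARNING_WINDOW = [
    {"mac": "a4:5e:60:11:22:33", "ap": "ap-floor3-east", "vlan": 10, "fingerprint": "corp-laptop"},
    {"mac": "a4:5e:60:11:22:33", "ap": "ap-floor3-west", "vlan": 10, "fingerprint": "corp-laptop"},
    {"mac": "3c:22:fb:44:55:66", "ap": "ap-floor1-lobby", "vlan": 30, "fingerprint": "guest-phone"},
]

NEW_WINDOW = [
    # Known laptop, usual AP/VLAN/fingerprint: nothing to report.
    {"mac": "a4:5e:60:11:22:33", "ap": "ap-floor3-east", "vlan": 10, "fingerprint": "corp-laptop"},
    # Same MAC but a different client fingerprint: possible MAC spoofing.
    {"mac": "a4:5e:60:11:22:33", "ap": "ap-floor3-east", "vlan": 10, "fingerprint": "linux-laptop"},
    # Guest device now on a corporate AP and VLAN.
    {"mac": "3c:22:fb:44:55:66", "ap": "ap-floor3-east", "vlan": 10, "fingerprint": "guest-phone"},
    # Never seen during the learning window.
    {"mac": "00:13:37:aa:bb:cc", "ap": "ap-floor3-east", "vlan": 10, "fingerprint": "linux-laptop"},
]


def build_baseline(records):
    """Learn, per MAC, the set of APs, VLANs and fingerprints seen in a vetted window.

    The learning window must itself be reviewed: anything present in it becomes
    'normal', so an implant already in place would be baselined as authorized.
    """
    baseline = defaultdict(lambda: {"aps": set(), "vlans": set(), "fingerprints": set()})
    for r in records:
        entry = baseline[r["mac"]]
        entry["aps"].add(r["ap"])
        entry["vlans"].add(r["vlan"])
        entry["fingerprints"].add(r["fingerprint"])
    return dict(baseline)


def scrutinize(records, baseline):
    """Return (mac, reason) findings for records that do not adhere to the baseline."""
    findings = []
    for r in records:
        entry = baseline.get(r["mac"])
        if entry is None:
            findings.append((r["mac"], "unknown-device"))
            continue
        if r["vlan"] not in entry["vlans"]:
            findings.append((r["mac"], "vlan-off-baseline"))
        if r["ap"] not in entry["aps"]:
            findings.append((r["mac"], "ap-off-baseline"))
        if r["fingerprint"] not in entry["fingerprints"]:
            findings.append((r["mac"], "fingerprint-changed"))
    return findings


if __name__ == "__main__":
    for mac, reason in scrutinize(NEW_WINDOW, build_baseline(LEARNING_WINDOW)):
        print(f"{mac}: {reason}")
```

The access point name doubles as a coarse physical location, which is what makes a guest device appearing on a floor-3 access point worth a second look. Keying on the MAC alone is not enough (randomized MACs rotate, and a spoofed MAC matches the baseline by construction), which is why the fingerprint comparison is included; a deployment would add whatever else the controller exposes, such as the 802.1X identity or DHCP options.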

Why Wireless Airspace Defense

In the alert, the authoring agencies “recommend testing your existing security controls to assess how they perform against the techniques described in this advisory,” three of which are wireless attack techniques. 

Government agencies have recently begun highlighting other Russia-linked groups exploiting wireless vectors. In June 2024, the Health Sector Cybersecurity Coordination Center (HC3) of the Department of Health and Human Services released an advisory on the Qilin ransomware group that listed MITRE ATT&CK “T1011.001 – Exfiltration Over Other Network Medium: Exfiltration Over Bluetooth” among its techniques. Cybersecurity firm Volexity reported on the Nearest Neighbor Attack mentioned above in November 2024.

How To Protect Your Wireless Airspace

Organizations should review the full advisory for a complete list of vulnerabilities and detailed mitigation guidance. The key takeaway is that network defenders can no longer focus solely on protecting network perimeters – they must also actively monitor and secure the wireless airspace around their facilities, as sophisticated adversaries are increasingly exploiting these invisible attack vectors.

Contact Bastille today to learn how your organization can protect against these and other wireless vulnerabilities.

Sources:
NSA Issues Updated Guidance on Russian SVR Cyber Operations (National Security Agency/Central Security Service press release)
Russian APT’s “Nearest Neighbor Attack” Reveals Critical Security Gap: An Organization’s Wireless Airspace (Bastille)
https://media.defense.gov/2024/Oct/09/2003562611/-1/-1/0/CSA-UPDATE-ON-SVR-CYBER-OPS.PDF

Pakistani State Actors Compromised Indian Gov with Hak5 Wireless Pentesting Tools — Russia Remotely Hijacked Them

Joint reports from Microsoft Threat Intelligence and Black Lotus Labs disclose details of a years-long campaign by the Russian FSB-linked group Secret Blizzard. Through a sophisticated multi-stage operation, the group compromised and repurposed a Pakistani state-affiliated actor’s cyber operations infrastructure, along with its footholds in Afghan and Indian networks.

The Heart of The Investigation: Hardware Hack

While tracking the Pakistani state-affiliated group “Storm-0156”, Black Lotus Labs researchers discovered a C2 server built to remotely control a fleet of deployed Hak5 commercial penetration-testing devices. Hak5 sells a range of disguised implant tools that rely on wireless or physical access to a target; many carry their own radios so they can be controlled remotely through Hak5’s C2 software. The researchers observed Storm-0156’s server (which presented the banner of Hak5’s commercial C2 software) handling very high data volumes from several targets, including the Indian Ministry of Foreign Affairs office in Europe, an Indian national defense organization, and several other government bodies. This activity suggests that Storm-0156 had deployed Hak5 implants in these networks. Black Lotus Labs researchers suggest the group chose Hak5 devices for the advantage this vector offers: wireless and close-access attacks bypass standard EDR/XDR protections.

The Russian Takeover

What came next was surprising: every Storm-0156 C2 node used in this operation began communicating with three VPS IP addresses associated with the Russian FSB-linked group “Secret Blizzard” (also known as Turla). As the investigation of Storm-0156’s campaigns progressed, researchers found that Secret Blizzard had compromised 33 command-and-control nodes used in Storm-0156’s India- and Afghanistan-focused operations.

Expansion of Operations

The Russian actors didn’t stop at simply monitoring Pakistani operations. By mid-2023, they had:

  • Infiltrated Pakistani operators’ workstations
  • Deployed their custom malware (“TwoDash” and “Statuezy”) into the networks of the Afghan Government Ministry and Intelligence Agencies
  • Acquired control of additional hacking tools used by other threat actors, including “Waiscot” and “CrimsonRAT”
  • Began retargeting Indian networks compromised by Storm-0156

Impact:

While current reports do not disclose further details on Secret Blizzard’s recent campaigns, they already highlight some key strategic implications.

Until the recent Nearest Neighbor Attack alerted the world to the reality of remote wireless attacks, cybersecurity professionals had largely discounted their organizations’ wireless and cyber-physical vulnerabilities. Although these attacks have inherent advantages in evading EDR/XDR detection, organizations tolerated a growing debt of wireless and cyber-physical vulnerabilities because they assumed attackers needed close access to exploit them. The events of 2024 have made clear that attackers are actively exploiting an organization’s lack of wireless airspace visibility. In the past six months, reports on the Qilin group, APT-28, APT-29, and Storm-0156 have profiled their use of wireless attack vectors in cyber operations. As the compromised C2 server in this case and APT-28’s Nearest Neighbor Attack show, attackers can exploit these wireless vulnerabilities remotely.

How Bastille Can Help:

Bastille Networks’ Wireless Airspace Defense would:

  • Immediately identify the location and anomalous connections of any Hak5 wireless device
  • Implement continuous wireless monitoring to detect unauthorized devices and connections
  • Detect and locate all other wireless implants in real-time
  • Create alerts for anomalous wireless behavior that could indicate compromised infrastructure
  • Maintain comprehensive wireless device inventory

Now, more than ever, the ability to detect, locate, and raise alerts on unauthorized wireless devices and connections is a critical security requirement as adversaries increasingly leverage wireless attack methods to bypass traditional defenses.

FBI warns of broad and ongoing Salt Typhoon Telecom Breach

Americans should stop unencrypted texting on their iPhones or Androids

Executive Summary

A confluence of troubling developments has emerged as U.S. officials reveal that Chinese state hackers remain deeply embedded in telecommunications systems. Because the breach is ongoing, the FBI and CISA have taken the unprecedented step of warning Americans to abandon standard text and voice messaging in favor of encrypted communications. This move should prompt a fundamental shift in how organizations approach personal and corporate wireless device security.

The Ongoing Breach

The Salt Typhoon breach of most U.S. telecommunications providers, initially disclosed to have targeted the presidential campaigns of both Donald Trump and Kamala Harris, now appears to be just a part of an ongoing “broad and significant cyber espionage campaign,” according to CISA Executive Assistant Director Jeff Greene. Greene confirmed the telecommunications compromise is “ongoing and likely larger in scale than previously understood.” “We cannot say with certainty that the adversary has been evicted because we still don’t know the scope of what they’re doing,” said Greene. Senior FBI officials believe the investigation timeline to uncover Salt Typhoon’s full presence in these systems will be “measured in years.”

So far, the investigation has confirmed that attackers gained access to:

  • Individual voice call audio and text message content
  • Bulk customer call metadata and communication patterns
  • Law enforcement surveillance request data

FBI warns Americans to stop sending texts

In light of the ongoing breach, CISA and FBI officials have urged Americans to “use encrypted apps for all their communications.” In the press briefing, Greene added, “Our suggestion, what we have told folks internally, is not new here: encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication. Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible.”

Enterprise IP Targeted

Following Tuesday’s media briefing, Anne Neuberger, the U.S. deputy national security adviser for cyber and emerging technologies, addressed reporters on Wednesday, stating they now believe that Chinese-state affiliated actors had, in addition to targeting people of political interest to the Chinese government, targeted key enterprise IP. “We believe this is intended as a Chinese espionage program focused, again, on key government officials, key corporate IP, so that will determine which telecoms were often targeted, and how many were compromised as well.” In the same address, Neuberger reiterated that Chinese-state affiliated actors are still in U.S. telecom networks and stated the breach has likely persisted for the last 1-2 years. Neuberger also revealed that officials now believe these attacks have impacted the telecommunications providers of multiple countries in the EU and the Indo-Pacific region, in addition to at least eight telco providers in the U.S.

Enterprise Impact Assessment

U.S. officials’ broad warning about this breach’s potential impact on Americans exposes a critical enterprise security gap that demands immediate attention:

It doesn’t matter if it’s a personal or enterprise-controlled device. Smartphones record an incredible variety of information from their environment and transmit it over networks your organization does not control.

Organizations should establish policies to prevent personal or enterprise cell phones from being near sensitive information that could be (unknowingly) exfiltrated via the device’s voice, camera, or messaging capabilities.

  1. Communication Security: Organizations must reevaluate their wireless communication security, particularly:
  • Executive communications protocols
  • Sensitive business discussions
  • Cross-border communications
  2. Threat Detection Capabilities: Traditional network monitoring may miss wireless-based threats, necessitating:
  • Continuous wireless spectrum monitoring with real-time, precise wireless device location reporting, integrated into existing SIEM and physical security systems to enforce device policy near sensitive locations
  • Real-time anomaly detection
  • Enhanced visibility into wireless device behavior
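The second list above, and the “Key Lessons for CISOs” in the Samsung case earlier on this page, both come down to one control: know when a phone that is not on the exception list is sitting inside a sensitive area, and hand that fact to the SIEM. As an added example (not Bastille’s code or any product’s logic), the Python below takes device location fixes of the kind a location-capable WIDS might emit, tests them against a restricted-zone polygon, applies a dwell threshold so walk-bys do not alert, exempts registered devices, and produces JSON-lines events a SIEM collector can ingest. The zone geometry, timestamps, device addresses and event schema are all constructed for the example.

```python
import json

# Constructed data (not real sensor output). Coordinates are meters in the
# sensor array's own frame; device addresses are fictitious.
RESTRICTED_ZONES = {
    # Axis-aligned here, but the check below works for any simple polygon.
    "lab-cleanroom": [(0.0, 0.0), (20.0, 0.0), (20.0, 15.0), (0.0, 15.0)],
}
AUTHORIZED = {"c0:ff:ee:00:00:01"}   # e.g. a registered medical device
DWELL_THRESHOLD_S = 30

# (timestamp_s, device, x, y) location fixes, as a location-capable WIDS might emit.
FIXES = [
    (0,  "de:ad:be:ef:00:02", 25.0, 5.0),   # outside the zone
    (10, "de:ad:be:ef:00:02", 18.0, 5.0),   # enters
    (30, "de:ad:be:ef:00:02", 15.0, 6.0),   # still inside, 20 s
    (50, "de:ad:be:ef:00:02", 10.0, 7.0),   # still inside, 40 s -> alert
    (0,  "c0:ff:ee:00:00:01", 5.0, 5.0),    # authorized device, inside all along
    (60, "c0:ff:ee:00:00:01", 6.0, 5.0),
    (5,  "de:ad:be:ef:00:03", 3.0, 3.0),    # brief visit
    (15, "de:ad:be:ef:00:03", 30.0, 3.0),   # left before the dwell threshold
]


def point_in_polygon(x, y, polygon):
    """Ray-casting test: count polygon edges crossed by a ray going in +x from (x, y)."""
    inside = False
    n = len(polygon)
    for i in range(n):
        x1, y1 = polygon[i]
        x2, y2 = polygon[(i + 1) % n]
        if (y1 > y) != (y2 > y):
            x_cross = x1 + (y - y1) * (x2 - x1) / (y2 - y1)
            if x < x_cross:
                inside = not inside
    return inside


def dwell_alerts(fixes, zones, authorized, dwell_threshold_s):
    """Emit one event per (device, zone) once an unauthorized device has dwelt long enough."""
    entered_at = {}          # (device, zone) -> timestamp of the first fix inside
    already_alerted = set()
    events = []
    for ts, device, x, y in sorted(fixes):
        for zone, polygon in zones.items():
            key = (device, zone)
            if not point_in_polygon(x, y, polygon):
                entered_at.pop(key, None)    # leaving resets the dwell clock
                continue
            entered_at.setdefault(key, ts)
            dwell = ts - entered_at[key]
            if device in authorized or dwell < dwell_threshold_s or key in already_alerted:
                continue
            already_alerted.add(key)
            events.append({
                "event": "unauthorized_device_in_restricted_zone",
                "device": device,
                "zone": zone,
                "entered_at": entered_at[key],
                "observed_at": ts,
                "dwell_s": dwell,
                "position": [x, y],
                "severity": "high",
            })
    return events


def to_siem_lines(events):
    """One JSON object per line, the shape most SIEM collectors ingest directly."""
    return [json.dumps(e, sort_keys=True) for e in events]


if __name__ == "__main__":
    for line in to_siem_lines(dwell_alerts(FIXES, RESTRICTED_ZONES, AUTHORIZED, DWELL_THRESHOLD_S)):
        print(line)
```

Because each event carries the zone and a time window, it can be joined in the SIEM against badge-access records for that zone: a device dwelling in the cleanroom while no badge holder is logged inside is exactly the physical/digital correlation the lessons call for. The authorized set is the exception list for registered devices; the dwell threshold is the knob that trades a few seconds of latency for far fewer alerts on people walking past the door.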

Strategic Implications 

“We need to do some hard thinking long-term on what this means and how we’re going to secure our networks,” acknowledged CISA officials. This crisis represents more than just another data breach – it demonstrates fundamental vulnerabilities in how modern enterprises communicate.

The combination of compromised carrier networks and inherently insecure messaging platforms creates an urgent need for organizations to implement comprehensive wireless security monitoring. Without the ability to detect anomalous cellular activity, device presence, unauthorized connections, and potential compromises, enterprises remain blind to sophisticated attacks that bypass traditional security controls.

How Bastille Can Solve This Problem

Bastille Networks’ Wireless Airspace Defense sensor arrays give organizations real-time visibility into, and anomaly reporting on, the wireless devices transmitting in their environment.

Bastille integrates with your existing SIEM solution and provides visibility and alerting for:

  • Unauthorized cellular devices that could be exfiltrating sensitive information
  • Rogue access points that could intercept wireless traffic
  • Bluetooth connections that could create unauthorized data channels
  • Malicious wireless connections to your network infrastructure, like those seen in the recent APT-28 Nearest Neighbor Attack

Contact Bastille today to learn how your organization can secure the vulnerabilities in your wireless airspace attack surface.

Why handheld and point-solution detection equipment will fail DOD and Federal WIDS requirements

INTRODUCTION TO DOD AND FEDERAL WIDS REQUIREMENTS

DOD and Federal WIDS (Wireless Intrusion Detection System) requirements, such as those in the Secretary of Defense Memo of June 30th, 2023, on safeguarding classified national security information (CNSI) from the threats posed by personal and portable electronic devices within SCIFs and SAPFs, cannot be met with handheld detection solutions, for practical, technical, and regulatory reasons. The breakdown below explains the challenges in more detail:

CHALLENGES IN MEETING DOD AND FEDERAL WIDS REQUIREMENTS WITH HANDHELD DETECTION EQUIPMENT

COVERAGE AND DETECTION RANGE LIMITATIONS

DOD and Federal WIDS require comprehensive network monitoring to detect unauthorized access points, rogue devices, and potential security threats. Handheld point solutions, due to their compact size and lower-sensitivity receivers, have limited detection ranges, making them inadequate for covering large areas or monitoring complex environments such as office buildings, airports, or military bases. Fixed WIDS sensors provide greater sensitivity for increased detection range and, when placed strategically around the building, provide more comprehensive coverage.

CONTINUOUS MONITORING REQUIREMENTS

Federal and DOD sites require 24/7 monitoring capabilities to ensure that any intrusion or security breach is detected in real time. Handheld devices, designed for portable, on-the-go use, are not built for continuous, unattended operation. This intermittent use can lead to gaps in coverage, allowing security incidents to go undetected.

PROCESSING POWER AND REAL-TIME ANALYSIS CHALLENGES

Meeting WIDS requirements calls for real-time analysis of wireless traffic from cellular, Bluetooth, Wi-Fi, and IoT devices, which involves processing large volumes of data and running complex algorithms. Handheld devices typically lack the necessary processing power and resources compared to dedicated WIDS hardware, which is designed with robust processors and specialized software to handle these tasks efficiently.

LACK OF WHITELISTING CAPABILITIES

Because of their limited capabilities, handheld detectors typically cannot maintain lists of authorized devices. That capability is crucial for accommodating exceptions such as hearing aids, insulin pumps, and other authorized devices. Without such a list, a handheld detector alerts on every electronic device, producing false alarms, operator fatigue, and the security gaps that inevitably follow. A dedicated WIDS with appropriate packet decoding and management software is necessary to meet these needs.

COMPLIANCE AND AUDIT LOGGING DEFICIENCIES

Federal and DOD requirements may require detailed logging and audit capabilities to track wireless activity and intrusion attempts. Handheld devices have limited storage capacity and lack the robust logging infrastructure for long-term data retention and compliance reporting. Dedicated WIDS systems are equipped with centralized logging servers and secure storage solutions to meet these requirements.

ADVANCED THREAT DETECTION AND RESPONSE

Meeting DOD and Federal WIDS requirements involves detecting advanced threats like protocol attacks, signal jamming, and spoofing. Handheld devices are generally designed for basic scanning and detection tasks and may not support the advanced analytical tools or response mechanisms necessary to counter sophisticated threats.

REGULATORY COMPLIANCE AND CERTIFICATION CHALLENGES

Handheld devices are consumer-grade or commercial-off-the-shelf (COTS) products. They typically fail to meet stringent regulatory certifications like NIAP, making them unsuitable for regulated environments. They may also emit RF in order to detect wireless devices, rather than being a 100% RF passive solution as with some permanent WIDS solutions. This makes them unsuitable for monitoring secure facilities like SCIFs and SAPFs where active RF emissions are prohibited.

INTEGRATION WITH EXISTING SECURITY INFRASTRUCTURE

Federal and DOD WIDS requirements, like those in the Secretary of Defense Memo of June 30th, 2023, require integration with other security infrastructure systems, such as SIEM (Security Information and Event Management) systems, physical security control software, and automated response tools. Handheld devices are not designed to seamlessly integrate with these systems, limiting their effectiveness within a comprehensive security architecture.

PRACTICAL LIMITATIONS OF LOBBY-BASED WIDS DEVICES

GAPS IN SECURITY COVERAGE IN ENTRANCE AREAS

Placing WIDS devices only in entrance areas leaves gaps in security coverage throughout the building. A common tactic to circumvent WIDS detection is for individuals to turn off their phones or other wireless devices before passing through monitored entry points, re-enabling them once inside. Without continuous, building-wide monitoring, unauthorized devices can operate undetected once past the initial checkpoint. Addressing this gap requires a comprehensive WIDS deployment with sensors distributed throughout the facility.

MISSED DETECTIONS AND FALSE ALARMS

Lobby-based systems are prone to missed detections because wireless protocols transmit in short bursts, and a brief pass through the entrance may not coincide with one. They are also prone to false alarms because they cannot decode packets and identify individual devices. Operating on power thresholds alone, such systems cannot distinguish one device near the entrance to a secure space from many devices in the lobby or parking lot, and they cannot accommodate authorized device exceptions, leading to further false alarms. This limits the effectiveness of the system, often leading operators to ignore alerts or shut the system down. Deployment of such systems creates a false sense of security, which ultimately weakens the organization’s security.
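To make the two failure modes concrete, here is an added Python example (not Bastille’s code or any product’s detection logic) that models a power-threshold detector alongside a decoding detector with an authorized-device list, which also illustrates the whitelisting point made earlier in this article. The RSSI values and addresses are constructed. The power detector sums received power in linear units, because total in-band energy is all a non-decoding threshold device can measure; ten phones at -68 dBm therefore look like one source at -58 dBm (ten equal emitters add 10 dB). The decoding detector keys on per-device addresses, so it can both threshold each device separately and drop registered devices.

```python
import math

# Constructed observations from a single sensor at the door of a secure space
# (not real captures): (device address, RSSI in dBm). Addresses are fictitious.
THRESHOLD_DBM = -60.0                      # "something is close" cut-off
ALLOWLIST = {"c0:ff:ee:00:00:01"}          # e.g. a registered hearing aid

ONE_PHONE_AT_DOOR = [("de:ad:be:ef:00:01", -55.0)]
LOBBY_CROWD = [(f"02:00:00:00:00:{i:02x}", -68.0) for i in range(10)]   # ten distant phones
HEARING_AID_AT_DOOR = [("c0:ff:ee:00:00:01", -50.0)]
MIXED = HEARING_AID_AT_DOOR + ONE_PHONE_AT_DOOR


def dbm_to_mw(dbm):
    return 10 ** (dbm / 10)


def mw_to_dbm(mw):
    return 10 * math.log10(mw)


def aggregate_power_dbm(observations):
    """Total in-band power: what a non-decoding power detector actually measures."""
    return mw_to_dbm(sum(dbm_to_mw(rssi) for _, rssi in observations))


def threshold_detector(observations):
    """Power-threshold detector: alerts on total energy with no idea how many emitters there are."""
    return aggregate_power_dbm(observations) > THRESHOLD_DBM


def decoding_detector(observations, allowlist=ALLOWLIST):
    """Per-device detector: decodes addresses, drops allowlisted ones, thresholds each device."""
    strongest = {}
    for addr, rssi in observations:
        strongest[addr] = max(rssi, strongest.get(addr, -math.inf))
    return sorted(addr for addr, rssi in strongest.items()
                  if addr not in allowlist and rssi > THRESHOLD_DBM)


if __name__ == "__main__":
    scenarios = [("one phone at door", ONE_PHONE_AT_DOOR), ("lobby crowd", LOBBY_CROWD),
                 ("hearing aid at door", HEARING_AID_AT_DOOR), ("mixed", MIXED)]
    for name, obs in scenarios:
        print(f"{name:20s} total={aggregate_power_dbm(obs):6.1f} dBm "
              f"threshold={threshold_detector(obs)} decoding={decoding_detector(obs)}")
```

In the lobby-crowd scenario the threshold detector fires although no device is anywhere near the door, and in the hearing-aid scenario it fires on a registered device; the decoding detector stays quiet in both and still catches the phone in the mixed scenario. Per-device RSSI is a crude proximity measure, so a deployed system would add multi-sensor location and a dwell time before alerting, but the ability to attribute energy to a device is what makes any of that possible.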

CONCLUSION: THE NEED FOR DEDICATED WIDS SOLUTIONS

Handheld and other point solutions for electronic device detection lack the technical capabilities, continuous monitoring features, processing power, compliance mechanisms, and integration options required to meet federal WIDS requirements. Environments that must adhere to these requirements need dedicated WIDS solutions with enterprise-grade hardware and software for comprehensive wireless security monitoring and compliance to counter the threat from bad actors.

Wireless Threat Intelligence: Enhancing Modern Corporate Security

The Critical Role of Wireless Threat Intelligence in Modern Corporate Security

In today’s interconnected world, wireless technology is an integral part of corporate infrastructure. As businesses continue to rely on wireless networks for daily operations, the importance of securing these networks has never been more critical.

Employees and visitors bring wireless devices into corporate facilities. Visiting wireless devices may be unwittingly compromised or used by bad actors to compromise corporate assets and networks, exfiltrating voice and data or introducing threats and vulnerabilities to corporate systems.

This is where Wireless Threat Intelligence (WTI) comes into play. WTI provides organizations with the tools and insights needed to detect, analyze, and mitigate threats to their wireless environments. In this article, we will explore the significance of Wireless Threat Intelligence and its impact on modern corporate security.

Understanding Wireless Threat Intelligence

Wireless Threat Intelligence refers to the collection, analysis, and dissemination of information about threats to wireless networks and the devices around them. This encompasses identifying unauthorized access points and rogue wireless devices and networks, detecting anomalous network behavior, and analyzing wireless vulnerabilities. By leveraging WTI, organizations gain a comprehensive understanding of the threats facing their wireless environments and can take proactive measures to safeguard their networks.

The Evolution of Wireless Threats

Wireless threats have evolved significantly. Initially, the primary concern was securing Wi-Fi networks from unauthorized access. With the advent of new technologies and more sophisticated attack techniques, the threat landscape has become far more complex. Today, organizations must contend with a wide array of wireless threats across Wi-Fi, Bluetooth, cellular, and IoT protocols, including:

  • Rogue Access Points: Unauthorized devices that mimic legitimate access points to intercept sensitive information.

  • Man-in-the-Middle (MitM) Attacks: Intercepting and altering communication between two parties without their knowledge.

  • Wireless Eavesdropping: Unauthorized listening to private communications over wireless networks.

  • Denial of Service (DoS) Attacks: Disrupting wireless services by overwhelming the network with traffic.

  • Bluetooth Exploits: Attacks that target Bluetooth connections to gain unauthorized access or spread malware.

These evolving threats underscore the need for Wireless Threat Intelligence to detect and mitigate potential risks effectively.

The Importance of Wireless Threat Intelligence in Corporate Security

Wireless Threat Intelligence is crucial for several reasons:

Proactive Threat Detection

One of the primary benefits of WTI is its ability to detect threats proactively. Traditional security measures often rely on reactive approaches, addressing threats only after they are identified. In contrast, WTI enables organizations to identify potential threats before they cause significant damage. By continuously monitoring wireless networks and the airwaves for suspicious activity, WTI alerts security teams to potential risks in real time, allowing for a swift and effective response.

Enhanced Visibility and Control

Wireless Threat Intelligence provides organizations with enhanced visibility into their wireless environments. This includes identifying all devices connected to the network, monitoring their behavior, and detecting any anomalies that may indicate a security breach. With this level of visibility, organizations maintain greater control over their wireless networks, ensuring that only authorized devices have access and that any suspicious activity is promptly addressed. In addition, WTI finds wireless devices that are in the facility but are not connected to the network, including cellular devices and those that use IoT protocols.

Improved Incident Response

In the event of a security breach, WTI plays a critical role in incident response. By providing detailed information about the nature of the threat and the affected systems, WTI enables security teams to respond quickly and effectively. This includes isolating compromised devices, mitigating the impact of the attack, and preventing future incidents. With Wireless Threat Intelligence, organizations minimize the damage caused by security breaches and ensure a swift recovery.

Compliance and Regulatory Requirements

Many industries are subject to strict regulatory requirements regarding the security of their wireless networks. Compliance with these regulations often necessitates the implementation of advanced security measures, including Wireless Threat Intelligence. By leveraging WTI, organizations ensure that they meet regulatory requirements and avoid potential penalties. This is particularly important in industries such as healthcare, finance, and government, where the security of sensitive information is paramount.

Implementing Wireless Threat Intelligence

Implementing Wireless Threat Intelligence requires a multi-faceted approach that encompasses several key components:

Wireless Intrusion Detection Systems (WIDS)

Wireless Intrusion Detection Systems (WIDS) are a critical component of WTI. These systems monitor wireless networks and wireless devices for suspicious activity, then alert security teams to potential threats. WIDS detects a wide range of threats, including rogue access points, unauthorized devices, and anomalous network behavior. By integrating WIDS into their security infrastructure, organizations enhance their ability to detect and respond to wireless threats.

Machine Learning and AI

Machine learning and artificial intelligence (AI) play an increasingly important role in Wireless Threat Intelligence. These technologies enable organizations to analyze vast amounts of data and identify patterns that may indicate a security threat. By leveraging machine learning and AI, organizations enhance their ability to detect and respond to wireless threats in real time.

Employee Training and Awareness

Employee training and awareness are critical components of an effective WTI strategy. Organizations must ensure that their employees are aware of the risks associated with wireless networks and are trained to recognize potential threats. This includes educating employees about safe wireless practices, such as avoiding public Wi-Fi networks and recognizing phishing attempts. By fostering a culture of security awareness, organizations reduce the risk of wireless threats.

Continuous Monitoring and Updates

Wireless Threat Intelligence is not a one-time effort but an ongoing process. Continuous monitoring and regular updates are essential to keep up with the evolving threat landscape. Organizations must invest in technologies and practices that allow for constant vigilance and adaptation to new threats. This includes updating threat intelligence databases, refining detection algorithms, and ensuring that security policies remain current and effective.

The Future of Wireless Threat Intelligence

As wireless technology continues to evolve, so too will the threats facing corporate networks. Emerging technologies such as 5G and the Internet of Things (IoT) present new opportunities and challenges for Wireless Threat Intelligence. To stay ahead of these evolving threats, organizations must continue to invest in advanced WTI solutions and stay informed about the latest developments in wireless security.

The Impact of 5G on Wireless Threat Intelligence

The rollout of 5G technology promises faster speeds and more reliable connections. However, it also introduces new security challenges. The increased bandwidth and connectivity offered by 5G can be exploited by cybercriminals. Organizations must adapt their Wireless Threat Intelligence strategies to address the unique risks associated with 5G networks.

Securing the Internet of Things (IoT)

The proliferation of IoT devices adds another layer of complexity to wireless security. Each connected device represents a potential entry point for cyber threats. Effective Wireless Threat Intelligence must include strategies for securing IoT devices, such as implementing authentication mechanisms, ensuring firmware updates, and monitoring for anomalous behavior.

Conclusion

In conclusion, Wireless Threat Intelligence is a critical component of modern corporate security. By providing organizations with the tools and insights needed to detect, analyze, and mitigate wireless threats, WTI enables businesses to protect their networks and ensure the security of their sensitive information. As the threat landscape continues to evolve, the importance of Wireless Threat Intelligence will only continue to grow. Organizations that invest in advanced WTI solutions and adopt a proactive approach to wireless security will be better equipped to navigate the challenges of the digital age and safeguard their operations against emerging threats.


Enhancing Security in Critical Environments Series: The Pager — Bastille

Pagers – History, Uses Today and How to Detect Them

In a world of ever-faster mobile communications devices and cellular networks, it is easy to forget the role still played by much older wireless communication devices: pagers.

While smartphones dominate modern communication, pagers—once ubiquitous for short messages and alerts—are still widely used in critical environments. Detecting and monitoring pagers is vital to ensuring operational security. Bastille Networks provides a comprehensive solution for detecting wireless devices across the RF spectrum, including pagers.

Understanding the history and current usage of pagers is key to recognizing their significance and the potential security risks they pose.

A Brief History of Pagers

Pagers, or beepers, first emerged in the early 20th century as basic communication tools and eventually evolved into more advanced devices. The earliest iterations of what became known as a pager were implemented by the Detroit Police Department in the 1920s. Their popularity peaked in the 1990s, with millions of users worldwide relying on them for critical communication. Despite being overshadowed by mobile phones, pagers continue to serve vital roles in certain sectors today, including health care and public safety.

Key Milestones in Pager Technology History:

  • 1920s-1950s: The development of early pagers for hospitals and medical staff.

  • 1959: The first commercial pager, introduced by Motorola, revolutionized emergency communications by offering one-way communication to doctors and hospital staff. This is when the term pager came into usage.

  • 1970s-1980s: Pagers gained widespread use in industries like law enforcement, corporate management, and emergency services due to their reliability.

  • 1990s: Pagers reached their peak with around 61 million users globally, but began to decline with the rise of mobile phones and cellular networks.

  • 2000s-present: While the global use of pagers has significantly decreased, they are still common in sectors requiring robust and reliable communication.

How Many Pagers Are in Use Today?

While the overall use of pagers has dramatically declined, approximately two million pagers are still in active use globally. A few regions and industries, including government, healthcare and emergency services, continue to rely on pagers due to their unique benefits, including reliability in areas with poor cellular coverage and the ability to communicate during network outages.

Pagers in Use by Country:

  • United States: The US healthcare industry remains the largest consumer of pagers, with an estimated 85% of hospitals still using them. Doctors, nurses, and emergency responders often rely on pagers to receive urgent communications, especially when cellular signals are unreliable or in situations requiring fast, secure alerts.

  • Japan: Pagers remained popular in Japan for longer than in most other countries. Tokyo Telemessage, the last paging company in Japan, discontinued services in 2019, but before then, pagers were still used by businesses and young people for secure, quick communications.

  • United Kingdom: Pagers are still used in healthcare and emergency services in the UK. The National Health Service (NHS) is one of the largest users of pagers. Despite efforts to phase out pagers and transition to more modern communication tools, many hospitals still depend on them.

  • Germany and France: Both countries have reduced pager usage but continue to employ them in healthcare settings and other industries that require secure, encrypted messaging systems.

  • Canada: In Canada, pagers are still in use within the healthcare system and by certain government agencies, although the numbers are significantly lower compared to the peak usage era.

Why Are Pagers Still in Use?

Despite the rise of smartphones, pagers offer several distinct advantages:

  1. Reliable Communication: Pagers are more reliable in environments with poor or no cellular reception, such as large buildings, hospitals, or rural areas.

  2. Network Independence: Pagers operate independently of congested cellular networks, making them a reliable tool in emergencies when cellular systems may be overloaded.

  3. Battery Life: Pagers can last several weeks on a single battery, making them ideal for long-term use in emergencies or power outages.

  4. Cost-Effective: Pagers are often more affordable than modern smartphones or communication systems, making them an economical option for many organizations.

  5. Security: Some pagers are equipped with encryption, making them secure for transmitting sensitive information, especially in healthcare or government sectors.

  6. Employees without cell phone coverage: One-way pagers allow professionals to receive messages while working in locations with little or no cell phone coverage, such as rural areas.

Cellular Networks and Pager Technology

Pagers operate on dedicated paging networks, separate from mobile cellular networks like GSM or CDMA. These networks typically broadcast messages over VHF (Very High Frequency) or UHF (Ultra High Frequency) radio bands, allowing for long-range communication.

Types of Paging Networks:

  1. One-Way Paging: The most common type, where users receive messages but cannot respond. These systems use specific frequencies, such as 138–174 MHz (VHF) or 929–932 MHz (UHF).

  2. Two-Way Paging: In two-way systems, users can send responses, often using a combination of paging and cellular networks. These systems may use more advanced cellular technologies like GPRS (General Packet Radio Service) to send replies.

Bastille Networks: Detecting Pagers Across the RF Spectrum

Given the critical role pagers play in industries like healthcare, Bastille Networks provides advanced tools to monitor and detect pager signals.

How Bastille Detects and Locates Pager Signals:

  1. RF Spectrum Monitoring: Bastille’s technology scans frequencies from 100 MHz to 7.125 GHz. This ensures comprehensive monitoring of pager transmissions, as well as other wireless devices.

  2. Localization: Bastille provides the location of radio-emitting devices such as pagers, allowing security teams to quickly respond to potential threats from unauthorized or suspicious devices.

  3. Real-Time Alerts: Bastille provides real-time notifications when devices are detected. This enables immediate action, such as investigating unauthorized devices or addressing security vulnerabilities.

Use Cases for Pager Detection

  • Government & Defense: High-security environments use pagers for secure communications. Bastille detects unauthorized pager signals to prevent potential espionage or breaches.

  • Industrial Control Systems: Pagers play a key role in industrial control environments. Bastille’s system ensures that only authorized pagers are operating, protecting operational integrity.

  • Healthcare: Some hospitals still rely on pagers to send urgent communications to doctors, nurses, and emergency personnel. Emergency or hospital teams may have to enter buildings housing sensitive information without time for security checks. In this case, Bastille helps monitor pagers, providing information on where they are going inside the building.

Why Choose Bastille for Pager Detection?

  1. Comprehensive RF Coverage: Bastille monitors frequencies from 100 MHz to 7.125 GHz, providing full visibility into pager transmissions across all major bands.

  2. Real-Time Detection: Bastille’s system detects radio frequency activity in real time, including the RF frequencies used by pagers, allowing security teams to respond to potential threats as they arise.

  3. Localization: Bastille’s capabilities allow for localization of pager signals, aiding in swift security intervention.

  4. Industry Expertise: Bastille’s products are designed for critical environments, offering specialized solutions for enterprise, government, and industrial sectors.

Conclusion

While pagers may seem like relics of the past, they remain essential in industries like healthcare, government, and emergency services. With an estimated two million pagers still in use worldwide, detecting and locating these devices is still important.

Bastille Networks offers a comprehensive solution to monitor pager activity, covering a broad spectrum of RF frequencies from 100 MHz to 7.125 GHz, and providing real-time alerts, signal characterization, and device localization.

Bastille’s pager detection capabilities mitigate the risks posed by unauthorized and often insecure wireless devices such as pagers. Whether in healthcare, government, or industrial sectors, Bastille’s solutions ensure that even legacy devices like pagers do not become a weak link in an organization’s security posture.

Further reading

https://www.spok.com/blog/throwback-thursday-history-pagers

Sources:

History of Pagers:

  • The History of Pagers: a detailed overview of the development and milestones of pagers from their invention to the present day.

  • ThoughtCo, “History of Pagers and Beepers” (2021): on the rise and decline of pager technology; discusses the global peak of pager usage in the 1990s, when around 61 million pagers were in use.

Current Use of Pagers:

  • BBC, “NHS told to ditch ‘outdated’ pagers” (2019): estimates that the NHS still has around 130,000 pagers, about 10% of the total left in use globally.

  • UK Government website (2019): the NHS’s plan to phase pagers out, with many hospitals still using them for urgent communications.

Pagers in Specific Countries:

  • BBC, “Japan’s last pagers beep for the final time” (2019): discusses the end of pager services in Japan after the closure of Tokyo Telemessage in 2019, marking the end of an era for pagers in the country.

  • HealthTech, “Why the Hospital Pager Withstood the Test of Time” (2019): highlights the continued use of pagers in hospitals, where they are still seen as a reliable communication tool.

RF Spectrum and Pager Frequencies:

  • Paging | Federal Communications Commission (fcc.gov): details about pager frequencies and licensing.

How to Detect and Locate Unauthorized Cell phones — Bastille

Detect and Locate Unauthorized Cell phones

Bastille is the first and only product to detect and locate cellular phones within a building based on their cellular signal. Real-time detection with alerts plus DVR-like playback for forensics.

Cellular phones are a great business productivity tool, but they are also the most ubiquitous security and compliance threat faced by financial services organizations. Cell phones have cameras, recording devices, the ability to become out-of-network hotspots and to tether to laptops and computers in the building for data-exfiltration. Financial services firms want to track both the authorized and unauthorized phones that enter and move around their environments to alert on potential security threats and compliance issues in real time.

Cell phone tracking has been extremely difficult to date, because a cell phone detection and location product must detect a cell phone even when its Wi-Fi and Bluetooth are turned off. After 4 years of intense R&D and more than a dozen patents, Bastille has created the solution.

DETECTION VIA CELLULAR SIGNAL

Bastille is the first and only solution to detect and locate the presence of cell phones even if the only available signal they are producing is the cellular signal.

DON’T BE FOOLED BY OTHER SOLUTIONS’ CLAIMS

Other solutions claim to observe phones but actually rely on detection of Wi-Fi and Bluetooth, which can easily be turned off by bad actors. Some competitors even claim to detect cell phones but, in fact, they are only detecting energy in cellular frequencies near a sensor. Such solutions can’t tell if it is one cell phone close to a sensor or 10 cell phones farther away. Only Bastille can tell you how many cell phones are in a room and where those phones are located.

DETECTION IN REAL TIME

Bastille alerts on the presence of a cellular phone in a facility within seconds.

DVR PLAYBACK

Bastille records all the cell phones seen, and their movements, to enable DVR-like playback for forensic purposes. So if you want to find out what happened in your facility 2 months ago, you can jump back to that date and replay all activity before and after that event.

LOCATE WITHIN 2 METERS

Bastille sees every cellular phone within a space and puts a separate dot on a map to mark the location of each device. Location accuracy is within 2 meters.

DETECT WHEN A CELL PHONE COMES ON

If someone brings in a cell phone which is powered down, Bastille can alert you when it is powered back up in your facility.

DETECT UNAUTHORIZED CELL PHONE ACTIVITY

Some organizations allow employees to bring personal cell phones into secure facilities but ask them to leave the secure area if a call comes in. Bastille alerts you when an inactive personal cell phone becomes active and lets you track whether it leaves the secure area to continue to call.
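The policy just described, turned into detection logic as an added example (this is not Bastille’s code): it replays constructed sightings of a phone’s localized zone and activity state, alerts when a phone is seen active inside the secure area, and alerts again if it does not leave within a grace period. Zone names, device labels and the grace period are assumptions.

```python
"""Secure-area cell phone policy, as an added example (not Bastille's code).

Replays constructed sightings, each a phone's localized zone and whether
cellular activity was observed, and raises the two alerts the text
describes: a phone goes active inside the secure area, and it then fails
to leave within a grace period. Device identifiers are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sighting:
    t: int          # seconds into the constructed recording
    phone: str      # constructed device label, not a real identifier
    zone: str       # zone the sensor localized the phone to
    active: bool    # True when cellular activity (call or data) was seen


def policy_alerts(sightings, secure_zone="secure", grace_s=60):
    """Return (time, phone, alert) tuples in time order.

    An episode starts when a phone is seen active inside the secure zone
    and ends when it is next seen idle or outside that zone. One
    'active-in-secure-area' alert is raised at the start of each episode
    and one 'did-not-leave-secure-area' alert once the episode has lasted
    at least grace_s seconds.
    """
    alerts = []
    episode_start = {}   # phone -> time the current episode began
    escalated = set()    # phones already escalated in the current episode
    for s in sorted(sightings, key=lambda x: x.t):
        if s.zone != secure_zone or not s.active:
            # Policy satisfied (left the area or ended the call): close the episode.
            episode_start.pop(s.phone, None)
            escalated.discard(s.phone)
            continue
        start = episode_start.get(s.phone)
        if start is None:
            alerts.append((s.t, s.phone, "active-in-secure-area"))
            episode_start[s.phone] = s.t
        elif s.t - start >= grace_s and s.phone not in escalated:
            alerts.append((s.t, s.phone, "did-not-leave-secure-area"))
            escalated.add(s.phone)
    return alerts


# Constructed recording: P1 answers a call in the secure area and stays;
# P2 takes a call there, steps out to the lobby, then comes back still on the call.
SAMPLE_SIGHTINGS = [
    Sighting(0, "P1", "lobby", False),
    Sighting(10, "P1", "secure", False),
    Sighting(20, "P1", "secure", True),
    Sighting(30, "P2", "secure", True),
    Sighting(50, "P1", "secure", True),
    Sighting(60, "P2", "lobby", True),
    Sighting(90, "P1", "secure", True),
    Sighting(100, "P2", "secure", True),
    Sighting(120, "P1", "secure", True),
]

if __name__ == "__main__":
    for t, phone, alert in policy_alerts(SAMPLE_SIGHTINGS):
        print(f"t={t:4d}s {phone}: {alert}")
```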

ALERTING VIA YOUR EXISTING SYSTEMS

Bastille integrates with your existing SIEM and/or alerting systems via its open-standards-based APIs, with native integration for systems like Splunk(R), Elasticsearch/Kibana(R), PagerDuty(R), SMS and email. Alternatively, customers can view alerts via the Bastille Portal and use that platform to dig into alerts for more information.

Wireless Intrusion Detection Systems (WIDS) — Bastille

In a traditional, hard-wired network, the only way in is through the Internet-facing router. Most modern networks, though, include 802.11 wireless access points (APs). If they aren’t well-secured, or if there are unauthorized APs on the network, they can open the systems to intruders.

With wireless access, there’s no firm boundary between the inside and outside. Other tenants in an office building could be in range. A spy could set up an inconspicuous wireless relay outside a building. Anyone who gets past the AP’s security is inside the network.

To counter this risk, networks deploy Wireless Intrusion Detection Systems (WIDS). In many ways they perform the same functions as regular intrusion detection systems, while adding wireless-specific functionality.

Risks specific to wireless

All APs should, of course, use WPA2 with strong passwords. A very common mistake is to put up the password in a place where visitors can see it. It’s convenient, but it’s really bad security. The APs should receive and install all available firmware updates, especially patches against the KRACK vulnerability. Administrative access needs to be locked down; the account name and password should be changed from the defaults.

A common risk is unauthorized access points. It isn’t hard for an employee to plug in a personal AP on the local wired network for convenience. They might do it to connect a phone to the network — which is a security risk in itself. Some “smart devices” set up their own APs by default, and if no one changes the defaults, it’s likely they have poor security, or none.

A rogue relay set up nearby could impersonate the SSID of a legitimate access point and pass data through, sending another copy of the traffic to its owner, allowing for the collection of credentials, which can then be used in a phishing attack. It has to match the real AP’s password to do this successfully, but if it can, most users won’t recognize it as a fake. They’ll connect to it automatically if it has the strongest signal on that SSID.

The basics of WIDS

WIDS is actually a broader concept than catching break-in attempts. It also includes verifying the access points that are on the network, identifying any that shouldn’t be there or have security issues, and detecting attacks on APs/clients.

A well-run network has an inventory of all authorized devices. This lets a network scan and identify any rogue devices. “Rogue” here means simply that the device wasn’t approved, not necessarily that it’s hostile. Network sniffing tools will probe all IP addresses and identify authorized and unauthorized ones.

Network monitoring over TCP/IP doesn’t always reveal which devices have Wi-Fi capability, and it won’t catch relays that aren’t directly on the network, so over-the-air sniffing is necessary as well. Such sniffing will identify any APs within range and check if they have weak security.

Then we come to intrusion detection in the narrower sense. Intrusion attempts include password guessing, WPS breach attempts, and packet flooding. Detection methods are like the ones used in standard intrusion detection systems, except that they operate at all network layers from 1 (physical) up and include the special risks of wireless access. Regular intrusion detection operates on Layer 3 and higher.

Fingerprinting in a more sophisticated WIDS can be done at multiple layers. For example, at the physical/MAC layer it makes sure the modulation scheme is standards-compliant and not trying to exploit idiosyncrasies in chipsets. In addition, it can perform fine-grained analysis and comparison of capabilities advertised by an AP that a user commonly has no view into.

Rogue access points

Rogue access points can be malicious or merely unauthorized, but either way they pose a risk. The ones which people install for their own convenience may not use WPA2 or, if they do, may not use good passwords. They could have configuration issues, such as easy access to the administrative account from within the network or even over the Internet. If malware infects any device on the network, it could search for wireless routers and try to change their administrative settings.

Some smart (IoT) devices set up their own access points for convenience of installation. If no one has configured them or they aren’t configurable, they might be open to access by anyone and create a hole in the network. Once they’re discovered, it may be possible to configure them securely or disable them.

Malicious access points need to be connected to the network somehow. An employee working as someone’s spy can do it without much trouble. Such APs are often devious enough to evade casual detection. Some will spoof the MAC address of a legitimate access point when transmitting malicious traffic.

A relay doesn’t need to be physically connected to the network if the security of an authorized access point has been compromised. If passwords aren’t protected, this isn’t very hard. A relay can look on a casual scan like an AP that belongs to somebody else. Good software tools are necessary to separate the unwelcome devices from the legitimate ones by fingerprinting devices.

Unsecured access points

Access points may be legitimate but poorly secured. Open APs with no encryption are a serious risk, and it’s vital to make sure none have been set up that way by accident. Others may use WEP or the original WPA, which provide very weak security. They may use WPA2 but have weak passwords.
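To make the inventory comparison and capability fingerprinting described in the WIDS sections above concrete, here is an added example (not Bastille’s or Kismet’s code) that classifies over-the-air beacon observations against an authorized-AP inventory. It flags an unknown AP, an unknown AP impersonating a corporate SSID, a known BSSID whose advertised capabilities no longer match its enrolled fingerprint, and weak or absent encryption; the inventory, beacons and capability labels are constructed sample data.

```python
"""Added WIDS example (not Bastille's code, not Kismet's): classify
over-the-air beacon observations against an authorized-AP inventory.
Flags the cases the text describes: unauthorized (rogue) APs, a relay
impersonating a corporate SSID, weak or absent encryption, and a known
BSSID whose advertised capabilities no longer match its enrolled
fingerprint (possible MAC spoofing). All inventory entries and beacons
are constructed sample data.
"""
from dataclasses import dataclass

# Security modes the text calls out as unacceptable: open, WEP, original WPA.
WEAK_SECURITY = {"open", "wep", "wpa"}


@dataclass(frozen=True)
class Beacon:
    bssid: str
    ssid: str
    channel: int
    security: str       # "open", "wep", "wpa", "wpa2" or "wpa3"
    caps: tuple         # capability labels advertised in the beacon (constructed)
    rssi: int           # signal strength seen by the sensor, dBm


# Authorized APs with the capability fingerprint recorded at enrollment (constructed).
INVENTORY = {
    "00:11:22:aa:bb:01": {"ssid": "corp", "security": "wpa2", "caps": ("HT", "VHT", "RSN-CCMP")},
    "00:11:22:aa:bb:02": {"ssid": "corp", "security": "wpa2", "caps": ("HT", "VHT", "RSN-CCMP")},
    "00:11:22:aa:bb:03": {"ssid": "guest", "security": "wpa2", "caps": ("HT", "RSN-CCMP")},
}


def classify(beacon, inventory=INVENTORY):
    """Return the list of findings for one beacon (empty means nothing to report)."""
    findings = []
    corporate_ssids = {entry["ssid"] for entry in inventory.values()}
    known = inventory.get(beacon.bssid.lower())
    if known is None:
        # Unknown transmitter: an impersonated corporate SSID is worse than a plain rogue.
        findings.append("evil-twin" if beacon.ssid in corporate_ssids else "rogue-ap")
    else:
        if set(known["caps"]) != set(beacon.caps) or known["security"] != beacon.security:
            # Same BSSID, different fingerprint: spoofed MAC or tampered configuration.
            findings.append("fingerprint-mismatch")
        if known["ssid"] != beacon.ssid:
            findings.append("ssid-mismatch")
    if beacon.security in WEAK_SECURITY:
        findings.append("weak-security")
    return findings


def scan_report(beacons, inventory=INVENTORY):
    """Classify a whole scan, keyed by BSSID; only transmitters with findings appear."""
    report = {}
    for b in beacons:
        findings = classify(b, inventory)
        if findings:
            report[b.bssid.lower()] = findings
    return report


# Constructed scan: one legitimate AP, an evil twin on the corporate SSID with the
# strongest signal, an employee's open "printer" AP, and a spoof of an authorized BSSID.
SAMPLE_SCAN = [
    Beacon("00:11:22:aa:bb:01", "corp", 6, "wpa2", ("HT", "VHT", "RSN-CCMP"), -48),
    Beacon("de:ad:be:ef:00:01", "corp", 6, "wpa2", ("HT", "RSN-CCMP"), -35),
    Beacon("de:ad:be:ef:00:02", "printer-setup", 11, "open", ("HT",), -70),
    Beacon("00:11:22:aa:bb:02", "corp", 36, "wpa2", ("HT", "RSN-CCMP"), -52),
]

if __name__ == "__main__":
    for bssid, findings in scan_report(SAMPLE_SCAN).items():
        print(bssid, ", ".join(findings))
```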

Other intrusion paths

While 802.11 (Wi-Fi) is the most common form of wireless network access, other protocols are widely used and have their own risks. Bluetooth has a shorter range but can be a vector for intrusion.

At RSA this year more than a few people claimed that they were secure from RF attacks, but when questioned they could not articulate how they were achieving this, and some didn’t understand that there are other frequencies to secure besides 2.4 GHz.

Some IoT devices use industry standards, such as many LPWANs, or custom RF protocols. A comprehensive WIDS solution needs to address all RF data communications.

WIDS tools

Tools are available for sniffing the RF traffic in their range and identifying devices. They range from free, open-source ones to sophisticated, commercially supported ones. Using them allows the discovery of rogue devices as well as attempts to break security. They log information and may issue an alert when discovering a breach attempt.

Kismet is a wireless network detector which is primarily intended for 802.11 but can be expanded to other protocols. It has multiple uses, including identification of all devices within range or monitoring a single one. Using it for intrusion detection requires an appropriate setup, and installation is complicated.

Netstumbler was once well regarded as a scanning tool, but it hasn’t been maintained in many years. Its last release was in 2004.

Commercial tools, including Bastille’s, provide a supported WIDS with a convenient user interface.

Bastille monitors the RF spectrum from 60 MHz to 6 GHz, covering a wide range of RF-enabled devices from IoT, through cell phones and hotspots, all the way up to rogue Wi-Fi and other potential RF threats.

A network security system has to include wireless intrusion detection if it’s going to protect the network effectively from the growing number of unauthorized RF-enabled devices that enter your organization’s airspace every day.

Learning more

Many tools are available for detecting wireless devices, but not all of them do a good job. Creating a complete map of Wi-Fi and Bluetooth devices in an area requires the most advanced techniques available. To find out more about RF security, look through Bastille’s white papers and webinars.