When you think of RF vulnerabilities, you probably think first of Bluetooth and Wi-Fi issues. There have been well-publicized vulnerabilities in both during the past year, but the issue is broader. RF devices also include RFID tags, NFC (e.g., Apple Pay), 433 MHz remote control, LR-WPAN networking, and a host of proprietary protocols. Any of them can have security issues.
While the less known ones don’t get as much publicity, they can cause considerable havoc. Proprietary protocols often don’t get examined as closely as widely used ones, and some have weaknesses or just lack security. Firmware on chips usually isn’t open for examination. Currently significant vulnerabilities are found in both well-known and relatively obscure RF data protocols.
Wi-FI: Krack
The best-known wireless security issue of 2017 was known as Krack. This wasn’t just a software bug but a weakness in the WPA2 protocol. Every computer and access point that implemented WPA2 was affected.
“Krack” stands for “key reinstallation attack.” Briefly, the attack works by interfering in the handshake that negotiates an encryption key. It forces retransmission of one of the messages, causing the same nonce (initialization) value to be reused with the same key. This allows decryption of subsequent frames that use that key.
In some cases, the consequences are worse. Implementations that used the wpa_supplicant library can be made to use an all-zero encryption key, which is to say no encryption. Windows and Linux use this library and are vulnerable unless they have an updated version of it. Patches for all major WPA2 implementations are available; they fix the problem by preventing the forced replay. Many devices, however, haven’t been or can’t be updated.
Another vulnerability reported in 2017 was specific to Broadcom Wi-Fi chips. A remote attacker could use it to execute arbitrary code on an Android or iOS device with the chip. Patches have been available since July, but many devices remain unpatched. A proof-of-concept worm replicated itself from an infected device to nearby devices; a real exploit could spread quickly.
As with any RF vulnerability, the attacker has to be in physical proximity. Under favorable conditions, that can be 100 meters or more. It’s difficult to say how widely these issues have been exploited, since exploits don’t always leave traces that are obvious. Criminals using Krack would conduct targeted attacks rather than mass ones. Someone could spy on a network for months and not be noticed.
Keyless entry
Beyond Wi-Fi and Bluetooth are many forms of RF data communication which few people give much thought to. Because they don’t get a lot of scrutiny, serious vulnerabilities in them may go unnoticed. When they’re exploited, it may not be obvious what happened.
Keyless entry cards are a case in point. Most high-class hotels now use them instead of mechanical keys for access to rooms, and it’s increasingly common for them to use proximity rather than being inserted into a reader. These locks often give little thought to security. The protocols may be unencrypted and lack any authentication mechanism. Locks for high-security areas may suffer from similar vulnerabilities.
A vulnerability has been reported in certain makes of keyless entry locks, letting someone with network access unlock doors and create working counterfeit access cards. Intrusions of this kind could let people walk into hotel rooms or gain access to high-security areas.
Key fobs for remotely unlocking cars may have various vulnerabilities. One is that if a thief can get inside the car, it may be possible to program a new key from the vehicle’s onboard diagnostic port. Then it’s possible either to drive away immediately or come back at a more suitable time. Subaru key fobs reportedly have a weak “rolling code” which is trivially broken.
Medical devices
Wireless medical implants can literally be a lifesaving aid for patients. They provide access for medical personnel to read out information and change settings without invasive procedures. If not properly secured, though, they can be vulnerable to attacks that could harm patients’ health or kill them. An RF transmitter used in implantable cardiac devices was found to be vulnerable to man-in-the-middle attacks. An attacker could increase or decrease the pacing to a dangerous level or drain the battery.
Medical devices may have access to hospital networks, so criminals could use them as jumping-off points to servers, installing ransomware or stealing personal information. If a breach occurs and the Office of Civil Rights finds the healthcare provider negligent, fines in the millions of dollars are possible.
Poor or nonexistent security is common in implantable medical devices. The emphasis is on ease of use, and doctors don’t want to be delayed by hunting for a password in an emergency. But the protocols in many devices are easy to reverse-engineer, so someone with moderate technical skills and proximity to the patient could get access to the devices and do serious damage.
Remotely hijacking vehicles
The possibility of remotely attacking a vehicle through RF data communications is especially alarming because it could let someone injure or kill the occupants. In 2016, Homeland Security was able to penetrate the systems of a Boeing 757 airplane while it was parked at an airport. All that they’ve revealed is that the flaw is in radio frequency communications. No one outside of the few with access to the classified information knows what protocol was involved or how serious a threat it poses. It also isn’t known whether the vulnerability exists in other aircraft systems. Boeing hasn’t made 757s since 2004, but major airlines and the White House still use them.
Several years ago, an experiment in remotely seizing control of a car through its entertainment system made the news. It was possible because a system with remote access and weak security was connected to more critical systems based on a design that predates remote access concerns.
Attacks of this kind are difficult to engineer, but they might be used against prominent individuals, to kill or intimidate them.
The special risks of RF
RF vulnerabilities are most often not the result of flaws in operating systems and applications. The problems often reside in the firmware of communications chips, which are trade secrets not open to public inspection. An attack on them bypasses not just network firewalls but many forms of detection. The vulnerable devices are often simple, mass-produced ones, the kind found on the Internet of Things. Many manufacturers pay more attention to price than security.
With wireless devices of all kinds playing a growing role in data communications, vulnerabilities based in RF communications are a growing concern for cybersecurity, and this trend will continue.
To learn more about the RF vulnerabilities in your environment please contact Bastille.