Not your Parent's Wireless Threat

Published: 2012-04-09
Last Updated: 2012-04-10 12:19:56 UTC
by Johannes Ullrich (Version: 1)

Back in the good old days, wireless threats could be summarized as "secure your 802.11x access point by picking a strong passphrase, and do not connect to evil unknown access points". I am not sure if this was ever quite right, but it certainly isn't right today. Cheaper hardware, in particular software defined radios with easily accessible open drivers, makes larger ranges of the spectrum available to intrusion and detection by attackers who are not funded by nation states. At the same time, wireless technologies are proliferating at an amazing pace. As far as possible, I am trying to write up a very brief summary of the various technologies. I am sure I forgot some. If so, please add them via comments:

802.11: This set of standards deals with wireless LAN communication, and its most commonly known parts, a, b, g and n, are probably the most common and most easily accessible wireless networking technologies. It uses frequencies in the 2.4 GHz and 5 GHz bands. (For all frequency mentions here: there tend to be local/national differences in exactly which part of the spectrum is used.) At this point, speeds in excess of 100 Mbit/sec can be reached, and extensions are in the works to push this beyond 1 Gbps. The range is typically on the "residential property" scale but can be extended over several km with special gear. Various optional encryption and authentication methods are available, but they have to be configured. The cost to an attacker to sniff/attack 802.11 is probably in the $10 range.

Bluetooth: Meant to be a standard to replace pesky cables connecting devices like headsets to phones, the focus of this standard is low power and low cost. There is a simple but pretty effective encryption mechanism built in. However, it is frequently limited by the user's ability to enter a complex PIN code using a one-button headset. The range is typically shorter than 802.11 but can reach tens of meters. Bluetooth uses the 2.4 GHz band. To effectively attack Bluetooth, you need to be a bit more specific about which Bluetooth dongle to use than with 802.11, which is why I rate the cost of attack at $50.

DECT: This standard is mostly used in cordless phones, again operating in the unlicensed spectrum (900 MHz, 2.4 GHz, 5 GHz). Range is similar to 802.11. Encryption is somewhat optional. Equipment to sniff DECT calls is not as readily available, as only very specific cards can be used. Typically you need to import equipment, and you may be breaking some US import laws if you do so. However, the equipment still tends to be pretty cheap consumer-grade PCMCIA cards. I will assign them a value/cost of $100.

Zigbee (802.15.4): Zigbee is a bit of the new kid on the block, but it is growing quickly in the home automation and alarm system world. The "KillerBee" project provides open source tools to attack and sniff Zigbee. The hardware supported by KillerBee costs around $50. Range is very similar to Bluetooth.

RFID: RFID is very different from the technologies above, as it is frequently used with "remote power". The RFID reader has to send out a signal strong enough to power the RFID tag and read the information embedded in it. There are a number of different sub-standards for exactly how the information is encoded. Readers are pretty cheap, also in the $50 range. If you want to create your own cards, you may need to pay a bit more (let's say $100?). RFID attacks can be dangerous if they are used to clone touchless door access keys. Some credit cards allow reading of the name and card number. Realistically, the range of RFID is a couple of meters. Defense is pretty easy. You don't need a full Faraday cage wallet. Just adding a credit card sized piece of aluminum to your wallet will typically provide enough interference to make the tag unreadable.

NFC: An extension of RFID which is starting to show up in mobile phones. Just like RFID it is low power and limited to short distances. Attacker's cost: $100

Cell phones: This may make a nice diary in itself in the future. I am just wrapping them all up in one for the quick discussion here (GSM, GPRS, EDGE, LTE...). Attacking these systems is technically and legally more difficult. It typically requires specific equipment and some expertise. But once set up, an attacker may operate a fake cell phone tower used to record or re-route phone calls. I would rate the cost of the attack in the $1000-$10,000 range (hard to tell with all the different standards; some old analog standards can be "sniffed" with a decent radio scanner). There isn't much you can do to defend against this, other than using encrypted connections inside the cell phone channel.

X10: A home automation wireless standard. Pretty much unencrypted. All you need is a transmitter set to the right "house code" (one out of sixteen). Cost: $50

Wireless mice/keyboards: These devices typically use more proprietary standards, but they have been shown to be quite weak cryptographically and easy to attack. It does require somewhat customized hardware in some cases. However, recently more and more of these devices use Bluetooth (cost: $50-$100).

Other standards: Z-Wave (home automation, 900 MHz or 2.4 GHz, uses 128-bit AES), WiMAX (wireless network technology in licensed spectrum for larger distances, called "4G" by some carriers competing with LTE)

Many of these standards can be used to exfiltrate data over short ranges. Or, if they are used in alarm systems and door access controls, they can be used to assist in a physical attack.


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: wireless