Not your Parent's Wireless Threat

Published: 2012-04-09
Last Updated: 2012-04-10 12:19:56 UTC
by Johannes Ullrich (Version: 1)
6 comment(s)

Back in the good old days, wireless threats could be summarized as "secure your 802.11 access point by picking a strong passphrase, and do not connect to evil unknown access points". I am not sure this was ever quite right, but it certainly isn't right today. Cheaper hardware, in particular software defined radios with easily accessible open drivers, makes larger ranges of the spectrum available for intrusion and interception by attackers who are not nation-state funded. At the same time, wireless technologies are proliferating at an amazing pace. Below is a very brief summary of the various technologies, with a rough estimate of what the hardware to attack each one costs. I am sure I forgot some. If so, please add via comments:

802.11: This set of standards deals with wireless LAN communication; its most commonly known parts, a, b, g and n, are probably the most widespread and most easily accessible wireless networking technologies. It uses frequencies in the 2.4 GHz and 5 GHz bands (for all frequencies mentioned here: there tend to be local/national differences in exactly which part of the spectrum is used). At this point, speeds in excess of 100 Mbit/sec can be reached, and extensions are in the works to push this beyond 1 Gbit/sec. The range is typically on the "residential property" scale, but can be extended over several km with directional antennas. Various optional encryption and authentication methods (WEP, WPA, WPA2) are available, but they have to be configured, and the access point advertises in its beacons which of them it uses. The cost to an attacker to sniff/attack 802.11 is probably in the $10 range: any wireless card whose driver supports monitor mode will do.
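To make the "has to be configured" point concrete, here is an added example (not part of the original diary) that parses raw 802.11 beacon frames and reports what the access point advertises: whether the privacy bit is set, whether an RSN (WPA2) or vendor WPA element is present, and which ciphers and key management the RSN element lists. The frames it runs on are constructed in the block itself, the BSSID is made up, and the build_beacon, parse_ies, parse_rsn and classify_beacon names are mine, not from any tool the diary mentions. Feed it frames captured in monitor mode (after stripping the radiotap header) and it tells you whether the network is open, WEP, WPA or WPA2, and whether TKIP is still allowed.

```python
import struct

# 802.11 information element tags and RSN suite selectors used below.
IE_SSID, IE_RATES, IE_RSN, IE_VENDOR = 0, 1, 48, 221
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"           # Microsoft OUI, type 1 = WPA1
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}


def _ie(tag, body):
    return bytes([tag, len(body)]) + body


def build_beacon(ssid, privacy=False, rsn=None, wpa=None):
    """Construct a minimal beacon frame (no radiotap header). Constructed test
    data only: the BSSID is made up and nothing here transmits anything."""
    header = (b"\x80\x00"                      # frame control: mgmt/beacon
              + b"\x00\x00"                    # duration
              + b"\xff" * 6                    # DA: broadcast
              + bytes.fromhex("001122334455")  # SA (made up)
              + bytes.fromhex("001122334455")  # BSSID (made up)
              + b"\x00\x00")                   # sequence control
    cap = 0x0001 | (0x0010 if privacy else 0)  # ESS, privacy bit
    fixed = struct.pack("<QHH", 0, 100, cap)   # timestamp, interval, cap
    ies = _ie(IE_SSID, ssid.encode()) + _ie(IE_RATES, b"\x82\x84\x8b\x96")
    if rsn is not None:
        ies += _ie(IE_RSN, rsn)
    if wpa is not None:
        ies += _ie(IE_VENDOR, wpa)
    return header + fixed + ies


def parse_ies(data):
    """Walk tag/length/value elements, stopping at a truncated element."""
    ies, i = [], 0
    while i + 2 <= len(data):
        tag, ln = data[i], data[i + 1]
        body = data[i + 2:i + 2 + ln]
        if len(body) < ln:
            break
        ies.append((tag, body))
        i += 2 + ln
    return ies


def parse_rsn(body):
    """Return (pairwise ciphers, AKMs) from an RSN IE body:
    version(2) group suite(4) n(2) pairwise suites(4n) m(2) AKM suites(4m)."""
    n = struct.unpack_from("<H", body, 6)[0]
    pairwise = [CIPHERS.get(body[8 + 4 * k + 3], "?") for k in range(n)]
    off = 8 + 4 * n
    m = struct.unpack_from("<H", body, off)[0]
    akms = [AKMS.get(body[off + 2 + 4 * k + 3], "?") for k in range(m)]
    return pairwise, akms


def classify_beacon(frame):
    """Report what security an access point advertises in a beacon."""
    if len(frame) < 36 or frame[0] != 0x80:
        raise ValueError("not an 802.11 beacon")
    cap = struct.unpack_from("<H", frame, 34)[0]      # 24-byte header + 10
    ies = parse_ies(frame[36:])                       # fixed params are 12 bytes
    ssid = next((b.decode(errors="replace") for t, b in ies if t == IE_SSID), "")
    rsn = next((b for t, b in ies if t == IE_RSN), None)
    wpa = any(t == IE_VENDOR and b[:4] == WPA_OUI_TYPE for t, b in ies)
    pairwise, akms, warnings = [], [], []
    if rsn is not None:
        security = "WPA2"
        pairwise, akms = parse_rsn(rsn)
        if "TKIP" in pairwise:
            warnings.append("TKIP allowed")
    elif wpa:
        security = "WPA"
        warnings.append("WPA1 only")
    elif cap & 0x0010:
        security = "WEP"
        warnings.append("WEP is broken")
    else:
        security = "OPEN"
        warnings.append("no encryption")
    return {"ssid": ssid, "security": security, "pairwise": pairwise,
            "akm": akms, "warnings": warnings}


if __name__ == "__main__":
    # RSN body for WPA2-PSK with CCMP only (group CCMP, one pairwise, one AKM).
    rsn_psk_ccmp = bytes.fromhex("0100" "000fac04" "0100" "000fac04"
                                 "0100" "000fac02" "0000")
    for f in (build_beacon("guest"), build_beacon("legacy", privacy=True),
              build_beacon("home", privacy=True, rsn=rsn_psk_ccmp)):
        print(classify_beacon(f))
```

The RSN walk deliberately reads suite counts from the frame rather than assuming one suite each, because mixed-mode access points advertise both TKIP and CCMP and the weaker cipher is what a downgrade-capable client will get.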

Bluetooth: Meant as a standard to replace pesky cables for connecting devices like headsets to phones, the focus of this standard is low power and low cost. There is a simple but pretty effective encryption mechanism built in. However, the security of legacy pairing depends on the PIN, and that is frequently limited by the ability of the user to enter a complex PIN on a one-button headset; many such devices ship with a fixed PIN like 0000. The range is typically shorter than 802.11 but can reach tens of meters. Bluetooth uses the 2.4 GHz band. To effectively attack Bluetooth, you need to be a bit more specific about which Bluetooth dongle to use than with 802.11, which is why I rate the cost of attack at $50.

DECT: This standard is mostly used in cordless phones. DECT itself operates around 1.9 GHz (1880-1900 MHz in Europe, 1920-1930 MHz for "DECT 6.0" in the US); other cordless phones use the 900 MHz, 2.4 GHz and 5.8 GHz unlicensed bands. Range is similar to 802.11. Encryption is somewhat optional: the standard defines it, but not every handset and base station actually uses it. Equipment to sniff DECT calls is not as readily available, as only very specific cards can be used (the COM-ON-AIR PCMCIA cards supported by the deDECTed.org tools). Typically you need to import the equipment, and you may be breaking some US import laws if you do so. However, the equipment still tends to be pretty cheap consumer grade PCMCIA cards. I will assign them a value/cost of $100.

Zigbee (802.15.4): Zigbee is a bit of a new kid on the block, but it is growing quickly in the home automation and alarm system world. The KillerBee project provides open source tools to sniff and attack Zigbee. The hardware supported by KillerBee (an Atmel RZUSBstick with custom firmware) costs around $50. Range is very similar to Bluetooth, and it mostly uses the same 2.4 GHz band.

RFID: RFID is very different from the technologies above as it is frequently used with "remote power": a passive tag has no battery, so the RFID reader has to send out a signal strong enough to power the tag and then read back the information stored on it. There are a number of different sub-standards (125 kHz low-frequency tags, 13.56 MHz high-frequency cards such as those following ISO 14443, and UHF tags) that differ in frequency and in exactly how the information is encoded. Readers are pretty cheap, also in the $50 range. If you want to write your own cards, you may need to pay a bit more (let's say $100?). RFID attacks can be dangerous if they are used to clone contactless door access keys. Some credit cards allow reading of the name and card number. Realistically, the read range of a passive tag is a few centimeters for the 13.56 MHz cards used in badges and payment cards and up to a couple of meters for UHF tags; an attacker can stretch this somewhat with a bigger antenna and more power, but the tag still has to be powered. Defense is pretty easy. You don't need a full Faraday cage wallet. Just adding a credit card sized piece of aluminum to your wallet will typically shield or detune the tag enough that it cannot be read.

NFC: An extension of the 13.56 MHz RFID standards that is starting to show up in mobile phones. Just like RFID it is low power and limited to short distances (a few centimeters by design). Attacker cost: $100.

Cell phones: That may make a nice diary in itself in the future. I am just wrapping them all up in one for the quick discussion here (GSM, GPRS, EDGE, LTE...). Attacking these systems is technically and legally more difficult. It typically requires specific equipment and some expertise. But once set up, an attacker may run a fake cell tower (an "IMSI catcher") that nearby phones attach to, and use it to record or re-route phone calls. I would rate the cost of the attack in the $1,000-$10,000 range (hard to tell with all the different standards; some old analog standards can be "sniffed" with a decent radio scanner). There isn't much you can do to defend against this, other than using encrypted connections (TLS, VPN) on top of the cell phone channel.

X10: A home automation standard that sends commands over the power line and, with RF remotes, over the air (310 MHz in the US, 433 MHz in Europe). It is unencrypted and unauthenticated. All you need is a transmitter set to the right "house code" (one out of sixteen, A through P); every device listening on that house code will obey. Cost: $50
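As an added illustration of how little stands between an attacker and an X10 device (example code written for this page, not from the diary or any X10 vendor): the commonly documented X10 RF frame layout is four bytes, a house/unit byte and a command byte each followed by its bitwise complement. The complement is the only check a receiver performs, so the full set of basic on/off commands for every house and unit code is just 512 frames, small enough to simply replay all of them. The house code table and bit positions below are taken from public descriptions of the format and should be treated as an assumption rather than something verified against hardware; the encode, decode and all_commands names are mine.

```python
# Commonly documented X10 RF frame layout (treated here as an assumption,
# not verified against hardware): four bytes, each odd byte the bitwise
# complement of the byte before it. That complement is the only integrity
# check; there is no key, nonce or sequence number anywhere in the frame.
HOUSE_NIBBLE = {"A": 0x6, "B": 0x7, "C": 0x4, "D": 0x5, "E": 0x8, "F": 0x9,
                "G": 0xA, "H": 0xB, "I": 0xE, "J": 0xF, "K": 0xC, "L": 0xD,
                "M": 0x0, "N": 0x1, "O": 0x2, "P": 0x3}
NIBBLE_HOUSE = {v: k for k, v in HOUSE_NIBBLE.items()}
UNIT_BITS = [0x00, 0x10, 0x08, 0x18, 0x40, 0x50, 0x48, 0x58]  # units 1-8
UNIT_HI = 0x04          # set in byte 0 for units 9-16
OFF_BIT = 0x20          # set in byte 2 for OFF, clear for ON


def encode(house, unit, on):
    """Build the 4-byte frame for '<house><unit> ON/OFF', e.g. ('A', 1, True)."""
    if house not in HOUSE_NIBBLE or not 1 <= unit <= 16:
        raise ValueError("bad house/unit")
    b0 = HOUSE_NIBBLE[house] << 4 | (UNIT_HI if unit > 8 else 0)
    b2 = UNIT_BITS[(unit - 1) % 8] | (0 if on else OFF_BIT)
    return bytes([b0, b0 ^ 0xFF, b2, b2 ^ 0xFF])


def decode(frame):
    """Inverse of encode(); rejects frames whose complement bytes don't match,
    which is all the validation a real receiver does."""
    if len(frame) != 4 or frame[1] != frame[0] ^ 0xFF or frame[3] != frame[2] ^ 0xFF:
        raise ValueError("complement check failed")
    house = NIBBLE_HOUSE[frame[0] >> 4]
    unit = UNIT_BITS.index(frame[2] & 0x58) + 1 + (8 if frame[0] & UNIT_HI else 0)
    return house, unit, not (frame[2] & OFF_BIT)


def all_commands():
    """Every (house, unit, on/off) frame an attacker could replay: the whole
    'key space' for basic switching is 16 * 16 * 2 = 512 frames."""
    return [encode(h, u, on) for h in HOUSE_NIBBLE for u in range(1, 17)
            for on in (True, False)]


if __name__ == "__main__":
    print(encode("A", 1, True).hex())      # 609f00ff
    print(decode(bytes.fromhex("609f20df")))
    print(len(all_commands()), "distinct frames cover every basic command")
```

Forging a valid frame therefore costs nothing beyond knowing the layout; the "house code" is an addressing convenience, not a secret, and a receiver cannot tell the owner's remote from a $50 transmitter across the street.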

Wireless mice/keyboards: These devices typically use proprietary protocols, and several have been shown to be cryptographically weak and easy to attack (the KeyKeriki project, for example, demonstrated that some 27 MHz keyboards "encrypted" keystrokes with nothing more than a single-byte XOR). In some cases this does require a bit of custom hardware. However, more and more of these devices now use Bluetooth (cost: $50-$100).

Other standards: Z-Wave (home automation in the sub-1 GHz ISM bands, 868 MHz in Europe and 908 MHz in the US; supports 128-bit AES, though not every device uses it), WiMAX (a wireless network technology in licensed spectrum for larger distances, called "4G" by some carriers and competing with LTE).

Many of these standards can be used to exfiltrate data over short distances. If they are used in alarm systems or door access controls, they can be used to assist in a physical attack.


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: wireless


It might be useful to those not familiar all that much with wireless technology that the "distance" one can receive (or transmit) is not a property of one of the endpoints. It is a property of BOTH sides combined with the medium in between. To put that in perspective: even if your computer does not pick up your WiFi from across the street, it does not mean that an attacker with e.g. a directional antenna cannot connect to it. It's more difficult to power an RFID tag from great distances, but as long as you do not need to power the remote device, there isn't much to stop an attacker from being able to zero in on any of us, from any distance (given the right equipment on their end). Similarly, it's not because your phone will not see your hands-free car kit from across the parking lot that an attacker cannot communicate with both from the same or even greater distances away.

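The comment above makes a link budget argument, so here is an added example (not from the commenter or the diary) that puts numbers on it using the Friis free-space path loss formula. The access point parameters (20 dBm, 2 dBi, 2437 MHz) and the receiver sensitivity of -80 dBm are assumed typical values, the function names are mine, and free space is a best case: walls and bodies add tens of dB of loss in practice, so treat the distances as upper bounds.

```python
import math

FSPL_CONST_DB = 32.44   # Friis free-space loss constant for km and MHz


def fspl_db(distance_m, freq_mhz):
    """Free-space path loss in dB. Real paths (walls, foliage, bodies) add
    tens of dB on top of this, so everything derived from it is an upper bound."""
    return (20 * math.log10(distance_m / 1000.0)
            + 20 * math.log10(freq_mhz) + FSPL_CONST_DB)


def max_range_m(tx_dbm, tx_gain_dbi, rx_gain_dbi, rx_sens_dbm, freq_mhz,
                margin_db=0.0):
    """Largest free-space distance at which the receiver still sees at least
    its sensitivity. Only the sum of both antenna gains enters the budget,
    which is why a directional antenna on the attacker's side extends range
    just as well as one on the victim's."""
    budget_db = tx_dbm + tx_gain_dbi + rx_gain_dbi - rx_sens_dbm - margin_db
    d_km = 10 ** ((budget_db - 20 * math.log10(freq_mhz) - FSPL_CONST_DB) / 20)
    return d_km * 1000.0


def required_rx_gain_dbi(distance_m, tx_dbm, tx_gain_dbi, rx_sens_dbm, freq_mhz):
    """Antenna gain an eavesdropper needs to hear a transmitter at distance_m."""
    return fspl_db(distance_m, freq_mhz) - tx_dbm - tx_gain_dbi + rx_sens_dbm


if __name__ == "__main__":
    # Assumed, typical numbers: 100 mW (20 dBm) home AP with a 2 dBi antenna
    # on 2.4 GHz channel 6, and a receiver sensitivity of -80 dBm.
    ap = dict(tx_dbm=20, tx_gain_dbi=2, rx_sens_dbm=-80, freq_mhz=2437)
    for gain in (0, 9, 24):
        km = max_range_m(rx_gain_dbi=gain, **ap) / 1000
        print(f"{gain:>2} dBi attacker antenna: {km:.1f} km (free space)")
    print(f"gain needed at 10 km: {required_rx_gain_dbi(10_000, **ap):.1f} dBi")
```

Only the sum of transmit and receive gains appears in the budget, so a 24 dBi dish on the attacker's side buys a factor of 10^(24/20), about 16x, in range regardless of what the victim's own antenna can hear.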
I think there are more technologies around. I know that there are different home alarm systems typically using the 868 MHz frequency range in Europe. Here all sorts of devices communicate. Many with proprietary protocols, probably easy to hack.

Alarm systems could soon be a target.
In a similar vein to home security, there are garage door opener standards (HomeLink is one). This is somewhat of a security standard and there is "learning" involved, usually by pushing a button on the garage door opener and letting it learn a code from the remote opener unit.

Receive only can also be a risk, such as GPS. For now, this is an expensive attack, more focused on DoS than on spoofing. But it is possible, and if you are constructing high-value systems or processes built on GPS, keep in mind that you may be making GPS related attacks worthwhile.

What would be helpful to include in these dollar figures is an estimate of the non-hardware relative costs to successfully attack a properly configured (and therefore secured) endpoint. If not a dollar figure, then a relative difficulty for the hacker to successfully use that $25 to $100 hardware to actually get information. That they can see packets flowing with an SSID by itself is of limited concern if the encryption is still intact.

Success in my mind is getting information about something other than the access point itself that the attacker would find of value. Examples would include (but not limited to): account or transaction information from an HTTPS session, information that could be used to track your location or identity that includes some real world ID like name or SSN, private files of any kind on your computer.

These are the things that to me are the most serious problems. Tracking cookies, what movie file I am viewing now, and other anonymous ID values are a problem but far below what the above examples represent. In a properly secured environment we should not have unsecured file shares, open 802.11 points, unencrypted sensitive information flowing on the network, etc.

Otherwise this is not quantifiable for anyone outside the security business itself, especially home users who make up a very large number of the potential targets for this activity. While their value is lower than a business in theory they are a lot easier to hack, so just hack the CXO's home computer and you are bound to find something worth some effort.

One more I would add is text pagers using FLEX, ReFLEX, and/or POCSAG. Plenty of enterprise IT shops (and medical service agencies) still use text pagers to send alerts for downed servers, circuits, etc. These are very easy to intercept with a cheap, even otherwise obsolete, radio scanner and a soundcard or serial port. It might not provide a route into your network, but it's a goldmine for social engineers. If they can recite to you what servers are out and name people in your org, you're going to trust they belong to your organization. Range is metropolitan area, or national if you pay for national service.
