As the government is committed to securing the nation from cyberattacks and as enterprises proactively protect their corporation from cybercriminals, there looms a silent and stealthy threat: radio frequency (RF) espionage.

The threat of RF attacks to our nation and to the enterprise has never been greater with devices running on various networks across the wireless spectrum. These devices present major risks because wireless communications are a blind spot.


The Hidden RF Dangers

According to the annual Ericsson report, there are more than 22 billion connected devices, and 15 billion of them contain radios, making them targets for an RF breach. Nations and enterprises are more at risk of a radio-based attack than ever before. Forty years on, we’ve become pretty good at securing wired Ethernet. Somehow that confidence in wired Ethernet has magically transferred to Wi-Fi, Bluetooth, Bluetooth Low Energy, Zigbee and cellular.

But these RF protocols are all newer, and each brings its own vulnerabilities. They may have security mechanisms, but they lack the battle-hardening needed to properly identify and mitigate radio-borne threats. Traditional security products ignore RF protocols in the air and wait for issues to show up as symptoms on the wired network. Corporations and governments can’t counteract what they can’t detect. Vulnerable wireless and cellular devices are currently masquerading as everyday devices inside government facilities and enterprises. These rogue devices can include building controls, cell phones, medical devices, printers, security cameras, smart TVs and more.

For instance, a company iPad connected to a network can also be tethered to a cell phone via Bluetooth and that same cell phone can be covertly connected to a server in China where hackers are analyzing the exfiltrated data to access sensitive company and customer information.


Beware: Obscurity is Not Security

When 156 emergency sirens in Dallas, Texas were compromised via an RF attack in 2017, they screamed a warning about the vulnerable radio-controlled national infrastructure. Systems that use radio controls (not just emergency siren systems) are often vulnerable to invisible radio attacks. The Dallas incident revealed just how vulnerable cities are.

The vendors and purchasers of the Dallas siren systems may have believed they had security through obscurity, because they had their own special network and a dedicated radio protocol. What they didn’t have was true encryption. An attacker could record the commands sent out every week for the two-minute siren test and play them back in the middle of the night to terrify a major city. Radio hacking tools and computing technology are faster, more accessible and cheaper than ever, which gives attackers the opportunity to research, find and exploit any weaknesses that exist.
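An added example, not from the original article, of the replay weakness the Dallas case illustrates from the receiver’s side: a controller that accepts any correctly framed command versus one that requires a monotonically increasing counter bound to the message by an HMAC, so a recorded command resent later is rejected. The key, the framing and the command names are constructed for the demonstration.

```python
import hmac
import hashlib
import struct
from typing import List, Optional, Tuple

# Constructed demonstration key; a real deployment would provision a per-site secret.
KEY = b"constructed-demo-key-not-for-production"


# --- Proprietary but unauthenticated framing: obscurity only ---
def legacy_encode(command: str) -> bytes:
    # Anyone who records this frame can resend it unchanged.
    return b"SIREN:" + command.encode()


def legacy_receive(frame: bytes) -> Optional[str]:
    if frame.startswith(b"SIREN:"):
        return frame[6:].decode()
    return None


# --- Authenticated framing with a monotonic counter: replay-resistant ---
def auth_encode(key: bytes, counter: int, command: str) -> bytes:
    # frame = 8-byte big-endian counter | command | 32-byte HMAC-SHA256 tag
    body = struct.pack(">Q", counter) + command.encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()


class AuthenticatedReceiver:
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1  # highest counter accepted so far

    def receive(self, frame: bytes) -> Optional[str]:
        if len(frame) < 8 + 32:
            return None
        body, tag = frame[:-32], frame[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged or corrupted frame
        counter = struct.unpack(">Q", body[:8])[0]
        if counter <= self.last_counter:
            return None  # counter already seen: replay rejected
        self.last_counter = counter
        return body[8:].decode()


def demo() -> Tuple[List[Optional[str]], List[Optional[str]]]:
    # The weekly test command is recorded once and delivered twice.
    recorded = legacy_encode("ACTIVATE")
    legacy_results = [legacy_receive(recorded), legacy_receive(recorded)]
    rx = AuthenticatedReceiver(KEY)
    recorded = auth_encode(KEY, 1, "ACTIVATE")
    auth_results = [rx.receive(recorded), rx.receive(recorded)]
    return legacy_results, auth_results
```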


Where Vulnerabilities Lie

RF vulnerabilities most often aren’t due to flaws in operating systems and applications. They often reside instead in the firmware of communications chips, which is a trade secret not open to public inspection. An attack on them bypasses not just network firewalls but many forms of detection. The vulnerable devices are often simple, produced by the billions and found in IoT, in wearables and in the gadgets we use every day. Many manufacturers tend to pay more attention to low-cost solutions than to proven security measures.

Knowledge of these vulnerabilities is widespread. While nation-states used to rely on hidden “bugs” on obscure frequencies, most now use cellular, Bluetooth, BLE and Wi-Fi for spying, since these signals are bouncing around everywhere, even in the most secure areas, which makes it easy to disguise a spy radio in the ordinary traffic. With wireless devices playing a growing role in data communications, vulnerabilities in RF communications are a growing cybersecurity concern, and this trend is bound to continue.


Recognizing Malicious RF Threats

As the avalanche of wireless devices grows, attacks will become increasingly common. The IoT has resulted in the development of 100 new RF protocols, each optimized for a particular class of devices. Because new wireless protocols are relatively untested, they are frequently insecure, leaving an entry point for attackers. A network’s airspace is susceptible to RF threats because it is invisible to corporate security teams.

Multiple radio-based device threats have been published in the last two years, including SweynTooth, BleedingBit, BlueBorne, KeySniffer, MouseJack, Philips Hue and the Zigbee worm. The SweynTooth vulnerabilities alone affect billions of Bluetooth Low Energy (BLE) chips in wearables, heart monitors, wireless keyboards and more. Very few CISOs even know how many BLE devices are in their facility. SweynTooth can be prevented by bringing every BLE device up to the post-SweynTooth firmware for that device. However, if you don’t know the devices are there, you certainly haven’t updated their firmware.

The SweynTooth vulnerability, discovered in early 2020, is particularly alarming because it highlights the difficulty of locating BLE devices in corporate networks. When BLE devices pair with other devices, they stop advertising their existence, which means that most BLE devices are invisible in corporate settings. SweynTooth allows attackers to use radio to sidestep security and take control of or shut down BLE devices. Once attackers have a compromised device inside a corporate network, they can use it as an entry point to infiltrate other systems and mine for company secrets and sensitive data. Notably, company devices or personal gadgets can be compromised outside the facility, for example at a coffee shop frequented by employees, and then carried back into the facility by an unknowing employee to serve as a beachhead for extracting data.


Securing the Radio Space: RF Security Recommendations

Corporations can safeguard their intellectual property and sensitive data by assessing what devices are operating in their radio space and whether the traffic is encrypted or not.

So how should organizations be preparing? Here are essential steps for enterprises to protect their business from an RF hack:

  1. Take control of your airspace: Obtain visibility into devices that use cellular, Wi-Fi, Bluetooth and BLE. Locating every radio emitter provides situational awareness of the devices in an enterprise’s network. This also lets you bring their firmware up to date.
  2. Evaluate RF technology: Assessing RF security solutions will be vital to preserving company secrets. As security teams examine RF products on the market, their checklist of capabilities should include solutions that can detect, analyze, alert on and accurately locate cellular devices in corporate airspace in real time.
  3. Deploy RF solutions: Proactively equipping an organization with RF security technology will future-proof the enterprise against an RF breach. Adopting RF solutions that constantly monitor and detect the transmissions of devices in the wireless spectrum will counter malicious attacks.

There’s widespread recognition of sophisticated RF threats and espionage, but there’s been limited adoption and enforcement of security policies to protect an organization’s valuable assets from an airborne attack. Maintaining secure businesses and deploying RF monitoring technology will be pivotal for corporations to fend off malicious airborne threats.