When any new communication medium for sharing information emerges, it’s often quickly followed by those committed to hacking it. This natural progression is unfortunately very predictable: groups of skilled experts form to explore vulnerabilities; they share ideas, code, tools and more. After a while, that small group balloons into a full-blown community that’s equipped with easy-to-use graphical hacking toolkits and hundreds of instructional resources online. Suddenly, hacks that used to require years of experience are now widely available to anyone with a few hours to burn on YouTube and the willingness to download shady software tools.
Wi-Fi is a great example of this hacking progression. In fact, I believe that the Wi-Fi hacking community has now reached critical mass. When you factor in the easy availability of pre-built hacking tools and software defined radios, I believe that we’ll see wireless hacking move beyond Wi-Fi to target other protocols like Zigbee, Bluetooth and Sigfox.
When Wi-Fi was first introduced, it gave the world an inexpensive way to send bits and bytes over the air at short range. Shortly thereafter, small groups of skilled Wi-Fi experts formed and it wasn’t long before presentations on Wi-Fi hacking popped up at Def Con. Those smaller groups turned into larger groups and the commoditization of Wi-Fi attack tools began.
Today, you can buy an easy-to-use graphical attack tool called the Wi-Fi Pineapple. These devices are simply an access point with a collection of attack tools enabled by an easy-to-use graphical web interface that leverage the single biggest weakness in Wi-Fi security: the man-in-the-middle (MiTM) attack.
Even curious amateurs can now perform advanced Wi-Fi attacks and steal usernames, passwords, credit card numbers and more. Thanks largely to tools like the Wi-Fi Pineapple, the popularity of amateur Wi-Fi hacking has attracted a significant following. Don’t believe me? Just check out the millions of video tutorials on YouTube that teach people how to leverage 802.11 networks to steal sensitive information. Furthermore, the recent disclosure of a serious WPA/WPA2 vulnerability (KRACK), which affects nearly all 802.11 Wi-Fi devices, has thrown Wi-Fi hacking into the limelight on a greater scale.
But Wi-Fi isn’t the only wireless protocol out there. Which new wireless communication methods might hackers focus on next? To answer that, we need to ask ourselves two questions:
1. Is there potential value? – Most malicious hackers want a payout. In order for a wireless communication channel to truly become a target, online criminals need to be able to squeeze something of value from it.
2. Is the target easy to find? – Hackers often rely on broad coverage and sheer numbers. For example, they’re not going to waste time hacking a new wireless communication that hasn’t yet seen mass adoption.
Once they determine that a communication system has value and wide usage, hackers still have to overcome some technical hurdles to attack it. In the case of wireless communications, the frequencies, modulation schemes and encryption algorithms used vary widely. So, software defined radios (SDRs) are key to enabling cyber criminals to find and exploit vulnerabilities. SDRs are capable of receiving and transmitting wireless signals across a wide range of frequencies and let users analyze the captured signals in software for easy-to-interpret results. The HackRF One is an SDR-based tool that has recently become very popular among expert groups looking to unearth and analyze new vulnerabilities. With the accessibility this tool brings to hacking communities, much of the complexity of “understanding wireless” is removed.
Here are four wireless communications standards that are common, have value and can be easily attacked with new SDR tools. These will be some of the prime targets for wireless hacking in the near future.
Bluetooth devices
Consider the type of valuable information transmitted on popular Bluetooth-enabled devices like keyboards, mobile phones, medical devices, cars or conference phones. Several Bluetooth hacking projects have already begun and the market is seeing increased traction. For example, Armis Labs recently exposed BlueBorne, an attack vector that allows bad actors to take control of devices and networks and spread malware to nearby devices. The number of online how-to videos for Bluetooth hacking is growing quickly, enabling viewers to combine several tools to sniff, intercept and manipulate Bluetooth traffic.
Zigbee IoT devices
Present in smart alarm systems, lighting controls and other connected gadgets, Zigbee is one of the more popular wireless communication standards out there. It’s easy to find new tutorials online that teach users how to leverage SDRs to intercept Zigbee communication signals and replay them back to the IoT devices in order to gain physical or remote access. One project gaining traction is the Attify ZigBee Framework, which is a GUI wrapper for River Loop Security’s KillerBee tool. Users can easily sniff and capture packets from Zigbee devices and replay them to control the devices or steal sensitive information.
“Fobs” for garages, cars, etc.
This medium is already hitting critical mass. Because SDR tools can transmit as well as receive, attackers can jam a few of the messages from your fob to defeat rolling-code security, a method commonly used to prevent an attacker from simply recording your fob signal and playing it back. In several reports, an eight- to 12-digit “fob” device using rolling codes (common in garage doors and car fobs) can be brute force cracked in less than 12 seconds.
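To make the rolling-code mechanism referred to above concrete, here is an added illustration (not code from the original article) of a constructed counter-based fob/receiver pair in Python; the shared key, the 16-code look-ahead window and the 32-bit code length are assumptions chosen for the demo.

```python
import hmac
import hashlib

# Constructed demo key; a real fob and receiver share a secret provisioned at manufacture.
SHARED_KEY = b"demo-fob-key-0001"


def code_for(counter: int, key: bytes = SHARED_KEY) -> bytes:
    """Derive the over-the-air code for a counter value (HMAC truncated to 32 bits)."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class Fob:
    """Transmitter side: every button press advances the counter and emits a fresh code."""
    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.counter = 0

    def press(self) -> bytes:
        self.counter += 1
        return code_for(self.counter, self.key)


class Receiver:
    """Receiver side: a code is accepted only if it matches a counter strictly ahead of
    the last accepted one and inside a small look-ahead window (tolerates missed presses)."""
    def __init__(self, key: bytes = SHARED_KEY, window: int = 16):
        self.key = key
        self.window = window
        self.last_counter = 0

    def accept(self, code: bytes) -> bool:
        for c in range(self.last_counter + 1, self.last_counter + self.window + 1):
            if hmac.compare_digest(code_for(c, self.key), code):
                self.last_counter = c  # resync: every counter at or below c is now dead
                return True
        return False


def demo() -> tuple:
    """Walk through accept / replay / resync / stale cases; returns the four verdicts."""
    fob, rx = Fob(), Receiver()
    first = fob.press()
    opened = rx.accept(first)                   # fresh code: accepted
    replayed = rx.accept(first)                 # same code again: rejected, counter consumed
    skipped = [fob.press() for _ in range(3)]   # presses (counters 2-4) the receiver never heard
    resync = rx.accept(fob.press())             # counter 5 is inside the window: accepted
    stale = rx.accept(skipped[0])               # counter 2 is now below last accepted: rejected
    return opened, replayed, resync, stale
```

Note that the skipped codes (counters 2 to 4) would have been accepted at any point before counter 5 arrived: a transmitted code that never reached the receiver stays valid until a later one is accepted, which is the gap the jamming described above relies on and why stronger designs add a timestamp or a challenge-response exchange on top of the counter.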
Large area Machine-to-Machine (M2M) wireless networks
Not every machine needs 4K LTE connectivity. For example, smart electricity and water meters, connected health products and even washing machines are being connected wirelessly to low-power, long-range IoT/M2M networks from providers like SigFox. As a matter of fact, SigFox currently has coverage in 36 countries, providing connectivity for 660 million people. As more devices become connected to these kinds of expansive networks, attackers will surely be utilizing SDR attack tools to find and exploit new vulnerabilities.
Simply put, the commoditization of SDR attack tools is making wireless communications standards easier to crack for skilled hacking communities around the world. Awareness about SDR attack tools and the threat they pose is important for both consumers and suppliers of wireless products of all kinds, especially those listed above that present tempting and vulnerable targets.