Radio frequency: An invisible espionage threat to enterprises

You can’t see it, but corporate airspaces are under attack via radio frequencies.

Foreign governments, competitors and cyber criminals are all conducting radio-based attacks on enterprises. These sophisticated attacks use compromised RF devices as their entry points. Cell phones, wearables, health performance monitors and IoT infrastructure devices all offer new and unmonitored threat surfaces to launch attacks in order to gain access to company networks and secrets.

The cybersecurity industry has seen an increase in enterprise attacks that originate from vulnerable RF devices. Between attacks on unmanageable devices, IoT devices that are more vulnerable than corporate-managed computers, and IoT security breaches, RF espionage is a growing concern for enterprises, but the concern still lags behind the threat.

Enterprises are vulnerable

According to Ericsson, there are more than 22 billion connected devices on the planet and 15 billion of them have radios – making them potential targets for RF espionage. In the industrial IoT world, Ericsson predicts that 3.5 billion IoT devices will have cellular connections by 2023. The U.S. government is very concerned about RF espionage as it is largely invisible and because attackers such as Russia, China and others are very sophisticated when it comes to using RF techniques.

The government has already accepted the threat of RF espionage: it now wants to know every transmitting device in its facilities and what those devices are doing. Further, government facilities with valuable secrets have policies that exclude RF devices to keep the threats at bay.

While the government has been proactive in addressing RF threats, enterprises have been slow to recognize the risks even though it’s now clear that nation-states are also attacking enterprises to steal commercial and technical information, just as they have done with national secrets in the past.

Radio frequency threats

Widespread adoption of devices using Bluetooth, BLE, and IoT protocols is fairly recent and, as a result, security teams are still untrained and don’t have adequate tools to mitigate the risks posed by computing devices that often have multiple RF capabilities. For example, IoT infrastructure devices such as HVAC controllers have a hardwired Ethernet connection, plus Bluetooth, Zigbee and Z-Wave enabled, often “protected” by default login usernames and passwords.

Recent radio-based device vulnerabilities include SweynTooth, the Philips Hue Zigbee Worm vulnerability, BleedingBit, BlueBorne, MouseJack, and KeySniffer. These affect billions of devices and are just the start, underscoring how immature security is for radio frequency protocols.

As a result, it’s important for CISOs to understand their RF attack surface in order to maintain a secure perimeter.

The SweynTooth vulnerabilities publicized in early 2020 are particularly troublesome because it’s hard to locate all the devices in a corporate environment that use BLE. When BLE devices pair with another device, they stop advertising their existence. This means that most BLE devices are invisible in corporate networks.

The SweynTooth vulnerabilities allow attackers to use radio signals to bypass security and take control of or shut down BLE devices. Once the attackers have a compromised device inside a corporate network, they can use it as a beachhead to attack other systems and extract confidential data. Further, devices can be compromised outside the network without their users' knowledge and then be carried in on their wrists or in their ears.

How can organizations protect their most sensitive data from radio frequency threats?

Organizations should first find out what devices are operating in their radio space and whether that traffic is encrypted or not. CISOs need to consider solutions that can detect and accurately locate individual cellular devices in addition to providing accurate locations for the more common Wi-Fi, Zigbee, Bluetooth and BLE-based devices.

Of particular importance for enterprises is that they deploy a solution that detects devices in the corporate airspace in real-time, 24×7, not just with a one-off security sweep. From there, security teams need to consider how a solution can help identify which devices in their facilities (both on and off networks) are susceptible to an RF attack, and of course how to integrate this with the rest of their existing security infrastructure.
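The reconciliation step described above can be sketched as follows. This is an added example, not code from the article or from any RF monitoring product: the sighting record format, the device identifiers and the sample data are all constructed assumptions. It flags transmitters missing from the asset inventory, devices seen sending cleartext, and the devices that a single one-hour sweep would never have heard.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Sighting:
    ts: datetime      # when a sensor heard the transmitter
    protocol: str     # "ble", "zigbee", "wifi", "cellular"
    device_id: str    # radio identifier as reported by the (hypothetical) sensor
    encrypted: bool   # whether the observed traffic was encrypted

def t(hhmm):
    """Constructed timestamps all fall on one sample day."""
    return datetime.strptime("2020-06-01 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample data: asset inventory and one day of sensor sightings.
INVENTORY = {"zigbee:hvac-01", "wifi:laptop-17"}
SIGHTINGS = [
    Sighting(t("08:55"), "ble", "ble:wearable-x", True),  # advertises, then pairs and goes quiet
    Sighting(t("09:00"), "wifi", "wifi:laptop-17", True),
    Sighting(t("10:15"), "zigbee", "zigbee:hvac-01", False),
    Sighting(t("10:20"), "wifi", "wifi:laptop-17", True),
    Sighting(t("13:10"), "cellular", "cell:unknown-1", True),
    Sighting(t("13:40"), "cellular", "cell:unknown-1", True),
    Sighting(t("16:05"), "zigbee", "zigbee:hvac-01", False),
]

def airspace_report(sightings, inventory):
    """Per-device summary: first/last seen, inventory status, any cleartext traffic."""
    report = {}
    for s in sorted(sightings, key=lambda s: s.ts):
        entry = report.setdefault(s.device_id, {
            "protocol": s.protocol, "first_seen": s.ts, "last_seen": s.ts,
            "in_inventory": s.device_id in inventory, "cleartext": False})
        entry["last_seen"] = s.ts
        entry["cleartext"] = entry["cleartext"] or not s.encrypted
    return report

def seen_in_sweep(sightings, start, duration):
    """Devices a one-off sweep would catch in [start, start + duration)."""
    return {s.device_id for s in sightings if start <= s.ts < start + duration}

def findings(sightings, inventory, sweep_start, sweep_len):
    """Devices needing follow-up, and which devices a single sweep would miss."""
    report = airspace_report(sightings, inventory)
    swept = seen_in_sweep(sightings, sweep_start, sweep_len)
    return {
        "unknown": sorted(d for d, e in report.items() if not e["in_inventory"]),
        "cleartext": sorted(d for d, e in report.items() if e["cleartext"]),
        "missed_by_sweep": sorted(set(report) - swept),
    }

if __name__ == "__main__":
    print(findings(SIGHTINGS, INVENTORY, t("10:00"), timedelta(hours=1)))
```

In the constructed data, both unmanaged transmitters fall outside the 10:00 sweep window, which is the gap continuous monitoring closes.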

Enterprises are inescapably reliant on wireless protocols. Many organizations are not yet considering the RF activities in their corporate airspace because they’re assuming that all radio traffic is encrypted. It’s still common to find radio protocols running “in the clear” (unencrypted) or with common or reused key identifiers that facilitate easy decryption. That means that not only can an RF attacker listen to an enterprise’s traffic, they can also send their own instructions to force devices to “misbehave”. The range of a radio attack can reach as far as a mile and is limited only by how much the attacker is prepared to spend on antennas and amplifiers.

Protecting your business

As cyberattacks become more sophisticated, CISOs and security teams need to proactively adopt RF solutions and integrate platforms into their existing infrastructure to thwart RF attacks. RF security solutions that can accurately locate known and unknown devices will protect enterprise data and corporate airspaces from RF espionage threats.

All organizations want to protect their company secrets from competitors, cybercriminals and from technical espionage by foreign governments. Many have spent fortunes locking down 200 Mbps of traffic going in and out of their facilities over internet connections. Isn’t it time now for CISOs to start watching the 5 Gbps which are leaving their facilities vulnerable over unmonitored and unchecked radio waves?

