Welcome back, my aspiring radio hackers!
With the advent of inexpensive radio devices such as the RTL-SDR, HackRF, LimeSDR and bladeRF, the possibility of hacking radio frequency (RF) communication and control devices has been blown wide open to anyone in the cybersecurity/infosec field. Although not commonly included in penetration tests, radio hacks should be considered as they are presently one of the most overlooked entry points to the network and systems.
Attack methods
Unlike traditional web-based attacks, radio attacks begin with the attacker intervening in the radio channel, then connecting to that channel and exerting control over it. Once that control is established, it can be used to penetrate deeper into the network or system. For instance, SCADA/ICS systems often use radio communications to reach their remote terminal units (RTUs) and other stations, because physical wiring is impractical over hundreds of acres or miles (km). The attacker may first intercept and control the communication between remote terminals and then work back to the server or PLCs. In more traditional security systems, the attacker can use the interception of cellphone traffic to eavesdrop on conversations and break text-based 2FA. Intercepting pager traffic that carries unencrypted emails can be used for phishing and other targeted attacks.
1. Sniffing
The simplest attack methodology, and the one most often used before the attacks that follow, is sniffing the traffic. This uses an SDR device that is capable of operating at the same frequency as the target. In this way, the attacker can study and learn the principles of the radio system and identify key instructions in the data stream. Of course, if the data is unencrypted, the attacker can also eavesdrop on the traffic.
2. Replay
Many radio communications do not have a replay-proof mechanism (e.g. timestamps, counters or randomization). In such cases, the attacker can capture and copy the transmission and then replay it to the target system. This may work on such systems as car doors, garage doors, household switches and others.
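To make the "replay-proof mechanism" concrete from the receiver's side, here is an added example (not from the original post, not any real product's protocol) that contrasts a naive receiver, which accepts any authentic-looking frame, with one that also requires a strictly increasing counter; the key, frame layout and command values are constructed assumptions.

```python
import hmac
import hashlib

# Constructed demo key; a real system provisions a per-device secret.
KEY = b"demo-shared-key"
TAG_LEN = 32  # HMAC-SHA256 digest length

def build_frame(counter: int, command: bytes, key: bytes = KEY) -> bytes:
    """Transmitter side: 4-byte big-endian counter || command || HMAC tag."""
    body = counter.to_bytes(4, "big") + command
    return body + hmac.new(key, body, hashlib.sha256).digest()

def _verify_tag(frame: bytes, key: bytes):
    """Return the authenticated body, or None if the tag is wrong/short."""
    if len(frame) < 4 + TAG_LEN:
        return None
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return body if hmac.compare_digest(tag, expected) else None

class NaiveReceiver:
    """Checks only the tag: a captured frame is accepted again and again."""
    def __init__(self, key: bytes = KEY):
        self.key = key

    def accept(self, frame: bytes) -> bool:
        return _verify_tag(frame, self.key) is not None

class CounterReceiver:
    """Checks the tag AND rejects any counter not above the last accepted one,
    so a recorded frame cannot be replayed (reordered stale frames fail too)."""
    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last_counter = -1

    def accept(self, frame: bytes) -> bool:
        body = _verify_tag(frame, self.key)
        if body is None:
            return False  # forged or corrupted frame
        counter = int.from_bytes(body[:4], "big")
        if counter <= self.last_counter:
            return False  # replayed frame: counter already used
        self.last_counter = counter
        return True

def demo():
    """Send OPEN(1), replay it, send OPEN(2), replay OPEN(1) again."""
    frames = [build_frame(1, b"OPEN"), build_frame(1, b"OPEN"),
              build_frame(2, b"OPEN"), build_frame(1, b"OPEN")]
    naive, hardened = NaiveReceiver(), CounterReceiver()
    return ([naive.accept(f) for f in frames],
            [hardened.accept(f) for f in frames])
```

Running `demo()` shows the naive receiver opening on every replay while the counter-checking receiver accepts only the two genuinely new frames.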
3. Signal deception
In some cases, the attacker can learn the critical packet structure, keys and verification method needed to control the target. This may include spoofing, where the attacker sends a fake but valid signal to the target.
4. Signal Hijacking and Denial of Service
The attacker may block the target's network using a signal interference device or pull the target onto a fake network. In this way, they can carry out attacks by hijacking upstream and downstream traffic. This might include blocking a 4G cellular network to force the target onto a 2G network where the traffic can be intercepted and eavesdropped. Hijacking can also involve such devices as a femtocell or Stingray.
Summary
Software Defined Radio is a flexible system that offers the options of operating with different wireless communication technologies without having to buy specific hardware and software for each.
In this series, we will be examining each of these attack methods against radio communications using inexpensive SDR hardware and free and open source software such as GNU Radio, HDSDR or SDR+. SDR for Hackers is the leading edge of information security/cybersecurity, and Hackers-Arise is the only place to study this field.