Oh the fun you’ll have with RF in the Enterprise


Customers often come to us with requests for security tests around all manner of different software, networks, widgets and so on. While we do a lot of testing around 802.11 WiFi, Bluetooth and RFID, we also test a lot of wireless protocols that you might not be aware of, but quite possibly have floating around your network. Let's take a look at what you might have floating around your office, how to find it and what to do about it.

For all the long range systems we can survey for these devices at the same time as an 802.11 wireless survey at no extra cost. For lower powered devices such as those using dedicated short range integrated circuits, we can take a look at the specific devices up close and personal for a little extra.

Z-Wave, LightwaveRF and ZigBee

By far the three most common home automation technologies we see on customer sites are Z-Wave, LightwaveRF and ZigBee. Most of the time we see these in customer-facing areas such as showrooms or meeting rooms. Got a funky Philips Hue light? You're using ZigBee. Have a complex meeting room system using scenes to control lighting and blinds? If it was expensive it's possibly Z-Wave. If it was cheap, it was probably LightwaveRF.


Where you’ll find them

All of these technologies connect sensors and actuators to network control via some sort of RF hub device connected to a network either over a standard Ethernet socket or over 802.11 Wifi. Find the hub on your network and you’ll find out what you have.

What you need to know

These technologies, when implemented properly and with limited scope are reasonably safe. However, most of the technologies are designed for home rather than business use, and are often open to abuse.

From probing Z-Wave networks with status check requests to compromising LightwaveRF systems and replay attacks against ZigBee, the impact of compromising these protocols is largely dependent on the applications in which they're used and how they interact with systems on your main networks.

What to do

If you can, make sure the hubs are isolated on a dedicated network or VLAN. Bear in mind that some of these hubs connect to the cloud, thus reporting on activity ongoing in the areas the systems are deployed. If you’re doing sensitive work and don’t want anyone to know when people are in or out of the facility, you might want to rethink those fancy IoT lights.

Above all, just make sure you’re not using them for anything sensitive such as locking doors or running professional fire safety systems through them.

BluetoothLE/iBeacon

BluetoothLE is a low-power protocol related to Bluetooth really only in name. The most common application for BluetoothLE is for use in tagging, where beacon tags advertise or respond to inquiries. Bluetooth has specific use cases in marketing, tracking and in logistics.

Smeaton Tower, the first Eddystone Lighthouse. Used to warn people away.

Where you’ll find them

Retail for tracking customers, logistics for tracking goods and shipments, physical access systems.

What you need to know

There are no fewer than three BluetoothLE beacon device standards that we commonly see (Apple's iBeacon, Google's Eddystone and Nordic Semiconductor's Smart Beacon), each with its benefits and drawbacks. The main thing is how they're used. As relatively dumb devices, it's fairly easy to impersonate the basic functionality of an iBeacon or Eddystone, and with a bit of work and some low-level electronics knowledge, our team have done unspeakable things to and with Nordic Semiconductor chips too. If your application uses BluetoothLE as the equivalent of a QR code with some minor tracking, then you're probably fine. If your systems are taking action as a result of basic Bluetooth LE functionality, then it's worth looking into.
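To see why a beacon is so easy to impersonate, it helps to look at what it actually broadcasts: an iBeacon or Eddystone frame is just a few unauthenticated bytes in a BLE advertisement. The decoder below is an added example (not code from the original post or from any of the beacon vendors) that parses constructed iBeacon and Eddystone-URL advertisements; it is the sort of thing you would run over a BLE scanner's output to inventory the beacons around a site and check what your systems are trusting.

```python
import struct

# Constructed sample advertising payloads (not captured from a real device).
IBEACON_ADV = bytes.fromhex(
    "020106"                                   # flags AD structure
    "1aff4c000215" + bytes(range(16)).hex()    # manufacturer data: Apple 0x004C, subtype 0x02, len 0x15, UUID
    + "00010002c5"                             # major=1, minor=2, measured power=-59 dBm
)
EDDYSTONE_URL_ADV = bytes.fromhex(
    "020106" "0303aafe"                        # flags, 16-bit service UUID list containing 0xFEAA
    "0e16aafe10e703" + b"example".hex() + "07" # service data: URL frame, tx=-25 dBm, "https://" "example" ".com"
)

URL_SCHEMES = ["http://www.", "https://www.", "http://", "https://"]
URL_EXPANSIONS = [".com/", ".org/", ".edu/", ".net/", ".info/", ".biz/", ".gov/",
                  ".com", ".org", ".edu", ".net", ".info", ".biz", ".gov"]

def ad_structures(adv):
    """Split a raw BLE advertising payload into (AD type, data) pairs."""
    out, i = [], 0
    while i < len(adv) and adv[i]:
        length = adv[i]
        out.append((adv[i + 1], adv[i + 2:i + 1 + length]))
        i += 1 + length
    return out

def decode_eddystone_url(body):
    """Expand the compressed Eddystone-URL body (scheme byte + text/expansion codes)."""
    url = URL_SCHEMES[body[0]]
    for b in body[1:]:
        url += URL_EXPANSIONS[b] if b < len(URL_EXPANSIONS) else chr(b)
    return url

def classify_beacon(adv):
    """Return a dict describing an iBeacon or Eddystone frame, or None if neither."""
    for ad_type, data in ad_structures(adv):
        # iBeacon: manufacturer-specific data, Apple company ID, subtype 0x02, payload length 0x15
        if ad_type == 0xFF and len(data) == 25 and data[:4] == b"\x4c\x00\x02\x15":
            uuid, major, minor, tx = struct.unpack(">16sHHb", data[4:])
            return {"kind": "iBeacon", "uuid": uuid.hex(), "major": major,
                    "minor": minor, "tx_power": tx}
        # Eddystone: service data for UUID 0xFEAA; first payload byte is the frame type
        if ad_type == 0x16 and data[:2] == b"\xaa\xfe":
            frame, tx = data[2], struct.unpack("b", data[3:4])[0]
            if frame == 0x00:
                return {"kind": "Eddystone-UID", "tx_power": tx,
                        "namespace": data[4:14].hex(), "instance": data[14:20].hex()}
            if frame == 0x10:
                return {"kind": "Eddystone-URL", "tx_power": tx,
                        "url": decode_eddystone_url(data[4:])}
            return {"kind": "Eddystone-0x%02x" % frame}
    return None
```

Nothing in either frame ties the bytes to a particular piece of hardware, which is why any system that opens a door or logs a delivery on the strength of a matching UUID needs a second factor behind it.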

What to do

Bluetooth LE is typically used as part of a set of devices, sometimes referred to as a fleet. A dedicated controller will normally orchestrate the fleet, usually connected to an internal network. While there are no known public exploits against these internal systems from the BluetoothLE side, it’s important to understand the context in which these systems are used and the implications, particularly if actions are taken when the beacons are activated, opening doors for example in access control systems, or tracking products being passed through a shipping facility.

Nordic NRF24L01+ and Chipcon/Texas Instruments CC2500

Those names just roll off the tongue, don’t they? While they’re probably not chips you’ve heard of, you’ll almost certainly have one in your office or at home. Most commonly these chips are used in wireless keyboards, mice, sensor networks, thermostats and security systems.

NRF24L01+, not to be confused with the similar-looking ESP8266 ESP-01

What you need to know

The NRF24L01+ and CC2500 use frequencies overlapping to some extent with the 2.4GHz range commonly used in WiFi networks. If you have a wireless keyboard or mouse that uses a non-Bluetooth dongle and occasionally suffers lost keys in areas with strong WiFi signal, chances are one of these chips is the culprit.

By default, neither the NRF24L01 nor the CC2500 encrypts in hardware. That's correct: your keystrokes are probably going unencrypted over the air at this point. Some vendors (most notably Microsoft) have put encryption into their software stack, but this is often poorly implemented, as messages often need to be sent multiple times in order to deal with contention in the 2.4GHz spectrum, limiting communications options.

What to do

Thankfully these chips are typically used in low powered environments and the security aspects are dependent upon the device’s use and purpose. If you have a keyboard with one of these chips it’d be best to replace it. If on the other hand you’re deploying a medical system using a CC2500 for communication with implanted patient systems, you might want to get it looked at in more detail first.

433, 868 and 915MHz Networks

A wide variety of chips exist for implementing wireless networks on the above frequencies. As 915MHz tends to clash with GSM, devices using this range are rare in the UK, but 433MHz and 868MHz devices are incredibly common, being found in everything from heating systems to garage door openers. Some of the more common chips we find using these frequencies include the HopeRF RFM12B and RFM69, TI's CC1100 and countless others from major and minor vendors.

The picture below is from some fun I had with the RFM69HW. The RFM69HW is the tiny little green board under the relatively small Arduino Pro Mini I was using to drive it.

Your humble author doing devious things with an RFM69HW (below the Arduino Pro Mini)

What you need to know

Each of these modules will have what's called a datasheet. Being able to read the datasheet will tell you a lot about how the chip is interfaced with the rest of the system and its capabilities. For example, the CC1100 doesn't do hardware encryption, while the RFM69 does AES-128 (albeit in a flawed manner, but that's probably best saved for another blog post).

What to do

Firstly, you need to identify the chips used and their configurations. Ideally the vendor should be able to provide you with or point you at the datasheet. If you can’t get any information we may be able to help you. Once you can understand the datasheet, you’ll usually be able to determine your assurance requirements. Of course, if this is all uncharted water or you’d like the experts to take a look, feel free to contact us for a no-obligation appraisal of your system.

Just remember, when you're looking at wireless there's so much more out there than 802.11 WiFi and Bluetooth to consider. We're always happy to have a free, no-obligation chat about any hardware or RF concerns you may have, so get in touch.
