From the Spring 2021 Issue

Radio Frequency Operations and Training From a Virtually Different Point of View

Rick Mellendick
Chief Security Officer | Process Improvement Achievers, LLC

Radio Frequency (RF) security, sometimes called wireless security, is much more than just WiFi. Over the past few years, there has been rapid growth in WiFi training courses, but very few that specialize in RF defensive and operational preparation.

The usable RF spectrum for data exfiltration is typically from around 10 MHz to near 12 GHz, not just the WiFi or Bluetooth portion of the spectrum, which is the 2.4 GHz and 5 GHz ranges. Full spectrum RF offensive and defensive training should be the process of learning how to actively evaluate the RF emissions from computing devices, infrastructure, phones, etc. This is a critical step in the offense and defense of RF security as a cyber capability. Testing and training should focus on replicating threats that are relevant to an organization’s IT environment, since information can leak anywhere within the entire RF spectrum. Such leakage is often unknown and invisible to an organization because its IT and security staff members are untrained or unpracticed in RF security.

It has been over 20 years since the release of WiFi. Since then, wireless training, and more importantly preparation for operations, has relied upon the organization’s internal RF infrastructure and rapidly and insecurely built RF labs (unless the budget is in the millions). However, in the last 7 years, with the growth of Software Defined Radio (SDR) and the release of the HackRF One by Great Scott Gadgets, the gap in RF security training has been deeply exacerbated. Red Teams, government agencies, security students, and researchers have typically been limited to shielded rooms or unrealistic low-powered testing labs. With the growth and increased utilization of RF signals, including WiFi, Bluetooth, handheld radios, security systems, Internet of Things (IoT), 4G, 5G, and other signaling protocols, there has been a strong need to virtualize this capability.

RF engineers, cybersecurity staff, IT staff, and red teams (we will call them RF Operators from here on out) that work in the IT and security fields typically have a weak spot in their training when it comes to the security around RF. Typically, this is due to the lack of effective training and correctly tuned lab space. They need to have the ability to understand at a deep level the defense necessary to protect their networks. As RF Operators, they need to understand the findings and recommendations that are presented from penetration testing, vulnerability testing, and red/purple team operations. The knowledge gained from practice and training allows for a level of proficiency that is necessary in this constantly growing field. RF Operators need to understand the concepts and basics of RF, including antenna theory, reasons to use different antennas, implementing the correct use of RF assessment/attack tools, how to work in hostile environments, and how to maintain a secure virtual RF lab and training area. RF Operators working in this field need to establish knowledge of newly developed tools, including both hardware and software, and learn how to reconfigure these on the fly. There is also a strong need to accurately identify a target, either a “loud talker” or a rogue device. RF Operators also need to effectively configure and protect their networks and secure the networks that they are monitoring.


Training and lab setups need to adapt to the changing RF environment. Any usable lab needs to have the capability to emulate and provide real-world scenarios and have effective outcomes based on actual testing. There needs to be a pre-deployment hands-on exercise at the conclusion of each testing session before any engagement or deployment. Training for RF offense and defense needs to include examples from wireless assessments, wireless quick plant detection, and real-world examples with a goal of locating and/or eliminating data-rich rogue RF devices and RF exfiltration capabilities. The goal of any RF security testing lab is to have the capability to run exercises and the ability to practice and train 24/7, to improve the operator’s capabilities. The configuration of these scenarios is very expensive, not just in hardware, but in time as well.

A typical problem with RF training and practice is that the RF Operators create too much non-realistic RF pollution. This added digital chaff inhibits their ability to practice completely and effectively. The reliability of lab RF emitting equipment is always in question due to potential degradation from age, use, maintenance, and abuse. Until now there was not an efficient or effective way to test an RF Operator’s knowledge of the RF environment at the end of training or practice, due to RF interference in the space, unless the lab was an RF quiet room or anechoic chamber separate from the lab. An anechoic chamber is a separate room or lab configured to absorb RF energy for the purpose of isolating the devices (both targets and operators’ devices) from the main RF lab’s surroundings.

The ability to emulate and replay RF signals through an assortment of tools like Universal Radio Hacker (URH), Signal Hound’s Spike, and GQRX, along with mac80211_hwsim, has been available for many years to RF Operators, but until recently there has not been a significant enough effort to get these tools into the mainstream. Today, RF Operators do not typically have a functional way to perform testing and planning in a dedicated RF environment.

The virtual RF lab that was developed for DefCon, as well as many other security conferences, by the RF Hackers Sanctuary (RFHS) is a solution the industry has been looking for to address the training and practice problems. The virtual RF lab gives RF Operators the flexibility to be presented with very specific scenarios, and solve, attack, or defend against them to meet training and exercise goals without unrealistic or unintended outside RF interference. The virtual RF lab is designed using mac80211_hwsim and ZMQ sockets at a kernel level, virtualizing both the Transmit (Tx) and Receive (Rx) signaling to provide a clean RF environment upon each login.


There are no antennas that can be bent or dropped, no radios to break or burn out, and no operating systems that need to be updated by the RF Operators in the virtual lab. This new concept of an “RF lab” therefore provides a stable, functional, and efficient training and lab environment. With this more efficient and streamlined lab experience, RF Operators have additional time for testing and training, which gives them more time working in the field.

Last year the Wireless Capture the Flag (WCTF) at DefCon 2020 was completely virtual using this RF lab. This showed the community at large a better use of this technology that will aid RF Operators, as well as people trying to learn the ever-changing technology in the usable RF signal space, without the huge budgets previously needed. This was, and still is, a completely free and open capability for anyone to learn and play with. Using this capability as a training mechanism can expand the capabilities of any security team.

The virtual RF lab can scale to thousands of concurrent users. In its current configuration, the virtual RF lab has a web front end for the team to choose which of three operating systems they want to use for RF Operations. The three operating systems to choose from are Kali, Parrot, and Pentoo. This choice can be customized based on need and is only limited by the container configurations that are built for it. There is a design in the works for a tiered session type as well:

  • Tier One: Individual users in individual work spaces used for individual training and testing
  • Tier Two: Individual pods of up to eight users in group work spaces, for team use and training
  • Tier Three: Multi-group full training in a single workspace, for exercising real-world scenarios

The tiered model will reduce the RF pollution on a per RF Operator basis when needed. The virtual RF lab provides full customization of RF challenges, and naming conventions to provide a safe training environment with no RF emissions. This new virtual RF lab concept has now proven to be a game changer for training, mission planning, new tool development, and practice!
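As an added example (not the article's or RFHS's own code), the following POSIX shell script builds the smallest version of the lab described above and of the Tier One isolation: two mac80211_hwsim radios, each moved into its own Linux network namespace so that an access-point workspace and a station workspace share nothing but the simulated medium. It assumes a Linux host with root, hostapd and wpa_supplicant installed and no other wlan interfaces; the SSID, passphrase and /tmp path are constructed values, and the ZMQ medium layer the article mentions is not reproduced.

```shell
# Added example, not the article's or RFHS's code: a two-radio mac80211_hwsim
# lab. Each virtual phy lives in its own network namespace, so frames between
# them cross only the simulated medium. Assumes Linux, root, hostapd, wpa_supplicant.
set -e
LAB=${LAB:-/tmp/vrf-lab}            # constructed working directory
SSID=${SSID:-vrf-lab}               # constructed SSID for the exercise
PSK=${PSK:-TrainingOnly12345}       # constructed WPA2 passphrase (8-63 chars)
# Render a WPA2-PSK hostapd config for the AP radio on 2.4 GHz channel 6.
ap_conf() {
    cat <<EOF
interface=$1
driver=nl80211
ssid=$SSID
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=$PSK
rsn_pairwise=CCMP
EOF
}
# Render the matching wpa_supplicant config for the station radio.
sta_conf() {
    printf 'network={\n  ssid="%s"\n  psk="%s"\n  key_mgmt=WPA-PSK\n}\n' "$SSID" "$PSK"
}
# Load two simulated radios (wlan0/wlan1 when no real wlan exists), isolate
# them, start AP and station, then print the station's link state:
# "Connected to <AP MAC>" means the association crossed the virtual medium.
lab_up() {
    modprobe mac80211_hwsim radios=2
    mkdir -p "$LAB"
    ap_conf wlan0 > "$LAB/ap.conf"
    sta_conf > "$LAB/sta.conf"
    ip netns add ap && ip netns add sta
    iw phy phy0 set netns name ap     # hwsim radio 0 -> AP workspace
    iw phy phy1 set netns name sta    # hwsim radio 1 -> station workspace
    ip netns exec ap hostapd -B "$LAB/ap.conf"
    ip netns exec sta wpa_supplicant -B -i wlan1 -c "$LAB/sta.conf"
    sleep 3
    ip netns exec sta iw dev wlan1 link
}
# Tear down namespaces and unload the simulator; safe to re-run.
lab_down() {
    for ns in ap sta; do ip netns del "$ns" 2>/dev/null || true; done
    rmmod mac80211_hwsim 2>/dev/null || true
}
case "${1:-}" in up) lab_up ;; down) lab_down ;; esac
```

Run as `sh vrf-lab.sh up` to bring the lab up and `sh vrf-lab.sh down` to remove it; adding more radios and namespaces gives each operator in a pod their own isolated workspace.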

In order to become more proficient in RF and cyber defense and operations, an RF engineer has to understand a few general concepts. There are RF sources in and around the network other than WiFi that can be a threat. Physical lab training is complex and expensive. Virtual lab training is simpler and cheaper. The problem isn’t that there aren’t enough capable people in security; the issue is that the training that currently is occurring for RF Operators is mostly antiquated and stuck in the late 1990s. The answer to this complex problem is that virtual RF training must be combined with physical RF training. Alternatively, something like RFaaS (Radio Frequency as a Service) might be a better answer. Maybe this is the “something else” that comes out of this current work-from-home situation other than video conference calls and working with your dog.

