From the Summer 2014 Issue

Stalking Prey: An RF Hacker’s Perspective

Rick Mellendick
Chief Security Officer | PIAchievers

  •  
  •  
  •  
  •  
  •  
  •  

Nearly everyone has an RF signature, and it is becoming as common as your fingerprint. This signature is the culmination of device and device usage such as:

  • Your cell phone’s frequency
  • Names of the networks you connect to with yourdevices
  • Bluetooth devices and the connections to andfrom them
  • Your device or devices (e.g., laptop, phone, keyfob, garage door opener, home security system)

Have you ever attached to the free WiFi at your local coffee shop or bagel store? If so, an attacker can use your RF signature to track you and attack you when you sit down in these seemingly benign locations. Here is how it is done. By default, most devices will automatically connect to a network that it has previously attached to if the device is within range of the signal. This is done for your convenience, and an attacker knows this. In this scenario, your device will establish a connection with the free WiFi access point (AP). An attacker can visit that same coffee shop and set up a rouge AP with an identical name as the free WiFi AP, but with a stronger signal. You come in for your cup of Joe and your device will connect to the rouge AP instead of connecting to the coffee shop. The attacker then has full control of your Internet connection and can in many cases monitor and alter all of your Internet traffic. This is an example of a Man-in-the-Middle (MITM) attack.

The way a laptop or wireless device determines that a previously connected to network is within range is through a probe request. A probe request is similar to the pool game called Marco Polo. A device’s radio is constantly calling out Marco, which is being used in this analogy to represent a previous connection. When something with that name is within range of the probing device, it responds back with Polo, which is being used to represent a wireless AP.

By knowing and understanding the tactics employed by an attacker, it is easier to digitally defend yourself. 

 The cost of the equipment to create an MITM attack used to be expensive. However, now with advances in technology, an MITM attack is extremely inexpensive to create. The computing power needed for these attacks can be done utilizing an embedded system (e.g., raspberry pi or beaglebone) for around $45. The cost for a wireless radio begins at $10 and goes up from there. In fact the most effective WiFi radio in use for an MITM attack sells for just under $15 and is sold in most common electronics stores. For other RF signals of interest (e.g., cell phones, key fobs, pagers) software defined radio (SDR) is needed. The capability found in today’s SDR used to cost upwards of $50K. An SDR that can be used to intercept the signal from your cell phone can be purchased for under $20. Most software used in MITM attacks is free and open source. For less than $100 an attacker can steal your data and take control of your communications.

By knowing and understanding the tactics employed by an attacker, it is easier to digitally defend yourself. The six steps listed below will help you protect your own personal RF signature.

Step 1: Turn off auto join networks. This is a setting that is on most all smartphone operating systems and computer operating systems.

Step 2: Change the way you do your work when you are in a public place. Use your smart phone’s wired tethering capability to give your computer an Internet connection.

Step 3: If you must connect to free public WiFi find one that offers an encrypted connection. An encrypted connection will make the attack more difficult.

Step 4: Turn off Bluetooth when not in use.

Step 5: Turn off your device’s WiFi connection when not in use. This eliminates unnecessary probe requests.

Step 6: Look at people in the coffee shop before connecting to public WiFi. Is anyone sitting near a wall outlet with things plugged into their computer that doesn’t quite look right, such as small devices with blinking lights, lots of cables, or antennas connected to their computer? If so, you might want to think twice about connecting to the public WiFi.

Don’t be the easy target or the low hanging fruit. This will go a long way to securing you as your digital fingerprint stays with you through life.

Leave a Comment