
Physical Security & Cybersecurity Overlap: Radio Waves and RF Attacks

BSidesROC · 2024 · 26:31 · 264 views · Published 2025-03
About this talk
Michael Weiskopff explores how physical and cyber security intersect through radio frequency exploitation. The talk covers SDR hardware for intercepting unencrypted signals (ship AIS, aircraft ADS-B), wireless network attacks, and RF-based access control bypass techniques using tools like the Flipper Zero, concluding with defenses and the importance of logging and auditing across both domains.
If you look at security like a Venn diagram, you will notice that several aspects of security overlap. So the question is, how does physical security overlap with cybersecurity? Here we will discuss one of the ways this can happen: through radio waves.
Transcript [en]

Good afternoon. My name is Michael Weiskopff. I work for DC3, that's the Department of Defense Cyber Crime Center. Specifically I work for DCISE, that's an even longer acronym, the Department of Defense Defense Industrial Base Collaborative Information Sharing Environment. Bottom line up front is, we help DIB companies, defense industrial base companies, secure the data that we give them, CUI. So that's basically where I work from. On top of that I also work for UA University; I teach cybersecurity for them, undergrad and graduate courses.

So the idea here is we're going to take a top-level look at where physical security and cybersecurity overlap. For the folks in the room who are penetration testers, this is to help you add more tools to your toolbox as you go out and do pen testing. For the network defenders, this is something to be on the lookout for as you try to secure your environment. So let's get started.

Every good DoD brief will have an agenda, so we'll go through these items quickly. A little bit more about me: obviously I've got a bunch of stuff up there, but I'm going to talk about three things that aren't up there. The first one is really before I even started

college. Around '94, '95, I was 14, 15 years old, and I was going with my brother to college because he was a lab monitor. The internet was just starting out, it wasn't commercialized yet, and I wanted to go with him to the lab to surf the web, surf the internet. I was also into gaming back then. I did have a Nintendo, but obviously computer games are way better than console games. So I went to the lab, hung out, surfed the web, and then I got this wild idea: I wonder if I can play video games on these things.

Of course they were 486s, DOS 6.22, Windows 3.11, Windows for Workgroups, and the problem was they had everything locked down. I tried to drop out of Windows and it wouldn't let me. So I figured, let's see if I can boot off a floppy and disable the security software that was in the autoexec.bat file. I tried that and it didn't work; they had locked down the boot loader so you can't select different media to boot from. So I said, okay, let's go back one step further. I dropped myself into the BIOS, and they had never password protected it. So I set it up so I could boot off any media, popped in my floppy, got into the autoexec.bat file, commented out, REMed out, the line that started the security software, pulled out the floppy, rebooted, and that allowed me to drop into DOS. I got Doom installed, so I could now play Doom 2, which I couldn't do at home because I didn't have a 486 computer.

Fast forward to while I was going to school here at RIT. I think it was my freshman year, might have been sophomore year, somewhere around there. I get back to my room and all of

a sudden the internet doesn't work anymore, and I'm like, crap, what's going on? So I go to ResNet and I'm talking to those folks: what's going on with my internet? They look it up: oh, you've got to go talk to the ombudsman's office. I'm like, whoa, what did I do? So I go to the ombudsman's office and talk to them, and it's like, oh yeah, some company called saying there was scanning on their network from your IP, so we had to disable it to figure out what's going on. Well, at the time I was trying out this new spiffy software called nmap. So yeah, it didn't go well with the folks at RIT, but I asked: is this illegal? Well, not really. Is it against any policy? Not really. Well then, what did I do wrong? Well, the company complained, so therefore we've got to stop you. I'm like, look, fine, I'm here to get a degree, not go to jail, so let's comply, right?

So fast forward to now. What I do with DCISE and the DIB is help them secure CUI by providing services to them. We have a network monitoring solution called DCISE cubed. We have CRAs, where we're looking at the cybersecurity posture of the company, and we take a look at that and figure out where they're at to help them figure out where they need to go. And then lastly I have my adversary emulation team. We collect a lot of cyber threat information within DCISE, from the government and from industry, and I can take the TTPs, the tactics, techniques and procedures, from that and do threat-informed pen testing. I'm not just going off a playbook. I'm looking at the contracts those companies have, I'm looking at the technologies they're developing, I find the adversary that's most likely to target that, and I adapt my playbook so that it adopts some of those TTPs from that adversary, so it looks like I'm the bad guy when I'm attacking them. So in a nutshell, that's what I'm doing now, more specifically at least, and how that plays into my past history of being somewhat of a delinquent.

So, I don't know if anybody's seen this before. This is going to put into perspective what I mean by cybersecurity and physical security combined. Now watch the

[Applause] car. So in a nutshell, what's going on here is the kid with the antenna. It's a replay attack. He's got some device in the backpack, some sort of digital receiver/transceiver, and the antenna. The owner has the keys on the wall inside the house, and he's basically rebroadcasting the signal from the key fob to the car, and off they go to the races, quite literally. Physical security, cybersecurity: it falls in both realms. So the goal here is to look at that and say, well yeah, I'm a cybersecurity professional, and I might think of this as physical security, but a piece of this falls in our realm as well.

With all these examples, the big thing is that it falls within this whole idea of the radio frequency spectrum. Radio is what makes this work, right? We're transmitting data over radio, and that allows us to be in different physical locations and grab that, and due to the nature of radio waves you've got to be in close proximity to the location. That adds the physical piece to it.

So the first piece I'm going to talk about is civilian communications. Now, when you think cyber, you're thinking I've got to be able to hook my computer to it and pull

data off of it. That's not always the case. There are a lot of different things out there that transmit data that don't require a computer. Radio is one of them. Can you collect information from voice communications from radio? Absolutely. Now, that paradigm is starting to shift a little bit. The radio down here, the little black and green one, that's a Garmin Rino. Those were banned when I was deployed to Iraq, because there was a GPS built in that, when you keyed up, showed your location to everybody on the same radio, but it wasn't secure. So who else had location data of all the troops? The adversary. So they are getting more sophisticated radio technology. The T800 over here, you can connect that to your phone via Bluetooth and then transmit data that way as well. Again, insecure; you're able to collect on it.

So from a communications perspective, if you're trying to communicate by voice within the different areas of your business, you've got to be cognizant of the fact that you're transmitting in the clear. There are a lot of civilian technologies out there, between Family Radio Service, or FRS, and General Mobile Radio Service, or GMRS. Those can all be used by your business, but as soon as you key up you're going to be transmitting in the clear. There's a lot of other stuff out there you'll see in amateur radio as well that isn't necessarily used by businesses, but the same as you've got shadow IT, there's shadow communication: somebody might think, well, I need to get this done, and how can I get it done, and here's a way around that. So there are a lot of ham radio capabilities out there as well that can transmit data that you can collect on.

So how do you secure your comms as a civilian? There are a bunch of different technologies out there. They don't necessarily secure your comms; they kind of advertise like they do, but they don't really. CTCSS codes don't actually prevent people from listening to your conversations; they

prevent your radio from hearing everybody else's conversations. So it's really not a privacy capability. I mean, it is if other people turn it on, but as soon as you turn it off you get to hear everything. So those things aren't really going to secure you at all. Trunking adds an extra layer of knowledge that you need to know, but again you're transmitting audio in the clear. That means that as long as somebody knows how the system works, they can pull your data, your information, off of that radio signal. Yes sir?

[Audience member:] I was going to say, this is why cell phones are now digital and encrypting, because back in the early '90s all you needed was an amateur radio or something else to talk to other cell phone users.

Yep. Actually I'm going to be covering that a little bit too here coming up. So digital voice, again, makes it impossible to hear the conversation with an analog radio, but as long as you've got a digital radio you have all the information you need to actually listen in on the conversation. The last pieces there are frequency hopping and encryption. Frequency hopping is really meant to prevent jamming, but it also helps to secure your comms, because you've got to know what frequencies you're hopping to in order to listen in. And then the last piece is encryption. The problem with both of those is the cost of entry for businesses to be able to get that, because it requires special licensing and special radios. So you've gone from this $20 radio at Walmart that lets you do what you want to do but is insecure, to a several-thousand-dollar radio that keeps things secure but is now really expensive. And then the picture on the side here is actually a crypto device that the military uses to encrypt their radios. It stores crypto in such a fashion that should it ever be tampered with, it destroys the crypto that's on it.

So, to what this gentleman was

bringing up here: how do we listen in to those radio signals? I don't need a similar radio to listen in. I can have what they call an SDR, or software defined radio, just a little dongle, costs you like 30, 40 bucks from Amazon. Hook it up to your computer, download some open source software, connect it, and now you can listen to everything. If it's analog you don't even need special software to listen to it. If it's digital, or you're doing trunking or something like that, you might need specialized software, but once it's configured you don't really have to worry about it, you just listen in. So this type of hardware is out there and it's really cheap. The other stuff is going to be expensive, and even the one down there in the lower left, the blue one, that's actually self-contained. That's a HackRF PortaPack. Everything you need to hack RF signals is actually built within that little package; you don't need a computer to do anything else. The RTL-SDR, the SDRplay and the Airspy, those you need a computer to plug into, so obviously a little bit more cost intensive, needing the extra hardware, but it does what you need it to do.

The other possibility here too is amateur radio. You can go out there and buy radios that are meant for amateur radio bands, but a lot of them are modifiable to not just receive but transmit on other frequencies as well. So you can mod them; you can either do it yourself, or you can pay stores to do that for you if you're not good with soldering. GigaParts and Ham Radio Outlet and stores like that will do that for you. [Inaudible audience comment] Yes, that's true too.

So getting away from the civilian comms, there are also a lot of different places you can get information that you might not realize. In this case, ships. They're using radio transponders in order to transmit the signal of their location. It's called AIS. They broadcast this out, it's unencrypted, anybody can see it,

so if I know what ship my Amazon package is on coming from China, I can track that as it comes across the ocean. I don't need the tracker going into FedEx or whatever. Now, the other thing that was kind of interesting with this is when we had COVID happening and you had all the ships outside of California trying to unload, and they couldn't. You could see on the maps that are online all of that being populated outside of California, where all the ships were getting backed up. So that provides more information. So if you work for a transportation company and you're trying to keep the transportation of your goods somewhat secure, you can go to these websites and say, hey, I don't want you to track my information, I don't want you to track my ships, and a lot of them will do that.

Similarly, aircraft do the same thing: ADS-B. You can set up your own receiver. Go on Amazon again; there are SDRs and antennas specific for this, and you can see all the aircraft flying overhead. Or you can go to these websites and pull that information off as well. You guys might have seen in the news the college student who was tracking Elon Musk's jet. Well, he was getting most of that information from the web, but if you've got your own SDR you could do it yourself and you don't need this. And it's the same idea: as long as you know what aircraft you're looking for, you can watch as it travels the globe. Now, based on the frequencies and technology and that kind of stuff, you're not going to be able to pick up a radio signal from an airplane on the other side of the globe. However, remember those SDRs I was talking about earlier? There are a lot of people who actually put those on the web so you can access them remotely. So what that means is you don't even need the hardware, you just need the

software to patch into their server, wherever it's at. Now, what I think is kind of cool with ADS-B and tracking aircraft and whatnot is when you saw Ukraine kick off, you saw all these aircraft everywhere except this one empty spot that was Ukraine. They didn't want anybody to get shot down, so they put a safety box around it, a no-fly zone; only military flights flew through that. And this covers military flights as well. Just like the ship one covers military ships, this covers military flights, so you can track all that.

[Audience member:] I will say that there's a caveat, in that there are two kinds of transmissions, and active military flights and police and rescue don't transmit on ADS-B. They transmit on something called Mode C. There are three channels that are separate that nobody has written public software for the decoding of. On those you can see that the bird is in the air, because you get an ID, but you don't get a GPS or anything outside of that. So that's why it's still totally in the clear, and you could conceivably spoof that data by just transmitting. [Inaudible]

Yeah, the difference there is that they turn off the ADS-B when they're doing actual ops, and they leave that one on for military ops, but when they're just traveling around the globe doing whatever, just like this guy here, that's a military aircraft that they're tracking, because he left ADS-B on. And then, just like your FedEx, UPS aircraft, stuff like that, you can track all your packages using this as well.

So GPS, another place where you can't get data from per se, but it can cause a lot of heartache if you don't protect it. And with commercial, civilian-use GPS there really isn't much in the way of protection for it. You look around in Europe and you'll see how Russia has been doing a lot of GPS jamming. If you remember, I think it was 2011, the Iranians had found a UAV, and it's theorized, at least in open source,

that they did it through GPS jamming. So you jam it, it doesn't know where to go, eventually it's going to try to fly home or land or do something, and that's when they grabbed it. So there are lots of technologies out there that rely on GPS: you track your trucks with it, you monitor speed with it, ATMs use it. There have been stories about people with trucks who didn't want the boss to know where they're at, so they put a GPS jammer on it, and they're traveling around an airport and all of a sudden all sorts of alarms are going off because they're losing GPS signal. So that's another thing to look at; you want to try to figure out ways to secure it if you can.

So getting more into our realm, we've got Wi-Fi, right? And the bottom line is, yeah, you can use the latest encryption and stuff like that, but eventually it's going to get cracked, and there are other ways to secure your Wi-Fi than just using encryption. So you've got wardriving to find it, you can use deauth attacks to try to get the keys to decrypt it, stuff like that. But at the end of the day, somebody can build a Pringles can antenna, it's basically a Yagi antenna, and you can pick up a signal from many klicks away, many kilometers away. So how do you secure that physically? Like I said, the emphasis here is more on the physical security side of it. The idea is, if you have commercial routers, not residential ones but commercial wireless access points, there are a lot more settings on those that you can deal with that try to help physically secure your hardware, to prevent other people from remotely accessing it through Wi-Fi. You can reduce the power on the signal strength as it points into the area you're trying to cover; that way it's not going beyond the physical perimeter. You can set up directional antennas. Most antennas on Wi-Fi are omnidirectional; they travel in all directions at all times. So you can get

directional ones and just point them at the area you want. So if you have, let's say, an open courtyard where people are eating or whatever and you want Wi-Fi access, you can still do that. You set up your wireless access points, you point everything towards the center, you reduce the power, so if you're far enough away you can't access it. So there are a lot of ways that you can secure that physically, besides the normal cybersecurity ways of using RADIUS servers and certificates and filtering by MAC and IP address and stuff like that. You can also shut down your Wi-Fi during certain times of the day when nobody's at work. So I have it running, then shut it down so nobody can get into it at night, stuff like that. There are a lot of different ways to protect your Wi-Fi. Yes sir?

[Inaudible audience question]

The top one, you're right, yes. So these are from least sophistication to most sophistication, and you're right. So Average Joe on the street, he's not going to see your broadcast SSID for your wireless access point by opening up Windows and just looking at the icon in the lower right-hand corner. Somebody with Kali Linux using AirSnort, or Aircrack-ng or whatever, they're going to see the SSIDs, because they're going to be broadcast not from the wireless access point but from the clients that connect to it. So yeah, you're absolutely right, but why make it easy for them

too? So there are lots of attacks using Bluetooth as well, which is that close-proximity wireless networking capability. Again, my personal opinion is that most of the time Bluetooth is a convenience feature, so if you don't need it, turn it off and use wired connections. And that goes along with wireless keyboards, which I think I talk about here shortly too. Just turn it off, go with wired connections. All it is is convenience, so you don't have 8 million wires on your desktop. So the best option there for Bluetooth is just get rid of it. Standards are constantly changing with Bluetooth; they're getting better capabilities, more efficiency out of it, different encryption, then the encryption gets cracked and people are able to get access to it. So my take on it is just kill it completely. Wireless keyboards and mice, like I was saying: some of them actually transmit in the open, some of them use proprietary protocols, and some of them do use a certain type of encryption between the dongle and the keyboard or mouse. Again, if you don't absolutely need it for some sort of requirement, get rid of it, go with wired; that way you don't have to worry about it in the future.

Switching back over to more of the physical side, a lot of companies have areas that are secured; they don't want people in there for whatever reason, and there are different ways to secure that. We talk about our three factors of authentication: something you know, something you have, something you do. And for a lot of them, the second factor is something you have. You see the devices listed up there, with the touch cards and stuff like that. A lot of those, you can capture that signal and, just like that kid did at the beginning with stealing the car, do a replay attack and get access to whatever it is you're trying to get access to. There's script-kiddie-level hardware out there now that

lets you do this. Some of it you might have actually seen in the news quite a bit, one of them being the Flipper Zero. So yeah, he's got one over there, I've got mine right here. If you haven't seen these yet, it's a very simple tool. You can hack the firmware on it, there are add-on boards so you can hack the hardware with it, you can get custom firmware so you can do more than what they designed it for. The other thing I'd be careful of is that the guys who develop this are Russian, so if there's a security concern there, then, you know, they're fun to play with, but know where you're getting your hardware from.

So let me give you a little story on myself. My kids go to daycare. They have these touch cards that allow us into the building, and I used my Flipper Zero to make a copy of it. It worked for about two weeks. The reason why it stopped working is because somebody did an audit, this is my guess anyway. Somebody did an audit of the logs, and when I used the Flipper to unlock the door it did something that the card doesn't do. They detected the anomaly and they said, oh, something's wrong here, let's block this access. I mean, it took two weeks for them to do it, and with physical access you can do a lot in two weeks, but the point still is that logging and auditing, two more cybersecurity concepts, apply to physical security just as much as they apply to cybersecurity.

Now there are a bunch of other things that the Flipper can copy. There are profiles for it; you can open up the charging port on Teslas, so that's something to be aware of. Garage door openers, especially the more

primitive kind. There's a lot of stuff out there. If it puts out an RF frequency, a radio frequency, and you can detect it and pick it up with a Flipper and record it, there's probably some sort of replay attack that you can associate with it. I've got a buddy of mine who has one. He pulls down Nintendo amiibo profiles, saves them to it, hits his Switch with it, and now he's got whatever features or bells and whistles that amiibo turns on for him, and he doesn't actually own the physical item.

So there are a lot of things to consider. As we close up here, there are a lot of things to consider when you're talking about physical security and securing information. We didn't even touch upon satellite communications, and that's a whole other big field in itself. Viasat, I think it was, when the Ukraine war kicked off, they got hacked. That was more of a cyber attack than a physical attack, but there are other things out there as well. POCSAG, pagers. How many hospitals still use pagers? Quite a few, actually, and there's a lot of PHI, or public health information, transmitted through those pages. Yes, all you need is an SDR tuned to the right frequency with the right software and you're pulling all that information in. I'm not a HIPAA expert, but how that's not violating HIPAA standards, I don't know; it probably is. [Inaudible audience comment] So yeah, if they're allowed to, they just accept the risk, right? If they're allowed to.

So there's also a lot of old cell phone technology out there, especially 2G, EDGE and 2G technology, a lot of that is crackable. But the problem is, and cell phone companies are dealing with this now, they have the service for basically the initial internet of things concepts that are out there, these devices that need a little bit of data every now and again, and so they now have... they've updated them all? [Audience member:] Yes, as of two years ago, January. Okay, so I

know, during COVID and whatnot, when I was looking around, I could still find EDGE and 2G signals. They're usually associated with ATMs and stuff like that. Yep, femtocells too, yep.

The other thing here too is home automation. If you guys play around with LoRa, it's another technology out there for communicating information; you don't need a license or anything to do this. These were actually originally developed for sensors for home automation, or even industry. So if you wanted to have something at a certain pressure or a certain temperature or what have you, this can track it and report it back. Well, now they're using it for comms, between cell phones and whatnot. Connect to it via Bluetooth and then LoRa device to LoRa device, you can communicate back and forth. So there's a lot of stuff like this that's out there as well for home automation, and none of that stuff's locked down. All that stuff is open to anybody who has a radio tuned to the right frequency to listen to it, and if you get close enough you can now read the data that other people are meant to see and you're not, but you are seeing it.

So anyway, that's all I have for you. Are there any questions?

[Inaudible audience comment] Yes, there's another guy around here, K2EXE, I ran into him already. Oh, there he is. Yeah, so cool. I'm W2AX. Okay, excellent. Well, that's all I have for you, so I guess we'll go on to the next group.
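The AIS point in the talk (ships broadcast their position in the clear, and a cheap SDR plus open-source software is enough to read it) can be made concrete with a decoder. The Python below is an added example written for this page, not code from the talk or from any AIS tool: it verifies the NMEA checksum, unpacks the 6-bit ASCII armoring, and pulls the MMSI, position, speed, course and heading out of a Class A position report. The sample sentence is the widely circulated example from the AIVDM/AIVDO protocol documentation, chosen because its decoded values are known; the receive chain named in the comments (an RTL-SDR feeding rtl_ais or AIS-catcher) is an assumption about how such sentences are obtained and is not from the talk.

```python
"""Decode an AIS Class A position report from an NMEA 0183 !AIVDM sentence.

AIS is transmitted unencrypted on 161.975 / 162.025 MHz. An RTL-SDR with a
demodulator such as rtl_ais or AIS-catcher emits sentences like SAMPLE below;
this file only does the bit-level decoding.  Added example for this page, not
code from the talk.
"""
from __future__ import annotations
from dataclasses import dataclass

# Sample input: the well-known example sentence from the AIVDM/AIVDO protocol
# documentation (single fragment, message type 1). Not captured live here.
SAMPLE = "!AIVDM,1,1,,B,177KQJ5000G?tO`K>RA1wUbN0TKH,0*5C"


@dataclass
class PositionReport:
    msg_type: int
    mmsi: int
    nav_status: int
    sog_knots: float
    lon: float
    lat: float
    cog: float
    heading: int


def nmea_checksum_ok(sentence: str) -> bool:
    """XOR of every byte between the leading '!'/'$' and '*' must match the hex suffix."""
    if not sentence.startswith(("!", "$")) or "*" not in sentence:
        return False
    body, _, given = sentence[1:].partition("*")
    calc = 0
    for ch in body:
        calc ^= ord(ch)
    return calc == int(given[:2], 16)


def unarmor(payload: str) -> str:
    """Expand AIS 6-bit ASCII armoring into a string of '0'/'1' characters."""
    bits = []
    for ch in payload:
        v = ord(ch) - 48          # '0' -> 0 ... 'W' -> 39
        if v > 40:
            v -= 8                # '`' -> 40 ... 'w' -> 63 (the gap skips 8 code points)
        if not 0 <= v < 64:
            raise ValueError(f"invalid armored character {ch!r}")
        bits.append(format(v, "06b"))
    return "".join(bits)


def field(bits: str, start: int, length: int, signed: bool = False) -> int:
    """Read an unsigned or two's-complement integer from a bit range."""
    chunk = bits[start:start + length]
    val = int(chunk, 2)
    if signed and chunk[0] == "1":
        val -= 1 << length
    return val


def decode_position_report(sentence: str) -> PositionReport:
    if not nmea_checksum_ok(sentence):
        raise ValueError("NMEA checksum mismatch")
    parts = sentence.split(",")
    if parts[0] != "!AIVDM" or parts[1] != "1":
        raise ValueError("only single-fragment !AIVDM sentences are handled here")
    payload = parts[5]
    fill = int(parts[6].split("*")[0])      # trailing pad bits added by the armoring
    bits = unarmor(payload)
    if fill:
        bits = bits[:-fill]
    msg_type = field(bits, 0, 6)
    if msg_type not in (1, 2, 3):
        raise ValueError(f"message type {msg_type} is not a Class A position report")
    if len(bits) < 168:
        raise ValueError("truncated position report")
    # Field offsets follow the ITU-R M.1371 type 1/2/3 layout.
    return PositionReport(
        msg_type=msg_type,
        mmsi=field(bits, 8, 30),
        nav_status=field(bits, 38, 4),
        sog_knots=field(bits, 50, 10) / 10.0,
        lon=field(bits, 61, 28, signed=True) / 600000.0,   # 1/10000 arc-minute units
        lat=field(bits, 89, 27, signed=True) / 600000.0,
        cog=field(bits, 116, 12) / 10.0,
        heading=field(bits, 128, 9),
    )


if __name__ == "__main__":
    print(decode_position_report(SAMPLE))
```

Running the file prints the decoded report for the sample (MMSI 477553000, moored, off Seattle). Multi-fragment sentences and message types other than 1, 2 and 3 are rejected rather than silently misparsed; the same unarmor/field machinery extends to the other AIS message types. ADS-B, which the talk treats the same way, is likewise bit-field extraction plus an integrity check, over a different frame (112-bit Mode S with a CRC) and a different demodulator.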
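The daycare story turns on one detail: the emulated credential "did something that the card doesn't do", and someone auditing the logs noticed. The talk does not say what the tell was, so the Python below is an added example with assumed specifics, not the access-control vendor's logic or the speaker's. It parses constructed badge-reader log lines (the format, field names, credential IDs, sites and thresholds are all made up for this example) and flags three signs a defender would look for in such an audit: a credential that was never enrolled, an enrolled credential presented in a different frame format (bit length) than it was issued with, and the same credential granted at two sites closer together in time than a person could plausibly travel.

```python
"""Audit constructed badge-reader logs for signs of a cloned or emulated credential.

Added example for this page. The log format, enrollment table and thresholds
are assumptions, not those of any real access-control product.
"""
from __future__ import annotations
from datetime import datetime, timedelta

# Constructed sample log (not real data). One event per line.
SAMPLE_LOG = """\
2024-04-12T07:58:03Z site=daycare-A reader=front cred=0x1A2B3C bits=26 result=granted
2024-04-12T08:01:40Z site=daycare-A reader=front cred=0x7E11F0 bits=26 result=granted
2024-04-12T17:32:09Z site=daycare-A reader=front cred=0x1A2B3C bits=26 result=granted
2024-04-13T12:10:55Z site=daycare-A reader=front cred=0x1A2B3C bits=35 result=granted
2024-04-13T12:13:02Z site=daycare-B reader=front cred=0x1A2B3C bits=26 result=granted
2024-04-13T12:14:30Z site=daycare-A reader=front cred=0x7E11F0 bits=26 result=denied
"""

# Assumed enrollment table: credential ID -> frame bit length it was issued with.
# A replay from an emulator can carry the right ID in the wrong frame format.
ENROLLED_FORMAT = {"0x1A2B3C": 26, "0x7E11F0": 26}

# Assumed minimum plausible travel time between any two sites, in minutes.
TRAVEL_WINDOW_MINUTES = 10


def parse_line(line: str) -> dict:
    """'<ISO timestamp> key=value ...' -> dict; 'bits' becomes an int, 'ts' a datetime."""
    ts, *kv = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for item in kv:
        k, _, v = item.partition("=")
        event[k] = int(v) if k == "bits" else v
    return event


def parse_log(text: str) -> list[dict]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_anomalies(events: list[dict],
                     enrolled: dict[str, int] = ENROLLED_FORMAT,
                     travel_window_minutes: int = TRAVEL_WINDOW_MINUTES) -> list[dict]:
    """Return findings in time order; each has kind, cred, ts and a human-readable detail."""
    window = timedelta(minutes=travel_window_minutes)
    findings: list[dict] = []
    last_grant: dict[str, dict] = {}      # cred -> most recent granted event
    for ev in sorted(events, key=lambda e: e["ts"]):
        cred = ev["cred"]
        expected = enrolled.get(cred)
        if expected is None:
            findings.append({"kind": "unknown_credential", "cred": cred, "ts": ev["ts"],
                             "detail": "credential ID is not in the enrollment table"})
        elif ev["bits"] != expected:
            findings.append({"kind": "format_drift", "cred": cred, "ts": ev["ts"],
                             "detail": f"enrolled {expected}-bit, presented {ev['bits']}-bit"})
        if ev["result"] != "granted":
            continue                      # denied presentations cannot create a travel pair
        prev = last_grant.get(cred)
        if prev and prev["site"] != ev["site"] and ev["ts"] - prev["ts"] < window:
            findings.append({"kind": "impossible_travel", "cred": cred, "ts": ev["ts"],
                             "detail": (f"granted at {prev['site']} {prev['ts']:%H:%M:%S}, "
                                        f"then at {ev['site']} {ev['ts'] - prev['ts']} later")})
        last_grant[cred] = ev
    return findings


if __name__ == "__main__":
    for f in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f["ts"].isoformat(), f["kind"], f["cred"], f["detail"])
```

On the sample, credential 0x1A2B3C is flagged twice on 2024-04-13: once for being presented as a 35-bit frame when it was enrolled as 26-bit, and once for being granted at daycare-B two minutes after daycare-A. Either finding alone is enough to pull the credential and ask the holder what happened, which is the two-week gap in the story shrunk to the next log review.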