
Nick Delewski - Wireless > WiFi: Thinking (More) About What Wireless Really Means

BSides Philly · 2020 · 1:09:41 · 72 views · Published 2020-12 · Watch on YouTube ↗
About this talk
Title: Nick Delewski - Wireless > WiFi - Thinking (More) About What Wireless Really Means. The "user" mindset of wireless communications conjures a limited set of technologies. However, myriad methods of wireless communication are being used all around us, every day. This talk challenges the audience to expand their concept of wireless beyond 802.11 and Bluetooth, and considers what that means for personal and enterprise OpSec.
Transcript [en]


Good afternoon. My name is Nick Delewski, and my talk today is "Wireless > WiFi," or "Thinking (More) About What Wireless Really Means."

So, I've got to start with the obligatory "who am I" slide. I am a senior manager with Protiviti as part of our emerging technologies group. In my role as a senior manager in emerging technologies I specialize in IoT and embedded systems, particularly as it relates to security. However, in the group we also touch a number of other topics, such as machine learning and computer vision, and some of that exposure informs some of the connections that you'll see in my talk today. I have about 15 years of experience in the industry, distributed among embedded and IoT security testing and red team penetration testing, and I've also spent approximately half of my career on the blue team and IT

operations side, doing security analysis and systems administration in some complex multi-domain and multi-network environments. If you have any questions throughout the presentation, by all means please feel free to reach out; my contact information is below. I always love hearing from people who have questions, and I hope I can clarify and maybe point some folks toward learning more about wireless communications that pop up in everyday life but are often neglected in our day-to-day discourse. So my main goals for this talk are going to be to explore a couple of common technologies that we use every day but aren't necessarily talked about in an end-user context. We're going to take a look at a couple of different

methods of communicating data wirelessly, and we're going to compare and contrast some of the security assumptions made when using some of those media. We're going to present these media as an attacker or a researcher would see them, as part of a penetration test or as part of a reverse engineering exercise. Finally, I'm going to provide some actionable guidance that will hopefully help manufacturers, enterprise users of wireless communications, and some end users and consumers, giving them some questions to ask when encountering a new wireless technology, to help them level-set what their security expectations should be around this new piece of equipment. So what I've found in my time working on

IoT and embedded systems is that the perception of wireless often depends on our own user experiences. Many of us are very familiar with Wi-Fi because of the age-old question: what's the Wi-Fi password? It seems like a very simple question; however, I think it's powerful in that it at least turns on the light and that thought process within someone's brain, saying, oh hey, there's something that is contributing to the overall security of what I'm doing right now. I think that on a certain intuitive level, if somebody puts in a password, they say, all right, I'm taking some sort of an action,

making some sort of a choice between convenience and security. With Bluetooth, for example, another commonly used wireless technology, you generally have to take an action to pair this new thing, this new device, with either a phone or a laptop or something along those lines. Again, Bluetooth is a little bit different in that, in the conversations I've had, the word "pairing" can seem to lead some people astray. Some people believe that just by using the word "pairing," that creates this impenetrable tunnel between my phone and my earbuds, so that nobody can tell that I'm listening to

"Friday," or I'm listening to the latest pop song on my earbuds, when it's not necessarily the coolest thing for somebody in IT or information security to do. Sometimes there are additional technologies in there that the user doesn't even see; they're completely transparent. In more modern earbuds, for example, in addition to that Bluetooth pairing that happens, there's also near-field magnetic induction being used to communicate information from one earbud to the other to create stereo sound. So it's one of those other situations where that technology just kind of fades into the background, and people might not even realize that it's in play

because they're not directly interacting with it. Combine that with cellular data and we have the typical user experience these days with your typical handset phone. Cellular data is an always-on wireless technology, except obviously when you are in airplane mode or something along those lines. The functionality may exist to turn off mobile data separately from airplane mode, but the vast majority of users I've talked to wouldn't typically do such a thing. The other key thing to remember about cellular data is that there's not typically any user action required to secure it, so therefore I think there tends to be an assumption on the user side

that, "Well, I can't control it, there's nothing I can do, it is what it is," or "It has to be secure, because that's the telecommunications company's job, that's the cell phone carrier's job, to make sure that it's secure." There is a certain truth to that; however, in certain enterprise situations there might be choices that can be made on the back end that are being missed because of people's typical experience on a consumer level with their mobile devices. So unless you're well versed in some of the security parameters regarding, say, for example, a choice of SIM card deployment or how to set up a private APN

on an enterprise IoT-level deployment, then it might be something that could be overlooked in an initial test run or an initial production run of a new product. So what I've found is that, in general, high demand for an embedded device or an Internet of Things device, combined with marketing which either minimizes security as a requirement or gives the hand-wavy "we've got security covered" sort of treatment to security, plus a low-interaction user experience as it relates to security, equals ambiguity in the mind of an end user, and might even obscure or abstract out some of the underlying technologies that

are carrying our data or controlling the things around us. In reality there really is quite a diversity of wireless communications technologies. A number of wireless technologies out there have well-defined standards; they take place over reserved or licensed RF bands, so those kind of fall into one bucket. Then there are other wireless technologies that utilize that shared space on the wireless spectrum, your 2.4 GHz communications, 433 MHz, those other areas of the spectrum that are set aside for other usage and are free for development and ISM experimentation. They might have some

proprietary protocols built on top of certain chipsets. Some of them operate through more of a de facto agreement on ways to modulate and demodulate, or encode and decode, data on top of these protocols, rather than anything official or rigidly implemented, and that's going to have some security implications down the line. Also, there's the phenomenon of wireless technologies that were developed for one purpose being used in ways that maybe weren't initially imagined. What comes immediately to mind with that is the use of Wi-Fi and Bluetooth these days for position data. I think it's fairly safe to say that

when Wi-Fi was first being developed it was intended to be a communication protocol. It was intended to be a way to move lots of data from an endpoint, such as a laptop or a mobile endpoint, onto a network, whether it's a home network or an enterprise network, without being encumbered by needing to drop network jacks everywhere and all of the associated cost that comes with that. Several years down the line, the idea of wardriving came to pass. Wardriving, for those who aren't familiar, is the practice of driving around or walking around, whatever your preferred mode of transportation is, and listening to the different Wi-Fi access points that are broadcasting their

SSID, and correlating that with where you are in the world, either via GPS or sometimes even through manual means, but mostly through some sort of automated piece of software such as Kismet, or WiGLE, which is a very popular wardriving platform for mobile devices. It even has a cloud component where you can go online, search for a specific SSID that you saw, and boom, it pops up on a map. And then there are other proprietary versions of similar things that are used under the hood of mobile operating systems to supplement the positioning functionality that's provided by GPS, to counteract some of the

undesirable side effects or different interference scenarios that can be used in classic GPS or GNSS technologies, to verify "yes, I am actually here," or to drill down a little bit closer and get more precise and accurate results. Finally, and this comes more from my experience in reverse engineering and pen testing, wireless isn't just RF. Really, when we look at wireless, it's just communication without wires, and that can be evidenced when you see some instances of true creativity coming out of the hacker community. Even though we're not just talking about RF when we're talking about wireless communications, some of these methods of

communication may share some common security concerns, so it's always a good idea to calibrate what you're seeing with what you know already, and then map out and make sure you validate your assumptions about what's similar and what's different when you're taking a look at a new wireless medium. Some of the common end-user wireless applications I think many of us are already familiar with: we have wireless peripherals, human interface devices such as keyboards, mice, and presentation remotes; we have wireless earbuds; we have smart thermostats; we have lighting control and occupancy control, to make sure that we're not wasting energy

while we're out of the office or out of our homes. There are also physical security systems, made up of a combination of sensors, maybe some door locks, and video cameras, and many of those physical security systems actually have analogs in the vehicle security realm as well. That adds a little bit of a different dimension when you're trying to secure something that by its very nature is supposed to be mobile, but you do run into some of the same problems whether you're trying to secure your home or your car. Some of the wireless applications that we're seeing more chatter about and that are getting

more traction, even globally: we have some smart city and transportation-related wireless technologies, where there's potential for vehicle-to-vehicle communications and vehicle-to-infrastructure communications that will potentially help ease traffic congestion in the future, or have vehicles alert one another or receive alerts about dangerous road conditions ahead. All of these technologies ultimately will factor into the cars of the future, especially as we get more toward functional and accepted autonomous driving and other next-generation transportation modes. Also, with the increased density of drone flights around, they're also running on their own set

of protocols that at the moment are sharing RF with some other applications, so keeping an eye on drone development and how those communications protocols are developing is something we're keeping an eye on. Delivery and management of utilities is another very common usage of radio communication today, but I think there's still a lot that could possibly be done with that in the future regarding smart meters and being able to optimize how those utilities are maintained and delivered throughout an area. Connected medicine is another area where, currently, I see a lot of

telehealth consultation. It has become much, much more important in the COVID-19 era. 2020 has seen a lot of development of solutions and therapies that are designed to help people stay out of the hospital and other areas that are going to put a patient at a higher risk of either transmitting or becoming infected with COVID-19, so that's been a major driver of some of the technologies that we've seen this year. Wireless medical telemetry systems are also systems that sometimes go hand in hand with telehealth, especially when there's a known condition that a patient and their medical team

are actively monitoring on a day-to-day basis. And then there are some advances being made in various mobile forms of therapy delivery, or various other methods of receiving therapies, that might keep people out of crowded doctors' offices and crowded hospitals, and safer and socially distanced. So we're going to go through a couple of case studies here about some of the technologies that we know are out there right now, and then after some of these case studies we're going to see a little bit more of what we can do today in order to get a better grasp on

what we need to do with our own wireless communications, whether we're a manufacturer, an enterprise consumer, or an end user. We're going to start off with something that is probably going to be fairly well known within the information security community, and certainly I think many folks can relate to how a wireless keyboard and mouse might affect somebody's security. The MouseJack series of vulnerabilities were first disclosed by Marc Newlin in 2016. MouseJack essentially affects an entire class of different wireless keyboards and mice from multiple manufacturers; most of them, I believe all of them actually, operate on the 2.4 GHz band of radio

communications, and just as a side note, that often coexists with Wi-Fi and Bluetooth communications as well. This series of vulnerabilities enabled an attacker to potentially sniff or inject keystrokes, either going from the keyboard to the PC, or, if we're going to inject keystrokes, we just decide what we're going to inject, and then we create the packets and send out the RF that's going to make that happen, essentially turning that wireless keyboard dongle into your own personal Rubber Ducky, if you're familiar with the pen testing tool of that name, which

essentially acts as a keyboard but can be used to script different commands and execute them in a surreptitious manner if you can, say, plug it into a computer as part of a physical pen test or something along those lines. However, this makes it very much a remote attack now, where instead of having to plug that Rubber Ducky directly into that computer and then do your thing, you might be able to execute this either from a parking lot, or, if your pen testing client is in a shared office building, you might be able to

launch this from a common area like a coffee shop or a courtyard or something along those lines. So certainly there are security implications when somebody can inject keystrokes: you can use that to spin up a command window, run scripts, or download a Cobalt Strike beacon or something along those lines, and then off you go on your network pen test. The interesting thing about this, though, is that three years later there's another group of vulnerabilities disclosed by Marcus Mengs, and his work focused on Logitech's Unifying technology. While many of the MouseJack vulnerabilities were patched in a patched version of

the firmware that goes on the Unifying dongles, reporting at the time found that there were still unpatched dongles on the market, on the shelves, being bought by people three years after the original disclosure of MouseJack. Here is an excerpt of one of the contemporaneous articles covering Mengs's disclosure, and I highlighted a couple of areas here, one being that Logitech's peripherals come pre-paired. So there's not even that user interaction saying, "Hey, I should probably be thinking about the security of this wireless technology." It's already done. Granted, there are good reasons that you want a low-friction user experience when you're talking about wireless tech, and I think that

pre-pairing devices to make sure that they are securely communicating with one another is a good practice. I do, however, think that there should be some meaningful engagement on security, just to reinforce to the user: "Hey, this is a wireless technology; we've done some of that security work for you." And if there are any relevant security settings that a user might want to change, we should, in my opinion, be presenting them to the users. After all, I'll say this now and I'll probably say it again one or two more times in the presentation: my threat model is not your threat model is not my neighbor's threat model. Everybody's

slightly different, and so I do believe that there should be that level of control where it's wanted, and there should be security by default, but overall there should be at least transparency about the need for security. Going down to the second part that's highlighted, this is officially confirmed by the rep: the unpatched dongles were still on the market essentially because they were never recalled to be reflashed from the factory or anything of that nature, so they were just shipped out and they sat on the shelves until they were needed, and users might not have even known that there were updates that still needed to be installed on

these dongles. They might have assumed, "Hey, the manufacturer said that they had a patch for this; I bought this three years later, so I'm good, right?" Another technology that we often use on an everyday basis, and that a lot of people can relate to, is key fobs on a car remote. Your traditional key fob remotes actually have a lot of similarities to something like a garage door opener: a lot of them are going to use rolling codes; the older remotes probably aren't going to be encrypted; they are generally going to be button-activated; they might have some remote start functionality, but as a general rule you're still going

to need to place your key in the ignition in order to drive the car, and most cars, probably within the last 20 years or so, are actually going to have little transponder chips within the key itself that contribute to security as well, regarding somebody's ability to actually steal the car versus have access to it. Now, some of the newer smart key fob remotes that allow push-button engine start on the car use somewhat of a different model. They are going to be in an always-on mode, which is nice and convenient, because that way we can have this

key in our pocket; we might have a bunch of different stuff in our hands, maybe we're just coming back from the store, or we have our phone in our hand and we're trying to put a kid in the car or something along those lines, and all of a sudden our car knows it's us approaching. So it can be very helpful to unlock the doors for us and make our lives a lot easier. A lot of these key fobs, again, are coming out after there has been some discussion about security on these wireless devices,

so many of them do implement some kind of encryption, or at least some sort of cryptographically strong implementation of rolling codes, and in general they do require that these remotes are near the vehicle in order to either unlock the car or start the engine. As can happen sometimes when you're depending on physical proximity as a security measure, there needs to be some kind of verification that the thing nearby your asset is actually the thing that it's claiming to be, and one way to get around that is actually fairly simple conceptually. A relay attack is an instance where an attacker

doesn't necessarily care about decoding the messages that are being sent from one party in a conversation to another; they just want to be able to repeat them. So they take in one side of the conversation and broadcast it out the other side, either at the same power or at a greater power in order to extend the range of that broadcast. It's kind of like a Wi-Fi repeater: it doesn't necessarily do any filtering, it doesn't necessarily do any meaningful routing, it just takes in and goes right back out, except stronger. Very, very simple conceptually, very, very simple to implement, and it can happen in real time. Unfortunately, this means that

those key fobs that are relying on proximity for security are making an assumption that's not necessarily true, because if I'm an attacker and I can place my receiver within range of that key fob and then rebroadcast, that means I can be further than just a couple of feet from your car or your key fob; I can actually be quite a distance away. There have actually been some commoditized toolkits to implement this kind of attack, put out by Unicorn Team, for example, and there are a lot of other

researchers that have done work in relay attacks as well. This right here is actually an example from West Midlands Police in the UK of a relay attack in action.

So here we see our suspects driving up.

See, they have two of them.

Both suspects appear to be holding some sort of a device. One, it looks like he is holding it up by the window, probably trying to receive that transponder signal. The other is next to the car. The car unlocks; he gets in the driver's seat. Again, remembering this is in the UK, the driver's seat is going to be on the right-hand side. Now he has to go back, probably so that he can turn the car on. So he wandered away, the wheelman is in the car, but he couldn't turn on the engine. Now he's going back up to the window to get the signal. The engine is on, and now he's getting his car out of the way

while the wheelman drives off. In most vehicles there's going to be some kind of a time-limited aspect to that, where the engine is eventually going to turn off without the key nearby. However, it's kind of an asymmetric consequence: as much as the thieves don't get the full functionality out of the vehicle that you do, they can't joyride it and take it for a spin at 120 miles an hour, they can easily drive it onto the back of a waiting tow truck and then take it to a chop shop to be disassembled, or whatever other sorts of schemes they might be looking to

get into, and the end result either way, regardless of how much access they have to your car, is that you don't have a car anymore.

Another type of attack that was released in 2019 is the Raptor Captor attack, which actually affects a couple of 2019 and maybe a few earlier Ford vehicles, where Dale "Woody" Wooden found out that a certain progression of replay attacks, taken from two different key fobs, could actually reset the rolling code sequence that a vehicle will use to control access to the vehicle. Again, this is one of those situations where there's kind of an asymmetric consequence. This isn't necessarily going to allow an attacker to steal your car; according to Woody's talk and some of the write-ups that have

taken place around it, they might be able to start the car's engine, but it doesn't actually fully disengage the immobilizer on the vehicle. But one of the consequences of this attack is that since it resets the rolling codes associated with the key fob, that key fob now isn't going to work until it's reset in the vehicle. So if for whatever reason an attacker were able to execute this successfully on your car, and you're relying on that key fob to get back in, they could essentially lock you out of your car, and then they could get into your car

and rummage through it at their convenience and then be off on their merry way. A lot of the old-style vehicle key fobs were broadcasting around 433 MHz or 315 MHz. There are some other interesting vehicle-related transmissions that happen on those bands: tire pressure monitor sensors are often on one of those two bands, depending on your region, and there are a myriad of other uses on those bands as well. rtl_433 is a phenomenal tool that actually will survey up to 169 different device types and protocols for information just being broadcast in your general area,

and it's all accessible using a $25 RTL-SDR dongle. This is one of the first things that I recommend for people that are curious about wireless security and seeing what's going on around them. This is a whole world of wireless communications. You're probably going to find a lot of things like weather stations and thermometers, but certainly there's a greater capability, and a capability for abuse, of improperly secured wireless communications. Some legacy security systems, for example, would also use these bands, and they would not encrypt their traffic. In fact, many of these protocols would be not only in plain text, but they wouldn't even

necessarily have enforced sequencing measures, so that you can completely forge packets, say from certain older security systems, to lock and unlock. Many of them are susceptible to jamming as well. Again, not every system is the same, but I think it's fair to say that the older systems maybe relied way too much on people not being able to see these waveforms and do this basic decoding, which is now actually pretty ubiquitous, and the barrier to entry is very, very low. So from there I'm going to take a bit of a hard 90-degree turn here,

and this kind of comes at us from a slightly different perspective. One time I was doing an assessment, and one of the inputs to a business process was through a barcode scanner. From a reverse engineer's perspective, we want to make sure that we know how everything works on a particular system or device inside. Sometimes we have access to the source code, so we can just look there; other times we have to improvise a little bit. QR codes, if you think about it, are another means of wireless communication; it's just not necessarily radio frequency. The thing with QR codes

is that they are very easily machine readable, but not human verifiable in any meaningful way. I know there's no way I could verify what's on a QR code just by looking at it. For anybody that's curious about the background, you can absolutely look it up; don't worry, I will never let you down when it comes to interesting content in a presentation. In an enterprise context, I've found that things like QR codes and barcodes are still often trusted inputs in certain systems, either because they are taken from legacy systems where

there might be some institutional knowledge that was lost as part of the original development, or maybe there are some other functional limitations to the hardware that is doing the processing. But just some things to think about if you use any of these technologies in your enterprise: how would my system react if I had put a QR code sticker that contained a SQL injection or a command injection above the proper sticker on that box? It's still getting data where it needs to be, theoretically, in order to get detonated, get launched. What about the EICAR test string? For those that aren't familiar, the EICAR test

string is essentially a special string that actually is a functional executable in a Windows environment, and it also happens to be human-typable as well, which is this great and elegant duality of it. It's something that's used often to test antivirus systems: if they can detect the EICAR test string, then okay, you know that you at least have visibility, your antivirus engine at least has visibility, in that process or in that system. However, what your antivirus system decides to do from there may be less than helpful. There are systems out there where if an EICAR test string, say, is

discovered in a database, it's possible that that entire database might get quarantined, which may, depending on the process, result in some production-down situations and maybe some very difficult explanations. So even though QR codes are kind of difficult to modify on the fly, I think it's probably pretty easy to think of a scenario where somebody could have some of the more common ones on stickers and then inject them into different processes in a complex system. Going the opposite direction, we're not reading QR codes here on my slides, we're reading written words. Written words, with the caveat that

there are many, many languages on this earth and not all of them use the same character sets, not all of them follow anywhere near the same rules, but by and large the written word is easy for people and harder for machines to understand. Optical character recognition is kind of the opposite of the QR code: it's a machine trying to analyze the written word and then convert that back into data that's easy to consume and then feed into other processes. The other thing that might not always be called out along with optical character recognition is the need for context. Context is another

part of language that's easy for people to understand, as long as you're well versed in the same jargon, or you have two people in the same field talking to one another, but it's harder for machines to get. So we have to make sure that as developers we are building that context into our models as well. For one particularly harrowing but kind of hilarious story about how that goes wrong: a security researcher who goes by Droogie did a DEF CON 27 conference talk about his adventures in obtaining a vanity plate that said "NULL." He was hoping that he wouldn't get tickets from automated license plate readers, and things did

not exactly go as planned for him uh i definitely recommend that you uh watch that uh watch that talk it's very interesting from a uh process and context perspective the kinds of things that can go wrong when we are trusting ocr a little bit too much kind of related to the visible light communications we also have invisible light so infrared is a medium of communication that's actually been around for quite a long time most of us know it from simple uh you know one directional protocols um you used to you know change your channel on our tv or work some other appliances or lighting controls you know oftentimes it's just very very simple um keying on on top of the carrier

frequency and uh the individual codes are programmed into the tv or appliance and that's it however um as much as that world is a little bit more uh proprietary and freewheeling outside of the the carrier frequencies um there are some significantly more complex applications of infrared and communications so um irda is a technology that's been around for a number of years and it supports bi-directional communications with a number of different devices you would find in a modern office home or enterprise [Music] i should say you probably wouldn't find too many of these devices in a modern home or enterprise but they still do exist including uh medical devices um and part of the reason for that

uh is because you know they want communications uh in a way that uh are unlikely to uh cause interference or we they want to make sure that the communication functions even in the event of rf interference so uh there is some some uh scientific logic to to why uh ir would be desirable in those kinds of situations so yep medical devices sometimes do use irda and turns out since it's not as widely implemented today as it used to be some of the tooling for irda can be sort of hard to get um definitely 250 is is uh kind of cheap for uh i should say kind of expensive for a hobbyist who uh might come across uh you know some random

thing that looks like it has an irda port on it um luckily however uh you know reverse engineers and pen testers are are good at sort of thinking on our feet so i use this eight dollar pawn shop palm spring visor instead [Music] it supports the standard irda protocols communicated with the medical device out of the box uh did everything that i needed to do uh it was just from a very well bygone era and i happened to know what i was looking for so um you know when you are thinking about the researchers and the the adversaries that are out there trying to reverse engineer uh your your product or or might be trying to

worse uh attack your product um you do have to kind of think outside the box and and um maybe challenge your assumptions when you're you're thinking that something is going to be too high of a barrier of entry um and and you're relying on that for for security um just a quick note on some of the other uh main usages of infrared uh yes infrared is the same uh form of light that you know most consumer uh security night vision cameras are going to use um so the lamps themselves are are mostly invisible to the naked eye there might be a little bit of a red uh sort of halo around the ir leds that

are illuminating the target surface [Music] so naked eye has a very very difficult time sort of seeing those and calling those out however uh just an interesting side note um if you are securing your building with uh ir cameras and all of your cameras have ir leds all over them um they're to be very visible to other ir cameras which are are also very very cheap these days uh to the tune of 20 25 uh you know they can sort of turn off their own um ir led illumination and just kind of look for yours so um your ir cameras if you're only relying on the illumination that's on the camera itself uh you're sort of giving away your

camera positions uh might be a good idea to look at something like an ir illuminator uh where it's just that ir light source uh rather than that having that camera uh your illuminator then provides sort of that light gets bounced back the camera remains somewhat covert why would that be an issue potentially because dazzling is another type of interference problem if you think about it uh much the same way signal jamming uh would work on an rf perspective dazzling happens when uh a camera is able to take so much light in [Music] but if you are flooding that sensor with uh with light then it can only compensate in its settings so much in its exposure settings

to sort of dull that down before it starts to degrade the image quality either partially or completely so if somebody knows where your ir cameras are and then they can flood that with ir light that means that um you know your camera is going to be much less useful in the event of an actual incident um can definitely degrade your ability to excuse me identify a suspect or or a potential perpetrator um and i am actually aware of at least one situation where a method similar to uh the one detailed here at hackaday uh was used to sort of subverts um camera identification in in the commission of a burglary um so again the attackers are very very um

attackers are very very creative they understand the physics they understand you know how all of your your security systems and your wireless systems are working obscurity and and sort of uh hand waving uh only goes so far in in making sure that you're actually building in uh what you need to in order to protect your customers in order to protect your assets so what do i do now um i've given a whole lot of information about case studies and things that have gone wrong in the past things that could potentially go wrong in the future um it's kind of a bleak and jury picture i know but what do i do sometimes it feels like

you know we just have to uh succumb to the urge to uh cover everything in aluminum foil um this is 2020. uh you never know what we're going to have to do [Music] in the future um and uh i'll i've said it before i'll say it again now my threat model is not your threat model um your mileage may vary and go low um so the thing is with uh rf shielding it used to be something that there is this perception of um you know paranoia around somebody that that you know uh buys a shielded wallet to protect their cards against uh being stolen through uh you know contactless uh payment technologies uh or uh you know passports uh that have rfid

chips in them uh things of that nature but with so much of our world actually going wireless uh i would i want to really challenge some of the uh stigmas against using things like rf pouches and faraday cages in fact uh some automobile manufacturers have even explored building faraday cages into vehicles so that people could place their phones inside them uh to ensure that uh they're not receiving text messages or they're not receiving other uh they're not being distracted otherwise by their phones while they should be driving so i would honestly uh say that there there perhaps is a place uh for you know some method of rf shielding in a general home uh you know maybe um you know a

nightstand where you know you place your keys at the end of the day if you have one of those always-on transponders or uh something of that nature at least until sort of the uh manufacturing ecosystem starts to take another look at whether this always on trend is is really where we want or need to be going when it when it comes to communication security and asset security um if i'm a manufacturer what do i want to make sure that i'm doing to keep my name out of the news and protect my customers i want to make sure that i have a security testing and vulnerability management program and i want to make sure that my suppliers do as well to the

extent that i'm able um a lot of the embedded vulnerabilities that have been seen recently can affect somewhere a little bit further back in the supply chain so maybe even sometimes the um label manufacturer doesn't know that they're using an insecure component or an insecure chip or an insecure protocol so the more that i can bring the rest of my supply chain up to my level in terms of security testing and vulnerability management the better and that's on both software and a hardware side the next thing i want to do is i want to i want to ask if i am really meaningfully including security as part of the user experience and i'm not saying this

uh to say that i want to um completely take make the user responsible for for absolutely everything um as far as their own security we absolutely should have security by default uh but maybe uh informing them why things are set up the way they are and keeping them informed of the fact that this is a wireless technology if there is a problem identified with it in the future we do take it seriously and you know you can look for security updates here uh you can make sure that you know you're applying these security updates on a regular basis using our software uh etc um i also want to ask if i'm participating in the efforts to make

things better as a whole for everybody that's going to include my customers that's maybe even going to include my competitors customers they might see what i'm doing and that i'm taking security seriously and so i am uh maybe even gonna uh you know win some of them over by by some of my uh you know security-mindedness um am i giving users the choice uh to choose security and privacy over convenience um it's probably the third time i'm going to say it my security model my threat model is not the same as your threat model is not the same as my neighbor's threat model um trying to build a single device that accounts for all three of those

threat models especially at at a consumer level um let alone an enterprise level with all the complexities that that are there um is is probably going to be less than practical and i think is going to result in a sub-optimal balance of security and convenience um one of the simplest things that we can really do uh as a a uh manufacturer as a designer is make sure that our users can actually like turn our product off when it's not needed physical switches for for simple things i would definitely like to start seeing more of that [Music] i know that uh that apple has has kind of uh moved a little bit in that direction uh with its its microphones um

saying there is a hardware switch it's not quite the same as i'm imagining a physical switch but it's really one of those simple things you kind of have to ask ask your question everybody out there has um who's security minded has a webcam cover on these days uh and they have it on there for a reason why could it not be a little physical switch on the the side of your laptop or on your phone that you know cuts power to that peripheral or or disconnects the data line just to make sure give the users that extra degree of assurance that they have control over their device and how it's being used and then finally i covered this a little

bit before am i relying on on being uh physically close to something for security and if i'm doing that um is my decision sound is the physics sound uh is the protocol sound or uh am i potentially opening myself up for a relay attack uh or something similar uh where an attacker could actually circumvent that at the enterprise i want to know what devices are on my network and i also want to know what devices aren't on my network um i say what aren't on my network what devices aren't on my network because um things like building automation security systems oftentimes they are uh individual nodes that are connected by a common media but they're not going to interface in any

sort of a meaningful way with your i.t infrastructure even if they might use some of the same radio spectrum so i kind of view them as being sort of on a parallel infrastructure except for maybe a touch point if you happen to have the the iot hub or the controller on the local network in many cases if it's air gapped that doesn't necessarily mean those systems don't exist it just means that um you know maybe it's a little bit more more difficult to get to the the back end uh that's actually uh you know taking all that data and processing it um i also want to know uh kind of similar to the manufacturer level i want to know if

the wireless devices that i'm buying from my enterprise have already gone secure undergone security testing at the manufacturer level uh or if maybe i should do some of that testing myself if not um depending on my implementation uh there absolutely could be some situations where i want to make absolutely sure that this is going to be a rock solid device um and that i'm accounting for any vulnerabilities that may be there so um you know maybe uh getting some uh expertise on on that uh in to take a look at my implementation uh training some folks up on wireless security uh having a basic tool kit in-house and and basic competencies might be a very

very good idea depending on uh the types of systems that i'm fielding and the consequences uh that could come from a breach of those systems uh also finally uh making sure that i'm validating data everywhere it comes into a system including ocr and machine readable sources as well again trusting these sources is generally not a a good idea um they they can be fairly easily manipulated and it's just a matter of having that momentary access to either uh cover over that sticker or um you know that um guy that does something as a joke uh but it's all fun and games until somebody loses a table um so that's uh that that would be one

thing that i really want to hone in on for anybody that is using optical methods for for data input and for end users i think it we need to take a little bit more of a different tack because not everybody has the time to dedicate to uh security the way we do uh more than anything uh if i'm an end user i wanna know uh if i really know how my devices are using my data what data is being sent wirelessly can i control how i'm interacting with my devices can i turn wireless off if i need to can i turn wireless off if i want to if the device doesn't give me that option i can always pull the plug

uh or i can always put it on you know a power strip with a switch and when i'm done with it i just turn off that power and i know it's dormant i know it's not doing anything uh that i don't want it to do and i'm also going to just do a little bit of research uh seeing if i can find any potential security issues with the device and if so um you know are they patchable or am i essentially knowing that i'm rolling the dice while i am um buying this product or while i am while i'm running this product uh it could be that you know for what i need it for

not a big deal i can take that risk or it could be something i'm like well maybe i just do it the manual way or maybe i look somewhere else so if after this talk you do want to learn a little bit more about wireless security um lots of really great resources out there here are three that i found very very useful to me throughout my career um early early on in my career i actually [Music] went through the the process to get a ham radio license american radio relay league as a great resource for learning about how rf works uh learning some of the basics that might be a good starting spot before maybe getting

into how software defined radios work mike osman has a really great series of videos where he uh gets down into the details uh and explains the math uh honestly and one of the most uh straightforward concise ways that i had ever seen it explained before so i would highly recommend taking a look at his series to learn more about how software defined radio affects um the current ecosystem and how you can do a little bit of exploration on your own uh also um i'm a big fan of uh getting out in the community and uh you know the wireless village guys uh they go to a number of different uh security conferences uh they have always put on top-notch wireless

capture the flag competitions where you can actually go out and try to apply some of these concepts and and learn hands-on i would definitely definitely keep an eye on on what those guys are up to they have um i've learned a lot over the years from talks at wireless villages and by participating in their stuff so definitely keep an eye on them so uh thank you so much to uh besides philly for uh having me speak and i am happy to answer any questions you may have
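The talk's closing advice for anyone feeding QR, barcode or OCR output into a system is to validate it everywhere it comes in and never treat the optical source as trusted. The block below is an added example of what that looks like in code; it is not from the talk or the speaker. The asset-label format `ASSET-<site>-<serial>-<check>`, the Luhn check digit, the confusable-character map and the sample scans are all constructed assumptions for illustration. It shows three layers a practitioner would want: a hard length and character-set gate before anything else runs, a strict anchored schema plus check digit so a covered-over sticker or a mis-read character is rejected rather than stored, and a parameterized insert so that whatever survives validation is only ever data, never SQL.

```python
"""Validate machine-readable input (QR decode or OCR text) before it touches a
database.  Added example, not the talk's code; the label format, checksum and
confusable map are assumptions chosen for illustration."""
import re
import sqlite3
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed label format: ASSET-<3 uppercase letters>-<8 digits>-<1 Luhn check digit>.
# \A and \Z anchor the whole payload, so trailing junk after a valid prefix fails.
LABEL_RE = re.compile(r"\AASSET-([A-Z]{3})-(\d{8})-(\d)\Z")
MAX_SCAN_LEN = 64  # any decoded payload longer than this is dropped before parsing
# OCR engines commonly confuse these glyphs; applied only to digit-only fields.
OCR_CONFUSABLES = str.maketrans({"O": "0", "I": "1", "L": "1", "S": "5", "B": "8"})


@dataclass(frozen=True)
class AssetLabel:
    site: str
    serial: str


def luhn_check_digit(digits: str) -> int:
    """Standard Luhn check digit for a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:          # rightmost payload digit is doubled first
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def normalize_ocr(text: str) -> str:
    """Repair common OCR confusables, but only inside the numeric fields so the
    alphabetic site code (which legitimately contains O, I, S, B) is untouched."""
    parts = text.strip().upper().split("-")
    if len(parts) != 4:
        return text.strip()
    parts[2] = parts[2].translate(OCR_CONFUSABLES)
    parts[3] = parts[3].translate(OCR_CONFUSABLES)
    return "-".join(parts)


def parse_label(raw: str, source: str = "qr") -> Optional[AssetLabel]:
    """Return an AssetLabel or None.  QR payloads are exact data, so they get no
    confusable repair: a letter O in a digit field there means the code is not
    one of ours, not that the camera misread it."""
    if len(raw) > MAX_SCAN_LEN or not raw.isascii():
        return None
    text = normalize_ocr(raw) if source == "ocr" else raw.strip()
    m = LABEL_RE.match(text)
    if not m:
        return None
    site, serial, check = m.groups()
    if luhn_check_digit(serial) != int(check):
        return None
    return AssetLabel(site, serial)


def ingest_scans(scans: List[Tuple[str, str]]) -> Tuple[List[str], List[str], int]:
    """Store every valid label with a parameterized query and return
    (accepted serials, rejected raw payloads, rows in table).  Rejected
    payloads never reach the SQL layer at all."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE assets (site TEXT, serial TEXT, PRIMARY KEY (site, serial))")
    accepted, rejected = [], []
    for raw, source in scans:
        label = parse_label(raw, source)
        if label is None:
            rejected.append(raw)
            continue
        conn.execute("INSERT OR IGNORE INTO assets VALUES (?, ?)", (label.site, label.serial))
        accepted.append(label.serial)
    count = conn.execute("SELECT COUNT(*) FROM assets").fetchone()[0]
    conn.close()
    return accepted, rejected, count


# Constructed sample scans: (decoded payload, source).  Check digits computed
# with luhn_check_digit above; 20201209 -> 2, 00000105 -> 7.
SAMPLE_SCANS = [
    ("ASSET-PHL-20201209-2", "qr"),                      # valid QR label
    ("ASSET-NYC-OOOOO1O5-7", "ocr"),                     # OCR read O for 0; repaired
    ("ASSET-PHL-20201209-3", "qr"),                      # wrong check digit
    ("https://example.invalid/enroll?x=1", "qr"),        # sticker with a URL instead
    ("ASSET-PHL-20201209-2'); DROP TABLE assets;--", "qr"),  # trailing junk, fails anchors
    ("A" * 200, "qr"),                                   # overlong payload, length gate
]

if __name__ == "__main__":
    ok, bad, rows = ingest_scans(SAMPLE_SCANS)
    print("accepted:", ok)
    print("rejected:", bad)
    print("rows stored:", rows)
```

The point of keeping the confusable repair on the OCR path only is that the two sources fail differently: OCR misreads honestly and benefits from a narrow, field-limited correction, while a QR payload that does not match the schema exactly is either not one of your labels or has been replaced, and the right answer is to reject it and log the scan rather than guess. The length gate runs before the regular expression so that an oversized payload cannot even reach the parser.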