This guest blog was contributed by Bob Baxley, CTO at Bastille Networks.
Billions of Internet of Things (IoT) devices have made their way into our daily lives, changing how we work, live and play. But these low-cost, radio frequency (RF) devices contain vulnerabilities that attackers can leverage for nefarious purposes. “Remote by RF” attacks, once reserved for nation states and sophisticated hackers, can now be carried out by just about anyone with low-cost, off-the-shelf technology. These attacks can have potentially devastating consequences for businesses, ranging from installing ransomware and stealing proprietary information to causing system failures.
These are the latest IoT RF threats that affect billions of devices, users and organizations:
Zigbee Insecure Transport and Network Join – There are two separate attacks in this disclosure. The first is a Zigbee denial of service attack that causes the target device to be ignored by the hub when it attempts to send new packets. The second involves the compromise of the trust center key, allowing an attacker to decrypt messages, inject encrypted messages, disassociate devices, and have free rein over the network.
Zigbee Worms – This attack self-propagates wirelessly over Zigbee to all Zigbee devices in range, giving the attacker control over all of the devices. As Smart Cities grow, Zigbee Worms could have wide-ranging implications as attackers can brick devices, turn lights on and off in a coordinated attack, or create a 2.4GHz jamming network.
TV/Cable Box Remote RF4CE Force Pairing – This RF4CE vulnerability allows a hacker to brute-force pair an RF4CE peripheral such as a TV or cable box remote control. A new device can then join the RF4CE network as a trusted node and run trusted commands, giving an attacker a jumping-off point into the network. This means that everyday items like remote controls can be compromised and turned into listening devices, which can then access and exfiltrate data.
LoRaWAN Auditing Framework (LAF) – LoRa offers long-range RF with low-power characteristics. However, LoRa has a vulnerable application key that an attacker can compromise to obtain the network and session keys, allowing them to access encrypted traffic, insert their own traffic, and disassociate devices. This attack has the potential to affect hundreds of millions of devices, particularly those deployed in critical locations where access to encrypted traffic would be detrimental.
Telephones/Headsets, DECT Man in the Middle – Found in Mitel DECT devices, an encryption key vulnerability allows attackers to access conversations, enabling snooping and eavesdropping on audio calls. Additionally, there are open-source hacking tools built specifically for DECT devices; using their command-line tools, an attacker can find an active call, capture the call as a PCAP file, then convert the capture to a .wav file that they can listen to.
MouseJack, KeyJack, KeySniffer – These vulnerabilities affect billions of wireless mice and keyboards. Leveraging them, an attacker can record and inject keystrokes on both encrypted and unencrypted keyboards. This means that attackers can listen for passwords and inject keystrokes to gain remote access to a privileged system, giving them the equivalent of unfettered access to that privileged machine and to the networks and devices it is connected to. This attack can be carried out at a distance of 500 ft or more with the right antennas, or it can even be done remotely by radio.
With IoT devices in use throughout organizations, security teams have the unenviable task of trying to prevent these types of “Remote by RF” attacks. Paramount to their success, an organization must employ tools that offer visibility on IoT devices with 24x7 monitoring.
Security teams also need to have a clear understanding of what devices are on the premises and what infrastructure they are connected to. Unnecessary devices, components and interfaces should be removed.
Lastly, security teams must remain observant and up-to-date on patching vulnerable devices and components. Exercising these best practices can significantly reduce the risk of a “Remote by RF” attack.
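The three practices above (know what RF devices are on the premises, remove what is not needed, keep the rest patched) come down to reconciling what a wireless sensor actually hears against an authorized inventory. The script below is an added example, not code from the original post or from Bastille Networks; it assumes a sensor that reports a hardware address, decoded protocol, advertised firmware version and zone for each device, and every address, protocol label, location and version in it is constructed for illustration. It flags devices that were never inventoried, known addresses showing up with an unexpected protocol or in an unexpected zone, devices below the minimum firmware that carries the vendor's fix, and inventoried devices that were not heard at all.

```python
"""Reconcile RF devices seen by a wireless sensor against an authorized inventory.

Added example, not code from the original post or from Bastille Networks.
All addresses, protocol labels, locations and firmware versions are constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Observed:
    address: str    # hardware address reported by the sensor
    protocol: str   # protocol the sensor decoded
    firmware: str   # firmware version advertised by the device
    location: str   # sensor zone where the device was heard


@dataclass(frozen=True)
class Entry:
    protocol: str
    location: str
    min_firmware: str  # oldest firmware that includes the vendor's fix


@dataclass(frozen=True)
class Finding:
    address: str
    kind: str
    detail: str


def parse_version(text):
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def reconcile(observed, inventory):
    """Return one Finding per discrepancy between what was heard and what is authorized."""
    findings = []
    seen = set()
    for dev in observed:
        seen.add(dev.address)
        entry = inventory.get(dev.address)
        if entry is None:
            findings.append(Finding(dev.address, "unknown",
                                    f"{dev.protocol} device heard at {dev.location} is not in inventory"))
            continue
        if dev.protocol != entry.protocol:
            findings.append(Finding(dev.address, "protocol_mismatch",
                                    f"inventory says {entry.protocol}, sensor decoded {dev.protocol}"))
        if dev.location != entry.location:
            findings.append(Finding(dev.address, "relocated",
                                    f"expected at {entry.location}, heard at {dev.location}"))
        try:
            if parse_version(dev.firmware) < parse_version(entry.min_firmware):
                findings.append(Finding(dev.address, "unpatched",
                                        f"running {dev.firmware}, fix requires {entry.min_firmware}"))
        except ValueError:
            # A firmware string the sensor could not read is itself worth a ticket.
            findings.append(Finding(dev.address, "unparseable_firmware",
                                    f"could not parse firmware string {dev.firmware!r}"))
    # Inventoried devices that were not heard: moved, powered off, or the inventory is stale.
    for address, entry in inventory.items():
        if address not in seen:
            findings.append(Finding(address, "not_seen",
                                    f"{entry.protocol} device expected at {entry.location} was not heard"))
    return findings


def summarize(findings):
    """Count findings by kind, for a dashboard or a ticket summary."""
    return dict(Counter(f.kind for f in findings))


# Constructed authorized inventory (hypothetical addresses and versions).
INVENTORY = {
    "00:1A:22:00:00:01": Entry("zigbee", "floor-3", "2.1.0"),
    "00:1A:22:00:00:02": Entry("zigbee", "floor-3", "2.1.0"),
    "00:1A:22:00:00:03": Entry("dect", "floor-2", "5.0.3"),
    "00:1A:22:00:00:05": Entry("bluetooth", "floor-1", "3.0.0"),
    "00:1A:22:00:00:06": Entry("lora", "roof", "1.0.4"),
}

# Constructed sensor observations from one sweep.
OBSERVED = [
    Observed("00:1A:22:00:00:01", "zigbee", "2.1.0", "floor-3"),      # authorized and patched
    Observed("00:1A:22:00:00:02", "zigbee", "1.9.4", "floor-3"),      # authorized but below fix version
    Observed("00:1A:22:00:00:03", "dect", "5.0.3", "lobby"),          # authorized but moved
    Observed("00:1A:22:00:00:04", "rf4ce", "1.0.0", "conference-a"),  # never inventoried
    Observed("00:1A:22:00:00:05", "2.4ghz-hid", "3.0.0", "floor-1"),  # known address, unexpected protocol
]

if __name__ == "__main__":
    for finding in reconcile(OBSERVED, INVENTORY):
        print(f"{finding.kind:18} {finding.address}  {finding.detail}")
    print(summarize(reconcile(OBSERVED, INVENTORY)))
```

Versions are compared as integer tuples rather than strings so that "1.10.0" correctly sorts after "1.9.4"; a real deployment would key the minimum firmware on vendor and model rather than on the individual address, and would run the sweep on a schedule so that a new "unknown" or "protocol_mismatch" finding becomes an alert rather than a report line.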