CCDC 2012 Wireless Data Exfiltration - Building and Using Low Cost Signal Intelligence Tools

Mid-Atlantic CCDC 2012 presentation at John Hopkins Applied Physics Laboratory: Wireless Data Exfiltration - Air Intercepted Messaging & Electronic Espionage

Presentation Transcript

  • Brad
  • Who am I? Brad - Just a Guy that Likes to Play with Technology!
  • Disclaimer
    - Everything I say is my personal opinion and not those of my employer!
    - Education and Entertainment purposes only!
    - The goal is to make you think!
    - Some equipment or functionality may be considered “Dual-use munitions” and controlled under ITAR 121.1. Be sure to follow appropriate laws!
    - All examples were taken with permission!
    - Above all do no harm!
  • Agenda
    - The adoption of security in Health Care
    - Hospitals – A target rich environment
    - Low cost tools for Assessments & Data Exfiltration
      - Equipment
      - Testing / Methodology
      - Analysis
    - Apply the hacker mindset
    - What the future holds
    - Q&A
  • Adoption of Security in Health Care
    - Health Care is big business: $2.6 Trillion in 2010
      - Ten times what was spent in 1980 - $256 Billion
    - Heavily driven by legislation and regulatory requirements
      - HIPAA / PSQIA / PHI / etc.
    - Health Care is complex
    - Health Care technology has grown complex
    - Health Care is a highly competitive industry
    - Health Care Technology Dichotomy
      - Race to adopt and offer new medical technology
      - Slow to adopt new information systems technology
    - Rapid immersion in wireless technology
    - Large variety of legacy and new wireless technologies used
    - Significant challenges for Info Sec professionals
  • Hospitals – Target Rich Environment
    - Let’s take a closer look at wireless
    - 802.11(x) is not the only show in town
    - We have become blinded by all the background noise
    - Lots of other RF attack vectors & data to pursue
      - Legacy Technology (POCSAG, Flex, Mobi, etc.)
      - Current Technology (Zigbee (xbee), RF link, etc.)
      - Emerging Technology (Corporate grade MASINT)
    - Hospital environments are unique in many ways
      - How they use these technologies
      - How they can be tested and exploited
    - We can build some low cost effective tools for testing!
  • A Revisit to Old School Hacking
    - Post Office Code Standardization Advisory Group (POCSAG)
      - Born from British Telecom
      - Predecessor of Super POCSAG, Flex, Mobi and several others
      - Designed for low speed transmission of data
      - Morphed over the years as popularity grew
    - How the technology works
      - 32-bit blocks of data transmitted
      - Simple Frequency Modulation (FM) using Frequency Shift Keying (FSK)
      - +/- 4.5 kHz on the carrier frequencies
      - Gives about 512 bits per second (64 characters)
      - Slow by any standard but effective for transmission of plain text
      - Transmitted on both VHF & UHF (152 MHz – 158 MHz & 420 MHz – 540 MHz)
      - Most commonly in the 900 MHz range for consumer services
      - Flex / Mobi work in a similar fashion though at much higher data speeds
      - Flex / Mobi use FM 4-level modulation on the carrier signal
      - Easily intercepted and modified
  • A Revisit to Old School Hacking, continued…
    - Medical facilities and hospitals heavily rely on this technology*
    - How it’s being used…
      - Time sensitive data sharing between doctors and nurses
      - Acts as a form of middleware between doctors and nurses
      - Personnel communication within a facility
      - Room status, equipment readiness, etc.
      - Notification of success / failure for tasks
      - System alerts (disk space, disk failure, CPU utilization)
      - Some medical data / patient information / patient movement
      - Patient treatments (YIKES!)
      - Patient status (prescriptions, diagnosis, events, etc.)
      - Patient info (address, contacts, age, insurance carrier, etc.)*
  • A Revisit to Old School Hacking, continued…
    - How is this data intercepted?
      - POCSAG / Flex offer no real security
      - No encryption
      - Data is only obfuscated via FSK modulation
      - Most transmissions are easily intercepted via demodulation
      - Most organizations do little to “encode” their transmissions
      - ECPA – 18 USC 2510 (prohibits interception of radio messaging)
    - How to intercept (pentester’s tool kit)
      - It is illegal to intercept messages from national carriers!!!
      - Simple signal receiver (one with a line out or discriminator tap preferred)
      - Hardware or software “data slicer” (kits, l0pht, google is your friend)
      - Decoding software – PDW (most popular and free)
      - Frequency range (easily obtained: scanning, signal metering, RDF, etc.)
      - Signal capture tuning – equal parts luck, tuning & skill
      - A good directional antenna makes tuning & capture easier for closed systems
  • Revisit to Old School Hacking
    - This is the tip of the iceberg!
    - Many examples of sensitive information being transmitted
      - SSN numbers
      - Patient policy information
      - Home addresses
      - General inappropriate conversations (doctors, nurses, patients?)
    - Not all organizations are transmitting sensitive information
    - Some organizations protect their material better than others
    - A general lack of understanding of the risks!
    - Often overlooked by Information Security
  • Zigbee Radio Devices
    - The coolest badge you are ever likely to receive!
  • Zigbee Radio Packet Interception
    - 802.15.4 multi-channel packet capturing (cheap!)
    - IEEE 802.15.4 is an attacker rich (still) emerging tech…
    - What is Zigbee (quick primer)
      - Ratified in 2003-2004
      - WPAN digital radios
      - Low power (60-100 mW)
      - Low cost & short range*
      - DSSS modulation (Spread Spectrum)
      - 250 kbps (on the high end)
      - 2.4 GHz ISM, 868 MHz Europe, 915 MHz USA
      - 16 channels
      - Typically Star or Mesh topology
      - Built-in security
    - * Intelligent transmitter – lowers output power
  • Zigbee (xbee) 802.15.4 Wireless
    - How is it used in Health Care (Telemedicine)?
    - Continua Health Alliance – Seems to be steering the ship
      - A standard for Zigbee - ISO/IEEE 11073 Health Device Communication
    - Typical system is made up of low power sensors communicating back to collection devices (“Gateway / Access device”)
    - Most devices rely on pre-shared keys generated and distributed by a trusted server
    - Wide range of uses
      - Safety sensors, wrist transmitters, fall (movement) detectors
      - Medical equipment tracking (portable medical devices)
      - Patient sensor data (BP, ECG, pulse, oximeter, thermometer, etc.)
      - Building automation (lighting, alarms, intelligent appliances)
      - New uses are being adopted every day
    - LOTS of potential attacks possible
    - Not all devices are encrypted
  • Zigbee Packet Interception
    - CCDC Badge is an awesome platform to build on!
    - Provides a robust platform for testing, capturing and analyzing 802.15.4
    - Our badge has some advantages
      - Covertly capture 802.15.4 packets without the use of a computer
      - Easily concealable / practically disposable
      - Long capture times using simple batteries
      - Scans through channels and captures (11 – 26)
      - Data is captured to microSD card for later analysis
      - Self contained
      - Ease of code changes / open protocol stack
  • Zigbee Pentester’s Edition
  • Zigbee (xbee) 802.15.4 Wireless
    - Surprising amount of unencrypted 802.15.4 frames around!
    - Lots of interesting information can be captured
    - Currently there is no IDS for Zigbee*
    - Susceptible to replay attacks
    - Easy to DoS communication between sensors and receivers
      - (Headlines… “Anonymous stops doctors from receiving patient data, patient croaks!” … Story at 11…)
    - General lack of understanding of the risks associated with the technology
    - More security research is needed!
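As an added example (not from the talk or the badge firmware), a small Python audit over captured 802.15.4 frames that flags data frames sent with the Security Enabled bit clear, the unencrypted traffic the slide describes. It parses only the MAC header, assumes the FCS has already been stripped, and the sample frames are constructed.

```python
import struct

# Frame types encoded in bits 0-2 of the 802.15.4 frame control field (FCF).
FRAME_TYPES = {0: "beacon", 1: "data", 2: "ack", 3: "command"}
ADDR_LEN = {0: 0, 2: 2, 3: 8}  # addressing mode -> address length (bytes)

def parse_mac_header(frame: bytes) -> dict:
    """Parse the MAC header of one raw 802.15.4 frame (FCS already stripped)."""
    fcf, seq = struct.unpack_from("<HB", frame, 0)
    hdr = {
        "type": FRAME_TYPES[fcf & 0x7],
        "secured": bool(fcf & 0x0008),       # bit 3: Security Enabled
        "pan_compress": bool(fcf & 0x0040),  # bit 6: PAN ID compression
        "seq": seq,
    }
    dst_mode, src_mode = (fcf >> 10) & 0x3, (fcf >> 14) & 0x3
    off = 3
    if dst_mode:
        hdr["dst_pan"] = struct.unpack_from("<H", frame, off)[0]
        off += 2
        hdr["dst"] = frame[off:off + ADDR_LEN[dst_mode]][::-1].hex()
        off += ADDR_LEN[dst_mode]
    if src_mode:
        if not hdr["pan_compress"]:
            hdr["src_pan"] = struct.unpack_from("<H", frame, off)[0]
            off += 2
        hdr["src"] = frame[off:off + ADDR_LEN[src_mode]][::-1].hex()
        off += ADDR_LEN[src_mode]
    if off > len(frame):
        raise ValueError("truncated frame")
    hdr["payload_len"] = len(frame) - off  # includes aux security header if secured
    return hdr

def audit_capture(frames):
    """Return (index, src, seq, payload_len) for each data frame with Security Enabled clear."""
    findings = []
    for i, raw in enumerate(frames):
        hdr = parse_mac_header(raw)
        if hdr["type"] == "data" and not hdr["secured"]:
            findings.append((i, hdr.get("src"), hdr["seq"], hdr["payload_len"]))
    return findings

# Constructed sample capture (not real badge data): an unsecured data frame,
# a secured data frame, a beacon and an ACK, all using short 16-bit addresses.
SAMPLE_FRAMES = [
    bytes.fromhex("6188 2a 3412 0100 0200 010203"),
    bytes.fromhex("6988 2b 3412 0100 0200 aabbccdd"),
    bytes.fromhex("0080 01 3412 0000 ff0f0000"),
    bytes.fromhex("0200 2a"),
]
```

Running `audit_capture(SAMPLE_FRAMES)` reports only the first frame; a real capture from the badge's microSD card would be fed in as a list of raw frames.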
  • MASINT – Measurement and Signature Intelligence
    - Building the assessment and attack tools of tomorrow
  • Emerging Technologies - MASINT
    - What is MASINT? Measurement & Signature Intelligence
    - Collection of unintended emissions or byproducts of devices
    - All devices generate unique undesirable transmission artifacts
    - Hospitals use/have lots of unintended emissions!
    - Quick history lesson on MASINT
      - Discrete intelligence gathering process
      - DoD - Officially adopted as an Intelligence discipline in the 80s
      - Often aggregated with other information sources (ELINT, SIGINT, HUMINT, etc.)
      - Lots of different types of MASINT
        - Electro / Electronic / Nuclear / Explosives
        - Geospatial / Materials / Electromagnetic fields*
  • MASINT – For Assessing Security of Devices
    - MASINT is rapidly growing in the Corporate Info. Sec. space
    - How does this pertain to Health Care devices?
    - MASINT provides Info. Sec. professionals a platform for:
      - Assessing risks
      - Reverse Engineering
      - Threat modeling
      - Troubleshooting
      - Competitive intelligence
      - Detection of malicious activity
    - Health Care’s adoption of wireless devices is helping drive MASINT in the Corporate environment.
    - How about an example…..
  • MASINT – Work in Progress: Collect – Assess – Attack
    - Implanted Cardioverter High Energy Defibrillator
    - What all the cool kids are getting for Christmas!!!
    - Guess what! It’s completely controlled wirelessly!
    - 802.15.1 (Bluetooth) & 802.15.4 (Zigbee) models
  • With a focus on Hospitals - What does it do?
    - Provides a framework / roadmap for wireless security testing
    - Analyze wireless devices when physical access is not an option
    - Assess functionality / capabilities
    - Identify Signals of Interest (SOI) - origin and strength
    - Gather actionable intelligence
    - How does this work?
  • MASINT - Why Should You Care?
    - Uniquely identify equipment by its RF artifacts
    - MASINT is becoming integrated into Info Sec programs
    - MASINT components are being added to pen testing capabilities
    - Track people by the electronic devices they carry
    - Develop Technical Surveillance & Counter Measures capabilities
    - Identify spurious transmissions / jamming
    - Cost and complexity of MASINT technology is decreasing
  • RF MASINT – Let’s Build It!
    - [Block diagram: Spectrum Analyzer (SDR); Receiver & Antenna System; Signal Collection & Search; Signature Analysis, Generation & Tracking; Analysis & Intel]
  • Let’s build it!!! – Equipment
    - Spectrum Analyzers – lots of choices but… not a good fit!
      - Generally very expensive! ($10K-$60K)
      - Typically not designed to provide MASINT or TSCM functionality
      - Limited frequency range
      - Difficult to get data out of in raw form
      - Restrictive antenna capabilities
    - Some hacker friendly models exist (SpecTran, Anritsu, Tektronix, etc.)
    - Device of choice – Signal Hound (USB-SA44B)
      - Software defined / USB connected / easily interfaced
      - Decoding capabilities (FM, WFM, NFM, CW, SSB, Video, FSK, ASK, etc.)
      - API available / scripting friendly
      - Low cost: $300 - $400 used
      - 1 Hz to 4.4 GHz / fast sweep times*
      - Good sensitivity / built-in preamp / attenuators*
      - Calibration capabilities
  • Let’s build it!!! – Spectral collection
    - Premise – low power RF equipment can be uniquely identified
    - Signature structure
      - Signature taken at a set frequency (446 MHz, 220 MHz, 146 MHz, 900 MHz)
      - RF signature recorded over 3 secs with a span of 10 kHz
      - Unique signature created using amplitude (max & min) per Hz
      - Approx. distance 10 ft – no faraday enclosure used
    - Sample signature: Motorola XTS3000 model 3

      Frequency (MHz)   Amplitude Min (mW)   Amplitude Max (mW)
      445.994986        1.51E-09             1.51E-09
      445.995015        1.53E-09             1.53E-09
      445.995045        1.17E-09             1.17E-09
      445.995075        7.27E-10             7.27E-10
      445.995104        4.87E-10             4.87E-10
      445.995134        1.91E-10             1.91E-10
      445.995164        1.66E-10             1.66E-10
      445.995193        2.63E-10             2.63E-10
      445.995223        4.61E-10             4.61E-10
      445.995253        5.80E-10             5.80E-10
      445.995282        3.29E-10             3.29E-10
      445.995312        1.12E-10             1.12E-10
      445.995342        6.12E-10             6.12E-10
  • Let’s build it!!! – SOI Signature Collection
    - Finding unique RF characteristics
      - All electronic devices will generate unique “artifacts” in the near-field
      - Filtering ambient noise with 10 dB attenuation
      - Measuring mW at the SRD antennas; attenuation to reduce ANF
      - Collecting Amplitude Signal of Interest (SOI) max/mins
      - RF span 10 kHz
      - 3+ sec measurement
    - Unique artifacts / (POIs)
      - 340 Points of Interest
      - 0.e-14 sensitivity
      - .CSV file output
      - User defined Max Amplitude Ambient Noise Floor (ANF)
  • Let’s build it!!! – SOI Signature Creation
    - Signature creation scripts – Python & .NET
      - Signature Generator & Signature Compare
  • Let’s build it!!! – SOI Signature Compare
    - Signature comparing
      - No two signatures will come back 100% the same
      - Script provides a configurable tolerance
      - Tolerance does not sway results significantly because of the ranges
      - Negative hits increase as you move away from center
  • Let’s build it!!! – Signature Compare, continued…
  • MASINT – Wrap up
    - MASINT is becoming more widely adopted in corporate and industrial environments
    - It is possible to build a high functioning MASINT implementation using low cost equipment
    - MASINT capabilities offer many advantages for Information Security in testing and assessing wireless technologies.
    - MASINT and TSCM capabilities can be obtained and incorporated into an organization’s information security practice.
  • To Summarize…..
    - Health Care is big business and has many unique challenges when it comes to Information Security!
    - Sensitive data can often be accessed in ways that have not been fully considered or understood – Security assessments are very important!
    - It’s just as important to reassess legacy technologies – Risk can change over time and as a business/industry matures!
    - The rate and adoption of new technologies is escalating faster than Security Professionals can keep up! Business leaders beware!
  • THANK YOU!!!
    - Contact information: Brad Bowers