CCDC 2012: Wireless Data Exfiltration - building and using low cost signal intelligence tools
Who am I? Brad - Just a Guy that Likes to Play with Technology!
Disclaimer
- Everything I say is my personal opinion and not those of my employer!
- Education and Entertainment purposes only!
- All examples were taken with permission!
- The goal is to make you think! Above all do no harm!
- Some equipment or functionality may be considered “Dual-use munitions” and controlled under ITAR 121.1. Be sure to follow appropriate laws!
Agenda
- The adoption of security in Health Care
- Hospitals: a target rich environment
- Low cost tools for assessments & data exfiltration
- Equipment testing / methodology analysis
- Apply the hacker mindset
- What the future holds
- Q&A
Adoption of Security in Health Care
- Health Care is big business
  - $2.6 Trillion in 2010
  - Ten times what was spent in 1980 ($256 Billion)
  - Heavily driven by legislation and regulatory requirements (HIPAA / PSQIA / PHI / etc.)
- Health Care is complex
  - Health Care technology has grown complex
  - Health Care is a highly competitive industry
- Health Care technology dichotomy
  - Race to adopt and offer new medical technology
  - Slow to adopt new information systems technology
  - Rapid immersion in wireless technology
  - Large variety of legacy and new wireless technologies used
  - Significant challenges for Info Sec professionals
Hospitals: Target Rich Environment
- Let’s take a closer look at wireless
  - 802.11(x) is not the only show in town
  - We have become blinded by all the background noise
  - Lots of other RF attack vectors & data to pursue
    - Legacy technology (POCSAG, Flex, Mobi, etc.)
    - Current technology (Zigbee (xbee), RF link, etc.)
    - Emerging technology (corporate grade MASINT)
- Hospital environments are unique in many ways
  - How they use these technologies
  - How they can be tested and exploited
- We can build some low cost effective tools for testing!
A revisit to Old School Hacking
- Post Office Code Standardization Advisory Group (POCSAG)
  - Born from British Telecom
  - Predecessor of Super POCSAG, Flex, Mobi and several others
  - Designed for low speed transmission of data
  - Morphed over the years as popularity grew
- How the technology works
  - 32-bit blocks of data transmitted
  - Simple Frequency Modulation (FM) using Frequency Shift Keying (FSK), +/- 4.5 kHz on the carrier frequency
  - Gives about 512 bits per second (64 characters)
  - Slow by any standard but effective for transmission of plain text
  - Transmitted on both VHF & UHF (152 MHz to 158 MHz & 420 MHz to 540 MHz)
  - Most commonly in the 900 MHz range for consumer services
  - Flex / Mobi work in a similar fashion though at much higher data speeds
  - Flex / Mobi use a 4-level FM modulation on the carrier signal
  - Easily intercepted and modified
A revisit to Old School Hacking (continued)
- Medical facilities and hospitals rely heavily on this technology*
- How it’s being used
  - Time sensitive data sharing between doctors and nurses
  - Acts as a form of middleware between doctors and nurses
  - Personnel communication within a facility
  - Room status, equipment readiness, etc.
  - Notification of success / failure for tasks
  - System alerts (disk space, disk failure, CPU utilization)
  - Some medical data / patient information / patient movement
    - Patient treatments (YIKES!)
    - Patient status (prescriptions, diagnosis, events, etc.)
    - Patient info (address, contacts, age, insurance carrier, etc.)*
A revisit to Old School Hacking (continued)
- How is this data intercepted?
  - POCSAG / Flex offer no real security
  - No encryption: data is only obfuscated via FSK modulation
  - Most transmissions are easily intercepted via demodulation
  - Most organizations do little to “encode” their transmissions
  - ECPA, 18 U.S.C. 2510 (prohibits interception of radio messaging)
- How to intercept (pentester’s tool kit)
  - It is illegal to intercept messages from national carriers!!!
  - Simple signal receiver (one with a line out or discriminator tap preferred)
  - Hardware or software “data slicer” (kits, l0pht, google is your friend)
  - Decoding software: PDW (most popular and free)
  - Frequency range (easily obtained: scanning, signal metering, RDF, etc.)
  - Signal capture and tuning: equal parts luck, tuning & skill
  - A good directional antenna makes tuning & capture easier for closed systems
Revisit to Old School Hacking
- This is the tip of the iceberg!
- Many examples of sensitive information being transmitted
  - SSN numbers
  - Patient policy information
  - Home addresses
  - General inappropriate conversations (doctors, nurses, patients?)
- Not all organizations are transmitting sensitive information
  - Some organizations protect their material better than others
- A general lack of understanding of the risks!
- Often overlooked by Information Security
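The slides above argue that the real problem is what an organization puts on its own paging channel, not the radio itself. As an added example (not code from the talk), here is a small audit script an information security team could run over its own decoded pager traffic to find the categories of sensitive data listed above. The message lines, the address numbers and the patient details are all constructed for the demonstration; the line format (timestamp, pager address, message text) and the regular expressions are assumptions, and a real deployment would tune them to the facility's message templates.

```python
import re
from collections import Counter

# Constructed sample of decoded pager messages (NOT real captures). Each line
# mimics "timestamp address message" as a decoder log might record it.
SAMPLE_MESSAGES = [
    "2012-04-14 08:02:11 1234567 Room 412 ready for next patient",
    "2012-04-14 08:03:40 2233445 Disk /var full on PACS01, please check",
    "2012-04-14 08:05:02 3344556 Pt J. Doe SSN 123-45-6789 policy BCBS 998877 admitted",
    "2012-04-14 08:06:30 4455667 Pt Smith 12 Main St Springfield call 555-0100 re: diagnosis",
    "2012-04-14 08:07:15 5566778 Code blue ICU bed 3",
]

# Assumed detection patterns for the categories named on the slide. They are
# deliberately simple; tune them to the wording your own facility uses.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "insurance_policy": re.compile(r"\bpolicy\b\s*\w*\s*\d{5,}", re.IGNORECASE),
    "street_address": re.compile(
        r"\b\d{1,5}\s+\w+(?:\s+\w+)?\s+(?:St|Ave|Rd|Blvd|Dr)\b", re.IGNORECASE),
    "clinical_term": re.compile(
        r"\b(diagnosis|prescription|admitted|treatment)\b", re.IGNORECASE),
}


def classify_message(text):
    """Return the set of sensitive-data categories detected in one decoded message."""
    return {name for name, rx in PATTERNS.items() if rx.search(text)}


def audit(messages):
    """Audit a list of decoded messages.

    Returns (flagged, counts): `flagged` is a list of (message, categories) for
    messages that matched at least one pattern, `counts` a Counter of category hits.
    """
    flagged = []
    counts = Counter()
    for msg in messages:
        categories = classify_message(msg)
        if categories:
            flagged.append((msg, categories))
            counts.update(categories)
    return flagged, counts


if __name__ == "__main__":
    flagged, counts = audit(SAMPLE_MESSAGES)
    for msg, categories in flagged:
        print(f"{sorted(categories)}: {msg}")
    print("totals:", dict(counts))
```

On the constructed sample, two of the five messages are flagged (the admission notice and the address/diagnosis page) while operational traffic such as room status, system alerts and code calls passes clean. The point of the exercise is the ratio: a facility that sees patient identifiers in its own traffic has a content problem that no receiver-side control will fix.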
Zigbee Radio Devices: the coolest badge you are ever likely to receive!
Zigbee Radio Packet Interception
- 802.15.4 multi-channel packet capturing (cheap!)
- IEEE 802.15.4 is an attacker rich (still) emerging tech…
- What is Zigbee? (quick primer)
  - Ratified in 2003-2004
  - WPAN digital radios
  - Low power (60-100 mW)
  - Low cost & short range*
  - DSSS modulation (Spread Spectrum)
  - 250 kbps (on the high end)
  - 2.4 GHz ISM, 868 MHz Europe, 915 MHz USA
  - 16 channels
  - Typically star or mesh topology
  - Built-in security*
  - Intelligent transmitter lowers output power
Zigbee (xbee) 802.15.4 Wireless
- How is it used in Health Care (telemedicine)?
  - Continua Health Alliance seems to be steering the ship
  - A standard for Zigbee: ISO/IEEE 11073 Health Device Communication
  - Typical system is made up of low power sensors communicating back to collection devices (“gateway / access device”)
  - Most devices rely on pre-shared keys generated and distributed by a trusted server
- Wide range of uses
  - Safety sensors, wrist transmitters, fall (movement) detectors
  - Medical equipment tracking (portable medical devices)
  - Patient sensor data (BP, ECG, pulse, oximeter, thermometer, etc.)
  - Building automation (lighting, alarms, intelligent appliances)
- New users are being adopted every day
- LOTS of potential attacks possible
- Not all devices are encrypted
Zigbee Packet Interception
- CCDC Badge is an awesome platform to build on!
- Provides a robust platform for testing, capturing and analyzing 802.15.4
- Our badge has some advantages
  - Covertly capture 802.15.4 packets without the use of a computer
  - Easily concealable / practically disposable
  - Long capture times using simple batteries
  - Scans through channels and captures (11 - 26)
  - Data is captured to a microSD card for later analysis
  - Self contained
  - Ease of code changes / open protocol stack
Zigbee (xbee) 802.15.4 Wireless
- Surprising amount of unencrypted 802.15.4 frames around!
- Lots of interesting information can be captured
- Currently there is no IDS for Zigbee*
- Susceptible to replay attacks
- Easy to DoS communication between sensors and receivers (Headlines… Anonymous stops doctors from receiving patient data, patient croaks! … Story at 11…)
- General lack of understanding of the risks associated with the technology
- More security research is needed!
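Two of the points above (unencrypted frames in the air, and no IDS to notice a replay) can be checked with a few lines of offline analysis over a capture such as the one the badge writes to its microSD card. The following is an added example, not the badge firmware or any code from the talk: it parses the 802.15.4 MAC frame control field to see whether the Security Enabled bit is set, and flags any data frame that repeats an earlier frame's source, sequence number and payload byte for byte. The three sample frames are constructed for the demonstration (addresses, PAN ID and payloads are made up, and the FCS is assumed to have been stripped already); the parser handles only the common case of 16-bit short addressing with PAN ID compression, and it treats everything after the addressing fields as payload, so a real secured frame's auxiliary security header is not separated out here.

```python
import struct
from dataclasses import dataclass

# Frame types encoded in bits 0-2 of the 802.15.4 frame control field (FCF).
FRAME_TYPES = {0: "beacon", 1: "data", 2: "ack", 3: "command"}


@dataclass
class Frame:
    frame_type: str
    security_enabled: bool
    seq: int
    pan_id: int
    dst: int
    src: int
    payload: bytes


def parse_frame(raw):
    """Parse a MAC frame that uses short addressing with PAN ID compression.

    Layout handled (all little-endian): FCF(2) seq(1) PAN(2) dst(2) src(2) payload.
    Any other addressing mode raises ValueError; the FCS is assumed already removed.
    """
    fcf, seq = struct.unpack_from("<HB", raw, 0)
    frame_type = FRAME_TYPES.get(fcf & 0x7, "reserved")
    security_enabled = bool(fcf & 0x0008)   # bit 3: Security Enabled
    pan_compression = bool(fcf & 0x0040)    # bit 6: one PAN ID covers both addresses
    dst_mode = (fcf >> 10) & 0x3            # 2 = 16-bit short address
    src_mode = (fcf >> 14) & 0x3
    if not (pan_compression and dst_mode == 2 and src_mode == 2):
        raise ValueError("example handles only short src/dst addressing with PAN ID compression")
    pan_id, dst, src = struct.unpack_from("<HHH", raw, 3)
    return Frame(frame_type, security_enabled, seq, pan_id, dst, src, bytes(raw[9:]))


def inspect_capture(frames):
    """Flag data frames sent without MAC security and exact repeats of earlier data frames.

    Returns a list of (frame_index, finding) tuples.
    """
    findings = []
    seen = set()
    for i, raw in enumerate(frames):
        f = parse_frame(raw)
        if f.frame_type != "data":
            continue
        if not f.security_enabled:
            findings.append((i, f"unsecured data frame 0x{f.src:04x} -> 0x{f.dst:04x} on PAN 0x{f.pan_id:04x}"))
        key = (f.src, f.seq, f.payload)
        if key in seen:
            findings.append((i, f"possible replay: src 0x{f.src:04x} seq {f.seq} repeated with identical payload"))
        seen.add(key)
    return findings


def build_frame(fcf, seq, pan_id, dst, src, payload):
    """Construct a sample frame for the demonstration (no FCS appended)."""
    return struct.pack("<HBHHH", fcf, seq, pan_id, dst, src) + payload


# Constructed sample capture, not real traffic. FCF 0x8841 = data frame, short
# addressing, PAN ID compression; 0x8849 = the same with Security Enabled set.
FCF_DATA_PLAIN = 0x8841
FCF_DATA_SECURED = 0x8849
SAMPLE_CAPTURE = [
    build_frame(FCF_DATA_PLAIN, 0x10, 0x1234, 0x0000, 0x5A01, b"BP:120/80 HR:72"),
    build_frame(FCF_DATA_SECURED, 0x11, 0x1234, 0x0000, 0x5A02, bytes(range(16))),
    build_frame(FCF_DATA_PLAIN, 0x10, 0x1234, 0x0000, 0x5A01, b"BP:120/80 HR:72"),
]

if __name__ == "__main__":
    for idx, finding in inspect_capture(SAMPLE_CAPTURE):
        print(f"frame {idx}: {finding}")
```

The sample yields three findings: frame 0 carries a readable sensor value with the security bit clear, and frame 2 is both unsecured and a byte-for-byte repeat of frame 0, which is exactly the pattern a replay against a sensor-to-gateway link would leave in a capture. A production check would also track sequence numbers per source over time and would parse the auxiliary security header and frame counter rather than stopping at the flag bit.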
MASINT (Measurement and Signature Intelligence): building the assessment and attack tools of tomorrow
Emerging Technologies: MASINT
- What is MASINT? Measurement & Signature Intelligence
  - Collection of unintended emissions or byproducts of devices
  - All devices generate unique undesirable transmission artifacts
  - Hospitals use/have lots of unintended emissions!
- Quick history lesson on MASINT
  - Discrete intelligence gathering process
  - DoD officially adopted it as an intelligence discipline in the 80s
  - Often aggregated with other information sources (ELINT, SIGINT, HUMINT, etc.)
- Lots of different types of MASINT
  - Electro / Electronic / Nuclear / Explosives
  - Geospatial / Materials / Electromagnetic fields*
MASINT for Assessing Security of Devices
- MASINT is rapidly growing in the corporate Info. Sec. space
- How does this pertain to Health Care devices?
- MASINT provides Info. Sec. professionals a platform for:
  - Assessing risks
  - Reverse engineering
  - Threat modeling
  - Troubleshooting
  - Competitive intelligence
  - Detection of malicious activity
- Health Care’s adoption of wireless devices is helping drive MASINT in the corporate environment.
- How about an example…
MASINT, work in progress: Collect, Assess, Attack
- Implanted Cardioverter High Energy Defibrillator
- What all the cool kids are getting for Christmas!!!
- Guess what! It’s completely controlled wirelessly!
- 802.15.1 (Bluetooth) & 802.15.4 (Zigbee) models
With a focus on Hospitals: what does it do?
- Provides a framework / roadmap for wireless security testing
- Analyze wireless devices when physical access is not an option
- Assess functionality / capabilities
- Identify Signals of Interest (SOI): origin and strength
- Gather actionable intelligence
- How does this work?
MASINT: why should you care?
- Uniquely identify equipment by its RF artifacts
- MASINT is becoming integrated into Info Sec programs
- MASINT components are being added to pen testing capabilities
- Track people by the electronic devices they carry
- Develop Technical Surveillance Counter Measures (TSCM) capabilities
- Identify spurious transmissions / jamming
- Cost and complexity for MASINT technology is decreasing
Let’s build it!!! Equipment
- Spectrum analyzers: lots of choices but… not a good fit!
  - Generally very expensive! ($10K-$60K)
  - Typically not designed to provide MASINT or TSCM functionality
  - Limited frequency range
  - Difficult to get data out of in raw form
  - Restrictive antenna capabilities
  - Some hacker friendly models exist (SpecTran, Anritsu, Tektronix, etc.)
- Device of choice: Signal Hound (USB-SA44B)
  - Software defined / USB connected / easily interfaced
  - Decoding capabilities (FM, WFM, NFM, CW, SSB, Video, FSK, ASK, etc.)
  - API available / scripting friendly
  - Low cost: $300 - $400 used
  - 1 Hz to 4.4 GHz / fast sweep times*
  - Good sensitivity / built-in preamp / attenuators*
  - Calibration capabilities
Let’s build it!!! Spectral collection
- Premise: low power RF equipment can be uniquely identified
- Signature structure
  - Signature taken at a set frequency (446 MHz, 220 MHz, 146 MHz, 900 MHz)
  - RF signature recorded over 3 secs with a span of 10 kHz
  - Unique signature created using amplitude (max & min) per Hz
  - Approx. distance 10 ft; no faraday enclosure used

Motorola XTS3000 model 3

  Frequency (MHz)   Amplitude Min (mW)   Amplitude Max (mW)
  445.994986        1.51E-09             1.51E-09
  445.995015        1.53E-09             1.53E-09
  445.995045        1.17E-09             1.17E-09
  445.995075        7.27E-10             7.27E-10
  445.995104        4.87E-10             4.87E-10
  445.995134        1.91E-10             1.91E-10
  445.995164        1.66E-10             1.66E-10
  445.995193        2.63E-10             2.63E-10
  445.995223        4.61E-10             4.61E-10
  445.995253        5.80E-10             5.80E-10
  445.995282        3.29E-10             3.29E-10
  445.995312        1.12E-10             1.12E-10
  445.995342        6.12E-10             6.12E-10
Let’s build it!!! SOI Signature Collection
- Finding unique RF characteristics
  - All electronic devices will generate unique “artifacts” in the near-field
  - Filtering ambient noise with 10 dB attenuation
  - Measuring mW at the SRD antennas
  - Attenuation to reduce the Ambient Noise Floor (ANF)
- Collecting amplitude of the Signal of Interest (SOI)
  - Max/mins over an RF span of 10 kHz, 3+ sec measurement
  - Unique artifacts / Points of Interest (POIs): 340 points of interest
  - 0.e-14 sensitivity
  - .CSV file output
  - User defined max amplitude
  - Ambient Noise Floor (ANF)
Let’s build it!!! SOI Signature Compare
- Signature comparing
  - No two signatures will come back 100% the same
  - Script provides a configurable tolerance
  - Tolerance does not sway results significantly because of the ranges
  - Negative hits increase as you move away from center
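The comparison step described above (a stored CSV signature, a new measurement, and a configurable tolerance that decides how many points count as hits) is easy to make concrete. The script below is an added example written for this page, not the author's comparison script: it loads a reference signature from CSV text, here built from the Motorola XTS3000 points in the table above, and scores a second measurement against it point by point. The second measurement, the 25% relative tolerance, the 80% hit ratio used to call a match, and the CSV column names are all constructed assumptions; the talk does not give its own threshold values.

```python
import csv
import io

# Constructed reference signature: the Motorola XTS3000 points from the table on
# the previous slide, copied into CSV form (frequency in MHz, amplitudes in mW).
REFERENCE_CSV = """frequency_mhz,amp_min_mw,amp_max_mw
445.994986,1.51E-09,1.51E-09
445.995015,1.53E-09,1.53E-09
445.995045,1.17E-09,1.17E-09
445.995075,7.27E-10,7.27E-10
445.995104,4.87E-10,4.87E-10
445.995134,1.91E-10,1.91E-10
445.995164,1.66E-10,1.66E-10
445.995193,2.63E-10,2.63E-10
445.995223,4.61E-10,4.61E-10
445.995253,5.80E-10,5.80E-10
445.995282,3.29E-10,3.29E-10
445.995312,1.12E-10,1.12E-10
445.995342,6.12E-10,6.12E-10
"""


def load_signature(csv_text):
    """Parse CSV text into {frequency_mhz: (amp_min_mw, amp_max_mw)}."""
    signature = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        freq = round(float(row["frequency_mhz"]), 6)   # key on the Hz-resolution bin
        signature[freq] = (float(row["amp_min_mw"]), float(row["amp_max_mw"]))
    return signature


def compare_signatures(reference, sample, tolerance=0.25):
    """Return (hits, misses).

    A point is a hit when the sample has the same frequency bin and both its min
    and max amplitude lie within +/- tolerance (relative) of the reference values.
    A bin missing from the sample counts as a miss.
    """
    hits = misses = 0
    for freq, (ref_min, ref_max) in reference.items():
        if freq not in sample:
            misses += 1
            continue
        smp_min, smp_max = sample[freq]
        within = (abs(smp_min - ref_min) <= tolerance * ref_min
                  and abs(smp_max - ref_max) <= tolerance * ref_max)
        if within:
            hits += 1
        else:
            misses += 1
    return hits, misses


def is_same_device(reference, sample, tolerance=0.25, min_hit_ratio=0.8):
    """Decide a match when at least min_hit_ratio of reference points are hits."""
    hits, misses = compare_signatures(reference, sample, tolerance)
    return hits / (hits + misses) >= min_hit_ratio


def build_sample(reference, scale, outlier_every=None, outlier_scale=3.0):
    """Construct a second measurement for the demo: every point scaled by `scale`,
    and (optionally) every Nth point scaled by `outlier_scale` instead."""
    sample = {}
    for i, (freq, (amin, amax)) in enumerate(reference.items()):
        s = outlier_scale if outlier_every and i % outlier_every == 0 else scale
        sample[freq] = (amin * s, amax * s)
    return sample


if __name__ == "__main__":
    ref = load_signature(REFERENCE_CSV)
    close = build_sample(ref, 1.1)                      # same radio, slightly different level
    drifted = build_sample(ref, 1.1, outlier_every=3)   # same level, but a third of the bins off
    print("close:  ", compare_signatures(ref, close), is_same_device(ref, close))
    print("drifted:", compare_signatures(ref, drifted), is_same_device(ref, drifted))
```

The comparison is keyed on frequency bin, so an absolute level change (the radio measured a little closer or further away) still scores 13 hits out of 13 at the constructed tolerance, while a measurement in which a third of the bins have moved scores 8 of 13 and is rejected. That is the behaviour the slide describes: the tolerance setting matters less than the pattern across the span.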
MASINT: wrap up
- MASINT is becoming more widely adopted in corporate and industrial environments
- It is possible to build a high functioning MASINT implementation using low cost equipment
- MASINT capabilities offer many advantages for Information Security when testing and assessing wireless technologies
- MASINT and TSCM capabilities can be obtained and incorporated into an organization’s information security practice
To Summarize…
- Health Care is big business and has many unique challenges when it comes to Information Security!
- Sensitive data can often be accessed in ways that have not been fully considered or understood; security assessments are very important!
- It’s just as important to reassess legacy technologies; risk can change over time and as a business/industry matures!
- The rate and adoption of new technologies is escalating faster than Security Professionals can keep up! Business leaders beware!
THANK YOU!!!
Contact information: Brad Bowers, Bbowers@digitalintercept.com