Chapter 1

Why Radio Profiling?

Information is everywhere, if you know where to look. When performing penetration tests, uncovering the correct information during the reconnaissance phase can often mean the difference between a successful test and failure. While many of us are familiar with the often used data gathering methods employed by penetration testers, radio traffic can provide a great deal of valuable information. This rarely used reconnaissance method, when used effectively, can provide a wealth of data. The information gathered by the methods described in this book is useful for both physical and logical penetration tests.

Note

This book assumes that you are familiar with the basic concepts of penetration testing. Physical penetration testing is the process of testing the physical security of an organization or facility, while logical penetration testing is the process of testing the network and computer security of an organization or facility. Often, physical and logical penetration tests are combined; for example, once a facility is penetrated, we will then use the physical access to plug into the network or physically access computing equipment.

In addition, as with any other methods used by penetration testers, understanding the methods that can be used by penetration testers and attackers is useful when securing networks and facilities. To protect against attackers, it is necessary to think like an attacker.

Not everything in this book will work in every situation, which is of course not unique to this method of reconnaissance. However, as the included case studies will show, when the methods in this book are used, the results can be immensely valuable.

The equipment necessary to perform what is described in this book doesn’t have to be expensive. While there are radios costing thousands of dollars, a basic receiver purchased second hand can provide much of the functionality that you will need. Once the basics are mastered, a determination can be made as to whether to invest in more expensive and more complex equipment. Where possible, multiple methods using varied equipment will be described, with a focus on practicality.

Penetration testers and attackers tend to spend a lot of time looking at 802.11 and other wireless networks, and occasionally will look for Bluetooth to see if there is any valuable traffic on devices such as keyboards. This is only the beginning when it comes to what is available on the radio spectrum. Figure 1.1 shows the radio spectrum (3 kHz–300 GHz) as it is divided up in the US and highlights the portions of spectrum used by 802.11 and Bluetooth. As you can see, these services use just a fraction of the entire radio spectrum. Figure 1.2 shows the radio spectrum, as well as the radios and wireless devices that most penetration testers miss.

Figure 1.1 The Portion of the Radio Spectrum Most Penetration Testers Look At

Figure 1.2 What Most Penetration Testers Miss (figure labels: Guard Radios, Wireless Headsets, Cordless Phones, Wireless Cameras, Building Control Systems)

The targets on the radio spectrum consist of those that have been around for decades, such as the two-way radios used by guards, and those that are just beginning to proliferate, such as wireless video cameras. Some of the target radio traffic has an obvious use for a security professional, such as Bluetooth keyboards: the ability to capture keystrokes is invaluable for clear reasons. Other traffic, however, may have less obvious advantages. Later chapters will cover the details of on- and off-site reconnaissance, and how to use the appropriate equipment. It is, however, important to first gain a basic understanding of the types of information available to an enterprising attacker.

If the target organization has a guard force, the guards' radio transmissions provide a wealth of intelligence. From the guards' names, to the times of shift changes, to internal jargon, there is much to glean. When launching a social engineering assessment or attack, knowing the guards' names adds credibility to the penetration tester or attacker. Listening in to guard traffic may also let the attacker know when the guards will not be at their posts, either because of scheduled rounds or unscheduled bathroom or smoke breaks. To take things further, in combination with a police scanner, an attacker can learn the response times to incidents. Knowing the time between the discovery of an incident and the alerting of the authorities, and then the authorities' response time, lets an attacker estimate how long they can be inside the facility without being caught.

Traffic from wireless cameras can provide much of the same information as traffic from guard force radios. Knowing where the guards are within the facility or grounds, and which areas are unoccupied, can mean the difference between success and failure during a physical penetration assessment. Additionally, being able to see the inside layout of a building before you step inside it can be invaluable when performing a physical penetration test. While far less likely to occur in the real world than in Hollywood, it may also be possible, depending on camera resolution and angles, to view cipher lock codes from the camera transmission.

In addition to profiling and reconnaissance, this book also offers valuable insight into counterintelligence. Understanding what information leaks unintentionally from your organization will help to ensure that confidential information remains confidential. The authors have been involved in situations where confidentiality was essential, and have discovered information in unlikely places. In one example, wireless microphones were discovered while sweeping a conference room for bugs. The conference room was to be used for a presentation about a potential corporate merger. Despite a large security budget and bug sweeping teams, had the wireless microphones been used during this high-level meeting, anyone within the vicinity would have been able to listen in on the entire presentation.

Before trying anything in this book, make sure that you understand the legal and ethical ramifications of your actions. There are certain things that are always illegal, such as interfering with radio transmissions, and there are many other things that are illegal in most circumstances. Be sure to seek legal counsel prior to getting in too deep. Of course, as security practitioners, it is often frustrating that we are bound by the law while attackers, by their very nature, are not. This means that it isn't possible to attempt everything an attacker would while staying within the law. Thus, it is essential to understand the illegal tools and techniques that attackers have at their disposal in order to understand how to defend against them.

Tip

It is extremely important that, when performing any type of penetration assessment, the scope and ground rules are agreed upon in writing prior to starting. Be sure to stick to the scope. While you may find additional items of interest while profiling, only assess those that are within scope. Consider getting a "get out of jail free" card or letter from the organization that you are assessing. If security or law enforcement catches you, the letter can be presented to explain that you are a security professional on a contracted engagement, and not a common criminal. Include the names, titles, and contact information of at least three people at the organization who know that you are performing an assessment. Also, be sure to let those individuals know to keep their phones nearby and to answer them no matter what the time.

Case Study

Perhaps the best way to understand the true value of radio reconnaissance is with a case study. While this case study is a fictionalized version of events, the authors have successfully used all the techniques described in the following paragraphs on actual engagements.

We knew we were lucky that the power company's fence was not electrified. Bad jokes aside, when attempting to enter a fenced power company facility, the tools that come to mind may be bolt cutters and carpet to throw over barbed wire, rendering it useless. In this case, we had those with us, but it turned out our radios would also prove valuable. The first thought when you hear "information security" is probably not a couple of guys dressed in black tactical gear in the woods, up to their ankles in cold mud. In today's global economy, the stakes are high, and competitors and criminals will often stop at nothing to gain the upper hand or to steal and sabotage information and equipment. As networks become hardened and information more protected, many attacks have moved to the physical realm. It is often cheaper for nefarious corporations or overseas criminals to send operatives to facilities and attempt to steal information than it is to hack through the network. The goal of a penetration test is to find vulnerabilities and help to mitigate them before attackers can take advantage. On this dark night, that put us in the woods.

The irony is that our target was an energy company, a fact not lost on us as we shivered in the cold. The main gate was guarded, so we followed the fence through the woods and waded through a cold creek. Our reward was discovering a break in the fence. The scraps of carpet we had in our bags remained there. It is an old trick, but a well-known one: placing a scrap of carpet over barbed wire makes scaling the fence a breeze. Twenty yards away, a small building stood alone in a field on the property. The door swung open with just a twist of the handle; it was not locked. Inside we found a few company shirts and a breaker panel. We left the panel alone, because we are the good guys, and didn't know what dangers we could cause by flipping off the main switch. We discovered later that it controlled all the parking lot and perimeter lights, which would be very useful for a malicious attacker. We moved toward the main facility unimpeded, and reached a locked door. The lock was one we knew well (not this particular lock, of course, but the make and model). It took us under a minute to pick it and gain access to the building. Breaching the perimeter and gaining access to the main facility was our proof of concept and ended this portion of the assessment. But while we were shivering outside, a second team was taking another avenue to compromise the company, and what they found once they were inside let us know what we could have done inside the building.

People are naturally trusting. And they usually want to help. The second team drove right up to the guard gate, and used a technique more effective than ramming the fence at full speed: conversation. The team told the guard that they were there to fix a network issue. The guard asked their names and what company they were with. We gave them our real names, and made up a company name. The guard diligently printed our names and made-up company on visitor badges, and was even kind enough to direct us to the building that housed the computer room. Exiting the car, the team then walked right through an unlocked door, up a few stairs, and found another unlocked door. Behind this door was what we had come for: the server room. All the equipment was neatly and carefully labeled by the company's IT staff. The backbone of the network. The life safety systems. The financial accounting systems. We added an administrative account to a few machines using a username and password that was on the bulletin board, pinned right next to a poster advertising the importance of maintaining confidentiality. While this case study may not seem to have much to do with radio, aside from the fact that the teams used radios to communicate, radio turned out to be the difference between success and failure on this penetration test. Before coming onsite, we found the frequency used by the company guard force by using a search engine and scouring radio hobbyist Web sites. While this may seem like a small detail, it allowed us to monitor the guard communications and slip offsite as soon as they realized something was amiss. Had we not been monitoring the communications, we would likely have been caught, and the penetration test would have been considered a failure by the client. Instead, we were able to add another successful breach to our history. In this book you'll learn the tools and techniques we used to discover the frequencies the guards used and to monitor them.