Penetration Testing mailing list archives
Re: Microwave/RF point to point link risk assessment
From: Joshua Wright <jwright () hasborg com>
Date: Tue, 10 Aug 2010 07:44:48 -0400
On 8/8/2010 9:30 AM, Info Sec wrote:
We are an information security consulting firm, currently doing a risk assessment for our client on various wireless technologies like WiMAX, CDMA, EVDO, VSAT, GPRS, point-to-point microwave and RF. We are looking for equipment/software tools useful for testing communication security over microwave, VSAT, and RF links.
I've done a lot of these types of assessments, and they are a little different each time. Often it is a challenge to produce a capable sniffer, especially if it is a proprietary PHY layer for which there is little documentation. Transmitters are even more challenging. The USRP2 and GNU Radio can often be helpful for analysis. Make sure to check out the FCC filing information for the target device as well (http://www.fcc.gov/oet/ea/fccid/). Also look into patent filings for the vendor; I've seen several vendors disclose a lot of sensitive information there that is useful for reproducing sniffers.

A few times I've been fortunate and the target device runs embedded Linux. In those cases, grab a firmware update and see if you can extract the filesystem to review the device configuration for possible vulnerabilities. Try to get console access to a duplicate device and re-purpose it as your attack interface. Failing that, a lot of these attacks come down to exploiting duplicate hardware, eavesdropping on the bus between the on-board microcontroller and the RF chip (unless it's a SoC, in which case you have to attack the SoC directly). If you can reverse-engineer the radio configuration, you can implement a BYOM (Bring Your Own Microcontroller) attack to control the radio for your nefarious purposes. The GoodFET (http://goodfet.sourceforge.net/) with its simple Python SPI interface is a great tool for this, though you could do it with an Arduino or other chip as well.

As a consultant, it's interesting to work in this space. A lot of companies don't realize the time that goes into exploiting a proprietary, undocumented wireless technology. An attacker could opportunistically exploit a given system (e.g. they figured out how to exploit the system on their own time and look for convenient targets), or a dedicated attacker may choose it as their "in" since proprietary wireless systems are generally not adequately monitored.

Sometimes we bid on work like this and lose out to a company that can do it in 2 days, but we know their 2 days of work is unlikely to really map out the customer's exposure adequately.

Best,
-Josh
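The firmware-review step Josh mentions (grab a firmware update, extract the filesystem, review the device configuration) starts with finding where the filesystem images sit inside the update blob. The following Python is an added example, not code from the original post: it scans a blob for the real magic values of SquashFS, cramfs, gzip and U-Boot uImage, and validates SquashFS v4 superblock fields so that a stray "hsqs" string inside other data is not reported as a filesystem. The sample image is constructed inline.

```python
"""Locate filesystem images inside a raw firmware update blob."""
import struct

# Real on-disk magic values of formats commonly found in embedded-Linux firmware.
SIGNATURES = [
    ("squashfs-le", b"hsqs"),
    ("squashfs-be", b"sqsh"),
    ("cramfs", b"\x45\x3d\xcd\x28"),  # 0x28cd3d45 stored little-endian
    ("gzip", b"\x1f\x8b\x08"),         # gzip with deflate method
    ("uimage", b"\x27\x05\x19\x56"),   # U-Boot legacy image header
]


def _plausible_squashfs(blob, off, bigendian):
    """Reject magic hits whose v4 superblock fields are inconsistent."""
    fmt = (">" if bigendian else "<") + "4sIIIIHHHHHH"
    if off + struct.calcsize(fmt) > len(blob):
        return False
    (_, _inodes, _mtime, block_size, _frags, compressor,
     block_log, _flags, _no_ids, major, _minor) = struct.unpack_from(fmt, blob, off)
    return (major == 4 and 1 <= compressor <= 6
            and 12 <= block_log <= 20 and block_size == 1 << block_log)


def find_filesystems(blob):
    """Return sorted [(offset, name)] for every plausible signature in blob."""
    hits = []
    for name, magic in SIGNATURES:
        off = blob.find(magic)
        while off >= 0:
            # A bare magic string is a weak signal; validate what we can.
            if not name.startswith("squashfs") or _plausible_squashfs(
                    blob, off, name.endswith("be")):
                hits.append((off, name))
            off = blob.find(magic, off + 1)
    return sorted(hits)


def constructed_sample():
    """Constructed image: uImage header, gzip'd kernel stub, decoy, SquashFS root."""
    superblock = struct.pack("<4sIIIIHHHHHH", b"hsqs", 120, 0, 1 << 17, 3, 1, 17, 0xC0, 1, 4, 0)
    decoy = b"hsqs" + b"\xff" * 30  # the magic inside junk data, not a filesystem
    return (b"\x27\x05\x19\x56" + b"\x00" * 60 + b"\x1f\x8b\x08" + b"\x00" * 100
            + decoy + b"\x00" * 40 + superblock + b"\x00" * 64)


if __name__ == "__main__":
    for off, name in find_filesystems(constructed_sample()):
        print(f"0x{off:08x}  {name}")
```

Once an offset is known, the image can be carved out (e.g. with `dd`) and unpacked with the format's own tools for configuration review.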