Penetration Testing mailing list archives

Re: Microwave/RF point to point link risk assessment


From: Joshua Wright <jwright () hasborg com>
Date: Tue, 10 Aug 2010 07:44:48 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 8/8/2010 9:30 AM, Info Sec wrote:
> We are an Information Security consulting firm, currently doing
> Risk assessment for our client on various wireless technologies
> like WiMAX, CDMA, EVDO, VSAT, GPRS, point to point Microwave and
> RF. We are looking for equipment/software tool useful for
> testing communication security over Microwave, VSAT, and RF
> links.

I've done a lot of these types of assessments, and they are a little
different each time.  Often it is a challenge to produce a capable
sniffer, especially if it is a proprietary PHY layer for which there is
little documentation.  Transmitters are even more challenging.

The USRP2 and GNURadio can often be helpful for analysis.  Make sure to
check out the FCC filing information for the target device as well
(http://www.fcc.gov/oet/ea/fccid/).  Also look into patent filings for
the vendor, I've seen several vendors disclose a lot of sensitive
information there that is useful for reproducing sniffers.

A few times I've been fortunate and the target device runs embedded
Linux.  In those cases, grab a firmware update and see if you can
extract the filesystem to review the device configuration for possible
vulnerabilities.  Try to get console access to a duplicate device and
re-purpose it as your attack interface.

Failing that, a lot of these attacks come down to exploiting duplicate
hardware, eavesdropping on the bus between the on-board microcontroller
and the RF chip (unless it's a SoC, then you have to attack the SoC
directly).  If you can reverse-engineer the radio configuration, you can
implement a BYOM (Bring Your Own Microcontroller) attack to control the
radio for your nefarious purposes.  The GoodFET
(http://goodfet.sourceforge.net/) with its simple Python SPI interface
is a great tool for this, though you could do it with an Arduino or
other chip as well.

As a consultant, it's interesting to work in this space.  A lot of
companies don't realize the time that goes into exploiting a
proprietary, undocumented wireless technology.  An attacker could
opportunistically exploit a given system (e.g. they figured out how to
exploit the system on their own time and look for convenient targets),
or a dedicated attacker may choose it as their "in" since proprietary
wireless systems are generally not adequately monitored.  Sometimes we
bid on work like this to lose out to a company that can do it in 2 days,
but we know their 2 days of work is unlikely to really map out the
customer's exposure adequately.

Best,

- -Josh
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkxhO7AACgkQapC4Te3oxYyumgCdGf25OYsqrURiy+BR/gTA1dSF
SNMAnjE1RjCfITTSeeO56EWxNIcG6Fh2
=AgAT
-----END PGP SIGNATURE-----
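Josh's third paragraph (grab a firmware update, extract the filesystem, review the device configuration) is the step where most of the findings in a link-equipment review actually surface. The script below is an added illustration and is not code from the original post or from any of the tools he names: it locates well-known container and filesystem magic values inside a raw image, carves the first gzip member, and flags configuration keys (passwords, keys, SNMP communities) that a reviewer should look at first. The firmware image, the configuration file and its key names are constructed here purely for the example; a real review would hand the carved artifacts to binwalk/unsquashfs and read the actual config of the device under assessment.

```python
"""Firmware-image triage helper (added example, not from the original post).

Scans a raw firmware blob for well-known container/filesystem magic values,
carves the first gzip member it finds, and flags configuration keys that a
reviewer would want to inspect (hard-coded credentials, default keys).
The sample image built below is constructed for this example only.
"""
import gzip
import re
import zlib

# Magic signatures as they appear as raw bytes in a firmware image:
# SquashFS ("hsqs"/"sqsh"), gzip (1f 8b 08), cramfs (0x28cd3d45 little-endian),
# U-Boot uImage (0x27051956 big-endian), ELF (7f 45 4c 46).
SIGNATURES = {
    b"hsqs": "squashfs (little-endian)",
    b"sqsh": "squashfs (big-endian)",
    b"\x1f\x8b\x08": "gzip member",
    b"\x45\x3d\xcd\x28": "cramfs",
    b"\x27\x05\x19\x56": "uImage header",
    b"\x7fELF": "ELF executable",
}

# Configuration keys worth a second look during a firmware config review.
SENSITIVE_KEY = re.compile(
    r"^(?P<key>[\w.]*(pass|passwd|password|secret|key|community)[\w.]*)\s*=\s*(?P<val>.*)$",
    re.IGNORECASE,
)


def find_signatures(blob: bytes):
    """Return a sorted list of (offset, description) for every known magic found."""
    hits = []
    for magic, desc in SIGNATURES.items():
        start = 0
        while True:
            idx = blob.find(magic, start)
            if idx < 0:
                break
            hits.append((idx, desc))
            start = idx + 1
    return sorted(hits)


def carve_gzip(blob: bytes, offset: int) -> bytes:
    """Decompress the gzip member starting at offset, ignoring whatever follows it."""
    # wbits=16+MAX_WBITS makes zlib parse the gzip header and stop at the end of
    # the member, so trailing padding or other image sections are simply ignored.
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)
    return d.decompress(blob[offset:])


def review_config(text: str):
    """Return (key, value) pairs for config lines a reviewer should inspect."""
    findings = []
    for line in text.splitlines():
        m = SENSITIVE_KEY.match(line.strip())
        if m:
            findings.append((m.group("key"), m.group("val")))
    return findings


def build_sample_image() -> bytes:
    """Constructed sample image: uImage header stub, padding, gzip'd config, squashfs marker."""
    config = (
        "# constructed sample device config, not from any real product\n"
        "hostname=ptp-radio-01\n"
        "mgmt.snmp.community=public\n"
        "radio.channel=36\n"
        "admin.password=changeme\n"
        "link.crypto.key=0000000000000000\n"
    ).encode()
    gz = gzip.compress(config, mtime=0)
    return (b"\x27\x05\x19\x56" + b"\x00" * 60   # uImage header stub (64 bytes)
            + b"\xff" * 100                      # flash erase padding
            + gz                                 # compressed configuration blob
            + b"\x00" * 16
            + b"hsqs" + b"\x00" * 32)            # squashfs superblock marker


def triage(blob: bytes):
    """Full pass: list signatures, carve the first gzip member, flag sensitive config keys."""
    sigs = find_signatures(blob)
    gz_offsets = [off for off, desc in sigs if desc == "gzip member"]
    findings = []
    if gz_offsets:
        text = carve_gzip(blob, gz_offsets[0]).decode(errors="replace")
        findings = review_config(text)
    return sigs, findings


if __name__ == "__main__":
    image = build_sample_image()
    sigs, findings = triage(image)
    for off, desc in sigs:
        print(f"0x{off:06x}  {desc}")
    for key, val in findings:
        print(f"REVIEW  {key} = {val!r}")
```

The signature table is deliberately short; the point is that the image layout (header, padding, compressed config, filesystem) is recoverable from magic values alone, and that once the configuration is in the clear, a simple key-name pass is enough to surface the default credentials and static link keys that an assessment report should call out.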
