Mid-Atlantic CCDC 2012 presentation at Johns Hopkins Applied Physics Laboratory: Wireless Data Exfiltration - Air Intercepted Messaging & Electronic Espionage
Brad Bowers [email protected]
Who am I? Brad - Just a Guy that Likes to Play with Technology!
Disclaimer
Everything I say is my personal opinion and not those of my employer!
Some equipment or functionality may be considered “Dual-use munitions” and controlled under ITAR 121.1. Be sure to follow appropriate laws! Education and Entertainment purposes only!
Above all do no harm!
The goal is to make you think!
All examples were taken with permission!
Agenda
The adoption of security in Health Care
Hospitals – A target-rich environment
Low cost Tools for Assessments & Data Exfiltration
Equipment
Testing / Methodology
Analysis
Apply the hacker mindset
What the future holds
Q&A
Health Care is big business: $2.6 Trillion in 2010
Ten times what was spent in 1980 ($256 Billion)
Heavily driven by legislation and regulatory requirements HIPAA / PSQIA / PHI / etc.
Health Care is complex
Health Care technology has grown complex
Health Care is a highly competitive industry
Health Care Technology Dichotomy
Race to adopt and offer new medical technology
Slow to adopt new information systems technology
Rapid immersion in wireless technology
Large variety of legacy and new wireless technologies used
Significant challenges for Info Sec professionals
Adoption of Security in Health Care
Let’s take a closer look at wireless
802.11(x) is not the only show in town
We have become blinded by all the background noise
Lots of other RF attack vectors & data to pursue
Legacy Technology (POCSAG, Flex, Mobi, etc.)
Current Technology (Zigbee/XBee, RF link, etc.)
Emerging Technology (Corporate grade MASINT)
Hospital environments are unique in many ways
How they use these technologies
How they can be tested and exploited
We can build some low cost effective tools for testing!
Hospitals – Target Rich environment
Post Office Code Standardization Advisory Group (POCSAG) – Born from British Telecom
Predecessor of Super POCSAG, Flex, Mobi and several others
Designed for low speed transmission of data
Morphed over the years as popularity grew
How the technology works: 32-bit blocks of data transmitted
Simple Frequency Modulation (FM) using Frequency Shift Keying (FSK)
+/- 4.5 kHz on the carrier frequencies
Gives about 512 bits per second (about 64 characters per second)
Slow by any standard but effective for transmission of plain text
Transmitted on both VHF & UHF (152 MHz – 158 MHz & 420 MHz – 540 MHz)
Most commonly in the 900 MHz range for Consumer services
Flex / Mobi work in a similar fashion though at much higher data speeds
Flex / Mobi use FM 4-level modulation on the carrier signal
Easily Intercepted and modified
A revisit to Old School Hacking
Medical facilities and Hospitals heavily rely on this technology*
How it’s being used…
Time sensitive data sharing between Doctors and Nurses
Acts as a form of middleware between doctors and nurses
Personnel communication within a facility
Room status, equipment readiness, etc.
Notification of success / failure for tasks
System alerts ( disk space, disk failure, cpu utilization)
Some medical data / Patient information / Patient movement
Patient Treatments (YIKES!)
Patient status (prescriptions, diagnosis, events , etc.)
Patient info (address, contacts, age, insurance carrier, etc.)*
A revisit to Old School Hacking Continued…
How is this data intercepted? POCSAG / Flex offer no real security
No encryption
Data is only obfuscated via FSK modulation
Most transmissions are easily intercepted via demodulation
Most organizations do little to “encode” their transmissions
ECPA – 18 U.S.C. 2510 (prohibits interception of radio messaging)
How to intercept – (Pentester’s tool kit)
It is illegal to intercept messages from national carriers!!!
Simple signal receiver (one with a line out or discriminator tap preferred)
Hardware or software “data slicer” (Kits, l0pht, google is your friend)
Decoding software – PDW (most popular and free)
Frequency range (easily obtained, scanning, signal metering, RDF, etc.)
Signal capture / tuning – equal parts luck, tuning & skill
A good directional antenna makes tuning & capture easier for closed systems
A revisit to Old School Hacking Continued…
Revisit to Old School Hacking
This is the tip of the iceberg!
Many examples of sensitive information being transmitted:
SSNs
Patient policy information
Home addresses
General Inappropriate conversations (Doctors, nurses, patients?)
Not all organizations are transmitting sensitive information
Some organizations protect their material better than others
A general lack of understanding of the risks!
Often looked over by Information Security
Zigbee Radio Devices
The coolest badge you are ever likely to receive!
802.15.4 multi-channel Packet Capturing (cheap!)
IEEE 802.15.4 is an attacker-rich (still) emerging tech…
What is Zigbee (Quick Primer)
Ratified in 2003-2004
WPAN digital radios
Low power (60–100 mW)
Low cost & short range*
DSSS (Direct Sequence Spread Spectrum) modulation
250 kbps (on the high end)
2.4 GHz ISM, 868 MHz Europe, 915 MHz USA
16 channels
Typically Star or Mesh topology
Built-in security*
Intelligent transmitter – lowers output power
Zigbee Radio Packet Interception
How is it used in Health Care (Telemedicine)
Continua Health Alliance – Seems to be steering the ship
A standard for Zigbee – ISO/IEEE 11073 Health Device Communication
Typical system is made up of low power sensors communicating back to collection devices “Gateway / Access device”
Most devices rely on pre-shared keys generated and distributed by trusted server
Wide range of uses
Safety sensors, wrist transmitters, fall (movement) detectors
Medical Equipment tracking (portable medical devices)
Patient Sensor data (BP, ECG, pulse, oximeter, thermometer, etc.)
Building Automation (lighting, alarms, intelligent appliances)
New uses are being adopted every day
LOTS of potential attacks possible
Not all devices are encrypted
Zigbee (xbee) 802.15.4 Wireless
Zigbee Packet Interception
CCDC Badge is an awesome platform to build on!
Provides a robust platform for testing, capturing and analyzing 802.15.4
Our badge has some advantages
Covertly capture 802.15.4 packets without the use of a computer
Easily concealable / Practically disposable
Long capture times using simple batteries
Scans through channels 11 – 26 and captures
Data is captured to microSD card for later analysis
Self contained
Ease of code changes / open protocol stack
Zigbee Pentester’s Edition
Surprising amount of unencrypted 802.15.4 frames around!
Lots of interesting information can be captured
Currently there is no IDS for Zigbee*
Susceptible to replay attacks
Easy to DoS communication between sensors and receivers
(Headlines….Anonymous stops doctors from receiving patient data, patient croaks! … Story at 11…)
General lack of understanding of the risks associated with the technology
More security research is needed!
Zigbee (xbee) 802.15.4 Wireless
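The two findings on the previous slides (unencrypted 802.15.4 frames in the air, and no IDS to catch a replayed frame) can be turned into a simple monitor. The following is an added example, not code from the deck or from the CCDC badge firmware: it parses the 802.15.4 MAC header (frame control field, sequence number, PAN IDs and short/extended addresses) from raw frames as a sniffer would write them to a capture file, flags data frames whose security bit is clear, and flags an exact repeat of a recent frame from the same source. The sample frames, the PAN ID 0x1234, the addresses and the payloads are constructed; the code assumes the sniffer has already validated and stripped the two-byte FCS.

```python
from __future__ import annotations

import struct
from collections import deque
from dataclasses import dataclass
from typing import Optional

FRAME_TYPES = {0: "beacon", 1: "data", 2: "ack", 3: "command"}
ADDR_LEN = {0: 0, 2: 2, 3: 8}  # addressing mode -> address length in bytes (mode 1 is reserved)


@dataclass
class MacFrame:
    frame_type: str
    security_enabled: bool
    seq: int
    dst_pan: Optional[int]
    dst_addr: Optional[int]
    src_pan: Optional[int]
    src_addr: Optional[int]
    payload: bytes  # everything after the addressing fields (aux. security header + data when secured)


def _take(raw: bytes, off: int, n: int) -> int:
    """Read an n-byte little-endian integer at `off`, refusing truncated frames."""
    if off + n > len(raw):
        raise ValueError("truncated 802.15.4 header")
    return int.from_bytes(raw[off:off + n], "little")


def parse_mac_frame(raw: bytes) -> MacFrame:
    """Parse the 802.15.4 MAC header. The FCS is assumed to be already stripped."""
    if len(raw) < 3:
        raise ValueError("frame too short for FCF + sequence number")
    fcf = struct.unpack_from("<H", raw, 0)[0]
    dst_mode = (fcf >> 10) & 0x3          # bits 10-11: destination addressing mode
    src_mode = (fcf >> 14) & 0x3          # bits 14-15: source addressing mode
    if dst_mode not in ADDR_LEN or src_mode not in ADDR_LEN:
        raise ValueError("reserved addressing mode")
    pan_compression = bool(fcf & 0x0040)  # bit 6: source PAN ID omitted, same as destination
    off = 3
    dst_pan = dst_addr = src_pan = src_addr = None
    if dst_mode:
        dst_pan = _take(raw, off, 2)
        off += 2
        dst_addr = _take(raw, off, ADDR_LEN[dst_mode])
        off += ADDR_LEN[dst_mode]
    if src_mode:
        if pan_compression and dst_mode:
            src_pan = dst_pan
        else:
            src_pan = _take(raw, off, 2)
            off += 2
        src_addr = _take(raw, off, ADDR_LEN[src_mode])
        off += ADDR_LEN[src_mode]
    return MacFrame(FRAME_TYPES[fcf & 0x7], bool(fcf & 0x0008), raw[2],
                    dst_pan, dst_addr, src_pan, src_addr, bytes(raw[off:]))


def build_data_frame(seq: int, pan_id: int, dst_short: int, src_short: int,
                     payload: bytes, secured: bool = False) -> bytes:
    """Constructed sample frame: data type, short addresses, PAN ID compression (FCF 0x8841)."""
    fcf = 0x8841 | (0x0008 if secured else 0)
    return struct.pack("<HBHHH", fcf, seq & 0xFF, pan_id, dst_short, src_short) + payload


class ZigbeeFrameMonitor:
    """Flags cleartext data frames and exact repeats of a recently seen frame from the same source."""

    def __init__(self, window: int = 64):
        self.window = window
        self._recent: deque = deque()
        self._counts: dict = {}

    def check(self, raw: bytes):
        frame = parse_mac_frame(raw)
        findings = []
        if frame.frame_type == "data" and not frame.security_enabled:
            findings.append("cleartext")
        # A replayed frame carries the same source, sequence number and bytes as an
        # earlier one. A genuine MAC retry after a lost ack looks identical, so treat
        # this as a lead to correlate with the ack traffic, not as proof by itself.
        key = (frame.src_pan, frame.src_addr, frame.seq, frame.payload)
        if self._counts.get(key, 0) > 0:
            findings.append("replay")
        self._recent.append(key)
        self._counts[key] = self._counts.get(key, 0) + 1
        if len(self._recent) > self.window:           # bound memory: 8-bit seq numbers wrap
            old = self._recent.popleft()
            self._counts[old] -= 1
            if self._counts[old] == 0:
                del self._counts[old]
        return frame, findings


if __name__ == "__main__":
    mon = ZigbeeFrameMonitor(window=8)
    sensor = build_data_frame(0x10, 0x1234, 0x0001, 0x00AB, b"BP=120/80")        # constructed
    secured = build_data_frame(0x11, 0x1234, 0x0001, 0x00AB, b"\x00" * 8, True)  # constructed
    for raw in (sensor, secured, sensor):
        frame, findings = mon.check(raw)
        print(f"src=0x{frame.src_addr:04x} seq={frame.seq:3d} {findings}")
```

Run against a capture by feeding each frame body to check() in order; the third frame in the demo is the first one fed again and is reported as both cleartext and a replay.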
MASINT Measurement and Signature Intelligence
Building the assessment and attack tools of tomorrow
What is MASINT ?
Measurement & Signature Intelligence
Collection of unintended emissions or byproducts of devices
All devices generate unique, undesirable transmission artifacts
Hospitals use/have lots of unintended emissions!
Quick History Lesson on MASINT
Discrete intelligence gathering process
DoD – Officially adopted as an Intelligence discipline in the 80s
Often aggregated with other information sources
(ELINT, SIGINT, HUMINT, etc.)
Lots of different types of MASINT
Electro / Electronic / Nuclear / Explosives
Geospatial / Materials / Electromagnetic fields*
Emerging Technologies - MASINT
MASINT is rapidly growing in the Corporate Info. Sec. space
How does this pertain to Health Care devices?
MASINT provides Info. Sec. professionals a platform for:
Assessing risks
Reverse Engineering
Threat modeling
Troubleshooting
Competitive intelligence
Detection of malicious activity
Health Care’s adoption of wireless devices is helping drive MASINT in the Corporate environment.
How about an example…..
MASINT – For Assessing Security of Devices
MASINT – work in progress Collect – Assess – Attack
Implanted Cardioverter High Energy Defibrillator
What all the cool kids are getting for Christmas!!!
Guess what! It’s completely controlled wirelessly!
802.15.1 (Bluetooth) & 802.15.4 (Zigbee) models
Provides a framework / roadmap for wireless security testing
Analyze wireless devices when physical access is not an option
Assess functionality / Capabilities
Identify Signals of Interest (SOI) - Origin and strength
Gather Actionable Intelligence
How does this work?
With a focus on Hospitals - What does it do?
Uniquely identify equipment by its RF artifacts
MASINT is becoming integrated into Info Sec programs
MASINT components are being added to pen testing capabilities
Track people by the electronic devices they carry
Develop Technical Surveillance & Counter Measures Capabilities
Identify spurious transmissions / jamming
Cost and complexity for MASINT technology is decreasing
MASINT - Why Should you Care?
[Diagram: RF MASINT pipeline – Spectrum Analyzer / (SDR) Search Receiver & Antenna System → Signal Collection, Analysis & Signature Generation → Signature Analysis, Tracking, Intel]
RF MASINT – Lets Build It!
Spectrum Analyzers – Lots of choices but… not a good fit!
Generally very expensive! ($10K-$60K)
Typically not designed to provide MASINT or TSCM functionality
Limited frequency range
Difficult to get data out of in raw form
Restrictive antenna capabilities
Some hacker friendly models exist (SpecTran, Anritsu, Tektronix, etc.)
Device of choice – Signal Hound (USB-SA44B)
Software defined / USB connected / easily interfaced
Decoding Capabilities (FM,WFM, NFM, CW, SSB, Video, FSK, ASK, etc.)
API available / scripting friendly
Low cost $300 - $400 used
1 Hz to 4.4 GHz / fast sweep times*
Good Sensitivity / built-in Preamp / Attenuators*
Calibration capabilities
Let’s build it!!! – Equipment
Premise – low power RF equipment can be uniquely identified
Signature structure: Signature taken at a set frequency (446 MHz, 220 MHz, 146 MHz, 900 MHz)
RF Signature recorded over 3 seconds with a span of 10 kHz
Unique Signature created using Amplitude (Max & Min) per Hz
Approx. distance 10 ft – no Faraday enclosure used
Let’s build it!!! – Spectral collection
Frequency (MHz)   Amplitude Min (mW)   Amplitude Max (mW)
445.994986        1.51E-09             1.51E-09
445.995015        1.53E-09             1.53E-09
445.995045        1.17E-09             1.17E-09
445.995075        7.27E-10             7.27E-10
445.995104        4.87E-10             4.87E-10
445.995134        1.91E-10             1.91E-10
445.995164        1.66E-10             1.66E-10
445.995193        2.63E-10             2.63E-10
445.995223        4.61E-10             4.61E-10
445.995253        5.80E-10             5.80E-10
445.995282        3.29E-10             3.29E-10
445.995312        1.12E-10             1.12E-10
445.995342        6.12E-10             6.12E-10
Motorola XTS3000 Model 3
Finding unique RF characteristics
All electronic devices will generate unique “Artifacts” in the near-field
Filtering ambient noise with 10 dB attenuation
Measuring mW at the SDR antennas
Collecting Amplitude Max/Mins
RF span 10 kHz
3+ sec measurement
340 Points of Interest
0.e-14 sensitivity
.CSV file output
User defined Max Amplitude
Let’s build it!!! – SOI Signature Collection
Signal of Interest (SOI)
Ambient Noise Floor (ANF)
Attenuation to reduce ANF
Unique Artifacts / (POIs)
Signature Creation Scripts – Python & .NET
Signature Generator & Signature Compare
Let’s build it!!! – SOI Signature Creation
Signature Comparing
No two signatures will come back 100% the same
Script provides a configurable tolerance
Tolerance does not sway results significantly because of the ranges
Negative hits increase as you move away from center
Let’s build it!!! – SOI Signature Compare
Let’s build it!!! – Signature Compare Contin…
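To make the signature generator and compare steps concrete (signature = amplitude min/max per frequency bin across the 10 kHz span; comparison with a configurable tolerance; misses reported by distance from the center bin), here is an added example in Python. It is not the deck’s own signature scripts: the CSV column names are assumed, the reference rows are the values from the Motorola XTS3000 table on the previous slides, and the “re-capture” and “other device” candidates are constructed by scaling those amplitudes. The tolerance is applied as a relative error on each bin’s min and max amplitude.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class Point:
    freq_mhz: float
    amp_min_mw: float
    amp_max_mw: float


# Constructed CSV in the layout of the spectrum analyzer export (column names assumed).
# The rows are the values from the deck's Motorola XTS3000 table.
REFERENCE_CSV = """freq_mhz,amp_min_mw,amp_max_mw
445.994986,1.51E-09,1.51E-09
445.995015,1.53E-09,1.53E-09
445.995045,1.17E-09,1.17E-09
445.995075,7.27E-10,7.27E-10
445.995104,4.87E-10,4.87E-10
445.995134,1.91E-10,1.91E-10
445.995164,1.66E-10,1.66E-10
445.995193,2.63E-10,2.63E-10
445.995223,4.61E-10,4.61E-10
445.995253,5.80E-10,5.80E-10
445.995282,3.29E-10,3.29E-10
445.995312,1.12E-10,1.12E-10
445.995342,6.12E-10,6.12E-10
"""


def load_signature(csv_text: str) -> list:
    """Signature generator: one Point per frequency bin, sorted by frequency."""
    reader = csv.DictReader(io.StringIO(csv_text))
    points = [Point(float(r["freq_mhz"]), float(r["amp_min_mw"]), float(r["amp_max_mw"]))
              for r in reader]
    return sorted(points, key=lambda p: p.freq_mhz)


def perturb(signature: list, factor: float) -> list:
    """Constructed stand-in for a later capture of a device: scale every amplitude by `factor`."""
    return [Point(p.freq_mhz, p.amp_min_mw * factor, p.amp_max_mw * factor) for p in signature]


def _close(a: float, b: float, tolerance: float) -> bool:
    """Relative comparison so that 1e-9 mW and 1e-10 mW bins get the same tolerance."""
    return abs(a - b) <= tolerance * max(abs(a), abs(b))


def compare_signatures(reference: list, candidate: list, tolerance: float = 0.10) -> dict:
    """Signature compare: count bins whose min and max amplitude agree within `tolerance`.

    Bins are paired by frequency (rounded to 1 Hz); a bin missing from the candidate
    is a miss. Each miss records its distance from the center bin so that the
    'negative hits increase away from center' behaviour can be inspected.
    """
    cand_by_freq = {round(p.freq_mhz, 6): p for p in candidate}
    center = (len(reference) - 1) / 2
    hits = 0
    miss_offsets = []
    for i, ref in enumerate(reference):
        cand = cand_by_freq.get(round(ref.freq_mhz, 6))
        ok = (cand is not None
              and _close(ref.amp_min_mw, cand.amp_min_mw, tolerance)
              and _close(ref.amp_max_mw, cand.amp_max_mw, tolerance))
        if ok:
            hits += 1
        else:
            miss_offsets.append(abs(i - center))
    return {
        "points": len(reference),
        "hits": hits,
        "misses": len(miss_offsets),
        "match_ratio": hits / len(reference) if reference else 0.0,
        "miss_offsets": miss_offsets,
    }


if __name__ == "__main__":
    reference = load_signature(REFERENCE_CSV)
    recapture = perturb(reference, 1.03)     # constructed: same radio, 3% amplitude drift
    other_radio = perturb(reference, 3.0)    # constructed: a different device, much stronger
    for name, cand in (("recapture", recapture), ("other radio", other_radio)):
        result = compare_signatures(reference, cand, tolerance=0.10)
        print(f"{name}: {result['hits']}/{result['points']} bins match "
              f"({result['match_ratio']:.0%}), miss offsets {result['miss_offsets']}")
```

The tolerance is deliberately a single knob: tighten it to 0.01 and the 3% drift capture no longer matches at all, which is the behaviour the slides describe when tuning the compare script against real captures.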
MASINT is becoming more widely adopted in corporate and industrial environments
It is possible to build a high functioning MASINT implementation using low cost equipment
MASINT capabilities offer many advantages for Information Security when testing and assessing wireless technologies.
MASINT and TSCM capabilities can be obtained and incorporated into an organization's information security practice.
MASINT – Wrap up
Health Care is big business and has many unique challenges when it comes to Information Security!
Sensitive data can often be accessed in ways that have not been fully considered or understood – Security assessments are very important!
It’s just as important to reassess legacy technologies – Risk can change over time and as a business/industry matures!
The rate and adoption of new technologies is escalating faster than Security Professionals can keep up! Business leaders beware!
To Summarize…