Internet of Vulnerable Things

People at risk such as stalking victims, executives, VIPs, security staff, defense / aerospace personnel and other at-risk device users should consider the risks involved in typical wireless use patterns. The proliferation of BYOD, wearables and IoT devices in everything from alarm clocks to utility meters increases the attack surface. State-level actors weigh the value of bulk collection across broad swaths of the population as well as of high-value targets. The CDC 2012 National Intimate Partner and Sexual Violence Survey (NISVS) notes that about 1 in 6 women in the USA have been stalking victims.

Popular media has depicted “burner phones” as a tactic to avoid tracking. A burner phone can still be associated with the victim, and used in subsequent attacks, when the attacker knows they are in proximity of the victim while the burner phone is powered on. At-risk users should consider the risks of having Bluetooth and WiFi enabled. The attacker typically has the advantage of time, and can patiently attack the weakest victim device and escalate from there. Sniffing devices can be left behind inside innocuous objects such as power strips.

Bluetooth 5 and WPA3 include substantial security benefits over earlier standards. Devices may implement the standards imperfectly across their firmware / software stacks, and some new devices still don’t support WPA3, leading many WiFi routers to offer hybrid WPA2 / WPA3 modes. Devices wirelessly beacon information useful to the attacker. An attacker who knows the victim’s device type can mount a spear phishing attack, perhaps a text message pretending to be from the victim’s employer or wireless carrier with a link to a zero-day exploit.

Signal strength can pinpoint a user’s location even in a crowd. Research on Wi-Fi probe request monitoring (e.g., Musa & Eriksson, SenSys 2012) shows that signal strength differences can distinguish devices separated by only a few meters, even when the attacker is 10–20+ meters away under favorable conditions. The typical victim has vulnerable devices including smart TVs, pre-WPA3 WiFi networks, Bluetooth speakers, and WiFi security cameras with old firmware. Multiple WiFi APs in the victim’s vicinity, made common by consumer WiFi mesh networks, give a passive attacker a form of radar for tracking the victim’s approximate location within a home or office.

Signal strength target discrimination vs. attacker distance

Wireless energy knows no borders, with maximum range limited by the inverse square law and obstructions. Microprocessors that use weak encryption to save computation / energy, combined with a lack of OEM liability, leave little supply-side motivation to fix these personal and national security risks.
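The following is an added worked example, not part of the original article, of the signal-strength discrimination the caption above refers to. It assumes a free-space path-loss model (inverse square law, no obstructions) and an assumed RSSI resolution of 1 dB for the attacker’s receiver; the separation in dB depends only on the ratio of the two distances, so transmit power and frequency cancel out.

```python
import math


def free_space_path_loss_db(distance_m: float, freq_mhz: float = 2437.0) -> float:
    """Free-space path loss in dB: 20 log10(d_km) + 20 log10(f_MHz) + 32.44."""
    return 20 * math.log10(distance_m / 1000.0) + 20 * math.log10(freq_mhz) + 32.44


def rssi_dbm(distance_m: float, tx_power_dbm: float = 15.0, freq_mhz: float = 2437.0) -> float:
    """Received power in dBm for a transmitter at distance_m (assumed 15 dBm, 2.4 GHz)."""
    return tx_power_dbm - free_space_path_loss_db(distance_m, freq_mhz)


def rssi_separation_db(attacker_distance_m: float, target_spacing_m: float) -> float:
    """RSSI difference, as seen by the attacker, between two identical devices,
    one at distance D and one at D + s.  In free space this equals 20 log10((D+s)/D)."""
    return rssi_dbm(attacker_distance_m) - rssi_dbm(attacker_distance_m + target_spacing_m)


def distinguishable(attacker_distance_m: float, target_spacing_m: float,
                    resolution_db: float = 1.0) -> bool:
    """True if the two devices differ by more than the receiver's RSSI resolution
    (1 dB is an assumed 'favorable conditions' figure, not a measured one)."""
    return rssi_separation_db(attacker_distance_m, target_spacing_m) > resolution_db


def max_discrimination_distance_m(target_spacing_m: float, resolution_db: float = 1.0) -> float:
    """Largest attacker distance D at which devices s meters apart are still separable:
    solve 20 log10((D+s)/D) = resolution for D."""
    return target_spacing_m / (10 ** (resolution_db / 20.0) - 1.0)


if __name__ == "__main__":
    for d in (2.0, 10.0, 20.0, 50.0):
        print(f"attacker at {d:5.1f} m, targets 2 m apart: "
              f"{rssi_separation_db(d, 2.0):.2f} dB separation, "
              f"distinguishable={distinguishable(d, 2.0)}")
    print(f"limit for 2 m spacing at 1 dB resolution: "
          f"{max_discrimination_distance_m(2.0):.1f} m")
```

Real environments add multipath fading and body shadowing of several dB, so the free-space limit is an upper bound on how far away a passive observer can separate two people in a crowd.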

Bluetooth

Bluetooth speakers commonly found in homes and offices often support auto-reconnect to previously paired devices. Speakers may automatically enter discoverable / pairing mode when powered on and no known paired device is in range. This allows anyone nearby to pair with the speaker without physically interacting with it — a significant privacy risk. See also the Stealtooth attack. The attacker could monitor the audio input in headset mode (for speakers with microphones for two-way audio) without the victim knowing they’re being listened to. Suppose the attacker walks down a street listening for auto-discoverable HSP devices, whether a speaker, headphones or another device with a microphone. Many neighborhoods have HSP devices left on 24/7, which can be used to determine user occupancy patterns, travel plans and other confidential victim information.

Bluetooth Low Energy

Bluetooth Low Energy (BLE) uses 40 channels in the 2.4 GHz band. It has three primary advertising channels at 2402 MHz, 2426 MHz, and 2480 MHz. These frequencies were specifically chosen to sit between common WiFi channels for reduced interference. The remaining 37 channels are primarily used for data connections, and can be used for secondary advertising with Bluetooth 5.0+. A common attack vector against legacy Bluetooth pairing is for the attacker to observe the pairing exchange and trivially recover the key. The attacker can then at any time force unpairing, masquerade as the paired peer and take unwanted actions such as crashing the device wirelessly or passively eavesdropping. This attack is mitigated by LE Secure Connections when implemented and enforced by both devices.

The maximum range at which BLE can be detected is on the order of 1 kilometer with inexpensive high-gain antennas. Without special antennas, small BLE devices are typically detectable to 50 meters or so. Inexpensive software defined radio (SDR) devices like HackRF enable passive monitoring of already paired devices (as with WiFi) based on their periodic updates (100 ms to 10 s).

Android “Smart Lock” is good for attackers, not victims. If the connection can be intercepted and masqueraded, an attacker can physically obtain the unlocked device, install malicious software and return the device undetected. Corporate device policies and end users should consider blocking this. Windows has a similar feature where a Bluetooth-connected device is used to imply user proximity.

Android Smart Lock--anything but!

Suppose the attacker passively sniffs the victim’s UUID and learns the simple BLE channel hopping pattern. The BLE channel hopping pattern is predictable and the UUID is sent in the clear. The CRACKLE BLE attack enables an attacker to jam the victim’s BLE wearable, breaking the connection and leading the victim to re-pair the wearable (which is the point of vulnerability). The attacker can crack the pairing exchange and then implement passive monitoring or access email, text, phone, calendar, fine location, apps, etc. from 10-100 meters distance from the victim.

WiFi

WiFi devices (smartphones, wearables, laptops) periodically send probe requests to discover nearby networks. While modern operating systems such as Apple macOS, iOS and Android have largely stopped broadcasting lists of previously connected visible SSIDs, they still send probes for “hidden” WiFi networks that a user may have connected to in the past. Windows has been observed to still send probe requests for previously connected visible SSIDs, which can be used to track the victim’s location and movement patterns. These probe requests always include a source MAC address — though most modern devices randomize this MAC for privacy. Operating systems for mobile devices and computers have generally implemented a user option to rotate random device WiFi MAC addresses. A user may disable this random MAC address without realizing the security implications. Even with a random MAC, the victim’s beacon/probe signal strength can still be used as a means to track the victim’s proximity and approximate location.
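An added example, not from the original article, of how a defender can audit their own devices for the probe-request leaks described above. It takes (MAC, SSID, RSSI) tuples as a monitor-mode capture tool would export them, flags devices whose MAC is not locally administered (the bit randomized MACs set) and devices that name a hidden SSID in a directed probe; the sample records are constructed, not real captures.

```python
from collections import defaultdict

# Constructed sample probe-request records: (source MAC, probed SSID or "" for wildcard, RSSI dBm).
SAMPLE_PROBES = [
    ("3a:1f:77:0c:9e:21", "", -48),               # randomized MAC, wildcard probe
    ("3a:1f:77:0c:9e:21", "HomeNet-Hidden", -47), # same device names a hidden SSID: correlatable
    ("00:11:22:33:44:55", "", -61),               # globally administered (hardware) MAC: trackable
    ("00:11:22:33:44:55", "CorpGuest", -60),
    ("de:ad:be:ef:00:01", "", -75),               # randomized MAC, wildcard only: least trackable
]


def is_locally_administered(mac: str) -> bool:
    """Randomized MACs set the locally-administered bit (0x02) of the first octet and
    clear the multicast bit (0x01); a hardware MAC from an OUI has 0x02 clear."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02) and not (first_octet & 0x01)


def audit_probes(records):
    """Group probes per source MAC and report what makes each device correlatable."""
    findings = defaultdict(lambda: {"stable_mac": False, "named_ssids": set(), "best_rssi": -200})
    for mac, ssid, rssi in records:
        entry = findings[mac]
        entry["stable_mac"] = not is_locally_administered(mac)
        if ssid:                       # directed probe: reveals a remembered network name
            entry["named_ssids"].add(ssid)
        entry["best_rssi"] = max(entry["best_rssi"], rssi)
    return dict(findings)


def trackable_devices(records):
    """MACs that can be followed across locations: either the MAC itself is stable,
    or the device keeps announcing the same remembered SSID names."""
    return sorted(mac for mac, f in audit_probes(records).items()
                  if f["stable_mac"] or f["named_ssids"])


if __name__ == "__main__":
    for mac, f in audit_probes(SAMPLE_PROBES).items():
        print(f"{mac}: stable_mac={f['stable_mac']} ssids={sorted(f['named_ssids'])} "
              f"best_rssi={f['best_rssi']} dBm")
    print("trackable:", trackable_devices(SAMPLE_PROBES))
```

A device that only ever sends wildcard probes from a locally administered MAC leaves signal strength as the remaining tracking signal; the others should have MAC randomization re-enabled or the remembered hidden network forgotten.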

Homes with smart TVs, WiFi security cameras and baby monitors typically use obsolete pre-WPA3 WiFi networks with weak protocols such as WEP, WPA or WPS. Cheap security cameras often have unencrypted or weakly encrypted password exchanges. Once the WiFi password is cracked, the attacker can then exploit the typically insecure WiFi devices throughout the modern home or office. The victim attempted to secure their home with surveillance, but made themselves substantially less secure against wireless attacks.
