Hacking Your Company’s Radio Frequency Devices is Easier Than You Think


Like those of most companies, your wireless network (Wi-Fi) is probably heavily protected, while your radio frequency (RF) devices—physical access gates and locks, alarms and surveillance, HVAC controls, lighting, remote controlled machinery, and all the wonderful Internet of Things (IoT) and Industrial Internet of Things (IIoT) devices—have been left vulnerable. If this is not the case, then your company must be one of the few that has an RF cybersecurity champion.

Now you may be thinking, “Why should I worry about my RF devices?”

RF hacking is not new. In 1903, British inventor John Nevil Maskelyne hacked a public demonstration of Guglielmo Marconi’s “secure” wireless telegraph. Marconi, stationed some 300 miles away from the event at the Royal Institute’s lecture theatre in London, was preparing to send his message. Before the demonstration could begin, an unexpected transmission came through spelling “rats rats rats,” followed by some creative insults about Marconi. The culprit was Maskelyne who wirelessly projected his own message to the new “secure” invention. This was Maskelyne’s way of showing the public the invention was not as secure as its inventor claimed.

Until a few years ago, the prevalence of RF hacking was relatively minimal thanks in part to the sizeable learning curve required for radio technology mastery and the specialized, expensive equipment needed. These days you don’t need to be a technical genius to hack the airwaves. With the arrival of Software Defined Radio, it is cheaper and easier than ever to analyze and attack RF technologies. Just ask the makers of the Tesla Model S.

Prior to June 2018 it was possible to obtain a Tesla Model S for roughly $500 USD—if one were inclined to commit grand theft auto. A security flaw in the keyless entry system allowed a key fob to be easily cloned, wirelessly. An attacker only needed to be in range of the key fob’s signal as it was being used. The cloned key fob could then unlock, start, and drive away with the luxury vehicle. All of this was achievable using inexpensive, widely available hardware and software.

The takeaway is that bugs and engineering flaws can slip through the cracks, even at a company like Tesla, which is known for having a top-tier security program.

Trend Micro’s research “Attacks Against Industrial Machines via Vulnerable Radio Remote Controllers” demonstrates how industrial cranes can be manipulated by attackers using RF signals. Another security researcher claims to have hacked into passing aircraft onboard computer systems… from the ground. Thanks to researchers like these, the Industrial and Transportation sectors have begun to patch security holes and make the public safer. Nevertheless, the impact of RF vulnerabilities is proof that companies have a responsibility to regularly test the security of their own RF solutions.

Where are you most vulnerable?

IoT and IIoT technologies represent a notable share of RF devices available to companies eager to streamline their operations and looking for affordable automation solutions. However, digital transformation comes with new security responsibilities, and RF technology is no exception. The proliferation of IoT and automated RF solutions has become a formidable attack surface to defend.

Vendors may make attractive claims that their IoT/IIoT devices are secure or that they communicate over encrypted channels. It is important that companies verify these claims with security testing before deployment into production environments and at regular intervals thereafter. For instance, a ZigBee-enabled product may encrypt all outgoing communication, but if the default encryption key is being used, a novice RF hacker will have no problem capturing and decrypting the communication in a matter of minutes.

What can you do to secure your RF technology?

For companies ready to mature their RF security posture, there is a simple solution.

First, a company’s RF technology should be subject to governance, policy, and regular testing in the same manner as traditional IT technology. All RF technology can and should be adopted into existing acquisition requirements and compliance frameworks and included in regular cybersecurity testing.

Second, a company that has its own security team should have at least one RF champion. With RF security still a niche sub-field of cybersecurity and an overall lack of cybersecurity talent available to meet the growing demand, finding and hiring an RF specialist can be challenging, if not impossible.

Fortunately, the learning curve isn’t what it used to be, and the equipment needed for testing is relatively inexpensive. RF educational resources should be provided to (or required for) applicable in-house cybersecurity teams in order to satisfy the requirements of RF policy and testing. Resources like the IoT Cybersecurity Alliance, NIST, and the IoT Security Foundation can provide a good starting point for framework development, training requirements, and educational resources. Companies that outsource cybersecurity, meanwhile, should require that their partners have reputable RF testing capabilities and frameworks.


Don’t have an RF cybersecurity champion? You can use ours.

Let’s meet to discuss your IIoT cybersecurity strategy.
