Wireless devices are all around us. We rely on them for everything from opening the garage to using a laptop. The Internet of Things (IoT) has enabled a large array of new devices, and the majority of them are connected. This variety of devices comes with an equal variety of security mechanisms, and some wireless technologies have been and remain insecure. A fixed-code garage door opener, for example, can be attacked with minimal equipment: it transmits a simple ASK (amplitude-shift keying) signal whose only protection is the number of possible code combinations.
On the other hand, protocols such as Wi-Fi and Bluetooth were designed from the ground up with security in mind. Both have still had vulnerabilities, either in the protocol itself or in specific implementations. The flaws in the original WEP protocol, which was easily broken, gave way to WPA2 and then WPA3, which are much more secure. For Bluetooth, the pairing weaknesses that existed before the ECDH key exchange was introduced for Bluetooth Low Energy in Bluetooth 4.2 show that even specifications that take security seriously get it wrong.
Even though these specifications got things wrong, overall they have helped create secure wireless networks. Protocols where security is an afterthought often remain insecure.
Patching Vulnerabilities
One of the biggest challenges in wireless security is that many devices require updating to fix security vulnerabilities, but updating devices with limited wireless capabilities can be difficult or impossible. For example, updating Bluetooth devices is typically done via a firmware over-the-air update (commonly called OTA or FOTA). This requires a device that can perform the firmware transfer, usually a smartphone. But the smartphone needs to stay near the Bluetooth device while it happens, and the end user has to actually allow it to take place.
In practice, it is often difficult to get users to upgrade the firmware of their devices: the process can be slow and may require them to keep the phone in one spot for a while.
Even worse, there are devices where a firmware update is not possible at all. Usually these are Sub-1GHz (868MHz / 915MHz) devices that run at low data rates and low power. A firmware upgrade over such a link can take tens of minutes and drain the battery significantly, making it difficult to justify. That is another reason why upgrading is often not possible: there is always a tradeoff between upgradability and power/functionality.
If you can't update the firmware, you can't patch vulnerabilities that are found. It is possible to do a wired firmware update (by connecting the device to a programmer), but that is not going to happen in reality: no one wants to send a technician out to do it.
Realistically, security considerations are often secondary for product developers. A broken feature that customers consider critical is much more likely to get fixed, and customers are more likely to go through the effort of upgrading for it. That makes it a good idea to ship security patches alongside feature fixes.
Lack of Tools
One thing that has allowed developers to get away with insecure products is that some protocols had no tools for analyzing and validating devices, or those tools were too expensive for attackers. Software Defined Radios such as the HackRF One have changed this and enabled many security researchers to look at devices. But it is still not as easy as downloading an application and hacking away over the internet.
Oftentimes, to secure or attack a wireless system, one needs custom tools and quite a bit of know-how. The Flipper Zero is a great project, but such devices don't help product developers evaluate their own systems.
Commercial tools do exist, but they usually cost tens of thousands of dollars. And hacking tools are usually built to run specific exploits rather than to evaluate a system as a whole.
Overall, wireless tools are very limited compared to tools for cybersecurity on desktops and servers.
Attacking at a Distance
Attackers looking to exploit a system need to be in the vicinity of the device, because wireless communication requires a clear signal. But amplifiers and the right kind of directional antennas can let an attacker operate from a mile away. Add to this that there is no network path through which to trace a wireless transmitter, and attackers can remain hidden much more easily: unless someone is actively direction-finding the signal with directional antennas or another technique, there is no website or ISP to provide logs.
Securing wireless systems therefore can't rely on firewalls and the slew of other techniques available for wired networks.
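To put a number on how far "a mile away" can be, here is an added free-space link-budget calculation (not from the original post). It assumes a 0 dBm transmitter with a 0 dBi antenna at 2.4 GHz, a stock receiver with -90 dBm sensitivity, and an attacker with a 24 dBi dish and a front end good to -100 dBm; all of these figures are illustrative assumptions. Free-space loss is the optimistic floor, and walls and fading add tens of dB, so treat the absolute distances as an upper bound; the scaling rule (every extra 6 dB of gain doubles range, every 20 dB multiplies it by ten) is what matters.

```python
"""Free-space link budget: how far can a receiver hear a device?

Constructed example, not the original post's code. Numbers in attacker_vs_stock() are assumptions.
"""
import math

C_M_PER_S = 299_792_458.0  # speed of light


def fspl_db(distance_m: float, freq_hz: float) -> float:
    """Free-space path loss in dB: 20*log10(d) + 20*log10(f) + 20*log10(4*pi/c)."""
    return (20 * math.log10(distance_m) + 20 * math.log10(freq_hz)
            + 20 * math.log10(4 * math.pi / C_M_PER_S))


def max_range_m(tx_power_dbm: float, tx_gain_dbi: float, rx_gain_dbi: float,
                rx_sensitivity_dbm: float, freq_hz: float) -> float:
    """Largest distance at which the received power still reaches the receiver's sensitivity.

    Solves fspl_db(d, f) == tx_power + tx_gain + rx_gain - sensitivity for d.
    """
    budget_db = tx_power_dbm + tx_gain_dbi + rx_gain_dbi - rx_sensitivity_dbm
    exponent = (budget_db - 20 * math.log10(freq_hz)
                - 20 * math.log10(4 * math.pi / C_M_PER_S)) / 20
    return 10 ** exponent


def range_multiplier(extra_gain_db: float) -> float:
    """Range scales with the square root of linear gain: +6 dB doubles it, +20 dB gives 10x."""
    return 10 ** (extra_gain_db / 20)


def attacker_vs_stock(freq_hz: float = 2.4e9) -> dict:
    """Assumed scenario: 0 dBm / 0 dBi transmitter; stock receiver 0 dBi at -90 dBm;
    attacker with a 24 dBi directional antenna and a -100 dBm front end."""
    stock = max_range_m(0.0, 0.0, 0.0, -90.0, freq_hz)
    attacker = max_range_m(0.0, 0.0, 24.0, -100.0, freq_hz)
    return {"stock_m": stock, "attacker_m": attacker, "ratio": attacker / stock}


if __name__ == "__main__":
    r = attacker_vs_stock()
    print(f"stock receiver: {r['stock_m']:.0f} m, attacker: {r['attacker_m']:.0f} m "
          f"({r['ratio']:.0f}x, free space, no obstructions)")
```

With these assumptions the attacker's 34 dB advantage multiplies the free-space range by about 50, comfortably past a mile even after a realistic 20 to 30 dB of real-world loss is subtracted.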
Replay and Relay Attacks
Another common issue for wireless product security is replay-style attacks, which have become increasingly common. The best-known example is the relay attack on car key fobs, where thieves use repeaters to carry the fob's signal far beyond its normal range.
The attack is simple: thieves place a repeater near the house wall. This repeater captures the wireless signals from the key fob and forwards them to a second repeater placed close to the car, bypassing the key fob's limited transmit range. As far as the car is concerned, the key fob is right next to it, so it lets the thief open the car and start the engine. No modification to the packets is needed, just retransmission, which is why encryption and rolling codes alone do not stop it: the car sees a fresh, correctly answered challenge, only later than it should have.
Guarding against these kinds of attacks is difficult, because the car has to establish where the key fob actually is, and locating it accurately (for example by bounding the round-trip time of the exchange) is not simple.
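The difference between the fixed-code opener from the introduction, a replayed response, and a relayed one is easiest to see in a simulation. The following is an added example, not code from the original post or from any real fob or car: it assumes the car and fob share a 128-bit key and answer a random challenge with a truncated HMAC-SHA256, and it models propagation and repeater delays as numbers rather than measuring them.

```python
"""Key fob exchange under replay and relay: constructed simulation, not a real product's protocol.

Assumptions (not from the original text): the car and fob share a 128-bit key and use a
truncated HMAC-SHA256 over a random 16-byte challenge; radio delays are modelled, not measured.
"""
import hashlib
import hmac
import os

KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key shared by fob and car
C_M_PER_US = 299.792458  # speed of light in metres per microsecond


def mac(key: bytes, challenge: bytes) -> bytes:
    """Response to a challenge: truncated HMAC-SHA256 (assumed message format)."""
    return hmac.new(key, b"unlock|" + challenge, hashlib.sha256).digest()[:8]


class FixedCodeReceiver:
    """Fixed-code receiver, like the garage door opener: one captured frame opens it forever."""

    def __init__(self, code: bytes):
        self.code = code

    def verify(self, frame: bytes) -> bool:
        return hmac.compare_digest(self.code, frame)


class Fob:
    """The key fob answers any challenge it hears with the keyed response."""

    def __init__(self, key: bytes):
        self.key = key

    def respond(self, challenge: bytes) -> bytes:
        return mac(self.key, challenge)


class Car:
    """Challenge-response receiver; max_rtt_us adds a round-trip-time bound (distance bounding)."""

    def __init__(self, key: bytes, max_rtt_us: float = float("inf")):
        self.key = key
        self.max_rtt_us = max_rtt_us
        self.pending = None

    def challenge(self) -> bytes:
        self.pending = os.urandom(16)  # fresh nonce per attempt, so an old response never matches
        return self.pending

    def verify(self, response: bytes, rtt_us: float) -> bool:
        if self.pending is None:
            return False
        expected = mac(self.key, self.pending)
        self.pending = None  # one answer per challenge, valid or not
        return hmac.compare_digest(expected, response) and rtt_us <= self.max_rtt_us


def rtt_us(distance_m: float) -> float:
    """Radio round-trip time over a straight path of distance_m metres."""
    return 2.0 * distance_m / C_M_PER_US


def fixed_code_replay(code: bytes = b"\x5a\x3c") -> bool:
    """Attacker records the fixed code once and resends it later: accepted."""
    return FixedCodeReceiver(code).verify(code)


def legitimate_unlock(car: Car, fob: Fob, distance_m: float) -> bool:
    return car.verify(fob.respond(car.challenge()), rtt_us(distance_m))


def replay_unlock(car: Car, fob: Fob, distance_m: float) -> bool:
    """Attacker records a genuine response and sends it again in answer to a later challenge."""
    recorded = fob.respond(car.challenge())
    car.verify(recorded, rtt_us(distance_m))         # the owner's own session completes normally
    car.challenge()                                  # later, the attacker wakes the car ...
    return car.verify(recorded, rtt_us(distance_m))  # ... and answers with the old response


def relay_unlock(car: Car, fob: Fob, fob_to_car_m: float, repeater_delay_us: float) -> bool:
    """Two repeaters forward the live challenge and response unmodified.

    The fob answers the relayed challenge exactly as it would a direct one; the only
    trace of the attack is time: the longer path plus two repeaters in each direction.
    """
    response = fob.respond(car.challenge())
    return car.verify(response, rtt_us(fob_to_car_m) + 4 * repeater_delay_us)


if __name__ == "__main__":
    fob = Fob(KEY)
    print("fixed code, replayed:          ", fixed_code_replay())
    print("challenge-response, owner 2 m: ", legitimate_unlock(Car(KEY, 1.0), fob, 2.0))
    print("challenge-response, replayed:  ", replay_unlock(Car(KEY, 1.0), fob, 2.0))
    print("relay, no timing bound:        ", relay_unlock(Car(KEY), fob, 40.0, 20.0))
    print("relay, 1 us round-trip bound:  ", relay_unlock(Car(KEY, 1.0), fob, 40.0, 20.0))
```

The challenge-response rejects the replayed recording but accepts the relayed exchange unless the car also bounds the round-trip time. Note how coarse even that bound is: in 1 µs a radio signal travels about 300 m, so a 1 µs round-trip limit still allows the fob to be roughly 150 m away, and a purely analog repeater adds only nanoseconds, not the 20 µs assumed here. Real distance bounding therefore needs nanosecond-resolution timing, which is the "not simple" part of locating the fob.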
Summary
Wireless communications introduce a unique set of challenges in building secure products: devices that cannot easily be patched, few affordable tools to evaluate them, attackers who can work from a distance without leaving logs, and signals that can be relayed without being modified.