Radio Frequency Hacking
Radio frequency (RF), as the name suggests, is the range of frequencies radios use to transmit and receive signals. The term also covers other technologies built on wireless communication, broadcasting, or radar, such as Bluetooth, Wi-Fi, and GPS. The wireless nature of these technologies makes them more vulnerable than their wired counterparts. Let’s talk about how they can be hacked!
What is RF hacking?
RF hacking means disrupting, damaging, or interfering with electronic devices using tools like RTL-SDR and HackRF One. An SDR, or software-defined radio, is hardware used for receiving and transmitting radio signals. The image below shows two different types of SDR. The one on the left is an RTL-SDR, which only allows users to receive radio signals. The one on the right is a HackRF One, a more advanced SDR that can both receive and transmit signals, which is why it is widely used in ethical hacking of devices that communicate over radio frequency.
Types of RF attacks
Sniffing attack
In this attack, the attacker sniffs and monitors data transmitted over a wireless channel. It can be used to capture sensitive information like passwords and personal data without getting noticed by the sender or receiver.
Jamming attack
A jamming attack interrupts the communication of a particular device by overwhelming it with noise. For example, an attacker uses a device that emits signals on the same frequency as a Wi-Fi network. This makes it impossible for legitimate users to connect to that Wi-Fi.
Replay attack
In this attack, the attacker captures a transmission and replays or resends it later, tricking the receiver into thinking that the signal comes from a legitimate user. A very simple example is capturing doorbell signals using HackRF One and a tool called Universal Radio Hacker (URH) and then replaying the signal to ring the doorbell.
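The doorbell replay works because a fixed-code transmitter sends the same bytes every time, so a recording is indistinguishable from a fresh press. The added example below (not code from the original post) models both a fixed-code receiver and a counter-plus-HMAC receiver in software; the key, the fixed code and all names are constructed.

```python
import hmac
import hashlib

# Added example (not from the original post): a doorbell button and receiver
# modelled in software. The sample key, code and names are constructed.

FIXED_CODE = bytes.fromhex("a5c3")                         # constructed fixed code
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")    # constructed shared key
TAG_LEN = 32


class FixedCodeReceiver:
    """Vulnerable: the transmitted code never changes, so a captured frame
    is accepted exactly like a fresh button press."""
    def receive(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, FIXED_CODE)


def make_frame(key: bytes, counter: int) -> bytes:
    """Hardened button: frame = 4-byte counter || HMAC-SHA256(key, counter)."""
    c = counter.to_bytes(4, "big")
    return c + hmac.new(key, c, hashlib.sha256).digest()


class CounterReceiver:
    """Hardened: verifies the tag and refuses any counter it has already seen.
    (Real rolling-code systems also allow a small forward window for presses
    the receiver missed; omitted here for brevity.)"""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def receive(self, frame: bytes) -> bool:
        if len(frame) != 4 + TAG_LEN:
            return False
        counter = int.from_bytes(frame[:4], "big")
        expected = hmac.new(self.key, frame[:4], hashlib.sha256).digest()
        if not hmac.compare_digest(frame[4:], expected):
            return False                      # forged or corrupted frame
        if counter <= self.last_counter:
            return False                      # replay of an old frame
        self.last_counter = counter
        return True


def demo() -> dict:
    """Replays a captured frame against both receivers."""
    captured = FIXED_CODE                     # what a sniffer would record
    fixed_replay = FixedCodeReceiver().receive(captured)
    rx = CounterReceiver(KEY)
    frame = make_frame(KEY, 1)                # genuine press
    first = rx.receive(frame)
    replay = rx.receive(frame)                # same bytes sent again
    tampered = rx.receive(make_frame(b"wrong-key", 2))
    return {"fixed_replay": fixed_replay, "first": first,
            "replay": replay, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```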
Spoofing attack
Spoofing involves an attacker posing as another user or device to gain unauthorized access or information. A good example is an IMSI catcher, which acts as a cell tower so that nearby smartphones connect to it. This way the attacker gets access to all the calls and messages of the smartphones connected to it.
Evil twin attack
It is similar to a spoofing attack, but it uses different tools and specifically mimics Wi-Fi. The attacker sets up a fake access point that mimics a legitimate Wi-Fi network. For example, the access point uses the same name as the free Wi-Fi of a nearby café. People around it connect to it, and the attacker can intercept their data.
GPS hacking
What is GPS?
GPS, or global positioning system, is a satellite-based navigation system used in aircraft, automated vehicles, Google Maps, etc. It lets a receiver determine the latitude and longitude of a particular place. The GPS unit can then be used to derive various things, such as speed, time of sunrise and sunset, trip distance, etc.
Methods of GPS hacking
GPS jamming: GPS jamming is a technique where GPS signals from satellites are interfered with. This is done by using powerful radio signals, which makes it difficult for GPS receivers to calculate time and position.
GPS spoofing: In GPS spoofing, false GPS signals are broadcast, which ultimately mislead a GPS receiver. I got a chance to witness this in a recent workshop.
All the attendees switched their phones to flight mode so that there were no actual GPS signals in the room. Next, he set up HackRF One and downloaded the GPS-SDR-SIM tool from GitHub. Then he compiled the tool’s scripts. He then downloaded the BRDC NP50 file from NASA’s archive. That file was then used to specify the desired location, which was Baroda city. He then broadcast these coordinates by running a command of the software tool and using HackRF One. As a result, when attendees opened their maps application, it showed their location as Baroda instead of Surat.
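A receiver cannot tell a simulated satellite from a real one by its signal alone, but it can notice that its position just teleported from Surat to Baroda. The added example below (not from the workshop or the original post) is a minimal receiver-side plausibility check over a constructed fix trace; the coordinates are approximate city centres and the timestamps and speed limit are assumptions.

```python
import math

# Added example (not from the workshop or the original post): flag GPS fixes
# whose implied speed from the previous fix is physically implausible.
# Coordinates are approximate city centres; timestamps are constructed.

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def suspicious_jumps(fixes, max_speed_mps=70.0):
    """fixes: list of (unix_time, lat, lon), in time order.
    Returns the indices of fixes whose implied speed from the previous fix
    exceeds max_speed_mps (70 m/s, about 250 km/h, is an assumed ceiling for
    a phone on the ground). A fuller check would also watch signal strength,
    satellite geometry and receiver clock drift; this is the minimum."""
    flagged = []
    for i in range(1, len(fixes)):
        t0, la0, lo0 = fixes[i - 1]
        t1, la1, lo1 = fixes[i]
        dt = max(t1 - t0, 1e-3)            # guard against duplicate timestamps
        speed = haversine_m(la0, lo0, la1, lo1) / dt
        if speed > max_speed_mps:
            flagged.append(i)
    return flagged


# Constructed trace: three fixes walking near Surat, then a fix in Baroda
# (Vadodara), roughly 130 km away, one second later, as the spoofer takes over.
SAMPLE_FIXES = [
    (1_700_000_000, 21.1702, 72.8311),
    (1_700_000_001, 21.1703, 72.8312),
    (1_700_000_002, 21.1704, 72.8313),
    (1_700_000_003, 22.3072, 73.1812),
]

if __name__ == "__main__":
    print(suspicious_jumps(SAMPLE_FIXES))   # [3]
```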
Repercussions of GPS Hacking
- Risk to national security: The military is dependent on GPS for multiple things like targeting and navigation, and if that gets interrupted, it can lead to disaster.
- Disturb flights and ships: GPS spoofing can mislead aircraft and ships, which can cause accidents, delays, or fuel logistics problems.
- Privacy violations: Accessing someone’s GPS location without their knowledge can be used for stalking or robbing them.
- Finance crash: There are places that use GPS-based automation for their operation, and GPS hacking can introduce vulnerabilities in these:
  a. Power grids: Power grids automate the power supply according to the needs of a place, which they identify by its GPS location.
  b. Banks: Banks use GPS to get an exact timestamp for a transaction. GPS hacking can manipulate these timestamps or cause loss.
  c. Emergency services: Emergency services like ambulance, fire, and police can reach the wrong location or get delayed, which can worsen the emergency.
- Cybersecurity issues: As more and more devices depend on GPS, that dependency can be used to mount cyberattacks such as malware or ransomware.
Wi-Fi Hacking
Wi-Fi hacking is done to get unauthorized access to a Wi-Fi network by exploiting various vulnerabilities of the network. It lets the attacker monitor network traffic, intercept confidential information, or simply disrupt the network.
Types of Wi-Fi Attacks
- Password cracking: Password cracking is based on a trial-and-error method. Attackers try to guess the password using automated brute-force tools. They can also use word lists made from leaked credentials.
- Rogue access point: A rogue access point is a fake access point connected to a real Wi-Fi that creates a backdoor. The attacker can then use that backdoor to access all the information that is on the network.
- Man-in-the-middle attack: Just as the name suggests, the attacker inserts themselves between two communicating devices, so they can capture all the data being transmitted between them.
- Packet sniffing: Packet sniffing is done using tools like Wireshark and Nmap. The attacker simply inspects the data packets being sent over the network.
- MAC spoofing: In this attack, the attacker changes its MAC (media access control) address to that of an actual user inside the network. This allows an attacker access to the network without any credentials.
- WPS vulnerabilities: A Wi-Fi router’s Wi-Fi Protected Setup (WPS) feature can be hacked by cracking the WPS PIN. The WPS PIN connects a device to the network without asking for the password.
Let’s have a look at the Wi-Fi pen testing practical.
Wi-Fi Penetration Testing
Warning: This is just for educational purposes. Do not perform it in unauthorized places.
We can perform a penetration test on Wi-Fi by using a tool named Airgeddon on a Kali Linux system, following the steps below:
1. Setup: Change the Wi-Fi password to a very easy one. Connect an Alfa card or adapter to your device and launch the Airgeddon tool. First, put the card in monitor mode using the tool.
2. Capture handshakes: Using Airgeddon, capture WPA/WPA2 handshakes to gather data packets.
3. Using Aireplay: Use the Aireplay tool to send de-authentication packets to all connected devices. This forces them to perform the handshake again to reconnect to the Wi-Fi, and that handshake gets captured in the Airgeddon tool.
4. Cracking the password: After capturing handshakes, use the Aircrack-ng option in the Airgeddon tool. This mode will use rainbow tables and crack the password of your Wi-Fi.
This highlights how weak passwords make your network vulnerable. It also shows that organizations should regularly perform penetration testing on their Wi-Fi to check the security of their networks.
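The de-authentication burst in step 3 is also the defender's best detection opportunity: a legitimate network sends very few deauth frames, so a flood of them against one BSSID stands out. The added example below (not code from the original post) parses raw 802.11 management frame headers and raises an alert when deauth frames against a BSSID exceed a threshold inside a time window; the frames, addresses and thresholds are constructed.

```python
from collections import defaultdict, deque

# Added example (not from the original post): a minimal monitor-mode detector
# for deauthentication floods. All frames and addresses below are constructed.

BROADCAST = bytes.fromhex("ffffffffffff")
SUBTYPE_DEAUTH = 12


def parse_mgmt_frame(frame: bytes):
    """Returns (subtype, addr1, addr2, addr3, reason) for an 802.11 management
    frame, or None for other frame types or truncated input."""
    if len(frame) < 24:
        return None
    fc = frame[0]                              # frame control, first byte
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4  # type 0 = management
    if ftype != 0:
        return None
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    reason = int.from_bytes(frame[24:26], "little") if len(frame) >= 26 else None
    return subtype, addr1, addr2, addr3, reason


def build_deauth(bssid: bytes, target: bytes, reason: int = 7) -> bytes:
    """Constructs a deauth frame (AP -> target) for the sample trace only."""
    return (bytes([0xC0, 0x00]) + b"\x00\x00" + target + bssid + bssid
            + b"\x00\x00" + reason.to_bytes(2, "little"))


class DeauthMonitor:
    """Alerts when more than `threshold` deauth frames naming one BSSID are
    seen within `window` seconds (threshold and window are assumed values)."""
    def __init__(self, threshold=10, window=5.0):
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(deque)

    def observe(self, ts: float, frame: bytes):
        parsed = parse_mgmt_frame(frame)
        if parsed is None or parsed[0] != SUBTYPE_DEAUTH:
            return None
        bssid = parsed[3]
        q = self.seen[bssid]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop frames outside the window
            q.popleft()
        if len(q) > self.threshold:
            return f"deauth flood against {bssid.hex(':')}: {len(q)} frames in {self.window}s"
        return None


def demo():
    """Feeds 15 broadcast deauths in 1.5 s and returns the alerts raised."""
    bssid = bytes.fromhex("02aabbccdd01")      # constructed AP address
    mon = DeauthMonitor(threshold=10, window=5.0)
    alerts = [mon.observe(100.0 + i * 0.1, build_deauth(bssid, BROADCAST)) for i in range(15)]
    return [a for a in alerts if a]
```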
How to prevent RF attacks?
For Individuals
- Secure Wi-Fi passwords: Always use a complex and unique password so that it can’t be guessed easily by unauthorized entities.
- Updated firmware: Regularly update your router and other related firmware to have the latest security patches.
- Switch off wireless communications: Disable automatic connection for all wireless interfaces like Wi-Fi, Bluetooth, and GPS when they are not needed, as this reduces the exposure to RF attacks.
- Use a Faraday bag: A Faraday bag isolates the device placed inside it from the outside world. It blocks electromagnetic waves from being sent or received by the device secured inside it.
For Organizations
- Monitor wireless communications: Use tools that detect and mitigate RF threats in real time, for example the AARTOS RF detection system and RFeye Site by CRFS.
- Train employees or operators: Employees or the operators who are responsible for operating devices should be educated about RF vulnerabilities. They should also be trained to respond to some common attacks.
- Security audits: The organization should conduct security audits at regular intervals. It helps in identifying vulnerabilities and checking gaps with compliance. Audits end with updating security checks in place as required.
- PACE plan: A PACE plan is a communication strategy used while mitigating an attack. PACE stands for Primary, Alternate, Contingency, and Emergency; it is a ranked list of alternative ways to communicate when one or another channel fails.
Conclusion
It is said that there are over 22 billion connected devices worldwide, of which almost 15 billion contain radio communication systems like Wi-Fi, Bluetooth, etc., which makes them vulnerable to RF attacks. We saw various attacks that are possible over Wi-Fi, GPS, or any other form of radio frequency connectivity, and the impact they can have.
As prevention is always better than cure, we should employ required prevention measures at an individual and organizational level.
Keep updating your knowledge about RF attacks just like your firmware.