Visiting A “Legal Hacker” Who Finds Cracks In IoT Security
If you’ve been rambling around Second Street in San Francisco’s South of Market tech hub recently (shown here), you might have seen an unusual sight—-a tall young Australian walking along with an open laptop connected to a mysterious knobby white stick.
That was Balint Seeber with an uber-antenna, and he was capturing wireless communications from devices as far as a city block away. Seeber could be called a hacker, but he’s the legal kind known as a security researcher, not one of the bad guys. His job is to find out how much information he can siphon out of the airwaves—-and how much control he might theoretically be able to grab over the devices and networks of other people.
As director of vulnerability research for Atlanta, GA-based Bastille Networks, he’s helping the cybersecurity startup find ways to protect its clients’ information “airspace.”
Taking the chance to visit a hacker in his lair, I met with Seeber at one of Bastille’s Bay Area outposts at a high, glass-walled Second Street building near Mission Street.
In a conference room off Bastille’s roomy office, Seeber showed me the inexpensive arsenal of weapons used in the particular kind of cyberattack he studies. These weapons include commonplace gizmos now built into millions of consumer devices, and which hackers can subvert into their own tools. They are high-powered versions of a consumer invention of the early 20th century that brought on the dawn of the communication age—-the humble radio.
What radios do is miraculous enough. They receive airwaves and translate them into sounds—from Ed Sheeran ballads to witty talk show banter. But the simple radio’s sophisticated cousins—what could be called smart radios—have freed the Internet from cables and sent packets of information flying through the air via wireless channels.
They’re called software defined radios (SDRs), and they’re packed into smartphones, tablets, and the growing ranks of connected household devices including dolls, kitchen appliances, light bulbs, and door locks.
Software defined radios are communication hubs. They can transmit signals as well as receive them. They’re also reconfigurable to do anything you want, Seeber says, because their functions are dictated by programmable software rather than baked into a computer chip. They can talk to all sorts of frequencies, exchanging data through WiFi, Bluetooth, ZigBee, and other wireless communication protocols. That means we can have cell phone conversations, track our runs with a Fitbit, and listen to the ball game from a wireless speaker.
But software defined radios are also great tools for hackers. They can be used to survey the airspace around them and pull the raw radio spectrum from devices into an observer’s computer, Seeber says. They can eavesdrop on “this invisible world that’s buzzing with activity, ripe for exploitation and, we hope, for securing,” Seeber says.
In other words, they can tap into the Web’s data stream just by catching radio waves—-without being on the Internet. “It’s not like you have to splice into cables,” Seeber says.
Just 10 years ago, these smart radios were the exotic, expensive equipment of the technical expert, Seeber says. But much cheaper, smaller versions are now scattered within millions of consumer devices. Some of the dongles we plug into USB ports on our computers are software-defined radios. These can be used to communicate with wireless devices such as keyboards.
Seeber uses a high-end software-defined radio (about $1119 from Ettus Research) attached to his laptop and an antenna to survey the activity of devices around him.
He shows me on his laptop screen the scrolling flux of green lines and dots that represent the radio frequency traffic he has intercepted from the many computers and other machines humming inside the Bastille office. With the right software, he can investigate device transmissions within a range of frequencies he selects, and isolate individual transmissions. He outlines one compressed set of lines with his cursor, and expands his selection on the screen into a visible green block to explore the message being sent.
The software dashboard displays key characteristics of the signal, including the Internet address of the device that sent it and the device it was sent to. The content of the message might also be vulnerable to decoding if it’s not encrypted, he says.
A software defined radio can sniff out poorly protected encryption keys and WiFi credentials—-and this could open the door to a breach of every device a user has connected to the same wireless network—from a connected thermostat or refrigerator to a personal PC.
“There’s one brand of light bulb that will leak your WiFi credentials,” Seeber says.
Bastille’s data security product allows business clients to see their office floorplans on a monitor, with the locations of all devices being used in it—-room by room. This might reveal simple concerns, like a smartphone-toting employee moving into a restricted physical location without permission. But the system can also track the office’s wireless message traffic and flag potential data security breaches, such as a device that’s being targeted by an attacker, or is vulnerable to an attack because of hardware or software weaknesses.
Among these potential weak spots are common consumer tools—-computer keyboards and mice that don’t need to be connected with wires.
Bastille has uncovered a hacker ploy it calls “Mousejack” because it exploits … Next Page »