If you’ve been rambling around Second Street in San Francisco’s South of Market tech hub recently (shown here), you might have seen an unusual sight—a tall young Australian walking along with an open laptop connected to a mysterious knobby white stick.
That was Balint Seeber with an uber-antenna, and he was capturing wireless communications from devices as far as a city block away. Seeber could be called a hacker, but he’s the legal kind known as a security researcher, not one of the bad guys. His job is to find out how much information he can siphon out of the airwaves—and how much control he might theoretically be able to grab over the devices and networks of other people.
As director of vulnerability research for Atlanta, GA-based Bastille Networks, he’s helping the cybersecurity startup find ways to protect its clients’ information “airspace.”
Taking the chance to visit a hacker in his lair, I met with Seeber at one of Bastille’s Bay Area outposts at a high, glass-walled Second Street building near Mission Street.
In a conference room off Bastille’s roomy office, Seeber showed me the inexpensive arsenal of weapons used in the particular kind of cyberattack he studies. These weapons include commonplace gizmos now built into millions of consumer devices, and which hackers can subvert into their own tools. They are high-powered versions of a consumer invention of the early 20th century that brought on the dawn of the communication age—the humble radio.
What radios do is miraculous enough. They receive airwaves and translate them into sounds—from Ed Sheeran ballads to witty talk show banter. But the simple radio’s sophisticated cousins—what could be called smart radios—have freed the Internet from cables and sent packets of information flying through the air via wireless channels.
They’re called software defined radios (SDRs), and they’re packed into smartphones, tablets, and the growing ranks of connected household devices including dolls, kitchen appliances, light bulbs, and door locks.
Software defined radios are communication hubs. They can transmit signals as well as receive them. They’re also reconfigurable to do anything you want, Seeber says, because their functions are dictated by programmable software rather than baked into a computer chip. They can talk to all sorts of frequencies, exchanging data through WiFi, Bluetooth, ZigBee, and other wireless communication protocols. That means we can have cell phone conversations, track our runs with a Fitbit, and listen to the ball game from a wireless speaker.
But software defined radios are also great tools for hackers. They can be used to survey the airspace around them and pull the raw radio spectrum from devices into an observer’s computer, Seeber says. They can eavesdrop on “this invisible world that’s buzzing with activity, ripe for exploitation and, we hope, for securing,” Seeber says.
In other words, they can tap into the Web’s data stream just by catching radio waves—without being on the Internet. “It’s not like you have to splice into cables,” Seeber says.
Just 10 years ago, these smart radios were the exotic, expensive equipment of the technical expert, Seeber says. But much cheaper, smaller versions are now scattered within millions of consumer devices. Some of the dongles we plug into USB ports on our computers are software-defined radios. These can be used to communicate with wireless devices such as keyboards.
Seeber uses a high-end software-defined radio (about $1119 from Ettus Research) attached to his laptop and an antenna to survey the activity of devices around him.
He shows me on his laptop screen the scrolling flux of green lines and dots that represent the radio frequency traffic he has intercepted from the many computers and other machines humming inside the Bastille office. With the right software, he can investigate device transmissions within a range of frequencies he selects, and isolate individual transmissions. He outlines one compressed set of lines with his cursor, and expands his selection on the screen into a visible green block to explore the message being sent.
The software dashboard displays key characteristics of the signal, including the Internet address of the device that sent it and the device it was sent to. The content of the message might also be vulnerable to decoding if it’s not encrypted, he says.
A software defined radio can sniff out poorly protected encryption keys and WiFi credentials—and this could open the door to a breach of every device a user has connected to the same wireless network—from a connected thermostat or refrigerator to a personal PC.
“There’s one brand of light bulb that will leak your WiFi credentials,” Seeber says.
Bastille’s data security product allows business clients to see their office floorplans on a monitor, with the locations of all devices being used in it—room by room. This might reveal simple concerns, like a smartphone-toting employee moving into a restricted physical location without permission. But the system can also track the office’s wireless message traffic and flag potential data security breaches, such as a device that’s being targeted by an attacker, or is vulnerable to an attack because of hardware or software weaknesses.
Among these potential weak spots are common consumer tools—computer keyboards and mice that don’t need to be connected with wires.
Bastille has uncovered a hacker ploy it calls “Mousejack” because it exploits the USB dongles we plug into our computers so they can communicate with a wireless mouse or keyboard.
Many manufacturers equipped these dongles with a Nordic Semiconductor chip that can be modified to securely communicate with wireless accessories such as keyboards. But if a non-Bluetooth wireless device manufacturer installed no additional precautions in the chip, the dongle can become a gateway for hackers to take over the computer from some distance away. For example, if the dongle isn’t programmed to accept only the encrypted keystrokes from the user’s wireless keyboard, the attacker can wirelessly deliver unencrypted keystrokes that the dongle accepts just as though they had been typed by the computer’s legitimate user.
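The acceptance rule described above, sketched as an added example (not Bastille's or any vendor's code): a permissive dongle passes unprotected keystroke frames to the host, while a strict one accepts only keystrokes it can verify. The frame layout, names and link key are constructed for illustration, an HMAC tag stands in for the encryption the article mentions, and the replay counter goes one step beyond what the article discusses.

```python
import hashlib, hmac, os, struct

# Constructed frame layout for illustration only; not any vendor's real format.
TYPE_KEY_PLAIN, TYPE_KEY_SECURE, TAG_LEN = 0x02, 0x03, 8

def _tag(link_key, body):
    return hmac.new(link_key, body, hashlib.sha256).digest()[:TAG_LEN]

def secure_key_frame(link_key, counter, keycode):
    """Keyboard side: type | counter | keycode, followed by a truncated HMAC tag."""
    body = struct.pack(">BIB", TYPE_KEY_SECURE, counter, keycode)
    return body + _tag(link_key, body)

def plain_key_frame(keycode):
    """Unprotected keystroke frame: no secret is needed to build one."""
    return struct.pack(">BB", TYPE_KEY_PLAIN, keycode)

class Dongle:
    def __init__(self, link_key, strict):
        self.link_key, self.strict = link_key, strict
        self.last_counter = -1
        self.typed = []  # keycodes handed to the host as if typed locally

    def receive(self, frame):
        """Return True if the frame is accepted and passed on as a keystroke."""
        if len(frame) == 2 and frame[0] == TYPE_KEY_PLAIN:
            if self.strict:              # hardened: keystrokes must be authenticated
                return False
            self.typed.append(frame[1])  # permissive: the flaw described above
            return True
        if len(frame) == 6 + TAG_LEN and frame[0] == TYPE_KEY_SECURE:
            body, tag = frame[:6], frame[6:]
            if not hmac.compare_digest(tag, _tag(self.link_key, body)):
                return False
            _, counter, keycode = struct.unpack(">BIB", body)
            if counter <= self.last_counter:  # replayed or stale frame
                return False
            self.last_counter = counter
            self.typed.append(keycode)
            return True
        return False

def demo():
    key = os.urandom(16)  # link key shared at pairing (assumed)
    legit, injected = secure_key_frame(key, 1, 0x04), plain_key_frame(0x05)
    out = {}
    for name, strict in (("permissive", False), ("strict", True)):
        d = Dongle(key, strict)
        out[name] = (d.receive(legit), d.receive(injected), d.receive(legit), d.typed)
    return out
```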
In the Bastille office, Seeber showed me how an entire packet of malicious code could be sent to the victim’s computer wirelessly within seconds.
With a radio frequency transmitting device and a small antenna, a hacker trying something like Mousejack might need to be within 30 feet of the target computer to succeed. But Seeber was able to extend that range to more than 700 feet by buying a bigger antenna—the knobby white stick he uses with his laptop as he roams around Second Street.
“That antenna was $70 on Amazon,” Seeber says. (The computer he Mousejacked was owned by Bastille, in case you wondered.)
I first met Seeber at RSA, the big annual cybersecurity conference, early this year in San Francisco. There, he and some other security researchers gleefully showed how easily they could interfere with radio frequency signals to remotely unlock electronic door locks, jam home alarm signals, and peer through the cameras in Web-connected devices, among other feats.
The addition of microphones to some of these devices—such as talking dolls and TVs that respond to voice commands—introduces threats to consumer privacy as well as security, Bastille has warned. One smart TV manufacturer said it might use the monitor’s voice command microphone to capture family conversations and send them out to voice-to-text transcription services, a Bastille blogpost reported.
Seeber says his unit at Bastille is still uncovering the low-hanging fruit of security vulnerabilities among wirelessly connected devices, because many manufacturers haven’t caught on to the need to build in protective measures against the capture of airborne signals. And consumers of IoT devices aren’t awake to the dangers either, he says.
“Consumers are just grabbing everything they can because it’s new and cool,” Seeber says.
I wondered if Seeber, who is so aware of the security vulnerabilities of all the connected gizmos we’re bringing into our homes and offices, keeps his own environment relatively free of these devices. He says no.
“One way or the other, we will end up leaking information,” Seeber says. “That’s the price we pay for these modern conveniences.”
But then, he’s a security expert. He has skills that would be arcane for most people, like changing the default settings on a connected kitchen appliance.
How can ordinary consumers surrounded by wireless devices protect themselves? I asked him.
“If you want to be sure about anything, unplug it,” Seeber says.