Orb-weaver and Flying Fox | 2U.S. Naval Research Laboratory
Problem Statement
Wireless devices pose significant risks to US government classified and unclassified information systems and are prohibited from entering secure spaces.
Agenda
• Wireless Risks
  − Wi-Fi
  − Bluetooth
  − Cellular
• US Government Requirements and Guidance
• Wireless Technologies Overview and Monitoring Challenges
• Solution - Orb-weaver and Flying Fox
Wi-Fi Risks
• Rogue Wi-Fi networks
• Eavesdropping
• Impersonation & cloning
• Honeypot
Bluetooth Risks
• Eavesdropping
  − Audio via Bluetooth speaker / headset
  − Data captured from keyboard / mouse
  − Data captured from external sensors (e.g., fitness devices)
• Bluetooth protocol stack vulnerabilities (e.g., BlueBorne)
Cellular Risks
• Cell Phone = COMPUTER + Camera + Microphone
• Exfiltration
  − Hotspot (Wi-Fi)
• Eavesdropping
• Rogue base station
  − IMSI catcher
Wireless Intrusion Detection System (WIDS) Requirements Documents
Requirements
• ODNI memo ES2017-00043, with classified addendum
  − Mandates WIDS
• DOD Joint Special Access Program (SAP) Implementation Guide (JSIG)
  − “The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system.”
• Defense Security Service (DSS) Assessment and Authorization Process Manual (DAAPM)
  − Appendix A Security Controls
• Risk Management Framework (RMF) Information and Resources
  − National Industrial Security Program (NISP)
  − DoD 5220.22-M
  − Industrial Security Letters
  − DSS Assessment and Authorization Process Manual
• DoD Instruction 8420.01 (November 3, 2017)
  − Required if you have a WLAN
  − Section 1.2 policy dictates “Unclassified and classified DoD wired and wireless LANs must have a wireless intrusion detection system (WIDS) capability…”
Guidance
• NIST Special Publication (SP) 800 series (-37, -39, -53, -53A, -137)
• Committee on National Security Systems (CNSS) Policies (22, 1253, 1253A, 3009)
Wireless Technologies and Monitoring Challenges
Wi-Fi (802.11) – Terminology
• Station (STA)
  − Any device that participates in a Wi-Fi network
• Access Point (AP)
  − A device that bridges a wireless network to a wired network
• Basic Service Set (BSS)
  − A wireless access point and its associated clients
• Service Set Identifier (SSID)
  − The human-readable network name advertised by a BSS (the BSSID, normally the AP’s MAC address, is what identifies one particular BSS)
• Extended Service Set (ESS; written EBSS on the original slide)
  − A collection of wireless access points and clients that share the same SSID
• Probe Request / Response
  − 802.11 network discovery protocol
[Diagram: two BSSs, each an AP with its associated clients (smartphone, laptop, desktops, server, printer), together forming one ESS.]
Wi-Fi (802.11) – Overview
• Wi-Fi Frequency Ranges
• 2.4 GHz (11+ overlapping channels)
• 5 GHz (40+ overlapping channels)
• Medium Access Control
• Carrier sensing
• Modulations
• Direct Sequence Spread Spectrum (DSSS) (802.11b)
• OFDM (Orthogonal Frequency Division Multiplexing) (802.11a/g)
• OFDM with Multiple-Input Multiple Output (MIMO) (802.11n/ac)
Wi-Fi (802.11) – Monitoring Challenges
• Allocating Wi-Fi radios to the large number of available channels
• Lots of devices have Wi-Fi built-in
• Finding Wi-Fi on devices that you don’t expect
• Randomized MAC addresses
• Smartphones (Android and iOS)
• Linux / Windows laptops and tablets
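One check a WIDS can apply to the randomized-address problem above, as an added example that is not Orb-weaver’s code: a privacy-randomized MAC sets the locally administered (U/L) bit, bit 1 of the first octet, so it can be flagged from the address alone, and addresses that probe for exactly the same set of remembered SSIDs are a weak hint that two rotated addresses belong to one device. The probe records, the MAC addresses and the function names are constructed for the example.

```python
"""Spot randomized Wi-Fi MAC addresses in probe requests and re-link them by probed SSIDs.

Added example (not Orb-weaver code). A privacy-randomized MAC sets the
locally administered (U/L) bit, 0x02 of the first octet, so it can be
flagged from the address alone; the probe records below are constructed.
"""
from collections import defaultdict


def parse_mac(mac):
    """Accepts aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff; returns the 6 raw bytes."""
    parts = mac.strip().lower().replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def is_locally_administered(mac):
    """True when the U/L bit (0x02 of octet 0) is set: randomized or admin-assigned."""
    return bool(parse_mac(mac)[0] & 0x02)


def is_multicast(mac):
    """True when the I/G bit (0x01 of octet 0) is set; never a legitimate source MAC."""
    return bool(parse_mac(mac)[0] & 0x01)


def classify_probes(records):
    """records: iterable of (source_mac, probed_ssid) taken from probe requests.

    Returns {mac: {"randomized": bool, "ssids": set}}. Multicast sources are
    skipped: they indicate a spoofed or corrupt frame rather than a device.
    """
    devices = {}
    for mac, ssid in records:
        if is_multicast(mac):
            continue
        entry = devices.setdefault(
            mac, {"randomized": is_locally_administered(mac), "ssids": set()})
        if ssid:  # broadcast probes carry an empty SSID; nothing to fingerprint
            entry["ssids"].add(ssid)
    return devices


def link_by_probe_set(devices):
    """Group randomized addresses that probed exactly the same set of SSIDs.

    A device that rotates its MAC usually keeps probing the same remembered
    networks, so an identical probe set is a (weak) hint that two randomized
    addresses are one device. Returns {frozenset(ssids): [macs]} for groups
    with more than one address.
    """
    groups = defaultdict(list)
    for mac, info in devices.items():
        if info["randomized"] and info["ssids"]:
            groups[frozenset(info["ssids"])].append(mac)
    return {k: v for k, v in groups.items() if len(v) > 1}


# Constructed probe-request log: (source MAC, SSID). Not captured data.
SAMPLE_PROBES = [
    ("00:11:22:33:44:55", "corp-guest"),   # U/L bit clear: vendor-assigned address
    ("da:a1:19:0c:7e:01", "home-net"),     # U/L bit set: randomized
    ("da:a1:19:0c:7e:01", "coffee-wifi"),
    ("56:3f:e0:22:aa:9b", "home-net"),     # same probe set, rotated address
    ("56:3f:e0:22:aa:9b", "coffee-wifi"),
    ("56:3f:e0:22:aa:9b", ""),             # broadcast probe, ignored
    ("01:00:5e:00:00:fb", "bogus"),        # multicast source: dropped
]

if __name__ == "__main__":
    devs = classify_probes(SAMPLE_PROBES)
    for mac, info in devs.items():
        print(mac, "randomized" if info["randomized"] else "global", sorted(info["ssids"]))
    print(link_by_probe_set(devs))
```

The U/L bit test is exact; the probe-set linkage is only a hint, since two unrelated devices can remember the same networks and modern phones increasingly send broadcast probes with no SSID at all.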
Bluetooth – Overview
• Terms
  − Piconet: a collection of Bluetooth devices participating in an ad-hoc network
  − Master: the device responsible for coordinating communications in a piconet
  − Slave: a device communicating in a piconet under the master’s coordination
  − Scatternet: a collection of piconets in which one or more devices participate in at least 2 of the piconets in the collection
• Bluetooth (classic) and Bluetooth Low Energy (LE)
• Example Devices
  − Activity trackers, headsets, speakers, hearing aids, thermostats, security cameras, smoke detectors, watches
[Diagram: Piconet #1 and Piconet #2 sharing a device, forming a Scatternet.]
Bluetooth – Overview Cont.
• Frequency Ranges
• 2.4 GHz (79 channels, 40 channels for Bluetooth LE)
• Medium Access Control
• Adaptive Frequency Hopping Spread Spectrum (FHSS)
• Modulations
• Gaussian Frequency-shift Keying (GFSK)
• Differential Phase-shift Keying (DPSK)
Bluetooth – Monitoring Challenges
• Discovering devices actively communicating in a piconet
• Discovering devices that aren’t in a discoverable mode
• Finding Bluetooth on devices that you did not expect (e.g., Smart TVs)
Cellular - Terminology
• Base Station “Cell Tower”
• (NodeB, eNodeB, etc.)
• Transmits traffic to/from User Equipment
• Controls medium access
• User Equipment (UE) “Cell Phone”
• Equipment that users use to communicate with a cellular network
• Smartphones, mobile hotspot devices, etc.
[Diagram: one base station (eNodeB) serving several UEs.]
Cellular – Overview Cont.
• Frequency Ranges
• Various, depends heavily on geographic region and specific cellular technology (GSM, CDMA2K, UMTS, LTE)
• Examples include 700 MHz, 800 MHz, 1700 MHz, 1800 MHz, 1900 MHz, and 2100 MHz
• Each frequency range supports hundreds of channels
• Medium Access Control
• Time Division Multiple Access (TDMA)
• Frequency Division Multiple Access (FDMA)
• Coordination and medium access is managed by the base stations
• Modulations
• GSM/2G (All providers)
− Gaussian Minimum-shift keying (GMSK)
• UMTS/3G (AT&T and T-Mobile)
− Phase-shift keying (PSK)
• CDMA2K/3G (Sprint and Verizon)
• LTE/4G (All providers)
− OFDM
Cellular – Overview Cont.
• Cellular Technology Usage in North America for 2017 (Ericsson Mobility Report – June 2017)
[Chart: Current versus Projected Cellular Technology Usage, stacked bars from 0% to 100% for North America (2017) and North America (2020); series: LTE, UMTS, CDMA2K, GSM, 5G.]
Cellular – Identifiers
• Permanent Identifiers
  − IMEI (International Mobile Equipment Identity): stored on the UE; identifies the handset hardware, not the subscriber
  − IMSI (International Mobile Subscriber Identity): typically stored on the SIM card
    − Its leading digits (MCC + MNC) identify the country and cellular network (e.g., USA and AT&T)
  − ESN (Electronic Serial Number): permanent CDMA device identifier (listed among the temporary identifiers on the original slide)
• Temporary Identifiers
  − Dependent on the cellular technology
    − TMSI
    − U-RNTI
    − S-TMSI
    − LTE Random Number
    − Etc.
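To show what “positive identification” from these identifiers involves, here is an added example (not Orb-weaver or Flying Fox code) that splits an IMSI into MCC / MNC / MSIN and validates an IMEI with the Luhn check digit that the 15-digit IMEI format carries in its last position. The PLMN table is a constructed subset (a real deployment needs the full operator list), the rule that US MCCs use 3-digit MNCs is an assumption encoded in `THREE_DIGIT_MNC_MCCS`, and the IMEI used is the conventional documentation example, not a real handset.

```python
"""Decode the permanent cellular identifiers (IMSI, IMEI) described on the slides.

Added example (not Orb-weaver or Flying Fox code). Assumptions: PLMN is a
constructed subset of the real MCC+MNC table; MNC length is taken as 3 for
the US MCCs listed and 2 elsewhere; the IMEI check digit is Luhn over the
first 14 digits.
"""

# Constructed subset of PLMN codes (MCC+MNC). Real deployments need the full list.
PLMN = {
    "310410": ("USA", "AT&T Mobility"),
    "310260": ("USA", "T-Mobile USA"),
    "311480": ("USA", "Verizon Wireless"),
}
# Assumed: these MCCs (USA) are followed by a 3-digit MNC; others by a 2-digit MNC.
THREE_DIGIT_MNC_MCCS = {"310", "311", "312", "313", "316"}


def split_imsi(imsi):
    """Return (mcc, mnc, msin) for an IMSI of 6 to 15 decimal digits."""
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError(f"IMSI must be 6-15 decimal digits: {imsi!r}")
    mcc = imsi[:3]
    mnc_len = 3 if mcc in THREE_DIGIT_MNC_MCCS else 2
    return mcc, imsi[3:3 + mnc_len], imsi[3 + mnc_len:]


def identify_imsi(imsi):
    """Map an IMSI to its country and operator using the PLMN table."""
    mcc, mnc, msin = split_imsi(imsi)
    country, operator = PLMN.get(mcc + mnc, ("unknown", "unknown"))
    return {"mcc": mcc, "mnc": mnc, "msin": msin,
            "country": country, "operator": operator}


def luhn_check_digit(payload):
    """Luhn check digit for a string of digits (the IMEI's first 14 digits)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # double every other digit, starting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def imei_is_valid(imei):
    """15 decimal digits whose last digit is the Luhn check of the first 14."""
    return (len(imei) == 15 and imei.isdigit()
            and luhn_check_digit(imei[:14]) == int(imei[14]))


def split_imei(imei):
    """Return TAC (8 digits, identifies the model), serial (6) and check digit (1)."""
    if not imei_is_valid(imei):
        raise ValueError(f"invalid IMEI: {imei!r}")
    return {"tac": imei[:8], "serial": imei[8:14], "check": imei[14]}


if __name__ == "__main__":
    # Constructed IMSI: MCC 310, MNC 410, arbitrary MSIN.
    print(identify_imsi("310410123456789"))
    # Conventional documentation example IMEI, not a real handset.
    print(split_imei("490154203237518"))
```

The MNC-length rule is the part that bites in practice: a decoder that always assumes a 2-digit MNC will mis-attribute every North American IMSI, so the MCC-to-MNC-length table has to be kept alongside the operator list.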
Cellular – Monitoring Challenges
• All cellular spectrum is licensed and heavily regulated, so active localization techniques cannot be used
• Numerous technologies to monitor (UMTS, LTE, etc.)
• Infrequent transmission (power saving)
• Hard to associate temporary identifiers to individual users
• Phones routinely receive updates that add support for new cellular modulations, frequency ranges, base station configurations, and medium access control methods
• Base stations routinely change various configuration parameters that affect how UEs access the cellular network
Cellular – Monitoring Challenges
• Energy threshold-based detection techniques produce high false positive rates
  • Time division (TDMA; in LTE, time-division duplex)
    − Base station and UEs use the same frequency for both uplink and downlink traffic, but slice the time each UE gets to communicate
    − An energy detector therefore cannot distinguish a UE from a base station on that frequency
    − Sprint has this deployed today
  • Frequency Division Multiple Access (FDMA)
    − Separate uplink and downlink frequencies
    − Bad equipment can produce spurious transmissions: for example, leaky desktop/server power supplies often put out high-energy signals in cellular frequency bands, and energy-based techniques cannot tell these power supplies apart from a UE
Orb-weaver and Flying Fox: Meeting the wireless monitoring and localization challenge
U.S. Naval Research Laboratory
Orb-weaver
• Distributed sensor grid for indoor detection and localization of Wi-Fi, Bluetooth, and cellular transmitters
Flying Squirrel
[Diagram labels: Bluetooth detection; Indoor scanning; Analyzes data from Flying Squirrel; Locates and maps wireless devices; Cellular detection (UMTS, LTE); WiFi discovery; 24/7 monitoring.]
Epiq Solutions partnered with NRL’s Flying Squirrel Program Office to develop the Flying Fox sensor.
Wireless Monitoring
• Wi-Fi
  − COTS Wi-Fi card in monitor mode
  − Supports 2.4 GHz and 5 GHz spectrum
  − Supports 802.11a/b/g/n
• Bluetooth/Bluetooth LE
  − COTS Bluetooth card in monitor mode
• UMTS
  − Epiq Solutions Software-defined Radio (SDR)
  − Demodulates UMTS signals to provide positive cell phone identification
  − Demodulates pilot base station signals to provide positive cell tower identification and feature extraction (TDMA, FDMA, modulation types, etc.)
• LTE
  − Demodulates LTE signals to provide positive cell phone identification
  − Demodulates pilot base station signals to provide positive cell tower identification and feature extraction (TDMA, FDMA, modulation types, etc.)
• Future
  − CDMA2K, GSM: already supported by the sensor, with support being added to Orb-weaver
Flying Fox Features
• Passive RF sensor platform with four flexible Software Defined Radio (SDR) + signal processing cards
  − 70 MHz – 6 GHz, 50 MHz per channel
  − Integrated FPGA on each SDR
• Demodulates and decodes the initial “handshake” (access request / RACH) messages transmitted by nearby cellular-enabled phones/tablets/etc. to cell towers
• For each detection, provides:
  − Cell band + channel of phone
  − Cell provider (Verizon, AT&T, etc.) of phone
  − Mobile identifier used during access request (TMSI, IMSI, S-TMSI, P-TMSI, S-RNTI, etc.)
  − Detection of multiple simultaneous active cell phones
  − RSSI (RF signal strength) of phone and tower
  − Timestamp of detection
  − Integrated logging + detection event logged
• Software-upgradeable & expandable
• “I see an AT&T phone...And a Verizon phone...Another Verizon phone...”
• ZERO FALSE POSITIVES. Period.
  − This is the vendor’s claim; it follows from reporting a detection only when a RACH message has actually been decoded, rather than from an energy threshold, so a phone the sensor fails to decode is a miss, not a false alarm
Localization
• The process of estimating locations of unknown transmitters by combining observations from multiple sensors
• Multiple techniques exist with varying complexity versus cost tradeoffs
  − Time Difference of Arrival (TDOA)
  − Time of Flight (ToF)
  − Power Difference of Arrival (PDOA)
  − Angle of Arrival (AoA)
• Orb-weaver employs Power Difference of Arrival
  − Works with off-the-shelf hardware for Wi-Fi and Bluetooth and Flying Fox’s Software-defined radios
  − Provides good accuracy (75% to 80% of errors < 3 meters) and precision (average error 2 – 2.5 meters)
[Chart: Cumulative Error Distribution, percentage of localizations versus error (m) from 0 to 14 m, for two sensor densities (150 m²/sensor and 100 m²/sensor); at 3 m the two curves reach 75.00% and 80.56%.]
[Chart: Mean Error (m) versus Sensor Density (m²/sensor), x-axis 0–300 m²/sensor, y-axis 0–4 m.]
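The PDOA idea behind the results above, as an added example that is not Orb-weaver’s implementation: under a log-distance path-loss model, RSSI = P0 − 10·n·log10(d), the difference between two sensors’ readings no longer depends on the unknown transmit power P0, so the transmitter position can be found by searching the floor plan for the point whose predicted pairwise differences best match the observed ones. The sensor layout, the path-loss exponent n = 3, the reference power P0 = −40 dBm, the grid-search solver and all function names are assumptions of this example.

```python
"""Power Difference of Arrival (PDOA) localization on a 2-D floor plan.

Added example, not NRL's Orb-weaver code. Assumes a log-distance path-loss
model, RSSI = P0 - 10*n*log10(d), and recovers the transmitter position by a
grid search over pairwise RSSI differences, which cancel the unknown P0.
"""
import math
from itertools import combinations

# Hypothetical sensor layout (metres) for a 20 m x 15 m floor.
SENSORS = {
    "s1": (0.0, 0.0),
    "s2": (20.0, 0.0),
    "s3": (0.0, 15.0),
    "s4": (20.0, 15.0),
    "s5": (10.0, 7.5),
}
PATH_LOSS_EXPONENT = 3.0   # assumed indoor value; 2.0 would be free space
MIN_DISTANCE = 0.1         # guard so log10 never sees a zero distance


def predicted_rssi_diff(p, a, b, n=PATH_LOSS_EXPONENT):
    """RSSI at sensor a minus RSSI at sensor b for a transmitter at p (P0 cancels)."""
    da = max(math.dist(p, a), MIN_DISTANCE)
    db = max(math.dist(p, b), MIN_DISTANCE)
    return -10.0 * n * (math.log10(da) - math.log10(db))


def pdoa_cost(p, rssi, sensors, n=PATH_LOSS_EXPONENT):
    """Sum of squared mismatches between observed and predicted pairwise differences."""
    cost = 0.0
    for i, j in combinations(sensors, 2):
        observed = rssi[i] - rssi[j]
        cost += (observed - predicted_rssi_diff(p, sensors[i], sensors[j], n)) ** 2
    return cost


def frange(start, stop, step):
    """Inclusive float range, start .. stop in steps of step."""
    k = 0
    while start + k * step <= stop + 1e-9:
        yield start + k * step
        k += 1


def _grid_min(rssi, sensors, xs, ys, n):
    best, best_cost = None, float("inf")
    for x in xs:
        for y in ys:
            c = pdoa_cost((x, y), rssi, sensors, n)
            if c < best_cost:
                best, best_cost = (x, y), c
    return best, best_cost


def localize_pdoa(rssi, sensors=SENSORS, bounds=(0.0, 20.0, 0.0, 15.0), n=PATH_LOSS_EXPONENT):
    """Coarse 0.5 m grid search over the floor, then a 0.05 m refinement around the best cell.

    rssi: {sensor_name: dBm}. Returns ((x, y), residual_cost).
    """
    x0, x1, y0, y1 = bounds
    (cx, cy), _ = _grid_min(rssi, sensors,
                            list(frange(x0, x1, 0.5)), list(frange(y0, y1, 0.5)), n)
    return _grid_min(rssi, sensors,
                     list(frange(max(x0, cx - 1.0), min(x1, cx + 1.0), 0.05)),
                     list(frange(max(y0, cy - 1.0), min(y1, cy + 1.0), 0.05)), n)


def simulate_rssi(true_pos, sensors=SENSORS, p0=-40.0, n=PATH_LOSS_EXPONENT):
    """Constructed, noise-free RSSI readings (dBm) for a transmitter at true_pos."""
    return {name: p0 - 10.0 * n * math.log10(max(math.dist(true_pos, s), MIN_DISTANCE))
            for name, s in sensors.items()}


if __name__ == "__main__":
    readings = simulate_rssi((7.3, 4.1))       # constructed transmitter position
    estimate, residual = localize_pdoa(readings)
    print("estimate:", estimate, "residual cost:", residual)
```

With noise-free readings the search lands on the true position; real RSSI carries several dB of fading and body-shadowing noise, and because a 1.5 dB error at n = 3 already corresponds to a 12% error in distance, the 2 to 2.5 m mean error reported above is what that noise looks like after five or more sensors vote.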
Localization – Multi-floor Radiation Fields
Orb-weaver Features
• Filtering, Sorting, Searching
  − Wi-Fi MAC address, Wi-Fi SSID, Bluetooth MAC address, Cellular identifier, Device manufacturer, etc.
• Visualizations
  − Ranges, Radiation fields, Data points, Logical Wi-Fi connectivity
• Alerts and Triggers (logged to syslog)
  − Unauthorized devices, Devices in secure spaces, Default access point configurations, etc.
• Department of Defense Information Network Approved Products List (DODIN APL) Certification
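To make the alert triggers concrete, here is an added example (not Orb-weaver’s code) that evaluates the three listed triggers over detection records and renders each hit as an RFC 3164 style syslog line. The inventory allowlist, the rectangular secure space, the default-SSID pattern, the record layout and the detections themselves are all constructed for the example.

```python
"""Orb-weaver style alert triggers evaluated over detection records.

Added example, not Orb-weaver code. Assumes: an inventory allowlist of
authorised device identifiers, rectangular secure spaces on a 2-D floor plan
(metres), and a regex of factory-default SSIDs. Detection records are
constructed. Matches are rendered as RFC 3164 style syslog lines.
"""
import re
from datetime import datetime

AUTHORIZED_IDS = {"00:11:22:33:44:55", "aa:bb:cc:00:00:01"}   # assumed inventory
SECURE_SPACES = {"SCIF-2": (10.0, 0.0, 20.0, 7.5)}              # name: (x0, y0, x1, y1)
DEFAULT_SSID = re.compile(r"^(linksys|NETGEAR\d*|TP-LINK_[0-9A-F]{4,6}|dlink)$",
                          re.IGNORECASE)                         # assumed default names


def in_secure_space(pos, spaces=SECURE_SPACES):
    """Name of the secure space containing pos, or None."""
    x, y = pos
    for name, (x0, y0, x1, y1) in spaces.items():
        if x0 <= x <= x1 and y0 <= y <= y1:
            return name
    return None


def evaluate(det, authorized=AUTHORIZED_IDS, spaces=SECURE_SPACES):
    """det: {"tech", "id", "pos", optional "role", "ssid"}. Returns [(rule, message)]."""
    hits = []
    ident, tech, pos = det["id"], det["tech"], det["pos"]
    if ident not in authorized:
        hits.append(("unauthorized_device",
                     f"{tech} device {ident} is not in the inventory"))
    space = in_secure_space(pos, spaces)
    if space is not None:
        hits.append(("device_in_secure_space",
                     f"{tech} device {ident} localized inside {space} "
                     f"at ({pos[0]:.1f}, {pos[1]:.1f}) m"))
    if det.get("role") == "ap" and DEFAULT_SSID.match(det.get("ssid", "")):
        hits.append(("default_ap_config",
                     f"AP {ident} advertises factory-default SSID {det['ssid']!r}"))
    return hits


def to_syslog(rule, message, ts, host="orbweaver", facility=1, severity=4):
    """PRI = facility*8 + severity; defaults LOG_USER (1), LOG_WARNING (4) give <12>."""
    return (f"<{facility * 8 + severity}>{ts.strftime('%b %d %H:%M:%S')} "
            f"{host} wids[{rule}]: {message}")


def run(detections, ts):
    """Evaluate every detection and return the syslog lines to emit."""
    return [to_syslog(rule, msg, ts)
            for det in detections for rule, msg in evaluate(det)]


# Constructed detections (identifier, localized position in metres, role/SSID).
SAMPLE_DETECTIONS = [
    {"tech": "wifi", "id": "00:11:22:33:44:55", "pos": (3.0, 2.0), "role": "sta"},
    {"tech": "cellular", "id": "TMSI:0x1a2b3c4d", "pos": (14.2, 3.3)},
    {"tech": "wifi", "id": "c4:e9:84:12:34:56", "pos": (2.0, 12.0),
     "role": "ap", "ssid": "NETGEAR57"},
]

if __name__ == "__main__":
    for line in run(SAMPLE_DETECTIONS, datetime.now()):
        print(line)
```

A cellular TMSI is a temporary identifier, so the inventory check is meaningful only for identifiers that persist (MAC addresses that are not randomized, IMSI/IMEI where the sensor recovers them); for a TMSI the secure-space rule is the one that carries the weight, which is why localization accuracy matters for alerting and not just for the map.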
Contact Information
Orb-weaver
https://www.nrl.navy.mil/itd/chacs/5545/flying-squirrel
U.S. Naval Research Laboratory, 4555 Overlook Ave SW, Washington, DC 20375
Brandon Enochs, Computer [email protected], (202) 404-5372
Flying Fox
https://epiqsolutions.com/flyingfox/
Epiq Solutions, 5680 King Centre Drive #600, Alexandria, VA 22315
Bill Sims, MSG, USA (Ret), Director of Government [email protected], (301) 956-0475