Wireless Compromise

Adversaries may perform wireless compromise as a method of gaining communications with, and unauthorized access to, a wireless network. Access to a wireless network may be gained through the compromise of a wireless device. [1] [2] Adversaries may also utilize radios and other wireless communication devices operating on the same frequency as the wireless network. Wireless compromise can serve as an initial access vector from a remote distance.

A Polish student used a modified TV remote controller to gain access to and control over the Lodz city tram system in Poland. [3] [4] The remote controller allowed the student to interface with the tram network to modify track settings and override operator control. The adversary may have accomplished this by aligning the controller to the frequency and amplitude of the IR control protocol signals. [5] The controller then enabled initial access to the network, allowing the capture and replay of tram signals. [3]

ID: T0860
Sub-techniques: No sub-techniques
Tactic: Initial Access
Platforms: None
Contributors: Scott Dougherty
Version: 1.2
Created: 21 May 2020
Last Modified: 13 October 2023

Procedure Examples

ID | Name | Description
C0020 | Maroochy Water Breach

In the Maroochy Water Breach, the adversary used a two-way radio to communicate with and set the frequencies of Maroochy Shire's repeater stations.[6]

Targeted Assets

ID | Asset
A0013 | Field I/O
A0001 | Workstation

Mitigations

ID | Mitigation | Description
M0802 | Communication Authenticity

Do not inherently rely on the authenticity provided by the network/link layer (e.g., 802.11, LTE, 802.15.4), as link layer equipment may have long lifespans and protocol vulnerabilities may not be easily patched. Provide defense-in-depth by implementing authenticity within the associated application-layer protocol, or through a network-layer VPN. [7] Furthermore, ensure communication schemes provide strong replay protection, employing techniques such as timestamps or cryptographic nonces.

M0808 | Encrypt Network Traffic

Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications.

M0806 | Minimize Wireless Signal Propagation

Techniques can include (i) reducing transmission power on wireless signals, (ii) adjusting antenna gain to prevent extensions beyond organizational boundaries, and (iii) employing RF shielding techniques to block excessive signal propagation. [8]

M0813 | Software Process and Device Authentication

Ensure wireless networks require the authentication of all devices, and that all wireless devices also authenticate network infrastructure devices (i.e., mutual authentication). For defense-in-depth purposes, utilize VPNs or ensure that application-layer protocols also authenticate the system or device. Use protocols that provide strong authentication (e.g., IEEE 802.1X), and enforce basic protections, such as MAC filtering, when stronger cryptographic techniques are not available.
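The following is an added example, not part of the ATT&CK page and not a MITRE artifact, illustrating the application-layer authenticity and replay protection that M0802 and M0813 call for when the link layer (802.11, 802.15.4, an IR or radio control channel) cannot be trusted. The message envelope, field layout, key provisioning and 30-second skew window are all assumptions chosen for the example; the point is that the receiver checks a keyed MAC over the whole message, then a timestamp freshness window, then a nonce cache, so a captured command cannot simply be replayed later.

```python
import hashlib
import hmac
import json
import os
import struct
from typing import Dict, Optional, Tuple

# Hypothetical application-layer envelope, constructed for this example:
#   8-byte big-endian unix timestamp || 16-byte random nonce || payload (JSON) || 32-byte HMAC-SHA256
# The key is assumed to be a per-device secret provisioned out of band (not derived from the link layer).
TS_LEN, NONCE_LEN, TAG_LEN = 8, 16, 32
HEADER_LEN = TS_LEN + NONCE_LEN
MAX_SKEW_SECONDS = 30  # assumed tolerance for clock drift between the two peers


def protect(key: bytes, payload: dict, now: float) -> bytes:
    """Sender side: wrap a command so the receiver can check origin, integrity and freshness."""
    header = struct.pack(">Q", int(now)) + os.urandom(NONCE_LEN)
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(key, header + body, hashlib.sha256).digest()  # MAC covers header and body
    return header + body + tag


class Verifier:
    """Receiver side: MAC first, then the freshness window, then the nonce replay cache."""

    def __init__(self, key: bytes, max_skew: int = MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.seen: Dict[bytes, int] = {}  # nonce -> timestamp of the message it arrived in

    def verify(self, message: bytes, now: float) -> Tuple[bool, str, Optional[dict]]:
        if len(message) <= HEADER_LEN + TAG_LEN:
            return False, "truncated", None
        header = message[:HEADER_LEN]
        body = message[HEADER_LEN:-TAG_LEN]
        tag = message[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return False, "bad-mac", None
        (ts,) = struct.unpack(">Q", header[:TS_LEN])
        nonce = header[TS_LEN:]
        if abs(now - ts) > self.max_skew:
            return False, "stale", None
        # Forget nonces older than the window: a message that old fails the freshness check anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}
        if nonce in self.seen:
            return False, "replay", None
        self.seen[nonce] = ts
        return True, "ok", json.loads(body)


if __name__ == "__main__":
    key = os.urandom(32)
    msg = protect(key, {"cmd": "set_point", "valve": 3}, now=1000)
    receiver = Verifier(key)
    print(receiver.verify(msg, now=1005))   # accepted
    print(receiver.verify(msg, now=1006))   # same bytes again -> rejected as replay
```

The MAC is checked before anything else so that unauthenticated input never reaches the parser or the replay cache; the nonce cache only has to remember values inside the freshness window, which keeps its memory bounded on a small field device.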

Detection

ID | Data Source | Data Component | Detects
DS0015 | Application Log | Application Log Content

Monitor application logs for new or unexpected devices or sessions on wireless networks.

DS0028 | Logon Session | Logon Session Creation

Monitor login sessions for new or unexpected devices or sessions on wireless networks.

DS0029 | Network Traffic | Network Traffic Flow

New or irregular network traffic flows may indicate potentially unwanted devices or sessions on wireless networks. In Wi-Fi networks, monitor for changes such as rogue access points or low signal strength, which may indicate that a device is further away from the access point than expected, as well as changes in the physical-layer signal. [9] [10] Network traffic content will provide important context, such as hardware (e.g., MAC) addresses, user accounts, and types of messages sent.
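As an added example (not from the ATT&CK page), the detection logic above can be run over wireless-controller association logs: compare each associating station against a device inventory, flag clients whose signal strength is weaker than the site normally sees, and flag any access point advertising the organisation's SSID that is not in the access-point inventory. The log line format, the inventories, the SSID and the -75 dBm threshold are constructed for this example.

```python
import re
from typing import Dict, List, Set

# Constructed association log lines from a hypothetical wireless controller (not real data).
SAMPLE_LOG = """\
2023-10-13T08:00:01Z assoc sta=aa:bb:cc:dd:ee:01 bssid=00:11:22:33:44:01 ssid=PLANT-OT rssi=-48
2023-10-13T08:00:05Z assoc sta=aa:bb:cc:dd:ee:02 bssid=00:11:22:33:44:01 ssid=PLANT-OT rssi=-55
2023-10-13T08:01:10Z assoc sta=de:ad:be:ef:00:01 bssid=00:11:22:33:44:01 ssid=PLANT-OT rssi=-82
2023-10-13T08:02:00Z assoc sta=aa:bb:cc:dd:ee:01 bssid=66:77:88:99:aa:bb ssid=PLANT-OT rssi=-40
"""

# Assumed inventories: the site's known field devices, its own access points, and its SSID.
KNOWN_STATIONS = {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"}
KNOWN_BSSIDS = {"00:11:22:33:44:01"}
ORG_SSIDS = {"PLANT-OT"}
MIN_RSSI_DBM = -75  # assumed threshold: a weaker signal suggests a client further away than expected

LINE_RE = re.compile(
    r"^(?P<ts>\S+) assoc sta=(?P<sta>[0-9a-f:]{17}) bssid=(?P<bssid>[0-9a-f:]{17}) "
    r"ssid=(?P<ssid>\S+) rssi=(?P<rssi>-?\d+)$"
)


def parse(log: str) -> List[Dict[str, str]]:
    """Extract association events; lines that do not match the expected format are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def analyze(log: str, known_stations: Set[str], known_bssids: Set[str],
            org_ssids: Set[str], min_rssi: int = MIN_RSSI_DBM) -> List[Dict[str, str]]:
    """Return one alert per anomaly: unknown station, weak signal, or rogue AP using our SSID."""
    alerts = []
    for ev in parse(log):
        if ev["sta"] not in known_stations:
            alerts.append({"ts": ev["ts"], "kind": "unknown-station", "detail": ev["sta"]})
        rssi = int(ev["rssi"])
        if rssi < min_rssi:
            alerts.append({"ts": ev["ts"], "kind": "weak-signal",
                           "detail": f"{ev['sta']} rssi={rssi}"})
        if ev["ssid"] in org_ssids and ev["bssid"] not in known_bssids:
            alerts.append({"ts": ev["ts"], "kind": "rogue-ap",
                           "detail": f"{ev['bssid']} advertising {ev['ssid']}"})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, KNOWN_STATIONS, KNOWN_BSSIDS, ORG_SSIDS):
        print(alert["ts"], alert["kind"], alert["detail"])
```

On the sample data the third line raises an unknown-station alert and a weak-signal alert for the same client, and the fourth line raises a rogue-AP alert because a known station associated with a BSSID outside the inventory that is nonetheless advertising the site SSID. Station MAC addresses are only context, not proof of identity, which is why the page pairs this kind of monitoring with the mutual authentication of M0813.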

References