Wireless Sniffing

Adversaries may seek to capture radio frequency (RF) communication used for remote control and reporting in distributed environments. RF communication frequencies vary between 3 kHz and 300 GHz, although they are commonly between 300 MHz and 6 GHz. [1] The wavelength and frequency of the signal affect how the signal propagates through open air and obstacles (e.g. walls and trees) and the type of radio required to capture it. These characteristics are often standardized in the protocol and hardware and may have an effect on how the signal is captured. Some examples of wireless protocols that may be found in cyber-physical environments are: WirelessHART, Zigbee, WIA-FA, and the 700 MHz Public Safety Spectrum.

Adversaries may capture RF communications by using specialized hardware, such as a software defined radio (SDR), a handheld radio, or a computer with a radio demodulator tuned to the communication frequency. [2] Information transmitted over a wireless medium may be captured in transit whether or not the sniffing device is the intended destination. This technique may be particularly useful to an adversary when the communications are not encrypted. [3]

In the 2017 Dallas Siren incident, it is suspected that adversaries likely captured wireless command message broadcasts on a 700 MHz frequency during a regular test of the system. These messages were later replayed to trigger the alarm systems. [3]

ID: T0887
Sub-techniques: No sub-techniques
Tactics: Discovery, Collection
Platforms: None
Contributors: ICSCoE Japan
Version: 1.1
Created: 21 May 2020
Last Modified: 13 October 2023

Targeted Assets

ID Asset
A0013 Field I/O
A0001 Workstation

Mitigations

ID Mitigation Description
M0808 Encrypt Network Traffic

Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications. [2]

M0806 Minimize Wireless Signal Propagation

Reduce the range of RF communications to their intended operating range when possible. Propagation reduction methods may include (i) reducing transmission power on wireless signals, (ii) adjusting antenna gain to prevent extensions beyond organizational boundaries, and (iii) employing RF shielding techniques to block excessive signal propagation. [4]
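The propagation-reduction methods above can be sized with a link budget. The following is an added worked example, not part of the MITRE page: it uses the free-space (Friis) path-loss model, which assumes an unobstructed line-of-sight path and therefore gives the longest range a link can reach. That makes it a conservative bound when asking "could this signal still be usable at the site boundary?", and it shows directly that every 6 dB removed from transmit power or antenna gain halves the free-space range. All input values (20 dBm transmitter, 2 dBi antennas, -85 dBm receiver sensitivity, 2.4 GHz and 700 MHz carriers, a 500 m boundary) are constructed for illustration. One caveat a practitioner should keep in mind: an eavesdropping receiver may be more sensitive, or use a higher-gain antenna, than the intended one, so apply extra margin beyond what the intended receiver's sensitivity suggests.

```python
import math

C_M_PER_S = 299_792_458.0  # speed of light in vacuum, m/s

# 20*log10(4*pi/c): the constant term of the Friis free-space loss in metres/hertz form
_FRIIS_CONST_DB = 20 * math.log10(4 * math.pi / C_M_PER_S)


def free_space_path_loss_db(distance_m: float, freq_hz: float) -> float:
    """Free-space path loss in dB for an unobstructed line-of-sight path (upper bound on reach)."""
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_hz) + _FRIIS_CONST_DB


def max_range_m(tx_power_dbm: float, tx_gain_dbi: float, rx_gain_dbi: float,
                rx_sensitivity_dbm: float, freq_hz: float) -> float:
    """Largest free-space distance at which received power still meets the receiver sensitivity.

    Solves tx_power + tx_gain + rx_gain - FSPL(d) = rx_sensitivity for d.
    """
    budget_db = tx_power_dbm + tx_gain_dbi + rx_gain_dbi - rx_sensitivity_dbm
    return 10 ** ((budget_db - 20 * math.log10(freq_hz) - _FRIIS_CONST_DB) / 20)


def max_tx_power_dbm(boundary_m: float, tx_gain_dbi: float, rx_gain_dbi: float,
                     rx_sensitivity_dbm: float, freq_hz: float) -> float:
    """Highest transmit power for which the free-space range stays within boundary_m.

    Defender's sizing question for M0806: what power setting keeps the link usable
    inside the site but not (in the best propagation case) beyond the perimeter.
    """
    return (rx_sensitivity_dbm + free_space_path_loss_db(boundary_m, freq_hz)
            - tx_gain_dbi - rx_gain_dbi)


def main() -> None:
    # Constructed link parameters (assumptions, not values from the page).
    tx_dbm, gt_dbi, gr_dbi, sens_dbm = 20.0, 2.0, 2.0, -85.0
    boundary_m = 500.0
    for label, f_hz in (("2.4 GHz", 2.4e9), ("700 MHz", 700e6)):
        full = max_range_m(tx_dbm, gt_dbi, gr_dbi, sens_dbm, f_hz)
        reduced = max_range_m(tx_dbm - 6, gt_dbi, gr_dbi, sens_dbm, f_hz)   # 6 dB less TX power
        low_gain = max_range_m(tx_dbm, gt_dbi - 6, gr_dbi, sens_dbm, f_hz)  # 6 dB less antenna gain
        cap = max_tx_power_dbm(boundary_m, gt_dbi, gr_dbi, sens_dbm, f_hz)
        print(f"{label}: free-space range {full:,.0f} m; "
              f"-6 dB TX power -> {reduced:,.0f} m; -6 dBi antenna -> {low_gain:,.0f} m; "
              f"TX power to stay within {boundary_m:.0f} m: {cap:.1f} dBm")


if __name__ == "__main__":
    main()
```

The lower carrier frequency shows why the page's note on frequency matters: at 700 MHz the same power and antennas reach farther than at 2.4 GHz, so the power cap needed to respect a given boundary is correspondingly lower.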

Detection

ID Data Source Data Component Detects
DS0029 Network Traffic Network Traffic Flow

Purely passive network sniffing cannot be detected effectively. In cases where the adversary interacts with the wireless network (e.g., joining a Wi-Fi network), detection may be possible. Monitor for new or irregular network traffic flows, which may indicate potentially unwanted devices or sessions on wireless networks. In Wi-Fi networks, monitor for changes such as rogue access points, low signal strength (indicating a device is farther from the access point than expected), and changes in the physical layer signal. [5] [6] Network traffic content will provide important context, such as hardware (e.g., MAC) addresses, user accounts, and types of messages sent.
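The three indicators named above (unknown devices joining, low signal strength, rogue access points) can be checked against an asset inventory. The following is an added example, not part of the MITRE page or any product: it parses constructed wireless-controller events in a hypothetical `key=value` layout and raises an alert for a client MAC not in the inventory, for an association whose RSSI falls below a coverage floor, and for a beacon from a BSSID that is not one of the managed access points (treated as an evil twin when it advertises one of the organization's SSIDs, otherwise as a rogue AP). The MAC addresses, SSID, access point names and the -75 dBm floor are all constructed values.

```python
import re

# Constructed sample events from a hypothetical wireless controller. The key=value
# layout is an assumption for this example, not the log format of any real product.
SAMPLE_LOG = """\
2023-10-13T08:00:01Z ap=AP-01 event=assoc client=00:11:22:33:44:01 rssi=-52
2023-10-13T08:00:05Z ap=AP-01 event=assoc client=00:11:22:33:44:02 rssi=-61
2023-10-13T08:01:17Z ap=AP-02 event=assoc client=de:ad:be:ef:00:01 rssi=-79
2023-10-13T08:02:40Z ap=AP-02 event=beacon bssid=aa:aa:aa:aa:aa:01 ssid=PLANT-OT
2023-10-13T08:02:41Z ap=AP-02 event=beacon bssid=cc:cc:cc:cc:cc:99 ssid=PLANT-OT
2023-10-13T08:03:02Z ap=AP-01 event=assoc client=00:11:22:33:44:01 rssi=-84
"""

# Constructed inventory the events are compared against.
KNOWN_CLIENTS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
MANAGED_BSSIDS = {"aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"}
ORG_SSIDS = {"PLANT-OT"}
# Below this received signal strength the client is likely outside the intended coverage area.
RSSI_FLOOR_DBM = -75

_KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split one event line into a dict of its key=value fields plus the timestamp."""
    ts, _, rest = line.strip().partition(" ")
    fields = dict(_KV_RE.findall(rest))
    fields["ts"] = ts
    if "rssi" in fields:
        fields["rssi"] = int(fields["rssi"])
    return fields


def analyze(log_text: str, known_clients=KNOWN_CLIENTS, managed_bssids=MANAGED_BSSIDS,
            org_ssids=ORG_SSIDS, rssi_floor=RSSI_FLOOR_DBM) -> list:
    """Return (timestamp, rule, detail) alerts for the indicators described on the page."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("event") == "assoc":
            mac = ev["client"]
            if mac not in known_clients:
                alerts.append((ev["ts"], "unknown_device", f"{mac} joined via {ev['ap']}"))
            if ev["rssi"] < rssi_floor:
                alerts.append((ev["ts"], "weak_signal",
                               f"{mac} at {ev['rssi']} dBm on {ev['ap']}, farther than expected"))
        elif ev.get("event") == "beacon":
            if ev["bssid"] not in managed_bssids:
                rule = "evil_twin" if ev["ssid"] in org_ssids else "rogue_ap"
                alerts.append((ev["ts"], rule,
                               f"{ev['bssid']} advertising {ev['ssid']} seen by {ev['ap']}"))
    return alerts


if __name__ == "__main__":
    for ts, rule, detail in analyze(SAMPLE_LOG):
        print(f"{ts} {rule:14} {detail}")
```

A low RSSI reading is only an indicator, as the page says: it also drops with obstacles and interference, so the weak-signal rule is best used to prompt a look at the traffic content (MAC address, account, message types) rather than as a verdict on its own.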

References