Hawaii International Conference on System Sciences/IEEE Computer Society: Api-do: Tools for Exploring the Wireless Attack Surface in Smart Meters
Security is critical for the wireless interface offered by soon-to-be-ubiquitous smart meters; if not secure, this technology provides an remotely accessible attack surface distributed throughout many homes and businesses. History shows, however, that new network interfaces remained brittle and vulnerable (although believed otherwise) until security researchers could thoroughly explore their attack surface.
KillerBee software is intended for students, researchers, engineers, and security professionals to use for evaluating the security of IEEE 802.15.4/ZigBee systems. River Loop is a leader in IEEE 802.15.4 and ZigBee security research and penetration testing, and is proud to contribute to the open-source and security community through the continued development of KillerBee along with other contributors.
USENIX Workshop on Offensive Technologies: Packets in Packets: Orson Welles’ In-Band Signaling Attacks for Modern Radios
Presents methods for injecting raw frames at Layer 1 from within upper-layer protocols by abuse of in-band signaling mechanisms common to most digital radio protocols. This packet piggy-backing technique allows attackers to hide malicious packets inside packets that are permitted on the network.
In this post, we continue our series on RF4CE by discussing the mechanisms the protocol uses for security. We encourage you to read the first post for background on the purpose of this post and discussion of security levels and keying techniques. This post will explain how RF4CE devices pair and how payloads are encrypted and protected. Additionally, we’ll explain some of the problems with RF4CE security, and discuss potential remediations.
In the course of security assessments we often come across protocols and communication methods that are not widely known outside of specific industry use. This article is the first in a series of deep dives on one such protocol, RF4CE. In this article, we talk about the background of RF4CE and its use cases, as well as providing an introduction to the basics of RF4CE.
River Loop Security taught an interactive seminar at the CREDC Summer Symposium on June 25th, 2019 in St. Charles, IL.1 Ryan Speers, a Partner with the team, provided attendees an introduction to security assessments on IEEE 802.15.4 and other related protocols like ZigBee. River Loop has done numerous such engagements and maintains KillerBee, the most widely used open-source tool for conducting penetration tests and research on these protocols. Attendees at the symposium included utility operators, industry or academic researchers, and government regulators.
River Loop had the privilege of presenting our latest efforts in wireless fuzzing, including the TumbleRF software framework and the Orthrus offensive radio interface, at DEF CON 26 in Las Vegas, NV. This research highlights the importance of securing oft-overlooked system components, such as non-IP network interfaces and hardware buses. 2014’s Isotope 802.15.4 bugs highlighted an interesting class of vulnerability existing at the PHY layer, so we wrote some tools to make uncovering bugs like those more systematic.
River Loop was thrilled to present its TumbleRF fuzzing framework at Black Hat Arsenal, a forum dedicated to open source security research and software at Black Hat USA. TumbleRF is an open source Python framework that enables researchers to fuzz arbitrary RF technologies down to the PHY. As River Loop’s 2014 Isotope research demonstrated, PHY-layer bugs can have serious implications, and often hide in plain sight. Thus, developing a tool to make finding these bugs systematic seemed like a good fit.