Thursday, April 29, 2010

"All Your 900 MHz Are Belong to Us"

If you were asked, “Does your organization use unencrypted wireless communications?”, what would your answer be? Typical responses include “We don’t use wireless networks,” or “Our cell phones are our only wireless devices.” Such answers may be partly true; however, many organizations have not fully thought through their answer or their assets. More specifically, the 900 MHz frequency range comes to mind. The 900 MHz frequency range is used by many common devices, yet it is often used in an insecure manner for corporate purposes.

In short, the 900 MHz frequency range is an attacker’s playground. There is a great deal of information that can be gleaned from this space, of which many folks are unaware. Two-way radios, simple wireless communication devices, and other items that use this common and open communication channel are more widespread than one might think. I’ll examine two cases in which SecureState engineers were able to obtain valuable information via trivial methods during both physical penetration tests and social engineering exercises.

First, SecureState was hired to perform work for a casino in the United States. Engineers were staying at a hotel approximately 3 or 4 miles away from the casino. From the hotel, a simple ham radio was used to listen to the 900 MHz frequency range and eavesdrop on the radio conversations of casino guards. From this, one could identify when guard shift changes occurred, when large sums of money were being transported, and their origin and destination as well. It doesn’t take a rocket scientist to explain why this is an issue. Other, more sophisticated attacks could be carried out using this information. With a sub-$100 radio readily available at your neighborhood Radio Shack, the 900 MHz frequency range may be used to listen in on your organization’s unencrypted communication.

Second, SecureState again fired up a ham radio to perform reconnaissance for a physical penetration test on a financial institution. Upon perusing the 900 MHz frequency range, it was identified that unencrypted wireless telephone headsets were being used in the helpdesk area. From this, SecureState was able to listen to password reset calls and other issues being addressed at the target financial institution. There is no question why this is an issue, and this isn’t the end of it. Worse yet, even after the phone call ends and the headset is put back in its cradle to charge, it acts as a bug in the office. The headset still transmits despite not being on a call. This means that all conversation in the helpdesk area, even while not on a telephone call, can be eavesdropped upon! Two solutions to this exposure are the Plantronics CS55 and CS70 digital headset models. They both digitally encode and encrypt the audio and transmit it using TDMA technology. These headsets will provide sufficient protection against wireless headset eavesdropping. As a best practice, it is also recommended that executives and executives’ assistants do not use wireless headsets for sensitive communications.

With those two simple case studies, it is clear that with less than $100 of readily accessible equipment, your organization may be vulnerable to such eavesdropping. Perhaps your organization’s regular 802.11 wireless network enumeration, which looks for rogue access points, should include the 900 MHz frequency range as well.
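As an added example (not part of the original post, and not SecureState’s tooling), the following Python script shows one way to fold the 900 MHz band into a regular wireless enumeration: it reads a constructed survey export, compares each 902–928 MHz emitter against a hypothetical device inventory, and flags anything unlisted or listed as unencrypted. The CSV columns, the inventory layout and the frequency tolerance are assumptions.

```python
import csv
import io
from dataclasses import dataclass

# The 902-928 MHz ISM band that the devices discussed above operate in.
ISM_900_MHZ = (902.0, 928.0)

# Constructed survey export (frequency, peak power); not real measurements.
SURVEY_CSV = """frequency_mhz,peak_dbm,observed
906.250,-52,2010-04-29T09:15:00
912.500,-61,2010-04-29T09:15:30
2437.000,-40,2010-04-29T09:16:00
919.875,-58,2010-04-29T09:16:10
"""

# Constructed asset inventory keyed by assigned frequency (hypothetical).
INVENTORY = {
    906.250: {"asset": "guard two-way radios", "encrypted": False},
    912.500: {"asset": "helpdesk digital headsets", "encrypted": True},
}

@dataclass
class Finding:
    frequency_mhz: float
    peak_dbm: int
    severity: str
    note: str

def parse_survey(text):
    """Return (frequency_mhz, peak_dbm) pairs from a scanner CSV export."""
    rows = csv.DictReader(io.StringIO(text))
    return [(float(r["frequency_mhz"]), int(r["peak_dbm"])) for r in rows]

def audit(survey, inventory, tolerance_mhz=0.05):
    """Flag 900 MHz emitters that are unlisted or listed as unencrypted."""
    low, high = ISM_900_MHZ
    findings = []
    for freq, dbm in survey:
        if not low <= freq <= high:
            continue  # other bands are covered by the existing 802.11 sweep
        match = next((v for f, v in inventory.items()
                      if abs(f - freq) <= tolerance_mhz), None)
        if match is None:
            findings.append(Finding(freq, dbm, "high",
                                    "unlisted emitter; identify the device"))
        elif not match["encrypted"]:
            findings.append(Finding(freq, dbm, "medium",
                                    f"{match['asset']}: unencrypted"))
    return findings
```

Run against the constructed data, the unencrypted guard radios are reported as medium and the unlisted 919.875 MHz emitter as high, while the encrypted headsets and the 2.4 GHz signal produce no finding.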
