From new standard requests on wireless devices and Biden’s order on patching to new IoT botnets – these are all things that happened throughout the week in the field of Network Airspace Control and Protection (NACP).
A new standard for the security of wireless device manufacturing?
The EU Commission is requesting for new standards for wireless device manufacturing. The idea behind this is to prevent interference with other wireless communicating devices in the case of takeover. For enterprises this means the elimination of Antenna for Hire – uncontrolled devices broadcasting into the corporate vicinity and taken over by threat actors, as a springboard for attacking the corporate network.
While the industry is right in its thinking that there is a wireless threat posed by Wi-Fi capable devices, the proposed guidelines for manufacturing do not get it right and mix various threats and risks in one.
At end of day, to eliminate the Wi-Fi driven Antenna for Hire threat, many of the things that make Wi-Fi devices what they are must be eliminated. These include the ability to become a hot spot, the ability to arbitrarily connect to any network, the ability to choose a network name and so on. While this is all possible in other domains (e.g. cellular networks) this is not really applicable to Wi-Fi domain which differs both in terms of technology and regulation.
Moreover, the requirements as currently proposed by the EU commission are stated in a very naïve way which is very hard to quantify or certify. In fact, the language currently in use is the equivalent of requiring that standard network equipment could not be used for launching attacks – a statement that is equally impossible to quantify or assure.
The Biden Administration orders Federal agencies to patch
The Biden Administration is ordering the Federal agencies to patch their systems against hundreds of vulnerabilities. This new order, yet again, puts security staff in the role of Sisyphus rolling the heavy stone up the hill only to have it go back down just before he reaches the top.
While it is important to apply patches for critical vulnerabilities we must remember that the state of software vulnerabilities resembles an iceberg:
* At the tip of the iceberg are the known vulnerabilities for which a patch exists (and a small number of vulnerabilities that were published and for which a patch does not exist yet).
* The next tier down are the vulnerabilities reported to and discovered by vendors that were not made public yet – and for which a patch does not exist yet
* The next tier down is already beneath the surface – these are the infamous 0-days being traded and used by skilled attackers
* The bottom tier, and the probably the largest one are the yet to be disclosed vulnerabilities. These are inevitable in today’s complex software and will eventually surface through the other tiers.
With the above description in mind, agencies and corporations need to operate their systems under the assumption that their environment is always vulnerable. Hence, organizations must introduce controls into their environments to compensate for the existence of vulnerabilities. Such controls should detect and prevent attacks regardless of the vulnerability that they attempt to exploit.
BotenaGo IoT Botnet
Recently, researchers at AT&T Labs revealed a botnet, dubbed BotenaGo, which can potentially infect millions of routers and IoT devices.
We see here an IoT botnet — view it as a classic “Antenna for Hire” botnet. A botnet allows threat actors to broker their compromised devices. Which means that an attacker wanting to conduct a wireless attack against a certain company, can now hire one of these compromised devices in the proximity of the target company, removing that initial activity of actively finding and compromising an Antenna for Hire by themselves and focus their efforts and resources on the other aspects of their attack.
Penetrating the corporate from this stage, means searching for a Wireless Receptor – a wireless-capable device within the corporate, wirelessly taking control over it and from there leveraging that it’s also on the corporate network to penetrate the corporate network. It is important to note that the Wireless Receptor acts as an invisible attacker’s entry point, leaving no forensics or logs of its usage to penetrate the corporate network.
A NACP is the only type of technology that:
* Can protect against such wireless attacks.
* Is able to “tell the story” of such an attack, including pinpointing the Wireless Receptor that the attackers would have attempted to use as a bridge into the corporate network.
Sky Routers vulnerability
Sky routers, dedicated routers for the home, have a vulnerability which enables remote takeover of the device.
This vulnerability relates also to businesses. In fact, this is a classic case of an Antenna for Hire. An attacker taking control of a vulnerable Sky router can use it as a springboard to look for Wireless Receptors at a nearby company. Since this vulnerability impacts 6M devices, it also has the potential for threat actors to exploit the vulnerability en masse and create from them a botnet.
AirEye blocks all interaction between an Antenna for Hire and a Wireless Receptor. So even if there is a compromised Antenna for Hire in the vicinity of a company, the security team can be rest assured it will not compromise their network.