Radio Frequency (RF) Hacking

What is Radio Frequency Hacking?

Radio Frequency (RF) attacks target devices with radio communication systems that transmit and receive data using radio waves. This includes all devices that access cellular networks–from the first generation (1G) to the current 5G spectrum, WiFi, Bluetooth, GPS, NFC, and more.

With wired networks, signals can be tracked and connected networks are known. Radio frequencies, however, transmit signals wirelessly. Unapproved devices can easily sidestep firewalls and network-based detection systems to connect to other devices within 250 feet.

Once a RF-hacker has tuned into your Radio Frequency device, it can be wirelessly tethered to the hacker’s device. Even when you’re not actively using any of these radio communication systems, sensitive data like online passports, IDs, payment methods and more can be stolen and stored on an outside server.

The Different Methods to RF Hacking

Cellular 

Cellular networks ranging from 1G-5G can all be susceptible to a radio based attack. A hacker is able to target cellular networks by simply mimicking a cell tower by using certain types of equipment such as a cell-site simulator, or an IMSI catcher. In doing so, your phone will not be able to detect that this “cell-site” is not real, and will connect to it instead of a real network, after the hacker has jammed the signals of the true cell tower. Once connected to the fake cellular network, the hacker has access to your phone’s IMSI–the ID number linked to your device’s SIM card. This will give the attacker the ability to track your location, steal sensitive data, or deliver spyware.

WiFi

The majority of smartphones and WiFi enabled devices have a feature connected to their WiFi, that when turned on, allows their device to automatically connect the user to a network from a preferred network list (PNL) that contains the SSIDs (WiFi network names) your device recently connected to in that area. A hacker can easily exploit this feature by using the “karma attack” method. By using this method, the hacker can use a rogue AP–often just a WiFi penetration testing device–to replicate an SSID from the PNL, tricking the device into thinking it is connecting to a familiar network. If the attacker’s connection to the device is successful, the attack will turn into a Man in the Middle (MITM) attack–allowing the hacker to actively eavesdrop on what you are doing on your device in real-time, and allows for them to send and receive calls, texts, etc. on said device without the user knowing.

Bluetooth 

A Bluetooth attack is one of the easiest radio-based attacks for hackers to utilize, and one of the most broad potential attacks found in recent years, due to the wide range of vulnerabilities that come with Bluetooth operating systems on any connected smart device. Commonly dubbed “BlueBorne attacks,” a hacker is able to exploit a device without the user having to click on, download, or connect to anything. In fact, a victim to a BlueBorne attack will have no way of knowing their device has been compromised. Similar to how many smart devices have their WiFi enabler set to “automatic”, their Bluetooth capabilities also have this feature, and are discoverable by any nearby device that also has Bluetooth. Even when not in discoverable mode, a Bluetooth enabled device can be identified by a hacker. Once the attacker chooses a nearby Bluetooth connection, they can obtain the MAC address–the unique identifier specific to that device. In doing so, a hacker can determine which operating system his victim is using, and adjust his attack accordingly by exploiting a vulnerability specific to the Bluetooth on said device. Once exploited, the hacker can deploy a MITM attack, allowing for espionage on the victim’s device.

NFC

Near-field communication (NFC) tags are a set of short-range communication protocols that enables communication between two electronic devices over a maximum distance of 4cm. Common examples of NFC tags include bumping your phone with your friend to share photos and videos, making payments with your credit card information by tapping on the payment terminal at the store, unlocking your front door if it has a smart lock. Though less of a practical avenue for RF hackers due to its short frequency range, an NFC attack can still occur. This can happen when a malicious NFC tag is placed on a wall or door in a crowded place where people may bump into said tag. If an unlocked device bumps one of these tags, a malicious site could automatically be opened on the victim’s device.

Key Fob Attacks

Any car with an automatic-open key fob–even if it isn’t push to start–is susceptible to being hacked. Modern day key fobs work by using a Radio Frequency Identification transponder (RFID)–an intelligent barcode system that uses electromagnetic fields to enable it to unlock the system and provide a variety of functions. A key fob attack is the most common form of automotive hacking, as it accounted for 93 percent of theft attacks in 2020, according to Upstream. auto, indicating a 27 percent increase over a five year period. Commonly referred to as “relay attacks,” hackers will use specialized electronic equipment–most commonly cheap relay boxes–to copy and transmit the signal from a key fob, whether it’s in a garage, purse, coat pocket, etc.  to pick up the signal coming from the key fob, amplify it, and transfer it over to their device, so that they are then able to unlock your door. This same form of hacking can be used on the key fobs you use at work, to get into your apartment building, etc.

RF Hacking and 5G

According to an Ericsson report, out of the 22 billion connected devices, 15 billion contain radios, making them a target for an RF breach. With the rollout of 5G heavily underway, this number is expected to skyrocket within the next couple of years.

Although the newest cellular network will allow for a plethora of new opportunities and a massive upgrade to the IoT, there are certain privacy and security risks that will inevitably arise.

The rollout of 5G has begun to shift the network infrastructure from a hardware-based network to a software-based network. Everything will become wireless, without giving up the faster speeds and bandwidth previously reserved for wired services.

With 5G putting everything on the same wireless network, it will become easier for hackers to adopt the RF method, as it goes under the radar of firewalls and network-based connection systems.

Who is at Risk?

Ultimately anyone can be at risk of a radio-based cyber attack. Although your average individual is at a much lesser risk than some of the high-profile targets listed below, they should still be wary of the wireless networks they are connected to, especially when on-the-go.

That being said, there are certain groups that face a higher risk than others. As 5G introduces new risks, high-profile government and military officials, and both large and small corporations can be vulnerable to an RF attack.

Corporations

Both small businesses and large corporations will need to up their security measures in order to mitigate the cybersecurity risks that will come with their adoption of 5G networks.

Small businesses already account for 43% of all cyber attacks. They make for the perfect target as they often can’t afford the investments into security. With 5G, cybersecurity measures are only expected to increase as security measures will only become more complicated and expensive, making it much harder for small businesses to sustain.

High profile targets such as CEOs and VPs working for large corporations will need to be cautious when traveling, or taking important data and information home with them.

The IoT provides countless abilities for cybercriminals to hack into devices via wireless networks, and with RF hacking expected to become more prevalent, a higher level of security will be necessary when carrying important information–new security measures that these high-profile targets may not be used to worrying about.

Governments

5G is expected to pave the way for new innovations, new markets, and economic growth for nations all over the world. Being first may not be the best though, because those countries will take the risk of having a vulnerable security system.

5G has only been around for a few years. Because of the major change in network infrastructure compared to previous networks, there are many new security vulnerabilities to the new system that have yet to be vetted–some which are probably still unknown!

In fact, a recent report from top U.S. national security agencies stated that these new developments “introduce serious risks that can threaten national security, economic security, and impact other national and global interests.”

The architecture and development of new technologies will be impacted by adversarial nations as they contribute to new security controls and technical standards. For example, the 5G-dominant nations can sell their emerging technologies in order to influence standards that specifically benefit their technologies and limit the consumer’s choice to use other equipment, which will ultimately force other nations to use untrusted suppliers in their networks.

Militaries

Like governments, militaries will also become more vulnerable to RF-related attacks. On top of these newer hacking methods being able to compromise important data and information, military equipment and radio-based communication systems used in battle will also become a target via more frequent electromagnetic pulse attacks (EMP).

An EMP attack is a massive burst of electromagnetic energy that can occur naturally or be generated deliberately using nuclear weapons in order to compromise electronic equipment. EMP attacks that are deliberately generated typically happen during war, and can compromise the telecommunications infrastructure of military equipment, ultimately making communication impossible.

Prevention Methods + The Importance of Using a Faraday Bag

Because RF attacks are not as widespread as other methods of cyberattacks, they are more difficult to recognize and combat.

  • Be aware of noticeably slower cellular connections, or changes to the band in your devices status bar–If your cellular connection is working well, and then suddenly becomes slow, or your device status bar changes from an LTE to, say, a 2G network, then you may be at risk of someone trying to manipulate your cellular network.
  • Only connect to WiFi networks that you know are legit–When in a public area, only connect to WiFi services after talking to staff to find out names and passwords, and “forget” any networks that may be fake or trying to manipulate the true one. If you have a hotspot on your phone, try making use of it instead of public WiFi whenever possible.
  • Keep your radio communication services turned off when not in use–Turning off auto-connect, or simply making sure your WiFi, Bluetooth, GPS, NFC, etc. is not discoverable when you are not using them can help to greatly reduce risk. Better yet…
  • Make use of airplane mode–Airplane mode not only automatically disables all radio-based services on your device, but does not allow for data roaming or trying to auto-connect to unsecure networks.

On top of using all of these precautionary methods, one should invest in a Faraday bag to be 100% sure sensitive data and information stays secure. Faraday bags incorporate advanced military-grade EMF shielding technology capable of completely blocking all incoming and outgoing wireless RF signals from electronic devices.