Security – Physical, Cyber and the Unknown of …...Security – Physical, Cyber and the Unknown of Securing the Public Safety Environment in the Technology World Chris Christensen,
36
Security – Physical, Cyber and the Unknown of Securing the Public Safety Environment in the Technology World Chris Christensen, JD DTMB Cybersecurity and Infrastructure Protection Office of Infrastructure Protection
Security – Physical, Cyber and the Unknown of Securing the Public Safety Environment in the
Technology World
Chris Christensen, JDDTMB Cybersecurity and Infrastructure Protection
Office of Infrastructure Protection
HELP. CONNECT. SOLVE.
• The first truly mobile two-way radio was developed in Australia in 1923 by Senior Constable Frederick William Downie of the Victorian Police
• In 1933, the Bayonne, New Jersey police department successfully operated a two-way system between a central fixed station and radio transceivers installed in police cars
History
Presenter
Presentation Notes
The first truly mobile two-way radio was developed in Australia in 1923 by Senior Constable Frederick William Downie of the Victorian Police. The first sets took up the entire back seat of the Lancia patrol cars. The first two-way radio systems made it possible for police to transmit information quickly and efficiently. Their means of communication prior to the invention of the radio was to stop every half hour to call in their locations and check for updates. Downie's adaptation of the two-way radio was a milestone for police. Immediate notification of crimes taking place made it possible for police officers to decrease their response time. This invention is credited for saving many lives and apprehending a number of criminals. It wasn't long before police officers and emergency officials began using Downie's radio all over the world. Today, it's used everywhere.
HELP. CONNECT. SOLVE.
History of Hacking
Presenter
Presentation Notes
IT wasn’t called hacking for Radios it was termed utilizing different frequencies.
HELP. CONNECT. SOLVE.
Critical Voice/Data Support
HELP. CONNECT. SOLVE.
• Voice and data can exist on the same frequency• No communication is lost; you can program the priority voice or data• Key information such as Unit ID, Status Info, and enhanced SMS or alerts
can be embedded in to a single digital radio channel• Various models of radio have full color screens capable of displaying
messages and alerts
Voice/Data Features
Presenter
Presentation Notes
Voice and Data can coexist due to digital trunking systems that automatically give preference to voice or data depending on what is needed. The primary purpose of this type of system is efficiency; many people can carry many conversations over only a few distinct frequencies. Trunking is used by many government entities to provide two-way communication for fire departments, police and other municipal services, who all share spectrum allocated to a city, county, or other entity.
HELP. CONNECT. SOLVE.
• Encrypted transmissions prevent eavesdropping of critical communications or hackers taking control of systems
• AES – Advanced Encryption Standard– 256 Bit– Current Federal Government Standard
Current Encryption Technology
Presenter
Presentation Notes
The Advanced Encryption Standard (AES) is a symmetric-key block cipher algorithm and U.S. government standard for secure and classified data encryption and decryption. AES is a block cipher. Plain text is first divided into blocks of equal size and each block is encrypted separately (well, almost). AES has a 128-bit block size. Broadly speaking, the algorithm first divides the block into 16 bytes (each byte is 8 bits) and places them in a 4x4 table. Then it starts doing manipulations on this table - substituting each byte value with another value (using a predefined substitution table), moving the rows and mixing the columns, and adding a round key, which is 128 bits that are derived from the encryption key using a separate algorithm (called the "key schedule"). This is repeated several times (depending on the size of the key), with a different round key for every round. Decryption does the same exact thing, but in reverse (every operation in the encryption algorithm is reversible). The resources required for a brute-force attack grow exponentially with increasing key size, not linearly. Well, using simple math: If checking one key takes 1000 clock cycles, and the computer has 2,000,000,000 cycles per second, it checks 2 million keys per second. The best case is that the first key you try is correct: total time is half a microsecond. The worst case is that the last key you try is correct: you have 2256 keys divided by around 221 checked a second (that's more like 2.1 million, but close enough), which is 2235 seconds, which is around 1.75 vigintillion (that's 1.75*10^63) years, or around 1.3*10^53 times the age of the universe.
HELP. CONNECT. SOLVE.
• Brute-Force Attack - an attacker trying many passwords or passphrases hoping to guess correctly
• Exhaustive Key Search - an attacker attempting to guess the key using a key derivation function
Attack on Encryption – Brute Force
Presenter
Presentation Notes
In cryptography, a brute-force attack consists of an attacker trying many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found. Alternatively, the attacker can attempt to guess the key which is typically created from the password using a key derivation function. This is known as an exhaustive key search. A brute-force attack is a cryptanalytic attack that can, in theory, be used to attempt to decrypt any encrypted data. Such an attack might be used when it is not possible to take advantage of other weaknesses in an encryption system (if any exist) that would make the task easier. Brute-force attacks can be made less effective by obscuring the data to be encoded making it more difficult for an attacker to recognize when the code has been cracked or by making the attacker do more work to test each guess. One of the measures of the strength of an encryption system is how long it would theoretically take an attacker to mount a successful brute-force attack against it.
HELP. CONNECT. SOLVE.
LTE Broadband System
HELP. CONNECT. SOLVE.
• Long-Term Evolution (LTE) is a standard for high-speed wireless communication for mobile devices and data terminals
• Private Enterprise LTE networks can be designed to be portable, semi-permanent or fixed installations
• A flexible portable LTE System with fast and easy setup ensures continuous operations no matter the situation
LTE Broadband System
Presenter
Presentation Notes
Long-Term Evolution (LTE) is a standard for high-speed wireless communication for mobile devices and data terminals. based on the GSM/EDGE and UMTS/HSPA technologies. It increases the capacity and speed using a different radio interface together with core network improvements. Private Enterprise LTE networks can be designed to be portable, semi-permanent or fixed installations. Deployment of a portable network can consist of a few variations. Private Enterprise LTE broadband can be deployed in various ways depending on situational requirements. SOW – System-On-Wheels Standalone Supports upwards of 2000 devices Complete LTE Broadband System Range of 15km COW – Cell-On-Wheels Supplementary LTE network Used to create additional coverage and capacity Can be used in remote or during events Range of 15km Vehicular/Backpack/Portable Case Complete LTE Broadband System Creates an LTE bubble up to 2km and can support over 100 subscribers Current battery technology can allow this system to run up to 7 hours.
HELP. CONNECT. SOLVE.
System Design and Construction
HELP. CONNECT. SOLVE.
• Radio systems can scale to fit any organizational requirements.• Todays radio systems consist of:
– Base transmitter/receiver units that provide the radio communications– Central controller that operates the base units– Mobile or portable radios that are operated by the remote personnel
System Design and Construction
Presenter
Presentation Notes
Reliable communication is crucial for effective operations and for the safety of personnel. Base transmitter/receiver units – also called Base transceiver stations (BTS) typically consist of Transceiver (TRX) Quite widely referred to as the driver receiver (DRX). It basically does transmission and reception of signals. Power amplifier (PA) Amplifies the signal from DRX for transmission through antenna; may be integrated with DRX. Combiner Combines feeds from several DRXs so that they could be sent out through a single antenna. Allows for a reduction in the number of antenna used. Multiplexer For separating sending and receiving signals to/from antenna. Does sending and receiving signals through the same antenna ports (cables to antenna). Antenna This is the structure that the BTS lies underneath; it can be installed as it is or disguised in some way (Concealed cell sites). Controller manages the site radio channels and other site functions. It assigns voice and data channels, monitors alarms and provides the frequency reference to the Base Radios. Mobile or portable radios are the devices that are used by remote personnel to communicate with each other or central command or dispatch. These can be in the form of vehicle mounted radios or radios that are small enough to be carried on the person in a holster or a belt attachment.
HELP. CONNECT. SOLVE.
• Radios today are designed to Military Standard 810 to weather proof, shock proof, as well as waterproof
• Batteries are typically Li-ion (Lithium-Ion) or NiMH (Nickel–metal hydride)
• Battery capacities today allow radios to have an operational time of over 10 hours
Radio Design and Construction
Presenter
Presentation Notes
MIL-STD-810, Environmental Engineering Considerations and Laboratory Tests, is a United States Military Standard that emphasizes tailoring an equipment's environmental design and test limits to the conditions that it will experience throughout its service life, and establishing chamber test methods that replicate the effects of environments on the equipment rather than imitating the environments themselves. Although prepared specifically for military applications, the standard is often used for commercial products as well. The military standard MIL STD-810 test series addresses a broad range of environmental conditions that include: low pressure for altitude testing; exposure to high and low temperatures plus temperature shock (both operating and in storage); rain (including wind blown and freezing rain); humidity, fungus and salt fog for rust testing; sand and dust exposure; explosive atmosphere; leakage and acceleration; shock and transport shock (i.e., triangle/sine/square wave shocks); gunfire vibration; and random vibration. Lithium-ion batteries are common in home electronics. They are one of the most popular types of rechargeable batteries for portable electronics, with a high energy density, tiny memory effect and low self-discharge. Lithium-ion cells are supplied as part of a battery pack with temperature sensors, voltage converter/regulator circuit, voltage tap, battery charge state monitor and the main connector. These components monitor the state of charge and current in and out of each cell, capacities of each individual cell and temperature of each cell and minimize the risk of short circuits. NiMH cells are advantageous for high-current-drain applications, largely due to their lower internal resistance. Lithium-ion batteries have a higher specific energy than nickel–metal hydride batteries, but they are significantly more expensive. They also produce a higher voltage (3.2-3.7V nominal), and are thus not a drop-in replacement for alkaline batteries without circuitry to reduce voltage. As of 2005, nickel–metal hydride batteries constituted three percent of the battery market
HELP. CONNECT. SOLVE.
Advanced System Customization and
Maintenance
HELP. CONNECT. SOLVE.
• Radios, Repeaters and Controllers can be added while system is still in operation
• System software updates can be made Over-the-Air (OTA); radios do not need to be returned to base
• Current Android and iPhones can be turned into multi-channel PTT handsets with software
Advanced System Customization and Maintenance
Presenter
Presentation Notes
Radios, Repeaters and Controllers can be added while system is still in operation. Pieces of a radio system are like software controlled Legos. Additional equipment is programmed to the system and can begin operation immediately. This allows the radio system to be, in many ways, infinitely scalable to any requirements. Today’s equipment is built to maximize channel up-time, simplify system technology refresh, optimize efficient site design and minimize the cost of ownership. Due to radio systems being entirely digital, you can easily add new features to your existing system with a simple software download. Based on an IP-architecture, todays equipment is designed so that many upgrades, migrations and conversions can be completed with only software installations. With software applications such as Motorola’s Wave mobile communicator any smartphone, tablet, or custom handheld can allow any user system access from any location, talking with groups of other users or individuals as required. With this technology, not every person would need to carry a separate radio device to have secure instant communication.
HELP. CONNECT. SOLVE.
Encryption, Disruption, and Security
HELP. CONNECT. SOLVE.
• City of Dallas Emergency Siren Hack
Encryption Technology
Presenter
Presentation Notes
April 8th as midnight approached, someone managed to trigger the emergency siren system used by the City of Dallas for tornado warnings and other emergencies. Alarms were active for 95 minutes—even after emergency services workers shut them off. The entire system had to be shut down. By 12:30 AM, the Dallas Office of Emergency Management (OEM) began shutting off the alarms manually. People were panicked began calling 911. The Dallas 911 call center received more than 800 calls between midnight and 12:15 AM. 4,400 calls were received during the 90 minutes the sirens were active. The call volume created wait times of up to six minutes delaying response to actual emergencies. Half an hour into the chaos, the OEM tried to quell panic by issuing social media alerts saying not to call 911. It backfired and people became convinced it was a conspiracy and their local officials were lying to them. Some speculated it was some kind of cover for a crime in progress. The sirens went off continuously until 1:17 AM. In a press conference at Dallas City Hall on Monday morning, Dallas City Manager T.C. Broadnax said the hack was done using a radio frequency, and not via a computer network. Mark Loveless at Duo Security posited a clarifying detail, that it was probably done "through the use of Dual-Tone Multi-Frequency (DTMF) signaling via radio." According to press, city officials said that "it's a tonal-type system," suggesting the hack was done by replicating the tonal code -- the sounds -- that would set off the sirens. This kind of hacking is usually called "phreaking," which is typically associated with the telephone system. In this context, it would be the kind of phreaking done when radio-frequency signal tones are perfectly reproduced to trigger various functions normally reserved for operators or telephone company employees. Like making free calls, eavesdropping and more. Since tornado sirens use radio-frequency communications to work, this is feasible. It's as fascinating as it is disturbing when you consider how many other similar systems exist across the US that are probably about as secure as the ones in Dallas. This incident was a reminder that security has been an afterthought for way too long on city systems. Shutdown of the alarms required them to disconnect everything, leaving the city without its emergency warning sirens until late Sunday night. In the aftermath, local press noted that "no one at City Hall knew something like this was possible."
HELP. CONNECT. SOLVE.
HELP. CONNECT. SOLVE.
HELP. CONNECT. SOLVE.
HELP. CONNECT. SOLVE.
• In January 2018 Police in New Zealand were hacked and the radio frequency broadcasted an anti-police song. The radio played N.W.A. F*** tha Police Repeatedly.
Another recent Radio Hacks
HELP. CONNECT. SOLVE.
• Jammers– devices designed to intentionally block, jam, or interfere with authorized radio
communications (signal blockers, GPS jammers, text stoppers, etc.)
• Jammers can:– prevent your cell phone from making or receiving calls, text messages, and
emails;– prevent your Wi-Fi enabled device from connecting to the Internet;– prevent your GPS unit from receiving correct positioning signals; and– prevent a first responder from locating you in an emergency
Disruptive Technology
Presenter
Presentation Notes
Generally, “jammers” —also commonly called signal blockers, GPS jammers, cell phone jammers, text blockers, etc. — are illegal radio frequency transmitters designed to block, jam, or otherwise interfere with authorized radio communications. Jamming technology generally does not discriminate between desirable and undesirable communications. A jammer can block all radio communications on any device that operates on radio frequencies within its range (i.e., within a certain radius of the jammer) by emitting radio frequency waves that prevent the targeted device from establishing or maintaining a connection. Jammers are more than just a nuisance; they pose an unacceptable risk to public safety by potentially preventing the transmission of emergency communications. Cell phone jammers do not distinguish between social or other cell phone conversations and an emergency call to a family member or a 9-1-1 emergency responder. Similarly, GPS and Wi-Fi jammers maliciously disrupt both routine and critical communications services. Jammers could also block more than just cell phone calls; these devices could disrupt important communications services that operate on adjacent frequencies, or worse, they could disrupt all communications within a broad frequency range.
HELP. CONNECT. SOLVE.
• Anti-Jamming– Finding the source of jamming through triangulation– Changing frequencies to one that is not being jammed– Increase transmission power to overcome the jamming.
Disruption Prevention
Presenter
Presentation Notes
Radio Direction Finding (RDF), is the measurement of the direction from which a received signal was transmitted. By combining the direction information from two or more suitably spaced receivers (or a single mobile receiver), the source of a transmission may be located via triangulation. Radio direction finding is used in the navigation of ships and aircraft, to locate emergency transmitters for search and rescue, for tracking wildlife, and to locate illegal or interfering transmitters as in our use case. Defense against jamming can also be done with something called Frequency hopping which is switching frequencies over a large range of possible frequencies. This relies on the idea that it is much harder to jam a large spectrum than a single well-defined frequency. Increasing transmission power to overcome jamming will basically “drown out” the jammer. Of course, this increases energy consumption and heat dissipation, and it is not necessarily workable with all devices.
HELP. CONNECT. SOLVE.
• Device Theft Prevention– Secure holsters or belt clips– Device proximity sensors
• Device Recovery in Case of Theft– GPS in each device– Remote monitoring of device audio– Remote disabling of device
Physical Radio Security - Personal
Presenter
Presentation Notes
Similar to weapon holsters, radio holsters can be designed so that it takes a certain technique to remove the radio and so any attempts by other people would alert the radio carrier. In the case of a radio device that is used within a certain facility or certain geographical location, the radio can send alerts to central command if it is taken outside of such location using GPS technology on the radio devices themselves. This GPS technology also comes in to play when devices are lost or stolen. When a device is discovered lost or stolen its location can be determined using GPS on the device. This allows a central command to have its exact location to within potentially 2.3ft depending on satellite geometry, signal blockage, atmospheric conditions, and receiver design features/quality. With current radio technology a central command is able to remotely activate the microphone of a device if a situation arises that requires it. If the user of the device is thought to be injured, missing, or incapacitated, it can be useful to listen to gather information on their surroundings. If a device is stolen, this can allow a central command to listen to the thief themselves and their surroundings to assist in the location of the device. Along with all of this, current technologies also allow for radio devices to be remotely disabled and wiped. If a device is stolen, it can potentially be used by the thief to gather intelligence. This can be prevented by disabling the device and wiping its memory.
HELP. CONNECT. SOLVE.
• Radio sites are vulnerable to physical attacks or interference from:– Vandals– Thieves– Animals
• Robust physical security of radio site should be a priority
Physical Radio Security – Site Security
Presenter
Presentation Notes
A longtime problem for wireless-network operators has been the theft of copper used to ground systems in the case of a lightning strike. The high price of copper has made sites an attractive target for thieves. One technique to mitigate thieves is through the use of bait copper. Copper wiring that is easily reached and very visible that has no connection to the radio system itself. Radio sites are also the target of animals. During inclement weather, animals have been known to take shelter inside utility boxes and other equipment areas. This can lead to many issues if they decide to have a snack of wires or cabling.
HELP. CONNECT. SOLVE.
• Professional hackers– Black Hats – the Bad Guys– White Hats – Professional Security Experts
• Script kiddies– Mostly kids/students
• User tools created by black hats,– To get free stuff– Impress their peers– Not get caught
• Underemployed Adult Hackers – Former Script Kiddies
• Can’t get employment in the field• Want recognition in hacker community• Big in eastern european countries
• Ideological Hackers– hack as a mechanism to promote some political or ideological purpose– Usually coincide with political events
About Hackers
HELP. CONNECT. SOLVE.
• Criminal Hackers– Real criminals, are in it for whatever they can get no
matter who it hurts
• Corporate Spies– Are relatively rare
• Disgruntled Employees– Most dangerous to an enterprise as they are “insiders”– Since many companies subcontract their network
services a disgruntled vendor could be very dangerous to the host enterprise
About Hackers
HELP. CONNECT. SOLVE.
• Cyber tools & Physical tools
Tools for Hackers
HELP. CONNECT. SOLVE.
• Internet connected devices are vulnerable to attacks from inside and outside the network
• Networked radio devices are vulnerable to remote attack
Cyber Radio Security
Presenter
Presentation Notes
With the advent of digital radio and software control, there has been a widening of possible vulnerabilities in radio systems. When a radio system is internet connected, as many are, or even connected to an intranet, it becomes vulnerable to remote attack. With these types of systems, the same attack vectors that plague everyday computer systems now affect radio systems. Malware, viruses, data theft, are now concerns that must be taken into account when designing and using radio systems. While radio transmissions are in many cases encrypted, once the transmission has been decrypted on a computer or device it is now vulnerable. Mitigation of these risks include keeping all software updated to prevent a hacker from taking advantage of known vulnerabilities, making use of encryption technology and proper security practices within an intranet as insider threats must also be considered.
HELP. CONNECT. SOLVE.
Malicious Insiders
• Malicious Insider – Employee, former employee, contractor or business associate who has inside information concerning an organization’s security practices, data and/or computer systems and uses that information to cause harm.
• Stop malicious insiders by:– Limiting access to such information– Creating and enforcing comprehensive security policies– Developing a layered approach to security
Personally Identifiable Information (PII)
Sensitive information provided without awareness.
HELP. CONNECT. SOLVE.
Not Me?
HELP. CONNECT. SOLVE.
Physical Security and Cybersecurity
• Change passwords frequently
• Lock your computer when you leave
• Avoid allowing others to use your device
• Avoid visiting risk-prone web addresses that could potentially harm your device. ESPECIALLY links your do not recognize in your e-mail.
HELP. CONNECT. SOLVE.
Social Engineering: Social Media
• Do not post your location on social media; especially if you are away from home
• It is highly encouraged to use strong passwords for social media accounts
• Assure that privacy settings are up-to-date on all social media accounts• Disable your location settings when using social media applications
HELP. CONNECT. SOLVE.
• Go to www.familytreenow.com• How much information is there about you online? • Do you post information that makes you Vulnerable? • Does your family post things that someone could use to their
• Biometric Sensors• Use of new sections of radio spectrum• Advances in encryption technology
Cyber Radio Security - Future
Presenter
Presentation Notes
Biometric security is a security mechanism used to authenticate and provide access to a facility or system based on the automatic and instant verification of an individual's physical characteristics. Because biometric security evaluates an individual’s bodily elements or biological data, it is the strongest and most foolproof physical security technique used for identity verification. Biometric security is mainly implemented in environments with critical physical security requirements or that are highly prone to identity theft. Biometric security-based systems or engines store human body characteristics that do not change over an individual's lifetime. These include fingerprints, eye texture, voice, hand patterns and facial recognition. An individual's body characteristics are stored in a biometric security system or scanner, which may be accessed by authorized personnel. When an individual walks into a facility or tries to gain access to a system, the biometric scanner evaluates his/her physical characteristics, which are matched with stored records. If a match is located, the individual is granted access. Future radio frequencies may very well lead in to the Terahertz range. That’s 1000 Ghz. Its hard to say what this will exactly look like, but most likely it will result in stronger communications in adverse atmospheric conditions, faster bandwidth for data transmission and will allow for more advanced communication in space. New approaches to cryptography in the future will not just simply be longer and harder to guess strings but will have advanced features such as “Honey Encryption” where wrong guess of the key produce information that looks accurate but isn’t. A second approach is "functional encryption," where restricted secret keys enable a key holder to learn about only a specific function of encrypted data and nothing else. In a third approach, called "quantum key encryption," the quantum nature of atoms protects the data.
HELP. CONNECT. SOLVE.
• Unencrypted radio transmissions can be eavesdropped on anywhere within the radio’s range
• Devices that are controlled using radio transmissions can be remotely attacked using the same radio technology
Radio System Vulnerability
Presenter
Presentation Notes
Radio transmissions are broadcast in a wide range. Within this range, the transmission can be intercepted by inexpensive devices that can be purchased by anyone. Once these transmissions are intercepted they can be analyzed. In a case where the transmission is unencrypted, they can simply be listened to. Even encrypted transmissions may pose risks to its users. Through a technique known as Traffic Analysis, eavesdroppers can deduce information from patterns in communication. In general, the greater the number of messages observed, or even intercepted and stored, the more can be inferred from the traffic. For example, if a certain emitter is known as the radio transmitter of a certain unit, and by using direction finding (DF) tools, the position of the emitter can be found; therefore, changes of location can be monitored. We’re able to understand that this certain unit is moving from one point to another, without listening to any orders or reports. If we know this unit reports back to a command on a certain pattern, and we know that another unit reports on the same pattern to the same command, then the two units are probably related, and that conclusion is based on the metadata of the two units' transmissions, and not on the content of their transmissions. It is difficult to defeat traffic analysis without both encrypting messages and masking the channel. When no actual messages are being sent, the channel can be masked by sending dummy traffic, similar to the encrypted traffic, thereby keeping bandwidth usage constant .
