New Standards and Protocols Introduce Wireless Security Threats

Posted on December 03, 2014 by John Linkous

When I hear the term "wireless security," the first thing I think of is my 802.11 Wi-Fi-enabled router, humming along with WPA2 (and Wi-Fi Protected Setup disabled, naturally). There is a relatively low risk that anyone will be able to get to my data—at least until it routes to the Internet. What I—like many of you, probably—tend to forget about are the other, lesser known protocols and standards that can create a security nightmare.

Wireless network connections are precisely what the name implies: connectivity without a physical connection. There are numerous types of wireless protocols and standards, often developed for specific purposes. Mobile devices—particularly smartphones—provide methods of wireless connectivity that can often be initiated by either end of the connection.

When a secure, locked-down Wi-Fi authentication or encryption connection icon is displayed on a device, many people tend to think their communications are secure. But Wi-Fi implementations still have security issues, as was seen with Apple's recent fixes to prevent Wi-Fi hijacking within iOS 8.

Wi-Fi isn't the only wireless connection on the block, and it certainly isn't the only one we have to worry about when it comes to wireless security. Like Wi-Fi, both Bluetooth and NFC support bidirectional communication between systems using the same protocol. Both are additional, complementary wireless technologies to the ubiquitous 802.11 Wi-Fi standards, and they're proliferating across all types of devices: Bluetooth is standard in most new cars, and both features are used in smartphones, laptops, and tablet computers. NFC is rapidly taking off on smartphones, in particular. Apple Pay on the iPhone 6 is the latest NFC implementation.

While Bluetooth has long been a standard and many (but certainly not all) of its technical security flaws—such as "Bluesnarfing," or connecting to a Bluetooth device set to a discoverable state—have been worked out, wireless security threats still remain. "Bluejacking," for example, involves sending unsolicited messages via Bluetooth, and it can be used as a form of social engineering to convince unsophisticated users to follow the directions of an arbitrary message ("You've been infected! Go to www.FreeVirusRemover.net to clean your device!," for example.) NFC is hardly any better; multiple attacks, including man-in-the-middle (MTM) attacks, have exposed flaws that compromise NFC-enabled devices and the integrity of their communications.

Computers and smartphones aren't the only devices promulgating new wireless connection types. In these early days of the Internet of Things (IoT), we're seeing a proliferation of new wireless protocols and standards to support everyday devices. This is particularly true for home automation of lights, door locks, appliances, and anything else that clever manufacturers think of embedding with a circuit board and some logic.

While many home automation systems support either traditional 802.11 Wi-Fi networks or powerline networks that are (sort of) wired, new standards are emerging. INSTEON, a digital wireless communication protocol that can ride over top of powerlines and through the air via radio frequency (RF) modulation, is one such entry. Like other home automation protocols, it supports mesh communications and allows any device to transmit, receive, and repeat messages. Similarly, the Z-Wave protocol operates over RF. Unlike INSTEON, which views all participants in the network as peers, Z-Wave uses a controller-and-slave approach that provides centralized management.

Despite the subtle differences between these protocols and systems, the fact remains that new vulnerabilities continue to be discovered within these relatively new technologies. Last year, Forbes reported on a flaw within an early INSTEON version that allowed wireless remote control of homes using the technology . . . directly from the Internet. Z-Wave has not fared any better, with research publications and security industry presentations waxing poetic on the poor implementation of security within Z-Wave products, in spite of the fact that the protocol itself supports common security measures such as authentication and encryption.

And these are not the only examples of wireless security gone amok. As new industries embrace the concept of the IoT, the number of new protocols for wireless communication will mushroom: energy, manufacturing, transportation . . . you name it. Each of these, like every other protocol and communication standard (wireless or otherwise) will go through a painful learning experience in which security flaws will be discovered, exploited, and (hopefully) patched. Unfortunately, those growing pains will come at the expense of those who adopt these technologies first.

Contributors

John Linkous

, Technology Advisor

critical infrastructure data security hackers & threats threat intelligence

View More Blogs

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.