Researcher to blow lid off 'secure' retail networks

Havelt, who will reveal more information at Black Hat Europe in mid April, said that the FHSS networks widely deployed in systems such as Motorola's Symbol product range have commonly been perceived as secure.

"FHSS used to be seen as a security mechanism as well as a way for these things to talk to each other, because it channel hops across the spectrum, so it never lingers on a single channel for a few milliseconds," he said. "Consequently, a lot of organizations that deployed FHSS networks don't follow the same security practices as they do with other wireless networks."

Frequency hopping isn't entirely random, he warned. The hop pattern, along with information such as the system ID, is broadcast in advance from the network access point in the form of beacon frames, which can be sniffed over the network.

"It's possible technically to monitor them, and find enough information by just sitting there and listening to the air to monitor these networks," he said. Once a beacon frame is detected, you can simply connect to the network. "All you need to do initially is just sit on one channel and listen."

The hack could be achieved using something as simple as a laptop, an FHSS network card, and a Universal Software Radio Peripheral. The USRP is a hardware peripheral designed to work with GNU Radio, an open source toolkit for building software-defined radios. Software-defined radio emulates the characteristics of traditional hardware radios in software, producing radios that can speak various protocols without requiring different hardware for each.
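The point Havelt makes, that a hop schedule announced in a beacon is coordination rather than confidentiality, can be shown with a toy model. The following is an added example written for this page, not code from the article, the speaker, or any vendor's product: the 16-channel plan, the beacon layout, the `system_id` and `hop_seed` fields, the way the schedule is derived from the seed and the throwaway stream cipher are all constructed for illustration. A receiver that knows no schedule parks on one channel until a beacon passes, then follows every hop; what it can then read depends only on whether the data frames were encrypted under a key the beacon never carries.

```python
"""Toy model of why a frequency-hopping schedule is not a secrecy mechanism.

Added example, not from the article, the speaker, or any vendor's protocol.
The beacon layout, the 16-channel plan, the schedule derivation and the
system_id / hop_seed fields are all constructed for illustration.
"""
import hashlib
import hmac
import random
from dataclasses import dataclass
from typing import Optional

NUM_CHANNELS = 16   # constructed; real systems hop over many more channels
BEACON_EVERY = 4    # constructed: one beacon slot in every four

@dataclass(frozen=True)
class Beacon:
    system_id: str
    hop_seed: int   # the whole hop schedule is a function of this public value

def hop_sequence(hop_seed: int, length: int) -> list:
    """Hop schedule as a deterministic function of the beaconed seed."""
    rng = random.Random(hop_seed)
    return [rng.randrange(NUM_CHANNELS) for _ in range(length)]

def _keystream(key: bytes, slot: int) -> bytes:
    return hmac.new(key, slot.to_bytes(4, "big"), hashlib.sha256).digest()

def seal(payload: str, key: bytes, slot: int) -> bytes:
    """Toy per-slot stream cipher: payload XOR HMAC-SHA256(key, slot).
    Illustrative only; a real link layer would use an authenticated cipher."""
    data = payload.encode()
    assert len(data) <= 32, "toy cipher: payloads fit in one 32-byte block"
    return bytes(a ^ b for a, b in zip(data, _keystream(key, slot)))

def unseal(sealed: bytes, key: bytes, slot: int) -> str:
    plain = bytes(a ^ b for a, b in zip(sealed, _keystream(key, slot)))
    return plain.decode(errors="replace")

def access_point_frames(beacon: Beacon, payloads: list, link_key: Optional[bytes]) -> list:
    """(slot, channel, frame) triples the toy access point puts on the air.
    Beacons go out in the clear; data is encrypted only when a link key is configured."""
    frames = []
    for slot, ch in enumerate(hop_sequence(beacon.hop_seed, len(payloads))):
        if slot % BEACON_EVERY == 0:
            frames.append((slot, ch, f"BEACON {beacon.system_id} {beacon.hop_seed}".encode()))
        elif link_key is None:
            frames.append((slot, ch, payloads[slot].encode()))
        else:
            frames.append((slot, ch, seal(payloads[slot], link_key, slot)))
    return frames

def camp_for_beacon(frames: list) -> tuple:
    """A radio with no schedule parks on one channel and waits for a beacon to pass,
    moving to the next channel only if none arrives. Returns (channels_tried, seed)."""
    for tried, channel in enumerate(range(NUM_CHANNELS), start=1):
        for _, ch, frame in frames:
            if ch == channel and frame.startswith(b"BEACON "):
                return tried, int(frame.split()[2])
    raise RuntimeError("no beacon on the air")

def follow_schedule(frames: list, hop_seed: int, link_key: Optional[bytes]) -> dict:
    """Retune every slot using the recovered schedule and try to read each data frame.
    'readable' counts frames whose content is intelligible to this receiver."""
    schedule = hop_sequence(hop_seed, len(frames))
    stats = {"data_frames": 0, "readable": 0}
    for slot, ch, frame in frames:
        if ch != schedule[slot] or frame.startswith(b"BEACON "):
            continue
        stats["data_frames"] += 1
        text = frame.decode(errors="replace") if link_key is None else unseal(frame, link_key, slot)
        if text.startswith("DATA "):
            stats["readable"] += 1
    return stats

def simulate(link_key: Optional[bytes]) -> dict:
    """Whole scenario: the AP transmits, a schedule-less radio camps for a beacon and
    then follows the hops; a legitimate station does the same but holds the link key."""
    beacon = Beacon(system_id="STORE-042", hop_seed=0xC0FFEE)        # constructed values
    payloads = [f"DATA slot={i} price-update" for i in range(200)]   # constructed traffic
    frames = access_point_frames(beacon, payloads, link_key)
    tried, seed = camp_for_beacon(frames)
    outsider = follow_schedule(frames, seed, link_key=None)
    station = follow_schedule(frames, seed, link_key=link_key)
    return {
        "channels_tried": tried,
        "seed_recovered": seed == beacon.hop_seed,
        "data_frames": outsider["data_frames"],
        "outsider_readable": outsider["readable"],
        "station_readable": station["readable"],
    }

if __name__ == "__main__":
    print("hopping only:      ", simulate(None))
    print("hopping + link key:", simulate(b"key-never-sent-in-a-beacon"))
```

Running it prints two result lines. In both runs the seed is recovered from a beacon and every one of the 150 data frames is received, because the schedule is public by design; the only figure that changes is how many of those frames the outsider can read, which drops to zero once a link key that the beacon does not carry is in use. That is the defender's takeaway from the article: hopping decides where the frames are, a key decides who can read them, and an FHSS link without the latter deserves the same segmentation and access controls as any other wireless network.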

The lack of security in many FHSS deployments means that once hacked, many of these networks could serve as critical attack vectors, he warned. "A lot of them are just plugged directly into the corporate LAN with very minimal control," Havelt said. In one of the largest corporate data breaches in history, retail group TJX found in January 2007 that its systems had been compromised via a wireless network.

Havelt expects the vulnerability to be packaged into an easily executable exploit before long. He drew a parallel with Bluesniff, an attack on the Bluetooth stack that exploited similar weaknesses in frequency-hopping radio technology and has since been packaged by the Shmoo Group.
