By: Cybrary Threat Intelligence Group (CTIG)
April 12, 2023
CTIG IoT Research
By: Cybrary Threat Intelligence Group (CTIG)
April 12, 2023
The IoT Problem
To begin a discussion about preventing stalking and surveillance, we must first talk about the Internet of Things (IoT). We begin here because the IoT has permeated modern life in countless ways and will only continue to do so. Devices that we use every day from credit card readers at the farmers market, to the tire pressure sensors on your car, are all a part of this ecosystem. While the IoT has been talked about a lot in the past few years, it is not well understood. Each of these devices represent a convenience that we take advantage of, but unlike a laptop computer, few people understand how they work - including the people who sell them. Our goal is to increase the awareness of this subject for new students as well as security professionals, and create the opportunity to understand, operate and research devices in this environment.
What makes these devices different from legacy systems that we’re used to? While they all can be described as very small computers in that they are “smart,” the similarities end there. For the sake of simplicity, they’re often designed for a single instead of a general purpose, and usually not designed to be directly interfaced with by users. And while traditional computers often rely on Wi-Fi or Ethernet connections for internet access, IoT devices use a variety of communication protocols to meet their specific needs. Smaller form factors must be more efficient, and have less of a need to communicate over longer ranges. They are more likely to be designed to operate at scale, networked with hundreds of similar devices communicating with minimal overhead. While traditional networks are built on a client/server model, IoT devices take advantage of peer-to-peer networks to extend connectivity into areas that might not have traditional infrastructure. This network topography is often referred to as a “mesh” network.
Mesh: Connecting IoT
Mesh networking is the great enabler for IoT devices. From industrial control systems to the water meter at your home, a great number of devices stretching over an extended distance can relay data among themselves and only need one link to the outside world to transport the information. That single point could be any device in the array, making the mesh network more resilient and efficient.
Let's look at mesh networking through the lens of popular consumer tracking devices. The introduction of the Tile, Galaxy Smart Tag and Apple’s AirTag have made tracking your valuable items both inexpensive and simple. These devices can make their location known to the user through mobile apps, but they don’t connect to the internet directly. Instead they work with similar devices to relay their location and identity, and whenever they come in range of any “connected” device in their meshed network, it will relay that information to a central server to which the user connects. In other words, every Apple device - desktops, laptops, tablets, phones, Apple TV and watches, all serve as a repeater for the AirTag. Hundreds of millions of devices all over the world, serving as nodes in the “Find My” network.
As an entry point to begin learning about mesh networks in general and tracking devices in particular, we examined a real-world problem that they present. While trackers serve a great benefit in maintaining contact with your valuable items, they can also be used as surveillance devices for unscrupulous individuals.
Research: Malicious Tracking
Identification of Target and Goal
Released in April 2021, AirTags were an immediate success. While the Tile had been around since 2013, those devices relied on the range offered by their bluetooth systems alone, and paired to a specific phone would only be discoverable at a range that eventually reached 100 meters. Tile did not have access to the kind of mesh network that the AirTag used until they combined forces with Amazon to join the “Sidewalk” network, which allowed them to bridge with Ring cameras and the Echo device system in May of that year. With both becoming more popular, it did not take long for news stories to emerge showing how tracking devices were being used nefariously; and these stories have sadly become more common over the last year.
In December 2022, we took note of an update that reflected Apple’s effort to limit the use of AirTags as tools for stalking. Our goal was to determine if the device was still capable of misuse, and if so, what could we do about it.
Researching the Target with OSINT
We began by first discovering what frequencies we needed to deal with, in order to determine what tools were required to begin searching for signals. To do that, we looked up the FCC ID for AirTags, as that would be our first target. The FCC report for the Air Tag is here: https://fcc.report/FCC-ID/BCGA2187
AirTags have three radios - NFC, Bluetooth, and Ultra Wideband (UWB). We could see that BT frequencies were listed, so we knew that we could detect these signals with an Ubertooth device. The frequency range is 2404.0-2478.0 and 2402.0-2480.0. If you are well versed in RD protocols, those ranges will stick out as the ranges for BTLE using different configurations. The frequency range of 6489.6-7987.2 is used by Apple’s Ultra WideBand (UWB) chip for precise location when searching for devices in close proximity. Security analysis of UWB technology is beyond the scope of this report.
Acquire multiple samples of the Target Device
In research the old saying that “two is one, and one is none” still holds true. Had we attempted to do non-destructive analysis of the trackers, this research would have been incomplete. In searching for limited capabilities, we either know how it will work out, or we leave some questions unanswered. We ended up destroying 4 AirTags, 2 Tiles, and 3 of the Samsung Smart Tag+. If we had acquired individual devices for testing, any experiment resulting in physical damage would require a replacement, adding days or weeks to the process. We sacrificed several devices taking them apart for inspection, exposure to magnetic fields, lasers, and drills. All told, we ordered 16 AirTags, 8 Tiles and 8 of Smart Tags+.
We acquired multiple Ubertooths, Yardstick Ones, Pandwa RF, BladeRFs, and Flipper Zeros. Not all researchers have the means to be so well stocked, and not all subject matter is relatively affordable. For instance, if you are researching hacking Teslas, it is unlikely most orgs would approve a purchase order for 2 cars - or even one. We mention the stock level as a frame to look at our mindset. We have a difficult problem and in solving that problem we expect to damage, break, and even explode some devices.
(An example of one phase of testing, in this case using a laser to glitch the memory of a device in an attempt to better understand its operating state.)
Use RF Isolation Techniques to capture and analyze device traffic and emissions
To create the experiment we needed consistency, and the ability to quarantine each device. This way any signal you do receive is coming from the device, and you just need to figure out what it means. Once properly isolated, we were able to read raw signal data over several days and determine the device's pattern of operation, and from this information we derived detection logic.
Below is an example of RF activity in the 2.4Ghz range without shielding, and the following images show the faraday bag in use (with common items for reference, and turned inside out to display the lining), and the captured traffic with the device and receiver both placed inside the bag. The difference is significant, as one can see.
2.4Ghz is a “busy” range, which includes Wifi, Bluetooth and other Industrial Scientific, and Medical (ISM) RF traffic. The saturation of the 2.4Ghz band, paired with privacy features of BLE makes researching protocols unnecessarily problematic.
What you’re seeing is a significant increase in observed activity, made possible by isolating the device. You may note that the numbers on the left side of the graph show the receiver is picking up less than 40 decibels (top image) while exposed, and 90 decibels while quarantined. In other words, this is like having a conversation in a car on the highway with the windows rolled down, versus the windows up. We can take in more information and understand with more precision. This is critical when capturing signals from devices that transmit at low power.
Use tools to examine, understand, and duplicate the device operational flow
We start with Ubertooth. Ubertooth is a Bluetooth development platform used for Bluetooth experimentation, monitoring, and testing. The Ubertooth tool operates in the 2.4 GHz frequency range and can detect, intercept, and analyze Bluetooth communications. It is an open-source hardware and software platform, and it is widely used in the field of blackbox reverse engineering.
Ubertooth can be used to detect AirTags by monitoring Bluetooth communications in the 2.4 GHz frequency range. When a tracker is reaching out or broadcasting its presence, the Ubertooth device can be configured to scan for the advertising packets sent by the AirTag. These packets can be captured and analyzed to determine if the AirTag is communicating with an unauthorized device or if it is being used for malicious purposes.
Codify the research into a easy to use portable device: Flipper Zero
From here we were able to port this logic into a much more versatile, mobile and fun device, the Flipper Zero. The Flipper Zero is an excellent device for interacting with several radio protocols, RFID, infrared, and the short-range protocol Near Field Communication (NFC).
Our goals for this project were several. First, we determined that the mitigations put in place by the manufacturers were not sufficient - perhaps nothing will be - and the devices could still be misused in a number of ways. From this, we felt that in the interest of personal privacy and security, we could create something for the benefit of everyone. Last but not least, we wanted to show that research into IoT and RF devices is almost exactly the same as researching a network for attack or defense, and that the same training you’ve traditionally relied on Cybrary for, applies here. If you consider the steps you take to gain entry into a network: Planning and reconnaissance, scanning and enumerating, capturing network traffic, getting a malware sample or using a POC to gain access, maintaining access, etc., these are direct correlations to the steps you see above. The major difference is in using specific tools for observing traffic, and understanding what you see.
We will follow up this procedure with detailed classes for not only this work, but more work on devices in the IoT, and RF hacking in general.