Penetration Testing mailing list archives

Re: Microwave/RF point to point link risk assessment


From: Mike Hale <eyeronic.design () gmail com>
Date: Sun, 8 Aug 2010 16:32:47 -0700

I can address the VSAT portion of this question, though I'm assuming
the same issues are present on other RF-based links.

VSAT traffic, by default, is not encrypted.  It is simply modulated RF
traffic sent over the air.  The same vulnerabilities found in
unencrypted WiFi are present in standard VSAT links.

There is a hitch, however.  There are a plethora of ways to modulate
and encapsulate IP traffic over RF.  I've seen VSAT systems make use
of a lot of different ones...it's really determined by the link budget
the satellite engineers calculate at the time the link is provisioned.

In order to eavesdrop on a connection, you need to figure out bitrate,
modulation, frequency, error correction type, and inversion, among
other things.  Frequency is easily found by using a spectrum analyzer.
The other values need to be 'brute forced', and that can be a pain in
the ass.  To the best of my knowledge, no device exists that can do
all these steps; however, it is *trivial*, from a technical
standpoint, to create one.

If you want to proof of concept this to your customer, simply grab a
modem (or receiver) of the type they use in the field, configure the
correct settings, and grab any traffic that is downlinked to their
end-points.

Depending on the footprint and spot-beams of the satellite, you can do
the same for the downlink to their teleport, and thereby eavesdrop on
both sides of the transmission; otherwise, you'll be limited to only
one path.

On Sun, Aug 8, 2010 at 6:30 AM, Info Sec <infoseccon () gawab com> wrote:

Hi All,

We are an Information Security consulting firm, currently doing
Risk assessment for our client on various wireless technologies
like WiMAX, CDMA, EVDO, VSAT, GPRS, point to point Microwave and
RF. We are looking for equipment/software tool useful for
testing communication security over Microwave, VSAT, and RF
links.

Point to point communication, be it wired or wireless, can be
protected using an IPSec VPN tunnel, but the client is more
interested in knowing the damage or business impact possible in the
absence of a VPN tunnel. Internet search results mainly cover
wireless testing for Wi-Fi only, not for point to point
Microwave, RF, or VSAT links. For Wi-Fi, the assessment can be
done using a laptop with Wi-Fi card, software tool, and an
access point, without any sophisticated equipment. I wonder what
equipment / software tool we need to have for point to point
microwave link assessment.

We are looking for possible methods that an adversary can use to
steal the data from the wireless link or disrupt the normal
operation. We need to demonstrate how much penetration or damage
is viable over the wireless link. We figured out the following
attacks are possible:

a) Traffic analysis attack
b) Eavesdropping
c) Denial-of-service attack
d) Black-hole attack
e) Node deprivation attack
f) Rogue access point / base station detection
g) Interference, signal jamming attack

If you have an idea about any software tool / equipment that can
help us analyze the risk over a wireless link, please do suggest it.
Feel free to share if you have any thought / experience /
methodology / reference in this regard.

Appreciate your reply. Thanks a bunch.

P.S.: Posting this message to Wireless Security and Penetration
Testing both lists.

Regards,
Steve

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
-- 
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
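As an added example (not code from Mike's post or from the original question), here is a small Python check a tester can run over payloads captured with the customer's own modem during the proof of concept Mike describes, to show the client whether the link is carrying cleartext or whether the IPsec tunnel Steve mentions is actually in effect. The 6.5 bits/byte threshold and the two sample frames are assumptions constructed for this example.

```python
import math
import hashlib

# Bits per byte above which a payload is treated as encrypted or compressed.
# Cleartext protocols (ASCII headers, padding) rarely exceed ~6.0; ESP
# payloads sit near 8.0. Assumed threshold for this example, not from the post.
ENTROPY_THRESHOLD = 6.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_frame(payload: bytes, threshold: float = ENTROPY_THRESHOLD) -> str:
    """Label one captured payload as 'cleartext' or 'likely-encrypted'."""
    return "likely-encrypted" if shannon_entropy(payload) >= threshold else "cleartext"


def audit_frames(frames):
    """Return (cleartext_count, total) for a batch of captured payloads."""
    labels = [classify_frame(f) for f in frames]
    return labels.count("cleartext"), len(labels)


def _pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    # Deterministic stand-in for an IPsec ESP payload: chained SHA-256 output.
    # Constructed sample data, not real captured traffic.
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


# Constructed sample frames: a cleartext HTTP request as it would appear on an
# unprotected VSAT downlink, and a high-entropy blob standing in for ESP.
SAMPLE_CLEARTEXT = (b"GET /index.html HTTP/1.1\r\nHost: teleport.example\r\n"
                    b"User-Agent: remote-terminal\r\n\r\n")
SAMPLE_ENCRYPTED = _pseudo_ciphertext(b"example-seed", 1024)

if __name__ == "__main__":
    for name, frame in (("http", SAMPLE_CLEARTEXT), ("esp", SAMPLE_ENCRYPTED)):
        print(f"{name}: {shannon_entropy(frame):.2f} bits/byte -> {classify_frame(frame)}")
```

A run over a real capture where most frames come back "cleartext" is the concrete business-impact evidence the client asked for; after the tunnel is deployed, the same audit should report zero cleartext frames.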


