Enterprise Iot Security: Real Threats, Right Now, Ready or Not

Enterprise IoT Security
Flaws in Wireless Mice and Keyboards Let Hackers Type

on Your PC
REAL THREATS, RIGHT NOW, READY OR NOT

Vulnerability in wireless mice allows attacker to install
rootkit within 10 seconds for less than $15
MouseJack Flaw Affects Billions of Devices

www.bastille.net
Real Threats, Right Now, Ready or Not
Table of Contents
About Bastille
Its Time to Take the Blinders Off
Launched in 2014, Bastille is pioneering Internet of Things

(IoT) security with next-generation security sensors and
airborne emission detection, allowing corporations to
Bastille Networks Solves the IoT Security Dilemma
accurately quantify risk and mitigate 21st century airborne
threats. Through its patent-pending, proprietary technology,
C-Suite Protection Radio (RF) Vulnerability Protection
Bastille helps enterprise organizations protect cyber and

human assets while providing unprecedented visibility
Facility/Campus Headquarters Radio (RF) Vulnerability Protection
of wireless IoT devices that could pose a threat to

network infrastructure. For more information,
visit www.bastille.net and follow @bastillenet
Call Centers Radio (RF) Vulnerability Protection
Data Center Radio (RF) Vulnerability Protection
TSCM: Technical Surveillance Counter Measures
Space Utilization
About Bastille
on Twitter and LinkedIn.

www.bastille.net
Threats are becoming more complex as criminals look for new ways to use technology in their
quest for valuable data. As the number of connected devices grows to more than 50 billion by
2020, the IoT will provide an unprecedented expanision of new threat vectors and Enterprise
companies need to be able to respond. Bastille is providing the security solutions to allow
Enterprise companies to rapidly respond to this new threat vector.
Its Time to Take the Blinders Off

The Internet of Things is no longer a nebular IT security
concern its a fully formed enterprise threat. By 2020,
experts estimate that more than 25 percent of identified
enterprise attacks will involve IoT. Disproportionately, IoT
will account for less than 10 percent of IT security budgets.1
Second, IoT has blurred the line between personal,

operational and enterprise security. An automobiles
systems overtaken mid-drive? Its happened. FitBit hacked?
In less than 10 seconds. These are the kind of examples
that come to mind when most people think of IoT security
exploits. But, what about a FitBit accessing sensitive corporate
data or a building control system hack taking down a data
To stay ahead of this threat, smart enterprises are tackling
center? These are real, enterprise-grade threats and point
this vulnerability head on. This starts with acknowledgment
to a larger issue. The distinction between consumer and
of three key dynamics shaping the IoT security landscape:
enterprise security is an outdated construct. Companies
First, IoT security isnt an emerging threat its here.

There is nothing emerging about IoT-related security
that dont embrace this view will find themselves attractive

targets for cyberattack.
threats. In 2016, 6.4 billion connected devices (or things)
Third, WiFi security is not enough. Many companies rely
will be in use worldwide with 5.5 million new ones connecting
on secure WiFi to protect against wireless threats. But, only
every day. This means more attack vectors and more
a subset of wireless devices communicate across the RF
opportunity for exploitation.
spectrum using WiFi protocols. Billions more connect using
non-WiFi protocols, which leaves thes organizations using

these devices wide open to nefarious activity.
The sum of these dynamics equates to a threat landscape
that is broader and more dangerous than many enterprises
realize. Companies need to understand their weaknesses
in this evolving context and calibrate their security
posture accordingly.
IoT Vulnerabilities in the

Enterprise Where Are They?
IoT security vulnerabilities are everywhere across the
enterprise. They range from obvious personal devices
like employee smartphones to hidden culprits like
automated security cameras. These threats typically
fall into three categories:
Threats across the
enterprise environment.
Employee-related threats: The usual suspects are
Vendor/Contractor-related threats: Mobility has
employees laptops, tablets and smartphones. While these
transformed the service industry. Workers in construction
are often governed by BYOD and IT policies, the security
and repair, vending, delivery and other services frequently
gains of these policies are marginal at best. Fifty-one
use mobile handheld devices and RFID tracking technologies
percent of millennials in the workforce admit to knowingly
to perform tasks. Others have network access credentials.
disregarding these policies. Other threats include wearable
When Target was hacked in 2014, resulting in a massive
mobile devices (FitBit, Apple Watch, Garmin, etc) as well as
credit card data breach affecting 70 million customers, the
less conspicuous devices like wireless-enabled pacemakers
initial intrusion was traced back to an HVAC technician.
and insulin pumps.
Industrial Control-related threats: These include basic

automated building control systems like security and heating/
cooling. They also include sophisticated supervisory control
MOST VULNERABLE ENTERPRISE TARGETS

Data centers a simple 4G hotspot left behind can
be a gateway to an information goldmine
Executive offices/boardrooms an antenna in a

delivery package can put hackers in close proximity
to targets
Automated building systems hackers can easily

access HVAC, security and building access system data
Personal computer peripheral devices wireless
and data acquisition (SCADA) and distributed control systems

found in industrial sectors (electrical, water, oil and gas)
and critical infrastructure.
Why Conventional Wireless

Security Cant Touch the IoT Threat
Conventional wireless security solutions focus on perimeter
network defense. UTM, IPS, IDS and authentications solutions
are great at preventing, detecting and monitoring threats
coming over the network. But, theyre inept at protecting
against IoT-related attacks.
keyboards and mice can give uncontrolled access

to enterprise data
Bastilles sensors are installed on-premise and

link to our SaaS cloud analytics platform.
Unlike traditional IT security exploits, IoT threats gain

enterprise access through the broader RF spectrum. Its not
just a laptop or smartphone accessing corporate WiFi that
presents a threat; its any device enabled by Bluetooth,
NFC, RFID, Z-Wave, ZigBee or 2G/3G/4G protocols.
Its no longer enough to protect the perimeter. Enterprises
need to protect themselves against threats spanning the
entire RF spectrum emerging on both legacy and tomorrows
IoT protocols.
Why IoT Exposes a Fragmented

Security Posture in the Enterprise
The IoT does more than expose cybersecurity gaps;
it underscores a fragmented and outdated approach to
enterprise-wide security.
In the past, security has been a departmentalized endeavor.
Operational technology security has been within the purview
of facilities management think identity access management
(e.g. building access) and other physical security measures.
Infosec, on the other hand, has fallen under the jurisdiction
of the IT department. To make matters worse, departments
COMMON DEVICE PROTOCOLS

WiFi - wireless local area network using 2.4
gigahertz and 5 gigahertz radio bands
like sales and marketing often run their own cloud-based,

micro IT ecosystems without any internal IT security oversight.
IoT is forcing companies to take a holistic view of security
across all aspects of their operations, but there are several
Cellular - 2G, 3G, 4G, LTE
roadblocks. There are vast differences in how operational
Bluetooth/BLE - consumer mobile products and
and IT security stakeholders identify, manage and fix
wearables
Zigbee - Mesh network home automation
vulnerabilities. The processes and tools for an admin tasked

with assigning/revoking building access cards look very
different compared to ones specified for managing network
Z-Wave - Mesh networking for industrial sensing
access or data security.
DECT - Wireless headset
The problem is that IoT is blurring the lines between these
Enocean - Low-power RF
areas of the business, and some companies are already
nRF24 - Mouse/keyboard detection
exposed through a HVAC technicians mobile device that
paying the price. As mentioned earlier, it was a vulnerability

took down a retail giant. In another instance, a 4G hotspot
planted inside of a data center exposed one company to
massive data exfiltration. These are just two examples where
Its important to note that many devices connect to the RF
the disconnect between physical and IT security have
spectrum are using proprietary protocols, which means
threatened the reputation and financial health of a business.
enterprises cant get under the hood to inspect and fix

vulnerabilities that arise in their unique IT ecosystem.
Many of these device protocols were meant for a single
use including IoT-enabled light bulbs, wireless keyboards
and mice, and industrial controls like pressure sensors and
water gauges. In most instances, these devices and their
protocols dont support security patches even when the
manufacturer discovers a vulnerability.
MouseJack Case Study

MouseJack is a collection of security vulnerabilities
1. KEYSTROKE INJECTION, SPOOFING A MOUSE
affecting non-Bluetooth wireless mice and keyboards.
When processing received RF packets, some dongles
Bastilles research team tested seven vendors products
do not verify that the type of packet received matches
and discovered that it was possible for an attack to take
the type of device that transmitted it. Under normal
complete control over a victims computer using a
circumstance, a mouse will only transmit movement/
$15 dongle.
clicks to the dongle, and a keyboard will only transmit
Wireless mice and keyboards commonly communicate

using proprietary protocols operating in the 2.4GHz ISM
band. These devices work by transmitting radio frequency
packets to a USB dongle plugged into a users computer.
When a user presses a key on their keyboard or moves
their mouse, information describing the actions are then
sent wirelessly to the USB dongle. The dongle listens for
keypresses. If the dongle does not verify that the packet

type and transmitting device type match, it is possible
for an attacker to pretend to be a mouse, but transmit
a keypress packet. The dongle does not expect packets
coming from a mouse to be encrypted, so it accepts the
keypress packet, allowing the attacker to type arbitrary
commands on the victims computer.
these radio frequency packets and transmits the actions
2. KEYSTROKE INJECTION, SPOOFING A KEYBOARD
to the users computer.
Most of the tested keyboards encrypt data before
In order to prevent eavesdropping, most vendors

encrypt the data being transmitted by wireless keyboards,
however it appears that the same security was not built
into the mouse communications. The communication
between the dongle and mice tested by the research
transmitting it wirelessly to the dongle, but not all of the

dongles tested required that encryption to receive the
data. This makes it possible for an attacker to pretend
to be a keyboard, and transmit unencrypted keyboard
packets to the dongle.
team showed that there was no authentication in place,
3. FORCED PAIRING
leaving the dongle unable to determine the difference
It is possible to bypass pairing mode on some dongles
between commands originating from the users mouse
and pair a new device without any user interaction. In
and those coming from an attacker. This results in the
the case where a victim only has a mouse, but is using
ability for an attacker to pretend to be a mouse and
a dongle vulnerable to keystroke injection by spoofing
transmit their own packets to the dongle.
a keyboard, an attacker can pair a fake keyboard with
Specifics of the discovered vulnerabilities vary from

vendor to vendor, but they generally fall into one of
the dongle, and use it to type arbitrary commands on

the victims computer.
three categories.
Attacker generates
an unencrypted
keystroke sequence
Attackers USB dongle

transmits an unencrypted
keystroke sequence
Victims USB dongle receives

and types the unencrypted
malicious keystrokes
Bastille Networks Solves the IoT Security Dilemma
Bastilles
IoT security
MouseJack
Case
Study solution gives companies full situational awareness and control of all
wireless devices within their facility. Its technology tracks the location and activity of all internet
-connected and wireless devices on premise. As a result, security executives can prevent the
theft of valuable information and protect employees throughout their environment.
How
it Works
complete
control
over a victims computer using a
$15 dongle.
Bastille deploys a mesh network of proprietary radio
frequency (RF) sensors throughout the customer facility.
WirelessThese
mice sensors
and keyboards
commonly
communicate
are able to
track the location
and emissions
using proprietary
protocols
the 2.4GHzBastilles
ISM
of all wireless
devices operating
within theirin
environment.
system
sends work
updates
alerts to end-users
to help
band. These
devices
byand
transmitting
radio frequency
stop ongoing
and threats.
packets immediately
to a USB dongle
pluggedintrusions
into a users
computer.
Bastille provides the situational awareness required to:
bank financial records such as credit card details, and the
like. The top priority is keeping that data protected. The
attack vector that Call Centers are most vulnerable to are

their employees and the devices that they bring along.
Center
(RF)to
Vulnerability
Protection.
The Data
for anData
attacker
to Radio
pretend
be a mouse,
but transmit
Center contains the crown jewels for an organization. In
a keypress
packet. The dongle does not expect packets
addition to the IT equipment we think about, Data Centers
are loaded with Industrial equipment (chillers, lighting, power,
etc.) and often frequented by contractors. Many vectors

the victims
Identify wireless devices or protocols that may pose a risk commands
exposeon
a Data
Center tocomputer.
risk, and as a result, Data Center

to the environment;
security has long been the recipient of significant budget and
attention from both physical and cyber security organizations.

Prevent intruders from hacking into the facility network; Most of
the tested keyboards encrypt data before
Data Centers have the highest physical security for any
Prevent unwanted personnel from entering secure areas; transmitting it wirelessly to the dongle, but not all of the
organization, often employing mantraps, biometrics, and
In order toPrevent
prevent
eavesdropping, most vendors
dongles
tested required
that encryption
toside,
receive
the unwanted transmission (exfiltration) of
expanded
video coverage.
On the cyber
largethe
budgets
encrypt theinformation
data beingfrom
transmitted
the facility;by wireless keyboards,
however it appears that the same security was not built
data. This
makes itfor
possible
forsecurity
an attacker
to pretend
are deployed
endpoint
and intrusion
prevention
keyboard,
transmit unencrypted keyboard
for
the wired and
infrastructure.
Report on or control access and egress within the facility. to be a
into the mouse communications. The communication
C-Suite Protection Radio (RF) Vulnerability Protection. The
C-Suite has the most access to valuable information about
strategy, financial results, customers, partners, employees,
TSCM: Technical Surveillance Counter Measures. There are
many ways for bad actors to exfiltrate information from an

3. FORCED
PAIRING
organization. For example, covert transmitters can create

leaving the
unable
to determine
theexecutive
difference
anddongle
intellectual
property.
In particular,
boardrooms,
voice or data channels that are difficult to detect. These
betweensuites,
commands
originating
from
the
users
mouse
and even
homes hold,
carry,
and
publish
very sensitiveand pair a new device without any user interaction. In
devices commonly use wireless protocols at unmonitored
where a victim
only
has a mouse,
is using
and those
coming from
attacker.
This
results
in theyou are a the case
information
in bothan
oral
and written
format.
Whether
frequencies.
For data
exfiltration,
cellularbut
protocols
are the
vulnerable
to keystroke
injection by spoofing
Fortune
500 corporation
or ato
mid-sized
business,
ability for
an attacker
to pretend
be a mouse
andkeeping the a dongle
most
prevalent example
of an out-of-band
network that
protected
is a top
transmitC-Suite
their own
packets
to priority.
the dongle.
a keyboard,
an large
attacker
can pair
a fake
keyboard are
with
can move
amounts
of data.
Organizations
finding
Facility/Campus Headquarters Radio (RF) Vulnerability
it harder
and
harder
monitor
the entire
radio frequency
the dongle,
and
use
it to to
type
arbitrary
commands
on
spectrum of protocols and bands for anomalous and/or

Protection. Many organizations are interested to understandthe victims computer.
high volume exfiltration signatures.
employee behavior and what types of devices are entering
three categories.
their offices and campuses. Large organizations with sensitive

data want to know the movements of devices in their environment in order to get a holistic view of all the activity in the
radio frequency spectrum within their combined premises.
Call Centers Radio (RF) Vulnerability Protection. Call Centers
deal with very sensitive customer data such as personally
identifiable information including social security numbers,
Attacker generates
an unencrypted
Space Utilization. Enterprises are finding the benefits of

studying employee utilization of corporate spaces and typical
traffic flows through the building. Understanding space
utilization is very important for HR departments and real
estate professionals in particular. It can cut down on costs for
companies as they better understand how to properly use
floor space.


C-Suite Protection Radio (RF) Vulnerability Protection

The C-Suite has the most access to valuable information about strategy, financial results, customers, partners,
employees, and intellectual property. In particular, executive boardrooms, suites, and even homes hold,
carry, and publish very sensitive information in both oral and written format. Whether you are a Fortune 500
corporation or a mid-sized business, keeping the C-Suite protected is a top priority.
The Problem: Inconsistent Monitoring

Many critical meetings and data pass through the executive
suites and boardrooms which makes this area susceptible to
bugs, International Mobile Subscriber Identity (IMSI) catchers, and other nefarious tools used to listen and record.
Typical solutions try to solve this problem by point-in-time
methods such as bug sweeps, which prove to be very costly
and ineffective. In order to fully protect the C-Suite, the radio
frequency spectrum needs constant monitoring to understand
the transmissions of devices in the environment.
In the C-Suite, it is imperative to monitor for unauthorized
access to secured areas, based on badge level or known and
unknown employees. The boardroom is often required to be
a no-device-allowed zone, but enforcing this policy can be
time consuming, costly, and ineffective.
C-Suite vulnerabilities include:
Unauthorized employee access
Tailgating and other methods of entry to high risk areas
Rogue wireless devices and networks being used for data
exfiltration and eavesdropping through the RF spectrum.
Typical security solutions have very little visibility into the
radio frequency space allowing for no knowledge of the devices in call centers and how they are behaving, making BYOD
policy enforcement very difficult.
The Requirements for a C-Suite Radio

Security Solution
A C-Suite radio security solution needs to:
1. Provide visibility into the wireless networks, traffic, and
devices operating in your environment,
2. Inform you of the attack surface for each of these devices,
3. Alert on active wireless attacks on those devices through

your existing SIEM systems, and
4. Suggest best practices for minimizing the attack surface
and mitigating an attack in action.
Specifically, a solution must:
Detect all devices operating in the wireless spectrum
between 100 kHz and 6 GHz, to include Wi-Fi, cellular, Bluetooth, and the hundreds of other protocols in the Internet
of Things (IoT)
Capture the wider RF spectrum, not just specific protocols
Provide awareness into any wireless threats including active attacks, rogue networks, and misconfigured devices.
Have the ability to track the movement of devices, which
include radios, to augment existing security measures.
Show the movements of devices to help enforce access
policies.
Enforce company BYOD/IoT policies
Detect unauthorized access
Detect data exfiltration through wireless devices
Allow the physical security to quickly detect and localize
any malicious devices
Include geofencing capabilities to understand and protect
areas with sensitive data
Detect vulnerable devices being installed
Detect rogue cell towers which can send signals into your
C-Suite
What kinds of organizations need

this solution?
All organizations have centralized meeting facilities and executive office suites where sensitive matters are housed.
Facility/Campus Headquarters Radio (RF) Vulnerability

Protection
MouseJack
Case Study
Many organizations are interested to understand employee behavior and what types of devices are entering
their offices and campuses. Large organizations with sensitive data want to know the movements of devices
in their
environment
in order
to get a holistic view of1.all
the activityINJECTION,
in the radio
frequencyA spectrum
MouseJack
is a collection
of security
vulnerabilities
KEYSTROKE
SPOOFING
MOUSE within
combinedwireless
premises.
affectingtheir
non-Bluetooth
mice and keyboards.
$15 dongle.
Currently organizations do not have an all-inclusive view
Specifically,
a solution
must:
clicks to
the dongle,
and a keyboard
will only transmit
and mitigating
anwill
attack
in transmit
action. movement/
The
Problem:
Not allcomputer
Devices using
are Recognized
complete
control
over a victims
a
circumstance,
a mouse
only
into the wireless devices and traffic in their corporate office keypresses.
If the
dongleoperating
does notinverify
that the
packet
Detect
all devices
the wireless
spectrum
Wirelessenvironments.
mice and keyboards
commonly
communicate
In order to
protect from
the emerging threatstype andbetween
100 kHz
and 6type
GHz, match,
to include
Wi-Fi,
cellular, Bluetransmitting
device
it is
possible
using proprietary
operating
in thecampuses
2.4GHz ISM
associated protocols
with the wireless
spectrum,
must first for an attacker
tooth, and
the hundreds
protocols
in the Internet
to pretend
to beofa other
mouse,
but transmit
band. These
devices
byand
transmitting
frequency
recognize
the work
devices
protocols inradio
their airspace.
of
Things
(IoT)
from
Capture
the overall
wider
RF spectrum,
just specific
coming
a mouse
to be
encrypted,
so itnot
accepts
the
Understanding employees patterns and their associated
protocols
devices gives a view into the insider threat scenario. Rogue keypress packet, allowing the attacker to type arbitrary
their mouse,
information describing the actions are then
devices, data exfiltration, misconfigured equipment, person- commands
on the
victimsinto
computer.
Provide
awareness
any wireless threats including acsent wirelessly
to the USB
dongle.
dongle
listens
forvia
nel accountability,
and
insiderThe
threats
are all
possible
tive attacks, rogue networks, and misconfigured devices
these radio
frequency
packets
and transmits
the actions
nefarious
devices.
Additionally,
this data helps
the corporate2. KEYSTROKE INJECTION, SPOOFING A KEYBOARD
real estate
department understand traffic flows and workto the users
computer.
place productivity to help with future real estate planning.
In order to prevent eavesdropping, most vendors
Facility/Campus
Headquartersby
Security
Vulnerabilities
encrypt the
data being transmitted
wireless
keyboards,
howeverinclude:
it appears that the same security was not built
Unauthorized
devices on premises
into the mouse
communications.
The communication
between the
dongle in
and
mice tested
by the research
Individuals
unauthorized
areas
include radios, to augment existing security measures

policies
data. This makes it possible for an attacker to pretend
Enforce company
BYOD/IoT
policy
to be a keyboard,
and transmit
unencrypted
keyboard
to
Detect
access
packets
the unauthorized
dongle.
3. FORCED PAIRING
team showed
that there was no authentication in place,
The wireless threat surface associated with the devices in
Allow the physical security to quickly detect and localize
leaving thethe
dongle
unable to determine the difference
RF spectrum
Improperly configured devices which can leave an open
any malicious devices

and those gateway
coming for
from
an attacker. This results in the
attackers to eavesdrop on activities and other
areas with sensitive data
ability for an
attacker
to pretend to be a mouse and
nefarious
activities
Detect
devices
installed
a keyboard,
anvulnerable
attacker can
pairbeing
a fake
keyboard with
transmit their own packets to the dongle.
The Requirements for a Facility Radio

Security Solution
Detect
cell
which cancommands
send signalson
into your
the dongle,
androgue
use it
totowers
type arbitrary
facility
the victims
computer.
An office facility radio security solution needs to:
three categories.
Provide visibility into the wireless networks, traffic, and

Inform you of the attack surface for each of these devices,
What kind of organizations need this

solution?
Fortune 2000, financial services, technology and other companies that manage their own data centers.
Alert on active wireless attacks on those devices through

Suggest best practices for minimizing the attack surface
Attacker generates
an unencrypted


Call Centers Radio (RF) Vulnerability Protection

Call Centers deal with very sensitive customer data such as personally identifiable information including social
security numbers, bank financial records such as credit card details, and the like. The top priority is keeping that
data protected. The attack vector that Call Centers are most vulnerable to are their employees and the
devices that they bring along.
The Problem: Complexity and Volume

Call centers handle large volumes of requests by telephone
The Requirements for a Call Center Radio

Security Solution
daily. Many of those requests involve the transfer of highly
A call center radio security solution needs to:
sensitive data and records. Call center protection has become

very complex with the influx of wireless devices that can
easily capture records for data exfiltration. Centers want
their employees to be device free in order to guard against
unauthorized activities, but accomplishing this goal is a challenge.
Some of the unauthorized activities include bringing devices
into an area that is not approved for cell phones or laptops.
For example, an employee with a cell phone or other wireless
device can take pictures of sensitive data displayed on a
monitor and backhaul it out of the center.
Call center security vulnerabilities include:
Rogue wireless devices and networks being used for data exfiltration. Security teams have little visibility into the Radio Frequency Spectrum; therefore monitoring the influx of devices into
call centers is difficult.
Improperly configured devices. Unencrypted DECT headsets
and devices using other protocols leave an open gateway for
attackers to eavesdrop on activities.
DECT Network Scanning:
The nature of DECTs base-station selection criteria means
the FP constantly transmits RFPI information, easily exposing it to network discovery and scanning attacks. In these
attacks, attackers are able to identify and eavesdrop on the
activity of DECT networks.
Many DECT devices do not implement the optional encryption capabilities available in the DECT Standard Cipher
(DSC) algorithm. Further, it is very difficult for consumers
to know if their selected DECT hardware supports encryption, leaving many consumers and businesses vulnerable
to audio recording and eavesdropping attacks.
Typical security solutions have very little visibility into the
radio frequency space allowing for no knowledge of the
devices in call centers and how they are behaving, making
BYOD policy enforcement very difficult.
Provide visibility into the wireless networks and traffic

operating in your environment,
Inform you of the devices in your environment and their
behaviors,
Alert on active wireless attacks on those devices through your
existing SIEM systems, and Suggest best practices for minimizing the attack surface and mitigating an attack action.
between 100 kHz and 6 GHz, to include Wi-Fi, cellular, Bluetooth, and the hundreds of other protocols in the Internet
of Things (IoT)
Provide awareness of any wireless threats including active
attacks, rogue networks, and misconfigured devices
Ingress and egress detection: Have the ability to track the
movement of devices, both authorized and unauthorized,
which include radios, to augment existing security measures
policies
specific areas
Detect misconfigured devices
Enforce company BYOD/IoT policy
What kind of organizations need this

solution?
Call Centers and organizations with wireless headsets that
handle sensitive/ confidential data.
Data Center Radio (RF) Vulnerability Protection

The Data Center contains the crown jewels for an organization. In addition to the IT equipment we think
MouseJack
Case Study
about, Data Centers are loaded with Industrial equipment (chillers, lighting, power, etc.) and often frequented
by contractors. Many vectors expose a Data Center to risk, and as a result, Data Center security has long been
the recipient of significant budget and attention from both physical and cyber security organizations. Data
Centers have the highest physical security for any organization, often employing mantraps, biometrics, and
processing received RF packets, some dongles
expanded video coverage. On the cyber side, large When
budgets
are deployed for endpoint security and intrusion
Bastillesprevention
research team
tested
seven
vendors
products
do
not
verify
that the type of packet received matches
for the wired infrastructure.
$15 dongle.
However, there is an attack vector capable of penetrating Data Center walls and bypassing the firewalls,
complete control over a victims computer using a
namely radio frequency (RF) based attacks.
Wireless mice and keyboards commonly communicate
The Problem:
Unprotected
Devices
using proprietary
protocols
operating inWireless
the 2.4GHz
ISM
Data devices
Centers consist
of transmitting
many computers,
industrial
equipband. These
work by
radio
frequency
anddongle
personnel,
all having
that may
packets ment,
to a USB
plugged
intocomponents
a users computer.
communicate wirelessly. These wireless devices operate on
a variety of wireless protocols, which are susceptible to a

variety of attacks.
Security
professionals
need
totransmits
lock down the
threat
vectors in
these radio
frequency
packets
and
actions

type and
device
type match,
it is possible
in a transmitting
Data Center makes
it possible
to minimize
the wireless
for anattack
attacker
to pretend to be a mouse, but transmit
surface.
Data center security vulnerabilities include:
Rogue wireless devices and networks being used for Data

Exfiltration
Typical exfiltration prevention techniques involve monitoring
2. KEYSTROKE
INJECTION,
SPOOFING
A the
KEYBOARD
corporate
networks and
preventing
use of USB ports for
Data computer.
Centers. Rogue devices, data exfiltration, misconfiguredMost of storage.
the tested
keyboards
encrypt
data
However,
by utilizing
cellular
or before
other hard to see
to the users
equipment, personnel accountability, and insider threats aretransmitting
protocols,
attackers
can
bypass
these
controls.
it wirelessly to the dongle, but not all of the
nefarious devices.
In orderall
topossible
preventvia
eavesdropping,
most vendors
encrypt the data being transmitted by wireless keyboards,
Company controlled Wi-Fi networks may be protected to
howeversome
it appears
that the same security was not built
extent by existing products, but other wireless traf-
Nefarious devices such as pwn plugs and pineapples that
data. This
makes
it possible
attackersteal
to pretend
are
left in Data
Centersfor
to an
specifically
data and backhaul that data
over cellular.
to be a keyboard,
andout
transmit
unencrypted keyboard
into the fic

mouse
communications.
is largely
a blind spot. In a The
Datacommunication
Center environment, an packets
the dongle.
to
Improperly
configured devices
betweenattacker
the dongle
and
mice
tested
by
the
research
exfiltrating data over LTE could easily go undetected
Network infrastructure, e.g. a laptop connected to the
because
no there
traffic was
is going
the Data Centers
network. 3. FORCED PAIRING
team showed
that
no over
authentication
in place,
network, has an open Bluetooth stack beaconing for a
Data Center operators are not always aware of the wireless

transceivers in the equipment they control. More equipment
keyboard.
Data Center equipment can employ proprietary or indus-
and those
coming
from
an attacker.
This ready
resultscontrol
in thesystem in the case where a victim only has a mouse, but is using
today
is being
shipped
with a radio
try ICS protocols for managing aspects of the equipment
a
dongle
vulnerable to keystroke injection by spoofing
ability for
an
attacker
to
pretend
to
be
a
mouse
and
addition to the Ethernet or Console control system that the
or environment. Security professionals have no visibility
attacker
a fakeand
keyboard
with
transmitData
theirCenter
own packets
toemploy.
the dongle.
intends to
However, we have found thata keyboard,
into an
these
devicescan
andpair
protocols
if they are
properly
and use it to type arbitrary commands on
the radio control system, Zigbee or Z-Wave for example, is the dongle,
configured.
Specificsusually
of thedefault
discovered
vulnerabilities
from default the victims computer.
ON when
it is shipped.vary
In addition,
vendor to
vendor,(0000)
but they
generally
fallsimple
into one
of from a
passwords
are used
that are
to find
Google search. As a result, without the knowledge of Data

three categories.
Center personnel who arent using it, the Radio Ready client
is constantly beaconing for a radio controller to pair with it
Employees and contractors who unknowingly carry a compromised cell phone, which once attached to an internal
Wi-Fi network, open a 4G channel and begin beaconing out
packets to the attackers abroad.
and give it instructions. For instance, a misconfigured ZigBee
Typical security solutions have no visibility into what devices
interface on a chiller could enable an attacker to interrupt
exist and operate within the radio frequency, let alone if they
Data Center operations. Knowledge of all wireless transmitters
are doing something nefarious.
Attacker
Attackers
USB
dongle
Victims
USB dongle
receives
By 2020,generates
more than 25 percent of
identified
attacks
in enterprises
will involve
IoT. Gartner
an unencrypted
The Requirements for a Data Center

Radio Security Center Solution
A Data Center radio security solution needs to:
Be always on
Detect unauthorized devices entering the Data Center

Inform you of the attack surface for each of these devices,
Alert on active wireless attacks on those devices through
Suggest best practices for minimizing the attack surface and
mitigating an attack in action.
Detect all devices operating in the wireless spectrum between 100 kHz and 6 GHz, to include Wi-Fi, cellular, Bluetooth, and the hundreds of other protocols in the Internet
of Things (IoT)
Capture wider spectrum not just specific protocols
attacks, rogue networks, and misconfigured devices.
include radios, to augment existing security measures.
policies.
the location(s) of a customers servers within a colocation

facility

Detect anomalous wireless activity originating from the Data
Center (independently from the protocol)
Detect misconfigured devices
Enforce company BYOD/IoT policy
Alert on a wireless attack surface introduced by the installation of new equipment in the Data Center, e.g. an HVAC
system with Zigbee or a MouseJack vulnerable keyboard
facility
What kind of organizations need

this solution?
Fortune 2000, financial services, technology, and other companies that manage their own Data Centers
Data Center companies (hosting providers, etc.)
Cloud infrastructure providers

Detect data exfiltration via wireless devices (large volume
of wireless data leaving the Data Center premises over the
cellular network)
Allow the Data Center operator to quickly detect and localize
any malicious LTE or 3G modems
Billions of Internet-connected devices already have created opportunities for cybercriminals. Tech
companies have stepped up security measures for smartphones, computers and tablets. But
other web-connected devices, such as thermostats, smart refrigerators and wearables have
received less attention. That lag has created dangerous vulnerabilities. Wall Street Journal
TSCM: Technical Surveillance Counter Measures
There are many ways for bad actors to exfiltrate information from an organization. For example, covert transThese devices commonly use wireless
protocols at unmonitored frequencies. For data exfiltration, cellular protocols are the most prevalent example of an out-of-band network that can move large amounts of data. Organizations are finding it harder and
harder to monitor the entire radio frequency spectrum of protocols and bands for anomalous and/or high
volume exfiltration signatures.
MouseJack
Case Study
mitters can create voice or data channels that are difficult to detect.
complete
control
over a victims
computer
using a are
The
Problem:
Surveillance
Devices
Informayou
of thewill
attack
surface
for each
of these devices
circumstance,
mouse
only
transmit
movement/
$15 dongle.
Easy to Obtain
devices are commonly

becoming cheaper
and easier to
WirelessSurveillance
mice and keyboards
communicate
access. There are countless numbers of inexpensive bugs,
using proprietary protocols operating in the 2.4GHz ISM
Alert
on activeand
wireless
attacks on
through
clicks to
the dongle,
a keyboard
willthose
onlydevices
transmit
yourIfexisting
SIEM systems
keypresses.
the dongle
does not verify that the packet
Suggest
best practices
minimizing
attack surface
type and
transmitting
device for
type
match, itthe
is possible
and mitigating an attack in action

pwn plugs, and listening devices that can be purchased over for an attacker to pretend to be a mouse, but transmit
Operate
7 x The
24 todongle
catch out-of-hours
transmission
of data
packet.
does not expect
packets
the counter and over the Internet. They can be installed, havea keypress
band. These devices work by transmitting radio frequency
packets their
to a USB
dongle plugged into a users computer.
own computers, and have their own cellular backhaul
When a user
presses
a key on
theirare
keyboard
moves
prepaid
chips. These
devices
not goingor
over
the wire,
coming
from a mouse to be encrypted, so it accepts the

their mouse,
information
describing
actionssystems.
are then
through
normal security
teams the
monitoring
Instead,commands on the victims computer.
between 100 kHz and 6 GHz, to include Wi-Fi, cellular,
the devices
backhaul
the data The
through
unmonitored
protocols.
sent wirelessly
to the
USB dongle.
dongle
listens for
Bluetooth, and the hundreds of other protocols in the
these radio
frequency
packets
and transmits
the actions
Typically,
when an
organization
needs to conduct
a bugInternet of Things (IoT)
to the users
computer.
sweep,
they hire an outside firm to do a one-time, point-in- Most of the tested keyboards encrypt data before
Detect current and future protocols without requiring
time sweep that is rendered obsolete once the firm leaves. transmitting it wirelessly to the dongle, but not all of the
hardware upgrades
In orderThis
to prevent
eavesdropping,
most vendors
is not only
costly and time consuming,
but also very
Detect known and unknown emitters via observing energy

encrypt the
data being
transmitted
wireless keyboards,
disruptive.
Unfortunately,
mostby
corporations
only use bug- data. This makes it possible for an attacker to pretend
patterns
once that
per quarter,
or in
close proximity
a sensitive to be a keyboard, and transmit unencrypted keyboard
howeversweeps
it appears
the same
security
was nottobuilt
or event, leaving themselves

susceptible to attack.
into the moment
mouse communications.
The communication
packets to
the dongle.
attacks and rogue networks
betweenTechnical
the dongle
and
mice
tested
by
the
research
Surveillance vulnerabilities Include:
Detect data exfiltration via wireless devices
3. FORCED PAIRING
team showed
that
there was
no and
authentication
in place,
Rogue Wireless
Devices
Networks being
used for Data
leaving theExfiltration
dongle unable to determine the difference
Be always on
Detect unauthorized devices

and pair
a new device without any user interaction. In
between commands
originating from the users mouse
Typical exfiltration prevention techniques involve monitor Detect vulnerable devices being installed
and those ing
coming
fromnetworks
an attacker.
This results
the
corporate
and preventing
the in
use
of USB portsthe case where a victim only has a mouse, but is using
Detect anomalous wireless activity originating from the

ability for an
to pretend
be a cellular
mouseor
and
forattacker
storage. However,
by to
utilizing
other hard to a dongle vulnerable to keystroke injection by spoofing
campus
see own
protocols,
attackers
bypass these controls
transmit their
packets
to thecan
dongle.
Alert on a wireless attack surface introduced by the instal Nefarious devices such as pwn plugs and pineapples that the dongle, and use it to type arbitrary commands on
lation of new equipment
are left to specifically steal data and backhaul that data outthe victims computer.
over cellular
three categories.
Unauthorized video systems planted in an organization
facility
The Requirements for a Technical

Surveillance Counter Measure Solution
What kinds of organizations need this

solution?
A TSCM security solution needs to:
Fortune 2000, financial services, technology, and other

devices operating in your environment
Attacker generates
an unencrypted
companies with sensitive data or high risk areas.


Space Utilization
Enterprises are finding the benefits of studying employee utilization of corporate spaces and typical traffic
flows through the building. Understanding space utilization is very important for HR departments and real estate
professionals in particular. It can cut down on costs for companies as they better understand how to properly
use floor space.
With the ability to monitor where people are at any given time based on the devices that theyre carrying, a
corporation can look into the actual usage of the space, how it was designed and how it was planned, versus
how it is actually being used. This can allow them to increase productivity and efficiency by analyzing the use
of that space and then changing the way it is used. Further, by monitoring people passively based on the
devices they carry, the movement of visitors and not just employees can be tracked.
The Problem: Employee Badge Monitoring

Systems Provide an Incomplete Picture
Building owners and landlords want to understand how
their properties are used through out the day and the week.
Employee badge systems only provide part of the answer as
they dont include visitors and they rarely capture intra-building
movement or egress events. It is common for organizations
to hire consulting firms to collect data on how employees
use corporate spaces. This is typically a manual process that
involves sending a person on site to observe employees over
several days then run reports on floor plan use. Unfortunately,
this sort of assessment is expensive, covers a single or a few
points in time and is not very accurate.
Space utilization problems include:
Improper use of building space
Monitor 24 x 7 to show activity inside and outside normal

hours of operation
Work passively and not require building users to carry a
special device
between 100 kHz and 6 GHz, to include Wi-Fi, cellular,
Bluetooth, and the hundreds of other protocols in the
Internet of Things (IoT)
Allow for continuous, persistent monitoring of how a space
is utilized by observing wireless device movements
Show employee ingress and egress in aggregated form
for predetermined areas in the environment, creating the
ability to track room usage, traffic flow, and employee
congregation areas
Improper use of building amenities
Be always on
Space under-utilization and inefficiencies over time, both
Give better understanding of employee patterns of life
within and outside normal business hours.

Traffic flow
The Requirements for a Space

Utilization Solution
A space utilization solution needs to:
Provide visibility into the whereabouts of employees,
visitors, and their devices on a corporate campus
Give real-time updates of space usage
Provide reports that can be used to set better building
procedures
including: who met with whom and when, where people

spend the majority of their time, and when a person enters
a restricted area
Use machine learning algorithms to group devices into RF
personas so that mapping can occur between devices and
people
What Kinds of Organizations Need

this Solution?
Landlords, building owners and organizations that are
nterested in understanding how their corporate spaces
are occupied and used inside and outside normal
business hours.
Securing Enterprise Assets from IoT Risks

Its not difficult to make a business case for IoT security. Most
enterprises are critically vulnerable without the millions of
new mobile devices and sensors coming online each day.
When we factor in the exponential impact of IoT, the attack
surface becomes shockingly porous. Consider this:
Visibility into these threats is crucial. Enterprises need tools

that will help them identify airborne threats and allow for
preemptive response. Which devices are accessing corporate
air space? Where? What protocols are they using? Are they
permitted? Who do they belong to? This scale of ambient
detection enables security teams to see IoT risks in real time
and mitigate them before an attack transpires.
Among organizations with over 5,000 computers, more

than 90 percent have an active breach at any given time.3
Approximately 90 percent of all IT networks will have an
IoT-based security breach within the next two years.
More than half of IoT device manufacturers are unable

to address product threats stemming from weak security
practices.5
To solve these challenges, CISOs must have an active role in
Enterprises that arent already tackling the IoT security threat

should be warned. IoT has opened the door to countless vulnerabilities across all facets of the business. The IoT security
threat is here and evolving at a pace that is unprecedented.
Staying ahead of it is crucial to the health of the business.
1
manage and neutralize IoT-related threats at every juncture
Source: TechCrunch.com, Why Breach Detection Is Your New Must-Have,

Cyber Security Tool, November 2014
all C-level stakeholders. CISOs need to develop and champion holistic, enterprise-wide security strategies that monitor,
Source: Garner, Inc., Press Release Gartner Says 6.4 Billion Connected Things
Will Be in Use in 2016, Up 30 Percent From 2015, November 2015
shaping and executing business strategy. Security is no longer an IT or operational conversation; its one to be had with
Source: Gartner, Inc., Predicts 2016: Security for the Internet of Things, December 2015
Source: IDC, Press Release IDC Reveals Worldwide Internet of Things Predictions for 2015, December 2014
Source: Gartner, Inc., Predicts 2016: Security for the Internet of Things, December 2015
across the organization.
IoT will be full of security vulnerabilities. The majority of the people coding these things have
less security training than the average [person]. InfoWorld
About Bastille
Launched in 2014, Bastille is pioneering Internet of Things (IoT)

MouseJack
Case Study
security with next-generation security sensors and airborne emis-
sion detection, allowing corporations to accurately quantify risk and

mitigate 21st century airborne threats. Through its patent-pend-
MouseJack
is a collection of security vulnerabilities
ing, proprietary technology, Bastille helps enterprise organizations
affecting
non-Bluetooth
micewhile
and keyboards.
About
Bastille
protect
cyber
and wireless
human assets
providing unprecedented
Bastilles
research
team
seven
vendors
products
visibility
ofinwireless
IoT devices
that
could
pose
a of
threat
to network
Launched
2014, tested
Bastille
is pioneering
Internet
Things
(IoT)
security
next-generation
security
sensors
and
infrastructure.
more
information,
visit
www.bastille.net
and
and discovered
thatwith
itFor
was
possible
for an
attack
to take
airborne
emission detection,
allowing
corporations to
follow
@bastillenet
on Twitter
and LinkedIn.
complete
control
over a victims
computer
using a
accurately quantify risk and mitigate 21st century airborne
$15 dongle.
threats. Through its patent-pending, proprietary technology,
Bastille helps enterprise organizations protect cyber and
Wireless
mice and
keyboards
commonly
communicate
human
assets
while providing
unprecedented
visibility
using proprietary
protocols
in thea 2.4GHz
of wireless IoT
devices operating
that could pose
threat toISM
network
infrastructure.
more information,
band. These
devices
work by For
transmitting
radio frequency

for an attacker to pretend to be a mouse, but transmit
a keypress
honored as a Top 100 winner
in the Redpacket.
HerringThe
2016dongle
Awards.does
visit www.bastille.net andBastille
follow @bastillenet
not expect packets
Herring.
Thea variety,
coming
from
mousedepth,
to be disruption
encrypted, so it accepts the
on Twitter and LinkedIn. Alex Vieux, publisher and CEO of Red
When a user presses a key on their
keyboard
and traction
we or
sawmoves
from the earlykeypress
stage companies
to
those
with
packet, allowing thesignificant
attacker to type arbitrary
their mouse, information describing
the actions
are
scale made
it one of
thethen
toughest vintages to judge. The North America winners
are The
representative
of thefor
amazing ecosystem that never ceases to astound,
sent wirelessly to the USB dongle.
dongle listens
with new and experienced entrepreneurs
continuing
to push theSPOOFING
barriers of A KEYBOARD
2. KEYSTROKE
INJECTION,
innovation. As one of the winners, Bastille should be proud of its accomplishment

under such strong competition.

In order to prevent eavesdropping,
most
vendors
tested
required that
encryption to receive the
Bastille has been named one of 10 dongles
finalists for
RSA Conference
Innovation
encrypt the data being transmitted

by wireless
keyboards,
Sandbox
Contest 2016
for its work data.
to secure
Enterprise
through
Thisthe
makes
it possible
fordetection
an attacker to pretend
andsecurity
mitigation
of not
threats
from wireless Internet of Things (IoT) devices.
however it appears that the same
was
built
to be a keyboard, and transmit unencrypted keyboard
On The
Monday,
February 29, 2016, Bastille had the opportunity to showcase its
into the mouse communications.
communication
innovative information security technology to the Innovation Sandbox Contest

panel of judges for a chance to be named RSAC Most Innovative Startup 2016.
3. FORCED PAIRING
and those coming from an attacker. This results in the
ability for an attacker to pretend to be a mouse and
Bastille has been named to the list of Cool Vendors; in the Gartner Cool
Vendors in Cloud and Emerging Technology Security, 2016 1 report by Gartner,

Inc. Bastille was recognized for its groundbreaking IoT security solution that

transmit their own packets to the
dongle.
detects
and analyzes data transmitted via radio frequencies at 60MHz 6GHz
the
dongle, and use it to type arbitrary commands on
and alerts companies of anomalous
behavior
the victims computer.
three categories.
1000 MARIETTA ST #224, ATLANTA, GA 30318 | info@bastille.net | 800.616.4741

2016 BASTILLE NETWORKS. ALL RIGHTS RESERVED.
Attacker generates
an unencrypted


Enterprise Iot Security: Real Threats, Right Now, Ready or Not

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Enterprise Iot Security: Real Threats, Right Now, Ready or Not

Загружено:

Авторское право:

Доступные форматы

Enterprise IoT Security

Flaws in Wireless Mice and Keyboards Let Hackers Type

REAL THREATS, RIGHT NOW, READY OR NOT

MouseJack Flaw Affects Billions of Devices