T0860 Wireless Compromise
Adversaries may perform wireless compromise as a method of gaining communication with, and unauthorized access to, a wireless network. Access to a wireless network may be gained through the compromise of a wireless device. [2][1] Adversaries may also utilize radios and other wireless communication devices operating on the same frequency as the wireless network. Wireless compromise can be used as an initial access vector from a remote distance.
A Polish student used a modified TV remote controller to gain access to and control over the Lodz city tram system in Poland. [4][5] The remote controller device allowed the student to interface with the tram network to modify track settings and override operator control. The adversary may have accomplished this by aligning the controller to the frequency and amplitude of IR control protocol signals. [3] The controller then enabled initial access to the network, allowing the capture and replay of tram signals. [4]
Item | Value |
---|---|
ID | T0860 |
Sub-techniques | |
Tactics | TA0108 |
Platforms | Control Server, Field Controller/RTU/PLC/IED, Input/Output Server |
Version | 1.2 |
Created | 21 May 2020 |
Last Modified | 30 March 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
C0020 | Maroochy Water Breach | In the Maroochy Water Breach, the adversary used a two-way radio to communicate with and set the frequencies of Maroochy Shire’s repeater stations. [8] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M0802 | Communication Authenticity | Do not inherently rely on the authenticity provided by the network/link layer (e.g., 802.11, LTE, 802.15.4), as link layer equipment may have long lifespans and protocol vulnerabilities may not be easily patched. Provide defense-in-depth by implementing authenticity within the associated application-layer protocol, or through a network-layer VPN. [7] Furthermore, ensure communication schemes provide strong replay protection, employing techniques such as timestamps or cryptographic nonces. |
M0808 | Encrypt Network Traffic | Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications. |
M0806 | Minimize Wireless Signal Propagation | Techniques can include (i) reducing transmission power on wireless signals, (ii) adjusting antenna gain to prevent extensions beyond organizational boundaries, and (iii) employing RF shielding techniques to block excessive signal propagation. [6] |
M0813 | Software Process and Device Authentication | Ensure wireless networks require the authentication of all devices, and that all wireless devices also authenticate network infrastructure devices (i.e., mutual authentication). For defense-in-depth purposes, utilize VPNs or ensure that application-layer protocols also authenticate the system or device. Use protocols that provide strong authentication (e.g., IEEE 802.1X), and enforce basic protections, such as MAC filtering, when stronger cryptographic techniques are not available. |
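The following is an added illustration of M0802 and is not part of the ATT&CK page: an application-layer framing scheme that authenticates each command with an HMAC and rejects replayed or stale frames using a sequence number and a timestamp window. The key, the `SET_SWITCH_3=LEFT` payload and the field sizes are constructed for the example, not taken from any real tram or ICS protocol.

```python
import hmac
import hashlib
import struct

HDR = struct.Struct(">QQ")   # 8-byte sequence number, 8-byte Unix timestamp
TAG_LEN = 32                 # HMAC-SHA256 tag length

def seal(key: bytes, seq: int, ts: int, payload: bytes) -> bytes:
    """Sender side: frame = header || payload || HMAC(key, header || payload)."""
    body = HDR.pack(seq, ts) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    """Verifies the MAC first, then rejects stale timestamps and non-increasing sequence numbers."""
    def __init__(self, key: bytes, window_s: int = 30):
        self.key = key
        self.window_s = window_s
        self.last_seq = -1   # highest sequence number accepted so far

    def accept(self, frame: bytes, now: int):
        if len(frame) < HDR.size + TAG_LEN:
            return False, "short"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return False, "bad-mac"
        seq, ts = HDR.unpack(body[:HDR.size])
        if abs(now - ts) > self.window_s:           # timestamp outside the accepted window
            return False, "stale"
        if seq <= self.last_seq:                    # bytes captured earlier and sent again
            return False, "replay"
        self.last_seq = seq
        return True, body[HDR.size:]

def demo():
    """Constructed scenario: a legitimate command, its replay, a forged copy and a stale copy."""
    key = b"\x01" * 32      # constructed demo key; real deployments provision per-device keys
    rx = Receiver(key)
    now = 1_700_000_000
    frame = seal(key, seq=1, ts=now, payload=b"SET_SWITCH_3=LEFT")
    results = {}
    results["valid"] = rx.accept(frame, now)[0]
    results["replay"] = rx.accept(frame, now + 5)[1]             # identical bytes re-sent
    forged = frame[:-TAG_LEN - 4] + b"RGHT" + frame[-TAG_LEN:]   # payload altered, tag unchanged
    results["forged"] = rx.accept(forged, now)[1]
    results["stale"] = rx.accept(seal(key, 2, now, b"x"), now + 3600)[1]
    return results

if __name__ == "__main__":
    print(demo())
```

The link layer is never consulted here, which is the point of the mitigation: a frame captured over the air and re-sent later is rejected even if the radio accepts it.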
Detection
ID | Data Source | Data Component |
---|---|---|
DS0015 | Application Log | Application Log Content |
DS0028 | Logon Session | Logon Session Creation |
DS0029 | Network Traffic | Network Traffic Flow |
References
- [1] Alexander Bolshev. (2014, March 11). S4x14: HART As An Attack Vector. Retrieved January 5, 2020.
- [2] Alexander Bolshev, Gleb Cherbov. (2014, July 8). ICSCorsair: How I will PWN your ERP through 4-20 mA current loop. Retrieved January 5, 2020.
- [3] Bruce Schneier. (2008, January 17). Hacking Polish Trams. Retrieved October 17, 2019.
- [4] John Bill. (2017, May 12). Hacked Cyber Security Railways. Retrieved October 17, 2019.
- [5] Shelley Smith. (2008, February 12). Teen Hacker in Poland Plays Trains and Derails City Tram System. Retrieved October 17, 2019.
- [6] DHS National Urban Security Technology Laboratory. (2019, April). Radio Frequency Detection, Spectrum Analysis, and Direction Finding Equipment. Retrieved September 17, 2020.
- [7] CISA. (2010, March 11). https://us-cert.cisa.gov/ncas/tips/ST05-003. Retrieved September 25, 2020.
- [8] Marshall Abrams. (2008, July 23). Malicious Control System Cyber Security Attack Case Study: Maroochy Water Services, Australia. Retrieved March 27, 2018.
- [9] Koopmann, Lennart. (n.d.). Nzyme Alerts Introduction. Retrieved September 26, 2022.
- [10] Tomko, A.; Rieser, C.; Buell, H.; Zeret, D.; Turner, W. (2007, March). Wireless Intrusion Detection. Retrieved September 26, 2022.