Introduction

I’ve been working on nzyme full-time for 10 months now, and I was struggling to find a good name for what its WiFi functionality does. The fact that it looks at not only WiFi but also Ethernet data does not help with that problem. If I have a minute to explain it, it’s no problem - but there was just never a good, snappy title for it.

The obvious thing that comes to mind is “WiFi Security”. I dislike this term, because, historically, “WiFi Security” was never very good. Some enterprise solutions will allow you to tick a box and be compliant, but they are not really doing that much. Nothing I wanted to be thrown into the same pot with.

Time to come up with a better name for what the WiFi functionality of nzyme does.

[Image: Close Access Denial logo]

Recap: What does the nzyme WiFi functionality do?

In short, nzyme records all WiFi traffic to warn you about attacks. It does this by combining classic but easy-to-circumvent WiFi monitoring techniques, like searching for unexpected BSSIDs or network settings, with newer methods that are much harder to circumvent:

  • Fingerprinting and warning about unexpected fingerprints of devices advertising your networks
  • Analyzing physical signal characteristics: a legitimate access point is a single radio source, so two distinct signal sources advertising the same access point indicate an impostor
  • Detection of known WiFi attack platforms operating in range
  • Anomaly detection

The goal is to automatically detect attackers the moment they start an attack, or even before that.
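To make two of the harder-to-circumvent checks above concrete, here is an added example (not nzyme's own code) that runs them over a small constructed set of beacon observations: a per-device fingerprint derived from the order and contents of the beacon's tagged parameters, compared against a learned baseline per SSID, and a signal-track check that flags a BSSID whose received signal strength on one channel splits into two clearly separated levels, which a single transmitter at a fixed position cannot produce. The fingerprint scheme, the 8 dB track gap, the minimum sample count and all sample values are assumptions made for the example.

```python
"""Added example, not nzyme's code: fingerprint and signal-source checks over
constructed beacon observations (all values below are made up)."""
from collections import defaultdict
from dataclasses import dataclass
from hashlib import sha256


@dataclass(frozen=True)
class Beacon:
    bssid: str
    ssid: str
    channel: int
    rssi: int     # dBm as reported by the monitoring interface
    tags: tuple   # (tag_id, payload_hex) in the order the frame carried them


def fingerprint(b: Beacon) -> str:
    """Hash the tagged-parameter set, its order and the channel. A rogue AP
    rarely reproduces the exact tag layout of the real AP's firmware."""
    material = f"{b.channel}|" + "|".join(f"{t}:{p}" for t, p in b.tags)
    return sha256(material.encode()).hexdigest()[:16]


def unexpected_fingerprints(beacons, expected):
    """expected: {ssid: {fingerprint, ...}} learned from a trusted baseline.
    Returns (ssid, bssid, fingerprint) for every device advertising one of
    our SSIDs with a fingerprint the baseline has never seen."""
    alerts = set()
    for b in beacons:
        fp = fingerprint(b)
        if b.ssid in expected and fp not in expected[b.ssid]:
            alerts.add((b.ssid, b.bssid, fp))
    return sorted(alerts)


def signal_tracks(rssi_values, gap_db=8):
    """Split sorted RSSI samples into tracks wherever two consecutive samples
    differ by more than gap_db. One transmitter yields one track that
    fluctuates by a few dB; two transmitters yield two separated tracks."""
    tracks, current = [], []
    for v in sorted(rssi_values):
        if current and v - current[-1] > gap_db:
            tracks.append(current)
            current = []
        current.append(v)
    if current:
        tracks.append(current)
    return tracks


def multiple_sources(beacons, min_samples=5):
    """Returns {(bssid, channel): [mean dBm per track]} for every BSSID that
    shows more than one well-populated signal track on the same channel."""
    per_bssid = defaultdict(list)
    for b in beacons:
        per_bssid[(b.bssid, b.channel)].append(b.rssi)
    alerts = {}
    for key, values in per_bssid.items():
        tracks = [t for t in signal_tracks(values) if len(t) >= min_samples]
        if len(tracks) > 1:
            alerts[key] = [round(sum(t) / len(t), 1) for t in tracks]
    return alerts


# Constructed sample: the real AP (assumed tag layout) seen at around -55 dBm,
# then a second device using the same BSSID/SSID/channel at around -30 dBm
# with a thinner tag set. Neither set of values comes from a real capture.
LEGIT_TAGS = ((1, "82848b960c1218"), (3, "06"), (45, "ef0117ff"), (48, "0100000fac04"))
ROGUE_TAGS = ((1, "8284"), (3, "06"), (48, "0100000fac04"))
SAMPLE = (
    [Beacon("aa:bb:cc:dd:ee:01", "corp-wifi", 6, r, LEGIT_TAGS)
     for r in (-57, -56, -55, -55, -54, -53)]
    + [Beacon("aa:bb:cc:dd:ee:01", "corp-wifi", 6, r, ROGUE_TAGS)
       for r in (-32, -31, -30, -30, -29)]
)
# Baseline learned while only the legitimate AP was on the air.
EXPECTED = {"corp-wifi": {fingerprint(SAMPLE[0])}}

if __name__ == "__main__":
    for ssid, bssid, fp in unexpected_fingerprints(SAMPLE, EXPECTED):
        print(f"ALERT unexpected fingerprint {fp} advertising {ssid} as {bssid}")
    for (bssid, ch), levels in multiple_sources(SAMPLE).items():
        print(f"ALERT {bssid} on channel {ch} has {len(levels)} signal sources: {levels} dBm")
```

Both checks complement the classic BSSID allowlist: the impostor here copies the BSSID exactly and would pass that test, but it cannot copy the original firmware's tag layout or occupy the same point in space as the real transmitter. In practice the track gap and sample counts need tuning per site, since a monitor that moves, or a client reporting on behalf of the AP, will also smear the RSSI distribution.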

Who needs this level of WiFi protection?

Nzyme is not in the business of scaring people into implementing or buying things they don’t need.

So, who needs the nzyme WiFi functionality? Everyone who has adversaries so invested in breaching their systems that they would resort to taking the risks associated with showing up on location to attack WiFi networks or WiFi-enabled devices. This applies not only to organizations but also to targeted individuals.

Locations that come to mind include critical infrastructure, sites that host people with access to extremely sensitive political, military or industrial information and anything related to national security.

Additionally, everyone who is interested in how wireless security works or simply finds joy in running nzyme should absolutely try it.

Many organizations don’t prioritize WiFi security because they perceive the risk of WiFi attacks as low compared to the cost and effort of defending against them. Nzyme seeks to change this reality.

Back to the new name.

Close Access Operations

A term that comes up often when talking about real breaches of WiFi networks is Close Access Operations: cyberattacks that are executed by means of physical proximity to the target.

Leaked slides refer to an expeditionary arm of the famous NSA Tailored Access Operations (TAO) unit and mention custom WiFi hardware as well as software built for attacks as far back as 2007.

A much better documented actor in the space is the Russian foreign military intelligence agency GRU. A 2020 US Justice Department indictment details how Russia deployed close access operations around the world when traditional remote hacking methods failed.

Close Access Operations against the Organization for the Prohibition of Chemical Weapons (OPCW)

In April 2018, the OPCW, based in The Hague, Netherlands, convened to discuss the use of chemical weapons in Syria. In the same month, the organization submitted statements regarding its investigation of the March 4, 2018, poisoning of a former GRU officer and another Russian national in the UK with the chemical nerve agent Novichok.

During that month, on April 10, a GRU close access operations team traveled to The Hague with diplomatic passports. They rented a car and booked hotel rooms directly adjacent to their targets.

[Figures: OPCW GRU Close Access Operation. Source: Dutch Ministry of Defense]

Long story short: Dutch military intelligence caught them with a trunk full of WiFi Pineapples and other WiFi hacking equipment facing the OPCW building before they could start the operation.

[Figures: OPCW GRU Close Access Operation. Source: Dutch Ministry of Defense]

Target: Anti-Doping Organizations

The GRU targeted victims for their role in the investigation or public condemnation of Russia’s state-sponsored athlete doping program. Additionally, they used stolen athlete medical records as part of an influence and disinformation campaign.

WiFi-enabled devices of anti-doping officials were targeted in their hotels during international conferences after remote phishing attempts failed. The hackers traveled around the world to execute the attacks and set up persistent access to WiFi infrastructure in at least one case.

The WiFi attacks were successful: laptops of officials were compromised and later used in further attacks.

The New Name: Close Access Denial

I am giving defending against Close Access Operations a simple name:

Close Access Denial.


Close Access Denial consists of multiple disciplines:

  • Monitoring of the radio frequency environment for threats in an affordable way that requires no special hardware.
    • All components have to be available off the shelf and the solution has to run without supervision, excessive maintenance or tedious configuration.
  • Efficient reporting and alerting on any suspicious activity or changes with only a reasonable number of false positives.
  • Realistic action plans to prosecute an on-site radio frequency threat.
  • Physical security and monitoring.

I will dive deeper into all these areas in future posts. Subscribe to the RSS feed and follow me on social media if you want to follow along.

Written by

Lennart Koopmann

Hi! I work on the free and open nzyme Network Defense System. Originally from Hamburg, Germany, now living in Houston, TX.