{ "type": "bundle", "id": "bundle--d80c9623-be6d-4f18-8399-27168ac87c6c", "spec_version": "2.0", "objects": [ { "modified": "2023-03-09T18:38:51.471Z", "name": "Wireless Sniffing", "description": "Adversaries may seek to capture radio frequency (RF) communication used for remote control and reporting in distributed environments. RF communication frequencies vary between 3 kHz to 300 GHz, although are commonly between 300 MHz to 6 GHz. (Citation: Candell, R., Hany, M., Lee, K. B., Liu,Y., Quimby, J., Remley, K. April 2018) The wavelength and frequency of the signal affect how the signal propagates through open air, obstacles (e.g. walls and trees) and the type of radio required to capture them. These characteristics are often standardized in the protocol and hardware and may have an effect on how the signal is captured. Some examples of wireless protocols that may be found in cyber-physical environments are: WirelessHART, Zigbee, WIA-FA, and 700 MHz Public Safety Spectrum. \n\nAdversaries may capture RF communications by using specialized hardware, such as software defined radio (SDR), handheld radio, or a computer with radio demodulator tuned to the communication frequency. (Citation: Bastille April 2017) Information transmitted over a wireless medium may be captured in-transit whether the sniffing device is the intended destination or not. This technique may be particularly useful to an adversary when the communications are not encrypted. (Citation: Gallagher, S. April 2017) \n\nIn the 2017 Dallas Siren incident, it is suspected that adversaries likely captured wireless command message broadcasts on a 700 MHz frequency during a regular test of the system. These messages were later replayed to trigger the alarm systems. (Citation: Gallagher, S. April 2017)", "kill_chain_phases": [ { "kill_chain_name": "mitre-ics-attack", "phase_name": "discovery" }, { "kill_chain_name": "mitre-ics-attack", "phase_name": "collection" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_contributors": [ "ICSCoE Japan" ], "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ "Network Traffic: Network Traffic Flow" ], "type": "attack-pattern", "id": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0887", "external_id": "T0887" }, { "source_name": "Bastille April 2017", "description": "Bastille 2017, April 17 Dallas Siren Attack Retrieved. 2020/11/06 ", "url": "https://www.bastille.net/blogs/2017/4/17/dallas-siren-attack" }, { "source_name": "Candell, R., Hany, M., Lee, K. B., Liu,Y., Quimby, J., Remley, K. April 2018", "description": "Candell, R., Hany, M., Lee, K. B., Liu,Y., Quimby, J., Remley, K. 2018, April Guide to Industrial Wireless Systems Deployments Retrieved. 2020/12/01 ", "url": "https://nvlpubs.nist.gov/nistpubs/ams/NIST.AMS.300-4.pdf" }, { "source_name": "Gallagher, S. April 2017", "description": "Gallagher, S. 2017, April 12 Pirate radio: Signal spoof set off Dallas emergency sirens, not network hack Retrieved. 2020/12/01 ", "url": "https://arstechnica.com/information-technology/2017/04/dallas-siren-hack-used-radio-signals-to-spoof-alarm-says-city-manager/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ] } ] }