Chapter 3

Targets

As with any other type of reconnaissance or penetration test, it is vital to the success of radio reconnaissance to define the targets prior to beginning. The end goal of radio reconnaissance, for the purposes of this book, is to gather information that will enable either physical or logical penetration.

There are two basic types of targets. The first is two-way radios used for verbal communication; the second is devices that use radio frequencies to transmit audio or video information.

Two-Way Radios Used for Verbal Communication

Radios used for verbal communication have obvious applications for the penetration tester. The best example of this type of radio is the walkie-talkie. Monitoring the guard radios, or other radios used by the target organization's staff, will often tell the penetration tester where guards and staff are physically located and help the penetration tester avoid detection. Monitoring these communications can also give you insight into company lingo, employee names, and company culture. Be aware that it isn't just guards who use radios to communicate; often other staff members use radios to talk to each other. When out and about, look around for radios. You may be surprised to see employees of retail establishments, restaurants, and other places frequently using radios, in addition to maintenance staff and others. Remember, it isn't just guards who can provide you with valuable reconnaissance information, or who can discover you and call the police during a physical penetration test.

Devices that Use Radio Frequencies

Radio waves are of course invisible to the human eye. That is a good thing; otherwise our vision would be completely obscured by the multitude of radio waves passing by and through us at all times.

Radio is everywhere and is commonly used by electronic devices. As a society, we have been “cutting the cord” in many aspects of our daily life and work. Cameras, headsets, telephones, and many other devices used to require a cable to transmit their information. Now, of course, many, if not most, of these devices transmit wirelessly using radio frequencies.

Ways to use the information gathered from these targets will be covered in later chapters.

Walking into any organization, one of the first people you encounter will often be a receptionist, and receptionists often use wireless headsets. They are far from the only ones: wireless headsets are common among many other employees in many organizations.

Cordless phones are another example of radio frequencies being used for communication. While older cordless phones were fairly simple to monitor with a scanner capable of receiving 900 MHz, newer cordless phones often use more secure transmission methods, and many of them, especially those deployed in enterprises, use encryption as well.

Keep in mind that while many of the benefits of monitoring cordless phone conversations are obvious, others are not. One great example of information that can be gathered from both wireless headsets and cordless phones is voicemail passwords. The touch tones (DTMF) used to enter a password travel in-band with the voice audio, so if you can receive the call you can also decode the digits with a DTMF decoder. Remember, however, that the government takes unauthorized monitoring of telephone communication very seriously, and it is essential to consult with counsel and ensure you have permission of the target and the affected staff members prior to monitoring telephone calls.
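The following is an added example, not code from the book, showing what a DTMF decoder of the kind mentioned above actually does. It uses the Goertzel algorithm to measure the energy at the eight DTMF frequencies in each short block of audio and maps the dominant low/high pair to a keypad digit. It assumes you already have demodulated audio as 8 kHz mono float samples in the range -1 to 1 (for instance a scanner's audio output captured and resampled); the `synthesize_dtmf()` helper is a constructed input used only so the decoder can be exercised offline.

```python
"""Minimal DTMF decoder built on the Goertzel algorithm.

Added illustration, not the book's code.  Assumes 8 kHz mono float samples
in [-1, 1].  synthesize_dtmf() builds a constructed test signal; it is not
captured audio.
"""
import math

SAMPLE_RATE = 8000
FRAME = 205                       # ~25.6 ms, the classic DTMF block size at 8 kHz
LOW_FREQS = (697, 770, 852, 941)   # keypad rows
HIGH_FREQS = (1209, 1336, 1477, 1633)  # keypad columns
KEYPAD = (("1", "2", "3", "A"),
          ("4", "5", "6", "B"),
          ("7", "8", "9", "C"),
          ("*", "0", "#", "D"))


def goertzel_power(frame, freq, sample_rate=SAMPLE_RATE):
    """Normalized power of `freq` in `frame`: ~amplitude**2 for a pure tone."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / sample_rate)
    s_prev = s_prev2 = 0.0
    for x in frame:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    power = s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2
    n = len(frame)
    return 4.0 * power / (n * n)


def detect_digit(frame, min_rms=0.01, min_twist_ratio=4.0, min_energy_fraction=0.6):
    """Return the DTMF digit present in one frame, or None for silence,
    speech, a lone tone, or anything else that is not a clean dual tone."""
    n = len(frame)
    mean_square = sum(x * x for x in frame) / n
    if math.sqrt(mean_square) < min_rms:
        return None
    low = [goertzel_power(frame, f) for f in LOW_FREQS]
    high = [goertzel_power(frame, f) for f in HIGH_FREQS]
    li = max(range(4), key=low.__getitem__)
    hi = max(range(4), key=high.__getitem__)
    # The winner in each group must clearly dominate its runner-up; this
    # rejects ambiguous frames such as the tail end of a keypress.
    for group, best in ((low, li), (high, hi)):
        runner_up = max(p for i, p in enumerate(group) if i != best)
        if group[best] < min_twist_ratio * runner_up:
            return None
    # The two winners must also account for most of the frame's energy.
    # A sinusoid of amplitude A has mean square A**2/2, so 2*mean_square is
    # the frame's total amplitude**2 budget.  Speech and lone tones that
    # merely leak into the DTMF bins fail this check.
    if low[li] + high[hi] < min_energy_fraction * 2.0 * mean_square:
        return None
    return KEYPAD[li][hi]


def decode_dtmf(samples, frame_size=FRAME, min_frames=2):
    """Decode a digit string from a sample stream.  A digit is emitted once
    it has been seen in `min_frames` consecutive frames, and a repeat of the
    same digit needs at least one non-digit frame (the inter-digit gap)
    in between, mirroring DTMF's 40 ms minimum tone and gap timing."""
    digits = []
    prev, run = None, 0
    for start in range(0, len(samples) - frame_size + 1, frame_size):
        digit = detect_digit(samples[start:start + frame_size])
        if digit is not None and digit == prev:
            run += 1
            if run == min_frames:
                digits.append(digit)
        else:
            prev, run = digit, (1 if digit is not None else 0)
    return "".join(digits)


def synthesize_dtmf(digits, tone_ms=80, gap_ms=80, amplitude=0.5, sample_rate=SAMPLE_RATE):
    """Constructed test input: each keypress is two equal-amplitude sinusoids
    followed by a silent gap.  Stand-in for real demodulated audio."""
    freqs = {KEYPAD[r][c]: (LOW_FREQS[r], HIGH_FREQS[c])
             for r in range(4) for c in range(4)}
    out = []
    for d in digits:
        lo, hi = freqs[d]
        for i in range(int(sample_rate * tone_ms / 1000)):
            t = i / sample_rate
            out.append(amplitude * (math.sin(2 * math.pi * lo * t)
                                    + math.sin(2 * math.pi * hi * t)))
        out.extend([0.0] * int(sample_rate * gap_ms / 1000))
    return out


if __name__ == "__main__":
    # A made-up voicemail PIN keyed in over a monitored call.
    print(decode_dtmf(synthesize_dtmf("7319#")))
```

The two validity checks in `detect_digit()` matter more than the Goertzel arithmetic: without them, ordinary speech energy leaking into the DTMF bins produces spurious digits, and the partial frames at the edges of a keypress can vote for the wrong row or column. On real audio you would feed the decoder the receiver's output after resampling to 8 kHz and may need to raise `min_rms` above the noise floor.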

Closed Circuit Television (CCTV) cameras are another device that was previously tethered to a transmission cable. These days, it is common to come across CCTV cameras that transmit their signals wirelessly. Penetration testers may be used to monitoring camera feeds by penetrating the management console; however, it is often possible to grab the signal from the air. This is another tool in the arsenal of the professional penetration tester. It is usually fairly simple to determine whether a camera is transmitting wirelessly, as the antenna is generally obvious.

Note

Don't be fooled by dummy cameras. While dummy cameras often use the same housing as live cameras, they will of course not transmit any information. If you encounter a camera with an antenna but cannot grab a signal, it may be a dummy; but do not assume so on that evidence alone. A live camera may be transmitting on a band or with a modulation your receiver does not cover, or over an encrypted digital link that your scanner cannot demodulate. Treat "no signal" as inconclusive until you have confirmed it from another angle, such as a closer look at the housing or wiring.

Some of the most fascinating sources of radio signals within an organization are wireless microphones. They are fascinating because they are often used in boardrooms, conference rooms, auditoriums, and other places where important meetings are held. This means that if you are able to intercept these transmissions, the information is often sensitive and may be of great value. Keep in mind that of all the radio reconnaissance targets, wireless microphones will usually have the weakest signal, meaning that you will need to be in close proximity to monitor them. This means that you will often have to physically penetrate the organization before you are able to monitor the wireless microphones.

One notable exception is the offsite meeting. Board meetings and other high-level gatherings are often held in hotels or other quasi-public places. If you are able to find out the location of a meeting, whether through public media or by other reconnaissance, you may be amazed by what you hear. When in a quasi-public space, you will still need to attempt to look like you belong. Depending on the scope of the engagement, if an offsite meeting is held in a hotel, it may even make sense to get a room near the meeting room.

IN THE REAL WORLD: The authors, tasked with securing a boardroom prior to a meeting about a highly secret merger, swept the room for bugs and other transmitters. Great effort and expense were taken by the organization to ensure that what was said in the room remained in the room. About 10 minutes before the meeting was to begin, an administrative assistant showed up with a wireless microphone. Upon further inspection, it was noted that the transmission of this wireless microphone was not encrypted. Had it been used, anyone outside the boardroom with a scanner would have been able to listen to everything that was said. Keep this in mind when securing your organization.
