Case Study: How the AirShield Wireless Intrusion Detection System Was Used to Locate an Unauthorized Wireless Camera in a Manufacturing Facility.
This case study describes how the AirShield wireless intrusion detection system was used to locate an unauthorized wireless camera inside a manufacturing facility.
ComSec LLC provides TSCM / Cyber TSCM services for government, companies and high-risk individuals. The company also provides TSCM product solutions to government, military and corporate clients. In the fall of 2021, ComSec LLC's team was deployed to conduct a two-day baseline site survey for a company that manufactures computational hardware. The client (name redacted for privacy reasons) had received a large piece of equipment that was to be used at its manufacturing facility. The client wanted to ensure that the new equipment did not contain any surveillance devices or surveillance capabilities.
At the onset of the services, ComSec's team started a collection using the AirShield wireless intrusion detection system (WIDS). AirShield is a passive system that monitors a wide area for Wi-Fi and Bluetooth devices, as well as cellular base transceiver stations (BTS). Its detection range spans 300 MHz to 6 GHz. The system is used in IoT, Industrial Internet of Things (IIoT), Internet of Medical Things (IoMT) and OT environments, most often as a continuous in-place monitoring system.
The amount of data collected by AirShield is usually dictated by its environment, and the amount of time needed to analyze the data is affected accordingly. One feature of AirShield is its ability to collect on Wi-Fi clients, whether or not the Wi-Fi-capable device is connected to a network: a client that is not associated with any access point still transmits frames (for example, probe requests) that a passive monitor can capture. The initial list produced by the AirShield collection at the client's facility contained over 450 separate devices in the first 10 hours.
A signal of interest was identified during the AirShield collection. Its MAC address carried an OUI (the vendor prefix of the address) registered to a company that sells IP cameras. The MAC address was provided to the client's IT department in the hope of legitimizing the device as a known and authorized piece of equipment. The IT department did not recognize the device, so ComSec's team set out to locate the source of the signal.
The TSCM / Cyber TSCM team swept for the signal of interest starting from the back of the building and moving toward the front. Halfway down the main hallway, the signal strength rose from -80 dBm to -71 dBm. After zeroing in on the likely location of the source, the team interrogated the signal further, including a packet capture and a check of the client's network to see whether the device was connected.
The device emitting the signal did not show as connected to any network, and the packet capture showed frames addressed to ff:ff:ff:ff:ff:ff, the Wi-Fi broadcast address, rather than unicast traffic to a specific peer. This is consistent with a Wi-Fi client that is powered on and probing for networks without being associated with any of them. With the data collected, the client's liaison was alerted to the findings. Further inquiry established that the suspected location was in an access-restricted area. This area was not supposed to contain any Wi-Fi devices, since it was a manufacturing area housing proprietary equipment and information.
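The triage steps described above (checking whether captured frames are broadcast or unicast, looking up the source MAC's OUI, comparing the device against the site inventory, and ranking RSSI samples by location) can be scripted. The following is an added example, not ComSec's or AirShield's code. The 802.11 frames, MAC addresses, OUI table, inventory, sample locations and RSSI values are all constructed for the example; the two OUI entries are locally-administered prefixes and are not real vendor registrations, and the RSSI is assumed to be supplied by the capture tool alongside each frame (in practice it comes from the radiotap header).

```python
"""Added example, not ComSec's or AirShield's code.

Triage of Wi-Fi client frames the way the case study describes it:
parse the 802.11 MAC header, check whether the destination is the
broadcast address, look the source MAC's OUI up against a vendor table,
compare it with the site's device inventory, and keep the strongest
RSSI sample per device so the survey team knows where to walk next.
All frames, MACs, vendor names and RSSI values below are constructed.
"""
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Hypothetical OUI table. Real lookups use the IEEE OUI registry; the
# locally-administered prefixes here are deliberately not real registrations.
OUI_TABLE = {
    "02:ca:4e": "Example IP Camera Vendor (hypothetical)",
    "02:1a:b2": "Example Laptop Vendor (hypothetical)",
}

# Constructed site inventory: MACs the client's IT department recognizes.
SITE_INVENTORY = {"02:1a:b2:44:55:66"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(mac: str) -> bytes:
    return bytes(int(p, 16) for p in mac.split(":"))


def build_frame(ftype: int, subtype: int, flags: int, a1: str, a2: str, a3: str) -> bytes:
    """Minimal 24-byte 802.11 MAC header: frame control, duration, addr1-3, seq ctrl."""
    fc0 = (subtype << 4) | (ftype << 2)          # protocol version 0
    return struct.pack("<BBH6s6s6sH", fc0, flags, 0,
                       mac_bytes(a1), mac_bytes(a2), mac_bytes(a3), 0)


def parse_frame(frame: bytes) -> dict:
    """Decode type/subtype and the three address fields of an 802.11 header."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc0, _flags, _dur, a1, a2, a3, _seq = struct.unpack("<BBH6s6s6sH", frame[:24])
    return {
        "type": (fc0 >> 2) & 0x3,       # 0 = management, 1 = control, 2 = data
        "subtype": (fc0 >> 4) & 0xF,    # management subtype 4 = probe request
        "addr1": mac_str(a1),           # receiver / destination
        "addr2": mac_str(a2),           # transmitter / source
        "addr3": mac_str(a3),           # BSSID for probe requests
    }


def oui_vendor(mac: str):
    """Vendor for the first three octets of the MAC, or None if unknown."""
    return OUI_TABLE.get(mac[:8].lower())


def triage(captures, inventory) -> dict:
    """captures: iterable of (sample_location, rssi_dbm, raw_frame).

    RSSI is taken as reported by the capture tool (radiotap in practice);
    here it is supplied alongside each constructed frame.
    """
    report = {}
    for location, rssi, raw in captures:
        f = parse_frame(raw)
        src = f["addr2"]
        rec = report.setdefault(src, {
            "vendor": oui_vendor(src),
            "authorized": src in inventory,
            "probe_requests": 0,
            "broadcast_only": True,   # flips to False on any unicast frame
            "strongest": None,        # (location, rssi) of the loudest sample
        })
        if f["type"] == 0 and f["subtype"] == 4:
            rec["probe_requests"] += 1
        if f["addr1"] != BROADCAST:
            rec["broadcast_only"] = False
        if rec["strongest"] is None or rssi > rec["strongest"][1]:
            rec["strongest"] = (location, rssi)
    return report


def signals_of_interest(report: dict) -> list:
    """Devices the inventory does not account for, sorted by MAC."""
    return sorted(mac for mac, rec in report.items() if not rec["authorized"])


# Constructed capture: an unassociated camera probing for networks at three
# sample points, plus an inventoried laptop sending data to the site AP.
CAMERA = "02:ca:4e:11:22:33"
LAPTOP = "02:1a:b2:44:55:66"
SITE_AP = "02:55:66:aa:bb:cc"
probe = build_frame(0, 4, 0, BROADCAST, CAMERA, BROADCAST)
SAMPLE_CAPTURES = [
    ("back of building", -80, probe),
    ("mid hallway", -71, probe),
    ("restricted room", -20, probe),
    ("mid hallway", -55, build_frame(2, 0, 0x01, SITE_AP, LAPTOP, SITE_AP)),  # ToDS data frame
]

if __name__ == "__main__":
    report = triage(SAMPLE_CAPTURES, SITE_INVENTORY)
    for mac in signals_of_interest(report):
        rec = report[mac]
        print(f"{mac} vendor={rec['vendor']} probes={rec['probe_requests']} "
              f"broadcast_only={rec['broadcast_only']} strongest={rec['strongest']}")
```

The report flags the camera because its MAC is absent from the inventory, records that it only ever sent broadcast probe requests (no association with an access point), and points the team at the sample location with the highest RSSI. An unknown OUI is not by itself a verdict; the inventory check and the physical walk remain the deciding steps, as they were in the case study.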
Once ComSec's team entered the area with the suspect signal, a piece of unidentified equipment with a camera inside was located. The camera was not surreptitiously hidden, but was openly visible. Standing right next to the device, the team measured the signal at -20 dBm. Being careful not to remove the device themselves from what appeared to be sensitive equipment, the TSCM / Cyber TSCM team debriefed the client's liaison and IT department on their findings.
After the debriefing, the client liaison questioned staff who worked in the access-restricted room where the camera was discovered. It came to light that the camera had been installed by one of the client's own staff, who used it to monitor equipment from home. A staff member produced the phone application, which matched the device's manufacturer (as identified from the MAC address). Once the camera was removed from the wall of the equipment in the access-restricted room, its signal stopped immediately. Staff had claimed the camera was no longer plugged into the network, but a Wi-Fi client does not need to be connected to a network to keep transmitting.
After dismantling the camera, an SD card was discovered inside the device. The SD card contained several video files, apparently recordings of the equipment in the access-restricted room. To confirm that this camera was in fact the source of the signal of interest, an AirShield collection was left running in place overnight with the camera powered off. The next morning, after confirming that the signal had not been captured overnight, the camera was reassembled and powered on. Immediately after power-up, the signal began broadcasting once more.
ComSec's team informed the client's liaison about the nature of the device. The client was also informed that the camera had built-in Wi-Fi and was transmitting at a level strong enough to be captured through several brick walls.
The equipment ComSec LLC was originally hired to inspect was located at the far end of the building, where the AirShield had been installed. Because of the system's range, ComSec's team was able to detect a potentially nefarious piece of equipment in a restricted-access area from almost a football field away.