everything RF recently interviewed Dr. Brett Walkenhorst who is the CTO at Bastille. Brett leads R&D efforts to enhance product performance and add new capabilities. He has over 20 years of experience as a technology leader in RF systems and signal processing. Prior to Bastille, he led and executed R&D efforts at Lucent Bell Labs, GTRI, NSI-MI Technologies, Silvus Technologies, and Raytheon Technologies.
Q. Can you give us a brief history of Bastille? When was the company formed and what was the objective?
Dr. Brett Walkenhorst: Bastille launched in 2014 with the goal of securing wireless IoT devices. Over the years, the company expanded on that idea, culminating in the 2019 launch of the world's first wireless monitoring system capable of accurately detecting and locating cell phones, Wi-Fi, Bluetooth, and IoT devices by passively listening to their RF emissions.
Security begins with visibility. Bastille secures the invisible wireless attack surface through the visibility provided by our system’s detection/localization capabilities coupled with advanced analytics in Bastille’s Wireless Threat Intelligence Platform.
Q. What solutions and services does Bastille offer? How do your services assist enterprises and governments in strengthening their wireless security?
Dr. Brett Walkenhorst: Bastille’s products enable our customers to monitor their wireless infrastructure and every wireless device within their facility. This comes in two main forms:
- Bastille Enterprise is a permanent installation allowing for persistent, continuous RF monitoring and the establishment of long-term RF baselines.
- Bastille Express is a portable solution that comes in pelican cases for ease of transport, enabling short-term audits and securing environments during events.
Bastille’s monitoring solutions are trusted by Fortune 500 customers, military, and government organizations to secure the wireless environment in their offices, production facilities, remote and temporary locations, and events. These systems observe and analyze wireless emissions to detect devices, extract metadata from wireless packet headers, and compute the locations of the wireless devices themselves. Bastille’s products also provide real-time feeds of this data, enabling users to make security decisions by leveraging the wireless device detections the system provides in light of the organization’s policies for wireless device usage.
Q. Can you tell us more about Wireless Threat Intelligence? What type of wireless threats are most common nowadays? And do your solutions help in mitigating them?
Dr. Brett Walkenhorst: Wireless Threat Intelligence is a critical component of every organization’s security portfolio. Leveraging information about common wireless threats, vulnerabilities, and misconfigurations, the threat intelligence engine analyzes the wireless data collected by the Bastille sensors to provide insights and actionable intelligence about the wireless threats in a customer’s facility.
With over 24 billion wireless devices worldwide and over 2,000 wireless CVEs published in recent years, there are many malicious and sophisticated threats. Some examples include:
- Wi-Fi Evil Twin attacks, which emulate trusted networks to capture unwitting client devices and launch person-in-the-middle attacks. These can lead to several forms of exploitation of the client device, compromised network credentials, and many other effects that lead to data compromise, data loss, ransomware, etc.
- Bluetooth tethering can be used to exfiltrate data outside the purview of an organization’s security enterprise.
- Deauthentication attacks and other forms of management frame abuse can result in denial of service, loss of network resources, and often serve as a prelude to a more dangerous attack.
- Bastille’s Wireless Threat Intelligence platform can detect and alert on all of these behaviors.
Wireless Threat Growth from 2010 to 2022
Q. Can you explain the technology behind Bastille's Radio Frequency (RF) detection for wireless protocols such as Wi-Fi and Bluetooth? What kind of equipment and software do you use?
Dr. Brett Walkenhorst: The detection begins with Bastille’s custom-built RF Sensor Arrays. These sensors are multi-channel software-defined radios (SDRs) that are capable of sensing from 25 MHz to 6 GHz. In operation, these sensors are constantly scanning the frequencies associated with the protocols of interest (Cellular, Wi-Fi, Bluetooth Classic, Bluetooth Low Energy, and IoT protocols based on IEEE 802.15.4). When Bastille’s RF Sensor Arrays detect a packet, they demodulate the header to extract relevant data such as device id, manufacturer, network name, encryption type, and many other data elements that describe the device’s connectivity, behavior, etc.
The sensor data is pushed to server-side systems to be aggregated and for emissions to be localized. These detections are then enhanced based on various analytics tools and user-defined policies before coming to rest in a database.This data can then be served to a user through various UIs to provide real-time and/or historical insight into the wireless activity in the area(s) being monitored.
Q. Can you explain how your systems differentiate between authorized and unauthorized devices? Please describe the methodology behind this.
Dr. Brett Walkenhorst: The system supports whitelisting of devices that are authorized for use in certain spaces. Detection filters can be defined that alert on unauthorized activity with optional filters of space (via geofences) and time. Users can tailor the functionality to their particular policies.
For strict device policies, which would be seen in highly sensitive areas, a user might configure the system to alert on any unauthorized device. For many facilities, the goal is to monitor devices that aren’t strictly authorized and alert when they exhibit odd or malicious behavior.
Q. Can you tell us about some interesting projects that you worked on that helped to prevent or mitigate a security breach?
Dr. Brett Walkenhorst: Most of what we have seen was not a result of a project conducted by Bastille personnel. The Bastille system operates largely autonomously, and our customers identify and mitigate issues as the system identifies them. The following are some examples:
- In a Fortune 10 company, the Bastille system detected a USB Ninja cable on the company’s executive floor. This is a hacker cable disguised as a charging cable that can be used to wirelessly control and exploit a client device when the cable is plugged in.
- In a data center, Bastille detected a laptop beaconing Wi-Fi and Bluetooth packets while connected to a data center server. Using Bastille, the operators were able to find the device and remove it before it could be attacked.
- An access point on a corporate network was detected by the Bastille system to enter a mode where it offered connectivity using WEP, an easily hackable encryption scheme. This change in behavior was temporary, but its detection allowed the customer to investigate and deal with the misconfiguration before it became a point of attack.
- We have seen MANY examples of wireless devices (phones, smartwatches, Fitbits, etc.) operating in unauthorized areas of highly secure facilities. As Bastille systems detects and locates these devices in real-time, security personnel can immediately address any violations.
Q. What does 2023 look like for Bastille? Are there any new systems and technologies on the horizon?
Dr. Brett Walkenhorst: Bastille is constantly innovating and evolving our capabilities to meet the ever-changing needs of the wireless security ecosystem. A major focus right now is building out and maintaining our threat library. This will be an ongoing effort for the foreseeable future as threat actors continue to develop new capabilities that Bastille needs to be able to detect.
We will also continue to develop new integrations with third-party systems. We have built a number of integrations to facilitate information exchange and automated alerts/responses. Such integrations include SIEM/SOAR systems, MDM/UDM systems, physical control systems, and many others. Maturing and expanding those integrations is an area of ongoing activity. Bastille is constantly monitoring the wireless specifications themselves as well as wireless and cybersecurity standards to ensure our systems support the latest and greatest protocols and certification requirements.
About the Author:
Dr. Brett Walkenhorst is Chief Technology Officer at Bastille. He leads R&D efforts to enhance product performance and add new capabilities. He has over 20 years of experience as a technology leader in RF systems and signal processing. Prior to Bastille, he led and executed R&D efforts at Lucent Bell Labs, GTRI, NSI-MI Technologies, Silvus Technologies, and Raytheon Technologies. His experience includes RF system design, communications systems, antenna design/testing, radar, software-defined radios, geolocation, and related topics. He has authored over 70 publications including papers, articles, and reports, has taught numerous graduate, undergraduate, and professional short courses, and has served as an expert witness on multiple occasions. He is a senior member of IEEE and has served as the Chair of the Atlanta Chapter of the IEEE Communications Society.