Our airwaves are alive with radio frequencies (RF). Right now billions of devices around the world are chattering invisibly over Wi-Fi, Bluetooth, Zigbee, and other protocols you might not have heard of.

On today’s show we peer into the invisible world to better understand the RF threat environment. Our guest is Brett Walkenhorst, CTO of Bastille Networks. He hunts down the hidden risks in our airspace — from rogue Bluetooth gadgets to drone-borne Wi-Fi attacks. He’s here to talk about what we’re missing when we ignore RF security, how Software Defined Radio (SDR) can bring some visibility into the invisible, how to integrate RF monitoring into your security operations, the open-source and commercial tools available, and how a boast by radio pioneer Guglielmo Marconi may have led to the first-ever wireless hack.

Plus, see below for info and resources to get you started.

Episode Links:

Bastille Networks

Ettus Research

Flipper Zero

Open-source RF attack tools: aircrack-ng, bettercap, wifiphisher, btlejack, BIAS, BLURtooth, Zigator

For open source SDR repos, look for GNU Radio code or search for “Software Defined Radio” on GitHub

Episode Transcript:

This episode was transcribed by AI and lightly formatted. We make these transcripts available to help with content accessibility and searchability but we can’t guarantee accuracy. There are likely to be errors and inaccuracies in the transcription. 

Jennifer Minella (0:04 – 0:56) Hey, everybody, and welcome to this week’s episode of Packet Protector, the podcast at the intersection of networking and security. Today, Drew and I are digging into some RF security, which is not just Wi-Fi, but other wireless things. And if you think about it, the most dangerous threats really are the ones that you can’t see. And that’s especially true in the world of RF, where we have billions of devices chattering away over Wi-Fi, Bluetooth, ZigBee, and protocols that even I have never heard of. Today’s guest lives in that invisible world. Dr. Brett Walkenhorst is the CTO of Bastille Networks, where he hunts down the hidden risk in our airspace, from rogue Bluetooth gadgets to drone-borne Wi-Fi attacks, and that one was news to me, frankly. But he’s here to talk about what we’re missing when we ignore RF security, why IoT makes the problem worse, and how we can finally get some visibility into the invisible.

 

Drew Conry-Murray (0:56 – 1:50) Yeah, we’re going to talk about software-defined radio, we’re going to talk about some open source tools and some commercial tools in this space, we’re going to talk a little bit about the physics of RF, or at least how complicated the physics of RF are. And as JJ mentioned, some interesting hacks, including involving a drone, some very simple involving just a mobile hotspot. So if you haven’t thought about the broader RF space beyond sort of your wireless network, there is a lot going on out there.

We also have a really interesting story about probably the very first ever wireless hack that happened to Mr. Guglielmo Marconi way back in the early 1900s. So it just goes to show you should never say, my system is 100% secure, because somebody will always find a way to prove you wrong. So Brett, our listeners are aware of WLAN and cellular and Bluetooth, and that’s already sort of a full plate to monitor and protect. Are there other protocols or frequencies, things that they should be aware of outside of those big three?

 

Brett Walkenhorst (1:50 – 3:04) Well, first of all, I would say most people aren’t monitoring all of those. Typically, what we’re doing is we’re monitoring the wireless LAN, if we’re doing that, and hopefully most people are. So I would say that is like prime. You’ve got to be looking at the wireless LAN, because that’s integrated into your enterprise network. But other stuff can touch you. So cellular, Bluetooth, ZigBee, and then there’s other wireless IoT protocols in the same family. All of those can be used as entry points that can be then, especially with devices that have multiple protocols, you can pivot to another one. You might even be able to pivot to a hardline from one of those. So I would say cellular is all over the place. So you asked about frequencies. We’re looking at everything from the low hundreds of megahertz to 7.125 gigahertz. And then, of course, Wi-Fi lives in three different bands, depending on whether you’re using Wi-Fi 6E or Wi-Fi 7. So you should be monitoring those. And then, of course, Bluetooth and others live primarily in the 2.4 gigahertz band.

 

Jennifer Minella (3:04 – 3:12) Drew is ever the optimist, thinking we’re doing what we’re supposed to be doing when it comes to security. Like, we’re monitoring all of these things.

 

Brett Walkenhorst (3:12 – 3:13) It’s a nice idea.

 

Jennifer Minella (3:14 – 3:15) It is. It is.

 

Drew Conry-Murray (3:15 – 3:17) I have to believe. Otherwise, I can’t sleep.

 

Jennifer Minella (3:17 – 4:29) And I think it’s interesting, because the IoT story with having things that are routed protocols, like things that are changing their little IoT protocols into something that’s dropping into IPv4, IPv6, and then translated protocols. And so there’s just – I mean, when we talk about, in the security space, trying to categorize the different IoT and wireless things, it becomes just this tangled ball of spaghetti, because you end up with, okay, something does Bluetooth, but at some point, it does something else. It’s connected to something else. And the same thing, usually, with cellular and anything else. So it becomes this strange, like, tangle of protocols and connectivity and wired and wireless. And I do feel like, yeah, we don’t really have good visibility into that. And even on the Wi-Fi side, I mean, it’s embarrassing the number of organizations I walk into, being a wireless security person, and kind of realize that the only thing they’re monitoring for are things that impact performance. They’re not really even monitoring for security. Maybe rogue devices, you know, but that tends to be the extent of it.

 

Brett Walkenhorst (4:30 – 6:59) So let’s talk a little bit more about that, then. The limitations of what we typically do, even with Wi-Fi. We’re typically just looking at intrusion detection for our specific network. So as you say, we have limited scope, limited visibility, which seems appropriate, depending on what hat you’re wearing. But there are lots of other vectors that could be using other network names that you just don’t think to monitor. As an example, you can fire up a hotspot and use that to connect to some device. And if the WIDS that you have integrated into your enterprise Wi-Fi isn’t monitoring for other SSIDs, which the vast majority of them, as far as I know, don’t, then you can use that as a data exfiltration path. You just hop on the wireless and backhaul via cellular, and your data’s in the cloud somewhere. In addition to that, we’re primarily, I think, focused on network defense. Okay, I’m maybe being optimistic, because you just said maybe we’re just focused on getting things working properly, which is valid. But then if we’re concerned about security, then we’re primarily looking at defending our networks and our data, right? And that seems appropriate. But there’s another piece of this where wireless devices, regardless of the protocol they’re using, can be used to conduct audio and video surveillance. So I think if you’re wearing the IT hat, you’re probably saying, that’s not my job. Probably that belongs to physical security or something, and maybe that’s true. But as the threat of surveillance has evolved, it has gone from very specific, custom-made devices to just leveraging COTS hardware and standard protocols. So it’s very common for off-the-shelf devices that are using Bluetooth, cellular, Wi-Fi, whatever, to be appropriated as surveillance devices. And now they’re kind of hiding amongst all of the rest of the crap that’s in your environment.

And without that visibility, you just don’t know. Bluetooth-enabled or cellular-enabled little bugs that can be implanted in conference rooms or even just AirPods. One gets left behind, and then you have it connected to a phone in another part of the office, and it backhauls all your data to the cloud. There’s lots of this kind of stuff, and there’s lots more examples. But maybe I’ll shut up and let you guys feedback off of that.

 

Jennifer Minella (6:59 – 7:11) Well, I mean, I think the whole RF threat thing is just something we don’t… I mean, I think about it, right? You think about it. But I think in general, it’s something that goes unthought about by most people in the industry, even the security professionals.

 

Brett Walkenhorst (7:12 – 7:12) I agree.

 

Jennifer Minella (7:12 – 7:30) And you were just giving several examples. So if we kind of come back to the Wi-Fi thing, and I think a lot of people think, oh, yeah, I’m monitoring with my Wi-Fi stuff. And in most cases, most Wi-Fi products are going to monitor… Well, they can only monitor what they have radios for, right?

 

Brett Walkenhorst (7:30 – 7:30) That’s right.

 

Jennifer Minella (7:30 – 7:41) So if you’re working in 2.4 and 5 gigahertz, your wireless system isn’t able to monitor even the 6 gigahertz Wi-Fi stuff, much less stuff that’s in the sub-1 gigahertz, etc.

 

Brett Walkenhorst (7:41 – 7:42) That’s right.

 

Jennifer Minella (7:42 – 8:01) So it sounds like in some of the examples I’ve heard from you and seen from other places are that we have all of this other stuff that’s sending data over the air, and we don’t even know that it exists, what it is, what it’s transmitting, and whether or not it’s supposed to be there.

 

Brett Walkenhorst (8:01 – 9:03) Absolutely. That’s right. So a typical front end is dedicated for specific frequencies, and you can’t typically tell it to go somewhere else. It just doesn’t have the capability to do it. So you’re blind to every frequency that is not covered. So as you say, the APs are covering 2.4 and 5. That’s it. They can’t see anything else. They’re not going to be able to see cellular frequencies. If they want to, they could try to focus with the right firmware in place. They could try to focus on the Bluetooth, and some do try to do some level of monitoring of Bluetooth. The problem, though, that we run into is these are resources that are dedicated to enabling operations in the enterprise. That is what they’re good for. That is what they should be doing. And whatever extra resources they might be able to scrounge, maybe they can allocate to doing some security functions. But it’s tricky, right? You have limited processing available. So you have to think about those limitations and realize that whatever visibility you think you have is probably a bit limited. So you should keep that in mind and be aware of the risks of what you’re not seeing.

 

Drew Conry-Murray (9:04 – 9:26) Can you talk about what the risks are, what the risk level is? Because if I’m in an enterprise, I’ve already got my hands full. What do I need to be worried about, and how worried about it do I need to be? You gave an example of somebody bugging a conference room. I’m guessing that’s not an everyday occurrence, but what’s my worry level?

 

Brett Walkenhorst (9:27 – 10:42) Yeah, sure. It’s a hard question to answer. It depends on who you are and what you’re trying to protect. Maybe I’ll split the world into two main categories. One, we’ll talk about audio-video surveillance. Again, that may not feel like IT’s job, but it is using COTS electronics in the same way that standard wireless attacks would be attacking your infrastructure. And then, again, the second category we’ve got where we’re trying to attack the network and or compromise the data on that network in some way. And there’s different examples. The fact that something has been well-known for a long time, you would think, oh, we’ve got that covered. But something as simple as an evil twin attack, these are very effective still. They’re really easy to implement. There are COTS products out there that do it. And the evil twin comes in different flavors. So, as an example, there were some successful attacks being done on a non-government organization in Western Europe by, we’ll say, an advanced persistent threat, but they were actually on the ground conducting evil twin attacks and other kinds of wireless attacks, which they’ve gotten really good at.

 

Drew Conry-Murray (10:42 – 10:43) What is an evil twin attack?

 

Brett Walkenhorst (10:44 – 14:01) Oh, yeah, sorry. Let me back up. So, an evil twin attack is where I instantiate an access point that emulates an access point on a network that I want to attack. That’s one flavor of it. So, I create, I leverage a Wi-Fi interface and I start beaconing out as if I’m an access point on a trusted network. That would be a kind of attack where I typically try to get some information from a user and crack credentials somehow.

So, I would try to compromise their security by posing as a legitimate network and then use that information that I gathered to break into the actual network. Another way to think about that would be I don’t care so much about attacking a specific network, but I want to just get clients to connect to me in a way that they trust the relationship they have with me. So, other forms of an evil twin would be when you see probe requests coming from clients, you would respond to those probe requests. And that kind of pattern has evolved over time in different ways as the defenders did something different, the offensive guys did something different. It’s evolved a bit, but the basic idea is you’re trying to trick clients into connecting to you that, yes, I am Starbucks or whatever it might be. It could be just very, very common SSIDs that you’re going to send out and try to get clients to connect. And once they do, you’re in a trusted position, you’re in a machine-in-the-middle kind of position. You can start to work to compromise those client devices in various ways. So, all of those are flavors of an evil twin attack. So, this story that I was referring to from Western Europe where this APT was working to infiltrate this organization, they were actually apprehended. But they were somewhat successful in their attacks. They get better over time. It’s interesting because some of these APTs pay a lot of attention to wireless. And I don’t think in the US we have paid as much attention on the defensive side as they are on the offensive side. So, some years later, we have another example of an evil twin attack that was conducted rather than putting personnel on the ground, they mounted equipment to a drone and flew the drone and landed on the rooftop of this financial services firm. And they were successful in penetrating the network and they were starting to snoop around and they did something stupid on the network that got them caught. 
And ultimately, it took them a while but the defenders found these drones and recovered all the equipment and put the story together and it made the news. So, that was interesting because it was an evolution of a very old style of attack but you didn’t have to put people on the ground, you just put devices forward, right? So, those are simple examples of something that many defenders probably know about. If you don’t, that’s okay but it’s been around for a long time and yet it’s still very effective. And there are devices that you can just buy off the shelf that will instantiate that kind of an attack for you.

 

Jennifer Minella (14:02 – 15:29) And we talked about, Drew, when Akili was on a few weeks ago talking about mobile threats and applications, etc. One of the things we talked about is there are so many deficiencies especially in mobile apps. I’m going to say I think traditional endpoints and full operating systems we do a little bit better job with but especially mobile apps. We have so many devices now running around with corporate data on these mobile apps and one of the things we talked about is how so many of the apps are not communicating securely including 20% of financial apps reported by some of the researchers and other corporate productivity apps, etc. So, you’re talking about now having devices connecting to something and you’ve got basically an on-path attack where if you’re the user you don’t even know because if that attacker is just passing your data on to the next hop you don’t know that they’re in the path. And if you’re doing it from a mobile device, you don’t know that you’re using a vulnerable app and they haven’t managed the key exchanges and encryption appropriately, etc. There’s just this long list of this domino effect of things happening over the air in combination with other things that just boggle. To Brett’s point, it boggles my mind because the attackers are all up in RF, they’re all up in embedded systems, they’re all up in everything that we just have no visibility into and it’s alarming.

 

Brett Walkenhorst (15:30 – 16:22) It’s a vast attack surface. And along those same lines we all carry these very sophisticated smartphones around with us all the time. Maybe there’s a few people out there who don’t. I’m jealous of you. These are really solid devices that speak multiple wireless protocols and yet whether it’s an app like you talked about that’s been in place, whether you put it there or someone else was able to put it on and maybe it’s running in the background, doesn’t even show as an application or there are more sophisticated tools that are nation state level capabilities like Pegasus which you may have seen in the news as a toolkit out there and unfortunately that Pegasus toolkit has been leaked to a foreign APT and that’s been demonstrated

 

Jennifer Minella (16:22 – 16:24) Leaked, leaked, air quoting leaked.

 

Brett Walkenhorst (16:24 – 18:19) I don’t know how that happened. It certainly wasn’t an ally of the country where Pegasus was created. But somehow they got a hold of some of these capabilities and that was evidenced by an attack that they conducted using a watering hole attack on a different government organization. So those kinds of capabilities are now in the hands of what we know as bad actors. I mean Pegasus got enough bad press and there are other tools like it out in the world, but now this is promulgating through the ecosystem and attackers have access to these capabilities. And among other things, Pegasus has the ability to implant malware on target devices without any user interaction. So there are zero-click attacks that they have demonstrated and the ones that we know about at least have been patched, but who knows what other capabilities they have. So phones are susceptible to hacking in a way that you can have that malware living on your phone and the attacker has command and control of everything available on your phone. All the interfaces, all the memory, all the applications. They can read your emails, they can read your texts, they can listen in on your phone calls. Now your phone has become a really capable surveillance device against you. And we allow these devices everywhere we go in business and our personal lives. So you have to think about the fact that a compromised phone can come into your facility and you’ll never know, but somehow if it’s already been authorized to access your enterprise network, they can use that authorization to do exfiltration however they want. They can control all the aspects of that device without the user knowing. So there’s all kinds of reasons to be concerned about the way that we implement policy associated with the use of wireless-enabled devices, as well as our total lack of visibility about their behavior. And I think we need to work on that. 
I’m painting a very gloomy picture, I realize, but I do want to make sure.

 

Jennifer Minella (18:20 – 19:04) It’s realistic. I mean, I think we’re here to shine the spotlight on the dark corners, right, of the networks and the airspace. And you’ve talked about some things like the drone attacks and some of these sophisticated attacks on mobile devices. I mean, I’m kind of like, I don’t know if this is feeling James Bond-y or like the Kingsman, but there’s definitely like this covert vibe going on. But some of the attacks are just they’re impactful, but they’re not even that sophisticated. And I think I’ve heard tales of like data centers kind of getting tapped. We’ve heard about the cranes coming from other countries that had cellular connections on them that really weren’t supposed to be there. What other kind of stuff have you seen out in the world?

 

Brett Walkenhorst (19:05 – 20:12) Well, you mentioned data centers. We’ve done a lot of work with data centers in recent years. And I’ve got a couple of examples from that environment that I think are interesting. One that really scares me is we had an example where we were able to observe with our system a hotspot regularly coming into a data hall and connecting to a client in the rack. So they had previously established this connection. Every time they come in, it just automatically connects. And data is being transferred for something on the order of an hour each time this occurs. And then, of course, the phone has a cellular connection. So here’s a clear data exfiltration path that no one had any idea was in place until we brought visibility to it. So how many places is that kind of thing happening where nobody knows? Because, again, going back to the idea that your APs are going to secure your network, okay, maybe they do. But they’re not looking at the other SSIDs in the area. They’re not looking for hotspots like that. They’re not looking for the cellular activity.

 

Jennifer Minella (20:13 – 20:21) Well, your DLP ain’t going to catch that kind of stuff. That’s right. You’re SOL right there.

 

Brett Walkenhorst (20:23 – 20:24) I’m sorry, Drew. Go ahead.

 

Drew Conry-Murray (20:24 – 20:28) No, finish what you were going to say, and then I’ve got a question ready.

 

Brett Walkenhorst (20:28 – 22:32) Okay. So, particularly as we are pushing everything into data centers, and as we’re building out these massive AI-focused data centers, I think people are very concerned about the value of the IP that’s being housed in those centers. And especially as we spend exorbitant amounts of money training these very sophisticated AI agents, the weights that are generated by that training are very valuable IP now. And maybe not just the weights, but there’s other valuable information on the side that allows those agents to run properly. All that data needs to be protected. And if we’ve got an insider that is just working through the blind spots using wireless to exfiltrate, like this example that I talked about, that’s bad news. I’m sorry, Drew. Well, there was one other example that I wanted to highlight to answer Jennifer’s question. I’ve got more, but I’ll keep it kind of brief. So, another data center example we had was some industrial-strength chillers in the data hall that until we got there, no one had any idea, but they had been set up with an unsecured ZigBee interface. And ZigBee is an IoT wireless protocol, right? So, it turned out that was intentional by the contractors, but nobody on the customer side knew it. So, the contractors loved it because they could pull up into the parking lot and manage the chillers from the parking lot using this unsecure interface. Meanwhile, it’s dual-homed and has wired connectivity into the rest of the network. And how susceptible that would have been, I don’t know. How well they segmented that kind of thing, I don’t know. But I do know that there was a clear path for access. Someone was screaming, come get me. And if any attackers had been listening close enough, they would have said, thanks, I’ll come right in.

 

Jennifer Minella (22:33 – 23:30) Yeah, especially with ZigBee. I mean, I think now, I don’t know, I’m a fangirl of like Matter and some of the newer IoT protocols that are a little more secure. But so much of the industrial stuff and the facilities management and lighting and everything is like Z-Wave and ZigBee. Even if the protocol supports a secure configuration, the manufacturers typically don’t build it that way because that’s really not their focus. Their focus is, yeah, make the chiller work, get the lighting system to work. They don’t really care about how the protocols and the data packets going around and the encryption keys, etc. There’s so many of these things. And even just printers. I mean, you take something out of the box, you hook it up, a printer, a storage device, whatever, and then suddenly there’s Bluetooth or there’s ZigBee or there’s other Wi-Fi, direct Wi-Fi things being advertised just by default. And unless you go look for those things, you don’t know that they’re happening. You don’t even know that that’s there.

 

Brett Walkenhorst (23:30 – 24:11) And most often, procurement doesn’t even know. We had an example from a customer where on their executive floors, they were installing new RFID readers. And thankfully, we had a system in place that was being used to monitor and we were seeing all these new things pop up. BLE things. BLE here and here. And we were able to identify that it was the readers themselves. Security guys went back to procurement and they were like, oh, no, no, no. We didn’t buy BLE-enabled readers. But they were able to prove it. Like, yeah, you did because look at this data. And so they went back and dug a little deeper and realized, oh, crap. They were actually trying not to, but it’s so hard to get away from because these chips are so cheap.

 

Jennifer Minella (24:11 – 24:13) We didn’t buy cellular-enabled cranes.

 

Brett Walkenhorst (24:14 – 24:27) Yeah. It’s amazing how much they’re embedded in. Like, even clothing. What? Why are BLE chips in your clothing? But someone wanted the ability to touch a button on their phone and tighten their shoes or…

 

Jennifer Minella (24:27 – 24:29) I mean, just because you can doesn’t mean you should.

 

Drew Conry-Murray (24:29 – 24:35) How else am I going to make my smart closet work if my clothes are not BLE-enabled? Exactly. Just answer me that.

 

Brett Walkenhorst (24:33 – 24:35) Yeah. What’s in my closet? Tell me. Inventory.

 

Drew Conry-Murray (24:36 – 24:49) We’ve mentioned visibility and not being able to see all these frequencies outside of 2.4, 5, and 6, et cetera. How do we get visibility into this broader RF environment?

 

Brett Walkenhorst (24:51 – 24:59) The most robust thing… well, step one would be, if you already have enterprise Wi-Fi and you’re not using its WIDS capabilities, that would be the easiest… 

 

Drew Conry-Murray (25:00 – 25:01) Which is wireless intrusion detection.

 

Brett Walkenhorst (25:02 – 26:03) Thank you, yes. Wireless intrusion detection system. If you’re not using it, start using that. Be aware that it has limitations. But that’s an easy first step. The second step, and I’m afraid I don’t know of a better second step, is to procure dedicated receivers that can start to bring visibility to this invisible space. So, if you’ve heard the term software-defined radio, that is an example of a flexible architecture that allows you to start accessing these electromagnetic waves that are floating around us all the time. That’s the mechanism that we use for wireless communication. So, this is very similar to… Well, it is the same thing as sunlight. It’s just that what we see is a very, very high frequency. When we’re talking about radio frequencies, it’s the same physical mechanism.

There are waves that are flying through the air. They travel at the speed of light because it’s the same thing.

 

Jennifer Minella (26:04 – 26:07) I want to make laser noises like pew, pew, pew.

 

Brett Walkenhorst (26:07 – 26:08) Do it, Jennifer.

 

Drew Conry-Murray (26:10 – 26:16) So, yeah. Could you actually just define software-defined radio for us, then? Let’s put some concrete around this definition.

 

Brett Walkenhorst (26:16 – 28:12) Yeah. So, you’ve got a flexible architecture that, with an antenna and a radio front end, you can take that frequency that’s flying around. You can take that wave, turn it into an electrical signal, mix it down to some frequency that we can handle, digitize that, and now you’ve got a bunch of bits that you can operate on. That’s software-defined radio in a nutshell. It’s antenna, RF front end, digitizer, and processor. And they come in various flavors. They can come very cheap, depending on what you need. The cheapest versions are basically just TV tuners. You can listen in on different things at the lowest frequencies. Not super helpful for this application, but then there’s higher-tier stuff that allows you to start to see what’s going on, but maybe not with a lot of bandwidth, maybe not with a lot of processing power. And then you can go all the way to professional-grade SDRs that may be a couple thousand dollars a piece, and they’ll allow you to see in great detail with a lot of processing capability. And that’s the kind of thing that we like to talk about, is let’s bring visibility to all this stuff. That requires a fair bit of processing. So if you’re going to have dedicated systems like that, you want them scanning the frequencies. You want them detecting the wireless packets that are flying. And ideally, you’d like to be able to strip out the information in the headers so that you have metadata that allows you to characterize the behavior, the identity, the connectivity of all these devices, so you can get a complete picture of what’s happening. Much like we’ve become used to having visibility into our wired domain, we kind of know who’s talking to whom and what, and we can analyze that data. That’s where I want to say we really need to work towards getting to that same paradigm in the wireless domain, leveraging that kind of flexible, software-defined radio architecture and other tools.

 

Jennifer Minella (28:13 – 28:57) And I like that you helped us put a table together that we could drop into the show notes, where we’ve got different tiers and costs and frequencies and stuff. And then Drew and I have been doing a little digging and researching and plugging in some other links to that. But I think in my head, and Brett, tell me if this is right or wrong. In my head, there’s kind of the world of the sub-1 GHz stuff, where we’ve got a lot of things buzzing around 900-ish. Then you’ve got those lower frequencies in the 1-2. Then you have where most of Wi-Fi, and I think most of cellular, lives in that 3-6. And then you have 6 and above, where I think maybe other cellular and other things can work in that space as well.

 

Brett Walkenhorst (28:57 – 29:23) Very little cellular. Most of cellular is below 6. Yeah, a little bit. And then, like you say, the above 6 for Wi-Fi is really pretty recent. Since the advent of 6E and now 7, we have access to this third band. So the vast majority of commercial terrestrial comms is 6 and below. But having visibility up to 7 or so is helpful for those newer use cases.

 

Jennifer Minella (29:24 – 29:45) What’s been the… So whether it’s spectrum or protocol, have you seen anything that you thought was unusually crafty from an exploiter, an attacker, an offensive perspective where somebody put something in and did jump through all of the hoops to avoid being detected? Do you have any?

 

Brett Walkenhorst (29:46 – 31:53) Yeah, there’s things that we’ve heard about. Basically, they’re using the same kind of protocol, but they’ll just shift the frequency a little bit, so it makes it harder to detect from standard COTS receivers. But if you have an SDR, you just tune it off a little bit. And if you have good filters that are called phase-lock loops, so if you have the ability to be a little more flexible in designing that, then you can lock into a frequency that’s offset. But you asked about creative. One of the things that popped into my head as you asked that wasn’t so much about how to hide, per se, but it was just a simple attack. There was an attack that we came across that was published by some white hat researchers that I thought was really clever. It’s about session hijacking a Bluetooth link. You’ve got this secure connection and you think everything’s great. Maybe you went through the right authentication and maybe you’ve got encryption running. Or maybe you don’t because, as the user, you don’t actually know. There’s nothing to say. There’s no little lock item on your screen to say, yeah, we’re secure. But anyway, you think you’re all good and then an attacker comes in and there was this really clever paradigm that they implemented. They said, we can just track this network as it hops in frequency. We’ll just track it as it goes across the band. Every time the peripheral responds to the central. You’ve got a central talking and then the peripheral responds. Every time the peripheral responds, we’ll just jam it. You just keep stepping on that frequency over and over again. You can do this very surgically. No one else needs to know. No one else is affected. You’re just immediately, every time you hear the central, you know exactly when the peripheral is going to talk. You just send out some energy on that frequency and no one can hear anything. The central eventually thinks the peripheral has gone away. 
When the central stops talking, the attacker steps in and they take over that link. They can do the same thing in both directions using different mechanisms. You can hijack a session in one direction or you can hijack it in both and you can become a machine in the middle. There’s lots of really clever tools that people have come up with that allow them to inject themselves and to take control or to modify data or just mess things up in some way.

 

Drew Conry-Murray (31:54 – 32:15) If I’m going down the route of software-defined radio to get visibility into my RF environment, how do I think about operationalizing this? Am I taking a device and walking through the building once a week? Am I sticking up something on the ceiling at various intervals throughout my physical footprint? What does it look like?

 

Brett Walkenhorst (32:15 – 32:38) All of those are valid. I would say that second idea you proposed is probably best practice. We have, for example, in some of the most secure locations that I know about, they have people come in regularly and do these sweeps.

They’re called technical surveillance countermeasures. They come in and try to make sure there’s no bugs, there’s no unauthorized electronics.

 

Drew Conry-Murray (32:39 – 32:43) It’s like the secret service coming into the hotel and checking for bugs before the president spends the night.

 

Brett Walkenhorst (32:44 – 34:24) It’s not just government. Commercial organizations do this too at the highest levels. Not all of them, but many do. It’s a valid service. It’s something important, but it’s also pretty expensive and it doesn’t happen very often. These point-in-time scans that you do, you can say with pretty high confidence, we’re clean right now. Tomorrow might be different. We’ve heard things from customers and spooks that indicate that attackers are wise to this. They see the ops. They see the schedule. Whatever it is, they figure out when they’re coming and they shut everything down. Maybe they even have to go in and remove some things. Then the next day, they pop them back in or just turn them back on. That’s problematic when we’re talking about just these point-in-time sweeps. You can do that. Just be aware again, you will have blind spots. What we recommend is to have continuous monitoring, much like we do on the wire. That requires that we put devices into a facility that stay there and run continuously. What we recommend is that you put these sensors in locations throughout in such a way that you can use the sensors not only to detect and identify the devices and extract metadata, but also to work together to localize the emissions from all those devices. That way, you have spatial information in addition to the temporal and behavioral information. You know where the devices are within the facility. That’s hugely helpful because unlike wire devices where if you put it in, you know where it is, these things can go anywhere.

 

Jennifer Minella (34:26 – 34:42) You might be walking around looking for something the size of your thumb. We covered a story a few weeks ago, Drew, where somebody put a Raspberry Pi on a bank network, the ATM network. It’s like, good luck finding something that’s half the size or a quarter the size of your cell phone.

 

Brett Walkenhorst (34:43 – 35:14) That’s a great example. Someone just walked into a cabinet, plugged something in, walked back out. Who knows how they got access? The implant was super easy and super quick to do. You just plugged it into a switch. The only mechanism that they had, because they were very sophisticated about evading detection on the wire, the only mechanism they could have had would have been to see that there was a cellular signal coming from that device. But again, no one’s looking. We need to start plugging these gaps because that should have been something easy to see. It just took some prep to get there.

 

Drew Conry-Murray (35:16 – 35:41) If I’m starting to get a picture of the RF environment in my physical facility, I’m thinking, if we’re talking about maybe starting to look at cellular connections and employees are using phones at work and that’s expected, but do I run into the issue of I might be intercepting sensitive personal communications that I shouldn’t be seeing? Is that something to think about as you’re doing this?

 

Brett Walkenhorst (35:41 – 36:48) That is a great question and it is something that people are often concerned about. Privacy is a big deal and we definitely, if we’re doing this, we definitely don’t want to be messing with encryption in any way. That would be a big violation of privacy. When we do this in our system, we just don’t touch the payload at all and nothing that we’re collecting is attributable to an individual. I think there are ways to do this in which you don’t get caught up in privacy concerns. The good news about cellular, as you brought that one up, is cellular has done a much better job at least in the developed world. I don’t know about everywhere. I’ve heard some stories that maybe encryption isn’t deployed widely everywhere. I think among at least the three major U.S. carriers, we do encryption by default. Much of those interactions are protected and good luck cracking them. We don’t even attempt it, so I wouldn’t recommend anyone else do either. That’s a valid question and something that people should be aware of if they’re going to try to roll their own, but we’re happy to work with you, too.

 

Jennifer Minella (36:49 – 38:02) It reminds me, too, long ago and far away, one of the projects in the federal space, one of the things that we had swirling around was this, I don’t even know what you call it, but it was this thing you could put something on your own network and it would try to find any path out of the network that it possibly could. And then the vendor had basically something out on the internet in the cloud and if your thing that you put on your own network made it out to the cloud and it would track the path that it got there in a way that you didn’t expect, you knew that there was some, because in a lot of federal, well, really any government or in large enterprise, you end up with links and ISPs and things that vendors or departments put in that you just didn’t realize were put in, and you have entry and exit points in the network, and that was the point of that technology, but it kind of reminds me of the same thing that I’m sure something like that’s swirling out there that you can, so then you have to figure out, okay, where is that emitter coming from if something’s coming out that shouldn’t be? And how do we go find it?

 

Brett Walkenhorst (38:02 – 38:58) Yeah, the unfortunate truth here is right now we don’t have a mechanism for seeing it for the most part, but once you do, you really want that localization so you know where it is. And many of our customers, not all, but some of our customers are so paranoid that any kind of wireless device anywhere is forbidden in a lot of their facilities, so they’ll just go find it right away. They love that localization. But even if you’re more permissive, like many of us, you still want to know, like first of all, you need analytics to identify bad behavior based on the metadata that you extract, and you need to be able to find when something is concerning, now I need to be able to do something about it. And very often, that requires physical interdiction, so that physical location is critical, and as you said, Jennifer, it could be something really tiny, so again, that metadata can help you characterize that device and hopefully identify what kind of a device it might be and help you with your investigation.

 

Drew Conry-Murray (39:00 – 39:17) So is the idea here, it sounds like first, I’m getting visibility, meaning, okay, I have a picture of what’s happening in the RF in my environment. Second is, I assume I’m looking to do some baselining, what kind of looks like quote-unquote normal. And then third, am I moving to setting up a system to tell me when there’s a discrepancy that I might want to look at?

 

Brett Walkenhorst (39:18 – 40:20) Yes. I think that is a good path forward. But I would emphasize the importance of analytics. So you mentioned baselining versus deviation, and that’s a good way to think about things, and there’s ways to implement AI and ML tools to help facilitate that. But we can also use heuristic-based detection capabilities based on things that we know exist. So there are certain behaviors that would be concerning under any condition. We should detect those behaviors, and they will have some delta from what we know as a healthy baseline. We don’t have to train a system on that. We can just do the research and implement the right things. So there’s a combination of things here, right? There’s heuristic-based detections, and there’s an AI and ML component. But the analytics is key, especially in environments where you have a ton of stuff coming in all the time.

You have to winnow that down. There’s a crap ton of stuff, and you’ve got to find what are the few things that deserve my attention. And that’s a really critical thing to be able to build.

 

Drew Conry-Murray (40:21 – 40:35) I’m thinking about intrusion detection systems of old, where in this RF world, if an employee comes to work with a brand-new pair of AirPods, you don’t want a million alarms going off when they turn the monitors to the music at lunch.

 

Brett Walkenhorst (40:36 – 40:48) That’s right. But if those AirPods end up in the boardroom, and there’s a phone that they’re connected to in another room, that’d be good to know, right? So behavior can be very context-dependent.

 

Drew Conry-Murray (40:48 – 41:21) Right. Yeah, it seems like the analytics then are going to be key if you can get that fine-grained of what kind of problems are we looking at. You mentioned metadata. I’m thinking from the wired world that the headers of the communications going through. Are we talking about what I’d expect in a typical Ethernet frame, source port, destination port, source IP, destination IP, and protocol? Or what can I learn from the metadata in an RF environment?

 

Brett Walkenhorst (41:22 – 42:44) Yeah, some of that. Sometimes there are capability advertisements in Bluetooth, or similarly from an AP when it beacons, sometimes we can access the modulation coding scheme, which includes the data rate, like how much data is flowing, and what other kinds of things. So there’s identity-related metrics that we gather, including whether it’s a MAC address or some kind of other unique ID, depending on the protocol. And then there are specific both advertising and service types of data that flow, depending on the protocol. And these can get very long hex strings of data that can sometimes be very useful, whether it’s for identifying the device itself or that the device is engaging in a specific kind of behavior. So it’s surprisingly helpful to have these complex sets of data that as we start to dive into and slice apart, we can begin to see that, oh, a complex combination of logic that checks this field for this kind of pattern, and this field for this kind of pattern, and then maybe over time we can really build a much richer understanding of what those devices are doing.

 

Jennifer Minella (42:44 – 43:15) It reminds me a lot of some of the more in-depth Nmap fingerprinting scans, where you get down into, not only is it Linux, it’s this flavor and version of Linux, because the combination of this port and this port and this version of SSH, etc., etc., etc., where they take 20 different pieces of that telemetry, and that combined indicates it’s this operating system very specifically, or this type of device. So it sounds like that, but for RF.

 

Brett Walkenhorst (43:15 – 43:17) Yeah, I think that’s a good analogy.

 

Jennifer Minella (43:17 – 43:39) And I do need to just point out to the listeners that in this wonderful episode, it was Brett and not Drew who burst the AI cherry first. For your bingo cards. It’s usually Drew. Usually in the first five minutes of every episode or at least the first seven minutes, Drew’s gotten AI out there, everybody’s had their shot, they’ve filled out their bingo card, and we move on.

 

Brett Walkenhorst (43:39 – 43:56) Well, now I’m really ashamed, Jennifer. I don’t like to hype AI too much, because I think it’s over-hyped. But it also has a place to play, and in particular trying to look for deviations from the norm in a statistical sense. That can be useful. Anyway, my bad.

 

Drew Conry-Murray (43:57 – 44:01) Don’t worry. It’s an inevitable question and always has to be asked.

 

Brett Walkenhorst (44:01 – 44:01) Yeah.

 

Drew Conry-Murray (44:02 – 44:09) I’m curious. I feel like we’ve been talking about Wi-Fi and cellular and Bluetooth. What about IoT? Is there a role to play here?

 

Brett Walkenhorst (44:12 – 45:27) Yeah, the short answer is yes. I guess I would just try to characterize IoT as a subset of everything that we’ve been talking about. And also a little bit more than that. So some IoT lives on the wire. And some IoT is enabled by wireless. And there is a lot of that, by the way. There’s a big piece of the wireless world that is IoT. So I think it all definitely applies. IoT devices may speak over ZigBee, Matter, Z-Wave. There’s lots of examples along those lines. But also over Bluetooth, Bluetooth Low Energy, Wi-Fi, even Cellular. So all of the protocols that we talk about as standard wireless protocols in the world, they have a part to play in the IoT world. But there’s more going on, as you all know. There’s more wireless in the world than just IoT. That’s a superset. But it absolutely applies. Depending on your use case, you might want to say, well, I don’t care about the IoT. But if you don’t care about IoT but you care about enterprise wireless, then you still have to pay attention to some of that IoT because it’s too tightly connected.

 

Jennifer Minella (45:27 – 45:30) And you care about it if it’s exfiltrating data.

 

Brett Walkenhorst (45:30 – 45:31) Exactly.

 

Jennifer Minella (45:32 – 45:34) I don’t know, my feeling on this . . .

 

Brett Walkenhorst (45:34 – 45:36) I didn’t want to say you shouldn’t care about it. I just know that people have different priorities.

 

Jennifer Minella (45:36 – 45:41) If you don’t care about it, you should. Take this as your sign. Here’s your sign.

 

Brett Walkenhorst (45:41 – 45:44) Yes, thank you, Jennifer. That’s a good reality check.

 

Jennifer Minella (45:44 – 45:46) Brett, you’re just so politically correct and calm.

 

Brett Walkenhorst (45:47 – 45:48) I try to be nice.

 

Jennifer Minella (45:48 – 45:50) I swear, you and Drew, like the two of you together.

 

Brett Walkenhorst (45:51 – 46:00) Well, here’s the thing. I know what I would like people to do. But I also know everybody’s operating with limited budgets, a lot of constraints. I get all that.

 

Jennifer Minella (46:00 – 46:04) You’re just nicer than I am, that’s all. It’s okay. It’s good. It’s a fantastic quality.

 

Brett Walkenhorst (46:04 – 46:07) We’re a good combo then. You come out swinging.

 

Jennifer Minella (46:11 – 46:12) Get your stuff together, people.

 

Drew Conry-Murray (46:15 – 46:34) Like you just said, folks have a lot on their plate. If I’m a wireless person or even a CISO or security architect listening, and I’m like, now I’ve got another thing for my to-do list. Is there a first step or a minimum viability that I can start thinking about RF awareness beyond what I’ve been already thinking about?

 

Brett Walkenhorst (46:35 – 48:21) Yeah. I can tell you it’s a scary world to step into. It might be good to have someone hold your hand. As I said earlier, I think it’s wise to just make use of the WID system if you already have one and you’re not using it. That would be a good first step. If you want to start looking independently, I think, I guess my recommendation sort of touches on something that we mentioned early on, that we often don’t think about wireless. And there are probably some very good reasons for that. The IT world is, I think it requires a bit of a different mindset, different skill set than what’s typically found among wireless engineers or people who understand wireless. And there are some people who bridge the gap, and I think that’s great. We probably need more of that. So one of my recommendations might be, if you’re motivated to start doing something, maybe get somebody on your team to get a little smarter on wireless technologies in general. Because you’re going to need that skill set. If you want to dive into this, and if you’re not ready to just dive into the deep end, I mean, you’re welcome to call us and we’ll help you dive in, but if you’re not ready for that as a first step, you really should probably get someone who can speak the language a little bit and then acquire some basic tools to start mucking around with it. Just to start playing, just to start monitoring from whatever level you can, whatever you’re ready to dive into, get a software-defined radio and start trying to make sense out of the packet flows that you’re seeing. It’s going to take you a long time.

 

Drew Conry-Murray (48:21 – 48:25) So I could go buy a software-defined radio online and maybe find an open-source project and start playing?

 

Brett Walkenhorst (48:26 – 48:57) Yeah, that is absolutely viable. I will say, be cautious with that. It won’t get you where I think you need to go. And that’s why I think people who have invested a lot of time in this, like we have, we can really help people jumpstart that. But if you’re motivated to just get your feet wet a little bit and maybe that’s all you have time and resources for, that might be a good way to go. Get one person on your team, start getting smart, get a tool, start playing around with it, and as you get overwhelmed, give somebody like us a call and we’ll help take you to the next step.

 

Jennifer Minella (48:58 – 50:47) I remember when I wrote the book on wireless security, it’s primarily for Wi-Fi, but there’s a chapter in the book that talks about non-Wi-Fi wireless. And I work in the IoT space, not to the degree that you do by any stretch of the imagination, but I went out to different friends who work in that space deeply and I was trying to kind of gather and make some mind maps and connect the dots between PHY and distance and kind of map different things, because we’re covering like 6LoWPAN technologies and all of the longer distance and HART and things using industrial. So I’m trying to pull all of this together, and I remember getting into all of the layer two pieces of things, and it’s like, well, this protocol is like at layer two and three, but this protocol is at kind of half of layer one up through three, and then this one’s at like really just layer three, and the PHYs can be different. And so what that ultimately ends up meaning is that there’s not a good, clear, cookie-cutter view of the spectrum and the width. It’s really hard without having a database built to figure out what something may be, what you’re looking at, even for those of us that work in the wireless space. So I think it’s an interesting exercise for some hobby playing. It’s certainly not something I would try to do at an enterprise level security program, but I do think, to Drew’s point, it’s nice to kind of like get some, if you’re into that, get some open source things, get your fingers wet and stuff, and at least wrap your head around some of the terminology, because it’s just so complicated.

 

Brett Walkenhorst (50:48 – 51:52) I agree, and I come at this from the other direction. So I was a wireless expert for many years before I came into security, and I’ve only in the last few years been learning to speak that language, and I have a great deal of sympathy for someone coming the other way. It is a very different world. It requires, I think, an understanding of physics, of math that you’re probably not used to and maybe you just don’t want to dive into. There’s gonna be a lot of people who live in IT that probably just don’t want to mess too much with it. I want to help people get a high level understanding, but to become sort of an expert that helps bridge the gap, that probably isn’t for everybody. But it would be really good, I think, to have more of those people on more teams throughout the country helping us better understand and secure the wireless world. There’s like 60 billion devices that are wirelessly enabled in the world, and we’ve got a lot of that here in the U.S. So there’s tons of opportunity for compromise. It’s a big attack surface and we just really need to start paying more attention to it.

 

Jennifer Minella (51:53 – 52:09) And I was just looking, I mean, since you kind of outed yourself there, I was just looking at your bio and you’ve been at Lucent, at Raytheon, like from the RF perspective you’ve been deeply in this for decades.

 

Brett Walkenhorst (52:09 – 52:17) I’ve been doing RF signal processing since I got out of college 20 something years ago, 25 almost I think.

 

Jennifer Minella (52:17 – 52:22) That is a level of physics and math that is way over my head.

 

Brett Walkenhorst (52:22 – 52:50) It’s mind numbing for most people. Most people should not do that. It’s not good for your sanity. And I learned way more than probably anybody should but it’s been a lot of fun for me. Like I’m a weird personality. I loved doing it for wireless comm but I also did a lot for electronic warfare, signals intelligence and surveillance, radar. So I kind of got mastery of all those subjects and I was like let’s do something different. And here I am talking about wireless security.

 

Jennifer Minella (52:51 – 52:57) So we’re going to have to have you back to talk about some of the SIGINT stuff I think in a follow up to this.

 

Drew Conry-Murray (52:58 – 52:59) Sounds good.

 

Brett Walkenhorst (53:00 – 53:01) Yes, that’s right.

 

Jennifer Minella (53:01 – 53:04) That’s fine. Just kill Drew. No, I’m kidding.

 

Drew Conry-Murray (53:06 – 53:08) Now I see where I stand.

 

Brett Walkenhorst (53:08 – 53:09) She does come out swinging.

 

Jennifer Minella (53:10 – 53:26) I’m kidding. Well, Brett, in past webinars and events and stuff you’ve talked about RF threats from the early days of RF technologies. What are some of the lessons that we have from history and things that we’ve learned, and then what is the next step for us looking forward?

 

Brett Walkenhorst (53:27 – 57:12) Okay. That’s a great question. Let me start from what I think is the very beginning. Back in the early 1900s there was a guy named Guglielmo Marconi. He’s an Italian inventor. He’s largely credited as being the father of radio. I don’t know if that’s valid or not, but he certainly made his mark on that world. He was running a demonstration in 1903 of wireless transmission over 300 miles. This wasn’t the first time he’d done this, but he was setting up this demonstration and he made the claim that the system was secure and it would avoid interference because they had the ability to tune the signal, whatever that meant to him. Anyway, there was a rival of his nearby who set up a transmitter near the theater where their receiver was located and he basically just overwhelmed the signal. Kind of jammed, but basically set up his transmitter to send a bunch of Morse code that ended up, like the text of the Morse code was mocking Marconi, which is not very nice, but he was a bit of a trickster and kind of an interesting guy in his own right. His name was Nevil Maskelyne, and I mention his name because he was influential in helping the Allies trick the Nazis in the lead up to D-Day, so he had his own bragging rights there. Anyway, I think the story is interesting because way way back I only came across this a couple years ago, and as a wireless guy I kind of think I should have known about this before. It’s a great story because, first of all, you had Marconi, a very visible person within the world of wireless, claiming that his system could not be hacked. And then you had the world’s first wireless hacker come in and say, oh yeah? And this story plays out over and over again in history, right? We get a little cocky and someone breaks something. And then we go, oh well, we got the latest greatest thing now, this one’s good, and then someone else breaks that.
So fast forward a bit. So we have that kind of hack, we have systems starting to come online to do commercial broadcasts, different kinds of communication systems for military use, and then we get into post-World War II and we have a lot of, I would say, purpose-built espionage-type tools. There was a notable example of one that was embedded in the U.S. seal given to the U.S. Embassy by the Russians that was in place for a number of years before it was discovered. And there’s all kinds of things going back and forth. The U.S. did plenty of that too. And so lots of this kind of stuff is being used, electronics to do surveillance. Well, that continued but has since morphed, and then we have modern communication systems like cellular, Wi-Fi, Bluetooth all becoming embedded in our society and becoming ubiquitous, really. And there are all kinds of different attacks becoming increasingly sophisticated. As these tools are all sophisticated or becoming more sophisticated to support additional use cases, now we get vulnerabilities breeding, and the attack vectors themselves become increasingly sophisticated. But much like the wireline, you don’t really have to get that sophisticated sometimes, because even the simplest things will continue to work because nobody’s paying attention, maybe. So if we’re looking to the future, I guess what I would say is, if we’re trying to figure out where things are going, I think the world is going to continue to rely on wireless. The numbers of devices will continue to grow. As I said, my latest estimate is probably about a year old now, and I’m not sure I wasn’t under guessing a little bit, but I estimated about 60 billion wireless enabled devices.

 

Jennifer Minella (57:13 – 57:15) Billion with a billion with a B

 

Brett Walkenhorst (57:17 – 58:35) I imagine we’ll be well over 100 billion in a couple of years, so maybe three to five years from now. That’s just going to continue that trend, and the trend of offensive research will continue to march ahead. In terms of CVEs that have been published related to wireless protocols and wireless implementations in wireless devices, we’ve seen an exponential growth in the numbers of published CVEs that attack those kinds of protocols. I think we’re probably around three and a half to four thousand CVEs total, and there was like a 20-25% increase year over year typically, so it’s exponential growth rate that’s going to continue as well. And of course the adversaries who are not publishing their findings will continue to research stuff. My one question, I guess, is do we respond to that as defenders? Do we start to catch up a little bit? Because I see those trends continuing, especially if they continue to see these blind spots and these being effective. It might take some crises for us to get there, but I’m hoping that as defenders we start to respond to that threat and start to secure this large attack space.

 

Drew Conry-Murray (58:39 – 59:01) Well, thank you, Brett. This has been a really cool conversation. I do feel like we got a peek into the hidden world of RF, so thank you for that. And thanks for, there’s a bunch of information we’ll have in the show notes on this chart. We’ve got lots of links to some open source stuff, some tools and so on. Brett, if folks want to reach out to you online, where should they go?

 

Brett Walkenhorst (59:02 – 59:16) They can go to our website. There’s a contact form there, bastille.net, that’s B-A-S-T-I-L-L-E dot net, and there’s lots of ways to reach us through that website.

 

Drew Conry-Murray (59:16 – 59:51) Alright, that’s Bastille.net. So thank you, Brett, for being with us, and thanks to you for listening to another episode of Packet Protector. If you have a topic you want us to cover or a comment or correction or question, you can reach out at packetpushers.net slash FU. FU is for follow up, and we do appreciate when listeners reach out. And just to let you know, Packet Protector is part of the bigger Packet Pushers podcast network. We’ve got more than a dozen technical podcasts for your professional development on networking, security, IPv6, DevOps and more, an industry blog, two weekly newsletters, a community Slack group, a YouTube channel, even an IRC group. You can find it all for free at packetpushers.net. As always, thanks for listening.

 
