

Plug computers as low-profile security intrusion tools - tectonic
http://blog.andrewcantino.com/post/3565673304/why-plug-computers-are-a-security-nightmare

======
pak
This is a great companion to another paranoia-inducing post on HN recently
(<http://news.ycombinator.com/item?id=2267205>) because it suggests a way to
create your own plug-in-and-leave-it proxies to do whatever on the Internet
without leaving any tracks. As you know, most hackers attempt to do this by
tunneling through one or more compromised systems, but here is a way that
might actually be somewhat legal:

Go to any place where two public wireless networks overlap, and leave one of
these devices in the overlap zone and connected to both networks. Arrange the
networking so that you can tunnel out of one wireless network and back into
the other. Do this in a few such places and you have a series of hops that can
make it quite challenging to trace traffic back to you. Have your device
retain no logs and include a remote power shutoff, so if somebody is chasing
you from the destination network, by the time the physical plug is discovered
(if it is at all, these things are easy to conceal) the router logs for the
source network and ISP have long cycled.

If you are doing something really nefarious, do all of this on a battery-operated
Gumstix and leave it in a trashcan between a Starbucks and a public
library. The battery would probably last you all day, and then the garbage
truck will dispose of all evidence by next morning without any intervention.

------
tptacek
This idea is as old as Phrack Magazine. Pieter Zatko demonstrated the L0pht's
version of it in 1997: a Palm Pilot rigged up to sniff network traffic and
phone it home via telephony.

The problem isn't small form factor computing. It's internal networks where
MAC-layer connections aren't authenticated, and where there is no access
control between desktops and data centers. It's been that way, in virtually
every company big and small, since 1993 when networks cut over from IPX and
extended TCP/IP to the desktop.

~~~
Florin_Andrei
Just curious - in what way was IPX better than this?

~~~
tptacek
It wasn't better; it was just different.

------
theBobMcCormick
I'm not sure how this is really _new_. Everything he's describing has been
possible for _years_ with a laptop. I guess "plug computer" might make it a
little cheaper and a little easier to conceal?

If anything, I'd say plug computers are _good_ for security, if they're making
people more aware of how god-awful stupid the "eggshell" model of putting all
your efforts into perimeter security really is.

Unfortunately, instead of focusing on securing their internal servers and apps,
my bet is most "enterprises" will instead respond by just extending the
eggshell with greater lockdown of end-user PCs. :-(

~~~
pak
Yeah, it's all about form factor. If you see a laptop plugged in and leaning
behind a desk, you think somebody lost their laptop and you pick it up. If you
see one of these sitting in a socket, you don't look at it twice because it
looks like one of millions of power adapters that are hooked into all the
walls everywhere.

Personally, I want one that screws into a lightbulb socket and lights up :-)

~~~
roc
Put one in an otherwise functional power strip and you'd have no problem
getting it into place.

~~~
stcredzero
Put it in a power strip, and people working there will want to steal it for
their own cube!

------
trotsky
Plug computers are a serious threat, though the need for physical access and
relatively easy discovery mean that it's not going to be that common. Pentest
teams are currently using them, which means malicious users are too.

I'd definitely be worried about those PoE injectors for conference room phones
and other uses. Most of them already look like a cheap black box, have two
ethernet ports and power and aren't out of place.

Practically though, I'd be much more concerned about penetrations in official
clients. You can get most of the same functionality out of an employees mobile
device and have the added advantage of more deniability. Client malware is so
common that most is not assumed to be a targeted attack, whereas finding an
unauthorized plug computer will raise alarm bells quickly.

Nevertheless, it's yet another strong argument for implementing 802.1X.
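
Until 802.1X is in place, the cheapest signal that something like a plug computer has joined a wired segment is a DHCP lease handed to a MAC address nobody inventoried. The script below is an added example written for this thread, not code from the post or from any commenter: it parses ISC dhcpd-style DHCPACK syslog lines (the sample lines are constructed, and the `INVENTORY` allowlist is a hypothetical asset list) and reports leases to unknown MACs, additionally flagging locally-administered addresses, which are a hint that the MAC was set in software rather than burned into a NIC.

```python
"""Flag DHCP leases granted to MAC addresses that are not in the asset inventory.

Added example for this thread. Log lines and the inventory are constructed;
adapt the regex if your DHCP server logs in a different format.
"""
import re

# Constructed ISC dhcpd syslog lines. The third host shows up on the
# conference-room VLAN with a generic hostname and a MAC nobody inventoried.
SAMPLE_LOG = """\
Feb 24 09:12:01 dhcp1 dhcpd: DHCPACK on 10.20.4.17 to 00:1a:2b:3c:4d:5e (wks-0417) via vlan20
Feb 24 09:12:44 dhcp1 dhcpd: DHCPACK on 10.20.4.18 to 00:1a:2b:3c:4d:5f (wks-0418) via vlan20
Feb 24 09:13:02 dhcp1 dhcpd: DHCPACK on 10.20.9.33 to 02:50:43:aa:bb:cc (debian) via vlan90
Feb 24 09:13:02 dhcp1 dhcpd: DHCPACK on 10.20.9.34 to 00:1a:2b:3c:4d:60 via vlan90
"""

# Hypothetical allowlist of MACs from the asset inventory (lower-case, colon-separated).
INVENTORY = {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f", "00:1a:2b:3c:4d:60"}

# dhcpd writes "DHCPACK on <ip> to <mac> [(hostname)] via <interface>".
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


def parse_acks(log_text):
    """Yield one dict per DHCPACK line: ip, mac (lower-cased), host (or None), iface."""
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["mac"] = rec["mac"].lower()
            yield rec


def is_locally_administered(mac):
    """True if the U/L bit (bit 1 of the first octet) is set.

    Vendor-burned addresses have this bit clear; a set bit usually means the
    address was chosen in software, which is worth a second look on its own.
    """
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def unknown_devices(log_text, inventory):
    """Return {mac: {...}} for every lease granted to a MAC outside the inventory.

    Each entry records the last seen ip, hostname and interface, plus whether
    the MAC is locally administered.
    """
    found = {}
    for ack in parse_acks(log_text):
        if ack["mac"] in inventory:
            continue
        found[ack["mac"]] = {
            "ip": ack["ip"],
            "host": ack["host"],
            "iface": ack["iface"],
            "locally_administered": is_locally_administered(ack["mac"]),
        }
    return found


if __name__ == "__main__":
    for mac, info in unknown_devices(SAMPLE_LOG, INVENTORY).items():
        flag = " [locally administered MAC]" if info["locally_administered"] else ""
        print(f"unknown device {mac} at {info['ip']} ({info['host']}) on {info['iface']}{flag}")
```

Run it against a tail of the DHCP server's syslog on a schedule; a hit on a VLAN that should only carry phones or printers is exactly the case the thread describes. Static-IP devices never request a lease, so this catches only the lazy attacker; switch MAC tables or 802.1X cover the rest.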

------
tectonic
Someone on IRC just pointed me towards
<http://pwnieexpress.com/pwnplug3g.html> which is scary as hell.

~~~
metageek
I'd be a little less concerned about this one, because it's riskier for the
attacker: once you find it, you can probably get a court order to have Verizon
tell you who's paying the 3G bill.

Although I suppose that just means Step 0 is to get service under a false
identity.

~~~
caudipublius
<http://goo.gl/ouBta> . Would this work though?

~~~
JoachimSchipper
This isn't Twitter, type out your URLs.

------
orenmazor
if this is a problem for you, then you're really screwed when we have fly
sized drones just sitting on the walls in your conf room.

------
motters
"a budding industrial espionagist could buy the SheevaPlug..."

Stopped reading at that point. People can use technology for whatever they
want, including nefarious purposes. That's not an issue which is specific to
plug computers.

------
madmaze
Here is the Kickstarter website:
<https://www.kickstarter.com/projects/plugbot/plugbot-mobile-pen-testing-and-hardware-botnet-pro>

looks like they have a ways to go.

------
Tichy
How does plugging a computer into a power socket compromise the network?
Wouldn't it be the same if I, say, camped below the office window with my
netbook? You still have to hack into the WLAN network, I suppose?

~~~
phlux
Because with you camping below a window - you will be seen, get hungry, get
caught.

Imagine you get an interview at some company and you gain access to some area,
like a lounge. You could potentially smuggle a pluggable box into the facility
and plug it in behind some plant, or a copier, or even a coffee machine.

(Copier being the best option)

This machine could ideally auth with the local wifi and gain access to the
internet, and provide you tunneling access back into the network.

When Aruba Networks first came out, the initial default config of their system
allowed anyone to associate with the network and VPN OUT to the internet,
while not giving them access to corporate resources. While we found this
behavior at Lockheed Martin and had them patch it, the same scenario could
be found elsewhere today, where you could then connect to the pluggable and
scan/hack your way into the network.

------
Xurinos
FUD

~~~
tectonic
Explain.

~~~
stcredzero
I've worked on the software of a lot of big energy companies. A lot of those
companies can make tons of money just because they are huge and have deals
going on everywhere. This gives them a lot of information about what's going
on in energy markets all around the world. In short, this information is
highly valuable, and yet it often flies around corporate networks in
plaintext. Just undetectably getting this information to an outside party
would be a highly illegal act that would enable a great many other profitable
and highly illegal acts.

(And it would also be very hard to do this without getting caught. Even harder
than most people would think. Particularly at the point where you're trying to
make money.)

~~~
trotsky
Night Dragon:

<http://www.bloomberg.com/news/2011-02-24/exxon-shell-bp-said-to-have-been-hacked-through-chinese-internet-servers.html>

This is a serious APT that's been ongoing for 4-5 years and benefits Chinese
oil exploration.

~~~
caudipublius
wait, why are Greg Hoglund and HBGary still 'reputable' sources linked and
quoted from in this article written 4 days ago?

~~~
trotsky
A significant amount of the source material about Night Dragon came from the
same email theft that outed the WikiLeaks and CoC issues. Since it sounds like
you believe the latter, why would you say the former isn't credible?

