Hacker News
Plug computers as low-profile security intrusion tools (andrewcantino.com)
43 points by tectonic on Feb 28, 2011 | 28 comments

This is a great companion to another paranoia-inducing post on HN recently (http://news.ycombinator.com/item?id=2267205) because it suggests a way to create your own plug-in-and-leave-it proxies to do whatever on the Internet without leaving any tracks. As you know, most hackers attempt to do this by tunneling through one or more compromised systems, but here is a way that might actually be somewhat legal:

Go to any place where two public wireless networks overlap, and leave one of these devices in the overlap zone and connected to both networks. Arrange the networking so that you can tunnel out of one wireless network and back into the other. Do this in a few such places and you have a series of hops that can make it quite challenging to trace traffic back to you. Have your device retain no logs and include a remote power shutoff, so if somebody is chasing you from the destination network, by the time the physical plug is discovered (if it is at all, these things are easy to conceal) the router logs for the source network and ISP have long cycled.

If you are doing something really nefarious, do all of this on a battery-operated Gumstix and leave it in a trashcan between a Starbucks and a public library. The battery would probably last you all day, and then the garbage truck will dispose of all evidence by next morning without any intervention.

This idea is as old as Phrack Magazine. Peiter Zatko demonstrated the L0pht's version of it in 1997: a Palm Pilot rigged up to sniff network traffic and phone it home via telephony.

The problem isn't small form factor computing. It's internal networks where MAC-layer connections aren't authenticated, and where there is no access control between desktops and data centers. It's been that way, in virtually every company big and small, since 1993 when networks cut over from IPX and extended TCP/IP to the desktop.

Just curious - in what way was IPX better than this?

It wasn't better; it was just different.

I'm not sure how this is really new. Everything he's describing has been possible for years with a laptop. I guess "plug computer" might make it a little cheaper and a little easier to conceal?

If anything, I'd say plug computers are good for security, if they're making people more aware of how god awful stupid the "eggshell" model of putting all your efforts into perimeter security really is.

Unfortunately, instead of focusing on securing their internal servers and app, my bet is most "enterprises" will instead respond by just extending the eggshell with greater lockdown of end-user PCs. :-(

Yeah, it's all about form factor. If you see a laptop plugged in and leaning behind a desk, you think somebody lost their laptop and you pick it up. If you see one of these sitting in a socket, you don't look at it twice because it looks like one of millions of power adapters that are hooked into all the walls everywhere.

Personally, I want one that screws into a lightbulb socket and lights up :-)

Put one in an otherwise functional power strip and you'd have no problem getting it into place.

Put it in a power strip, and people working there will want to steal it for their own cube!

Plugs can take their time.

Not only can you do low intensity probes over a much longer span of time vs a wardrive or loiter-scenario, you can keep throwing new exploits against old targets so long as the plug goes undetected.

I wasn't really thinking about a wardrive/loiter scenario, so much as a "plug a laptop in, then slide it behind a desk/filing cabinet, etc." kind of scenario.

No matter what the form factor, you're probably gonna want at least power and an ethernet connection. Most enterprise networks are pretty locked down on the wireless side, but on the wired side it's still pretty uncommon to find any significant lockdown like 802.1x authentication.

Plug computers are a serious threat, though the need for physical access and relatively easy discovery mean that it's not going to be that common. Pentest teams are currently using them, which means malicious users are too.

I'd definitely be worried about those POE injectors for conference room phones and other uses. Most of them already look like a cheap black box, have two ethernet ports and power and aren't out of place.

Practically though, I'd be much more concerned about penetrations in official clients. You can get most of the same functionality out of an employee's mobile device and have the added advantage of more deniability. Client malware is so common that most is not assumed to be a targeted attack, whereas finding an unauthorized plug computer will raise alarm bells quickly.

Nevertheless, it's yet another strong argument for implementing 802.1x.

Someone on IRC just pointed me towards http://pwnieexpress.com/pwnplug3g.html which is scary as hell.

I'd be a little less concerned about this one, because it's riskier for the attacker: once you find it, you can probably get a court order to have Verizon tell you who's paying the 3G bill.

Although I suppose that just means Step 0 is to get service under a false identity.

http://goo.gl/ouBta . Would this work though?

This isn't Twitter, type out your URLs.

If this is a problem for you, then you're really screwed when we have fly sized drones just sitting on the walls in your conf room.

"a budding industrial espionagist could buy the SheevaPlug..."

Stopped reading at that point. People can use technology for whatever they want, including nefarious purposes. That's not an issue which is specific to plug computers.



I've worked on the software of a lot of big energy companies. A lot of those companies can make tons of money just because they are huge and have deals going on everywhere. This gives them a lot of information about what's going on in energy markets all around the world. In short, this information is highly valuable, and yet it often flies around corporate networks in plaintext. Just undetectably getting this information to an outside party would be a highly illegal act that would enable a great many other profitable and highly illegal acts.

(And it would also be very hard to do this without getting caught. Even harder than most people would think. Particularly at the point where you're trying to make money.)

Night Dragon:


This is a serious APT that's been ongoing for 4-5 years and benefits Chinese oil exploration.

Having foreign governments cover for you is one way of getting away with stuff like that. When I was working at Shell, I would never have imagined such a thing was possible for someone like me to arrange -- that would only be the stuff of movies and books. Now, in this very globally connected age, such things are no longer so far out.

I still wouldn't touch that with a 10 foot pole. Even with China covering for you, it's not a game to play lightly for anyone who has a home and life in the US.

Wait, why are Greg Hoglund and HBGary still 'reputable' sources linked and quoted from in this article written 4 days ago?

A significant amount of the source material about Night Dragon came from the same email theft that outed the WikiLeaks and CoC issues. Since it sounds like you believe the latter, why would you say the former isn't credible?

Probably because there's nothing new here. Controlling physical access to a network is a long standing problem with a wide variety of solutions. As with any security technology, these solutions are imperfect, but the plug computer only brings a couple new factors to the table: it doesn't look like a computer and it is extremely small, so it's very concealable.

Neither of these contributes significantly to your exposure any more than something like a laptop or netbook. Concealment helps protect against casual detection, but many offices are littered with spare laptops that no one pays any attention to anyway. This is especially true in IT departments where systems may sit on shelves for days or weeks waiting for repair. The notion that a plug computer may be hard to find once identified sounds scary, but in practice, it's a non-issue. You simply identify the port to which the device is connected, unplug it, then trace the cable back to its termination point. I'm going to ignore wireless, because no sensible security plan involves a WiFi network attached to their private network. You segregate wireless in the DMZ, then allow WiFi users to connect to a VPN endpoint using strong encryption.

Any business concerned about securing their networks has implemented policies like shutting interfaces that aren't in use, and authenticating access at the Ethernet level using 802.1X. Neither of these is foolproof, but depending upon how secure you want to be, you build up security at every layer: physical, Ethernet, VPN, application.
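
An added example, not part of the thread or any commenter's code: a small audit of a switch MAC address table against an asset inventory, which is the "identify the port" step and the "unused interfaces should be shut" policy described in the comment above. The table layout, port names, MAC addresses and the inventory are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the common "show mac address-table" column layout.
SAMPLE_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0200.0000.0a01    DYNAMIC     Gi1/0/1
  10    0200.0000.0a02    DYNAMIC     Gi1/0/2
  10    0200.0000.0bff    DYNAMIC     Gi1/0/2
  20    0200.0000.0c07    DYNAMIC     Gi1/0/7
"""

# Hypothetical inventory: port -> MACs expected there. Ports absent from
# this mapping are supposed to be administratively shut.
INVENTORY = {
    "Gi1/0/1": {"0200.0000.0a01"},
    "Gi1/0/2": {"0200.0000.0a02"},
}

ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$",
    re.IGNORECASE,
)

def parse_mac_table(text):
    """Return {port: set of MACs}; header and separator rows do not match ROW."""
    ports = defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ports[m.group(4)].add(m.group(2).lower())
    return dict(ports)

def audit(text, inventory):
    """List (port, mac, reason) for every MAC the inventory does not explain."""
    findings = []
    for port, macs in sorted(parse_mac_table(text).items()):
        if port not in inventory:
            # Traffic on a port that should be shut: start the cable trace here.
            findings += [(port, m, "port should be unused") for m in sorted(macs)]
        else:
            # Extra device behind a known port (e.g. something inline on the drop).
            extra = sorted(macs - inventory[port])
            findings += [(port, m, "MAC not in inventory") for m in extra]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_TABLE, INVENTORY):
        print(*finding, sep="  ")
```

A MAC match is not authentication, so this only surfaces hardware that shows up under its own address; per-port authentication with 802.1X, as the comment says, is the stronger control.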

Here is the Kickstarter website: https://www.kickstarter.com/projects/plugbot/plugbot-mobile-...

Looks like they have a ways to go.

How does plugging a computer into a power socket compromise the network? Wouldn't it be the same if I, say, camped below the office window with my netbook? You still have to hack into the WLAN network, I suppose?

Because with you camping below a window - you will be seen, get hungry, get caught.

Imagine you get an interview at some company and you gain access to some area, like a lounge. You could potentially smuggle a pluggable box into the facility and plug it in behind some plant, or a copier, or even a coffee machine.

(Copier being the best option)

This machine could ideally auth with the local wifi and gain access to the internet, and provide you tunneling access back into the network.

When Aruba Networks first came out, the initial default config of their system allowed anyone to associate with the network and VPN OUT to the internet - while not giving them access to corporate resources. While we found this behavior at Lockheed Martin, and had them patch it - the same scenario could be found elsewhere today - where you could then connect to the pluggable and scan/hack your way into the network.
