Raspberry Pi As Hardware Backdoor 76
An anonymous reader writes "NCC Group has released a new whitepaper at the Blackhat Europe conference on using a Raspberry PI as a hardware-based backdoor (PDF) in laptop docking stations. From the paper: 'The IT department is typically more concerned about someone stealing your laptop, so they'll ask you to secure your laptop with a Kensington-style lock, but not necessarily to secure the dock. This paper details how attackers can exploit the privileged position that laptop docking stations have within an environment. It will also describe the construction of a remotely controllable, covert hardware implant, but most importantly it will discuss some of the techniques that can be employed to detect such devices and mitigate the risks that they pose.'"
Surprise!!! (Score:5, Insightful)
If you have physical access, you can do bad things. Is this really news or simply fear mongering?
Re:Surprise!!! (Score:4, Insightful)
You hit the nail on the head. It's just fear mongering and there is nothing new to see here.
Re:Surprise!!! (Score:4, Interesting)
Re: (Score:2)
You hit the nail on the head. It's just fear mongering and there is nothing new to see here.
I find your lack of faith in the Fear disturbing.
Re:Surprise!!! (Score:4, Insightful)
This is similar to dropping a Sega Dreamcast into a network as an inexpensive hardware backdoor.
If your company has been physically compromised you probably need to start sweeping for bugs and bringing in the bomb sniffer dogs as well ;)
Re: (Score:2)
Yup. And at the same time many small-medium businesses run printers with web servers wholly unprotected.
Re:Surprise!!! (Score:5, Informative)
It is just a nice demonstration of something that has been known for a long time. As such, the _demonstration_ is news, but not the possibility itself.
I must say however, that the motto "freedom from doubt" on the paper is pure snake-oil, as IT security cannot achieve that and anybody that claims this is a liar. What IT security can to is reduce risks and make it harder for an attacker to get in. When the attacker has to spend more than the protected information is worth, you could say that you have "perfect security" or "freedom form doubt", but that does not happen in practice. The problem is that you cannot estimate the worth if your secret data to the attacker reliably. For example, your attackers may be fanatics (maybe even in the form of a fanatics-run nation state) and hence may be completely irrational and attribute value to the secret data or the successful break-in itself that is far beyond any rational estimates.
Re: (Score:1)
If you have physical access, you can do bad things. Is this really news or simply fear mongering?
Is a stolen llaptop really stolen or is it a honey-pot waiting to be tasted? You make the call.
Just because I have lojack in my car ( or computer ) does not necessarily mean that I put lojack stickers on it. Let the bastards find out the hard way, when the cops come busting through the door. Thou shalt not steal.
Raspberry pi nothing, printers are the real danger (Score:5, Insightful)
Forget raspberry pi, the real danger is your printer. Printers can have their firmware upgraded by printing a special PDF file. They are networked devices. Once hacked, they can carry out attacks, act as backdoors, or even send a copy of everything printed to an attacker.
Re: (Score:3)
The problem is just that programming a Raspberry Pi is very easy, while programming a printer is pretty hard.
Re: (Score:3)
The problem is just that programming a Raspberry Pi is very easy, while programming a printer is pretty hard.
But all it takes is one very smart programmer to do that programming, then the exploit code can be distributed or sold to whoever wants to launch an attack.
Re: (Score:2)
Once it is distributed or sold, it becomes almost worthless. The thing with these attacks is that you need to stay undiscovered for longer times in order for the information you gather to stay valuable. This is not something that is worthwhile doing with bought attack code. People that buy their attack code typically earn very little money from their attacks.
Re: (Score:2)
All doable and valid. This does not devalue the idea to go into a docking station, and the docking station has some unique advantages,like access to keyboard and video output that a pure network hardware Trojan does not have.
Not, the demonstration is not any kind of breakthrough, but a nice piece of hardware hacking (if not done too competently here, see e.g. the missing actually working video-grabbing and the botched power supply issue).
Re: (Score:2)
The problem is just that programming a Raspberry Pi is very easy, while programming a printer is pretty hard.
Remember the old HP printer message April Fools' gag: http://kovaya.com/miscellany/2007/10/insert-coin.html [kovaya.com] . . . ?
How about modifying that so the victims are instructed to enter their userids and passwords . . . ?
someting so huge (Score:5, Insightful)
Why use a R pi when you can get linux boxes the size of Ethernet jacks? Because the R Pi is "cool"?
Re: (Score:3)
No, because the Pi has the power to actually follow the Ethernet stream and it has the number of needed interfaces. Your miniature Linux device cannot follow both directions passively (the Pi can once you add a second Ethernet interface via USB), and it is far too slow for even one direction. Typically, these small things cannot even handle full-sized Ethernet packets and have to pause after each packet received. The one I have also does not have a "promiscuous" mode at all, making it entirely unsuitable. S
Re: (Score:2)
So, no, not because the R Pi is "cool", but because it can get the job done.
An old pogoplug not only has the horsepower to handle the traffic, but also the ethernet interface that will reliably deliver the packets. Which is why before we heard about the pwnie pad we heard about the pwnie plug. It has the added benefit of being cheaper than a Raspberry Pi, and the missing video output won't be missed in this context.
Re: (Score:2)
A PogoPlug is not a "Linux in an Ethernet connector" solution at all. If anything, it is a variation on the Raspberry Pi and its PCB may actually be larger. Whether you use the Raspberry Pi or equivalent hardware for this attack is completely unimportant. Also, the price difference is completely unimportant, as even the Raspberry Pi costs less than one engineering hour and you may already need that hour to get the PogoPlug board out of its case.
I should also note that there is no "reliably deliver the packe
Re: (Score:2)
I have no idea where you get your price-estimates: A PogoPlug sells for 2-3 times of what a Raspberry Pi costs.
The R-pi doesn't have all you need out of the box - you need to add to it, making the final costs much higher.
Re: (Score:1)
A PogoPlug is not a "Linux in an Ethernet connector" solution at all.
I never described it as one. But, neither is the R-Pi. That's the XJack.
If anything, it is a variation on the Raspberry Pi and its PCB may actually be larger.
You don't actually know, but you're shooting your mouth off anyway. Ever decase one?
Whether you use the Raspberry Pi or equivalent hardware for this attack is completely unimportant.
So why are you commenting?
Also, the price difference is completely unimportant, as even the Raspberry Pi costs less than one engineering hour and you may already need that hour to get the PogoPlug board out of its case.
You're not using your brain. It is very likely that an attacker will want to install a whole bunch of these.
I should also note that there is no "reliably deliver the packets" here, as this is a purely _passive_ sniffer.
Reliably deliver the packets to the device, idiot. The Raspberry Pi has PURE SHIT for ethernet. Not only is it connected to USB, which costs you substantial CPU any time the interface is particularly active, but it's also
Re: (Score:2)
LOL! You quote mass-production in one answer and _then_ you quote prices that you cannot get at quantity? How stupid is that? I think it is pretty clear who is not using his brain here....
Re: (Score:2)
...costs less than one engineering hour..."
Yes, everyone who is implanting backdoors in docking stations is paying an engineer's salary to do so. ;)
"it is a variation on the Raspberry Pi..."
Here's a guy who knows his history...
Re: (Score:2)
...costs less than one engineering hour..."
Yes, everyone who is implanting backdoors in docking stations is paying an engineer's salary to do so. ;)
Quite obviously so? Or do you think that amateurs can manage such a project including deployment and use in the field and using the data gained?
"it is a variation on the Raspberry Pi..."
Here's a guy who knows his history...
"A variation of" when commenting on the selection of a component does not imply any temporal order of invention.
Re: (Score:3)
You think the Pi is going to keep up real time on gige? Not much is running 100bt anymore. Yea the little ones are not that powerful but neither is the Pi.
Re: (Score:2)
For GbE, this would not work, as the Pi does not do GbE and adding it via USB requires USB3.0, also not present on the Pi. But here is the thing: This is for attack on a corporate network, and these very rarely use GbE for the individual sockets. The standard is to run GbE or faster to the group/department/building-level switch and then distribute with 100Mb/s Ethernet only. As replacing cabling is expensive, GbE cabling is more sensitive and more expensive, GbE department switches are more expensive, and t
Re: (Score:2)
Perhaps where you work - where I work, we replaced 100 Mb with 1000 Mb several years ago. Every desk even has a GbE switch.
Cat 5e doesn't cost more. Cat 6 does, but you generally only use it for stretches between patch bays, not to individual computers due to the stiffness and lack of need.
Re: (Score:1)
Another vote for the Pogoplug! It actually has GigE not on USB, whereas the R-Pi has 100bT on a flaky USB controller with bad firmware that they're not serious about updating. Given the low memory requirements you could use a dockstar, they're $14 and pretty easy to de-case with a spudger or heavy guitar pick.
ah yes the raspberry pi fanboys are here to mod (Score:2)
I've had two comments pointing out the truth about the Raspberry Pi modded down. It's a fact that it has flaky USB, and it's a fact that the ethernet is attached to it. Therefore it's a fact that it has poorly-implemented Ethernet. You can argue or abuse moderation all day and it won't change the fact that the Raspberry Pi is a poor choice for a sniffer by any critera. The single most important factor in a sniffer is working networking, which the Pi lacks.
Re: (Score:2)
Are you stuck somewhere in the late 90's? At this point it's not possible to buy a 100bt switch to use in a corp environment. Your bottom end is all ge, 10ge uplinks in the middle and 10ge switches for larger servers. Sure some corp buildings are odd I can think of a couple fortune 500's that are using token ring (replacing it requires lots of demo work).
You really need a device with USB target support so you can grab all keyboard input. There are plenty of soc's that fit the bill much better than a R P
Re: (Score:2)
Well, sure, if the network security people are bloody amateurs, that can work. In professionally managed environments, that thing will trigger alerts and may not even get any connectivity at all. Hint: Professionally run networks have inventories of MAC addresses known (look it up if you do not know what an "inventory" or a "MAC" is). This story is not targeted at your amateur-level "hacking", the device demonstrated uses entirely passive Ethernet sniffing for a reason. Of course there are still a lot of co
Re: (Score:3)
The Pi can't keep up with any much of an ethernet stream. It might be able to intercept the occasional web page but thats about it.
My 'docking station' is gigabit ethernet, though most are 100mb still ... Just exactly how do you plan to have the Pi keep up with something it simply doesn't have the bandwidth to follow. People are most certainly going to notice when their email is now suddenly slower to sync at the office than it is over their cell phone.
It CAN NOT move anywhere CLOSE to 100mb/s of data thr
Easier to extend? (Score:2)
Is it possibly easier to add custom hardware to the Raspberrry Pi? I mean they're both Linux boxes, but one of them is designed to be extended.
You could add an FM transceiver for remote operations without communicating over LAN/WAN?
Re: (Score:2)
Is it possibly easier to add custom hardware to the Raspberrry Pi? I mean they're both Linux boxes, but one of them is designed to be extended.
You could add an FM transceiver for remote operations without communicating over LAN/WAN?
this project of theirs takes so much effort that you might just as well use a custom board with some soc.
the raspberry is in the mix just for media points. due to it being a raspberry they have to add a bunch of extra stuff(analog in and stuff - to be noted that it also made the mods that they actually did easy to detect! they didn't seem to have build for example anything really fancy like usb interceptors - instead recommending attacking organizations that use ps/2 keyboards etc. so the raspberry helped t
Re: (Score:2)
Yes, I see your point, I suppose it's been possible for some time, but now almost anyone can do it [with other technology than the Raspberry].
Re: (Score:1)
Re: (Score:2)
Because you bought one and can't figure out what to do with it;)
article wrong on voltage divider for power source (Score:3, Interesting)
The voltage divider shown couldn't deliver any significant current (less than 1 milliamp). The Pi is rated for about 1 Amp. Somebody is proud of their voltage divider equation but doesn't understand it. Unimpressed!
Re:article wrong on voltage divider for power sour (Score:5, Informative)
Hehehehe, fascinating!
In addition, these people do not know that a voltage divider is entirely unsuitable for powering anything with variable current consumption. The easy solution would be to use a switching-mode 5V 1A regulator module like the Traco Power TSR 1-2450. My guess is they never powered the Raspberry Pi from the 19V input. These people seem to understand digital electronics to some degree, but gave no clue about analog electronics.
The demo is nice nonetheless.
Re: (Score:3, Informative)
Given the overall level of detail, the stupidity in this chapter "Power considerations" kind of amazed me. Calculations look correct btw, result just doesn't hold up when you draw up to 1A.
Probably the person(s) who figured out most of the info, person writing this chapter, and person putting everything together, must be different people. Otherwise this chapter would surely have been re-written.
Re: (Score:3)
Sounds plausible to me. I also guess this was finished in some haste to get it to the conference in time. For example, the video-grabbing is not implemented, while I see no fundamental problem with that.
Re: (Score:2)
Damn, power supplies are getting small. That thing is 11 x 10 x 7 mm!
Re: (Score:2)
A 7805 would work, but generate a lot of heat and require a relatively large heat-sink. The TSR-2450 is pretty amazing, also because it is probably cheaper than the 7805 when you take the cost of the heat-sink and mounting materials into account.
Cellphone (Score:3)
Why to bring an obvious "strange device" at the eyes of the unsuspecting to connect to a company laptop if you can bring a cellphone for doing the same task? (if current cellphones are too braindead/locked for that, an N900 should be more than enough).
If you don't care about being subtle, just rebooting with a bootable pendrive or disarming the notebook to extract the HD should do the word, but a cellphone is something that could not raise suspicion, you can always say that is for recharging the battery (and again, with an N900, will make even more sense)
Re: (Score:2)
Simple: The cellphone does not get wired Ethernet access, it does not get access to the Laptop keyboard, screen, etc. The whole pointy of this demo is that you can watch somebody while they are working.
You are describing an entirely different type of attack (valid nonetheless).
Re: (Score:3)
I've seen USB dongles that let Android devices have pretty much anything you want. Your phone can have Ethernet access.
http://usbtips.com/usb-otg-adapter-connects-usb-accessories-to-your-android-device/ [usbtips.com]
Re: (Score:2)
Yes, but how to you insert it for passive eavesdropping? Put the cellphone into the docking station? That does not make sense as it might be possible, but far, far more effort than using something like the Raspberry Pi. Face it: For this type of attack (trojaned hardware), a phone is the wrong platform.
Re: (Score:2)
Neither does the Raspberry Pi, technically.
It certainly isn't doing anything with the screen. Its 'ethernet' is over USB, and its USB implementation is utterly asstastic and has a hard time keeping up with copy/paste over SSH, let alone a real ethernet stream of data. It isn't going to be doing passive monitoring of USB keyboards worth a shit either ... again due to its absolutely shitty USB subsystem.
This article is not about Raspberry Pi... (Score:4, Interesting)
It is about people hacking the docking station for laptops...
If the victim is very important to the organisation which conducts hacking, a custom made PCB might be implant into the docking station... There is no need to use Raspberry Pi, which would make the whole thing very amateur.
Re: (Score:3)
Further, Raspberry Pis cannot act as a slave USB device, only a host (it is a hardware limitation in the way the chipset was physically connected to the USB port - required components for USB slave are not in place). Thus USB could not be the physical connectivity in a dock. The only other option would be to use the GPIO pins directly to try and emulate the OEM's proprietary dock connector, however I very much doubt the pi could communicate at a high enough rate to communicate with the laptop. The bandwi
Re:This article is not about Raspberry Pi... (Score:5, Interesting)
One approach we've seen on attacks on us, i.e. drives people find in the parking lot, is that the device appears as a composite device. Part of it shows up as an almost empty USB drive with a couple of innocuous Word documents, as long as you don't show hidden files and directories. However, the second and third parts are HID, when idle for too long, the new keyboard will try to do windows key+R -> "iexplore malwaresite". They also do other attacks using that means of access of a combination USB drive, keyboard and mouse.
Re: (Score:2)
MSP430, about $20, can be a USB device or host. But it doesn't have any processor power to speak of. It would be fine for that part of the hack, though.
Of course, an Arduino can do this job...
Re: (Score:2)
Arduino can act as both slave and master and get spi access to other busses in the device. It's not uncommon to see both pi and arduino in a project as they have each their strengths and weaknesses. For real-life production, you can then simplify it down to the same ARM and Atmel chips + peripherals on a single board.
Re: (Score:3)
Can you get physical access to the site - just once?. Laptops, computers, code, admins change all the time and are getting smarter with more security options/work loads.
Spy-Pi using a Raspberry Pi Model B would allow for a secure way out for any data obtained via a network that can be updated remotely.
This might be better long term as the main OS, any thin clients, boxes, web 2.0, cloud devices, printers, laptops might be kept ~100% clean over ti
They are late to the party.... (Score:1)
we were doing this with the precursor to the Pi the "sheevaplug" over 4 years ago... doing it with a pi is not innovative or new in any way.
Re: (Score:2)
With 20V at 1A a 7805 would stoke away 15W - that's a big heat sink
Re: (Score:2)
You would use something modern like a 7805SR instead of a voltage divider or an old school 7805 that needs a huge heat-sink.
http://www.murata-ps.com/data/meters/dms-78xxsr.pdf [murata-ps.com]
Re: (Score:1)
Or the Lightning AV adapter for that matter (Score:2)
It was discovered that these adapter cables contain a microcomputer in them. Why not put your backdoor in the cable itself.
Re: (Score:2)
because that's hard - finding a docking stating big enough to slap a raspberry pi with a usb soundcard in it is easy.
isn't thunderbolt directly connected to the bus in the computer anyhow? or at least supposed to.
It's the little things (Score:2)