Using Hardware Devices to Gain Internal Access

04 Oct

Many organisations take external IT security very seriously, ensuring web applications are regularly penetration tested and that internet facing systems are appropriately hardened, restricted and segregated in order to prevent an attacker from pivoting into their internal network. A common oversight is that many organisations presume that their internal network is safe as long as it cannot be accessed through the internet. If physical security is high, staff members are trusted and restrictions are in place to protect against phishing attacks, how could an attacker gain access to the internal network?

One real world example of how this could be achieved is the recent high profile Barclays[1] and Santander[2] attacks, in which criminals socially engineered access to high street banks in order to place remote KVM (Keyboard Video Mouse) devices, such as the example pictured in the BBC News articles[1][2].

Both of these attacks involved criminals using social engineering to masquerade as IT engineers in order to plant the devices. These attacks were very high risk and involved alerting staff members to the devices under the pretext that they were legitimate IT hardware. Whilst one attack was unsuccessful, the device at the Barclays bank was only discovered after it was noticed that money had been taken. Even if such devices are placed covertly, they are still likely to stand out as being out of place in any office and would likely be detected by an observant staff member.

What if a different form factor for the devices had been chosen? If the criminals had decided to use a more covert device, there is a real possibility that the devices could have remained unnoticed and could still be in use today to attack the internal network and to steal millions of pounds.

At Dionach’s recent Second Annual Cyber Security Seminar held at the National Space Centre, we demonstrated such a covert device. We decided to build a small computer, with several remote connection methods, in a form factor that is commonplace in every office – a standard power supply.

HumblePi

At first glance, and even on close inspection, this device, named the ‘HumblePi’ after the small computer it is built around, looks like any other power supply. The only giveaway is the fact that the power lead terminates in an RJ45 Ethernet connector rather than a more traditional DC power jack.

The only connectivity the HumblePi requires is a power socket and a network port connected to the internal network. This could easily be placed through social engineering, for example behind a reception desk as the receptionist leaves to make a visitor a drink, or behind the photocopier as a visitor copies some paperwork for his meeting, naturally needing to reach behind the photocopier to turn it off and on following a paper jam. Once placed in any office, the HumblePi disappears into the camouflage of the surrounding power supplies and cables that litter the space behind every desk and piece of equipment in all offices.

Within seconds of being powered, the HumblePi creates a hidden WiFi access point, which allows direct access to the internal network from the local area, be it the office car park or the coffee shop across the street. An attacker may not always want to be close by in order to attack the internal network, so the HumblePi also creates reverse connections through the internal network’s internet connection as well as over 3G to a server under the attacker’s control. The attacker can then connect to this server and drop straight onto the target internal network from anywhere in the world, as shown in the diagram below.

HumblePi Connectivity

A device this capable and seemingly innocuous may sound expensive and technically challenging to construct. Unfortunately, this is not the case: the HumblePi is based around the RaspberryPi single board computer[3] and was constructed in a few hours using parts available in Dionach’s head office. The image below shows the parts used in construction and, with slight modification, how they can fit into a standard power supply case.

HumblePi Components

An attacker could easily source the required parts for around £50, making the HumblePi a cheap, throwaway, covert device that could be planted in any office through the use of social engineering. Once placed, attackers can target the internal network from anywhere in the world. By taking careful measures during the construction of such a device, criminals could make it virtually untraceable, making it unlikely they would be caught should the device’s true purpose be discovered.

This form of attack isn’t limited to skilled attackers. Several commercial devices are available, such as the ‘Pwn Plug Elite’[4], which provide a covert single board computer in a power supply form factor, often loaded with remote connectivity options and hacking tools. For those wishing to build their own device using a RaspberryPi, there are easy-to-follow blogs available online[5] as well as a variety of penetration testing Linux distributions designed for the RaspberryPi, such as Kali Linux[6] and PwnPi Linux[7], all loaded with hacking tools.

With devices such as the HumblePi so easy to construct from readily available low cost parts, this method of attacking an internal network is a real concern, and there is no way of telling how many devices of this nature could currently be in position and connected to internal networks around the world. It is important for all organisations that staff members are wary of all unrecognised devices, however seemingly innocent, and that they recognise, challenge and report any potential social engineering attempts. Organisations should also take internal IT security as seriously as they do the security of external services and websites.
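One way a defender could look for an unrecognised device of this kind on the wire, shown as an added example that is not part of the original article: it cross-checks DHCP leases against an asset inventory and raises the priority of unknown devices that carry a Raspberry Pi OUI, send no hostname, or hold a long-lived outbound session. The inventory, lease and flow records, the record layouts and the four-hour threshold are all constructed assumptions.

```python
from dataclasses import dataclass, field

# OUI prefixes registered to Raspberry Pi; MACs can be spoofed, so a hint only.
RPI_OUIS = {"b8:27:eb", "dc:a6:32", "e4:5f:01"}
# Hypothetical asset inventory of MAC addresses the organisation owns.
INVENTORY = {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f"}
LONG_LIVED_SECS = 4 * 3600  # assumed threshold for a persistent outbound session

# Constructed DHCP leases: (mac, ip, hostname)
LEASES = [
    ("00:1A:2B:3C:4D:5E", "10.0.5.20", "reception-pc"),
    ("00:1a:2b:3c:4d:5f", "10.0.5.21", "copier-2f"),
    ("b8:27:eb:12:34:56", "10.0.5.77", ""),
    ("3c:52:82:aa:bb:cc", "10.0.5.78", "byod-laptop"),
]
# Constructed firewall flow records: (src_ip, dst_ip, dst_port, duration_secs)
FLOWS = [
    ("10.0.5.20", "203.0.113.10", 443, 35),
    ("10.0.5.77", "198.51.100.7", 22, 86400),
    ("10.0.5.78", "203.0.113.10", 443, 120),
]

@dataclass
class Finding:
    mac: str
    ip: str
    reasons: list = field(default_factory=list)

def find_suspects(leases, flows, inventory=INVENTORY):
    """Return devices missing from the inventory, most suspicious first."""
    persistent = {}
    for src, dst, port, secs in flows:
        if secs >= LONG_LIVED_SECS:
            persistent.setdefault(src, []).append(f"{dst}:{port}")
    findings = []
    for mac, ip, host in leases:
        mac = mac.lower()
        if mac in inventory:
            continue  # known asset, nothing to report
        f = Finding(mac, ip, ["not in asset inventory"])
        if mac[:8] in RPI_OUIS:
            f.reasons.append("Raspberry Pi OUI")
        if not host:
            f.reasons.append("no DHCP hostname")
        if ip in persistent:
            f.reasons.append("persistent outbound session to " + ", ".join(persistent[ip]))
        findings.append(f)
    return sorted(findings, key=lambda f: len(f.reasons), reverse=True)

if __name__ == "__main__":
    for f in find_suspects(LEASES, FLOWS):
        print(f.ip, f.mac, "; ".join(f.reasons))
```

The hidden WiFi access point and the 3G link described above never cross the organisation's firewall, so the inventory check on the wired port is the signal to rely on; the flow check only covers the reverse connection made through the internal network's own internet connection.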

[1] BBC News, “Barclays Bank computer theft: Eight held over £1.3m haul,” 20 September 2013. [Online].
Available at: http://www.bbc.co.uk/news/uk-england-24172305.

[2] BBC News, “Arrests over 'cyber plot' to steal from Santander bank,” 13 September 2013. [Online].
Available at: http://www.bbc.co.uk/news/uk-england-london-24077094.

[3] Raspberry Pi Foundation, “Raspberry Pi | An ARM GNU/Linux box for $25. Take a byte!,” 2013. [Online].
Available at: http://www.raspberrypi.org/.

[4] Pwnie Express, “Pwn Plug Elite - Pwnie Express,” 2013. [Online].
Available at: http://pwnieexpress.com/products/pwnplug-elite.

[5] TunnelsUp, “Raspberry Pi: Phoning Home Using a Reverse Remote Ssh Tunnel,” 2013. [Online].
Available at: http://www.tunnelsup.com/raspberry-pi-phoning-home-using-a-reverse-remot....

[6] Offensive Security, “Kali Linux | Rebirth of BackTrack, the Penetration Testing Distribution.,” 2013. [Online].
Available at: https://www.kali.org/.

[7] PwnPi, “PWNPI.NET | The Pen Test Drop Box Distro for the Raspberry Pi,” 2013. [Online].
Available at: http://pwnpi.sourceforge.net/.

Posted by Phill
