Csi Netsec 2006 Poor Mans Guide Merdinger


Page 1: Csi Netsec 2006 Poor Mans Guide Merdinger

Poor Man's Guide To Network Espionage Gear

Shawn Merdinger
Independent Security Researcher

CRT-9
Computer Security Institute

NetSec 2006
2006.06.14

Page 2

British Spy Rock

Page 3

First-Gen Spy Rock?

Page 4

Obligatory Speaker Slide

● Shawn Merdinger
– Independent security researcher & corporate irritant
– Current indy projects
● VoIP device & Emergency communications systems
– Former positions
● TippingPoint
● Cisco Systems

– STAT (Security Technologies Assessment Team)

– Web: www.io.com/~shawnmer

Page 5

Warnings and Stuff

● This is academic research...the “how” not the “why”
● This is “dangerous information”...however
– You have the right/need to know
– I have the right/need to talk

● Oh yeah...and remember
– Devices (in context) may be illegal...don't use
– Activities (in context) may be illegal...don't do
– I’m not a lawyer…

Page 6

Objectives

● Academic information exchange
● My favorite cheap and mean gear
● Attacks & countermeasures
● Resources

Page 7

Agenda

● Objectives
● Attackers
● Network Espionage Devices (NEDs)
● Gettin' Spooky with IT
● Countermeasures
● Looking forward

Page 8

Got bad soup?

Devastating yet “simple” attack

Page 9

Attacker Goals

● Attacker wants to accomplish...
– Gain internal access via a device at victim location
– Attack internal/external hosts via TCP/IP
– Attack phone/PDA/PC via Bluetooth
– Passively gather information via sniffing
– Establish other internal and external access
– Impersonate services – Webserver, Database
– Target a user's service – VIP VoIP connection

Page 10

Attack Tools

● Typical opensource methods and tools
– Scanning & Probing
– Sniffing
– Exploiting
– Covert communications

● Multiple protocols and entry points
– Wired LAN
– 802.11b/g wireless
– Bluetooth

Page 11

NEDs

● My favorites
– Linksys WRT54G
– Nokia 770
– Gumstix
– PicoTux

● Plenty others!
– Access Points
– PDAs
– Game platforms

Page 12

NED Characteristics

● Small, unobtrusive, ubiquitous, “cute”
● Low-cost, disposable at victim's location
● Minimal power requirements
– Power over ethernet, battery, solar potential
● Multiple attack vector capability
– Wired, Wireless, Bluetooth, RFID
● Traditional forensics very difficult
– Ephemeral filesystems running in RAM & device access
– Try that with Encase!

Page 13

NED Characteristics

● Outbound reverse connections back to attacker
– Crypto tunnels bypass firewalls, IDS
– “Under the radar” common protocols like DNS requests, ICMP, HTTP/S
– Proxies, anonymizers, etc.

● Ported attack tools and exploits
– ARM processor-based
– Some hardware and software limitations and trade-offs
● Dependent libraries, GUIs, etc.
– E.g. Don't expect a full Nessus client/server on Linksys routers
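Detection logic for the “under the radar” DNS channel mentioned on this slide, as an added example that is not part of the original slides: it scans constructed DNS query-log lines and flags a host that sends many distinct, long, high-entropy leftmost labels under a single parent domain, which is how data encoded into DNS requests looks to a resolver log. The log format, the thresholds and the two-label parent-domain guess are assumptions.

```python
"""Flag DNS clients whose queries look like a covert channel.
Added example, not from the original slides. The log format ('time src qname'
per line), the thresholds and the parent-domain guess are assumptions."""
import math
from collections import defaultdict

# Constructed sample: 10.1.2.15 does ordinary lookups, 10.1.2.77 pushes
# base64-looking data in the leftmost label under one parent domain.
SAMPLE_LOG = """\
10:00:01 10.1.2.15 www.example.com
10:00:02 10.1.2.15 mail.example.com
10:00:03 10.1.2.15 cdn.example.net
10:00:04 10.1.2.77 aGVsbG8gd29ybGQ0.tun.example.org
10:00:04 10.1.2.77 dGhpcyBpcyBhIHRlc3Q1.tun.example.org
10:00:05 10.1.2.77 c2VjcmV0IGRhdGE2.tun.example.org
10:00:05 10.1.2.77 bW9yZSBkYXRhIGhlcmU3.tun.example.org
10:00:06 10.1.2.77 ZXhmaWx0cmF0aW9uOA.tun.example.org
"""

def shannon_entropy(label: str) -> float:
    """Bits per character; encoded or random data scores high, words low."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parent_domain(qname: str) -> str:
    """Crude registered-domain guess: the last two labels (no PSL lookup)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_dns_tunnels(log_text, min_labels=4, min_len=12, min_entropy=3.0):
    """Return {(src, parent_domain): count} for hosts that send at least
    min_labels distinct leftmost labels that are both long and high-entropy
    under the same parent domain (all thresholds are assumptions)."""
    suspicious = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _time, src, qname = parts
        first = qname.split(".")[0]
        if len(first) >= min_len and shannon_entropy(first) >= min_entropy:
            suspicious[(src, parent_domain(qname))].add(first)
    return {k: len(v) for k, v in suspicious.items() if len(v) >= min_labels}

if __name__ == "__main__":
    for (src, domain), n in find_dns_tunnels(SAMPLE_LOG).items():
        print(f"{src} -> {domain}: {n} distinct high-entropy labels")
```

Real tunnels also stand out on query volume and TXT/NULL record types, so this label check is one signal to combine with rate counting, not a verdict on its own.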

Page 14

NED OS & Software

● Stripped-down Linux
● BusyBox shell
● SSH, HTTP/S management
● Features like VPN tunnels, mesh networking
● On-the-fly software install as “packages”
– DNS, Apache, Asterisk
– Attack tools and exploits
– Powerful scripting languages: Python, Ruby
– Customizable

Page 15

Linksys WRT54G

● Cheap, cute
● Secure with default Linksys firmware?
– Ubiquitous = the “new Windows”
– Very likely unpublished exploits in the wild

● Opensource alternatives to Linksys firmware
– OpenWRT
● Package system
– Sveasoft
● Mesh networking

● Un-leashing the WRT54G....

Page 16

FairuzaUS for Linksys

● FairuzaUS: www.hackerpimps.com

Treo 650 SSH into FairuzaUS into compromised Windows box

Command line interface over SSH

Page 17

Nokia 770

● Basics
– US $300
– Slow CPU, low RAM
– 802.11b & Bluetooth
– Virtual touchscreen keyboard
– Debian Linux PDA
– Software
● Lots of development via Maemo project
● Many security tool packages by independent folks
– Tcpdump, Nmap, Dsniff, Kismet, Bluetooth audit

Page 18

Gumstix

● Ultra-small computers ($120 +)
● Expandable “snap in” boards
– CF storage and 802.11b wireless
– Single and dual Ethernet with POE
● MITM hardware device with dual ethernet
– Bluetooth
– USB, serial, PS/2 connectors
– Used in BlueSniper, UltraSwarm
– Developer CDs and environment

Page 19

PicoTux

● Picotux 100 and 112 (US $100 +)
– World's smallest Linux computer
– 35mm×19mm×19mm (size of RJ45 connector)
– Power over ethernet
– Telnet and HTTP server
– Developer CDs and environment

● Attacks
– One of these in the plenum off a Cisco CAT switch
– “Serial to ethernet connector”

Page 20

Spooky: Device Enclosures

● Free water cooler offer ;)
– Potential for power source
– Legitimate reason for physical presence..and returning

● Office décor
– Flower safe with X-mas tree & lights...plug 'n play

● Exit Sign, fire extinguisher
– *Dangerous to mess with emerg. gear

Page 21

Spooky: 0wn3d Mesh Network

● Municipal networks beware!
● Build It
– EVDO gateway for Internet
– Drive-by/Walk-by AP 0wn4g3
– Senao AP w/ YAGI = Sweeper

● Run It
– Karma = DHCP for everybody
– Shared crypto keys, cron jobs, remote ssh-fs mounts

● Own it
– Attack everything, browser exploits on capture portal

Page 22

Spooky: In-Transit “Marketing”

● Airports, train stations, bus stations, subways, etc.
– Bluetooth spamming with “scary” message content
– 0wn3d wifi networks & Windows Messaging

● Multiplier-effect
– Simultaneous at multiple hubs in US
– “Scary message”

● Huge productivity costs
– Wrong message
● Used as diversion, secondary attack, etc.

Page 23

Spooky: Long-distance, the next best thing to being there

● Home-built Bluetooth/Wifi “Sniper” setups

Bluetooth targets up to one mile 802.11b targets up to...?

Page 24

How far? 802.11b over 125 miles

Page 25

Countermeasures

● Know the risks and threats
● Know your network devices and traffic
● User education, buy-in, ownership of the problem
● Policy and “best practices”
● Planned response
● Other measures
– Honeypots, Honeynets, Bluetooth-honeypot
– Calling the cavalry (private specialists, Johnny Law)
– Hack-backs
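One concrete way to “know your network devices” as this slide advises, added here as an example that is not part of the original slides: it diffs a constructed ARP snapshot against a known-asset inventory and reports MACs that are not inventoried (a candidate dropped-in device), inventoried hosts that moved IP, and one IP answered by two MACs, which is the symptom an in-line dual-Ethernet box or ARP spoofing leaves behind. The inventory, the snapshot format and every MAC and IP are constructed.

```python
"""Diff a LAN's ARP view against a known-asset inventory to spot a dropped-in
device. Added example, not from the original slides; inventory, snapshot
format ('ip mac iface' per line) and every MAC/IP are constructed."""

# Constructed asset inventory: MAC -> (hostname, expected IP).
INVENTORY = {
    "00:11:22:33:44:01": ("fileserver", "10.1.2.10"),
    "00:11:22:33:44:02": ("printer-2f", "10.1.2.20"),
    "00:11:22:33:44:03": ("alice-laptop", "10.1.2.15"),
}

# Constructed ARP snapshot, e.g. collected nightly from a sensor host.
# The last line shows a second MAC answering for the file server's IP.
ARP_SNAPSHOT = """\
10.1.2.10 00:11:22:33:44:01 eth0
10.1.2.20 00:11:22:33:44:02 eth0
10.1.2.15 00:11:22:33:44:03 eth0
10.1.2.77 AA:BB:CC:DD:EE:01 eth0
10.1.2.10 aa:bb:cc:dd:ee:02 eth0
"""

def parse_arp(snapshot: str):
    """Yield (ip, mac) pairs with MACs lower-cased so lookups are stable."""
    for line in snapshot.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            yield parts[0], parts[1].lower()

def audit_lan(snapshot: str, inventory: dict):
    """Return findings as (kind, mac, ip, detail) tuples.
    unknown-device: MAC absent from inventory (candidate NED).
    ip-changed:     inventoried host seen on a different IP.
    ip-conflict:    one IP answered by several MACs (MITM/ARP spoof symptom)."""
    findings = []
    macs_by_ip = {}
    for ip, mac in parse_arp(snapshot):
        macs_by_ip.setdefault(ip, []).append(mac)
        if mac not in inventory:
            findings.append(("unknown-device", mac, ip, "MAC not in asset inventory"))
        elif inventory[mac][1] != ip:
            findings.append(("ip-changed", mac, ip, f"inventory says {inventory[mac][1]}"))
    for ip, macs in macs_by_ip.items():
        if len(macs) > 1:
            findings.append(("ip-conflict", ",".join(macs), ip, "IP claimed by several MACs"))
    return findings

if __name__ == "__main__":
    for kind, mac, ip, detail in audit_lan(ARP_SNAPSHOT, INVENTORY):
        print(f"{kind:15} {ip:12} {mac}  {detail}")
```

Feeding the same check with DHCP lease records and switch MAC-address tables catches devices that never answer ARP from the sensor's segment.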

Page 26

Looking Forward

● More devices with network access
– It's only going to get worse....

● “Why is my refrigerator scanning my network?”
● Same old issues: poor QA and security, outsourced, lack-of ownership, fixes/patching, etc.

● Tied into critical applications
– Tele-medicine, mobile data
– Emergency Communications Infrastructure

● Vonage over Linksys box was NO lifeline post-Katrina
● Plenty others...stay tuned!

Page 27

Questions?

Thanks!

Contact: shawnmer @ gmail.com