Rogue Device Spotlight: Raspberry Pi

RISK ASSESSMENT RATING: 6.33

Popularity: 8

How often the rogue device is used in the wild to conduct real-world attacks, with 1 being the rarest, 10 being widely used.

The Raspberry Pi is very cheap and very available, both very attractive features to attackers (both of the white hat and black hat varieties). In addition, the large number of security-related distros tailored for the Raspberry Pi have both fueled the popularity of the Raspberry Pi hardware for rogue devices and stand as a testament to its use.

Simplicity: 6

The cost or “DIY burden” of the device, availability (ease of acquisition), and degree of skill necessary to deploy/operate the device, with 1 being expensive/difficult to build, not publicly available, and requiring deep technical expertise to operate, 10 being low-cost, available for purchase online, plug-and-play operation.

The Raspberry Pi is uniquely easy and cheap to acquire, making it an almost disposable tool. However, while the Raspberry Pi was built for teaching purposes, it is ultimately a device that requires extensive modification and experience to use effectively as a rogue device. The existence of a number of distros for this purpose and tutorials for the Raspberry Pi help to alleviate the challenge, but some expertise is required to create an appropriately attack-ready Raspberry Pi.

Impact: 5

The potential damage caused by successful execution of the attack, with 1 being exposure of trivial information from the target, 10 being organization-wide superuser-level compromise or equivalent.

Extreme covertness and ease of modification make the Raspberry Pi a fairly powerful tool, but its abilities are ultimately limited by its lack of processing power. In addition, its lack of onboard wireless makes it ungainly for wireless attacks and the need for a battery pack to run off the grid negates some of its covertness benefits.

Raspberry Pi

Released in 2012, the Raspberry Pi is an ARM single-board computer which has become immensely popular with the hacker and maker crowd. Originally intended as an educational tool to get children interested in programming and computer science, the incredible flexibility and extremely low cost of the Raspberry Pi made it an instant hit inside and outside the classroom. It has since gone on to sell over 5 million units, and has found its way into more hacks and projects than its creators could ever have imagined. Unfortunately, not all of these projects are entirely without potential ill effects.

Based on hardware originally intended for the smartphone industry, the Raspberry Pi is about as large as a credit card and requires very little energy, making it exceptionally well suited to covert deployments. While not nearly as powerful as a desktop computer, its ARM processor is fast enough to run standard Linux distributions (including security-oriented releases such as Kali and customized Pi security distros), as well as many of the most common Linux security tools. As with many of our rogue devices, this makes it perfect both for offensive security and for potential attacks on organizations’ sensitive data and systems.

Hardware Specifications

  • CPU: ARM1176JZF-S @ 700 MHz
  • RAM: 512 MB
  • OS: Linux, BSD
  • I/O: Ethernet, USB, HDMI, Composite Video
  • Storage: SD Card (no built-in storage)

Notable Features

In order to reach its extremely low purchase price, there is no built-in storage on the Raspberry Pi; the user-supplied SD card holds both the bootable operating system and whatever files need to be saved in the course of operating the device. Without an SD card inserted, the Raspberry Pi will not function. 

While many may see this as a drawback, it has the benefit of allowing the user to maintain separate SD cards for each operating system instance they wish to run. For example, one SD card could be used to boot the Raspberry Pi into a desktop-oriented distribution of Linux such as Ubuntu, and another card could be used to boot Kali for pentesting. The ability to quickly switch operating systems is unique to the Raspberry Pi, and makes it very easy to try out new tools and systems relatively risk-free. It also makes it a useful tool for running different types of attacks with one set of hardware, giving an attacker increased flexibility.

On the networking side, the inclusion of an Ethernet port on such a small device is welcome; wireless, however, was omitted entirely. Requiring USB adapters to perform wireless tasks is somewhat ungainly, but not unreasonably so. The onboard Ethernet is connected internally as a USB device, which means it must share bandwidth with other USB-connected hardware, so users may experience a performance hit when using Ethernet and a USB device simultaneously. As such, the Pi is perhaps not the best wireless attack hardware, since this contention is especially problematic when attempting advanced network manipulation, such as running a rogue access point.

The Raspberry Pi is more powerful than many other embedded devices in this size and price range, a major boon for attackers. In the grand scheme of things, however, it isn’t even on par with a mid-range smartphone. While not as powerful as a smartphone, the Raspberry Pi can run some substantial offensive tools relative to its incredibly low cost. While processor intensive tasks such as decryption or real-time network manipulation may not be a great fit for the Raspberry Pi, it can still hold its own in many useful roles, both offensively and defensively.

The Raspberry Pi with a wireless adapter can be used for nearly any attack that does not require intensive processing. Raspberry Pi security distros often run anything from port scanning (nmap) to packet sniffers and WiFi cracking (aircrack-ng) to Man-in-the-Middle attacks (ettercap), in addition to a large number of other network and wireless offensive tools. As with most easily modified rogue device hardware, the Raspberry Pi’s capacity to “do evil” is heavily dependent upon the tools that the attacker or tester chooses to load and use.

The Raspberry Pi’s small size and modification-ready build lend itself well to disguise, so unlike many rogue devices (which can be conspicuous) the Pi can go completely unseen in most locations. Security researchers have incorporated it into any number of dropbox formulations, even going so far as to actually build it into other devices and items (meaning that the device itself isn’t even externally visible). For a pentester or attacker, the ability to completely hide a rogue device is absolutely invaluable.

Conclusion

Costing only $35 and readily available from many online retailers, the Raspberry Pi is perhaps the most easily accessible rogue device hardware currently on the market. Even with the potential added cost of purchasing a USB WiFi adapter and battery pack to keep it running off the grid, the Raspberry Pi is so cheap it’s essentially disposable. A number of groups have seen the attractive possibilities of using the Raspberry Pi as a penetration testing tool, and accordingly a number of security related distributions are now available for it, such as PwnPi, PwnBerryPi, and Raspberry Pwn. With these distros and some experience, the Raspberry Pi can prove to be a fairly serious attack tool.

That said, the last-generation smartphone hardware the Raspberry Pi is based on does trade performance for cost, and some may be frustrated with its rather sluggish performance. The shared USB bus, compounded by the fact the entire operating system runs off of a relatively slow SD card, can lead to some painful bottlenecks, greatly hindering the Raspberry Pi’s real-world usefulness as a legitimate security tool.

Note: A faster version of the Raspberry Pi is currently being rolled out to replace the existing model, which costs the same but features a much more powerful processor. This new version of the hardware should alleviate the performance issues which hold the original Raspberry Pi back, but until it becomes more common, the original version is much more likely to be seen in the wild.

Dev and Ops Coming Together To Combat the Weakest Security Link – BYOD

DevOps.com

March 16, 2015

By Paul Paget

Traditionally, security threats have taken the form of intentional acts by remote attackers: somebody on the outside working covertly to get to the inside. This is the classic scenario that most people associate with IT security, and it’s what most network operators are best prepared for. But these classic threats are eroding rapidly in the era of ubiquitous mobile devices and users who’ve become accustomed to always-on network access. BYOD is the weakest security link today.

The surge in mobile wireless devices has blurred the line between what is inside and outside the network. Mobile devices such as smartphones and tablets are legitimate, and increasingly indispensable, business tools. Immersed in social media and digital technology, many Millennials treat their mobile devices as extensions of themselves, making it very difficult to separate one from the other. The obvious cost of a policy that prevents users from bringing personal devices to work is impacting the recruitment of new staff, and sometimes depriving existing staff of the tools they need to stay competitive, but the risks are also substantial.

Rogue Device Spotlight: Wireless Printers

RISK ASSESSMENT RATING: 6.00

Popularity: 6

How often the rogue device is used in the wild to conduct real-world attacks, with 1 being the rarest, 10 being widely used.

While it may not be immediately clear that this is a point of attack, wireless printers are becoming both more common and more vulnerable to attack.

Simplicity: 5

The cost or “DIY burden” of the device, availability (ease of acquisition), and degree of skill necessary to deploy/operate the device, with 1 being expensive/difficult to build, not publicly available, and requiring deep technical expertise to operate, 10 being low-cost, available for purchase online, plug-and-play operation.

Unlike many of our previous posts, the printer is not just a “plug-and-play” rogue device, nor does it have to be built. Instead, the attacker has to rely upon knowledge of a device that already exists on the network and may vary in attack simplicity.

Impact: 7

The potential damage caused by successful execution of the attack, with 1 being exposure of trivial information from the target, 10 being organization-wide superuser-level compromise or equivalent.

The impact from a successful attack can be quite devastating – by using the misconfigured printer either as a window into the network or even by simply intercepting the print jobs sent to the printers, sensitive data can be much more easily accessed.

Wireless Printers

Wireless Printers are becoming more and more common around the world, providing convenience in several different ways. However, this convenience comes with a security cost. It is vital to understand the different wireless modes these printers can be in, as well as the dangers of default configurations and how they can be exploited by the bad guys when not properly configured.

Hardware Specifications:

  • CPU: Varies
  • I/O: Varies
  • Radio: Varies
  • Storage: Varies
  • OS: Varies

Notable Features:

Wireless printers, while thought of as an office convenience, can also be a convenient way for rogue actors to access your network. There are multiple ways in which wireless printers can be used as rogue devices. These are:

  1. Wireless Client
  2. Wireless Access Point (Infrastructure Mode)
  3. Wireless Access Point (Ad-Hoc Mode)
  4. Wireless Printer Web Interface

Mode 1: Wireless Client

When using the wireless feature of a printer in an environment with a pre-existing, secured wireless infrastructure, the best way to use the printer is to configure it as a wireless client so that it connects to the secured corporate wireless network. By default, most wireless printers are NOT configured as wireless access points, although they do usually have WiFi enabled. This wouldn’t necessarily be a security issue if the printer itself weren’t set up to automatically connect to an open network that the manufacturer used for initial configuration. Wireless printer manufacturers like HP and Canon all use open wireless networks with names like “hpsetup” and “default” to configure large numbers of wireless printers at the factory. The problem is that these open wireless networks remain saved in the printer’s “preferred wireless network list.” When WiFi is enabled on the printer and the printer is in range of an open network with the same SSID, the printer will automatically connect to that wireless network, thinking it is the default wireless network used to configure it. This makes the printer a wireless client vulnerable to Evil AP attacks, just like many other types of wireless clients that probe for open networks they have previously connected to.

This can be a real threat to the corporate network when an attacker tricks the printer into connecting to a malicious access point (Evil AP), which can then potentially take over the printer, dump the memory of sensitive printed documents, install hacker toolsets, and worse – potentially use the printer as a pivot point to gain access to the wired network if the printer is also connected to the network via an Ethernet cable. Unfortunately, it is fairly common for someone to order a network printer that also has wireless capabilities, configure only the wired Ethernet connection, and fail to disable WiFi on the printer. In these cases, it is possible for an attacker to access the rest of the wired network through the WiFi card of the printer.

This can be easily solved by disabling WiFi completely if only the wired Ethernet connection is intended to be used to access the printer. If wireless is the preferred method of connecting the printer to the network, it is vital to ensure that it is connecting to a wireless network with proper security and encryption. If possible, either remove the default open wireless network from the printer’s preferred network list or disable automatic connection to that open network. This way, even if an attacker manages to de-authenticate the wireless printer from the corporate network, it won’t automatically connect to a known open network like “hpsetup”.

Mode 2: Wireless Access Point (Infrastructure Mode)

As wireless printers have become more prevalent, manufacturers often make connecting to them even easier by configuring the printers to provide their own wireless access points by default, so that wireless clients can simply connect to the printer itself. There are several issues here. For one, the default wireless access point the printer broadcasts is usually open, allowing anyone to connect to the printer directly over WiFi. If the printer is in its default state, an attacker can then access the printer’s configuration and controls with a default admin username and password – assuming an admin account is even present in a default configuration (which it usually is not). The attacker then has the capability to compromise almost anything, similar to when the printer is a vulnerable wireless client, except now they can also directly attack any other wireless clients connected to the printer’s wireless access point.

The other major issue for corporate wireless clients is that even if someone eventually locks down the wireless printer’s access point, any corporate wireless client that connected to the wireless printer while it was in an open state (no security or encryption) is now potentially vulnerable to an Evil AP attack, even when the wireless printer itself is out of range. By default, most wireless clients will automatically connect to an open wireless network they have previously connected to, giving the attacker the ability to hijack corporate wireless clients by tricking them into connecting to a malicious wireless access point pretending to be the open wireless printer network. Again, if the corporate wireless client is also plugged into the wired network via Ethernet, the client can then potentially become a wireless bridge into the wired network.

The key to avoiding this kind of problem is to properly configure the printer based on what the networking needs are. If it is intended to be a wireless-only printer, configure it to use encryption and do not also plug it into the wired network. Wireless infrastructure considerations should also be made, such as using strong encryption and security, and choosing a proper channel so that the printer’s wireless network does not interfere with the rest of the corporate wireless infrastructure. If the printer is intended to be strictly a wired network printer, disable the WiFi card on the device. To ensure corporate wireless clients are not automatically connecting to open wireless networks, remove open networks from the clients’ preferred network lists or simply disable automatic connection to a preferred open network when it is in range.
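The fix described for Mode 1 (the printer’s own preferred network list) and again here for Mode 2 (the corporate clients’ lists) is the same audit applied to different devices. The following is an added example, not code from the original post or from any printer vendor: it reads a constructed profile listing (the comma-separated format is an assumption, since every printer and operating system stores its profiles differently), reports every open network set to auto-connect, and emits a hardened list with the factory setup SSIDs removed and auto-connect disabled on any remaining open networks.

```python
"""Audit saved wireless profiles for open networks that will auto-connect.

Added example for this article; not vendor code. The profile format below
(a simple "ssid,security,auto_connect" listing) and the sample entries are
constructed for the example. The two SSIDs the article names as factory
configuration networks, "hpsetup" and "default", drive the extra check.
"""
from dataclasses import dataclass, replace

# Open networks the article says manufacturers use for factory configuration.
FACTORY_SETUP_SSIDS = {"hpsetup", "default"}

# Constructed sample: one line per saved profile, as found on a printer or laptop.
SAMPLE_PROFILES = """\
hpsetup,open,yes
CorpWiFi,wpa2,yes
CoffeeShop,open,yes
Legacy-Scanner,wep,no
"""


@dataclass(frozen=True)
class SavedNetwork:
    ssid: str
    security: str      # "open", "wep", "wpa", "wpa2" (constructed vocabulary)
    auto_connect: bool


def parse_profiles(text):
    """Turn the constructed listing into SavedNetwork records."""
    profiles = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ssid, security, auto = (f.strip() for f in line.split(","))
        profiles.append(SavedNetwork(ssid, security.lower(), auto.lower() == "yes"))
    return profiles


def audit_profiles(profiles):
    """Return (ssid, finding) pairs for entries that enable an Evil AP attack.

    An open network with auto-connect enabled is exactly the case the article
    describes: the device will join any AP that advertises that SSID.
    """
    findings = []
    for p in profiles:
        if p.security == "open" and p.auto_connect:
            if p.ssid.lower() in FACTORY_SETUP_SSIDS:
                findings.append((p.ssid, "auto-connects to a factory setup SSID"))
            else:
                findings.append((p.ssid, "auto-connects to an open network"))
        elif p.security == "wep":
            findings.append((p.ssid, "WEP offers no effective encryption"))
    return findings


def harden_profiles(profiles):
    """Apply the article's fix: drop the factory setup networks outright and
    turn off auto-connect for every other open network. Encrypted profiles
    are left untouched."""
    hardened = []
    for p in profiles:
        if p.ssid.lower() in FACTORY_SETUP_SSIDS:
            continue
        if p.security == "open" and p.auto_connect:
            hardened.append(replace(p, auto_connect=False))
        else:
            hardened.append(p)
    return hardened


if __name__ == "__main__":
    saved = parse_profiles(SAMPLE_PROFILES)
    for ssid, why in audit_profiles(saved):
        print(f"FINDING {ssid}: {why}")
    print("after hardening:", [(p.ssid, p.auto_connect) for p in harden_profiles(saved)])
```

Running the audit a second time on the hardened list is the useful check: only the WEP profile should remain, because the hardening step deliberately leaves encryption choices alone and only addresses the auto-connect behaviour the post is about.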

Mode 3: Wireless Access Point (Ad-Hoc Mode)

This mode has all the same problems as when a printer is a regular wireless access point, except that when wireless clients connect in Ad-Hoc mode they also become open wireless access points themselves that anyone can connect to. Ad-Hoc mode should not normally be used in corporate environments; it is designed for use “on the go” in areas where wireless access is not available. These days, it is so trivial to set up a hotspot Access Point on almost any mobile device that Ad-Hoc mode isn’t really needed to provide networking on the fly.
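To make the Mode 2 and Mode 3 cases concrete from the defender’s side, here is an added example (not from the original post or any vendor tool) that scores a wireless site survey: it parses a constructed scan listing whose column layout (BSSID, channel, mode, security, SSID) is an assumption, flags open access points, raises the severity when the SSID is one of the factory-setup names mentioned above, and flags any ad-hoc network regardless of its encryption.

```python
"""Flag open and ad-hoc wireless networks in a scan listing.

Added example for this article, not from any product. The scan format
(BSSID, channel, mode, security, SSID, whitespace separated) and the rows
are constructed; real survey tools print something else. The SSIDs
"hpsetup" and "default" are the factory configuration networks the
article names.
"""

FACTORY_SETUP_SSIDS = {"hpsetup", "default"}

# Constructed scan results, as a site survey tool might report them.
SAMPLE_SCAN = """\
00:11:22:33:44:55   6  infra  wpa2  CorpWiFi
00:11:22:33:44:66   1  infra  open  hpsetup
00:11:22:33:44:77  11  adhoc  open  default
00:11:22:33:44:88   6  infra  open  Guest
00:11:22:33:44:99   1  adhoc  wpa2  field-team
"""


def parse_scan(text):
    """Parse the constructed listing into dicts; the SSID is the last column
    and may contain spaces, hence the maxsplit of 4."""
    networks = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) != 5:
            continue
        bssid, channel, mode, security, ssid = parts
        networks.append({
            "bssid": bssid.lower(),
            "channel": int(channel),
            "mode": mode.lower(),
            "security": security.lower(),
            "ssid": ssid,
        })
    return networks


def assess_networks(networks):
    """Return (severity, bssid, ssid, reason) tuples for networks matching the
    article's Mode 2 (open printer AP) and Mode 3 (ad-hoc) cases, highest
    severity first."""
    findings = []
    for n in networks:
        if n["mode"] == "adhoc":
            # Ad-hoc is a problem regardless of encryption: every client that
            # joins becomes a peer that others can connect to.
            sev = "high" if n["security"] == "open" else "medium"
            reason = "ad-hoc network in a corporate environment"
        elif n["security"] == "open":
            if n["ssid"].lower() in FACTORY_SETUP_SSIDS:
                sev, reason = "high", "open AP using a printer factory-setup SSID"
            else:
                sev, reason = "medium", "open AP; joined clients will remember it"
        else:
            continue
        findings.append((sev, n["bssid"], n["ssid"], reason))
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


if __name__ == "__main__":
    for sev, bssid, ssid, reason in assess_networks(parse_scan(SAMPLE_SCAN)):
        print(f"[{sev:6}] {bssid}  {ssid!r}: {reason}")
```

Encrypted infrastructure networks are skipped entirely; the point of the check is the two patterns the post describes (an open AP, worst when it carries a factory SSID, and anything ad-hoc), not a general rogue-AP inventory.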

Mode 4: Wireless Printer Web Interface

As manufacturers attempt to make connecting to these wireless printers ever easier, many have added web interface functionality. They generally add a hard drive with a simple FTP service and a web interface, providing a web server that can be an alternate point of attack. The attacker can then even store stolen data on the printer via the network connection. Any hard drive with pre-installed firmware is also potentially vulnerable to attacks that no amount of proper configuration can fix, giving attackers a potential window into an organization’s network through the printer’s wireless connection.

Conclusion

Unfortunately, it is still very common to see these types of wireless threats in corporate environments due to a lack of proper and thorough configuration on network printers. While a wireless printer acting as a “wireless bridge” to the wired network is one of the most critical threats, the printer is just one type of device that can act as a wireless bridge or wireless entry point into the rest of the corporate network. There are many types of wireless bridge devices that can easily be used as rogue devices, and even in environments with no wireless access these devices can create a doorway into the wired network by transparently acting as a wireless bridge access point.

Remote Site Security with Pwn Pulse

Continuing in our series about Pwn Pulse and its potential uses is the following “fair weather” example. While many associate Pwnie Express tools with penetration testing, it can also be useful for assessing the health of your security processes.

The day-to-day security operations of an average network are not terribly exciting. Once everything is set up and running, the routine of checking to make sure everything is working correctly takes up most of your time.

That’s bad enough if you’ve only got one location to contend with, but what if you have remote branches? Hiring staff to handle security issues at the various branches may not be an option, so time will have to be split up between them all. If you have to physically visit these remote locations, the problem becomes even worse. Time spent on the road is time wasted.

The reality is, remote branches are often ignored unless a serious problem develops. There simply isn’t enough time in the day to make a sweep of all the locations to ensure everything is working smoothly. The irony is that if you could keep a closer eye on the remote branches, you’d be able to head off a lot of problems before they took root, saving you time in the long run.

Pwn Pulse provides a window into the devices operating in these remote locations. You can use it not only to keep an eye on each location, but also as a point of comparison against your standing security assessment tools.

Practical Example: Small Bank

Imagine that you were in charge of the network for a small independent bank that has a main branch and 6 smaller branches all within a 10 mile radius. The branches are too small and close together to justify the expense of hiring IT staff for each one, so you have to balance your time between them all. But the main branch has the largest number of users and is arguably the most important, so in practice the majority of your time is spent there. The remote branches are left to languish on their own, in hopes that nothing major comes up.

Unfortunately, if something does come up, it could very easily affect your entire network. Remote site security is too often overlooked, the assumption being that no important data is stored in these locations. However, this assumes “perfect security practice,” a situation which can rarely be emulated in real life. Even with appropriate segmentation of the remote site and headquarters networks, login credentials found with an EvilAP could provide an attacker direct access to the sensitive information you keep behind firewalls.

Pwn Pulse is the solution to that remote site gap. Automated asset discovery and rogue device detection give security professionals potentially located at headquarters or another location a fuller picture of security at the remote location. Even more importantly, it is a complete picture. With the ability to run vulnerability scans against your network on a predetermined schedule, you can make sure that all computers are downloading and applying the appropriate updates. If you know an update was pushed out to fix a specific vulnerability, and there are machines in your network still susceptible to them, you’ll know which machines need to be more closely examined.

You can see trends across networks (e.g. seemingly random rogue access points running on similar hardware at three different branches in the same neighborhood), you can pinpoint problem areas across the organization (e.g. guest wireless is frequently used by new employees), and you can understand the behavior not only of your network, but of the devices connecting to it.
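As an added illustration of the cross-branch trend mentioned above (example code written for this page, not Pwn Pulse’s own logic or output), the script below takes constructed access point sightings from several branches, separates rogue BSSIDs from an authorized list, and groups the rogue ones by OUI to surface hardware families that appear at two or more branches. The branch names, BSSIDs, OUI-to-vendor table and authorized list are all constructed; the OUIs are not real vendor assignments.

```python
"""Correlate rogue access point sightings across branch offices.

Added example for this article; not Pwn Pulse code or output. The sightings
list, the branch names and the OUI-to-vendor table are constructed for the
example (the OUIs are not real vendor assignments).
"""
from collections import defaultdict

# Constructed: BSSIDs of access points the organization actually operates.
AUTHORIZED_BSSIDS = {"00:aa:00:00:00:01", "00:aa:00:00:00:02", "00:aa:00:00:00:03"}

# Constructed vendor table keyed by OUI (first three octets).
OUI_VENDORS = {"de:ad:be": "ExampleRouter Co (hypothetical)"}

# Constructed sightings: (branch, bssid, ssid, security) from periodic scans.
SIGHTINGS = [
    ("hq",       "00:aa:00:00:00:01", "CorpWiFi",  "wpa2"),
    ("branch-1", "00:aa:00:00:00:02", "CorpWiFi",  "wpa2"),
    ("branch-1", "de:ad:be:11:11:11", "FreeWiFi",  "open"),
    ("branch-2", "de:ad:be:22:22:22", "linksys",   "open"),
    ("branch-3", "de:ad:be:33:33:33", "FreeWiFi",  "open"),
    ("branch-3", "00:aa:00:00:00:03", "CorpWiFi",  "wpa2"),
    ("branch-4", "c0:ff:ee:44:44:44", "MyHotspot", "wpa2"),
]


def oui(bssid):
    """First three octets of a MAC address, normalized to lowercase."""
    return bssid.lower()[:8]


def rogue_sightings(sightings, authorized=AUTHORIZED_BSSIDS):
    """Anything not on the authorized list is a rogue AP sighting."""
    return [s for s in sightings if s[1].lower() not in authorized]


def correlate_by_hardware(sightings, min_branches=2):
    """Group rogue sightings by OUI and keep the hardware families seen at
    min_branches or more branches: the cross-site pattern that a per-branch
    view would miss. Returns {oui: {vendor, branches, ssids, count}}."""
    by_oui = defaultdict(lambda: {"branches": set(), "ssids": set(), "count": 0})
    for branch, bssid, ssid, _security in rogue_sightings(sightings):
        entry = by_oui[oui(bssid)]
        entry["branches"].add(branch)
        entry["ssids"].add(ssid)
        entry["count"] += 1

    result = {}
    for key, entry in by_oui.items():
        if len(entry["branches"]) >= min_branches:
            result[key] = {
                "vendor": OUI_VENDORS.get(key, "unknown OUI"),
                "branches": sorted(entry["branches"]),
                "ssids": sorted(entry["ssids"]),
                "count": entry["count"],
            }
    return result


if __name__ == "__main__":
    for key, info in correlate_by_hardware(SIGHTINGS).items():
        print(f"{key} ({info['vendor']}): {info['count']} rogue APs at "
              f"{', '.join(info['branches'])}; SSIDs {info['ssids']}")
```

Seen one branch at a time, each of the three `de:ad:be` access points is a single open network with a forgettable name; grouped by OUI they are the same hardware family showing up at three sites, which is the kind of pattern worth following up on.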

Infinite Possibilities

These are just a few of the possible applications of Pwn Pulse. Downtime is wasted money, and Pwn Pulse can save security and IT staff effort which is better directed towards larger issues.

Data Security Experts Answer: What is the Biggest Misconception Companies Have About Endpoint Security & Protection Tools?

Digital Guardian

March 11, 2015

By Nate Lord

Paul Paget

@pgp2

Paul Paget is the CEO of Pwnie Express.

The biggest misconception companies have about endpoint security is…

Overlooking the importance of detection technology.

The threat landscape is evolving at a break-neck pace and the stakes have never been higher. As a result, organizations’ historic focus on perimeter security solutions has shifted to analytics and monitoring tools that provide enhanced visibility and rapid response. But savvy CISOs/CSOs know that it’s not a question of one or the other: an effective security strategy must encapsulate both traditional endpoint security defenses and new, innovative ways to gain greater visibility into potential breach points.

Firewalls, antivirus and other defensive tools are still essential to mitigating risk, but no longer enough to stop today’s increasingly sophisticated, stealthy attackers. To proactively combat endpoint security threats around wireless productivity tools, BYOD, and IoT devices, enterprises must also be proactive in detecting the presence of unknown, unauthorized, rogue and/or misconfigured devices in real-time so security teams can respond quickly and effectively.

Anthem Refused Security Audit Before and After Data Breach

eSecurity Planet

March 10, 2015

By Jeff Goldman

Following a recent data breach that may have exposed the personal information of as many as 80 million current and former customers and employees, health insurance provider Anthem has refused to allow the federal Office of Personnel Management’s Office of the Inspector General (OIG) to conduct vulnerability scans of its systems, GovInfoSecurity reports.

Anthem also refused to allow the OIG to conduct similar vulnerability scans in 2013.

The OIG told GovInfoSecurity that Anthem refused to permit it to conduct “standard vulnerability scans and configuration compliance tests.”

Rogue Device Spotlight: KeySweeper

RISK ASSESSMENT RATING: 3.33

Popularity: 2

How often the rogue device is used in the wild to conduct real-world attacks, with 1 being the rarest, 10 being widely used.

The KeyGrabber can be considered “popular” in the sense that people are talking about it, but real world attacks at this point in its development are unlikely and currently unreported.

Simplicity: 3

The cost or “DIY burden” of the device, availability (ease of acquisition), and degree of skill necessary to deploy/operate the device, with 1 being expensive/difficult to build, not publicly available, and requiring deep technical expertise to operate, 10 being low-cost, available for purchase online, plug-and-play operation.

While the KeySweeper has impressive documentation, it is meant to be built from scratch and is still not a project for a beginner.

Impact: 5

The potential damage caused by successful execution of the attack, with 1 being exposure of trivial information from the target, 10 being organization-wide superuser-level compromise or equivalent.

Like the KeyGrabber, the impact of the KeySweeper is dependent upon what is typed. Though much of the information would most likely be trivial, a long enough period of data (or certain login information) is of immense value to an attacker.

KeySweeper

Unveiled in January 2015 by security researcher Samy Kamkar, KeySweeper is an open source sniffer for Microsoft wireless keyboards. Built into the case of a standard USB wall charger, the KeySweeper can easily be deployed and hidden without arousing suspicion. Depending on the optional hardware, an individual can construct their own KeySweeper for as little as $10 by following the detailed instructions on Kamkar’s site.

While all of the hardware to construct the KeySweeper is readily available, the skills required to assemble one are far from trivial. In addition, the fact that it targets only a single type of wireless keyboard gives it a rather narrow scope. Still, if taken as a proof of concept for what’s possible with hobby-grade electronics, the KeySweeper is a sobering wake up call.

Hardware Specifications

  • CPU: Arduino or Teensy Microcontroller
  • I/O: NRF24L01+ 2.4GHz
  • Radio: Quad-Band GSM
  • Storage: 1 MB SPI Flash (Optional)
  • OS: Open Source, written in Wiring

Notable Features

The KeySweeper is undeniably one of the best-disguised rogue devices ever conceived, to the point that it’s essentially undetectable short of the victim opening it up to see what’s inside. It’s important to note that not only does the KeySweeper hardware fit inside of the USB charger case perfectly, the charger still works after the modification. While the KeySweeper device would be slightly heavier than a standard USB charger given the added hardware, the chances that a potential victim would notice this and become suspicious of the device are very slim.

Considerable thought was put into the KeySweeper’s design, including a number of optional contingency features. Kamkar details additional hardware such as an internal battery to power the electronics while the device is unplugged, and onboard storage to retain data in the event it cannot be retrieved wirelessly. These optional hardware and software features show just how much flexibility is possible with these types of devices and gives a glimpse at what’s possible with more development.

While it was technically designed to only target Microsoft keyboards utilizing a specific wireless chipset, Kamkar mentions that other keyboards are likely using similar technology. With open source code and fully documented hardware, it’s possible the KeySweeper, or a device very much like it, will be updated in the future to support keyboards from more manufacturers.

Conclusion

Given its exceptionally narrow scope and very public unveiling, it’s best to consider the KeySweeper a proof of concept. Even if it was ready to be used as a practical rogue device, the skills required to construct one are not trivial, and Kamkar’s documentation isn’t quite detailed enough to allow a beginner to build one unaided.

While the KeySweeper itself may not be a practical threat for most organizations, the technology it demonstrates certainly is. The framework laid out in Kamkar’s documentation and code can be adapted to many other tasks which could benefit from the same covert properties that make the KeySweeper so impressive.