Article by Jon Derrenbacker
Physical Security: Guaranteed Access - From PwnPlugs to Nuclear Power Plants, things have become interesting at Layer 1...
With the advent of Svartkasts and PwnPlugs, physical security is no longer a boring subject for pentesters. To pentesters these devices are some of the most exciting exploits at any level. To businesses they’re a nightmare.
The criticality of physical security can’t be overstated, with high value targets such as the Nuclear Power plants in Iran, and the U.S. Governments Secret SIPR networks being victims to physical layer compromise. If there’s one guaranteed way to gain access to any network, it’s with a physical layer exploit.
Everyone has different ideas of what physical security is, what it encompasses, and how to exploit it. It can include a wide range of exploits, many being surprisingly simple. Regardless of method, going after physical security in a PenTest often proves one of the easiest ways to gain access to a network. Sometimes physical exploits are almost looked on as cheating, simply because some of them are so simple, so obvious, and yet completely unprotected.
There are countless tricks to exploit physical layer weakness. One of the more devious is the concept of creating a 0-day exploit inside of a client side application like Word or Adobe Acrobat, put it on a CD or thumb drive labeled ‘Employee Salary History 2005-2012’ and leave a few copies of it in different bathrooms at the target site. Do this slowly several times over a few months and eventually you’ll have a reverse shell waiting for you when you get back to the office.
There are tricks like dressing up as a legitimate third party vendor like as an electrician, helpdesk employee, or even a firefighter. Once inside any number of physical exploits are at your disposal. Planting a keylogger when under someones desk inspecting a wiring issue is pretty easy. This sounds improbable, but it works time and time again. When enough effort is placed into setup, it can be very effective.
To increase the odds of success some people will not only dressing the part, they’ll have a 2-3 person team with walkie talkies making chatter. They’ll have a Van outside labeled ‘Acme Electrical’ parked in front of the receptionist window and they’ll execute the operation around lunch while all security figures are out. Some will argue this is a Social Engineering attack, but the ultimate exploit will usually be when a physical device is planted. Planting a keylogger, planting a wireless router, etc.
For the more dedicated, there’s the trick of getting a job with the cleaning crew. Your employees have background checks, does your cleaning crew? What about the cleaning crew at your remote offices? A hacker with a few months of access to every desk in your building should make anyone pause.
Stopping an attack like this comes back to the basics. Cameras watching more than just your front door, someone monitoring the cameras, and background checks for anyone who has unsupervised access inside your building. Secondary to this exploit is the concept of exploiting the people who have unsupervised access who aren’t the normal security conscious staff. Telling the cleaning person as they’re taking out the trash that you left your keys on your desk could be the easiest access you ever got.
Physical security can be even simpler. One of the simplest attacks that many people over look is just breaking in and stealing. Smash and grab. Backup tapes are a good target or even entire servers. If someone wants your data and your front door has a weak lock, and no alarm how hard is it? If the walls creating your datacenter are just normal drywall it’s more of an illusion of an obstacle.
In many situations when someone wants your data, it could be easier to just break in. With a cart and a few minutes someone could grab your SAN and several servers. The target may not necessarily be data either; it could be a normal thief targeting high value network equipment. With some network devices costing more than a small house, these devices could easily become financial targets. It’s been a trend for years for thieves to break in to companies and steal laptops to resell on the internet.
They attack over long weekends and usually hit several companies in a row. Sometimes the thief will come in during business hours, and hide in a bathroom or empty office until everyone leaves. The question of course is if they can steal your laptops, is there anything physically stopping them from stealing your SAN? If they kick a hole through the drywall or push up the ceiling tiles and just jump over the wall, are they in?
Protecting against things like this requires alarm systems. Not just on the front door, but motion sensors in the server rooms. The front door alarm can be bypassed by coming in during business hours and hiding, but alarms in the server room should help. Also things like changing the default lock on server racks(many rack vendors use the same key for all racks), actually locking the server racks, encrypting backup tapes and even encrypting data on your servers. It’s security in depth.
Physical security can also be more sophisticated with knockoff routers, NICs, and motherboards with backdoors hard coded into them. Anti-virus isn’t going to pick up a backdoor on the physical level and even a good IPS sensor isn’t going to pick up a backdoor on a knockoff router. Some companies require every new piece of hardware that comes in the door to be tested with a packet sniffer like wireshark to make sure the hardware isn’t dialing home.
While this may currently be overkill for normal businesses who buy from reputable distributors, buying network devices from Ebay for a secure environment is a bad idea. Related to this, just because you didn’t install a knockoff WIC into your router doesn’t mean an attacker can’t.
Breaking into a wiring closet and swapping in a hacked WIC into a router would take 2 seconds in many environments using nothing more than a simple lock pick and a screw driver. It would be noticed as the network goes down, but as the network magically comes back on-line, would anyone take the time to figure it out or would it sit there for years leaking data?
Network equipment isn’t the only thing at risk from physical security. On the end-user side, U3 auto-run memory sticks became popular showing off creativity in getting access to places that had email and web security locked down. U3 thumb drives legitimately create a virtual CD that autoplays like all CDs do, usually to load software that you want. With a hacked U3 thumb drive however, that autoplay virtual CD is auto installing backdoors, and dumping password hashes. While seemly trivial, this attack has gotten into the most secure sites in the world.
The US Government banned USB devices after having its top secret network compromised by this attack. The Stuxnet worm that temporarily took down Irans Nuclear Plant was also initially delivered by gaining physical access and plugging in a USB device, bypassing all higher level network security mechanisms. A simple AD policy blocking autorun should be a minimum for most clients.
There are also tools like Ophcrack where if you have physical access to a computer, you can boot with a linux live CD and crack the local admin password with zero knowledge, zero effort, and zero skill. While this may not seem like the end of the world, how many end user computers have the same local admin password? What about HR computers? Obviously no one in IT with domain admin access has the same local admin password that the end users have…
Secondary, it’s just as easy to install a rootkit with a live CD as it is to break the local admin password. Protecting against this requires the security team to create computer build policies for helpdesk technicians to follow when building end-user laptops and desktops. Polices setting the boot order to boot off the hard drive first, creating a bios password, and locking the bios from changes.
Even more simple than breaking the password on a laptop with a boot CD are tools like ‘FTWAutoPwn’ that allows someone with physical access to simply bypass the password all together on a locked Windows XP or Windows 7 computer. This attack is also very simple requiring the attacker to create a FireWire hack device using the FTWAutoPwn program, and then simply plug the modified firewire device into a locked computer. No more password…
One of the more scary things about attacks like this is how simple they are and how it can be used to pivot to other attacks. Outside of just gaining access to an end users laptop, doing this to a domain admin who locks his computer to go to lunch could gain someone a new AD account.
One of the newest and more interesting attacks is with drop boxes like the PwnPlug. This device looks like a benign box that’s simply plugged into power with a network cable going to it. The type of device that generations of network staff could look at and think ‘I don’t know what it does, but it’s always been there’. These devices are physically planted on a network and once planted; they allow a hacker or pentester to have remote access to said network. They talk home using SSL to encrypt traffic and bypass perimeter IPS sensors.
Certain versions have mechanisms to also bypass NAC/802.1x/Radius. Even more devious they can simply connect back to the attacker using 3G. Hide one of these under a printer and everyone will assume it’s just related to the printer. Three or four years of easy access will follow with the device likely being thrown out with the printer when the printer is end of life. The small form factor is a big part of the danger in these devices. Gone are the days of a drop box needing to be a laptop that anyone can easily spot.
While the thought of losing a $500 device might stop some hackers from using this type of attack, losing a $40 device will stop no one. This is where the svartkast comes in. A svartkast is the concept of a cheap remote access drop box that you can plant on a network and afford loses.
One example is using a pogoplug. A pogoplug is a legitimate home media device that cost around $40. You can use it to share pictures of your vacation, or you can use it to hack into a network. The default operating system is thrown out for a custom install of Linux. Install your tools, ssh tunneled through Tor, and you’re done. You now have a very dangerous device.
It takes a few minutes for the seriousness of this type of attack to set in. Someone breaks in, plants this device and leaves. All you know is a break-in happened and nothing was stolen. But from now on, when you forget to patch your 5 year old copy of Netbackup, you just lost all your data. The PwnPlugs and svartkast boxes aren’t sniffing data; they’re a hacker sitting on the inside of your network running all the tools they want. That legacy server with MS03-026 that isn’t an issue because it’s behind the perimeter firewall? Think again.
Remote offices are often left out of physical security conversations. Remote offices can be overlooked, underfunded and easy targets for all of the above attacks. Using any of the above physical security exploits against a satellite office will produce much better result in general than attacking the corporate datacenters. The corporate headquarters may be locked down with cameras, guards, and network engineers monitoring fine details. How many small remote offices can you same the same of? Many times remote offices have no IT staff at all.
Some people may think the cloud will save them from these attacks, but if anything the more companies adopt the cloud, the worse the issue of physical security may be. More servers in the cloud will likely equal smaller budgets for internal IPS systems and the project time to maintain them. Under high cloud adoption scenarios where fewer higher level engineers are on site, there is little to protect the attacks above.
This may sound counter intuitive as the initial thought is that the data in the cloud is guarded by the best and brightest and therefore more secure. The problem is that the access to that data is still taking place from the same physical locations it was before. Planting a pwnplug in a business without an IT staff could guarantee decades of unnoticed access.
Another thought many have when thinking about securing the physical layer is that they’re not a big enough target for a hacker to go out of their way for. They might be concerned about a generic worm, but not someone breaking in and planting a PwnPlug. The problem is what’s thought of as a traditional hacker is many times not the most likely attacker.
The most likely attacker in many companies is the disgruntled employee. Disgruntled IT employee has always been a fear for businesses, but as the next generations of more and more computer savvy employees enter the workforce, their ability to find and launch relatively simplistic, but highly effective attacks will be a concern. The idea of an intern with a svartkast, or an employee bypassing the password on their boss’s computer is a real possibility.
So how do you protect against physical security, and more specifically the more dangerous PwnPlugs and svartkasts? Using something like Cisco Port Security where the switch knows what mac address is allowed to be on each port would be a good first try. The problem is the PwnPlug can bypass this. They can mimic the mac address if installed in-line with a PC or printer. Using NAC/802.1x/Radius would be another good guess, but the PwnPlug can bypass that as well in the higher end models. For smaller companies, simply doing a periodic visual check would be a good idea.
The problem is something like a PwnPlug could easily be connected to a small UPS battery backup and put up in the ceiling where it could run for days; long enough to allow a hacker to exploit an internal system for more permanent access. Also relying on visual checks ignores the fact that these devices will continue to get smaller and smaller. Some of the devices in the pipeline are the size of a network jack.
Protecting against the initial planting of a device on your network really comes down to the old basics of physical security. Cameras, fences, alarms systems, security guards, policies, background checks, etc. There are also the deterrents like keeping unused switch ports shutdown by default, and monitoring mac-addresses.
To detect devices like the PwnPlug after they’re on your network, scanning for it will not work; physically looking for it isn’t a guaranteed method either. Even if there was a trick to detect the device using a network scanner, the assumption should be that very soon we’ll have dozens of similar products with each generation being more covert. Instead the best way to detect the device is to think in terms of how to detect the actions of the hacker on the device. While many companies do an okay job of looking at the perimeter for hack attempts, also turn your attention to the inside.
You should be alerted to things like nmap scans hitting inside servers, or ‘private’ being incorrectly guessed as your snmp community string, or outbound connections to TOR or to hacker tool repositories where an attacker could be pulling updates. Basically, anything that could be seen as an inside hack, you should be alerted to in real time. In many cases, an internal IPS sensor is more valuable and useful than an external IPS. With these attacks most outbound traffic that leaves the perimeter will be encrypted leaving the perimeter IPS sensor ineffective. For an internal IPS system to work though means custom configuration to look for internal hackers.
Just downloading the latest IPS signatures isn’t necessarily going to give the tools needed. There will need to be staff trained on creating rules and the time to monitoring normal traffic, test rules, and develop rules as techniques change. In addition to an internal IPS sensor, using internal honeypots is a good way to quickly detect new activity. For honeypots, set up a few virtual servers that look like real targets named things like ‘HR015’, or ‘DC005’ and have tripwire or the IPS watch them and alert in real time.
In addition to detecting these attacks, it’s also smart to reduce the internal attack surface area to lessen the damage done between when an attack is detected and when it’s remediated. That comes back to the old adage of not having an ‘egg’ network with a hard shell outside and a soft gooey inside. Make the internal network as locked down and hard as the outside network.
The network ports outside of the core switch should only see a small subset of servers and only a small subset of ports on those servers. For example, end users should never be able to see netbackup ports on any server. A telephone doesn’t need to see file servers. A printer doesn’t need to see other wan links. Locking down internal systems is key.
One thing many companies are doing in response to newer physical threats is having pentests preformed on the inside of the network, and attacked from the perspective that there’s a hacker on a pwnplug. Doing this will pick up security issues that may have been overlooked otherwise.
Second, after all internal issues found are fixed; perform the test again being as quiet as possible to test the alerts and alarms for sensitivity. This also allows the client to see what hack attempts on the inside looks like in terms of what alerts they get.
If anything, physical attacks prove there is no single magic bullet that can protect you. The best defense has always been, and always will be, staff with proper security education to continuously harden systems against emerging threats.
Jon Derrenbacker is an IT professional with 12 years experience in Systems Engineering, 8 years experience in Computer Forensics and 8 years experience in Pen-Testing. In computer forensics he has lead small cases to cases scaling $100 million dollar international fraud. In PenTesting his focus is on community banks, but includes for privately- and publicly-held companies, not for profit organizations, and government agencies. Jon is a systems engineer for KeiterCpa in Richmond Va. You can reach him at email@example.com
Cross-posted from PenTest Magazine