Exploring Attack Vectors Facilitated by Miniaturized Computers Casey Mortensen, Ryan Winkelmaier, Jun Zheng Department of Computer Science and Engineering New Mexico Institute of Mining and Technology Socorro, NM, USA 87801
{cmortens, rwinkelm, zheng}@nmt.edu
ABSTRACT The development of miniaturized, inexpensive, fully functional computers has opened up new opportunities for a pentester. A device approximately the length and width of a credit card and only a couple inches high, is capable of running a version of the GNU/Linux operating system, which makes the access to many tools such as network mappers and exploitation frameworks possible. Due to its size, the device can be hidden inside a building and attached to the network for as long as it has power, affording a great advantage to an attacker. In this paper, we attempt to explore different attack vectors facilitate by miniaturized computers and identify their feasibilities. We also make recommendations of countermeasures to the potential attacks launched through miniaturized computers.
Categories and Subject Descriptors C.2.0 [Computer Systems Organization]: ComputerCommunication Networks—Security and Protection; C.3 [Computer Systems Organization]: Special-Purpose and Application-Based Systems
Figure 1: What a hidden miniaturized computer could like tucked away in a cupboard
General Terms
In addition to better computational systems on the market, the internet has enabled individuals to utilize crowdsourcing to finance large projects that would exceed a normal hobbyist capacity. The ability to find investors for almost anything in addition to manufacturing improvements allow individuals to do a run of 10,000 PCB’s without the 10 years of lead in and massive costs that prevented anyone without massive capital investment required of a corporation. These factors have created an environment where a few individuals can work together to come up with enough information to base a miniaturized computer on. The prevalence of miniaturized computers leads to an attack vector in which the device is physically hidden on the premises [14]. This gives a prospective attacker prolonged access to the target’s network without physically being there. A man sitting with a laptop around may be suspicious, but a small box behind a copier or in a cupboard will be difficult to find (Fig. 1). With the price dropping sub-$100 it isn’t unrealistic to consider them disposable. The attacker can just leave the device in the place to minimize risk. In this paper, we try to explore the attack vectors facilitated by miniaturized computers that can exploit the vaunarabilites of a network from inside. The aim of this work is to help the community understand this new form of attack and mitigate the potential risks.
Security
Keywords Attack Vector, Miniaturized Computer, Network Security
1.
INTRODUCTION
In today’s world, technology has miniaturized itself on many levels. For example, cell phones and tablets now have more processing power than desktops/laptops did 10 years ago. With the inclusion of multiple cores per chip as well as lower power requirements (such as intel’s introduction of the Atom CPU) a few years ago, technology has reached a point where miniaturized computers will have a large impact on society. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from
[email protected]. SIN’13 , November 26-28 2013, Aksaray, Turkey Copyright 2013 ACM 978-1-4503-2498-4/13/11$15.00. http://dx.doi.org/10.1145/2523514.2527002
203
RCA Video
The following of this paper is oganized as follows. In section 2, we introduce the background informaition of miniatuized computers and attack vector exploration. Section 3 presents possible attack vectors facilitated by miniaturized computers. The testing results of attack vectors are presented in section 4. Finally in section 5 we dicuss briefly the countermeasures and conclude the paper.
2. 2.1
BACKGROUND SD Card
Miniaturized Computers
Since using miniaturized computer for penetration testing is a fairly new subject, not many devices exist in the market for this need. The device we used for this study is the Raspberry Pi (hereby referred to as Pi), which is a credit card size computer that plugs into a TV via a RCA video or HDMI cable and a keyboard via USB port [8]. It can be used for many of the things to be done by desktop PC. Fig. 2 shows the diagram of a model B Pi deivce with 512M B of RAM. The Pi measures 85.60mm × 56mm × 21mm, with a little overlap for the SD card and connectors which project over the edges. The SoC is a Broadcom BCM2835 which contains a 700M hz ARM1176JZF-S CPU with floating point, and a Broadcom Videocore IV GPU. In addition to the default Pi device, we had a generic USB battery with a capacity of 5000mAh, an 8GB SD card, and a wireless adapater. Besides the Pi, there are other similar devices that are currently on the market such as the Pwn Plug Elite [7], the BeagleBone [2] and the WiFi Pineapple [16]. The Pwn Plug elite does not rely on an external power source like the Pi, and instead utilizes an integrated AC adapter while main˘ ˘ I˙ taining a visual look similar to that of a ˆ aAIJwall wartˆ aA in order to evade detection. There are two major downsides of Pwn Plug elite: higher cost and the requirement that it should be always plugged into a functioning wall socket. The BeagleBone and WiFi Pineapple on the other hand is similar to Pi as it requires external power. BeagleBone has a less active community compared to the Pi probably due to the higher cost of the device. The WiFi Pineapple is mainly used to act as a wireless hotspot honeypot instead of a generic penetration suite.
2.2
GPIO
Attack Vector Exploration
Attacks for different technolgies such as biometrics [10], WiFi [3], smartphones [11], metering data in smart grids [13] etc. were explored in the literature to understand the potential security risks. There are also few works on exploring the attack vectors facilitated by a specific device. In [11], it is shown that a smarphone can be used as a tool to carry out a network flooding attack on other mobile devices. To the best of our knowledge, this is the first work attempting to explore potential attack vectors facilitated by miniaturized computers. Most attacks on a network can be categorized into either an active or a passive attack based on the involvement of the rogue system on the network. Our research considered the threats both active and passive attacks that could be launched from the Pi. In particular, the major passive attacks would all fall under network reconnaissance, whereas active attacks cover a much broader spectrum including denial of service (DoS) attacks, man in the middle (MITM) attacks, WPS brute forcing attacks, and reverse connection utilization.
204
Audio LED
512MB RAM CPU & GPU
USB 2.0
LAN Power
HDMI
Figure 2: Diagram of a model B Raspberry Pi device
3.
ATTACK VECTORS FACILITATED BY MINIATURIZED COMPUTER
3.1
Network Reconnaissance
The first step of attacking a network is reconnaissance, which is usually conducted by network attackers to gain unauthorized information or access of a network to identify potential vulnerabilities [12]. We explore two most commonly used network reconnaissance attacks: passive traffic capture and network mapping.
3.1.1
Passive Traffic Capture
Passive traffic capture using pcap (packet capture) is a double edged sword, which is used by network administrators and technicians for traffic monitoring and troubleshooting but also could be used by attackers to sniffer sensitive information in packets. Attackers usually use packet capturing in conjunction with other attacks such as SSL-stripping for maximum effectiveness. When a miniaturized computer is used for packet capturing, the main issues are power and storage.
3.1.2
Network Mapping
When attempting to gather information about a network, networks mappers, such as Nmap [5], are one of the best tools to use. A network mapper works by attempting to connect to popular ports on the target machines to find out which ports have a process listening on them. This will give an attacker valuable information about which roles each computer is fulfilling (web server, email server, workstation, etc.) as well as possibly what operating system and software it is running. With Nmap the attacker can take one step further to perform version fingerprinting. Based on the data sent by the service when it connects, Nmap can attempt to identify the name of the program running on that port and the specific version. This is important because often only specific versions of a program will be vulnerable to an exploit.
3.2
Active Attacks
Through active attacks, the attcker can make changes to system resources or disrupt system operations.
3.2.1
DoS Attack
A potential use of having a hidden miniature device inside the network is to disrupt system service using a DoS attack. In our case, we tested smb-vuln-ms10-054. This exploit will force a blue screen on vulnerable windows 7 computers using a maliciously crafted smb mount packet. Although this exploit has been patched, a network that does not maintain an updating routine, or contains newly installed machines would still be extremely vulnerable. If the above criteria for unpatched machines is met, a single device could regularly force a blue screen of death on all vulnerable workstations, disrupting all business for the duration that the device is active. Although the attack duration would be fairly limited with battery power, the attack could continue for days if an AC adapter was utilized. By constantly changing MAC addresses, a device can avoid blacklisting attempts to block the attack and force the network administrator to go through great lengths to find and stop the attack by having to trace the attack to a specific port, and then to a specific room. If the device is on a wireless network, finding the attacking device would prove even more difficult as there would be no single port to trace back to. There are some other DoS-based attack vectors such as wireless deauthentication. In a wireless deauth attack, malicious packets are sent to deny users wireless access by telling the client that the access point does not want to communicate with them. Once again, if the device is using AC power and well hidden, this attack can make doing business extremely difficult and be very hard to prevent. We discuss in Section 5.1 on how to prevent these kinds of attacks from being as effective.
3.2.2
MITM Attack
Once the miniature device is inside the network, MITM attacks become a very effective method to gain access to secured data. One example is to utilize sslstripping attacks. By setting up a sslstrip attack on the network in question the attacker can start sniffing credentials for any internal (and external) sites that do not force https. This, in conjunction with packet capturing will allow for a wide variety of data to be captured, and possibly allow further escalation within the network thanks to the new credentials. However, depending on how the attacker setups the route poisoning, the miniature device’s battery life could be a problem for the attack to succeed. If the attacker uses a very generic ettercap ruleset, the traffic will start to pass from a vast majority of the network to a computer with very little processing power. Depending on how much traffic is being pushed through, the battery life could be reduced drastically. On the other hand, if the attack is run over AC power, the only issue is being able to route that much data in a timely fashion. However, the traffice routing issue should be much less of a problem if specific hosts are targeted. A MITM approach will be the most effective in an attack that occurs over a long time frame. This will give the attacker time to pick a viable target and wait for them to give the information needed for attacking. As long as the attacker is willing to wait, a MITM attack will get everything from bank account passwords to email passwords.
205
3.2.3
WPS Pin Bruteforcing Attack
Having a device nearby physically doesn’t help a lot if the attacker can’t gain access to the network either through an Ethernet port or through wireless. Because of this, we tested a method of gaining access to a wireless network protected by WPA. It has been found that it is possible to exploit a cryptographic weakness in the Wi-Fi protected setup to gain access to the wireless network [15]. We attempted to do this using a tool called reaver [9]. This attack may take about 8 hours if the access point is vulnerable. This is way beyond the typical battery life of a miniature device, especially with heavy network traffic. However, the attack is doable if the device can connect to a power outlet and go with a slower attack.
3.2.4
Fully Automated Exploitation
Being connected to a wireless network rather than a wired network, makes the miniature device much harder to find. For this reason, being able to break into wireless networks that are normally considered secure (WPA) is a great advantage and is the ideal approach if the attacker has the time. One of the largest limitations of the drop box attack, is that the attacker may not be physically present to interpret results and choose the best way to proceed as in most cases. One options for getting around this is to attempt to fully automate the process of exploiting a machine and leave a back door for later. The idea behind this kind of attack is to try and exploit just one machine on the entire network that can then be used as a more permanent foothold for more attacks. Therefore the attacker don’t necessarily have to exploit any particular machine, but just find one vulnerability on the entire network. There are several different ways to attempt to automate the process. First, the attacker could attempt one or two exploits on all the machines on the network. This kind of attack can be launched against all the hosts on a network in a relatively small time frame and depending on the exploit, couldl be relatively quiet. Another advantage of this method is that it will not be very taxing on the device’s hardware. The downside to this is that without prior knowledge of the network, the attack is unlikely to succeed. Since the effects of this form of attack are going to vary wildly based on the exploits used and the target, we did not test this method in this study. The second method is using an extensive number of exploits which is adopted by us in this study. This is more of a ”shotgun” approach in that it attempts to attack a very large area rather than only one or two processes. For this approach the attacker needs to use a large database of potential exploits. In this study, we chose to use the metasploit framework. The metasploit framework allows exploiting a machine with one of the thousands of potential exploits in its system with a desginated payload. It is written in ruby and is built to be simple to extend. The tools we used to automate the selection and launching of exploits are db nmap and db autopwn. db nmap performs a port scan of a given set of machines and stores the results in the database. db autopwn then uses that set of machines and open ports and launches any exploits in the metasploit database that match the port. This attack is very noisy and each individual exploit has a very low chance of succeeding. But it is hopeful that over the entire network, one of the
exploits will succeed and give the attacker a backdoor into the network.
3.2.5
Reverse Connection
4.1.2
Since the attack to fully automate the exploitation of the network may not work, we also looked at methods of controlling the device without being physically present. This gives the attacker the advantage of being inside the network without the disadvantage of having an automated process making all the decisions. The method we tested was having the device establish a reverse ssh tunnel to an outside machine, allowing the attacker to establish an ssh connection through the tunnel as shown in Fig. 3(b).
Attack Attacker Internal Network
Firewall Internet
(a) Raspberry Pi
4.2.1
Attacker Internal Network
Firewall Internet
(b) Figure 3: Reverse connection attack: (a) The attacker is blocked by the firewall. (b) The Pi connects to the network behind the firewall first. Then the Pi connects to the attacker outside and the attacker uses the Pi to proxy the attacks into the ntework, bypassing the firewall completely.
4.
RESULTS
Fig. 4 shows the battery drain time of each attack vector running on our Pi device with a 5000mAh battery. We explain the result for each attack vector in detail as follows.
4.1 4.1.1
Network Reconnaissance Passive Packet Capture
The main issues of using the Pi for obtaining a pcap are in power and storage of the capture. When dealing with a wired network in our testing, the Pi was able to run a packet capture for about 6 hours, space permitting. Trying to obtain a wireless capture was much more intensive resulting in around 2.5 hour of battery life before the wireless card started providing flaky results. As far as wired input goes, there were no issues besides space for packet captures. With thumb drives becoming cheaper and cheaper, it is not unthinkable to purchase a 128 GB thumb drive to store pcap
206
Network Mapping
Fig. 4 shows that the Pi can run the network mapping for about 4 hours. We also tested the Nmap scan service for different host numbers and various time intervals and the results are shown in Table 1. It can be found that rhe Pi was capable of scanning an entire subnet using Nmap in just over an hour at its normal timing rate (on the command line interface this is -T3). This is acceptable for a device running of battery power and gives it time do other activities such as alternate scans (such as operating fingerprinting) or launching an active attack. However, at the normal timing rate, Nmap may alert an intrusion detection system that is looking for Nmap scans. Lowering the scan speed even slightly (-T2), Nmap takes over 10 minutes per host and that speed is not designed to avoid intrusion detection systems. Quieter scans (-T0 or -T1) would take even longer, possibly not being able to finish more than one or two hosts before running out of power, but this is the ideal situation for scanning a network with a constant power source and plenty of time. It is able to find every computer on the network and what they are running and only have a very small chance of setting of any alarm.
4.2
Attack
t el ou Tunn tack At
data on, or upload it to an off-site source via the internet connection currently on.
Active Attacks DoS Attack
We tested a DoS attack in which we routed all traffic on a /24 subnet to an invalid gateway. We simulated a light amount of traffic on the network as well. The Pi’s battery was able to keep up a DoS attack for approximately two hours before being depleted as shown in Fig. 4. The smb vulnerability discussed in Section 3.2.1 was also tested on a single machine to verify the Pi could actually deliver the exploit on a network. Although actual long term tests were not conducted, it is safe to assume that has minimal power is consumed while idle, similar battery life to that of the wired packet capture battery life (about 6 hours) should be possible.
4.2.2
MITM Attack
The MITM attack in our testing consisted of using the “sslstrip” tool developed by moxie0. As the attack only targeted one host and did not utilize heavy traffic, the actual battery life in a real world scenario should be much lower than that reported in Fig. 4. However, unlike the WPS attack discussed below, only one session ever needs to be hijacked in order to obtain credentials, meaning that despite low time constraints in a real world scenario, it is quite possible for useable credentials to be obtained early on in the attack.
4.2.3
WPS Pin Bruteforcing Attack
As seen in Fig. 4, the WPS attacks suffered the most from battery drain due to not only their CPU utilization, but also the additional drain on a wireless dongle in order to query the router as part of the attack. Due to the short amount of battery life compared to the amount of time needed to launch the attack (normally around 24 hours) it is not feasible to launch this attack with the current sized battery in our Pi device. Either an AC adapter or an incredibly large
Figure 4: Battery darin time of each attack vector for a Pi device with a 5000mAh battery Table 1: Nmap serice scan results for different host numbers and various timing intervals # of Hosts Timing Open Ports Time 1 -T2 3 6 min 55 sec 1 -T2 23 10 min 19 sec 2 -T2 26 10 min 31 sec 10 -T2 26 6 hr 40 min 40 sec 10 -T3 26 49 sec 255 -T3 26 1 hr 11 min 4 sec
battery would be required to make this attack sucessful.
4.2.4
Fully Automated Exploitation
While testing fully automated exploitation, it was found that the metasploit framework was simply too large for our device to handle. The framework quickly used up the small amount of memory which caused db autopwn to run slowly. The battery lasted about 3 hours for running db autopwn as shown in Fig. 4. So we decided that this attack was infeasible in it’s current state. However, there are some things that may be done in the future to improve the effectiveness of this attack: • Increase the clock speed and amount of available RAM. Similar devices with more powerful hardware are likely to be available in the near future. • Cut down the framework. The metasploit framework was not designed to run on low power devices. Instead it is built to run on a full computer and has many unnecessary features. A trimmed down framework could likely be created to use metasploit’s exploit database but be small enough to be handled by a low power device. • Better vulnerability identification. db autopwn uses a very naive method to filter relative vulnerabilities. This is especially relevant in the case of a web server that port 80 includes an excessively large number of
207
exploits for web services that may not be running. Better vulnerability identification would cut down on the number of ineffective exploits and therefore decrease the time required per host. We also found that this method of automating exploits is unreliable without prior knowledge and uses a large amount of the device’s resources. If the attacker trys to do this attack on a battery, it will likely not finish even one host before running out of power. The attack also tends to have a large footprint on the network and will not be acceptable if the attacker is trying to avoid detection.
4.2.5
Reverse Connection
In our tests, we used a reverse ssh tunnel to allow an attacker from the outside to control the device through a firewall. This works because often the devices inside the firewall are fully trusted and allowed to connect to anywhere outside the firewall. Using a reverse ssh tunnel one can tunnel out of the firewall and then use the tunnel to direct traffic anywhere inside without interference. This method is very effective at bypassing the firewall and allowing an outside attacker to attack from inside. Fig. 4 shows that the battery of our Pi device lasted more than 4 hours by estabilishing a reverse ssh tunnel and occationally testing it. Unfortunately, firewalls that prevent some outgoing connections are also common in real world, especially in a corporate environment. In that case there are several methods
that could be tried to avoid the firewall. • If it is a simple case of port 22 traffic being blocked, one may run ssh on an alternate port. Port 80 is a common choice as web pages are the most common things one needs to access outside the network. • In some cases, the firewall may be doing a form of packet inspection. To get around this, one of the forms of TCP over DNS, TCP over HTTP/S etc. could be used. Assuming there is not a whitelist of outside IP addresses being used, this will bypass any protections in place. However, we did not test any of these methods in this study. • If none of the above work, out-of-band communication using some other medium will then to be resorted. This would be something like a 3G cellular connection or a second wireless network.
5. 5.1
DISCUSSION AND CONCLUSION Countermeasures
As this is a fairly new method of attack, our ideas for countermeasures are fairly theoretical. For the most part, the defense of the network from miniature computers should rely on access control and user education. Access control exists to protect areas of the building from unauthorized use. This can entail ensuring outsiders do not have access to Ethernet jacks in the building, or making sure guests are on a segregated network from anything important to the internal users. As far as powered nodes with wireless capacity, it should be sure that the network is not using any encryption schemes with known vulnerabilities or weak passphrases. If a network needs to be made publicly accessible, separate it from core services and important machines on the network. As far as user education goes, if a building follows proper access control, the only methods left to place a hostile device will be via social engineering. If all employees are vigilant in alerting security about suspicious individuals and not allowing tailgating into restricted areas, it should be incredibly difficult for an attacker to find a valid location for their drop boxes. Finally, it would be wise to be vigilant in updating all software on the network to help minimize the possible impact from most automated attack systems (such as metasploit). If the users are not always aware with what should be updated, many popular packages have mailing lists that will inform individuals when critical updates are released.
5.2
Conclusion and Future Work
In conclusion, small footprint, low power devices are a real threat to a network’s security. With a proper attack, it should be almost impossible to detect. Once getting inside the network, an active attack can be much more damaging in attacking all three security fields: availability via DoS attacks (windows exploits and route poisoning), integrity via MITM attacks such as sslstripping, and privacy via packet capturing to gain access to personally identifiable information or credentials depending on other attacks that might be running. Regardless of the capabilities of the Pi, our testing results reveal that there are still many problems associated with it depending on the attack methodology. However, most of these issues can be solved with more money. For
208
example, the lackluster battery performance we had from our USB battery can be solved by buying some of the more expensive USB batteries on the market with upwards of 20,000-25,000mAh capacity. Alternatively one can just use an AC power socket, although that limits locations to hide the node to prevent protection. The other largely limiting factor of the Pi at this moment is its architecture. As the Pi uses an ARM11 CPU which utilizes the ARMv6 architecture, it tends to have less supported applications than similar platforms. For example, many popular embedded applications/operating systems, such as the all-famous backtrack suite run on the ARMv7 architecture. Despite this limitation, more and more applications are being ported to the Pi every day, such as the pwnieexpress [6] which is a project that has ported many of the commonly used backtrack utilities to the Pi. Overall, the Pi is an incredibly versatile device with a growing community that will likely overcome most of its obstacles in becoming a top-rated penetration testing unit. In future, given additional time and money, it would be interesting to buy a high capacity battery for testing WPS attacks as well as additional duration sniffing or sslstripping attack lengths. Other topics include obtaining a 3G USB broadband device in order to transmit recovered data outof-band back to a central control point undetected through 3G cellular network instead of tunneling out through the network. Utilizing the Pi’s GPIO pins to prevent physical tampering with the unit is also a possiblity as one could set up a hardware event to wipe the unit and phone home if someone opens whatever enclosure for holding the Pi. We may also explore the attack vectors of a miniaturized computer with other OS such as the Android mini computer mentioned in [1]. Finally, we will test the idea of coming up with a unified command and control center and then seeding multiple devices to perform different attacks under the commands from the central server.
6.
REFERENCES
[1] New $74 Android mini computer is slightly larger than a thumb drive, http://arstechnica.com/gadgets/2012/05/ new-74-android-mini-computer-is-slightly -larger-than-a-thumb-drive/. [2] BeagleBone, http://beagleboard.org/static/ beaglebone/latest/README.htm [3] H. Berghel and H. Uecker. WiFi attack vectors. Communications of the ACM, 48(8):21–28, Aug. 2005. [4] What is Cotton Candy? http: //www.fxitech.com/cotton-candy/what-is-it/ [5] Nmap, http://nmap.org [6] pwnieexpress. A raspberry pi pentesting suite by pwnie express. https://github.com/pwnieexpress/Raspberry-Pwn. [7] Pwn Plug Elite, http://pwnieexpress.com/products/pwnplug-elite [8] Raspberry Pi, http://www.raspberrypi.org [9] Reaver-wps. Brute force attack against wifi protected setup. https://code.google.com/p/reaver-wps/. [10] C. Roberts. Biometric attack vectors and defences. Computer & Security, 26:14–25, 2007. [11] S. Salerno, A. Snazgiri, and S. Upadhyaya. Exploration of attacks on current generation
smartphones. In Proc. of the 8th International Conference on Mobile Web Information Systems (MobiWIS), pages 546–553, Niagara Falls, Ontario, Canaga, Sept. 19–21, 2011. [12] S. A. Shaikh, H. Chivers, O. Nobles, J. A. Clark, and H. Chen. Network reconnaissance. Network Security, 2008(11):12–16, Nov. 2008. [13] F. Skopik and Z. Ma. Attack vectors to metering data in smart grids under security constraints. In Proc. of IEEE 36th International Conference on Computer Software and Applications Workshops (COMPSAC 2012), pages 134–139, Izmir, Turkey, July 16–20, 2012.
209
[14] A. Sood and R. Enbody. Targeted cyber attacks: a superset of advanced persistent threats. IEEE Security & Privacy, 11(1):54–61, Jan.–Feb. 2013. [15] S. Viehb¨ ock. Brute forcing wi-fi protected setup. http://sviehb.files.wordpress.com/2011/12/ viehboeck_wps.pdf [16] Wifi-pineapple, http://hakshop.myshopify.com/ products/wifi-pineapple
