Wireless “Doom” Box

Please excuse me for a moment while I change into my “used cars salesmen” motif: “Welcome to the Wonderful World of Disposable Devices. You can reprogram these with relative ease and leave them behind to conduct the crime for you!” Hmm, I guess I’ll stick with the day job. Anyways, this is the direction that the attackers are taking. Think beyond rogue access points connected into your network, cleverly hidden in strange objects. Think about completely passive devices that can be easily hidden, lurking in the shadows of your environment, sniffing and storing the content of the airwaves.

In my last article, I discussed a couple of attacks that could be carried out against wireless networks. What I want for you to think about right now is the risk versus reward for the attacker. I’ll oversimplify many of the options by saying the risk is being caught and getting to know Bubba, while the reward is your corporate treasure trove of proprietary information. Because the reward is so great and that most of us don’t quite relish the concept of being incarcerated, the attacker would prefer to put themselves as far away from the victim as they can. Historically speaking, the ability to separate the attacker from the victim has been largely impossible. However being that these attacks are WiFi related, and as you’ve guessed correctly, this no longer holds true. With this wireless hack, the attacker can now use their own wireless network to collect the stored information from the appliance.

About three years ago, I gave a demonstration of just this appliance at a security conference in Philadelphia. There were a couple of concerns on how an organization can detect and defend against these kinds of malicious devices. Concerns regarding lack of trespassing (it’s wireless, it doesn’t have to be on your campus), destruction of the evidence (put it in an ammo box with a battery, you can guess what a bomb squad would do), and where exactly the crime in the activity is (the device doesn’t join the network, and when the attacker downloads the data they will be using their own private network). As you know, people are already using rogue 802.11 and Bluetooth access points to infiltrate networks; others have made the leap of putting a battery pack on the device to leave them behind. As such, if it hasn’t happened already, then start keeping your eye’s peeled for suspicious “idling” devices.

What does this mean without the FUD? The real likelihood of being targeted in this manner is realistically low. The devices are still very cheap to assemble, but the “lay-hacker” probably will want to retrieve it due to any number of reasons (emotional attachment, the coolness of the device, not wanting to have to make another, etc). This leaves the last group of likely people to conduct this exercise to be the ones who are determined to get your goods, and if that’s the case you have a bigger problem to solve.

I was asked “How are we all to defend against this particular kind of attack?” This is an interesting problem as it’s not a rogue device that is in the network, and is more of a physical security concern than anything else (remember that it has to be near by). Physical security inspections and plant spot checks would be a good start, but more importantly educating your technical staff to not take things at face value. Looking for “network” devices that are powered but not plugged into any infrastructure is a good start, and if you see a stuffed teddy bear plugged into the wall, unplugging it would be a wise decision. If you see a RJ-45 Ethernet connector in your switch, but no cable, you should raise suspicion. Similarly if your infrastructure if Brand-A and there’s a Brand-X device near by, ask questions as to why it’s there. As networked and computing devices become cheaper, the ability for disposable attacks to occur increases. Stay alert, stay vigilant, and be creative in your solutions.

Extra Resources:




Post a Comment

Your email is never published nor shared. Required fields are marked *