Miniature Computers That Can Break Your Network Wide Open

Nov 14 2006

By Kurt Seifried (kurt@seifried.org)

One aspect of information security that is often overlooked is physical security. While attention is usually paid to secure areas containing servers, network equipment and telecommunications gear, far less attention has been paid to the fringes of the network. Although some security standards such as 802.1x, and various network access control (NAC) products, exist that can be used to address the network fringe, they all share one major weakness.

Assuming a network has implemented end-to-end security in the form of 802.1x or a network access control (NAC) solution, these all make one major assumption: that a man-in-the-middle attack can't be executed once the endpoint has authenticated. 802.1x addresses the obvious case directly: if the network port detects that the link has been dropped, it requires the endpoint to re-authenticate before it's allowed network access again. If the network hasn't implemented such a scheme, then it becomes trivial to execute a man-in-the-middle attack by physically inserting another computer between the network equipment and the end machine.

But that would be pretty obvious, wouldn't it? I mean, you would think a user (even the dullest one) would notice a second machine plugged into their network drop, with their computer daisy-chained off of it.

Maybe. Maybe not.

The problem is that, like most technology, computers have gotten smaller, faster, cheaper, and did I mention smaller?

[Image: Digi Connect ME]

This is a picture of a fully functional computer that contains a 32-bit ARM processor, a 10/100 network interface, a serial interface, 4 megabytes of flash and 8 megabytes of RAM. My first computer, back in 1994, was a 386 with 4 megabytes of RAM. The real difference is that the Digi Connect ME costs $55 (USD), whereas my first computer cost a lot more.

Now, granted, a device with only one Ethernet port isn't all that useful for conducting a man-in-the-middle attack (unless you use a hub to split the network connection), but extremely small computers with 2 and even 3 Ethernet interfaces, wireless capabilities, large amounts of storage and so on are easily found online. Devices such as the Soekris, a line of computers about the size of a paperback book with up to 4 Ethernet interfaces, Mini-PCI slots for wireless cards, AES encryption accelerators, and CPUs such as an Intel-compatible 486 running at 133 MHz, can be bought for around $200. These devices can run Linux or OpenBSD, and with the device running in bridge mode it can transparently intercept and even inject packets. Thus if such a device were introduced into a network it could easily be used to scan the network for vulnerabilities and launch attacks using tools such as Nmap or Nessus. If network security mechanisms such as 802.1x are in use, the device can simply wait for the endpoint to authenticate, then inject packets into the stream and intercept the responses, neatly bypassing the network security provided by 802.1x.
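The weakness described above is that the switch port trusts whatever arrives after authentication, so an inline bridge sourcing traffic under the authenticated host's MAC address is invisible to 802.1x itself. One thing a defender can do is look at the traffic on the port instead: a single real host emits TCP SYNs with one stable IP-stack fingerprint (initial TTL class and SYN window size), so SYNs carrying the same source MAC but a different fingerprint indicate that a second stack is sourcing packets on that drop. The script below is an added example (not code from the article or any product it mentions); it runs over a constructed, simplified per-segment log whose field names (port, mac, ttl, win, syn) are my own assumption, and flags (port, MAC) pairs whose fingerprint changes.

```python
"""
Added example (not from the original article): a passive consistency check over
per-host TCP SYN observations on 802.1x access ports.

Input is a constructed, simplified segment log; the field names are assumptions,
not the format of any real switch or sensor.
"""
import re

# Constructed sample. Gi1/0/7 shows a Windows-like stack (TTL class 128,
# window 65535) with one SYN that came from a Linux-like stack (TTL class 64,
# window 5840) under the same MAC. Gi1/0/9 is a consistent Linux-like host
# whose TTL varies only by hop count.
SAMPLE_LOG = """\
port=Gi1/0/7 mac=00:1b:63:aa:bb:cc ttl=126 win=65535 syn=1
port=Gi1/0/7 mac=00:1b:63:aa:bb:cc ttl=126 win=65535 syn=1
port=Gi1/0/7 mac=00:1b:63:aa:bb:cc ttl=126 win=65535 syn=0
port=Gi1/0/7 mac=00:1b:63:aa:bb:cc ttl=62 win=5840 syn=1
port=Gi1/0/7 mac=00:1b:63:aa:bb:cc ttl=126 win=65535 syn=1
port=Gi1/0/9 mac=00:1b:63:11:22:33 ttl=62 win=5840 syn=1
port=Gi1/0/9 mac=00:1b:63:11:22:33 ttl=61 win=5840 syn=1
"""

LINE_RE = re.compile(r"port=(\S+) mac=(\S+) ttl=(\d+) win=(\d+) syn=([01])")


def initial_ttl_class(ttl: int) -> int:
    """Map an observed TTL to the nearest common initial TTL (64, 128 or 255).

    Hop count lowers the TTL a little, so 126 and 62 map to 128 and 64.
    """
    for base in (64, 128, 255):
        if ttl <= base:
            return base
    return 255


def parse_line(line: str):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    port, mac, ttl, win, syn = m.groups()
    return {"port": port, "mac": mac, "ttl": int(ttl),
            "win": int(win), "syn": syn == "1"}


def find_fingerprint_conflicts(log_text: str):
    """Return a list of (port, mac, baseline_fp, observed_fp) tuples.

    The first SYN seen for a (port, mac) pair sets that pair's baseline
    fingerprint; every later SYN from the same pair must match it.
    """
    baseline = {}
    conflicts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["syn"]:
            continue  # only SYNs carry the OS-specific initial window size
        key = (rec["port"], rec["mac"])
        fp = (initial_ttl_class(rec["ttl"]), rec["win"])
        if key not in baseline:
            baseline[key] = fp
        elif fp != baseline[key]:
            conflicts.append((rec["port"], rec["mac"], baseline[key], fp))
    return conflicts


if __name__ == "__main__":
    for port, mac, base, seen in find_fingerprint_conflicts(SAMPLE_LOG):
        print(f"{port} {mac}: baseline {base}, observed {seen}")
```

On the sample this reports one conflict on Gi1/0/7 and nothing on Gi1/0/9, because a TTL that differs only by hop count still maps to the same class. The check is a heuristic rather than proof: its value is in raising a ticket that sends someone to physically inspect the drop, which is the control the article argues for.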

Alternatively, if you're feeling lazy, you can buy a device called the "Yoggie", which is designed as a miniature firewall and VPN device with two Ethernet ports and runs Linux, and repurpose it as a network attack device by loading different software onto it.

Yes, it really is that easy.

http://www.soekris.com/

http://www.projectblackdog.com/

http://linuxdevices.com/news/NS2860172381.html

http://www.digi.com/products/embeddedsolutions/digiconnectme.jsp

Posted by Kurt.Seifried on Tuesday, November 14th, 2006, at 8:00 am, and filed under Articles, Technical.
