Slashdot Mirror

← Back to Stories (view on slashdot.org)

Attacking Game Consoles On Corporate Networks

Posted by Soulskill on from the waggle-the-wiimote-to-lock-it-down dept.

A pair of security researchers speaking at DefCon demonstrated how video game consoles, which are becoming increasingly common break room or team-building toys, can open vulnerabilities in corporate networks. "[They] found that many companies install Nintendo Wii devices in their work places, even though they don’t let you walk into the company with smartphones or laptops. (Factories and other sensitive work locations don’t allow any devices with cameras). By poisoning the Wii, they could spread a virus over the corporate network. People have a false sense of security about the safety of these game devices, but they can log into computer networks like most other computer devices now. In the demos, the researchers showed they could take compromised code and inject it into the main game file that runs on either a DS or a game console. They could take over the network and pretty much spread malware across it and thereby compromise an entire corporation. The researchers said they can do this with just about any embedded device, from iPhones to internet TVs."

14 of 79 comments (clear)

  1. Don't plug it to internet by odies · · Score: 3, Insightful

    You know, you could just not plug the game console into network. There is no reason why a break room and especially team-building games need an internet connection.

    1. Re:Don't plug it to internet by odies · · Score: 2, Insightful

      And how, exactly, are the "must connect to the server" games, particularly the team games, to be played without either an internet connection (which, in a competent IT setup, would be VLAN'd directly to the internet) or a pirate server?

      And what are those games requiring an internet connection? I can't seem to recall any on consoles.

      Besides if there are such console games, then you just have some other games in the break room. It's not that complicated.

    2. Re:Don't plug it to internet by Richard_at_work · · Score: 2, Insightful

      What about them? How about the games console just gets removed from the break room again? Humanity existed without the instant gratification of the Wii for thousands of years, it can survive a lunchtime at work.

    3. Re:Don't plug it to internet by solevita · · Score: 4, Insightful

      The problem isn't network connectivity, the problem would be large flat corporate networks. Why have one network with all your office machines, manufacturing equipment, games consoles and telephones on it? Just create a games console VLAN that has access to the Internet and no routes to any internal networks.

      This story is only a story if your Network Admin knows nothing about network admin.

    4. Re:Don't plug it to internet by TheCarp · · Score: 4, Insightful

      Of course, I should have pointed out, the project really dies (in a large corporate world) when you see your managers eyes glaze over as he imagines the hours upon hours of meetings that he will have to attend; to explain to the managers above him, how the networking technology (that he doesn't actually understand) works, so that he can justify asking them to ask the manager of the networking group to assign one of his people to the task of setting up the network portions of this.

      I guarantee thats where the whole plan dies and the Wii in the break room becomes not worth it. At least, at some places I know.

      -Steve

      --
      "I opened my eyes, and everything went dark again"
  2. s/Wii/Windows by antifoidulus · · Score: 3, Insightful

    Couldn't you pretty much just replace the word "Wii" with the word "Windows" and have an equally valid article?

    Hooray for trolling!

    --
    Monstar L
    1. Re:s/Wii/Windows by Arimus · · Score: 2, Insightful

      To be fair should be :/s/Wii/any\ connected\ device

      Can't think of a single network connected device that couldn't potentially offer an attack vector...

      --
      --- Users are like bacteria -> Each one causing a thousand tiny crises until the host finally gives up and dies.
  3. Wii at work? by lyinhart · · Score: 3, Insightful

    Wii consoles at work? Never heard of that before. I must be working at the wrong place.

    --
    Freedom is drinking a beer in the park when you're supposed to be at work.
    1. Re:Wii at work? by arth1 · · Score: 2, Insightful

      I too was surprised by the article blurb, because I've never come across any company that provides handheld consoles. Nor one that allows personal equipment to be hooked up to the corporate network.

      Of course, there will always be asshats who disregard what they signed in their term of employment, and do things like private cell phone bluetooth connections to their work computer, or plugging in private USB fobs. And some might use a PSP during lunch break or as an MP3 player, which isn't much of a problem. But consoles provided by the company, hooked up to the network? I refuse to believe that this is common. It might be rare exceptions that coincide with what the kid^Wresearchers frequent.

    2. Re:Wii at work? by ledow · · Score: 2, Insightful

      I once worked at a school that provided PS2's to their "seclusion rooms". It was a disgusting bit of pandering to the "naughty" kids / special needs kids in order to stop them causing trouble. They were also allowed to use mobile phones and would often phone the children in other school's seclusion units, so we weren't alone in this.

      You can imagine the student's thinking - if I smash the teacher I don't like in the face, I get to go to the seclusion room, play Playstation and phone my friends and not have to do any of this boring school work. Guess what they did again the next day? Or threatened to do if they didn't get their way?

      But yes, it's unusual but not impossible, and in a school we always assume that every computer is compromised anyway. Plugging a Wii in would hardly be unusual, even if just for staffroom hijinks or public display or a million and one other reasons. The difference is - you don't let the damn thing on your administrative networks and don't plug it into the network unless it's 100% necessary, like everything else.

  4. Network Printers by nukem996 · · Score: 2, Insightful

    The real concern isn't game consoles its network printers. Pretty much every company has at least one these days on their network and most of the machines assume its trusted. All someone would have to do is modify the firmware on one of the printers to start cracking the network. Getting access to the printer would be pretty easy in many cases. Many companies out source their printing to a third party that fixes them and supplies them with ink and paper. All someone would have to do is pretend to be fixing a printer and they're in.

  5. Am I missing something? by DickeyP · · Score: 2, Insightful

    If an attacker can even get to such a device, doesn't that imply the network has already been compromised? Perhaps not to the level of full control, but enough to target any device, not just game consoles. Or is the OP assuming physical access to these consoles?

  6. DMZ by davidla · · Score: 2, Insightful

    That's why you put it in it's own special little DMZ. Give it access to nothing but the Internet.

  7. Relies on stupidity. by GrumpySteen · · Score: 2, Insightful

    Everything in the article seems to require getting the user to download compromised code and run it on a game system. If you're stupid enough to download random software and run it, you're going to open yourself up to malware regardless of what OS or hardware you do it on.