Slashdot Mirror


Attacking Game Consoles On Corporate Networks

A pair of security researchers speaking at DefCon demonstrated how video game consoles, which are becoming increasingly common break room or team-building toys, can open vulnerabilities in corporate networks. "[They] found that many companies install Nintendo Wii devices in their workplaces, even though they don’t let you walk into the company with smartphones or laptops. (Factories and other sensitive work locations don’t allow any devices with cameras). By poisoning the Wii, they could spread a virus over the corporate network. People have a false sense of security about the safety of these game devices, but they can log into computer networks like most other computer devices now. In the demos, the researchers showed they could take compromised code and inject it into the main game file that runs on either a DS or a game console. They could take over the network and pretty much spread malware across it and thereby compromise an entire corporation. The researchers said they can do this with just about any embedded device, from iPhones to internet TVs."

25 of 79 comments

  1. Don't plug it to internet by odies · · Score: 3, Insightful

    You know, you could just not plug the game console into the network. There is no reason why a break room and especially team-building games need an internet connection.

    1. Re:Don't plug it to internet by Dayofswords · · Score: 2, Informative

      Not to mention that the Wii doesn't have any good online games. So why connect anyways?

      --
      Someday we'll hit the human carrying capacity. And the band will just play on.
    2. Re:Don't plug it to internet by odies · · Score: 2, Insightful

      And how, exactly, are the "must connect to the server" games, particularly the team games, to be played without either an internet connection (which, in a competent IT setup, would be VLAN'd directly to the internet) or a pirate server?

      And what are those games requiring an internet connection? I can't seem to recall any on consoles.

      Besides if there are such console games, then you just have some other games in the break room. It's not that complicated.

    3. Re:Don't plug it to internet by odies · · Score: 2, Informative

      How about games with obscene DRM that requires you to have an internet connection to an auth server before you're allowed to play?

      You have an example of such a Wii game? Besides, if it has such an obscene DRM you cannot even run it on a hacked console nor modify the game data. This whole story assumes you're running a hacked Wii so that you can run a pirated version of the game that the hackers had modified.

    4. Re:Don't plug it to internet by CrashandDie · · Score: 2, Interesting

      20, maybe. 10? Definitely.

      I remember pulling coax in the early first half of the 90s all over the place. Then ethernet came and made us damn ourselves. Everyone wanted to be connected. Centralised printer, easy file transfer.

    5. Re:Don't plug it to internet by Richard_at_work · · Score: 2, Insightful

      What about them? How about the games console just gets removed from the break room again? Humanity existed without the instant gratification of the Wii for thousands of years, it can survive a lunchtime at work.

    6. Re:Don't plug it to internet by solevita · · Score: 4, Insightful

      The problem isn't network connectivity, the problem would be large flat corporate networks. Why have one network with all your office machines, manufacturing equipment, games consoles and telephones on it? Just create a games console VLAN that has access to the Internet and no routes to any internal networks.

      This story is only a story if your Network Admin knows nothing about network admin.
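
An added example, not part of any comment in this thread: a check that a gateway rule set really gives the console VLAN described in the comment above internet access and no path to internal networks. The subnet, the internal ranges, the `action src dst` rule format and all function names are assumptions made for illustration.

```python
import ipaddress as ip

# Constructed values (assumptions, not from the thread).
CONSOLE_NET = ip.ip_network("10.99.0.0/27")        # small subnet for the consoles
INTERNAL = [ip.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PUBLIC_PROBE = ip.ip_address("203.0.113.10")       # stand-in for "the internet"

def parse(acl):
    """Parse 'action src dst' lines (first match wins); 'any' means 0.0.0.0/0."""
    net = lambda s: ip.ip_network("0.0.0.0/0" if s == "any" else s)
    return [(a, net(s), net(d)) for a, s, d in (l.split() for l in acl.strip().splitlines())]

def permitted_from(src, rules):
    """Destination prefixes one source address may reach under first-match rules."""
    undecided, allowed = [ip.ip_network("0.0.0.0/0")], []
    for action, rsrc, rdst in rules:
        if src not in rsrc:
            continue
        rest = []
        for block in undecided:
            if not block.overlaps(rdst):
                rest.append(block)              # rule says nothing about this block
                continue
            hit = block if rdst.supernet_of(block) else rdst
            if action == "permit":
                allowed.append(hit)
            if hit != block:                    # keep the part of block the rule missed
                rest.extend(block.address_exclude(hit))
        undecided = rest
    return allowed                              # anything still undecided is implicitly denied

def audit(acl):
    """Return (internal ranges reachable, internet reachable) over every console address."""
    rules, leaks, internet_ok = parse(acl), set(), True
    for src in CONSOLE_NET:
        allowed = permitted_from(src, rules)
        internet_ok &= any(PUBLIC_PROBE in a for a in allowed)
        for a in allowed:
            leaks.update(str(i) for i in INTERNAL if a.overlaps(i))
    return sorted(leaks), internet_ok

# Constructed rule sets: a flat network versus an isolated console VLAN.
FLAT = "permit any any"
SEGMENTED = "\n".join(f"deny {CONSOLE_NET} {n}" for n in INTERNAL) \
    + f"\npermit {CONSOLE_NET} any\ndeny any any"

if __name__ == "__main__":
    for name, acl in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(name, audit(acl))
```

Because the audit walks every address in the console subnet, it also flags rule sets where a deny covers only part of the subnet or where a permit is ordered ahead of the denies.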

    7. Re:Don't plug it to internet by TheCarp · · Score: 2, Interesting

      That's no fun! Seriously, it's a corporate world we are talking about, right? Why not a corporate solution? We deal with devices that need some manner of protection all the time.

      You put this into an existing subnet of devices that require internet access but not internal LAN access. If you don't have such a pool of devices, you make such a subnet. Hell, you define a game console VLAN, put all the game consoles in it (even a large company shouldn't have more than a handful), give them a small subnet (a /27 or something), and then set up their gateway router to only allow them to connect out the internet pipe and not to the internal network.

      The real problem, I think, is that such devices are easily overlooked. Some manager putting a Wii in the break room might not realize what the exposures are, and just gets a network drop like any old desktop, and plugs it in.

      -Steve

      --
      "I opened my eyes, and everything went dark again"
    8. Re:Don't plug it to internet by arth1 · · Score: 2, Informative

      And how, exactly, are the "must connect to the server" games, particularly the team games, to be played without either an internet connection (which, in a competent IT setup, would be VLAN'd directly to the internet) or a pirate server?

      And how, exactly, are "must connect to the server" games needed?

      Your argument makes about as much sense as complaining about the lack of dildos and handcuffs in the rest room, because how else can one play orgy games?

    9. Re:Don't plug it to internet by TheCarp · · Score: 4, Insightful

      Of course, I should have pointed out, the project really dies (in a large corporate world) when you see your manager's eyes glaze over as he imagines the hours upon hours of meetings that he will have to attend; to explain to the managers above him, how the networking technology (that he doesn't actually understand) works, so that he can justify asking them to ask the manager of the networking group to assign one of his people to the task of setting up the network portions of this.

      I guarantee that's where the whole plan dies and the Wii in the break room becomes not worth it. At least, at some places I know.

      -Steve

      --
      "I opened my eyes, and everything went dark again"
    10. Re:Don't plug it to internet by Lumpy · · Score: 5, Informative

      It's also moot. It is far easier to get inside the building and install a trojan machine. Hell, a SheevaPlug is $99.00 and with the right stickers can be made to blend in behind any copier or printer, silently sitting there collecting data and mapping things out and reporting home.

      Hell, the dual ethernet one in line with the right printer and it will be fed tons of great documents on the company's secrets that it can email home. Sitting there ignored because it has a big HP printing sticker on it and reports as if it's the printer... Even a super security guru would miss that one in all their security sweeps.

      --
      Do not look at laser with remaining good eye.
    11. Re:Don't plug it to internet by icebraining · · Score: 2, Funny

      Humanity existed without /. too, yet here you are. Having a Wii is fine and probably beneficial to productivity, just don't get games that require an internet connection.

  2. s/Wii/Windows by antifoidulus · · Score: 3, Insightful

    Couldn't you pretty much just replace the word "Wii" with the word "Windows" and have an equally valid article?

    Hooray for trolling!

    1. Re:s/Wii/Windows by Arimus · · Score: 2, Insightful

      To be fair should be :/s/Wii/any\ connected\ device

      Can't think of a single network connected device that couldn't potentially offer an attack vector...

      --
      --- Users are like bacteria -> Each one causing a thousand tiny crises until the host finally gives up and dies.
  3. This isn't going to be a major threat. by Securityemo · · Score: 3, Interesting

    There are probably much easier ways to perform targeted attacks against most organizations. But imagine someone bribing disgruntled Walmart/other low-wage chain employees into replacing cartridges and discs with what they are told are "just pirate copies that'll most likely play perfectly, no harm done really, you'll get a cut off the sales of the originals up front."

    --
    Emotions! In your brain!
  4. Wii at work? by lyinhart · · Score: 3, Insightful

    Wii consoles at work? Never heard of that before. I must be working at the wrong place.

    --
    Freedom is drinking a beer in the park when you're supposed to be at work.
    1. Re:Wii at work? by arth1 · · Score: 2, Insightful

      I too was surprised by the article blurb, because I've never come across any company that provides handheld consoles. Nor one that allows personal equipment to be hooked up to the corporate network.

      Of course, there will always be asshats who disregard what they signed in their term of employment, and do things like private cell phone bluetooth connections to their work computer, or plugging in private USB fobs. And some might use a PSP during lunch break or as an MP3 player, which isn't much of a problem. But consoles provided by the company, hooked up to the network? I refuse to believe that this is common. It might be rare exceptions that coincide with what the kid^Wresearchers frequent.

    2. Re:Wii at work? by ledow · · Score: 2, Insightful

      I once worked at a school that provided PS2's to their "seclusion rooms". It was a disgusting bit of pandering to the "naughty" kids / special needs kids in order to stop them causing trouble. They were also allowed to use mobile phones and would often phone the children in other schools' seclusion units, so we weren't alone in this.

      You can imagine the student's thinking - if I smash the teacher I don't like in the face, I get to go to the seclusion room, play Playstation and phone my friends and not have to do any of this boring school work. Guess what they did again the next day? Or threatened to do if they didn't get their way?

      But yes, it's unusual but not impossible, and in a school we always assume that every computer is compromised anyway. Plugging a Wii in would hardly be unusual, even if just for staffroom hijinks or public display or a million and one other reasons. The difference is - you don't let the damn thing on your administrative networks and don't plug it into the network unless it's 100% necessary, like everything else.

    3. Re:Wii at work? by omni123 · · Score: 2, Informative

      This is definitely not a hypothetical scenario (from the do-consoles-exist-in-the-workplace-standpoint, but certainly a non-issue if your network admin has a clue). My previous three employers have all had game consoles in meeting rooms, sometimes one per floor. The most recent is a large Australian bank which has beer in the fridge, consoles in the kitchen and pool/ping pong tables in the meeting rooms; used mainly by software developers and economists.

      It's a new age.

  5. Network Printers by nukem996 · · Score: 2, Insightful

    The real concern isn't game consoles, it's network printers. Pretty much every company has at least one these days on their network and most of the machines assume it's trusted. All someone would have to do is modify the firmware on one of the printers to start cracking the network. Getting access to the printer would be pretty easy in many cases. Many companies outsource their printing to a third party that fixes them and supplies them with ink and paper. All someone would have to do is pretend to be fixing a printer and they're in.

  6. Am I missing something? by DickeyP · · Score: 2, Insightful

    If an attacker can even get to such a device, doesn't that imply the network has already been compromised? Perhaps not to the level of full control, but enough to target any device, not just game consoles. Or is the OP assuming physical access to these consoles?

  7. How is this different from any network device? by DJRumpy · · Score: 2

    Any properly firewalled device should be protected for the most part. That said, giving anyone physical access to a network device on your internal network exposes this type of weakness. It's a bit ridiculous to state it's on the internal network and then get everyone riled up that it has access to said network resources. The simple fact remains that any network connected device could do this.

    TFA states that they could do this with a pirated version of a game. Although this may be much more common in a home environment, I'm thinking a work supplied device that never leaves the office would be a bit harder to do this to? Some simple physical restraints or claims to limit what media can be placed into it, and proper firewall controls to prevent unauthorized browsing should mitigate this is a big exposure.

    How is this different from any workstation?

  8. Unfortunately, NetAdmin != Sysadmin by RulerOf · · Score: 2, Interesting

    This story is only a story if your Network Admin knows nothing about network admin.

    Plenty of places make their sysadmins set up the network hardware, but the problem is that we're sysadmins, not network admins. It's annoying as all hell, but the fact is that plenty of businesses will forego hiring a networking expert simply because they don't think they need to.

    Given a network and adequate hardware, even I can point out what an appropriate topology would be for the setup, but I just don't know how to do it. I understand the concept of VLANs, routing, DHCP relay, etc., but I just don't know how to configure the hardware. I really wish I did, too, but on the same token I'd rather spend my time and effort working on hardware and OS level stuff and just be able to tell the network guru[s] how I'd like the connectivity to play out.

    ...To give you an idea of my networking ignorance: In spite of the fact that I know VLAN tagging is a modification to ethernet frames themselves (i.e., I know they're a subset of 802.3), I spent god knows how long trying to forward VLAN traffic over a wireless (or 802.11) connection. It wasn't until I called the VoIP provider that I realized what foolishness I had been pursuing for the better part of an hour :-P (In retrospect, if I had gotten EoIP to work in the first place like I had planned, it should have worked)

    --
    Boot Windows, Linux, and ESX over the network for free.
  9. DMZ by davidla · · Score: 2, Insightful

    That's why you put it in its own special little DMZ. Give it access to nothing but the Internet.

  10. Relies on stupidity. by GrumpySteen · · Score: 2, Insightful

    Everything in the article seems to require getting the user to download compromised code and run it on a game system. If you're stupid enough to download random software and run it, you're going to open yourself up to malware regardless of what OS or hardware you do it on.