Attacking Game Consoles On Corporate Networks

A pair of security researchers speaking at DefCon demonstrated how video game consoles, which are becoming increasingly common break room or team-building toys, can open vulnerabilities in corporate networks. "[They] found that many companies install Nintendo Wii devices in their work places, even though they don’t let you walk into the company with smartphones or laptops. (Factories and other sensitive work locations don’t allow any devices with cameras). By poisoning the Wii, they could spread a virus over the corporate network. People have a false sense of security about the safety of these game devices, but they can log into computer networks like most other computer devices now. In the demos, the researchers showed they could take compromised code and inject it into the main game file that runs on either a DS or a game console. They could take over the network and pretty much spread malware across it and thereby compromise an entire corporation. The researchers said they can do this with just about any embedded device, from iPhones to internet TVs."

Don't plug it to internet

[odies]

You know, you could just not plug the game console into network. There is no reason why a break room and especially team-building games need an internet connection.

Re:Don't plug it to internet

[solevita]

The problem isn't network connectivity, the problem would be large flat corporate networks. Why have one network with all your office machines, manufacturing equipment, games consoles and telephones on it? Just create a games console VLAN that has access to the Internet and no routes to any internal networks.

This story is only a story if your Network Admin knows nothing about network admin.

Re:Don't plug it to internet

[TheCarp]

Of course, I should have pointed out, the project really dies (in a large corporate world) when you see your managers eyes glaze over as he imagines the hours upon hours of meetings that he will have to attend; to explain to the managers above him, how the networking technology (that he doesn't actually understand) works, so that he can justify asking them to ask the manager of the networking group to assign one of his people to the task of setting up the network portions of this.

I guarantee thats where the whole plan dies and the Wii in the break room becomes not worth it. At least, at some places I know.

-Steve

Re:Don't plug it to internet

[Lumpy]

It's also moot. It is far easier to get inside the building and install a trojan machine. Hell a sheevaplug is $99.00 and with the right stickers can be made to blend in behind any copier or printer silently sitting there collecting data and mapping things out and reporting home.

Hell the dual ethernet one in line with the right printer and it will be fed tons of great documents on the companies secrets that it can email home. sitting there ignored because it has a big HP printing sticker on it and reports as if its the printer... Even a super security guru would miss that one in all their security sweeps.

s/Wii/Windows

[antifoidulus]

Couldn't you pretty much just replace the word "Wii" with the word "Windows" and have an equally valid article?

Hooray for trolling!

This isn't going to be a major threat.

[Securityemo]

There are probably much easier ways to perform targeted attacks against most organizations. But imagine someone bribing disgruntled wallmart/other low-wage chain employees into replacing cartridges and discs with what they are told are "just pirate copies that'l most likely play perfectly, no harm done really, you'l get a cut off the sales of the originals up front."

Wii at work?

[lyinhart]

Wii consoles at work? Never heard of that before. I must be working at the wrong place.