Slashdot Mirror

← Back to Stories (view on slashdot.org)

Raspberry Pi As Hardware Backdoor

Posted by timothy on from the where-you-can-stick-it dept.

An anonymous reader writes "NCC Group has released a new whitepaper at the Blackhat Europe conference on using a Raspberry PI as a hardware-based backdoor (PDF) in laptop docking stations. From the paper: 'The IT department is typically more concerned about someone stealing your laptop, so they'll ask you to secure your laptop with a Kensington-style lock, but not necessarily to secure the dock. This paper details how attackers can exploit the privileged position that laptop docking stations have within an environment. It will also describe the construction of a remotely controllable, covert hardware implant, but most importantly it will discuss some of the techniques that can be employed to detect such devices and mitigate the risks that they pose.'"

56 of 76 comments (clear)

  1. Surprise!!! by bferrell · · Score: 5, Insightful

    If you have physical access, you can do bad things. Is this really news or simply fear mongering?

    1. Re:Surprise!!! by dreamchaser · · Score: 3, Insightful

      You hit the nail on the head. It's just fear mongering and there is nothing new to see here.

    2. Re:Surprise!!! by blackicye · · Score: 3, Insightful

      This is similar to dropping a Sega Dreamcast into a network as an inexpensive hardware backdoor.

      If your company has been physically compromised you probably need to start sweeping for bugs and bringing in the bomb sniffer dogs as well ;)

    3. Re:Surprise!!! by Garridan · · Score: 4, Interesting

      Naw, the paper is a good read. Fun pictures, funnier security recommendations. I'd love to see the IT guy who goes around weighing people's docking stations. Poor sap would end up taking night shifts just to avoid the teasing.

    4. Re:Surprise!!! by gweihir · · Score: 4, Informative

      It is just a nice demonstration of something that has been known for a long time. As such, the _demonstration_ is news, but not the possibility itself.

      I must say however, that the motto "freedom from doubt" on the paper is pure snake-oil, as IT security cannot achieve that and anybody that claims this is a liar. What IT security can to is reduce risks and make it harder for an attacker to get in. When the attacker has to spend more than the protected information is worth, you could say that you have "perfect security" or "freedom form doubt", but that does not happen in practice. The problem is that you cannot estimate the worth if your secret data to the attacker reliably. For example, your attackers may be fanatics (maybe even in the form of a fanatics-run nation state) and hence may be completely irrational and attribute value to the secret data or the successful break-in itself that is far beyond any rational estimates.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re:Surprise!!! by Sulphur · · Score: 1

      You hit the nail on the head. It's just fear mongering and there is nothing new to see here.

      I find your lack of faith in the Fear disturbing.

    6. Re:Surprise!!! by Sigg3.net · · Score: 1

      Yup. And at the same time many small-medium businesses run printers with web servers wholly unprotected.

      --
      Defining Statistics and Social Research
  2. Raspberry pi nothing, printers are the real danger by Dwedit · · Score: 5, Insightful

    Forget raspberry pi, the real danger is your printer. Printers can have their firmware upgraded by printing a special PDF file. They are networked devices. Once hacked, they can carry out attacks, act as backdoors, or even send a copy of everything printed to an attacker.

  3. someting so huge by silas_moeckel · · Score: 4, Insightful

    Why use a R pi when you can get linux boxes the size of Ethernet jacks? Because the R Pi is "cool"?

    --
    No sir I dont like it.
    1. Re:someting so huge by gweihir · · Score: 2

      No, because the Pi has the power to actually follow the Ethernet stream and it has the number of needed interfaces. Your miniature Linux device cannot follow both directions passively (the Pi can once you add a second Ethernet interface via USB), and it is far too slow for even one direction. Typically, these small things cannot even handle full-sized Ethernet packets and have to pause after each packet received. The one I have also does not have a "promiscuous" mode at all, making it entirely unsuitable. So, no, not because the R Pi is "cool", but because it can get the job done.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:someting so huge by drinkypoo · · Score: 1

      So, no, not because the R Pi is "cool", but because it can get the job done.

      An old pogoplug not only has the horsepower to handle the traffic, but also the ethernet interface that will reliably deliver the packets. Which is why before we heard about the pwnie pad we heard about the pwnie plug. It has the added benefit of being cheaper than a Raspberry Pi, and the missing video output won't be missed in this context.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:someting so huge by gweihir · · Score: 1

      A PogoPlug is not a "Linux in an Ethernet connector" solution at all. If anything, it is a variation on the Raspberry Pi and its PCB may actually be larger. Whether you use the Raspberry Pi or equivalent hardware for this attack is completely unimportant. Also, the price difference is completely unimportant, as even the Raspberry Pi costs less than one engineering hour and you may already need that hour to get the PogoPlug board out of its case.

      I should also note that there is no "reliably deliver the packets" here, as this is a purely _passive_ sniffer.

      I have no idea where you get your price-estimates: A PogoPlug sells for 2-3 times of what a Raspberry Pi costs. This is not a home-project. If you invest this much effort to place a thing like this, you will use new hardware and a few hundred EUR/USD will be completely immaterial.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:someting so huge by silas_moeckel · · Score: 2

      You think the Pi is going to keep up real time on gige? Not much is running 100bt anymore. Yea the little ones are not that powerful but neither is the Pi.

      --
      No sir I dont like it.
    5. Re:someting so huge by arth1 · · Score: 1

      I have no idea where you get your price-estimates: A PogoPlug sells for 2-3 times of what a Raspberry Pi costs.

      The R-pi doesn't have all you need out of the box - you need to add to it, making the final costs much higher.

    6. Re:someting so huge by gweihir · · Score: 1

      For GbE, this would not work, as the Pi does not do GbE and adding it via USB requires USB3.0, also not present on the Pi. But here is the thing: This is for attack on a corporate network, and these very rarely use GbE for the individual sockets. The standard is to run GbE or faster to the group/department/building-level switch and then distribute with 100Mb/s Ethernet only. As replacing cabling is expensive, GbE cabling is more sensitive and more expensive, GbE department switches are more expensive, and there is no need for the higher bandwidth, I expect this will remain the norm for quite some time. You can still have GbE or faster for servers.

      So, yes, 100Mb/s Ethernet is still pretty much the standard.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    7. Re:someting so huge by arth1 · · Score: 1

      Perhaps where you work - where I work, we replaced 100 Mb with 1000 Mb several years ago. Every desk even has a GbE switch.

      Cat 5e doesn't cost more. Cat 6 does, but you generally only use it for stretches between patch bays, not to individual computers due to the stiffness and lack of need.

    8. Re:someting so huge by gweihir · · Score: 1

      Well, sure, if the network security people are bloody amateurs, that can work. In professionally managed environments, that thing will trigger alerts and may not even get any connectivity at all. Hint: Professionally run networks have inventories of MAC addresses known (look it up if you do not know what an "inventory" or a "MAC" is). This story is not targeted at your amateur-level "hacking", the device demonstrated uses entirely passive Ethernet sniffing for a reason. Of course there are still a lot of company networks, were the network people have no clue and you can connect anything without raising an alert.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    9. Re:someting so huge by dfghjk · · Score: 1

      ...costs less than one engineering hour..."

      Yes, everyone who is implanting backdoors in docking stations is paying an engineer's salary to do so. ;)

      "it is a variation on the Raspberry Pi..."

      Here's a guy who knows his history...

    10. Re:someting so huge by silas_moeckel · · Score: 1

      Are you stuck somewhere in the late 90's? At this point it's not possible to buy a 100bt switch to use in a corp environment. Your bottom end is all ge, 10ge uplinks in the middle and 10ge switches for larger servers. Sure some corp buildings are odd I can think of a couple fortune 500's that are using token ring (replacing it requires lots of demo work).

      You really need a device with USB target support so you can grab all keyboard input. There are plenty of soc's that fit the bill much better than a R Pi. 802.1AE is getting more widespread so a usb target (or pcie) faking a nic that has 802.1AE offload might get you a lot farther. Would also want to see a wifi nic and high powered Bluetooth.

      --
      No sir I dont like it.
    11. Re:someting so huge by BitZtream · · Score: 2

      The Pi can't keep up with any much of an ethernet stream. It might be able to intercept the occasional web page but thats about it.

      My 'docking station' is gigabit ethernet, though most are 100mb still ... Just exactly how do you plan to have the Pi keep up with something it simply doesn't have the bandwidth to follow. People are most certainly going to notice when their email is now suddenly slower to sync at the office than it is over their cell phone.

      It CAN NOT move anywhere CLOSE to 100mb/s of data through its USB subsystem. Hell, the thing goes nuts and has all sorts of crazy issues if you get anywhere near stressing the USB subsystem with 5 or 6.

      USB, and due to design that means ethernet as well, is HORRIBLY BROKEN on the Pi. Using it for a network tool is a bad idea on many levels, the networking being all done over USB would be the first indicator.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    12. Re:someting so huge by gweihir · · Score: 1

      LOL! You quote mass-production in one answer and _then_ you quote prices that you cannot get at quantity? How stupid is that? I think it is pretty clear who is not using his brain here....

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    13. Re:someting so huge by gweihir · · Score: 1

      ...costs less than one engineering hour..."

      Yes, everyone who is implanting backdoors in docking stations is paying an engineer's salary to do so. ;)

      Quite obviously so? Or do you think that amateurs can manage such a project including deployment and use in the field and using the data gained?

      "it is a variation on the Raspberry Pi..."

      Here's a guy who knows his history...

      "A variation of" when commenting on the selection of a component does not imply any temporal order of invention.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    14. Re:someting so huge by servant · · Score: 1

      Why RPi? Easy, cheap, available. Yep, there are others smaller, but being 'less to engineer' and lots of 'howtos' and examples available to promote the use. Make a better equivalent (and promote it), and they will come. ... It used to be Intel and Motorola embedded products, then PIC, not things keep changing and the RPi is the current implementation. ... Wait a while and it will change again.

      --
      ... "When you pry the source from my cold dead hands."
    15. Re:someting so huge by Sigg3.net · · Score: 1

      Because you bought one and can't figure out what to do with it;)

      --
      Defining Statistics and Social Research
  4. article wrong on voltage divider for power source by Anonymous Coward · · Score: 3, Interesting

    The voltage divider shown couldn't deliver any significant current (less than 1 milliamp). The Pi is rated for about 1 Amp. Somebody is proud of their voltage divider equation but doesn't understand it. Unimpressed!

  5. Cellphone by gmuslera · · Score: 2

    Why to bring an obvious "strange device" at the eyes of the unsuspecting to connect to a company laptop if you can bring a cellphone for doing the same task? (if current cellphones are too braindead/locked for that, an N900 should be more than enough).

    If you don't care about being subtle, just rebooting with a bootable pendrive or disarming the notebook to extract the HD should do the word, but a cellphone is something that could not raise suspicion, you can always say that is for recharging the battery (and again, with an N900, will make even more sense)

    1. Re:Cellphone by gweihir · · Score: 1

      Simple: The cellphone does not get wired Ethernet access, it does not get access to the Laptop keyboard, screen, etc. The whole pointy of this demo is that you can watch somebody while they are working.

      You are describing an entirely different type of attack (valid nonetheless).

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:Cellphone by SQLGuru · · Score: 2

      I've seen USB dongles that let Android devices have pretty much anything you want. Your phone can have Ethernet access.

      http://usbtips.com/usb-otg-adapter-connects-usb-accessories-to-your-android-device/

    3. Re:Cellphone by gweihir · · Score: 1

      Yes, but how to you insert it for passive eavesdropping? Put the cellphone into the docking station? That does not make sense as it might be possible, but far, far more effort than using something like the Raspberry Pi. Face it: For this type of attack (trojaned hardware), a phone is the wrong platform.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:Cellphone by BitZtream · · Score: 1

      Neither does the Raspberry Pi, technically.

      It certainly isn't doing anything with the screen. Its 'ethernet' is over USB, and its USB implementation is utterly asstastic and has a hard time keeping up with copy/paste over SSH, let alone a real ethernet stream of data. It isn't going to be doing passive monitoring of USB keyboards worth a shit either ... again due to its absolutely shitty USB subsystem.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  6. This article is not about Raspberry Pi... by fufufang · · Score: 3, Interesting

    It is about people hacking the docking station for laptops...

    If the victim is very important to the organisation which conducts hacking, a custom made PCB might be implant into the docking station... There is no need to use Raspberry Pi, which would make the whole thing very amateur.

    1. Re:This article is not about Raspberry Pi... by Dan+East · · Score: 2

      Further, Raspberry Pis cannot act as a slave USB device, only a host (it is a hardware limitation in the way the chipset was physically connected to the USB port - required components for USB slave are not in place). Thus USB could not be the physical connectivity in a dock. The only other option would be to use the GPIO pins directly to try and emulate the OEM's proprietary dock connector, however I very much doubt the pi could communicate at a high enough rate to communicate with the laptop. The bandwidth of the dock port would have to be very high to support USB, LAN, etc, all in parallel.

      It would be far easier to take a stock dock and embed a USB flash drive in it hardwired to one of the existing ports. Then if autorun is still enabled on the laptop the payload would be executed.

      --
      Better known as 318230.
    2. Re:This article is not about Raspberry Pi... by AHuxley · · Score: 2

      It depends on how you look at the ongoing data situation.
      Can you get physical access to the site - just once?. Laptops, computers, code, admins change all the time and are getting smarter with more security options/work loads.
      Spy-Pi using a Raspberry Pi Model B would allow for a secure way out for any data obtained via a network that can be updated remotely.
      This might be better long term as the main OS, any thin clients, boxes, web 2.0, cloud devices, printers, laptops might be kept ~100% clean over time.
      http://www.forbes.com/sites/andygreenberg/2012/01/27/darpa-funded-hackers-tiny-50-spy-computer-hides-in-offices-drops-from-drones/
      is a more easy to understand idea - you "drop" a small computer in to hack from vs trying to "own" an onsite computer over time.
      In this paper the " Raspberry Pi " is used vs say a PogoPlug mini-computer.
      The other neat part about a Pi is you have less info on who planted it if its found. A quality custom made PCB points to a more expensive hackers, state funding, other commercial interests.
      A Raspberry Pi with average code keeps the target guessing for a just a while longer.

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:This article is not about Raspberry Pi... by Anonymous Coward · · Score: 5, Interesting

      One approach we've seen on attacks on us, i.e. drives people find in the parking lot, is that the device appears as a composite device. Part of it shows up as an almost empty USB drive with a couple of innocuous Word documents, as long as you don't show hidden files and directories. However, the second and third parts are HID, when idle for too long, the new keyboard will try to do windows key+R -> "iexplore malwaresite". They also do other attacks using that means of access of a combination USB drive, keyboard and mouse.

    4. Re:This article is not about Raspberry Pi... by drinkypoo · · Score: 1

      MSP430, about $20, can be a USB device or host. But it doesn't have any processor power to speak of. It would be fine for that part of the hack, though.

      Of course, an Arduino can do this job...

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:This article is not about Raspberry Pi... by guruevi · · Score: 1

      Arduino can act as both slave and master and get spi access to other busses in the device. It's not uncommon to see both pi and arduino in a project as they have each their strengths and weaknesses. For real-life production, you can then simplify it down to the same ARM and Atmel chips + peripherals on a single board.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
  7. Re:Raspberry pi nothing, printers are the real dan by gweihir · · Score: 2

    The problem is just that programming a Raspberry Pi is very easy, while programming a printer is pretty hard.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  8. Re:article wrong on voltage divider for power sour by gweihir · · Score: 5, Informative

    Hehehehe, fascinating!

    In addition, these people do not know that a voltage divider is entirely unsuitable for powering anything with variable current consumption. The easy solution would be to use a switching-mode 5V 1A regulator module like the Traco Power TSR 1-2450. My guess is they never powered the Raspberry Pi from the 19V input. These people seem to understand digital electronics to some degree, but gave no clue about analog electronics.

    The demo is nice nonetheless.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  9. Re:article wrong on voltage divider for power sour by Alwin+Henseler · · Score: 3, Informative

    Given the overall level of detail, the stupidity in this chapter "Power considerations" kind of amazed me. Calculations look correct btw, result just doesn't hold up when you draw up to 1A.

    Probably the person(s) who figured out most of the info, person writing this chapter, and person putting everything together, must be different people. Otherwise this chapter would surely have been re-written.

  10. Re:article wrong on voltage divider for power sour by gweihir · · Score: 2

    Sounds plausible to me. I also guess this was finished in some haste to get it to the conference in time. For example, the video-grabbing is not implemented, while I see no fundamental problem with that.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  11. Re:article wrong on voltage divider for power sour by deimtee · · Score: 1

    I was going to suggest a simple 7805, but the TSR-2450 would be much better heat-wise.
    Damn, power supplies are getting small. That thing is 11 x 10 x 7 mm!

    --
    I'm guessing that wasn't on their radar screen...
  12. Re:Raspberry pi nothing, printers are the real dan by BitterOak · · Score: 2

    The problem is just that programming a Raspberry Pi is very easy, while programming a printer is pretty hard.

    But all it takes is one very smart programmer to do that programming, then the exploit code can be distributed or sold to whoever wants to launch an attack.

    --
    If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
  13. Re:article wrong on voltage divider for power sour by gweihir · · Score: 1

    A 7805 would work, but generate a lot of heat and require a relatively large heat-sink. The TSR-2450 is pretty amazing, also because it is probably cheaper than the 7805 when you take the cost of the heat-sink and mounting materials into account.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  14. Re:Raspberry pi nothing, printers are the real dan by gweihir · · Score: 1

    Once it is distributed or sold, it becomes almost worthless. The thing with these attacks is that you need to stay undiscovered for longer times in order for the information you gather to stay valuable. This is not something that is worthwhile doing with bought attack code. People that buy their attack code typically earn very little money from their attacks.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  15. Re:Raspberry pi nothing, printers are the real dan by gweihir · · Score: 1

    All doable and valid. This does not devalue the idea to go into a docking station, and the docking station has some unique advantages,like access to keyboard and video output that a pure network hardware Trojan does not have.

    Not, the demonstration is not any kind of breakthrough, but a nice piece of hardware hacking (if not done too competently here, see e.g. the missing actually working video-grabbing and the botched power supply issue).

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  16. Re:Raspberry pi nothing, printers are the real dan by PolygamousRanchKid+ · · Score: 1

    The problem is just that programming a Raspberry Pi is very easy, while programming a printer is pretty hard.

    Remember the old HP printer message April Fools' gag: http://kovaya.com/miscellany/2007/10/insert-coin.html . . . ?

    How about modifying that so the victims are instructed to enter their userids and passwords . . . ?

    --
    Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
  17. Re:Those are still around? by jawtheshark · · Score: 1

    Yes, very common in companies. Actually, I wouldn't buy laptops that lack them for the company I work for.

    --
    Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
  18. ah yes the raspberry pi fanboys are here to mod by drinkypoo · · Score: 1

    I've had two comments pointing out the truth about the Raspberry Pi modded down. It's a fact that it has flaky USB, and it's a fact that the ethernet is attached to it. Therefore it's a fact that it has poorly-implemented Ethernet. You can argue or abuse moderation all day and it won't change the fact that the Raspberry Pi is a poor choice for a sniffer by any critera. The single most important factor in a sniffer is working networking, which the Pi lacks.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  19. Or the Lightning AV adapter for that matter by gelfling · · Score: 1

    It was discovered that these adapter cables contain a microcomputer in them. Why not put your backdoor in the cable itself.

    1. Re:Or the Lightning AV adapter for that matter by gl4ss · · Score: 1

      because that's hard - finding a docking stating big enough to slap a raspberry pi with a usb soundcard in it is easy.
      isn't thunderbolt directly connected to the bus in the computer anyhow? or at least supposed to.

      --
      world was created 5 seconds before this post as it is.
  20. Easier to extend? by andersh · · Score: 1

    Is it possibly easier to add custom hardware to the Raspberrry Pi? I mean they're both Linux boxes, but one of them is designed to be extended.

    You could add an FM transceiver for remote operations without communicating over LAN/WAN?

    1. Re:Easier to extend? by gl4ss · · Score: 1

      Is it possibly easier to add custom hardware to the Raspberrry Pi? I mean they're both Linux boxes, but one of them is designed to be extended.

      You could add an FM transceiver for remote operations without communicating over LAN/WAN?

      this project of theirs takes so much effort that you might just as well use a custom board with some soc.
      the raspberry is in the mix just for media points. due to it being a raspberry they have to add a bunch of extra stuff(analog in and stuff - to be noted that it also made the mods that they actually did easy to detect! they didn't seem to have build for example anything really fancy like usb interceptors - instead recommending attacking organizations that use ps/2 keyboards etc. so the raspberry helped them to actually put something inside the docking station while avoiding doing anything of the scarier fancier, technologically interesting from just pure hacking for enabling extra functionality point of view, stuff they theorized about).

      the article is just bizarre half-ass proof of concept of some james bond shit you could do after you have physical access and equally bizarre methods to detect such a mod.

      --
      world was created 5 seconds before this post as it is.
    2. Re:Easier to extend? by andersh · · Score: 1

      Yes, I see your point, I suppose it's been possible for some time, but now almost anyone can do it [with other technology than the Raspberry].

  21. It's the little things by kilodelta · · Score: 1

    It's funny, everywhere I've worked that had docks I realized it could be an attack vector. Glad that someone else realizes it too. However the solutions/defenses they provide aren't likely to happen in most I.T. groups. Really? Infrared cameras? RF sniffers?

  22. Re:Voltage divider? by guruevi · · Score: 1

    With 20V at 1A a 7805 would stoke away 15W - that's a big heat sink

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  23. Re:Voltage divider? by nsaspook · · Score: 1

    You would use something modern like a 7805SR instead of a voltage divider or an old school 7805 that needs a huge heat-sink.
    http://www.murata-ps.com/data/meters/dms-78xxsr.pdf

    --
    In GOD we trust, all others we monitor.