Misusing Ethernet To Kill Computer Infrastructure Dead
Some attacks on computers and networks are subtle; think Stuxnet. An anonymous reader writes with a report at Net Security of researcher Grigorios Fragkos's much more direct approach to compromising a network: zap the hardware from an unattended ethernet port with a jolt of electricity. Fragkos, noticing that many networks include links to scattered and unattended ethernet ports, started wondering whether those ports could be used to disrupt the active parts of the network. Turns out they can, and not just the ports they connect to directly: with some experimentation, he came up with an easily carried network zapping device powerful enough to send a spark to other attached devices, too, but not so powerful -- at least in his testing -- to set the building on fire. As he explains:
I set up a network switch, and over a 5 meters Ethernet cable I connected an old working laptop. Over a 3 meters cable I connected a network HDD and over a 100 meters cable I connected my “deathray” device. I decided to switch on the device and apply current for exactly 2 seconds. The result was scary and interesting as well. The network switch was burned instantly with a little “tsaf” noise. There was also a buzzing noise coming from the devices plugged-in to the network switch, for less than a second. There was a tiny flash from the network HDD and the laptop stopped working. It is not the cheapest thing in the world to test this, as it took all of my old hardware I had in my attic to run these experiments. I believe the threat from such a high-voltage attack against a computer infrastructure is real and should be dealt with.
This sounds like something ripped right from the BOFH stories...
They do sell Ethernet surge suppressors.
didn't that happen in the book/movie? Lisbeth showed up as a courier to an office and took them out using an 'ethernet taser' through an empty plug in reception area?
Who would have thought it? This guy reminds me of a man I met at Uni that liked running current through his genitals for pleasure. If you're following Information Security best practice you shouldn't have any unconnected sockets in your office, and they should be audited at least every 3 months. So guess somebody is doing something about it...
Fiber optic cable to all devices would nullify this sort of attack.
High gain RF power beaming can do the same thing. Some of that hardware will go straight through a Faraday Cage. There is no easy cost-effective solution to this problem.
If a malicious user gains physical access to your network, a high-voltage attack is the least of your worries. Network sniffers and other tools can quickly own your entire network doing far more monetary damage than some fried networking equipment.
More adoption of PoE will make this sort of thing even worse.
Lightning strike fried the onboard NIC on one of my PCs once.
Yes, plugging twisted pair into a wall socket will burn out network equipment. Etherkiller has been around for a while.
Good old Nortel allowed you to apply current on their PoE switches on any port via a command.
You could login to the switch and just sit there zapping nics in desktops and laptops if you felt like being a dipshit.
I'm assuming you can do the same with modern Cisco layer 3 switches.
Just set the building on fire.
I set up a network switch, and over a 5 meters Ethernet cable I connected an old working laptop. Then I took my pen-testing device aka “hammer”. I decided to vigorously apply the device to the switch and the laptop. The result was scary and interesting as well. The network switch was a heap of twisted metal after a lot of "banging" noise. It resisted the attack for considerable time due to hard metal shell. The laptop stopped working much faster, after only some application of the device. It is not the cheapest thing in the world to test this, but very satisfying. I believe the threat from such a blunt object attack against a computer infrastructure is real and should be dealt with.
http://www.fiftythree.org/etherkiller/
Etherkiller strikes again. Next, how about flipping that 120/220 switch? Or overdriving the power grid?
It happens all the time.
Hook a cheater cord up to Ethernet, USB, Firewire, Thunderbolt, Audio In/Out... hell, put 120VAC on _any_ PC Electrical Connector not specifically designed for it, and Smoke Will Escape.
Collateral Damage will vary with Persistence.
Ethernet cables are electrical cables. They conduct electricity. Nowhere in the loop are Ethernet cables protected from surge currents/voltages. It is just assumed that all equipment on the network is behaving within tolerances. One nearby lightning strike and everything Ethernet-connected is fried. (Happened to me once in the 90s.)
People have been making etherkillers since forever. It's rather effective.
Obviously there was a hole in one of his rigged cables and it let the smoke out of the interweb tubes.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
Or you could, you know, turn up the voltage and just burn the building down, for even more damage. Or use a match to burn the building down.
I do give him some credit for creativity. You might be able to damage something from another room, without the source of the attack being immediately obvious. This increases your odds of escaping, though an incendiary with a timer would also do the trick.
This just in: Copper conducts electricity. Details at 11.
No shit! Com lines are easily taken out by high voltage! OH HOLY SAVIOR! If you've been anywhere near modems, routers, phone lines, hdmi receivers, or other AV equipment in a professional capacity, you should already know that these devices are highly susceptible to voltage spikes/droughts. FFS in my first couple of years in IT I dealt with a jabbering NIC that took out 2 switches before we found it...
I literally thought that it was the year 2000 again.
Holy shit I am so fucking high right now.
This is absolutely nothing new. Back in the early 1990s, I worked with a guy who had "adapters" which were 120VAC to coax Ethernet, 120VAC to serial, 120VAC to thicknet, and 120VAC to SCSI.
One place I worked at had someone use customized surge suppressors on Ethernet drops that went from a public area to a private area, because they were afraid of this.
This is nothing new... This is in the same category of stuff like sticking blobs of Superglue into the locks on a building as part of a "denial of service" attack.
These days, the fix is easy... if really worried and wireless isn't an option, go with single mode fiber if concerned that someone is going to use a network drop for an attack. If someone blows out the NIC on the other end with a 100+ laser, it will only blow out the SFP.
Stupid article that basically says: "You can destroy an electronic device by shoving too much electricity into it!"
Well, DUH! You can also destroy a person by shoving too much food into him, destroy something made of iron by leaving it in salt water, destroy a book by lighting it on fire, etc.
There seem to be a large number of people passing themselves off as "security researchers" and "security consultants" by hyping the obvious to gullible idiots. Must be a good gig. How much does it pay?
There is no way to protect against the sort of attack mentioned in this post, other than keeping dirtbags away from critical infrastructure and not hooking anything to a network if it does not need to be hooked to a network. If you add some circuit to protect ethernet jacks from the energy levels this jerk used, he'll just come back around with a higher energy level, and repeat the process until every ethernet jack is a cubic meter large, weighs more than a bowling ball, and can withstand a million volts at some insane amperage - and THEN he will point out that some level of current he tries causes the wires in the wall to melt and the building to burn down (Ah ha! the BUILDING has a security flaw!!!)
This is not much different from the idiot "security researcher" who claimed he hacked into an airliner's in-flight entertainment system and made the plane "fly sideways" which got people on Slashdot chattering and caused the 24-7 news idiots to hyperventilate for 2 days. News flash: Had THAT idiot TRULY made an airliner fly sideways the stresses would have sheared-off the vertical stabilizer (for non-aero people: google AA flight 587 - even excessive rudder use at speed can overstress an airliner's vert stab)
I'll try this from my ethernet port to destroy the INTERNET. Wait... now I switch it on.... NO CARRIER
In terms of networking, most 48 volt injectors have caps to dump 'high' voltages. Standard network switching however might not expect potentially disastrous voltages. At best, you might be able to fry a switch-worth of connectivity for a few hours or a day but I'd expect that would be it.
I ran into this problem in an industrial setting. Part of the factory contained a particularly nasty unshielded induction furnace. The network card on the machine that controlled SCADA for that furnace had a cable run that was just close enough to pick up a current and fry about a motherboard a month. The solution was a fibre card, ironically provided by the furnace maker.
Good people go to bed earlier.
http://www.zazzle.co.uk/oreall...
captcha: biology
Normally there's a transformer on either end of the cable. Whatever they fed "2 seconds of current" through, it wasn't that. WTF.
CLI paste? paste.pr0.tips!
Comparing this kind of attack to recent malware attacks is not really the same thing. This ethernet killer is something a pissed off employee does as opposed to malware that is not so much of a denial of service as it is a stealth attack to steal data.
This is one of those things that should be awarded an IgNobel.
...means that you can destroy said hardware. What kind of news is that ?!?
Non-Linux Penguins ?
People did this back in high school in the late '90s. Fried all kinds of stuff.
It was even more effective on old token ring networks. Seemed to go right down the line and the cables were generally thicker so they could carry more power.
How is applying high voltage and letting all the smoke out compromising a device? You destroy it, meaning it doesn't work any more. You don't gain access to it at all.
A few years ago, I helped design and build a production-line test system for RJ-45 jacks, and the test spec required us to "HIPOT" test by applying 2,250 volts to the network connections with the shell grounded, verifying that there was no appreciable current leaked to ground. I assume from your description that you applied a fairly high current across the signal lines, which would certainly burn out the windings on the RJ-45 jack isolation transformer at the other end of that specific cable. How you got the damage to propagate beyond a single RJ-45 termination is something of a mystery to me.
Anyone here remember an old phone phreaker toy that would send a zap down a phone line to cook a modem or a phone and break some FCC laws at the same time? heh I remember them being nicknamed "Piss Boxes", but they may have had a more proper name. This is like a network Piss Box. heh
"Never give up, for that is just the time and place when the tide will change." -Harriet Beecher Stowe ^_^
Well if this counts as a "hack" in the sense that stuxnet (a virus) was mentioned in the post...
I have developed an even better system. You walk into the data center with a sledge hammer and start smashing blades to bits. How is that any different? This isn't clever or sophisticated. It's stupid and impractical.
And how exactly is this going to affect PoE devices? If my switch is a PoE switch, it's already measuring voltages and resistance to ensure it's providing proper power. Surely they have surge protectors on those ports, right?
I was about to ask how come the spark wasn't stopped in its tracks by the optocouplers in the RJ45-to-board junctions. Then I read TFA (I know, right?!) and saw the pictures.
I don't know what the voltage was, but to maintain a spark over a 5cm air gap I guess it was pretty high. That means optocouplers can't help if you can just jump over them. 5cm could easily cover a small switch, unless once it reaches another RJ45 it can jump another 5cm (i.e. it can cover as much distance as it pleases), in which case it can fry the switch and jump and fry all the connected devices, and other switches and their devices, until the voltage drops enough to be unable to do these jumps anymore.
That leaves this exercise for the reader: how much damage would a Tesla coil plugged into a switch in a datacenter do? :) Sure, it might look suspicious when you pull your truck next to the Ethernet port, but just imagine.
"Everybody's naked underneath" -- The Doctor
Aside from etherkiller being old, you could just as easily set the building on fire if you wanted to kill infrastructure.
This requires you to be in the same building if not the same room as the device you are trying to kill. If you have physical access to a machine... etc...
I'm a good cook. I'm a fantastic eater. - Steven Brust
I used to work for Unisys in Livingston, Scotland in the '80s as a technician, and their corridor doors used swipe-cards for access. That meant lower level staff had to walk miles out of their way every day while managers took the direct route.
We had a zapper (sorry, don't know the correct term) that could fire electric shocks of various voltages so that we could test the electrostatic protection of the banking equipment we produced. One zap to one card-swipe would take down the whole system, and that happened everyday. Management couldn't prove anything and must've known what was going on but refused to back down and remove the system.
However, we never thought to do that to the ethernet, we were Timelords, not animals.
They are cheap and some models put out a high voltage pulse at an adjustable rate. Not sure why the author of the article/blog gets all panicky about this, I laughed about the part about it being done under the watch of a trained electrician - it's not new, nor is it hard to pull off.
Hell you can attach high voltage leads to your mains and you will fry plenty of equipment. Attach the ground leg of a branch circuit to a NST (Neon Sign Xfmr) then the other leg to mains through a small air gap.
Obviously you use an isolation transformer and a ballast on the NST so this can run longer and not just die.
Blasting high voltage into things is easy, and guaranteed to cause a deal of damage.
A decent switch will actually trip a fuse at the one port and not propagate the overload to other circuits.
recommended stripping network wires, even in the middle, and just jamming them into the nearest electrical outlet.
That book was far older than the year I obtained it, it was probably referring to serial networking back then, but I doubt 110 AC really cares.
> Misusing Ethernet To Kill Computer Infrastructure Dead
Great, you've killed it dead. Now I have to fix it alive.
systemd is Roko's Basilisk.
I would think using something APC ProtectNet would protect against this and EtherKiller.
http://www.apc.com/products/family/index.cfm?id=145&ISOCountryCode=us
Network switch? What kind? consumer? enterprise? I can shutdown unused ports on enterprise network switches. Does it still kill the switch if the shock is applied?
This article was clickbait and nothing more.
What's next? Aiming a water hose at a wireless access point?
"A plan fiendishly clever in its intricacies"- Homer Simpson
You'd only be able to attack one circuit at a time, I suppose, but outlets are everywhere. Much easier to fry devices that way.
Eagles may soar, but weasels don't get sucked into jet engines.
The dielectric breakdown voltage of air is 3kV/mm (give or take, depending on pressure, humidity and electrode shape). That 5cm spark could be as much as 150,000 volts. (Although once initiated the spark doesn't take as much voltage to maintain.)
The portable (trailer-mounted, with auxiliary generator) Tesla coil I've seen will pull an arc a meter or two long -- 3 to 6 megavolts.
Let's call it the Carrington Fuse.
I just wore my old O'Really "Ethernet Killers" t-shirt from the late 90s the other day.
if this is supposed to be a new economy, how come they still want my old fashioned money?
I remember back in the 90's people talking about being so pissed off at their cable company that they wired their coax cable to a NEMA 5-15 connector and plugged it into the wall.
This reminds me back in the days of "phreaking" and "boxes" (eg red box, blue box, beige box), there was a rumored "blotto box" which amounted to attaching a generator to someone's TNI or to a big green box and running for the hills.
Back in my day we called this a bullet. "Death ray" sounds megalomaniacal.
There's a BOFH reference or anecdote in there somewheres... Gotta be...
"Don't fear death... fear not living..." -me
Sounds like these devices are not intrinsically safe. Isn't IS a requirement for safety certification?
A very cheap and popular internet access in my area are ISP 1Gbit (sometimes 100Mbit) copper LANs, spanning a few kilometers and tens of buildings in a residential environment. Cables are hooked between roofs and trees and a lot of network hops are near or at the 100m limit. Power for the switches is leeched from everywhere (users, street lights). And then, we have thunderstorms.
They also seem to break if you dunk water on them.
> Do those ethernet filters in surge protectors provide sufficient protection against lightning strikes?
How close is the lightning strike? Very few things will protect against a direct strike to the antenna. If lightning actually hits a nearby tree, it will induce a powerful current in the antenna. That's what you can protect against. More protection is effective for closer strikes. A lightning rod can reduce the risk of a direct strike to the antenna.
> What's the best way to isolate the antenna from the rest of the network? Air-gap it with a wireless transmitter and receiver in the same box?
You could air gap at a convenient point. A different type of air gap is normally added to the coax. This is a tiny gap to a thick ground connector. Lightning jumps the gap.
Assuming the motivation for an attack like this is to disrupt the victim's LAN, a more subtle approach would be more effective. If you simply burn out a switch or NIC, it can be easily diagnosed and replaced. Recall that network interface cards are essentially radio devices that operate over wires instead of over the air. They are as susceptible to interference as the radio in your car.
I once worked for a company where every device connected to their switch would intermittently be unable to communicate. I tracked the problem down to a desktop computer with a flaky NIC that would go nuts every other day and (presumably) broadcast a shitstorm of noise. With a managed switch, it's easy to identify which port the culprit is attached to, but with an unmanaged switch a thing like this could drive you nuts if it only happened intermittently and then stopped for a while.
This is the question I had as well. For those following along, Ethernet is magnetically coupled to isolate the Ethernet PHY (the IC/circuit that (de)modulates signals) from the transmission line. This means the signal is propagated across a transformer; there is no direct electrical path between the Ethernet cable and the host. So an attacker pushing high voltage+current into a drop should only be able to damage part of the isolation transformer, in theory.
I suspect the answer is that real Ethernet ports have compromised this model with highly integrated devices. The transformers are simply not tested to destruction with high power and there are failure modes that include welding the primary+secondary together in unfortunate ways, thermally destroying a package of multiple transformers and/or creating other shorts. Unless an electrical device is actually designed to fail gracefully under high current it probably won't. Thus fuses.
Maw! Fire up the karma burner!
Back when I was in my early teens, the telephone system was almost completely copper to everything. A friend and I got this great idea to send a spike through the line to fry the phone on the other end. It worked within the same town. But I guess there were better protections in place once you got out of the local area. They may have started switching to fiber for long distance around that time too. We never used it maliciously, just tested it on each other's numbers.
I'm not sure why this story is that big of a deal. Once someone has physical access, this sort of vandalism is pretty simple. It's not like most consumer electronics are going to have protections built in for this kind of thing.
I live in a 100+ year old farmhouse; it's not any surprise to me that bad voltage can propagate through the network in funny ways. I go through routers and switches with some depressing regularity...unless everyone else has home-grade switches die every 12-18 months and router maybe every 18m-2yrs?
-Styopa
I looked for the high voltage ethernet zapper on amazon.com, but could not find. Where do I buy one?
Gotta couple networks around here that could use the 'fix' !!
Which switch? The expensive ones are supposed to have optocouplers on the data ports to prevent just this sort of problem. You kill the port but the switch (and everything attached) lives on.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
NON EX TRANSVERSO SED DEORSUM
I found that if I shoot a router with a gun I can kill it with as few as 3 shots. Considering I can fire 3 rounds in just under 1 second, this means all routers within 200 yards of a parking lot are vulnerable to this previously unknown attack. Read my 8 page blog entry (5 paragraphs) for more details.
But only if you can prod them with an etherkiller.
Seems like a simple problem to fix.
In audio gear, you will occasionally find hardware with built-in fuses to protect against surges and/or incorrect input current. It is much cheaper to replace a 79 cent fuse than a thousand dollar PA speaker. You could probably slap a set of fuses on each input port to protect against this, although, to support something like cat6 (6 wires) you would need 6 fuses. This would get bulky and expensive if you put it in something like a 128 port switch, but it would probably work just fine.
HA! I just wasted some of your bandwidth with a frivolous sig!
The pictures show that he had a VERY high voltage source, high enough to produce visible sparks of significant length (so probably 10kV or more). It's not clear how he applied it to the devices but I would guess either between two ports or between a port and mains ground (applying it between two pins on the same connector has the problem of how do you stop the connector arcing over to itself).
Isolating transformers are useful things but they do have their limits. The ones in ethernet are designed to deal with mains wiring related faults, not lightning or people with deliberate high voltage sources.
Note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
..... used an unshielded magnetron from a large commercial microwave oven. A nice big blast of the EMPs from that thing killed everything electronic down to and including digital watches in a whole bank branch in the City Of London during a "riot" a few years ago..... Anon for obvious reasons!
A cow-orker this morning just described a situation that drove his old company nuts for months until they finally tracked it down.
Periodically (with no discernible pattern), network performance would get really bad for an hour or two and then go back to normal. It took them weeks to figure out that someone would, from time to time, plug in a managed Ethernet switch with a spanning tree configuration that named it as the root switch, which caused spanning tree throughout the network to reconfigure itself with horrible path choices.
I don't know what the state of the art in spanning tree is these days, but while I would guess there are ways to make this a lot less likely to happen I would bet that many networks don't do whatever that something is and would be very vulnerable to an attack on spanning tree. It could be malicious (wreak havoc with traffic) or even devious, designed to force path selection so that traffic got pushed through vulnerable links that could be tapped.
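An added illustration of the spanning-tree scenario in the comment above (not part of the original thread and not any vendor's code): a small model of root-bridge selection on one switch, run once with no protection and once with user-facing ports refusing superior BPDUs, which approximates the feature Cisco calls root guard. The port names, bridge IDs, BPDU records and the `run_election` helper are all constructed for the example.

```python
"""Model of root-bridge selection on one switch, with and without an
edge-port guard. All bridge IDs, ports and BPDU records are constructed."""
from typing import NamedTuple


class Bpdu(NamedTuple):
    time: str      # when the BPDU was seen
    port: str      # local port it arrived on
    priority: int  # root priority advertised in the BPDU
    mac: str       # root MAC advertised in the BPDU


def bridge_key(priority, mac):
    """802.1D orders bridge IDs by priority, then MAC; the lowest wins."""
    return (priority, int(mac.replace(":", ""), 16))


def run_election(bpdus, edge_ports, configured_root, guard_edges):
    """Process BPDUs in order and return (root, alerts).

    root   -- (priority, mac) this switch believes is the root at the end
    alerts -- one line per superior BPDU that arrived on an edge port
    Simplification: BPDU ageing is not modelled, so the root never reverts
    after the superior bridge is unplugged.
    """
    root = configured_root
    alerts = []
    for b in bpdus:
        offered = (b.priority, b.mac)
        if bridge_key(*offered) >= bridge_key(*root):
            continue  # not superior: no effect on root selection
        if b.port in edge_ports:
            alerts.append(f"{b.time} {b.port}: superior BPDU from {b.mac} "
                          f"(priority {b.priority}) on an edge port")
            if guard_edges:
                continue  # guarded edge port: ignore the claim, keep the root
        root = offered  # unguarded: the better bridge ID wins the election
    return root, alerts


# Constructed topology: the intended root is reached through uplink Gi0/1;
# Gi0/14 and Gi0/15 are wall drops in user space.
CONFIGURED_ROOT = (4096, "02:00:00:00:00:01")
ROGUE_SWITCH = (0, "02:00:00:00:00:99")
EDGE_PORTS = {"Gi0/14", "Gi0/15"}

SAMPLE_BPDUS = [
    Bpdu("09:00:00", "Gi0/1", 4096, "02:00:00:00:00:01"),    # normal hello
    Bpdu("09:05:12", "Gi0/14", 0, "02:00:00:00:00:99"),      # switch plugged in
    Bpdu("09:06:40", "Gi0/15", 32768, "02:00:00:00:00:55"),  # inferior, harmless
    Bpdu("09:07:00", "Gi0/1", 4096, "02:00:00:00:00:01"),    # normal hello
]

if __name__ == "__main__":
    for guarded in (False, True):
        root, alerts = run_election(SAMPLE_BPDUS, EDGE_PORTS,
                                    CONFIGURED_ROOT, guard_edges=guarded)
        print(f"guard_edges={guarded}: root is {root}")
        for line in alerts:
            print("  ALERT", line)
```

The inferior BPDU on Gi0/15 raises no alert in this model because it cannot change the root; a stricter policy that disables an edge port on receipt of any BPDU (BPDU guard on Cisco equipment) would catch that device as well.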
"not lightning"
Actually, they ARE designed to protect the transceiver parts against lightning... not direct strikes, but the hundreds of volts that can be induced in the cables when the huge currents from nearby* lightning bolts dissipate through the metal beams of a building, or through the ground, or encountered as a power line spike. That's the exact protection designed in with the transformers. Without those, we'd be blasting Ethernet ports all of the time.
*nearby: extremely difficult to pin down due to the large number of variables, but I've seen over two hundred volts at fairly high current (over an amp) induced by ground current from a strike over three hundred feet away.
My company defeated this accidentally by having WIFI routers on the ceiling & a bunch of laptops on WIFI. Even the printer is WIFI. We don't even have Ethernet ports. Blast the electric outlet and you'll just burn-up the power bricks (we had that once: lightning).
The only data cables are to the displays (when not AirPlay/WiDi). Even the keyboard & mouse is wireless.
Does this mean we've already dealt with the problem?
Science & open-source build trust from peer review. Learn systems you can trust.
> Misusing Ethernet To Kill Computer Infrastructure Dead
After reading that, I should have already realized this is just going to redundantly restate something obvious.
I mean, do you know of anything that's not dead after being killed?
Free, as in your money being freed from the confines of your account.
I was thinking the same thing. To my understanding, ethernet is transformer-coupled by definition. You'll have to try fairly hard to get DC through the transformer. (i.e. hard enough to melt/burn through whatever isolation on one of the windings and hopefully make contact with the secondary winding/shield)
On the other hand, you might be able to get AC through there without too much trouble.
This is called lightning. Happens all the time. With a long enough link, the EMP from a nearby lightning strike can even take out switches and computers connected by ethernet.
We had a network connected to a 110v power cord with a switch. We would use it on those old blue Linksys routers back when they were common. They would have intermittent problems, but if Linksys didn't see it happen the second they took it out of the box at their testing facility they would send it back claiming it was fine. Easiest way to make them see the problem was to send 110v into it for a moment.
Some years ago my home network was zapped with a lightning strike that came in via the coaxial cable. Modem, router, and two switches died to save my computers. In military designs, we used opto-isolators to shield sensitive circuits from attack.
Despite the hysteria, this is not a 'broad attack threat'. The attacker needs physical access to the network, and will probably only compromise part of the network due to the energies and damage modes involved. Unless he's Nikola Tesla and carrying his own lightning bolt. Then all bets are off.
I do recommend that you isolate your network from power threats with surge suppressors on your coax line or RJ-45 line from your ISP, and of course your power lines.
http://etherkiller.org/
The important part of the described attack is its ability to hop past the fried switch, possibly more than one level, to affect devices elsewhere on the network, possibly hundreds of meters away. That makes it distinct from traditional ethernet killer or hammer attacks.
With about 15 minutes of research and looking at electrical diagrams and discussion with a colleague, I figured out exactly what device he's using. If I can figure it out, so can anybody. Out of respect for the author, I won't disclose it either, but I'm sure most of the Slashdot crowd could figure it out as well. The device in question is not expensive and is portable as he describes and has the right electrical properties to not fry the voltage shielding on the ethernet cables while being able to bridge circuit gaps in a sustained manner, as he demonstrates with the 4-5cm spark distance. It is also distinct from lightning strikes because of the variable duration of application and precision with which it can be controlled, which can result in more damage than a large burst of lightning.
With some tweaking, it is conceivable that a single ethernet port in an unattended area like a hotel lobby or university public area (both of which are common) could be targeted such that in just a couple of seconds, damage could be done to devices throughout the building, even devices not directly connected to the switch to which that ethernet port is wired. It's unclear how many hops are theoretically possible, but I suspect at least 2. Research in a controlled lab environment would be worth exploring.
That's a threat worth serious consideration. None of the network architecture in the many different places I have worked was ever designed with this sort of attack in mind; a fried switch was considered the worst possible scenario. This is much worse. At the very least, it should remind people that unprotected ethernet ports can be a huge risk and encourage them to improve physical security design.
Most enterprise switches will come with user-changeable fuse modules on each individual port for exactly this reason. And for cheaper switches, just buy an inline fuse module that sits in front of your ports. Problem solved.
* I have no idea if either of the above technologies actually exist, but they should.
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
You could use this device for a DDoS attack against Google - Bring up the google webpage and while it is loading quickly plug it into your router so the voltage spike is directed straight to the Google infrastructure.
APC ProtectNet PENT1 dongle.
Now all we need is some script kiddies and a feedback loop
Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
What you are testing is whether the switch will transmit dangerous currents from one port to other ports (while/after it fries itself). So just connect some volt meters to the other ports and fry the switch. No need to destroy a notebook and hdd in the process.
I've seen one made with a USB charger. You know the ones that you can charge your phone with when you're on-the-go. It plugged into a USB and would burn up a computer.
Maybe the switch used an ac2dc wall wart with no ground?
LOL php
Change your diet: Eating your words != Good Nutrition Dave420 http://tech.slashdot.org/comme...