Slashdot Mirror
Misusing Ethernet To Kill Computer Infrastructure Dead
Some attacks on computers and networks are subtle; think Stuxnet. An anonymous reader writes with a report at Net Security of researcher Grigorios Fragkos's much more direct approach to compromising a network: zap the hardware from an unattended ethernet port with a jolt of electricity. Fragkos, noticing that many networks include links to scattered and unattended ethernet ports, started wondering whether those ports could be used to disrupt the active parts of the network. Turns out they can, and not just the ports they connect to directly: with some experimentation, he came up with a easily carried network zapping device powerful enough to send a spark to other attached devices, too, but not so powerful -- at least in his testing -- to set the building on fire. As he explains:
I set up a network switch, and over a 5 meters Ethernet cable I connected an old working laptop. Over a 3 meters cable I connected a network HDD and over a 100 meters cable I connected my “deathray” device. I decided to switch on the device and apply current for exactly 2 seconds. The result was scary and interesting as well. The network switch was burned instantly with a little “tsaf” noise. There was also a buzzing noise coming from the devices plugged-in to the network switch, for a less than a second. There was a tiny flash from the network HDD and the laptop stopped working. It is not the cheapest thing in the world to test this, as it took all of my old hardware I had in my attic to run these experiments. I believe the threat from such a high-voltage attack against a computer infrastructure is real and should be dealt with.
If a malicious user gain physical access to your network, a high-voltage attack is the least of your worries. Network sniffers and other tools can quickly own your entire network doing far more monetary damage then some fried networking equipment.
Stupid article that basically says: "You can destroy an electronic device by shoving too much electricity into it!"
Well, DUH! You can also destroy a person by shoving too much food into him, destroy something made of iron by leaving it in salt water, destroy a book by lighting it on fire, etc.
There seem to be a large number of people passing themselves off as "security researchers" and "security consultants" by hyping the obvious to gullible idiots. Must be a good gig. How much does it pay?
There is no way to protect against the sort of attack mentioned in this post, other than keeping dirtbags away from critical infrastructure and not hooking anything to a network if it does not need to be hooked to a network. If you add some circuit to protect ethernet jacks from the energy levels this jerk used, he'll just come back around with a higher energy level, and repeat the process until every ethernet jack is a cubic meter large, weighs more than a bowling ball, and can withstand a million volts at some insane amperage - and THEN he will point out that the some level of current he tries causes the wires in the wall to melt and the building to burn down (Ah ha! the BUILDING has a security flaw!!!)
This is not much different from the idiot "security researcher" who claimed he hacked into an airliner's in-flight entertainment system and made the plane "fly sideways" which got people on Slashdot chattering and caused the 24-7 news idiots to hyperventilate for 2 days. News flash: Had THAT idiot TRULY made an airliner fly sideways the stresses would have sheared-off the vertical stabilizer (for non-aero people: google AA flight 587 - even excessive rudder use at speed can overstress an airliner's vert stab)
" If you're following Information Security best practice you shouldn't have any unconnected sockets in your office"
As in, "If you're following Information Security best practice you shouldn't provision for expansion or unexpected demand".
Sure.
deleting the extra space after periods so i can stay relevant, yeah.
Yup! But then there's two questions
1) will the surge protector protect against this device
2) who has surge protectors on each of their ethernet ports?
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
Hammer breaks computer hardware! News at 11.
Fire destroys shit! OMG
I mean seriously, yes this is possible but you could do damage to a network in innumerable ways. Until the problem is actually happening there's no sense protecting against it. At most I could see someone trying this with a school network to get out of having to do a test or a disgruntled employee... it's not going to be a frequent thing.
Or they're disconnected at the switch end in the wiring closet until needed.
" If you're following Information Security best practice you shouldn't have any unconnected sockets in your office"
As in, "If you're following Information Security best practice you shouldn't provision for expansion or unexpected demand".
Sure.
No, you provision sockets and wire them to the network room. Then you have a bundle of unpatched terminals in the panel. Someone authorized comes in and needs the socket you patch in to the switch and it goes live. When they're done you remove the cable and the socket is dead again. 5 seconds on either end protects your network from unauthorized devices
Google is your friend.
No. Google pretends to be your friend. Big difference. Luckily there are less devious alternatives. Stop saying "Google" when you mean "search the web". Thank you :-)