Misusing Ethernet To Kill Computer Infrastructure Dead
Some attacks on computers and networks are subtle; think Stuxnet. An anonymous reader writes with a report at Net Security of researcher Grigorios Fragkos's much more direct approach to compromising a network: zap the hardware from an unattended ethernet port with a jolt of electricity. Fragkos, noticing that many networks include links to scattered and unattended ethernet ports, started wondering whether those ports could be used to disrupt the active parts of the network. Turns out they can, and not just the ports they connect to directly: with some experimentation, he came up with an easily carried network zapping device powerful enough to send a spark to other attached devices, too, but not so powerful -- at least in his testing -- as to set the building on fire. As he explains:
I set up a network switch, and over a 5-meter Ethernet cable I connected an old working laptop. Over a 3-meter cable I connected a network HDD and over a 100-meter cable I connected my “deathray” device. I decided to switch on the device and apply current for exactly 2 seconds. The result was scary and interesting as well. The network switch was burned instantly with a little “tsaf” noise. There was also a buzzing noise coming from the devices plugged in to the network switch, for less than a second. There was a tiny flash from the network HDD and the laptop stopped working. It is not the cheapest thing in the world to test this, as it took all of my old hardware I had in my attic to run these experiments. I believe the threat from such a high-voltage attack against a computer infrastructure is real and should be dealt with.
This sounds like something ripped right from the BOFH stories...
Fiber optic cable to all devices would nullify this sort of attack.
And would that be Layer 1 in the OSI model? or should we just call that a Layer Zero attack.
If a malicious user gains physical access to your network, a high-voltage attack is the least of your worries. Network sniffers and other tools can quickly own your entire network, doing far more monetary damage than some fried networking equipment.
More adoption of PoE will make this sort of thing even worse.
Lightning strike fried the onboard NIC on one of my PCs once.
Good old Nortel allowed you to apply current on their PoE switches on any port via a command.
You could log in to the switch and just sit there zapping NICs in desktops and laptops if you felt like being a dipshit.
I'm assuming you can do the same with modern Cisco layer 3 switches.
Just set the building on fire.
I set up a network switch, and over a 5-meter Ethernet cable I connected an old working laptop. Then I took my pen-testing device aka “hammer”. I decided to vigorously apply the device to the switch and the laptop. The result was scary and interesting as well. The network switch was a heap of twisted metal after a lot of "banging" noise. It resisted the attack for considerable time due to hard metal shell. The laptop stopped working much faster, after only some application of the device. It is not the cheapest thing in the world to test this, but very satisfying. I believe the threat from such a blunt object attack against a computer infrastructure is real and should be dealt with.
It happens all the time.
Power Over Ethernet (POE) switches are generally more expensive than regular network switches and, in my experience, aren't widely deployed for general use. A regular wall jack near the floor probably won't have POE. A ceiling jack will have POE to power wireless access points and security devices. The network jack for a phone might have POE from the switch or a power injector.
A true faraday cage would protect against RF, but many casings aren't well done.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Obviously there was a hole in one of his rigged cables and it let the smoke out of the interweb tubes.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
Even more importantly there are lightning arrestors that are designed to provide a ground-path for lightning when it strikes an outside-mounted AP, camera, or manages to find an underground or aerial pathway between buildings outside of the building's cone of protection, and they even have models that can allow PoE to traverse the device. I'm not sure what happens with lower voltage and amperage though, where the threshold for the device failing-safe and shunting to ground is, nor am I sure of what happens to the cable itself if 120V or 240V with a theoretical maximum of around 20A for household outlets is applied. The Cat5/5e/6/6a cabling is rated to 600V, but 26AWG to 24AWG wire is not very large and cannot handle the same current as a 12AWG wire for the same amount of time. My assumption is that even with a lightning arrestor it'd probably melt the cable up to that arrestor before the electrical circuit breaker shuts off the service to the outlet being used to cause this.
There's a good reason why it's against code to install high voltage wiring and low voltage cabling in the same pathway.
I'm actually curious how much protection is built into the switch. Typically a certain number of ports are grouped to an ASIC, and the switches have to be able to handle a degree of dirty signal anyway, so it's possible that a single household high voltage spike might not hurt the switch or might only burn out a few ports as one ASIC cooks-off. I'm not exactly going to test this out though.
Do not look into laser with remaining eye.
This just in: Copper conducts electricity. Details at 11.
This is absolutely nothing new. Back in the early 1990s, I worked with a guy who had "adapters" which were 120VAC to coax Ethernet, 120VAC to serial, 120VAC to thicknet, and 120VAC to SCSI.
One place I worked at had someone use customized surge suppressors on Ethernet drops that went from a public area to a private area, because they were afraid of this.
This is nothing new... This is in the same category of stuff like sticking blobs of Superglue into the locks on a building as part of a "denial of service" attack.
These days, the fix is easy... if really worried and wireless isn't an option, go with single mode fiber if concerned that someone is going to use a network drop for an attack. If someone blows out the NIC on the other end with a 100+ laser, it will only blow out the SFP.
Usually the best solution is to not patch-in horizontal cables that aren't in-service, and to use station cables that require a special tool to unplug from the wall and from the computer, but there are not very many facilities where this is practiced because it's incredibly labor-intensive to have to send a technician to move every computer and change all of the patching. Some organizations don't let the users move their own computers anyway, so for them it wouldn't be much more difficult to send the technician to the closet to make the change while they're at it, but I know that we don't have that kind of manpower.
Do not look into laser with remaining eye.
In terms of networking, most 48 volt injectors have caps to dump 'high' voltages. Standard network switching, however, might not expect potentially disastrous voltages. At best, you might be able to fry a switch-worth of connectivity for a few hours or a day, but I'd expect that would be it.
I ran into this problem in an industrial setting. Part of the factory contained a particularly nasty unshielded induction furnace. The network card on the machine that controlled SCADA for that furnace had a cable run that was just close enough to pick up a current and fry about a motherboard a month. The solution was a fibre card, ironically provided by the furnace maker.
Good people go to bed earlier.
Normally there's a transformer on either end of the cable. Whatever they fed "2 seconds of current" through, it wasn't that. WTF.
CLI paste? paste.pr0.tips!
Comparing this kind of attack to recent malware attacks is not really the same thing. This ethernet killer is something a pissed off employee does as opposed to malware that is not so much of a denial of service as it is a stealth attack to steal data.
It doesn't matter if they do or not because PoE is carried on the third and fourth pair. You inject your dirty power on the first and second pair and PoE is irrelevant.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
It's a Layer 1 attack.
Same as a lightning strike. Rare, but fascinating and devastating when they hit dead on.
deleting the extra space after periods so i can stay relevant, yeah.
" If you're following Information Security best practice you shouldn't have any unconnected sockets in your office"
As in, "If you're following Information Security best practice you shouldn't provision for expansion or unexpected demand".
Sure.
deleting the extra space after periods so i can stay relevant, yeah.
I've worked at a few companies where the cables from walls are not physically plugged into the switches inside the network closet for inactive ports. At one company, this was a security policy. At other companies, they couldn't afford enough switches to plug in all the wall jacks.
And the reason vendors have chosen to NOT include that technology into their actual networking equipment is what again?
Because you-the-consumer won't pay an extra 4 cents per port for hardware that includes it.
...means that you can destroy said hardware. What kind of news is that ?!?
Non-Linux Penguins ?
From my experience with surge protectors on UPSes, a 1Gb connection is reduced to a 10/100Mb connection. Not sure if that has changed in recent years.
Most PC connectors are non-isolated and referenced to the PC's ground. Apply a large voltage in common mode and it will find its way to ground through all sorts of paths, many of them likely destructive. Ethernet on the other hand has isolation transformers designed to survive a strength test of around 1.5KV*. 120V (or even 240V) AC in common mode on an ethernet port should have no effect if the device is not defective.
120 VAC in differential mode will definitely fry the port, it may fry the rest of the device but it's unlikely to "jump" an ethernet switch to devices behind. The path of least resistance is a short loop through the transceiver, not going all over the board, via another transceiver and back out of another port.
* There are several different strength tests with different combinations of voltage and duration of which the standard requires at least one to be passed.
note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
A few years ago, I helped design and build a production-line test system for RJ-45 jacks, and the test spec required us to "HIPOT" test by applying 2,250 volts to the network connections with the shell grounded, verifying that there was no appreciable current leaked to ground. I assume from your description that you applied a fairly high current across the signal lines, which would certainly burn out the windings on the RJ-45 jack isolation transformer that was at the other end of that specific cable. How you got the damage to propagate beyond a single RJ-45 termination is something of a mystery to me.
Anyone here remember an old phone phreaker toy that would send a zap down a phone line to cook a modem or a phone and break some FCC laws at the same time? heh I remember them being nicknamed "Piss Boxes", but they may have had a more proper name. This is like a network Piss Box. heh
"Never give up, for that is just the time and place when the tide will change." -Harriet Beecher Stowe ^_^
Yup! But then there's two questions
1) will the surge protector protect against this device
2) who has surge protectors on each of their ethernet ports?
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
The OP mentioned an "Ethernet Taser" being plugged into the wall to take out the security guards. Hence, you need POE to power that device and I was pointing out that typical wall jack wouldn't have POE. Otherwise, just use a regular Taser to get the job done.
I was about to ask how come the spark wasn't stopped in its tracks by the optocouplers in the RJ45-to-board junctions. Then I read TFA (I know, right?!) and saw the pictures.
I don't know what the voltage was, but to maintain a spark over a 5cm air gap I guess it was pretty high. That means optocouplers can't help if you can just jump over them. 5cm could easily cover a small switch, unless once it reaches another RJ45 it can jump another 5cm (i.e. it can cover as much distance as it pleases), in which case it can fry the switch and jump and fry all the connected devices, and other switches and their devices, until the voltage drops enough to be unable to do these jumps anymore.
That leaves this exercise for the reader: how much damage would a Tesla coil plugged into a switch in a datacenter do? :) Sure, it might look suspicious when you pull your truck next to the Ethernet port, but just imagine.
"Everybody's naked underneath" -- The Doctor
Aside from etherkiller being old, you could just as easily set the building on fire if you wanted to kill infrastructure.
This requires you to be in the same building if not the same room as the device you are trying to kill. If you have physical access to a machine... etc...
I'm a good cook. I'm a fantastic eater. - Steven Brust
The OP mentioned an "Ethernet Taser" being plugged into the wall to take out the security guards. Hence, you need POE to power that device
On this planet, we have electrical potential storage devices we call "batteries".
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Or they're disconnected at the switch end in the wiring closet until needed.
90% of people who use the term "best practice" are idiots that couldn't independently think their way out of a wet bag.
Take it up with the OP, as I was just pointing out the POE aspect.
" If you're following Information Security best practice you shouldn't have any unconnected sockets in your office"
As in, "If you're following Information Security best practice you shouldn't provision for expansion or unexpected demand".
Sure.
No, you provision sockets and wire them to the network room. Then you have a bundle of unpatched terminals in the panel. Someone authorized comes in and needs the socket you patch in to the switch and it goes live. When they're done you remove the cable and the socket is dead again. 5 seconds on either end protects your network from unauthorized devices
We don't patch every drop either. Drops are installed speculatively and usually there are close to twice as many drops as there are devices mainly because the cost to run two cables is not significantly higher than the cost to run one cable, and the utility of having the extra cabling when it's needed is more important than the financial impact of the installation.
The number of ports should equal the number of devices, not the number of cables. As more organizations use wireless devices the number of ports needed has levelled-off, traditionally plugged-in equipment is increasingly wireless and those existing ports, if PoE, can be used for APs or for newer infrastructure like security door keypads, HVAC controllers and other SCADA equipment, or security cameras.
I like having about 20% free switch ports on a new installation, assuming that there are twice the number of cables as there are the number of ports. That usually means that last switch in the stack is a 48-port instead of a 24-port, or that a 24-port is added to the stack at the end if the last 48-port is nearly completely full, but it's nice to have a little room for growth without having to purchase equipment piecemeal and hope that the same model is still available, plus the per-switch cost is much lower when they're bought in larger batches so the cost savings of waiting is almost nonexistent.
Do not look into laser with remaining eye.
Misusing Ethernet To Kill Computer Infrastructure Dead
Great, you've killed it dead. Now I have to fix it alive.
systemd is Roko's Basilisk.
Network switch? What kind? consumer? enterprise? I can shutdown unused ports on enterprise network switches. Does it still kill the switch if the shock is applied?
This article was clickbait and nothing more.
What's next? Aiming a water hose at a wireless access point?
"A plan fiendishly clever in its intricacies"- Homer Simpson
You'd only be able to attack one circuit at a time, I suppose, but outlets are everywhere. Much easier to fry devices that way.
Eagles may soar, but weasels don't get sucked into jet engines.
The dielectric breakdown voltage of air is 3kV/mm (give or take, depending on pressure, humidity and electrode shape). That 5cm spark could be as much as 150,000 volts. (Although once initiated the spark doesn't take as much voltage to maintain.)
The portable (trailer-mounted, with auxiliary generator) Tesla coil I've seen will pull an arc a meter or two long -- 3 to 6 megavolts.
though an incendiary with a timer would also do the trick.
But leaves traces visible to every firefighter. Leading to further investigations, the FBI will check the CCTV recordings, someone will recognize you there or your licence plate. Or the license plate of what you stole to be your getaway car, but left your fingerprints where you stole it...
Anyway: It might be worth something to have the case closed quickly with "faulty electrical device" and no further questions asked.
bickerdyke
If you're following Information Security best practice you shouldn't have any unconnected sockets in your office, and they should be audited at least every 3 months.
So you've raised the bar for the attacker from "zap any random RJ45 jack" to "unplug something and zap that RJ45 jack"? Or am I missing something?
Maw! Fire up the karma burner!
I don't have that problem with the ethernet surge protector built into the big APC UPS (about 6 years old) on my gaming machine.
"When information is power, privacy is freedom" - Jah-Wren Ryel
Stupid article that basically says: "You can destroy an electronic device by shoving too much electricity into it!"
Yes, but it becomes a bit more interesting when you can do that from another location connected by a wire no one thinks of as an attack vector (the port is firewalled after all!) and is often enough freely accessible.
But yes, this tells less about the attacker's ingenuity than it tells us about our everyday shortsightedness.
bickerdyke
Re-reread the post. The words "security guards" were never used. The them in the sentence refers to the Ethernet ports.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Stupid article that basically says "Metal wires conduct electricity."
I just wore my old O'Really "Ethernet Killers" t-shirt from the late 90s the other day.
if this is supposed to be a new economy, how come they still want my old fashioned money?
This reminds me of back in the days of "phreaking" and "boxes" (e.g. red box, blue box, beige box), there was a rumored "blotto box" which amounted to attaching a generator to someone's TNI or to a big green box and running for the hills.
The first person a courier would meet in an office would be security guards at the reception desk. At some of the companies I've worked at, the security guards were armed with guns. At one company I worked at, the security guards were armed with guns and a K9 attack dog. There are easier ways to subdue an unarmed person than using a makeshift "Ethernet Taser" from a wall jack.
Back in my day we called this a bullet. "Death ray" sounds megalomaniacal.
Maybe we should ask Photonicinduction. He might know the answer.
Just because you are too busy to follow the practice, doesn't mean it isn't a good idea.
What is good about an idea that doesn't actually protect anything? All your "best practice" has done is secure unused ports. USED ports can still be zapped, and from either end of the cable too. Or did your "best practice" also assume non-removable and armored Ethernet cables?
Your "best practice" is a fiction inside your head.
Maw! Fire up the karma burner!
You couldn't possibly be as stupid as you are trying to make yourself appear to be. She disabled the fucking Ethernet ports with a taser. She didn't plug a frigging taser into the Ethernet ports to disable security guards. The OP never mentioned security guards. Again. No fucking security guards. You made them up, and now you are refusing to admit you made them up.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
There's a BOFH reference or anecdote in there somewheres... Gotta be...
"Don't fear death... fear not living..." -me
Because it's impossible for someone to unplug a cable to plug in his etherkiller? Google shows that locking ethernet cables exist, but I've never in my life seen them used, and I've been working in IT for decades.
Is the surge protector rated at 1GBps?
That higher frequency requires much tighter tolerances on wire lengths and EM interference, so if a cable, surge protector, or any other passive ethernet device wasn't specifically designed with a 1Gbps connection in mind then it probably will degrade the signal, except for individual devices where random manufacturing variance just happened to fall within the higher-speed tolerances.
--- Most topics have many sides worth arguing, allow me to take one opposite you.
My sugar-free vanilla latte hasn't kicked in yet this morning. I read "Ethernet Taser" as an Ethernet-powered Taser and "them" as security guards. I haven't read the books, so I made some assumptions based on my work experience. Or perhaps I'm confusing this with "Snow Crash" by Neal Stephenson, which had a courier who had to get past armed gatekeepers.
I was recently surprised to see unmanaged switches with at least one POE port being available on Newegg. Then again, with the Internet of Everything just around the corner, it shouldn't be surprising to see.
Oh yeah... now I know I'm dealing with a first class BS artist.
So, you propose that every single physical topology change require a visit to the switch closet/server room/whatever to manipulate patch cables?
Jesus H. Christ. How is it possible to be naive enough to think that is plausible and actually type it in a public forum?
While I have never, ever experienced a 90 day unused-port audit, every single site I've ever seen has secured its network hardware behind locked doors, at a minimum. I do that much in my own home. Access is always limited to the few BOFHs trusted with the keys/cards. There is no way in hell IT peons are going to be popping in and out of dark, secured areas every time someone wants to move a printer from one jack to another.
No. Fucking. Way.
Stop typing stuff now. You're just making a fool of yourself. At least you had the good sense to be AC when you started talking out of your ass this morning.
Maw! Fire up the karma burner!
A very cheap and popular form of internet access in my area is ISP 1Gbit (sometimes 100Mbit) copper LANs, spanning a few kilometers and tens of buildings in a residential environment. Cables are hooked between roofs and trees and a lot of network hops are near or at the 100m limit. Power for the switches is leeched from everywhere (users, street lights). And then, we have thunderstorms.
Sounds like something you'd read in Wired
"First they came for the slanderers and i said nothing."
> Do those ethernet filters in surge protectors provide sufficient protection against lightning strikes?
How close is the lightning strike? Very few things will protect against a direct strike to the antenna. If lightning actually hits a nearby tree, it will induce a powerful current in the antenna. That's what you can protect against. More protection is effective for closer strikes. A lightning rod can reduce the risk of a direct strike to the antenna.
> What's the best way to isolate the antenna from the rest of the network? Air-gap it with a wireless transmitter and receiver in the same box?
You could air gap at a convenient point. A different type of air gap is normally added to the coax. This is a tiny gap to a thick ground connector. Lightning jumps the gap.
Assuming the motivation for an attack like this is to disrupt the victim's LAN, a more subtle approach would be more effective. If you simply burn out a switch or NIC, it can be easily diagnosed and replaced. Recall that network interface cards are essentially radio devices that operate over wires instead of over the air. They are as susceptible to interference as the radio in your car.
I once worked for a company where every device connected to their switch would intermittently be unable to communicate. I tracked the problem down to a desktop computer with a flaky NIC that would go nuts every other day and (presumably) broadcast a shitstorm of noise. With a managed switch, it's easy to identify which port the culprit is attached to, but with an unmanaged switch a thing like this could drive you nuts if it only happened intermittently and then stopped for a while.
This is the question I had as well. For those following along, Ethernet is magnetically coupled to isolate the Ethernet PHY (the IC/circuit that (de)modulates signals) from the transmission line. This means the signal is propagated across a transformer; there is no direct electrical path between the Ethernet cable and the host. So an attacker pushing high voltage+current into a drop should only be able to damage part of the isolation transformer, in theory.
I suspect the answer is that real Ethernet ports have compromised this model with highly integrated devices. The transformers are simply not tested to destruction with high power and there are failure modes that include welding the primary+secondary together in unfortunate ways, thermally destroying a package of multiple transformers and/or creating other shorts. Unless an electrical device is actually designed to fail gracefully under high current it probably won't. Thus fuses.
Maw! Fire up the karma burner!
Back when I was in my early teens, the telephone system was almost completely copper to everything. A friend and I got this great idea to send a spike through the line to fry the phone on the other end. It worked within the same town. But I guess there were better protections in place once you got out of the local area. They may have started switching to fiber for long distance around that time too. We never used it maliciously, just tested it on each other's numbers.
I'm not sure why this story is that big of a deal. Once someone has physical access, this sort of vandalism is pretty simple. It's not like most consumer electronics are going to have protections built in for this kind of thing.
I live in a 100+ year old farmhouse; it's not any surprise to me that bad voltage can propagate through the network in funny ways. I go through routers and switches with some depressing regularity...unless everyone else has home-grade switches die every 12-18 months and router maybe every 18m-2yrs?
-Styopa
FTFY.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Bullshit. They won't go to you, they'll go to Joe's cubicle.
Joe's out for the day and has an active Ethernet port.
Did you encase Joe's entire PC in a locked steel box that's drilled into a hard wall covering the Ethernet port?
No? Joe has an unattended, unsecured Dell sitting under his desk, connected by an aging, crusty Ethernet cable to a wall plate attached to a flimsy cubicle partition?
Welcome to the real world.
I looked for the high voltage ethernet zapper on amazon.com, but could not find. Where do I buy one?
Gotta couple networks around here that could use the 'fix' !!
OK. I actually buy the "It's the Sugar Free Latte's fault" defence :-) Cheers!
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Which switch? The expensive ones are supposed to have optocouplers on the data ports to prevent just this sort of problem. You kill the port but the switch (and everything attached) lives on.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
Or when someone works from home for an afternoon. Or a consultant comes in. Or when someone goes to an offsite meeting and takes his laptop. Or goes to an onsite meeting and takes his laptop to the meeting room. Or when a meeting in the meeting room ends and they all take their laptops out...
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Surge protection for Ethernet costs more per port than nearly any switch. Not sure why it's so expensive. Cheaper to just have proper power surge protection.
I have a CyberPower surge protector with a built in 1Gb protector, but when I use it, I sporadically get lots of frame errors for tens of seconds, like in the 1-5% range.
It probably only connected two of the pairs. Gig E needs 4.
Seems like a simple problem to fix.
In audio gear, you will occasionally find hardware with built in fuses to protect against surges and/or incorrect input current. It is much cheaper to replace a 79 cent fuse than a thousand dollar PA speaker. You could probably slap a set of fuses on each input port to protect against this, although, to support something like cat6 (6 wires) you would need 6 fuses. This would get bulky and expensive if you put it in something like a 128 port switch, but it would probably work just fine.
HA! I just wasted some of your bandwidth with a frivolous sig!
Well, the good news is the higher the voltage the lower the current. The bad news is that the higher voltage (assuming it didn't break down the insulation which won't instantly fail at 600V) will often damage something at either end and cause a short circuit there, THEN you have high current flowing through the cable.
Designing surge arrestors is incredibly difficult and sometimes goes wrong (Raspberry Pi polyfuse causing CPU instability) and other times can only account for a very small use case. One example is USB ports. There are polyfuses / shunts on most motherboards and most boards will withstand a shorted output or an overvoltage input (over voltage in this case meaning a likely amount due to failed equipment on the other end of the cable, quite often not more than 48V). But these things can be defeated like the case a while ago where someone built a device to irrevocably fry a laptop by sending repeated high-voltage but ultimately low current pulses down the USB's data pins until eventually (after about 10 pulses over a several second period) one of the shunts failed (they weren't designed for this) and the entire motherboard got fried.
Lightning protection is similar and very finicky. Often lightning protection is designed to protect one single piece of equipment in one room. I have not so fond memories of replacing computers and a PLC in an equipment room after a lightning strike on a radio antenna outside. The lightning protection worked perfectly and the radio system survived. But it was the only thing to survive. By diverting the strike to ground you end up creating a huge voltage gradient across the building. A few stand-alone items survived but equipment that was interconnected from one end of the building to the other or had connections to other buildings all fried, and despite lightning never actually striking our power system all our fault data recorders picked up a big overvoltage surge.
Most equipment will handle a fault here or there, but most will fail catastrophically when it comes to a direct lightning strike or a targeted attack.
And even if they did, high voltage spikes are something that can be inductively induced on the cable. You just need a lot more juice.
The pictures show that he had a VERY high voltage source, high enough to produce visible sparks of significant length (so probably 10kV or more). It's not clear how he applied it to the devices but I would guess either between two ports or between a port and mains ground (applying it between two pins on the same connector has the problem of how do you stop the connector arcing over to itself).
Isolating transformers are useful things but they do have their limits. The ones in ethernet are designed to deal with mains wiring related faults, not lightning or people with deliberate high voltage sources.
note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
No, you provision sockets and wire them to the network room. Then you have a bundle of unpatched terminals in the panel. Someone authorized comes in and needs the socket you patch in to the switch and it goes live. When they're done you remove the cable and the socket is dead again. 5 seconds on either end protects your network from unauthorized devices.
Virtually on a managed switch? I'm sure that happens all the time in places where you get a device with a particular MAC approved to connect on one particular port on the switch. Until you light it up it's basically dead and you get a nice audit trail of paperwork and access logs. But actually getting into the wiring closet and rewiring the network every time anybody needs a change? That actually sounds like a bigger risk, because who knows what they really do in there. Unless you have a second guy inspecting so the first guy doesn't do anything he's not supposed to. I'd much rather have the switch logs monitored and keep that wiring closet locked as much as possible.
Live today, because you never know what tomorrow brings
A cow-orker this morning just described a situation that drove his old company nuts for months until they finally tracked it down.
Periodically (with no discernible pattern), network performance would get really bad for an hour or two and then go back to normal. It took them weeks to figure out that someone would, from time to time, plug in a managed Ethernet switch with a spanning tree configuration that named it as the root switch, which caused spanning tree throughout the network to reconfigure itself with horrible path choices.
I don't know what the state of the art in spanning tree is these days, but while I would guess there are ways to make this a lot less likely to happen I would bet that many networks don't do whatever that something is and would be very vulnerable to an attack on spanning tree. It could be malicious (wreak havoc with traffic) or even devious, designed to force path selection so that traffic got pushed through vulnerable links that could be tapped.
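The root-takeover scenario in the comment above, as an added example that is not part of the original thread: a toy Python model of one switch deciding whether to accept a new spanning-tree root, with and without the root guard and BPDU guard features found on managed switches. Bridge IDs, MACs and the port name are constructed, and timers and path costs are left out.

```python
"""Toy model: one switch deciding whether to accept a new spanning-tree root.

Constructed example. Bridge priorities, MACs and port names are made up;
timers, path costs and port roles are left out.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True, order=True)
class BridgeID:
    priority: int  # lower value wins the root election
    mac: str       # tie-breaker when priorities are equal; lower wins


@dataclass
class Port:
    name: str
    guard: str = "none"        # "none", "root" (root guard) or "bpdu" (BPDU guard)
    state: str = "forwarding"


@dataclass
class Switch:
    root_id: BridgeID          # the root this switch currently believes in
    ports: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def receive_bpdu(self, port_name, advertised_root):
        port = self.ports[port_name]
        if port.guard == "bpdu":
            # BPDU guard: an access port should never hear a BPDU at all.
            port.state = "err-disabled"
            self.log.append(f"{port_name}: BPDU on access port, port err-disabled")
            return port.state
        if advertised_root < self.root_id:  # "superior" BPDU: better root claim
            if port.guard == "root":
                # Root guard: a superior BPDU here is refused and the port blocked.
                port.state = "root-inconsistent"
                self.log.append(f"{port_name}: superior BPDU refused, port blocked")
                return port.state
            self.log.append(f"root changed {self.root_id} -> {advertised_root}")
            self.root_id = advertised_root
            return "root-changed"
        return "ignored"


LEGIT_ROOT = BridgeID(4096, "00:11:22:33:44:01")   # core switch, set by the admin
ROGUE = BridgeID(0, "00:aa:bb:cc:dd:ee")           # device plugged into a wall port


def simulate(guard):
    """Deliver one BPDU from the rogue device to access port 'lobby-12'."""
    sw = Switch(root_id=LEGIT_ROOT, ports={"lobby-12": Port("lobby-12", guard)})
    result = sw.receive_bpdu("lobby-12", ROGUE)
    return result, sw.root_id, sw.ports["lobby-12"].state, sw.log


if __name__ == "__main__":
    for guard in ("none", "root", "bpdu"):
        result, root, state, log = simulate(guard)
        print(f"guard={guard:5} result={result:17} root={root.priority} port={state}")
        for line in log:
            print("   ", line)
```

The log entries are the events worth alerting on: an unexpected root change, or an access port that goes root-inconsistent or err-disabled, points at the wall socket where the device was plugged in.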
"not lightning"
Actually, they ARE designed to protect the transceiver parts against lightning... not direct strikes, but the hundreds of volts that can be induced in the cables when the huge currents from nearby* lightning bolts dissipate through the metal beams of a building, or through the ground, or encountered as a power line spike. That's the exact protection designed in with the transformers. Without those, we'd be blasting Ethernet ports all of the time.
*nearby: extremely difficult to pin down due to the large number of variables, but I've seen over two hundred volts at fairly high current (over an amp) induced by ground current from a strike over three hundred feet away.
My company defeated this accidentally by having WIFI routers on the ceiling & a bunch of laptops on WIFI. Even the printer is WIFI. We don't even have Ethernet ports. Blast the electric outlet and you'll just burn-up the power bricks (we had that once: lightning).
The only data cables are to the displays (when not AirPlay/WiDi). Even the keyboard & mouse is wireless.
Does this mean we've already dealt with the problem?
Science & open-source build trust from peer review. Learn systems you can trust.
Misusing Ethernet To Kill Computer Infrastructure Dead
After reading that, I should have already realized this is just going to redundantly restate something obvious.
I mean, do you know of anything that's not dead after being killed?
Free, as in your money being freed from the confines of your account.
You can install secondary protectors near the equipment. These usually have a fused ground connection. This is to stop currents that might exceed the inside wiring limits if the fault passes the primary protector. Otherwise the inside wiring might start a fire. It's still best to go with fiber for external devices like a roof mounted WiFi adapter.
Some years ago my home network was zapped with a lightning strike that came in via the coaxial cable. Modem, router, and two switches died to save my computers. In military designs, we used opto-isolators to shield sensitive circuits from attack.
Despite the hysteria, this is not a 'broad attack threat'. The attacker needs physical access to the network, and will probably only compromise part of the network due to the energies and damage modes involved. Unless he's Nikola Tesla and carrying his own lightning bolt. Then all bets are off.
I do recommend that you isolate your network from power threats with surge suppressors on your coax line or RJ-45 line from your ISP, and of course your power lines.
Almost all WIFI that I've seen has been PoE, so that won't work well with a fiber solution.
Now for a microwave link or other special-purpose wireless point-to-point I agree with you, but I've found that for most campus-sized areas it's better to run fiber in the ground, and for metro-sized areas only the municipality can run point to point microwave as they're the only ones that control the elevations to have line of sight. Admittedly I live in suburbia, so there aren't tall buildings around here to make use of.
Do not look into laser with remaining eye.
"PoE is carried on the third and fourth pair"
Might be carried on the unused pairs (10/100, there are no unused pairs with 1000baseT). It can also be carried on the data pairs. Switches supporting 802.3 PoE usually use the data pairs, while midspan injectors use the unused pairs.
"National Security is the chief cause of national insecurity." - Celine's First Law
You can put a PoE power injector and fiber adapter in a NEMA box next to the WiFi. That would require AC power at or near the antenna (more money) but it keeps the surge out of the data side.
BTW, We had a lightning hit that split a big tree maybe 30m from the building. I just about jumped out of my shoes. The VoIP phones rebooted but the switch supplying PoE took the hit without a reboot. I'm glad there was secondary protection on the POTS gateway.
http://etherkiller.org/
The important part of the described attack is its ability to hop past the fried switch, possibly more than one level, to affect devices elsewhere on the network, possibly hundreds of meters away. That makes it distinct from traditional ethernet killer or hammer attacks.
With about 15 minutes of research and looking at electrical diagrams and discussion with a colleague, I figured out exactly what device he's using. If I can figure it out, so can anybody. Out of respect for the author, I won't disclose it either, but I'm sure most of the Slashdot crowd could figure it out as well. The device in question is not expensive and is portable as he describes and has the right electrical properties to not fry the voltage shielding on the ethernet cables while being able to bridge circuit gaps in a sustained manner, as he demonstrates with the 4-5cm spark distance. It is also distinct from lightning strikes because of the variable duration of application and precision with which it can be controlled, which can result in more damage than a large burst of lightning.
With some tweaking, it is conceivable that a single ethernet port in an unattended area like a hotel lobby or university public area (both of which are common) could be targeted such that in just a couple of seconds, damage could be done to devices throughout the building, even devices not directly connected to the switch to which that ethernet port is wired. It's unclear how many hops are theoretically possible, but I suspect at least 2. Research in a controlled lab environment would be worth exploring.
That's a threat worth serious consideration. None of the network architecture in the many different places I have worked was ever designed with this sort of attack in mind; a fried switch was considered the worst possible scenario. This is much worse. At the very least, it should remind people that unprotected ethernet ports can be a huge risk and encourage them to improve physical security design.
You can put a PoE power injector and fiber adapter in a NEMA box next to the WiFi. That would require AC power at or near the antenna (more money) but it keeps the surge out of the data side.
Honestly, unless it becomes a fad, far cheaper to just replace the fried equipment.
Someone had to do it.
For those who don't want to Google, the 7 layers are numbered 1 through 7, not 0 through 6.
Layer 1 is link layer signalling like HDLC.
We who are actually in the business do indeed use the term "Layer 0" to refer to power/physical cabling/infrastrucuture.
I've even heard "Layer 8" bandied about to refer to managers and politics, but it's less popular.
Someone had to do it.
I meant to say, physical layer, sorry, tired, so NRZI etc. Really the whole thing is rather fungible with protocols that don't fit cleanly into the classifications, but for the most part layer 1 is mostly high frequency bit encodings that don't actually demand certain voltage/current specifications.
Someone had to do it.
But are they compatible with my Monster Cable audiophile grade CAT 5e cables?
Most enterprise switches will come with user-changeable fuse modules on each individual port for exactly this reason. And for cheaper switches, just buy an inline fuse module that sits in front of your ports. Problem solved.
* I have no idea if either of the above technologies actually exist, but they should.
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
You mean you googled it after you posted? Because earlier you claimed that "We who are actually in the business do indeed use the term "Layer '0" to refer to power/physical cabling/infrastrucuture (sic)", when of course nothing could be further from the truth, as those things are part of Layer 1. If you are actually "in the business" then you already knew that, though, right?
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Layer 1 ends at bit encoding.
Physical Media: Any means in the physical world for transferring
signals between OSI systems. Considered to be outside the OSI Model,
and therefore sometimes referred to as "Layer 0." The physical
connector to the media can be considered as defining the bottom
interface of the Physical Layer, i.e., the bottom of the OSI
Here, and yes, we do. This is not a new thing.
One thing you have to realize about networking career folks is they are always tired and have forgotten more than many people know due to their horrible sleep habits/job requirements, so honestly, it was just a slip of the neurons. Do always ask us to verify our answers though because often we are kinda phasing in and out of reality.
Someone had to do it.
Bullshit. Layer 1 defines, for example, the logical voltage levels and current specifications (i.e. power) as well as the acceptable cable lengths and types (e.g. CAT5 vs. CAT6 and how far they can run). The cable itself is outside the OSI model. The voltages, including polarity, etc. are within layer 1. If you take an unplugged cable and fry it, that is outside the OSI model. If you connect said cable to a phy and fry the phy you have attacked layer 1. Please stop spreading misinformation (and carefully read the second sentence you quoted from RFC1208.) Your apology is accepted.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
A fused ground connection sounds like something that wouldn't pass regulations. Once the fuse is blown, the entire device and everything it is connected to is at a potentially lethal potential.
Gigabit also requires all 4 pairs in the cable. A cheap 10/100 protector is only going to connect up the 2 pairs required for 10/100 to work.
A 10/100/1000 connection will then fallback to 100.
Only if you connect it in the correct direction.
Hey man whatever, I hear the term "Layer 0" at least once a week, so I know I'm not wrong there. We always get a chuckle when a wet-behind-the-ears hire starts making a fuss over OSI model pedantry, BTW.
An example of a "Layer 1" attack would be an RF interferer. This is clearly a "Layer 0" attack.
Someone had to do it.
You are wrong to believe that slang is part of a specification. The term Layer 0 is used tongue in cheek. It will also surprise you to find out that a crotch rocket isn't actually powered by a rocket and black people aren't all ignorant even though you may hear them referred to as such (i.e. the "N Word") at least once a week.
I'm not sure what is so fucking hard for you to understand, but again, when you fry the circuitry in a switch it is a Layer 1 attack. The circuitry is Layer 1. Yes, layer 1 includes encoding - which it will evidently surprise you to know is done with hardware such as Op Amps and ASICs, not a software stack - but it also includes the connector specs such as RJ-45 and BNC, for example. The impedance of the cable? You guessed it ... specified in Layer 1. That's why cable length is part of Layer 1. Because impedance is a function of cable length. If you want to refer to the actual cable as "Layer 0" in house go for it, but don't try to pass yourself off as more in the know / "actually in the business" than people who really know what they are talking about. If you want to actually be "in the know" you should start by dropping that slang from your vocabulary.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
I never claimed "Layer 0" was specified, don't be a moron, use your reading comprehension skills. You don't win arguments by mischaracterizing your opponent. And stop being so insulting. All I did was point out that "Layer 0" is in parlance, and that the extent to which physical media and infrastructure is "in the ISO model" has, by that model's own admission, been a gray area with gradual scope creep (they probably should have started with layer 3 or so to leave space to grow downward.)
At any rate, I will leave you and your personality disorders to amuse yourself insulting other people.
Someone had to do it.
Bullshit. There is no "scope creep." Layer 1 has always specified hardware characteristics as well as signalling. You clearly thought NRZI was a software protocol, that OSI specifically was a software only model, and that all hardware was "Layer 0". You claimed that you had some special knowledge over and above the actual professionals because you heard a slang term cast about and implied that you were more "in the know" because - unlike me (to hear you tell it) - you were "actually in the business". As recently as the last post you continued to try to mis-characterize this Layer 1 attack as a "Layer 0" attack. You stated, among other ridiculous claims, that " ... for the most part layer 1 is mostly high frequency bit encodings that don't actually demand certain voltage/current specifications." Now that I have exposed your blatant ignorance to the core you have started in with the ad hominem attacks, rather than simply thanking me for teaching you very valuable knowledge. You're welcome.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Now all we need is some script kiddies and a feedback loop
Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
Might be carried on the unused pairs
You and only you mentioned unused pairs. You can never assume there is any such thing.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Calm down, Francis. Regardless of whether you are right or wrong, your bizarre, APK-esque style of discussing it is making you look the loser in this discussion.
Go smoke another doob Dave 420
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
"You and only you mentioned unused pairs."
Right, because you mentioned the "third and fourth pair," which was obviously completely wrong in context. 10/100baseT uses pairs 2 and 3. 802.3af/at uses either pairs 2 and 3 or pairs 1 and 4, never the "third and fourth pair." There may be some very odd PoE implementations which do, perhaps you can point to one.
I don't assume. There are pairs which are unused by the 802.3 spec for 10/100baseT. The specification itself labels them as e.g. "Not used by 10BASE-T". It's completely correct to refer to those as the "unused pairs" when discussing Ethernet.
"National Security is the chief cause of national insecurity." - Celine's First Law
The problem with thinking independently means that when it all goes bollock-up, it's your fault for ignoring best practice..... even when best practice is bollox.
People may know better, but honestly, would anyone take the risk?
So there I was, scribbling down some notes off the PC screen by hand, when I reached for the keyboard and Ctrl-S'd.
I remember in college, they actually did have unconnected ethernet outside of the engineering building. Of course, it hardly mattered since we were the first school in the country to have wifi. Unencrypted, open 802.11b. Oh, and the network was entirely flat and without any firewalls to the dorms. You could drive by, connect to wifi, and execute NETBIOS attacks against students in the dorms.
Sorry for the poor wording. Secondary protectors are placed near the equipment to be protected to suppress over voltages and only if there is a primary protector where the wiring enters the building. The secondary protector might be exposed to a power cross that gets past the primary. As such, the current must be limited to what the inside wiring can safely manage. This is usually done with some type of fuse or current limiting device. This limits current to ground for voltages that exceed the clamping voltage of the surge protection. Typically, this will open the input signal leads to stop the current to ground and take the device out of service. There may be some type of indicator to show a fault is present. Once open, if the power cross is still present, the input wiring might still be at a dangerous potential. Compliance with wiring insulation and clearance standards hopefully prevents contact. The fusing should keep the inside wire from burning and isolate the equipment.