Slashdot Mirror

← Back to Stories (view on slashdot.org)

Misusing Ethernet To Kill Computer Infrastructure Dead

Posted by timothy on from the might-want-to-pull-out-some-of-these-cables-frank dept.

Some attacks on computers and networks are subtle; think Stuxnet. An anonymous reader writes with a report at Net Security of researcher Grigorios Fragkos's much more direct approach to compromising a network: zap the hardware from an unattended ethernet port with a jolt of electricity. Fragkos, noticing that many networks include links to scattered and unattended ethernet ports, started wondering whether those ports could be used to disrupt the active parts of the network. Turns out they can, and not just the ports they connect to directly: with some experimentation, he came up with a easily carried network zapping device powerful enough to send a spark to other attached devices, too, but not so powerful -- at least in his testing -- to set the building on fire. As he explains: I set up a network switch, and over a 5 meters Ethernet cable I connected an old working laptop. Over a 3 meters cable I connected a network HDD and over a 100 meters cable I connected my “deathray” device. I decided to switch on the device and apply current for exactly 2 seconds. The result was scary and interesting as well. The network switch was burned instantly with a little “tsaf” noise. There was also a buzzing noise coming from the devices plugged-in to the network switch, for a less than a second. There was a tiny flash from the network HDD and the laptop stopped working. It is not the cheapest thing in the world to test this, as it took all of my old hardware I had in my attic to run these experiments. I believe the threat from such a high-voltage attack against a computer infrastructure is real and should be dealt with.

22 of 303 comments (clear)

  1. Simon Travaglia would be proud by RogueyWon · · Score: 4, Funny

    This sounds like something ripped right from the BOFH stories...

    1. Re:Simon Travaglia would be proud by Falconhell · · Score: 5, Informative

      Yep, in the 90's
      https://en.m.wikipedia.org/wik...

    2. Re:Simon Travaglia would be proud by Falconhell · · Score: 5, Informative

      Original episode from 94

      http://bofh.ntk.net/BOFH/0000/...

    3. Re:Simon Travaglia would be proud by rainwalker · · Score: 5, Informative

      Yep. Etherkillers have been around since forever. The oldest link I could find in 30 seconds is one one from 1999, but I'm sure I had one before than, and I certainly didn't come up with the concept. It's nice that he re-invented the etherkiller, but man, Google is your friend.

    4. Re:Simon Travaglia would be proud by JMJimmy · · Score: 3, Insightful

      Hammer breaks computer hardware! News at 11.

      Fire destroys shit! OMG

      I mean seriously, yes this is possible but you could do damage to a network in innumerable ways. Until the problem is actually happening there's no sense protecting against it. At most I could see someone trying this with a school network to get out of having to do a test or a disgruntled employee... it's not going to be a frequent thing.

    5. Re:Simon Travaglia would be proud by RenderSeven · · Score: 4, Interesting

      I made one in '81 long before I heard of BOFH and way before Ethernet. Our network was serial with some ARCNET and made a mains cable for each as a joke, back when bosses generally had a sense of humor.

  2. Stupid FUD by slacka · · Score: 3, Insightful

    If a malicious user gain physical access to your network, a high-voltage attack is the least of your worries. Network sniffers and other tools can quickly own your entire network doing far more monetary damage then some fried networking equipment.

    1. Re:Stupid FUD by TWX · · Score: 3, Insightful

      Not all interfaces that are patched are necessarily live. Not all interfaces that are patched will let just any MAC address on to the network. Not all interfaces that will let one new MAC address on to the network will allow for MAC table flood attacks as they will cut-off the interface if too many MAC addresses attempt to use the interface too quickly. There are means to reduce the problem if one wants to take the time to implement and maintain them, and if the organization will hire enough people to do the job.

      --
      Do not look into laser with remaining eye.
  3. Hammer Attack by sinij · · Score: 5, Funny

    I set up a network switch, and over a 5 meters Ethernet cable I connected an old working laptop. Then I took my pen-testing device aka “hammer”. I decided to vigorously apply. the device to the switch and the laptop. The result was scary and interesting as well. The network switch was a heap of twisted metal after a lot of "banging" noise. It resisted the attack for considerable time due to hard metal shell. The laptop stopped working much faster, after only some application of the device. It is not the cheapest thing in the world to test this, but very satisfying. I believe the threat from such a blunt object attack against a computer infrastructure is real and should be dealt with.

    1. Re:Hammer Attack by sinij · · Score: 5, Interesting

      Actually, in all seriousness, I had to do this 'hammer attack' in the past as part of FIPS 140 physical security mechanisms testing. Was a hardened case with interlocking plates, and after 30 minutes of banging on it I only succeeded denting it. I had to write in the report that I needed a bigger hammer. No kidding.

  4. Re:Surge suppressor by TWX · · Score: 5, Informative

    Even more importantly there are lightning arrestors that are designed to provide a ground-path for lightning when it strikes an outside-mounted AP, camera, or manages to find an underground or aerial pathway between buildings outside of the building's cone of protection, and they even have models that can allow PoE to traverse the device. I'm not sure what happens with lower voltage and amperage though, where the threshold for the device failing-safe and shunting to ground is, nor am I sure of what happens to the cable itself if 120V or 240V with a theoretical maximum of around 20A for household outlets is applied. The Cat5/5e/6/6a cabling is rated to 600V, but 26AWG to 24AWG wire is not very large and cannot handle the same current as a 12AWG wire for the same amount of time. My assumption is that even with a lightning arrestor it'd probably melt the cable up to that arrestor before the electrical circuit breaker shuts off the service to the outlet being used to cause this.

    There's a good reason why it's against code to install high voltage wiring and low voltage cabling in the same pathway.

    I'm actually curious how much protection is built into the switch. Typically a certain number of ports are grouped to an ASIC, and the switches have to be able to handle a degree of dirty signal anyway, so it's possible that a single household high voltage spike might not hurt the switch or might only burn out a few ports as one ASIC cooks-off. I'm not exactly going to test this out though.

    --
    Do not look into laser with remaining eye.
  5. Re:Surge suppressor by __aaclcg7560 · · Score: 3, Informative

    From my experience with surge protectors on UPSes, a 1Gb connection is reduced to a 10/100Mb connection. Not sure if that has changed in recent years.

  6. Re:Fiber by penguinoid · · Score: 5, Funny

    Fiber optic cable to all devices would nullify this sort of attack.

    But won't protect it against a laser shark.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  7. How many volts and milliamps did you hit it with? by RHenningsgard · · Score: 4, Interesting

    A few years ago, I helped design and build a production-line test system for RJ-45 jacks, and the test spec required us to "HIPOT" test by applying 2,250 volts to the network connections with the shell grounded, verifying that there was no appreciable current leaked to ground. I assume from your description that you applied a fairly high current across the signal lines, which would certainly burn out the windings on the RJ-45 jack isolation transformer was at the other end of that specific cable. How you got the damage to propagate beyond a single RJ-45 termination is something of a mystery to me.

  8. Re:Surge suppressor by penguinoid · · Score: 3, Insightful

    Yup! But then there's two questions
    1) will the surge protector protect against this device
    2) who has surge protectors on each of their ethernet ports?

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
  9. Re:girl with dragon tattoo did it by drinkypoo · · Score: 4, Funny

    The OP mentioned an "Ethernet Taser" being plugged into the wall to take out the security guards. Hence, you need POE to power that device

    On this planet, we have electrical potential storage devices we call "batteries".

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  10. Re:Running power through wires shock!! by Anonymous Coward · · Score: 5, Insightful

    Or they're disconnected at the switch end in the wiring closet until needed.

  11. Re:Running power through wires shock!! by KlomDark · · Score: 3, Funny

    90% of people who use the term "best practice" are idiots that couldn't independently think their way out of a wet bag.

  12. Re:Running power through wires shock!! by Anonymous Coward · · Score: 3, Insightful

    " If you're following Information Security best practice you shouldn't have any unconnected sockets in your office"

    As in, "If you're following Information Security best practice you shouldn't provision for expansion or unexpected demand".

    Sure.

    No, you provision sockets and wire them to the network room. Then you have a bundle of unpatched terminals in the panel. Someone authorized comes in and needs the socket you patch in to the switch and it goes live. When they're done you remove the cable and the socket is dead again. 5 seconds on either end protects your network from unauthorized devices

  13. Re:Running power through wires shock!! by Tailhook · · Score: 3, Informative

    If you're following Information Security best practice you shouldn't have any unconnected sockets in your office, and they should be audited at least every 3 months.

    So you've raised the bar for the attacker from "zap any random RJ45 jack" to "unplug something and zap that RJ45 jack"? Or am I missing something?

    --
    Maw! Fire up the karma burner!
  14. optocouplers by Spazmania · · Score: 4, Informative

    Which switch? The expensive ones are supposed to have optocouplers on the data ports to prevent just this sort of problem. You kill the port but the switch (and everything attached) lives on.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    1. Re:optocouplers by msauve · · Score: 4, Informative

      No, regular Ethernet (i.e. copper) connections are almost always transformer isolated. A typical spec for the isolation they provide is 1500 VRMS for 60 seconds. But, even if using optoisolators weren't cost prohibitive, they only increase the breakover voltage, which doesn't prevent someone from causing deliberate damage using even higher voltages.

      If you want to avoid the issue, use fiber connections instead of copper.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law