If an attacker wanted to sneak a monitoring device into a target network, how might they go about it?
As Naked Security reported last week, they could try soldering a tiny chip on to the circuit board of something like a firewall on the assumption that it will never be noticed.
But there might be a much simpler approach – hide the device in plain sight, safe in the knowledge that its very conspicuousness means its legitimacy will probably never be questioned.
This was the initial suspicion of a team from UK-based outfit Pen Test Partners when they noticed an unlabelled, “potentially toxic box” connected to the onboard LAN of a ship that the team was performing a security assessment on.
Ship networks feature a lot of specialised equipment, of course, but every box should have a purpose. And yet, after enquiring about its origins, the message came back:
Fleet management told us that shoreside had no invoice, record, or inventory listing for it. They were blissfully unaware of its existence.
It had an Ethernet connection to the ship LAN but was also connected to a Windows console on the bridge which was so bright at night that the crew covered it up. The assumption had been that it was meant to be there.
“Suspicious”
The box had a second Ethernet connection, which after analysing, the pen testers discovered was UDP encapsulating NMEA data, a format that offers a universal interface for different GPS systems. That suggested it had something to do with the onboard Electronic Chart Display and Information System (ECDIS).
It also had an RS232 Serial converter connected to it, leading to a cable that disappeared into the deck. The traffic running across this was Modbus, an ancient master-slave protocol still used by industrial control systems (ICS).
After checking to see whether the master/slave would answer when fed data, the other end of the Modbus turned out to be 11 decks down on the ship’s engine, adjacent to its safety systems designed to slow or shut down the engine.
We’d found a Windows machine that was connected to main engine controls, which no one knew about.
It was obviously alarming that an unknown device was connected to a system involved in ship safety. Comically, the Windows console was running a long unpatched version of Team Viewer.
The culprit
It turned out that the box had been put there legitimately for monitoring fuel and engine efficiency by a third party some years before, forgotten about, but left running despite the arrangement having ended.
A vulnerable box that no-one knew about with a direct, remote connection to the main engine.
One observation from this is that engineers and crew simply assumed it had a right to be there even though nobody knew what it was doing.
This raises the question… how many more mystery boxes might be quietly sitting connected to numerous other networks?
Joshua McCartney
From my experience, A LOT of “black boxes” are plugged in somewhere. I used to do work for a 911 call center connected to a VAST county-wide network, and because it was a call center, it was tied directly into an ISP. Literally 911 call center downstairs, [redacted] upstairs. I had to replace a router in the ISP part of the building that was handing 911 traffic. In the area where I was working there were 2 servers sitting there. Plugged in and running Server 2003. No one knew what or why… I notified the head tech for [redacted], but I’m pretty sure that all the farther that went. Now, I’m sure they were legitimate servers, but who knows what they were doing…
Albatross (@Albatross)
I did a security review of a nuclear power plant, and everyone, EVERYONE claimed as gospel that the plant’s control network was “completely separate” and “air gapped” from the company intranet (which was in turn connected to the Internet via the usual culprits). One day I was following a network cable on the control network and it led to the back of a desktop computer, plugged in right next to a second network line that went to the company intranet. I asked the computer’s owner how the control network was “completely separate” from the intranet if his computer was plugged into both networks at once, and he sneered at me and condescendingly answered, “Well I HAVE a ROUTING TABLE.”
Mike
I can totally believe all that – having worked in a nuclear power installation myself!!
Anonymous
I use a network monitoring tool that scans for new IP addresses and MAC addresses. Any unknowns are flagged up fairly quickly – so far almost all false positives (usually same MAC different IP). It’s handy for catching any rogue devices and runs every fifteen minutes. It also sends out a strong message to fellow colleagues that they are being monitored and not to plug random devices into the network. They’re always amazed that their recently bought laptop is detected so quickly – the “spilled my coffee on the old one” excuse comes up a lot. The MAC could be spoofed but that would mean the genuine PC stops working which I would also know about. (It’s worth trying this out on your network – spoof a MAC and connect. Quite often it will boot the first PC off in preference of the spoofed MAC. Sometimes you end up with two IP’s. Not all switches / routers handle this well). If you can identify the MAC as equipment that shouldn’t be there then an instant ban usually results in a phone call with some lame excuse about how they were “testing the kids Xbox” or something. Obviously dependent on circumstances.
Anonymous
What is the name of the tool that you use?
Judd Franks
That’s not what “begs the question” means.
Paul Ducklin
Historically speaking, you are right – to “beg the question” is to present a conclusion as a fact without arguing it through first. In other words, you bypass any tricky questions that a reasonable listener might ask and that, if addressed, might prove you wrong.
But in contemporary English, the phrase has evolved the additional meaning “to invite an obvious question”. In fact, the Oxford Dictionary of English now lists this as the primary usage.
Nevertheless, I have changed it in the article…
qre22v24v
Is these days…