If attackers decide to sneak a monitoring device into a target network, how might they go about it? A report published in Naked Security describes a few approaches attackers might take.
Here’s an excerpt from it.
Approaches the report mentions
The attackers could try soldering a tiny chip onto the circuit board of something like a firewall on the assumption that it will never be noticed.
Or they could take a much simpler approach: hide the device in plain sight, safe in the knowledge that its very conspicuousness means its legitimacy will never be questioned.
The noticed unlabelled box
This was the initial suspicion of a team from UK-based outfit Pen Test Partners when they noticed an unlabelled, “potentially toxic box”. It was connected to the onboard LAN of a ship that the team was performing a security assessment on.
Ship networks feature a lot of specialised equipment, of course, but every box should have a purpose. And yet, after enquiring about its origins, the message came back:
Fleet management told them that shoreside had no invoice, record, or inventory listing for it. They were blissfully unaware of its existence.
It had an Ethernet connection to the ship LAN but was also connected to a Windows console on the bridge which was so bright at night that the crew covered it up. The assumption had been that it was meant to be there.
Suspicious
The second Ethernet connection
The box had a second Ethernet connection which, on analysis, the pen testers found was carrying NMEA data encapsulated in UDP; NMEA is a format that offers a universal interface for different GPS systems.
That suggested it had something to do with the onboard Electronic Chart Display and Information System (ECDIS).
RS232 Serial converter connected
It also had an RS232 Serial converter connected to it, leading to a cable that disappeared into the deck.
The traffic running across this was Modbus, an ancient master-slave protocol still used by industrial control systems (ICS).
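The two links just described can be told apart without touching the device, because each protocol carries its own integrity field. The following Python is an added example (not code from the article or from Pen Test Partners) that classifies captured payloads this way; the two sample captures are constructed.

```python
"""Passive protocol identification for payloads captured from an unknown device.
Added example, not the pen testers' code; the captures below are constructed.
Both checks use only each protocol's own integrity field, so nothing is sent."""
from functools import reduce
from operator import xor

def nmea_checksum_ok(sentence: str) -> bool:
    """NMEA 0183: '$' or '!', body, '*', then the body's XOR as two hex digits."""
    s = sentence.strip()
    if len(s) < 4 or s[0] not in "$!" or s.count("*") != 1:
        return False
    body, _, chk = s[1:].partition("*")
    try:
        expected = int(chk, 16) if len(chk) == 2 and chk.isalnum() else -1
        return reduce(xor, body.encode("ascii"), 0) == expected
    except (ValueError, UnicodeEncodeError):
        return False

def modbus_crc16(data: bytes) -> int:
    """Modbus RTU CRC-16: init 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def modbus_rtu_frame_ok(frame: bytes) -> bool:
    """Smallest RTU frame is address + function + CRC; CRC is sent low byte first."""
    if len(frame) < 4:
        return False
    return int.from_bytes(frame[-2:], "little") == modbus_crc16(frame[:-2])

def classify(payload: bytes) -> str:
    """Label one payload; NMEA is printable ASCII, so it is tested first."""
    text = payload.decode("ascii", "replace")
    if payload[:1] in (b"$", b"!") and nmea_checksum_ok(text):
        return "NMEA 0183"
    return "Modbus RTU" if modbus_rtu_frame_ok(payload) else "unknown"

def inventory(captures: dict[str, bytes]) -> dict[str, str]:
    """Map each link of the mystery box to the protocol observed on it."""
    return {link: classify(payload) for link, payload in captures.items()}

# Constructed samples: a GLL position sentence like the UDP-encapsulated NMEA on
# the ECDIS-side link, and a Modbus 'read 10 holding registers' request (slave 1,
# function 3, start 0, count 10, CRC C5 CD) like the traffic on the RS232 link.
CAPTURES = {
    "udp-ecdis-lan": b"$GPGLL,4916.45,N,12311.12,W*71",
    "rs232-converter": bytes.fromhex("01030000000ac5cd"),
}
```

Running `inventory(CAPTURES)` labels the first link "NMEA 0183" and the second "Modbus RTU"; a payload that passes neither check is reported as "unknown" and deserves the same follow-up the box itself got.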
Alarming unknown device connected
After checking to see whether the master/slave would answer when fed data, the other end of the Modbus link turned out to be 11 decks down at the ship’s engine, adjacent to the safety systems designed to slow or shut down the engine.
A Windows machine was found that was connected to the main engine controls, which no one knew about.
It was obviously alarming that an unknown device was connected to a system involved in ship safety. Comically, the Windows console was running a long-unpatched version of TeamViewer.
The culprit
It turned out that the box had been installed legitimately some years before by a third party to monitor fuel and engine efficiency; it was then forgotten about but left running even though the arrangement had ended.
A vulnerable box that no-one knew about with a direct, remote connection to the main engine.
Observation and doubt
One observation from this is that engineers and crew simply assumed it had a right to be there even though nobody knew what it was doing.
This raises the question… how many more mystery boxes might be quietly sitting connected to numerous other networks?
Source: NakedSecurity