The Internet of Evil Things: The Rapidly Emerging Threat of High Risk Hardware
Industry report
Provided by: Pwnie Express
Date: 4/15/2015

Contents:
IoET: The Rapidly-Emerging Threat of High-Risk Hardware
Hardware Undermines All: The Business Impact of IoET
A Survey: The InfoSec Pro’s Take on High-Risk Hardware
The Top IoET Threats of 2015
Unauthorized & Unchecked: Shadow IT and High-risk BYOx Devices
- Example Devices
- Default Wireless Printer Case Study
- High-Risk BYOx in the Wild
- Additional References
The Internet of Insecure Things: The Proliferation of Vulnerable IoT Devices
- Example Devices
- The VoCore Embedded AP Case Study
- Vulnerable IoT in the Wild
- Additional References
Plug-and-Play Cyber Espionage: The Commoditization of Malicious Hardware
- Example Devices
- Wireless KeyGrabber Case Study
- Malicious Hardware in the Wild
- Additional References
Mitigating the IoET Threat: A Call to Action
About Pwnie Express

IoET: The Rapidly Emerging Threat of High Risk Hardware

“The Internet of Everything is creeping into the enterprise, whether the security team knows about the devices or not.
Most organizations do not understand the risk these devices already present.”
Chris Wysopal, Co-Founder, CTO and CISO at Veracode

The Internet of Everything has arrived, and alongside every great technology trend comes a challenging and loosely defined threat vector. With the rush to Internet-enable everything from wristwatches to power grids, the massive proliferation of smart devices has significantly expanded the attack surface of our interconnected world. That attack surface now extends well beyond the visibility of today’s monitoring and intrusion detection systems. As a result, a little understood and ever expanding threat vector has emerged: the Internet of Evil Things (IoET).

“The promise of the Internet of Things is straightforward: more connected things leads to more efficiency, more productivity, more profit. But none of that promise gets realized if we can’t keep those things safe and secure. The starting point has to be knowing what things are on our network, what vulnerabilities are exposed, and how can we mitigate the risks.”
John Pescatore, Director of Emerging Security Trends, SANS Institute

Today’s information security (InfoSec) leaders are concerned about unauthorized and rogue devices on their networks, and for good reason: the 16 billion connected computing devices around the globe include a significant number of high risk hardware devices. These device threats range from unauthorized bring-your-own-device (BYOD) hardware and vulnerable IoT devices to a rapidly expanding market of low cost, plug-and-play cyber espionage devices. A survey of over 600 InfoSec professionals, conducted by Pwnie Express in December 2014, established that 83 percent of today’s Chief Security Officers and InfoSec professionals are concerned that rogue devices could already be operating undetected in their network environment.
The majority of respondents, 69 percent, also report that they do not have full visibility of all wireless devices within their network environment. It is clear we are reaching a critical tipping point in enterprise security: the growing IoET needs to be defined and protected against.

The Internet of Evil Things: The Rapidly Emerging Threat of High Risk Hardware report aims to provide security, IT and business leaders with:
- The key factors of the IoET threat vector and its business impact;
- How today’s InfoSec leaders are viewing this threat;
- Today’s top IoET related threats; and
- The need for an industry-wide initiative to effectively combat this threat.

Hardware Undermines All: The Business Impact of IoET

“The IoET threat is the soft underbelly for enterprise organizations, enabling and exacerbating the other threats we face by giving would-be attackers low-hanging fruit to bypass our traditional defenses.”
Ed Skoudis, Fellow and Instructor at SANS Institute

In the days before mobile and wireless dominated the computing landscape, asset monitoring and inventory systems, vulnerability scanning, intrusion detection and other traditional security controls achieved network device awareness (SANS Critical Security Control #1). Today, the enormous adoption of wireless, mobile/micro and transient computing devices has rendered yesterday’s defenses inadequate. In addition, because rogue hardware operates at the lowest layer of the network stack, it sits underneath every control that assumes a trusted physical layer: today’s rogue devices can circumvent Network Access Control (NAC), domain authentication, network and wireless intrusion prevention systems (IPS), application-aware firewalls, high security wireless deployments and, by interposing on client traffic, even HTTPS/SSL-protected sessions. The business impact of this level of compromise can be catastrophic.
As illustrated by NPR’s Project Eavesdrop, a single rogue device can expose a tremendous amount of sensitive information to a cyber criminal, including:
- Protected customer data such as personally identifiable information (PII), social security numbers (SSNs) and credit and debit card primary account numbers (PANs);
- Passwords to internal and third party systems, websites, cloud services and financial accounts;
- Complete email threads, internal documents and protected intellectual property;
- VoIP/SIP phone calls, text or video chat sessions;
- Keystrokes, phone numbers, email addresses, GPS coordinates, software application versions, USB and Bluetooth accessories;
- All end user Internet traffic including visited websites, search keywords, session IDs, cookies, and SSL certificates.

This high risk hardware threat vector effectively undermines nine of the SANS Top 20 Critical Security Controls, leaving security teams and organizations unequipped to effectively monitor, detect and respond to a significant and growing class of intrusions. Areas of deficiency include:
- Devices and Assets – It is difficult or impossible to detect unauthorized devices such as BYOD mobile devices, rogue access points (APs), rogue devices, wireless devices and other IoT devices (violations of SANS Controls #1 and #7);
- Distributed Organization – It is difficult or impossible to monitor and assess remote sites with personnel and security solutions that cannot work effectively on a remote basis (violations of SANS Controls #4 and #18);
- Security Controls – Companies are unable to validate security controls and configurations, especially in remote and wireless environments (violations of SANS Controls #3, #10 and #11);
- Incident Response – It is difficult or impossible to detect or log devices in the vicinity of incidents (violation of SANS Control #18);
- Security Expertise – The available resources are insufficiently trained (violations of SANS Controls #9 and #20).
A Survey: The InfoSec Pro’s Take on High Risk Hardware

An industry survey conducted by Pwnie Express among 621 InfoSec professionals found that:
- 83 percent of respondents are concerned that rogue devices could already be operating undetected in their network environment;
- Only 31 percent report having full visibility of all wireless devices in their network environment;
- Asked which high risk device attack type concerns them most, respondents are narrowly divided between insider rogue device attacks (37 percent), attacks initiated by an external actor using a rogue device (31 percent), and attacks that stem from the improper use of BYOD (32 percent);
- Rogue access points, MiFi and mobile hotspots lead the list of high risk devices most concerning to InfoSec professionals; about 36 percent see a threat in having these devices in their network environment;
- Other high risk devices of concern include:
  - BYOD devices that have been compromised without the users’ knowledge
  - Malicious devices inserted into corporate systems
  - Drive-by devices
  - Smart phones with a mobile hotspot
  - Misconfigured devices
  - Guest devices dropped into the corporate network, whether intentionally or accidentally
  - USB human interface devices (HIDs)

Source: Rogue Device Awareness and Concern Survey, Pwnie Express, December 2014

Figure 1: Majority of respondents from the USA
Figure 2: Mix of respondent roles/titles
Figure 3: InfoSec professionals lack visibility into all wireless devices (number of respondents: 621)
Figure 4: InfoSec professionals worry about rogue devices (number of respondents: 621)
Figure 5: Rogue access points are of highest concern (646 devices listed; respondents could select multiple devices)

The Top IoET Threats of 2015

“Hands down, BYOx and stealth IT is worrisome. The bottom line is that most users are simply not going to wait for IT to provision.
Oftentimes this may be an executive who just wants to use the shiny new "thingy" and if they can’t they’ll find a way to make it happen.”
Mike Saurbach, Manager Information Security, Corning Credit Union

The IoET threat vector encompasses any hardware computing device that poses a tangible security risk to an organization. This ranges from unsecured mobile hotspots and default-state printers to vulnerable wireless thermostats and malicious keystroke logging devices. Based on Pwnie Express’s data and analysis of deployed customer environments, customer feedback, third party surveys and public reports of real-world breaches involving rogue hardware devices, the InfoSec team at Pwnie Express assembled a broad set of the most prevalent hardware device threats affecting today’s global IT infrastructure. These device threats generally fall into three categories:
- Unauthorized & Unchecked: Shadow IT and high-risk “Bring Your Own Everything” (aka BYOx) devices
- The Internet of Insecure Things: The proliferation of vulnerable IoT devices
- Plug-and-Play Cyber Espionage Devices: The commoditization of malicious hardware

Unauthorized & Unchecked: Shadow IT and High Risk BYOx Devices

This category of IoET hardware encompasses the following types of high risk devices:
- Unauthorized personal devices in violation of organizational policy (aka “Shadow IT”);
- Corporate-sponsored BYOD hardware;
- Devices that fall within the expanding trend of “Bring Your Own Everything” (aka BYOx);
- Devices in a default or unconfigured state, including devices with default passwords and default “wide open” settings.

Unauthorized & Unchecked: Example Devices
- Wireless/mobile devices roaming from corporate wireless to “guest” wireless to circumvent corporate security controls
- Wireless/mobile devices connecting to open (unencrypted) third party wireless networks or personal MiFi/mobile hotspot devices (vulnerable to eavesdropping and Evil AP attacks)
- Unauthorized/vulnerable mobile devices
- Unauthorized/rogue wireless access points connected to the corporate network
- Vulnerable, default-state, or misconfigured printers
- 4G/LTE USB dongles
- Microcells/femtocells
- Rooted Androids/iPhones
- Default-state wireless access points (pivot point / backdoor into wired networks)
- Default-state network equipment
- Unsupported / End-Of-Life (EOL) devices with unpatchable security vulnerabilities
- Devices in an otherwise misconfigured or vulnerable state, including devices missing security patches or offering limited/weak encryption

Unauthorized & Unchecked: Default Wireless Printer Case Study

As wireless printers have become more prevalent, manufacturers have made connecting to them ever easier by configuring the printer to provide its own wireless access point by default, so that wireless clients can simply connect to the printer itself. There are several issues here. For one, the default wireless access point the printer broadcasts is usually open, allowing anyone to connect to the printer directly over WiFi. If the printer is in its default state, an attacker can then access the printer’s configuration and controls with the default admin username and password (assuming an admin account is even present in the default configuration).
The attacker then has the ability to compromise almost anything, much as when the printer is itself a vulnerable wireless client on the corporate network, except that now the attacker can also directly attack any other wireless clients connected to the printer’s wireless access point. The other major issue for corporate wireless clients is that even if someone eventually locks the wireless printer’s access point down, any corporate wireless client that has connected to the wireless printer in an open network state (i.e., no security or encryption) remains potentially vulnerable to an Evil AP attack, whether or not it is still within range of the wireless printer. By default, most wireless clients will automatically connect to an open wireless network they have previously connected to. This gives an attacker the ability to hijack corporate wireless clients, tricking them into connecting to a malicious wireless access point that is pretending to be the open wireless printer network. Locking down the printer does not remove this exposure; the stored open-network profile has to be purged from (or auto-join disabled on) every client that ever joined it. Again, if the corporate wireless client is also plugged into the wired network via Ethernet, the client can then potentially become a wireless bridge into the wired network.

Popularity: While it may not be immediately clear that this is a point of attack, wireless printers are becoming both more common and more vulnerable to attack.
Simplicity: As the attacker has to rely on knowledge of a printer that already exists on the network, the simplicity of this attack may vary.
Impact: The impact from a successful attack can be quite devastating. By using the misconfigured printer either as a window into the network or even by simply intercepting the print jobs sent to the printer, sensitive data can be accessed much more easily.

For more details about our assessment of vulnerable wireless printers: https://www.pwnieexpress.com/rogue-device-spotlight-wireless-printers/

Unauthorized & Unchecked: High Risk BYOx in the Wild

Pwn Pulse is a rogue device detection system by Pwnie Express.
It provides continuous visibility throughout the wired, wireless and RF spectrum, across all physical locations including remote sites and branch offices, detecting “known-bad”, unauthorized, vulnerable, and suspicious devices. Using anonymized data from real-world customer environments, Pwn Pulse provides insight into the prevalence of unauthorized and vulnerable BYOx devices in organizations today. The statistics below are based on a sample of over 250,000 wireless devices detected by Pwn Pulse across a variety of customer environments and industry verticals. Of particular note, these findings show that:
- HP printers are the most prevalent wireless devices deployed in a highly vulnerable default configuration state (e.g., default passwords, unencrypted WiFi, wide open default config) (83%). As outlined in the “Default Wireless Printer Case Study” above, these default-state printers can be undermined to expose confidential print jobs, compromise corporate client devices, and serve as a backdoor into private corporate networks.
- A complete lack of encryption (an “open” network) is the most common risk affecting vulnerable wireless APs (69%).
- Xfinitywifi dominates the WiFi landscape as the most common open (unencrypted) network (58%).
- Samsung mobile devices are the most prevalent devices deployed as vulnerable mobile hotspots with no encryption (“open” network) or weak encryption (42%).
- Wireless/mobile client devices that had previously connected to a default Linksys AP are the most vulnerable to eavesdropping and man-in-the-middle attacks (45%).
- Wireless/mobile client devices that had previously connected to an “attwifi” AP are the most vulnerable to Evil AP attacks (36%).

Figure 6: HP printers are the most prevalent wireless devices deployed in a highly vulnerable default configuration state.
Figure 7: Lack of encryption is the most common risk affecting vulnerable wireless APs.
Figure 8: Xfinitywifi dominates the WiFi landscape as the most common open (unencrypted) network.
Figure 9: Samsung mobile devices are the most prevalent devices deployed as vulnerable mobile hotspots with no encryption (“open” network) or weak encryption.
Figure 10: Wireless/mobile client devices that had previously connected to a default Linksys AP are the most vulnerable to eavesdropping and man-in-the-middle attacks.
Figure 11: Wireless/mobile client devices that had previously connected to an “attwifi” AP are the most vulnerable to Evil AP attacks.

Additional References
http://smallbusiness.foxbusiness.com/technology-web/2014/10/02/5-tablet-security-threats-are-yours-protected/
http://www.zdnet.com/article/byod-why-the-biggest-security-worry-is-the-fool-within-rather-than-the-enemy-without/
http://www.techrepublic.com/article/byon-is-a-bigger-threat-to-the-enterprise-than-byod-says-sysaid-ceo/
http://midsizeinsider.com/en-us/article/security-risks-from-using-bring-your-own
http://www.pcworld.com/article/254518/your_printer_could_be_a_security_sore_spot.html
https://threatpost.com/majority-of-4g-usb-modems-sim-cards-exploitable/110139
http://www.informationweek.com/mobile/google-glass-security-risk-for-governments/d/d-id/1111246
http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10047

The Internet of Insecure Things: The Proliferation of Vulnerable IoT Devices

“There’s not a CIO out there who has an effective umbrella strategy for the Internet of Things today. The attack surface is gargantuan, and continues to grow exponentially. Making matters worse, current approaches don’t offer the robust, enterprise-level security that’s needed.”
Shawn Wiora, CIO and CISO at Creative Solutions in HealthCare

This category of IoET hardware encompasses IoT devices that are physically or logically incapable of complying with standard, minimum viable or baseline security controls. At the heart of the IoT are the Internet connected devices.
In its 2014 Internet of Everything market research, ABI Research determined that the installed base of active wireless connected devices would exceed 16 billion in 2014, up more than 20% over 2013’s number. Looking ahead to 2020, ABI Research forecasts the number of devices to more than double, to 40.9 billion.[1]

Many manufacturers are bringing devices to market with little attention to security and privacy. According to John Pescatore, a director of the SANS Institute, “Because so many devices will be coming from consumer markets, the price, size and power constraints for many of those devices almost guarantee security will be an afterthought.”[2]

The Open Web Application Security Project (OWASP) has created an Internet of Things Top Ten Project to help device manufacturers, developers and consumers address the most common security shortcomings. OWASP’s view is that it is not just about the device, or the network, or the client: there are many disparate components involved, and securing the IoT will require a holistic approach.

A 2014 survey conducted by the SANS Institute found that the majority of the cybersecurity community is already familiar with the security issues around the IoT. 78 percent of InfoSec professionals were unsure about their capabilities for basic visibility and management of these devices, or stated they lacked the capability to secure them. 46 percent do not feel they have a policy in place that could drive the necessary level of visibility and management of IoT devices. As the report author wrote, “you need visibility in order to know what you need to protect and how to protect it.”[3]

As the IoT grows exponentially, the ability to monitor and secure these devices lags far behind and, in many cases, is completely non-existent.
Cyber criminals have been quick to leverage these shortcomings to surreptitiously steal data and information, spread malware, create botnets, launch denial of service attacks, commit industrial sabotage and infiltrate public and private networks.

The Internet of Insecure Things: Example Devices
- Hackable thermostats
- Vulnerable burglar alarms
- Flawed IP cameras
- Hijacked UAVs/drones
- Insecure Smart TVs
- Limited-security fitness tracking devices
- Rooted wearable tech
- Vulnerable medical devices
- Critically flawed automobiles
- Spoofable aircraft controls
- Hackable smart meters
- Remotely accessible heating/cooling systems
- Critically flawed industrial automation devices

[1] ABI Research press release, The Internet of Things Will Drive Wireless Connected Devices to 40.9 Billion in 2020, 20 August 2014
[2] John Pescatore, SANS Institute, Securing the “Internet of Things” Survey, January 2014
[3] See supra, note 2

The Internet of Insecure Things: The VoCore Embedded AP Case Study

The VoCore is a low cost micro computer best known for its diminutive size. At merely 25 x 25 mm, it can serve as a low cost way of Internet-enabling almost any IoT device imaginable. The VoCore is an Indiegogo funded project and can easily be acquired online today, either fully assembled or as a DIY kit. Out of the box, the VoCore acts as an easy-to-use, transparent wireless bridge. Simply plug this tiny device into your wired network and, by default, it will immediately start broadcasting an open wireless network. Once a wireless client connects to the VoCore wireless access point, the wireless client obtains an IP address directly from the wired network the VoCore is plugged into. What is even scarier about this device is that because it acts as a transparent bridge it is virtually undetectable on the wired side of the network. It does not take an IP address on either the wired or the wireless side, so there is nothing to ping, scan or configure once it is plugged into the wire. The one trace it cannot hide is the traffic it bridges: every wireless client that joins it reaches the wire with its own source MAC address on the same switch port, and its DHCP request lands on the wired network’s DHCP server, so per-port MAC counts and unexpected DHCP leases on access ports are the wired-side check for this class of device.
In addition, the wireless chipset on this device supports packet injection and can easily be modified to attack wireless networks or clients and run Evil AP attacks.

Popularity: While not yet commonly used (to our knowledge), the VoCore’s Indiegogo funding helped it become well known in theory, if not yet in practice. With its ease of use, low cost and low physical profile, it is likely that the VoCore will be seen on a more consistent basis in the near future.
Simplicity: The VoCore is extraordinarily easy to acquire and use. While DIY kits are available, for slightly more money a fully assembled unit can be purchased and deployed with extreme ease.
Impact: The VoCore is the kind of device that can cause substantial damage in the hands of both experienced and inexperienced users. With some knowledge of how to take full advantage of its capabilities, the VoCore can be used to compromise an entire network. Even an inexperienced user, however, could leave a sizeable hole in a network’s defenses by simply plugging the device into an Ethernet jack.
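The wired-side trace a transparent bridge leaves, worked through as an added example (this is not code from the report or from Pwn Pulse): a bridge like the VoCore has no address of its own, but each wireless client it relays shows up as one more source MAC on the switch port it is plugged into. The check below parses a Cisco-style "show mac address-table" dump and reports access ports that learn more MACs than their profile allows, plus MACs absent from the asset inventory. The port names, MAC addresses, port profiles and inventory are all constructed for the demonstration.

```python
import re
from collections import defaultdict

# Added example, not Pwnie Express or Pwn Pulse code. A transparent bridge
# such as the VoCore has no IP address of its own, but every wireless client
# it bridges reaches the wire with its own source MAC, so the switch port the
# bridge hangs off learns more MAC addresses than the single device an access
# port should carry. Port names, MACs, profiles and inventory below are
# constructed for the demo.

MAC_ROW = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+\S+\s+(?P<port>\S+)",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return [(vlan, mac, port)] from 'vlan  mac  type  port' rows.
    Header and separator lines never match the pattern and are skipped."""
    rows = []
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            rows.append((int(m["vlan"]), m["mac"].lower(), m["port"]))
    return rows


def find_bridged_ports(rows, inventory, port_limits, uplinks, default_limit=1):
    """inventory: MACs of known assets. port_limits: {port: max MACs allowed}
    (2 for a PC daisy-chained behind an IP phone). uplinks are trunk ports,
    ignored because they legitimately carry many MACs.
    Findings: ("EXCESS_MACS", port, sorted macs) and ("UNKNOWN_MAC", port, mac)."""
    seen = defaultdict(set)
    for _, mac, port in rows:
        if port not in uplinks:
            seen[port].add(mac)
    findings = []
    for port in sorted(seen):
        macs = seen[port]
        if len(macs) > port_limits.get(port, default_limit):
            findings.append(("EXCESS_MACS", port, sorted(macs)))
        for mac in sorted(macs - inventory):
            findings.append(("UNKNOWN_MAC", port, mac))
    return findings


# Constructed dump: Gi1/0/6 carries a phone plus the PC behind it (allowed 2);
# Gi1/0/7 carries the inventoried desktop plus two MACs that exist only because
# a bridge on that port is relaying wireless clients onto the wire.
SAMPLE_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2200.0010    DYNAMIC     Gi1/0/5
  10    0011.2200.0011    DYNAMIC     Gi1/0/6
  10    0011.2200.0012    DYNAMIC     Gi1/0/6
  10    0011.2200.0020    DYNAMIC     Gi1/0/7
  10    0011.2200.0099    DYNAMIC     Gi1/0/7
  10    0011.2200.00a1    DYNAMIC     Gi1/0/7
  10    0011.2200.0001    DYNAMIC     Gi1/0/24
  20    0011.2200.0002    DYNAMIC     Gi1/0/24
"""
INVENTORY = {"0011.2200.0010", "0011.2200.0011", "0011.2200.0012", "0011.2200.0020"}
PORT_LIMITS = {"Gi1/0/6": 2}          # IP phone + PC behind it
UPLINKS = {"Gi1/0/24"}


def audit_sample():
    return find_bridged_ports(parse_mac_table(SAMPLE_TABLE), INVENTORY, PORT_LIMITS, UPLINKS)


if __name__ == "__main__":
    for finding in audit_sample():
        print(*finding)
```

Running it reports Gi1/0/7 for carrying three MACs against a one-device profile and names the two MACs that no asset record explains. The check is only as good as the bridge’s transparency: a rogue that masquerades its clients behind a single MAC (NAT on its wired side) shows up as one address and slips past it, which is why the wired count should be paired with the wireless-side view (the open SSID the device beacons) and with port security or 802.1X that limits what a port will accept in the first place.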
For more details about our assessment of the VoCore device: https://www.pwnieexpress.com/rogue-device-spotlight-vocore/

The Internet of Insecure Things: Vulnerable IoT in the Wild

Below are just a few examples of real-world security breaches caused by vulnerable IoT devices:
http://www.infoworld.com/article/2613909/hacking/researcher-hijacks-insecure-embedded-devices-en-masse-for-internet-census.html
http://blog.trendmicro.com/security-flaw-at-thousands-of-gas-stations-shows-risks-for-internet-of-everything/
https://nakedsecurity.sophos.com/2012/12/12/samsung-tv-vulnerability/
http://www.computerworld.com/article/2496537/security0/wireless-ip-cameras-open-to-hijacking-over-the-internet-researchers-say.html
http://www.wsj.com/articles/SB126102247889095011
http://www.wired.com/2014/08/wireless-car-hack/
http://arstechnica.com/security/2010/08/cars-hacked-through-wireless-tyre-sensors/
http://www.wired.com/2014/04/traffic-lights-hacking/

Additional References
https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=OWASP_Internet_of_Things_Top_10_for_2014
http://resources.infosecinstitute.com/internet-things-much-exposed-cyber-threats/
http://www.wired.com/2012/12/darpa-drones/
http://www.forbes.com/sites/larrymagid/2014/07/31/safety-security-and-privacy-risks-of-fitness-tracking-and-quantified-self/
http://www.computerworld.com/article/2881545/security-privacy-gaps-put-us-drivers-at-risk.html
http://www.bbc.com/news/technology-22608085
http://searchconsumerization.techtarget.com/news/2240242717/IoT-technologies-emerge-to-manage-connected-device-deluge

Plug-and-Play Cyber Espionage: The Commoditization of Malicious Hardware

“Over the past several years I’ve witnessed first-hand how malicious devices have become easier to acquire and deploy.
Today, there are several choices using off-the-shelf hardware and software that make it much easier to pull off attacks such as keystroke logging, MiTM devices which have a physical presence, and persistent hardware backdoors.”
Paul Asadoorian, Founder and CEO, Security Weekly

Plug-and-play “Evil Access Points” and malicious drop boxes were just the beginning. Over the past 10 years, the weaponization of IoT has resulted in a plethora of low cost, commercially available malicious hardware devices, including:
- Purpose built, application specific devices designed to capture passwords, credit and debit card numbers, PINs, keystrokes and confidential or proprietary data;
- Devices designed to breach WiFi networks, wireless access points, wireless/mobile client devices and Bluetooth devices;
- Devices that compromise the security of cellular networks, cell towers, base stations, cellular and mobile devices, SMS and text messaging services and pagers;
- Devices designed to attack other commonly used RF technologies, such as RFID and NFC, ZigBee, Z-Wave, GPS, satellite, wM-Bus, DASH7 and 6LoWPAN;
- Compromised, counterfeit, modified or backdoored hardware components;
- Standalone, purpose built, covert remote access hardware, aka “drop boxes”;
- Devices designed to surreptitiously monitor and/or record video, audio, photographic or location tracking data; and
- Devices used to compromise the security of Industrial Control Systems (ICS/SCADA environments) and critical infrastructure systems.

In the past, attacks of this caliber required highly specialized, expensive equipment and a deep level of technical expertise. Today the proliferation of plug-and-play hacking devices has made many of these attacks easier than setting up a home router. These malicious hardware devices now come in a variety of portable, stealthy form factors, and some can be purchased online for as little as $10.
In a Financial News article about tools used for cyber espionage, Stuart Poole-Robb of the London-based business intelligence and cyber security firm KCS Group said, “The wide range of devices made purely for computer hacking is evidence of the increasing sophistication of the attacks and the degree of forward planning that goes into them.”[4]

In 2014 security expert Brian Krebs detailed in a blog post how a group of thieves ran a multi-million dollar fraud ring that involved installing Bluetooth enabled wireless gas pump skimmers at filling stations throughout the southern United States. The rogue Bluetooth skimming devices used in the attack took just minutes to install and netted more than $2.1 million for the criminals involved.[5]

Once deployed, malicious hardware devices can operate for weeks, months or even years without detection, remotely controlled over covert channels, WiFi, Bluetooth, 4G/LTE cellular and sometimes even text messages. Powered by AC, USB, PoE or battery packs, many of these devices are small enough to hide almost anywhere. In the wild, they have been spotted under desks, behind baseboards and wall jacks, and inside desk phones, power strips, Ethernet couplers, UAVs/drones and even custom 3D-printed enclosures.

By operating at the lowest layer of the network stack, the physical layer, malicious hardware can compromise all other layers of defense. Today’s malicious hardware can circumvent all operating system and application layer security controls, Network Access Control (NAC), switch port security, domain authentication, network and wireless IPS, application-aware firewalls, high security wireless deployments, and even HTTPS/SSL encryption.
[4] Financial News, Five top cyber espionage devices, September 12, 2014
[5] KrebsOnSecurity blog, Gang Rigged Pumps with Bluetooth Skimmers, January 22, 2014

Plug-and-Play Cyber Espionage: Example Devices
- Evil Twins: Unauthorized/rogue wireless AP using the same network name (i.e., SSID) as the corporate wireless network;
- Evil APs: An Evil AP answers wireless clients’ probe requests for the open networks they remember, tricking them into connecting to the attacker’s wireless access point;
- HAK5 WiFi Pineapple: A plug-and-play Evil Access Point designed to hijack and compromise wireless clients;
- KeyGrabber WiFi: A stealthy USB device used to capture keystrokes from the keyboard of a target computer. Uses WiFi to upload keystrokes to an attacker over the Internet;
- MiniPwner: Hacking and pentesting drop box used to gain backdoor remote access to a target network;
- Pwn Phone/Pad: Mobile pentesting platform for an Android-based phone or tablet. An unauthorized Pwn Phone/Pad in the hands of a rogue actor can be used as a malicious attack device;*
- Pwn Plug: Plug-and-play, portable pentesting platform. An unauthorized Pwn Plug in the hands of a rogue actor can be used as a malicious drop box;*
- Kali NetHunter phones: Mobile pentesting platform for Android-based mobile devices;
- ANTCOR WiFi Network Unlocker: Automated one-click wireless encryption cracking and bridging device supporting WEP, WPA and custom password dictionary attacks;
- Kali supported covert hardware: Stealthy, small form factor single board computers running a Linux distribution designed for hacking and pentesting.

* While Pwnie Express devices are marketed to InfoSec professionals and licensed for authorized uses only, Pwnie Express acknowledges that even its own products can be misused in a malicious or unauthorized manner by a rogue actor.
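The Evil Twin and Evil AP entries above, the open default-state printer AP and the clients that keep auto-joining it (Default Wireless Printer Case Study), and the open-network and previously-connected-client statistics (High Risk BYOx in the Wild) all reduce to reading two 802.11 management frame types off the air. What follows is an added example, not code from the report or from Pwn Pulse: it parses constructed beacon and probe-request frames, classifies each AP as OPEN, WEP, WPA or WPA2 from the capability field and its RSN/WPA information elements, flags an AP that advertises a corporate SSID from an unauthorised BSSID as an evil twin, and flags a client whose directed probe names an SSID that is being beaconed open as an Evil AP target. The SSIDs "CorpWiFi" and "HP-Print-Setup", the MAC addresses and the authorised-BSSID map are invented for the demonstration.

```python
import struct

# Added example, not code from the report or from Pwn Pulse. A wireless sensor
# needs two 802.11 management frame types for the threats discussed above:
# beacons, which reveal an AP's SSID and security mode (open/WEP APs, evil
# twins of a corporate SSID), and probe requests, in which a client names the
# networks it remembers and will auto-join (Evil AP targets). All frames, MAC
# addresses and SSIDs below are constructed for the demonstration.
SUBTYPE_PROBE_REQ, SUBTYPE_BEACON = 4, 8
CAP_PRIVACY = 0x0010                  # capability-info bit 4: encryption in use
IE_SSID, IE_RSN, IE_VENDOR = 0, 48, 221
WPA1_OUI_TYPE = b"\x00\x50\xf2\x01"   # Microsoft OUI + type 1 = legacy WPA IE

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_ies(body):
    """Split tagged parameters into (tag, data) pairs; stop at a truncated IE."""
    ies, i = [], 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        data = body[i + 2:i + 2 + length]
        if len(data) < length:
            break
        ies.append((tag, data))
        i += 2 + length
    return ies

def ie_ssid(ies):
    return next((d.decode("utf-8", "replace") for t, d in ies if t == IE_SSID), "")

def classify_security(capability, ies):
    if any(t == IE_RSN for t, _ in ies):
        return "WPA2"
    if any(t == IE_VENDOR and d[:4] == WPA1_OUI_TYPE for t, d in ies):
        return "WPA"
    return "WEP" if capability & CAP_PRIVACY else "OPEN"

def parse_frame(frame):
    """Parse a beacon or probe request; None for any other frame type/subtype."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc = frame[0]
    if (fc >> 2) & 0x3 != 0:                  # frame type 0 = management
        return None
    subtype, sa, bssid, body = fc >> 4, frame[10:16], frame[16:22], frame[24:]
    if subtype == SUBTYPE_BEACON:
        if len(body) < 12:
            raise ValueError("truncated beacon fixed parameters")
        capability = struct.unpack_from("<H", body, 10)[0]   # after timestamp, interval
        ies = parse_ies(body[12:])
        return {"kind": "beacon", "bssid": mac_str(bssid), "ssid": ie_ssid(ies),
                "security": classify_security(capability, ies)}
    if subtype == SUBTYPE_PROBE_REQ:
        return {"kind": "probe", "client": mac_str(sa), "ssid": ie_ssid(parse_ies(body))}
    return None

def assess(frames, corporate):
    """corporate = {ssid: {authorised bssids}}; returns (code, subject, ssid) findings."""
    parsed = [p for p in map(parse_frame, frames) if p]
    open_ssids = {p["ssid"] for p in parsed if p["kind"] == "beacon" and p["security"] == "OPEN"}
    findings = []
    for p in parsed:
        if p["kind"] == "beacon":
            if p["security"] in ("OPEN", "WEP"):
                findings.append((p["security"] + "_AP", p["bssid"], p["ssid"]))
            if p["ssid"] in corporate and p["bssid"] not in corporate[p["ssid"]]:
                findings.append(("EVIL_TWIN", p["bssid"], p["ssid"]))
        elif p["ssid"]:                       # directed probe names a remembered SSID
            code = "EVIL_AP_TARGET" if p["ssid"] in open_ssids else "DIRECTED_PROBE"
            findings.append((code, p["client"], p["ssid"]))
    return findings

# Constructed sample frames: 24-byte header, broadcast DA, zero sequence control.
def mgmt_frame(subtype, sa, bssid, body):
    return bytes([subtype << 4, 0, 0, 0]) + b"\xff" * 6 + sa + bssid + b"\x00\x00" + body

def ssid_ie(ssid):
    return bytes([IE_SSID, len(ssid)]) + ssid

def beacon(bssid, ssid, capability, extra_ies=b""):
    fixed = struct.pack("<QHH", 0, 100, capability)   # timestamp, beacon interval, capability
    return mgmt_frame(SUBTYPE_BEACON, bssid, bssid, fixed + ssid_ie(ssid) + extra_ies)

# RSN IE: version 1, group CCMP, one pairwise CCMP, one AKM PSK, capabilities 0
RSN_WPA2_PSK = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 0000")
AP_CORP, AP_ROGUE = b"\x00\x11\x22\x00\x00\x01", b"\x00\x11\x22\xaa\xaa\xaa"
AP_PRINTER, CLIENT = b"\x00\x11\x22\x00\x00\x02", b"\x00\x11\x22\x00\x00\x99"
SAMPLE_FRAMES = [
    beacon(AP_CORP, b"CorpWiFi", 0x0011, RSN_WPA2_PSK),      # authorised WPA2-PSK AP
    beacon(AP_ROGUE, b"CorpWiFi", 0x0001),                   # open evil twin of CorpWiFi
    beacon(AP_PRINTER, b"HP-Print-Setup", 0x0001),           # default-state printer AP, open
    mgmt_frame(SUBTYPE_PROBE_REQ, CLIENT, b"\xff" * 6, ssid_ie(b"HP-Print-Setup")),
    mgmt_frame(SUBTYPE_PROBE_REQ, CLIENT, b"\xff" * 6, ssid_ie(b"")),   # wildcard probe
]
CORPORATE = {"CorpWiFi": {mac_str(AP_CORP)}}
```

Calling `assess(SAMPLE_FRAMES, CORPORATE)` yields four findings: two open APs, the evil twin of CorpWiFi, and the client whose directed probe for the open printer SSID makes it an Evil AP target. The ranking is deliberate: a client only joins an impersonated network silently when the remembered profile is open, because for a WPA/WPA2 profile the handshake fails unless the attacker also knows the key. Expect the probe-side signal to weaken over time, since newer client operating systems increasingly withhold directed probes for networks that are not hidden; the beacon-side checks (open and WEP APs, unauthorised BSSIDs for corporate SSIDs) do not depend on client behaviour.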
Plug-and-Play Cyber Espionage: Wireless KeyGrabber Case Study

Created by KeeLog, the KeyGrabber product line includes no fewer than six distinct types of devices designed for the express purpose of capturing, storing and reporting intercepted keystrokes from a locally connected keyboard. Each one is intended for a slightly different deployment, from a bare PCB the user needs to solder into the keyboard to “nano” sized units that easily slip between the computer and keyboard. KeeLog even offers an open source DIY keylogger that anyone can build around an Atmel microcontroller. KeeLog’s top of the line product is the KeyGrabber Wi-Fi Premium, an Internet-connected keylogger which allows for device configuration and data retrieval over the local network or Internet. Once a KeyGrabber Wi-Fi Premium is deployed, it could be left operational on-site indefinitely.

Popularity: The KeyGrabber is a series of devices, all of which are designed for commercial use in addition to their use for other, maybe more questionable purposes.

Simplicity: The KeyGrabber stands alone in incredible ease of use. The device is sold commercially as a way of tracking children’s online whereabouts and employee productivity, so it is designed for the most inexperienced user. With a DIY kit and multiple models, the tool is also easily accessible.

Impact: The impact of a KeyGrabber is entirely a function of what is typed. While most organizations cannot be taken down by the contents of an employee’s daily email, a few stolen username/password combinations could prove disastrous to the organization.
For more details about our assessment of the Wireless KeyGrabber device: https://www.pwnieexpress.com/rogue-device-spotlight-wireless-keygrabber/

Plug-and-Play Cyber Espionage: Malicious Hardware in the Wild

In addition to the example devices noted above, malicious use of the following hardware devices has been either publicly demonstrated or referenced as an attack vector in real-world security breaches:

- Rogue cellular base stations
- Cell jammers
- IMSI catchers
- GSM encryption cracking hardware
- HackRF/BladeRF/USRP/Realtek SDR
- SMS/pager message decoders
- RFID cloners (Proxmark, Prox Pik)
- Long-range RFID sniffers
- Zigbee hacking tools (Kisbee, Killerbee, goodFET)
- GPS redirection devices
- Physical security/alarm system hacking devices
- WiFi Robin Auto-Hacking Router
- Reaver Pro II
- r00tabaga MultiPwner
- Ubertooth
- Keysweeper
- Backdoored Cisco hardware
- Rakshasa hardware backdoor
- Power Pwn
- Demyo Power Strip
- Pentester's Dreamplug
- Raspberry Pi Power Strip
- The 3D-printed web enabled power strip
- Poor man's Power Pwn
- DARPA F-Bomb
- Covert micro-hardware (Mouse-Box, Electric Imp, etc.)
- WiFi/Bluetooth/GSM enabled payment card skimmers
- HAK5 Rubber Ducky
- The Glitch
- SerialGhost
- KeyGrabber MultiLogger
- Throwing Star LAN Tap
- Trojan mouse
- Malicious USB devices
- HAK5 USB switchblade/hacksaw
- Hidden/spy cameras
- Hidden microphones
- Malicious drones/UAVs
- GSM bugs
- GPS tracking devices
- The NSA Playset
- Wireless ICS/SCADA attack devices
- RF decoders, replayers, sniffers, and RF jammers

Additional References

http://www.csoonline.com/article/2684064/mobile-security/rogue-cell-towers-discovered-in-washington-dc.html
http://www.engadget.com/2010/01/15/3g-gsm-encryption-cracked-in-less-than-two-hours/
https://www.yahoo.com/tech/a-florida-resident-drove-around-with-a-cellphone-jammer-84369099229.html
http://www.irongeek.com/i.php?page=security/plug-and-prey-malicious-usb-devices
http://www.securityfocus.com/news/8835

Mitigating the IoET Threat: A Call to Action

The IoET represents an emerging threat vector that will only grow as adoption of connected devices continues to surge across the globe. Cyber criminals are more determined than ever to infiltrate military, government and business networks, and high risk hardware has become a significant means of furthering these intrusions.

The Internet of Evil Things: A Rapidly Emerging Threat Vector report is only a first step in an effort to identify, define, classify and defend against the high risk hardware devices that fall within this threat vector. We ultimately hope to provide an industry standard framework that InfoSec professionals can leverage to monitor, detect and respond to hardware device threats affecting their business critical infrastructure. But we know this is easier said than done. While Pwnie Express will continue to work toward a comprehensive solution, combating the IoET cannot and should not be a single company initiative. We call upon security professionals to help us:

1. Identify and catalog all known IoET devices in a referenceable public database;
2. Formalize an industry standard taxonomy and classification system for IoET devices, including a risk rating methodology;
3. Assess the scope, prevalence and impact of IoET devices in real-world network environments.

"A well-researched and thoughtful piece; of high utility to security professionals. The examples are particularly poignant reinforcements to the threats outlined in the report."
Ed Adams, President and CEO of Security Innovation

Join the IoET SWAT Team

Help Pwnie Express mitigate the global threat of the IoET. We invite InfoSec professionals, industry experts and security conscious organizations to contribute to this effort. Please reach out to us via email: [email protected] or get involved by signing up at: www.internetofevilthings.com

About Pwnie Express

Pwnie Express, the world leader in remote security assessment, enables organizations to detect and deter attacks in wireless environments and remote locations by mitigating the growing attack surface created by expanding wireless environments and the emerging threat vector from the IoT. Pwnie Express provides continuous visibility throughout the wired/wireless/RF spectrum, across all physical locations including remote sites and branch offices, detecting “known-bad”, unauthorized, vulnerable, and suspicious devices. Thousands of organizations worldwide rely on Pwnie products for unprecedented insight into their distributed network infrastructures. The award-winning products are backed by the expertise of Pwnie Express Labs, the company's security research arm. Pwnie Express is headquartered in Boston, Massachusetts.

About the Authors

This report was authored by:

Dave Porcello, Founder & CTO, Pwnie Express

Dave founded Pwnie Express in 2010 with the clear vision of providing unparalleled hardware and expertise in network security to safeguard enterprises across sectors, enabling them to conduct business from anywhere while mitigating risk.
An accomplished entrepreneur with more than 12 years' experience in security, Dave served as IT Director for Technology Infrastructure at The School for Field Studies, leading six international field stations. Dave also held a Director of Security position at Vermont Mutual Insurance. Dave draws on his security, business and leadership background to provide the vision for Pwnie Express’s evolving product line.

Rick Farina, Director of Research and Development, Pwnie Labs

Rick, the lead developer of Pentoo Linux, has dedicated the last 15 years of his life to security research on all kinds of wireless technologies. In addition to eight years specializing in WiFi technologies at AirTight, Rick has spoken at numerous wireless and security conferences and has hosted both free and paid training classes to share his experience with the community. Rick is the current Director of Research and Development at Pwnie Labs, where his experience and knowledge are leading Pwnie Labs to the forefront of industry research.