Time flies! After hanging out with @repmovsb and @botherder, it’s time for the last talk of the day. In the “To dock or not to dock, that is the question” talk, Andy Davis, research director at NCC Group, shares his research around using laptop docking stations as hardware-based attack platforms.
Docking stations sit in an important position – they have access to all the ports and provide additional interfaces that may not be available on the laptop itself. They are commonly used in “hot-desking” environments and thus might be used by different laptops every day. They are permanently powered on and connected to the network. IT admins and users consider these to be “dumb” and trusted devices and treat them as “passive” and anonymous. If a docking station is broken, it can easily be replaced (with a device that has been ‘prepared’ by an attacker, for example).
Encrypted data is decrypted at the laptop and is therefore accessible in the clear, including from the dock’s perspective. Andy believes this is a realistic threat.
Andy mentions that he’s using a Dell E-Port Plus (PRO2X) docking station, so that is the device on which he performed his research. The E-Port extends all interfaces and provides a number of additional devices (additional USB ports through an internal USB hub, as well as a DisplayPort). It has a passive Ethernet switch: the laptop’s Ethernet port gets disabled/disconnected when docked.
There’s not a lot of public information available about the inner workings of the station, so Andy had to do his own research to figure out how it actually works and what the various components on the circuit board do. By default, the dock is extended, allowing you to use a large laptop battery. This also gives room for additional “features”.
Potential attack vectors or purposes might include network tapping, active network attacks, video capture, keyboard logging and keystroke injection, audio tapping, and USB/webcam traffic capture:
For a passive network tap, two interfaces may be required (one for each direction). To make this work, you’ll need to think about downgrading the link speed on Gigabit networks, so that the link doesn’t send and receive data simultaneously. Passive network tapping is stealthy but not effective against encrypted protocols. The Dell docking station allows you to connect the additional tap at the bottom of the circuit board, where the Ethernet/USB module is placed.
If you’re not concerned about being stealthy, because you want to launch attacks against the network, you’ll need more space inside the device, because you’ll need to add some kind of Ethernet hub inside the docking station. It requires more engineering, because it needs to be inline between the laptop and the dock. Of course, this won’t be stealthy, because as soon as you generate traffic, a new device will be detected on the network.
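The two network scenarios above each leave a trace on the access switch: a passive tap on a Gigabit link needs the link forced down to 100 Mb/s, and an active implant has to source its own frames, so it shows up as an extra MAC address on the port. The following script is an added example (not from the talk or this write-up) that checks a snapshot of dock-facing switch ports for both conditions. Because docks are hot-desked and the laptop behind a port changes legitimately, MAC addresses are matched against a fleet asset list rather than a per-port baseline. The snapshot format, port names, MAC addresses and speeds are all constructed; real input would come from SNMP or the switch CLI.

```python
"""Added example: baseline check for switch ports behind docking stations.

Flags (a) a MAC address on a port that is not a known fleet asset and
(b) a port that was baselined at 1000 Mb/s now running slower.
All data below is constructed; the snapshot line format is an assumption
made for this example, not a real switch output format.
"""
from dataclasses import dataclass, field


@dataclass
class PortState:
    speed_mbps: int
    macs: set = field(default_factory=set)


@dataclass(frozen=True)
class Finding:
    port: str
    kind: str      # "new-mac" or "speed-downgrade"
    detail: str


def parse_snapshot(text: str) -> dict:
    """Parse one line per port: '<port> <speed_mbps> <mac> [<mac> ...]'.
    Lines starting with '#' are comments. MACs are normalised to lowercase."""
    ports = {}
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        port, speed, macs = fields[0], int(fields[1]), fields[2:]
        ports[port] = PortState(speed, {m.lower() for m in macs})
    return ports


def find_port_anomalies(baseline_speed: dict, known_assets: set, observed: dict) -> list:
    """Compare a fresh poll against the per-port speed baseline and the asset list."""
    findings = []
    assets = {m.lower() for m in known_assets}
    for port, now in sorted(observed.items()):
        # A MAC that is not a corporate laptop is a device that should not be there.
        for mac in sorted(now.macs - assets):
            findings.append(Finding(port, "new-mac", f"{mac} is not a known asset"))
        # A Gigabit port negotiating slower deserves a look (bad cable, or a tap).
        expected = baseline_speed.get(port)
        if expected == 1000 and now.speed_mbps < 1000:
            findings.append(Finding(port, "speed-downgrade",
                                    f"link at {now.speed_mbps} Mb/s, baseline {expected} Mb/s"))
    return findings


# --- constructed sample data ---------------------------------------------
# Known-good link speeds per dock-facing port.
BASELINE_SPEED = {"Gi1/0/1": 1000, "Gi1/0/2": 1000, "Gi1/0/3": 1000}

# Fleet laptop NIC addresses (made-up values).
KNOWN_ASSETS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}

# Today's poll. Port 1 has a different (but known) laptop than yesterday,
# which is normal for hot-desking. Port 2 shows an extra MAC (b8:27:eb is the
# Raspberry Pi Foundation OUI; the rest of the address is made up). Port 3
# came up at 100 Mb/s on a Gigabit link.
SNAPSHOT = """
# port   speed  macs...
Gi1/0/1  1000   00:11:22:33:44:02
Gi1/0/2  1000   00:11:22:33:44:01 b8:27:eb:00:00:01
Gi1/0/3  100    00:11:22:33:44:03
"""


def sample_findings() -> list:
    return find_port_anomalies(BASELINE_SPEED, KNOWN_ASSETS, parse_snapshot(SNAPSHOT))


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.port}: {f.kind}: {f.detail}")
```

A speed downgrade on its own is a weak signal (a worn cable produces the same symptom), so it is best treated as a prompt for a physical check of the dock rather than an alert in itself; the unknown-MAC finding is the stronger of the two, and only fires once the implant actually talks.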
Tapping the video output might allow you to periodically grab screenshots of what is displayed on the screen. It’s very stealthy and all you need to pull it off is a VideoGhost VGA video monitor cable, which has a USB connector allowing you to connect a USB mass storage device to store the images. Unfortunately, the VGA connector is part of a bigger module, which also includes a parallel port. To insert the tap, you’ll have to take the module apart, which complicates matters.
Hardware keyloggers have been around for many years, and PS/2 might sometimes still be useful in “hardened” environments. In fact, a PS/2 tap would actually be easier, because the pins are easily accessible on the circuit board. In any case, if you’re able to insert something, you can also inject keystrokes (Arduino) when the laptop is unlocked. Of course, if someone is looking at the screen, they would see (suspicious) activity.
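A board injecting keystrokes through the dock’s internal USB hub enumerates on the laptop as a USB HID keyboard, so the host logs it like any other keyboard. The script below is an added example (not from the talk or this write-up) that scans Linux kernel `hid-generic` log lines and reports keyboard-class devices whose vendor:product id is not on an allowlist of issued peripherals. The log lines, the allowlist and the vendor/product ids are constructed for the example.

```python
"""Added example: spot unexpected USB keyboards in Linux kernel log lines.

The kernel's HID subsystem logs each HID interface it binds as
  hid-generic BBBB:VVVV:PPPP.NNNN: <ifaces>: USB HID vX.YY <Kind> [<name>] on <path>
This parses those lines and reports Keyboard-class devices not on the allowlist.
Sample lines and ids below are constructed.
"""
import re

HID_LINE = re.compile(
    r"hid-generic (?P<bus>[0-9A-Fa-f]{4}):(?P<vid>[0-9A-Fa-f]{4}):(?P<pid>[0-9A-Fa-f]{4})"
    r"\.[0-9A-Fa-f]+: (?P<ifaces>[\w,]+): USB HID v[\d.]+ (?P<kind>[\w ]+?) "
    r"\[(?P<name>[^\]]*)\] on (?P<path>\S+)"
)


def parse_hid_events(lines):
    """Yield one dict per hid-generic line; non-matching lines are ignored."""
    for line in lines:
        m = HID_LINE.search(line)
        if m:
            event = m.groupdict()
            event["vid_pid"] = f"{event['vid']}:{event['pid']}".lower()
            yield event


def unexpected_keyboards(lines, allowlist):
    """Return keyboard-class HID devices whose 'vvvv:pppp' is not allowlisted."""
    allowed = {a.lower() for a in allowlist}
    return [e for e in parse_hid_events(lines)
            if e["kind"] == "Keyboard" and e["vid_pid"] not in allowed]


# --- constructed sample data ------------------------------------------
# First three lines model the user's own keyboard and mouse on the dock's hub
# at login; the last one, an hour later, models a board appearing as a keyboard.
SAMPLE_LOG = [
    "[  101.210] hid-generic 0003:046D:C31C.0003: input,hidraw0: USB HID v1.10 Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-1.1/input0",
    "[  101.215] hid-generic 0003:046D:C31C.0004: input,hidraw1: USB HID v1.10 Device [Logitech USB Keyboard] on usb-0000:00:14.0-1.1/input1",
    "[  101.400] hid-generic 0003:046D:C077.0005: input,hidraw2: USB HID v1.11 Mouse [Logitech USB Optical Mouse] on usb-0000:00:14.0-1.2/input0",
    "[ 3602.771] hid-generic 0003:2341:8036.0006: input,hidraw3: USB HID v1.01 Keyboard [Arduino LLC Arduino Leonardo] on usb-0000:00:14.0-1.3/input2",
]

# Keyboards and pointing devices issued with the dock (constructed ids).
ALLOWLIST = {"046d:c31c", "046d:c077"}


def sample_alerts():
    return unexpected_keyboards(SAMPLE_LOG, ALLOWLIST)


if __name__ == "__main__":
    for e in sample_alerts():
        print(f"unexpected keyboard {e['vid_pid']} '{e['name']}' at {e['path']}")
```

In practice the lines come from `dmesg` or `journalctl -k`. The vendor id, product id and product string are all claimed by the device, so an allowlist catches an off-the-shelf board with default firmware, not one deliberately configured to mimic the issued keyboard; a second keyboard appearing on the dock’s hub in the middle of a session, when one is already present, is the more robust signal to alert on.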
Sensitive company presentations may be delivered via streamed media, and more and more companies are using VoIP with soft phones. Even with strong network encryption, the audio socket will give you plain analog audio… assuming that the audio mini-jack is used rather than USB. If that is the case, tapping the audio can be done easily, as the pins are very easily accessible.
Laptop webcams are usually connected directly to the internal USB bus of the laptop. If we can tap the upstream USB bus, we can capture the traffic, which may include web/video conferences. Of course, the data needs to be decoded. This might be useful to check if someone is present in the office or at the device. Instead of tapping an individual USB port, tap into the USB controller’s upstream side, which gives you access to all USB traffic on the bus, for any USB device. The pins can be accessed quite easily.
The 144-pin proprietary connector used by current versions of the dock is no longer publicly documented, but there is still information available for the older C-series. Andy mentions that more work needs to be done in order to properly reverse engineer this connector.
The attack implant needs to be small enough to fit into the dock and needs to be configurable enough. It needs to be powerful enough (so we can decode, etc.) and remotely controllable via an out-of-band communications channel. Andy continues to explain that his control platform, named “SpyFi”, is based on a Raspberry Pi (model B, based on an ARM11 processor) running Linux. In addition to the Raspberry Pi, we need one additional USB Ethernet adapter and a USB sound card. An Arduino might be required as well to do additional keystroke injection, if necessary. A USB 3G modem would be perfect as an out-of-band communication mechanism to either store-and-forward data at certain points in time, or provide a real-time shell.
Andy continues to demonstrate how he took apart the docking station to fit in the Raspberry Pi and all additional components.
Of course, the Raspberry Pi needs to be connected to a permanent power supply. The DC voltage provided by the power supply of the docking station is +19.5V, while the Raspberry Pi needs +5V. In any case, the docking station contains sufficient space to fit in all elements.
Laptop docking stations are widely used and trusted. Attackers have a history of using hardware-based attacks (key loggers), so docking stations may be next. There are a couple of techniques available to detect hardware implants (with thermal cameras probably being the best one), but the best approach is to try to prevent someone from tampering with the docking station in the first place (physical security, anti-tamper stickers). Of course, using smaller-sized docking stations would also make it more complex (not impossible) to insert the implant.
© Corelan Consulting BV. All rights reserved. The contents of this page may not be reproduced, redistributed, or republished, in whole or in part, for commercial or non-commercial purposes without prior written permission. See the Terms of Use and Privacy Policy for details.