Corelan Cybersecurity Research

Time flies !  After hanging out with @repmovsb and @botherder, it’s time for the last talk of the day.  In the “To dock or not to dock, that is the question” talk, Andy Davis, research director at NCC Group shares his research around using laptop docking stations as hardware-based attack platforms.

Why docking stations as an attack platform?

Docking stations sit in an important position – they have access to all the ports and provision additional interfaces that may not be available on the laptop itself. They are commonly used in “hot-deskting” environment and thus might be used by different laptops every day.  They are permanently powered on and to the network.  IT Admins and users consider these to be “dumb” and trusted devices and treat them as “passive” and anonymous.  If a docking is broken, it can be easily replaced (with a device that has been ‘prepared’ by the attacker, for example).

Encrypted data is decrypted at the laptop and is therefore accessible in the clear, including from the dock perspective.  Andy believes this is a realistic threat.

How do docking stations work ?

Andy mentions that he’s using a Dell E-Port Plus (PRO2X) docking station, which is why he has performed the research on that particular device.  The EPORT extends all interfaces and provisions a number of additional devices (additional USB ports through an internal USB hub, as well as a DisplayPort).  It has a passive Ethernet switch. The laptop ethernet port gets disabled/disconnected when docket.

There’s not a lot of public information available about the inner workings of the station, so Andy had to do research of his own to figure out how it actually works and what the functionality is of the various components placed on the device circuit board.  By default, the dock is extended, allowing you to use a large laptop battery.  This also gives room for additional “features”.

What would a hardware implant do ?

Potential attack vectors or purposes might include:

• capture data from connected laptop via interfaces
• insert data, emulating devices
• exfiltrate stolen data via an out-of-band channel
• identify when different laptops are connected
• remain as stealthy as possible

Passive (non-powered) network tapping

Two interfaces may be required (one for each direction). To make this work, you’ll need to think about downgrading speed on Gigabit networks to avoid that it would send/receive data simultaneously. Passive network tapping is stealthy but not effective against encrypted protocols.  The Dell docking station allows you to connect the additional tap at the bottom of the circuit board, where the ethernet/Usb module is placed.

Active network attack

If you’re not concerned about being stealthy, because you want to launch attacks against the network, you’ll need more space inside the device because you’ll need to add some kind of ethernet hub inside the docking.  It requires more engineering, because it needs to be inline in between the laptop and the dock.  Of course, this won’t be stealthy because as soon as you generate traffic, a new device will be detected on the network

Passive video monitoring

This might allow you to periodically grab screenshots of what is displayed on the screen.  It’s very stealthy and all you need to pull it off is a VideoGhost VGA video monitor cable, which has a USB connector allowing you to connect a USB mass storage device to store the images.  Unfortunately, the via connector is part of a bigger module, which includes a parallel port.  To insert the attack, you’ll have to take the module apart, which complicates matters.

USB /  PS/2 Keyboard monitoring

Hardware keyloggers have been around for many years; and PS/2 might sometimes still be useful in “hardened” environments.  In fact, a PS/2 tap would actually be easier, because the pins are easily accessible on the circuit board.   In any case, if you’re able to insert something, you can also insert keystrokes (Arduino) when the laptop is unlocked.  Of course, if someone is looking at the screen, you would see (suspicious) activity.

Audio monitoring

Sensitive company presentations may be delivered via streamed media.  Increasingly more companies are using VOIP with soft phones. Even with strong network encryption, the audio socket will give you plain analog audio…  assuming that the audio mini-jack is used rather than USB.  If that is the case, tapping the audio can be done easily, the pins are very easily accessible

Webcam/USB monitoring

Laptop webcams are usually directly connected into the internal USB bus of the laptop.  If we can tap the upstream USB bus, we can capture the traffic, which may include web/video conferences.  Of course, data needs to be decoded.  This might be useful to check if someone is present in the office or at the device.   Instead of tapping the USB port directly on the port, just tap into the USB controller to tap the upstream ports, which gives you access to all USB traffic on the USB bus… on any USB device.   Pins can be accessed quite easily.

Proprietary Dock connector

The 144 pin proprietary connector attached to current versions of the connector are no longer publicly documented, but there is still information available for the older C-series.  Andy mentions that more works needs to be done in order to properly reverse engineer this connector.

The Control Platform

The attack implant needs to be small enough to fit into the dock and needs to be configurable enough.  It needs to be powerful enough (so we can decode, etc) and remotely controllable via an out-of-band communications channel.   Andy continues to explain that his control platform, named “SpyFi” is based on a Raspberry Pi (model B, based on an ARM 11 processor), running Linux.  In addition to the Raspberry Pi, we need one additional USB Ethernet adapter and a USB sound card.  An Arduino might be required as well to do additional keystroke injection, if necessary.  A USB 3G modem would be perfect as an out-of-band communication mechanism to either store-and-forward data at certain points in time, or provide a realtime shell.

Andy continues to demonstrate how he took apart the docking station to fit in the Raspberry Pi and all additional components.

Of course, the Raspberry Pi needs to be connected to a permanent power supply.  The DC voltage provided by the power supply of the docking is +19.5V, the Rasberry Pi needs +5V.  In any case, the docking station contains sufficient space to fit in all elements.

Detecting Hardware Implants

• Passive networking:  You might notice the speed downgrade if you’re used to be connected to a Gigabit ethernet port.
• Active network attack: Shows up a new MAC address on the network.
• Keystroke insertion: easily visually spotted
• Weight: the device is slightly heavier.   Simple technique but… labour intensive and weight could be manipulated by removing weight to offset the added weight of the additional electronics
• Heat: the infrared heat signature should highlight additional electronics inside the docking.  Simple and will clearly reveal the place that contains additional electronics. It still is labour-intensive and thermal shields could be used to further hide the implant.
• RF emanations: if you’re using a 3G/HSPA modem, you may be able to pick up signals coming from the docking station.  It does require specialist equipment and there might be other devices using the same frequency range (legitimate 3G connector in the device, phone, etc)
• Current consumed: Any additional electronics are going to increase the current consumption, but it requires very accurate measurement, which is labour-intensive.  On top of that, there may be variations in the baseline current drawn by a dock.

Attack Mitigation

• To prevent the implants from working or being installed in the first place:
• Port level filtering on the switch will help detecting an active adapter
• Ensure confidential data is encrypted
• Physically secure all docking stations
• Use anti-tamper seals
• Use RF shielding to prevent the implant from communicating

Future Research

• More work needs to be done to figuring out what can be achieved via the dock connector
• Look at some other docking stations to identify different capabilities
• Survey corporates to discover if they have encountered any dock “incidents”.  A survey in the audience shows that nobody really considered this type of attack could/might have been deployed at their company

Conclusions

Laptop docking stations are widely used and trusted.  Attackers have a history of using hardware-based attacks (key loggers), so docking stations may be next.  There are a couple of techniques available to detect hardware implants (with thermal cameras probably being the best one), but the best approach is to try to avoid that someone would be able to tamper with the docking station. (physical security, anti-tamper stickers).  Of course, using smaller-sized docking stations would also make it more complex (not impossible) to insert the implant.

© 2013, Peter Van Eeckhoutte (corelanc0d3r). All rights reserved.

Similar/Related posts:

BlackHatEU2013 – Day1 – Hardening Windows 8 Apps for the Windows Store BlackHatEU2013 – Day1 – Hacking Appliances BlackHatEU2013 – Day2 – Who’s really attacking your ICS devices ? BlackHatEU2013 – Day1 – Practical Attacks against MDM solutions BlackHatEU2013 – Day2 – Advanced Heap Manipulation in Windows 8