Tag Archives: WiFi

Security Researcher Creates Remote WiFi USB Charging Cable

Early last week; a security researcher has demonstrated a new means of social engineering which could be used to compromise the security of a computer network:

TL DR: This cable poses a threat from a social engineering perspective. Should these cables become widespread: I would recommend being more careful of the cables you use to charge devices and consider using power outlets for charging.

What kind of threat does this pose?
The researcher created a custom USB cable that looks just like a standard cable. This cable could obviously be used to charge a smartphone. This cable however contains a custom printed circuit board (PCB) that allows an attacker to send commands to it via WiFi. The cable “appears” and acts as a keyboard and mouse when connected to a system and allows the attacker to control as if they had physical access to it and allows the opening of a reverse shell to execute commands:

The researcher demonstrated how the “mouse” feature of the cable could be used to prevent a system from locking after the real user has left the system by continually moving the mouse; just as a real person would.

Worse than this the cable has the potential to conduct WiFi deuthentication (de-auth) attacks which will disconnect devices in the vicinity from the WiFi networks they have connected with. This would constitute a denial of service attack and the inconvenience of having to keep re-connecting your wireless devices to the WiFi network again. Whether such an attack could be used to sniff/capture WiFi authentication credentials or to be used to exploit the KRACK vulnerability is not clear:

How could an adversary use this cable in a practical way?
The adversary simply need to wait for you to plug this cable into one of your systems. They don’t need to be nearby in order for them to access the system the cable is connected to (since the cable appears to be accessible over the internet connection in your office). Consider if an adversary left some of these cables on the desks in your organisation. How many people connect the cables to their systems to charge their phone? This would be even more common in older offices were USB charging ports aren’t readily available.

An adversary could also send some cables to your office via postal mail while pretending they came from the marketing department or another office of the same organisation. Cables aren’t considered malicious (like an unknown USB thumb drive should be) and will be used by those who receive them. Employees might also take them home or give these “free” cables to friends and family.

How can I protect myself from this type of threat?
This is not an easy question to answer. While you can educate your employees to not use cables that arrive in the postal mail (or even from your marketing department); what is to prevent them from doing so? Do you then treat every cable as a possible threat? You would need to place your office in a Faraday cage to truly mitigate this! Should you split every cable open to check if it has a WiFi PCB added to it (even if you did; could you tell what you are looking at)?

Given how common and widespread they are; is that even possible? You could ask that charging cables are only connected to power (electrical) outlets (requiring employees to bring the charging adapters for their devices (which almost nobody does) or ask them to use portable battery packs. But again; what is to stop an employee from not doing this especially if they are travelling and need to charge their mobile devices? It’s already difficult to educate your employees about the dangers of BadUSB or juice-jacking (my previous post on that topic) but this is even harder to defend against:

It’s very likely that this cable would have a MAC address and while you can use MAC address authentication to protect your network; that can be bypassed. An adversary can spoof a MAC address (to use a legitimate MAC address from your own network). So, if you deny that MAC access to your network you could block the legitimate device too.

Note: The adversary would need to use some form of software to spoof the MAC address. The cable may not currently accommodate that capability. I assume the adversary can’t manufacture the silicon needed for a WiFi adapter and doesn’t have the ability to “burn” a MAC address of their choice into it.

It’s important to remember this cable is only a proof of concept at this time but the researcher does plan to sell them. They could be used by pen testers in much the same way as Wi-Fi Pineapples or RubberDuckies currently are. Given that the cable looks exactly like a standard USB smartphone charger (for an Apple device); from the photos included you can’t tell the difference between a genuine cable and this pen testing cable.

Can an upcoming standard for USB help with this issue?
Possibly.

Unfortunately, while the new USB Type-C Authentication Program appears to be more of a Digital Rights Management (DRM) feature that may raise charger and cable prices and potentially creating vendor lock-in. While it would help with detecting a malicious cable or a cable that was tampered with; it remains to be seen if the standard in reality increases security. It’s also unclear how the cables will authenticate since we have seen digital signatures being stolen in the past to bypass this form of authentication:

Thank you.

Wifi Devices Leak Potentially Sensitive Information

While I was at a security conference late last year it was demonstrated using the Airodump tool for Linux; the association requests visible for all Wifi devices present within the conference room. The command used was:

airodump-ng wlan0mon -w scan.ams --showack --wps -U -M -e -g

Where scan.ams was the name of a previously gathered packet capture.

I realise this is how Wifi was designed and it is working as intended. I also realise that this issue is not new and may not be of assistance to everyone for that reason.

I was fortunate that my phone had Wifi turned off at the time, especially since I was near the front of the room. The association requests display the SSID (defined) of any previous Wifi access point a device has successfully connected to/has credentials for. These requests were shown to be constantly being sent from the devices present in the room.

Using this list of SSIDs, you can input an SSID into the Wigle website and see where in the world that wireless network is located. If you have a unique SSID that website can show the address of where you work or live.

Further information on the Airodump tool is located in the links below:

Airodump-ng

Aircrack-ng Newbie Guide for Linux

airodump-ng(1) – Linux man page

More information on association requests is available here.

Good advice to prevent this type of information disclosure from the Wifi devices that you carry with you is to turn off Wifi if you are not using it (sorry if that is very obvious). If you administer Wifi access points, set the SSID to something that won’t attract attention and choose a non-unique SSID if you can (this way the exact location of a network will be harder to find).

Thank you.

Blog Post Shout Out: New Wireless Routers Enhance Internet of Things Protection

Happy New Year to all readers of this blog!

With attacks on routers increasing (e.g. this article concerning D-Link) and vulnerabilities being patched within internet of things (IoT) (defined) devices; it’s great news that security technologies are adapting to monitor and protect them.

I wanted to provide a respectful shout out (although not to blog posts) to products from several vendors that promise to better protect from threats such as the Mirai malware and other examples.

Full disclosure: I’m not receiving any incentives or benefits from any of these vendors; I simply wish to promote awareness of existing and upcoming technologies that we can use to better secure the increasing number of IoT devices that we are using in our everyday lives.

For example, early last week Symantec began accepting pre-orders for their new wireless router. Initially this will only be available in the US but will be extended to more regions in the future.

While a wireless router is nothing new, it is one of first that I have encountered that includes protection for Internet of Things (IoT) devices.

In their words it “constantly monitors your connected devices like WiFi thermostats, smart locks, appliances or home security cameras for suspicious activity and identifies vulnerabilities. If a device becomes compromised, it quarantines the threat before it spreads ensuring your digital world is safe.”

A similarly powerful offering from F-Secure is also in progress. Like Symantec, F-Secure’s is scheduled for release in Q2 of 2017.

These solutions are further refinements to wireless router/access point security solutions that have been available since late 2015. For example, Asus’ Ai-Protection feature (using technology licensed from Trend Micro) incorporates most of the features that F-Secure and Symantec offer just without the IoT management and reporting.

There are interesting times ahead as Internet of Things (IoT) devices and wireless router become increasingly more managed and monitored devices allowing us to secure them better. My sincere thanks to a colleague (you know who you are!) for assistance with this post.

Thank you.

Blog Post Shout Out: Securing Internet of Things and WiFi

With Internet of Things (IoT) devices becoming part of everyday life properly implementing public key encryption (defined) within them is a critical step that should not be overlooked.

Facilitating the use of such devices is very widespread wireless access which should also be secured as much as possible (especially in corporate environments) so as not to inadvertently provide an easy means of accessing your internal network.

For both of the above technologies I wanted to provide a respectful shout-out to the following blog posts that provides step by step advice on securing wireless networks (includes physical security and hardening guest network access) as well as how public key cryptography should be implemented and used within IoT devices:

9 things to check after installing wireless access points by Eric Geier (Computerworld)
4.5 million web servers have private keys that are publicly known! by Paul Ducklin (Sophos Security)

I hope that you find the above posts/resources useful. Thank you.