On the importance of hardening your physical environment against cyber attacks.
When thinking about cybersecurity, it is easy to get lost in complex scripts, the next zero-day exploit or cutting-edge appliances. However, some of the most (least) obvious paths to your internal network may often be overlooked...
As a penetration testing consultant for several years, I was involved in dozens of physical “red-team” exercises, mainly against offices, hotels and recreational facilities. Despite an organization’s abundance of controls, all it could take is one physical point to gain access to an administrative network. This access may be granted through exposed network sockets, devices that can be tampered with, or unsuspecting employees, to name just a few. In this article, I would like to share some of the most notable physical weaknesses our consultants have discovered, typically leading to administrative network access, and provide a few simple-yet -effective mitigation measures that organizations of all sizes could explore.
To introduce the concept of getting unauthorized network access through physical means, I would like to draw on two case studies: one factual, the other fictional.
Perhaps the most notorious example of when a physical way led to a cyber attack was the deployment of the Stuxnet worm against an Iranian nuclear enrichment facility at Natanz, first detected in 2010. The worm was a very sophisticated piece of malware, designed to spread through a nuclear facility’s network and find particular computers that were connected to SCADA (Supervisory Control and Data Acquisition - a type of industrial control system) controllers for managing uranium centrifuges. The malware would then speed up and slow down these centrifuges periodically beyond maximum levels, resulting in physical degradation and eventual mechanical failure.
Developing this cyberweapon was extremely challenging, supposedly taking an alliance of nation-states several years, relying on multiple zero-day attacks and commanding a complete understanding of a particular type of centrifuges and their related systems. However, there was another major obstacle, not in the malware’s development, but in its deployment: the targeted nuclear facility was “air-gapped” meaning that there was supposedly no digital way in to release the worm. This meant that the attackers had to find a physical way. Although no nation-state openly expressed responsibility for the Stuxnet attack, the most widely-accepted theory now is that human agents acting as inside suppliers physically infiltrated the facility and ensured the worm’s delivery using USB drives against computers deep inside the network. While no actual details of this penetration are reported, one can only wonder about the time, caution and deception required to unsuspectingly enter such a highly-guarded structure, find the chance to plug in a USB drive, and still make it out unharmed.
Another recent example of such an attack, this time from popular culture, can be found in the television show Mr. Robot, during Season 1 Episode 5 ("eps1.4_3xpl0its.wmv"). The protagonist Elliot intrudes the Steel Mountain secure data storage facility (inspired by the actual Iron Mountain facility), used by the E (Evil) Corp conglomerate that he and his hacker collective attempt to destroy. Having ubiquitous surveillance, steel gates, and armed guards, unauthorized access to Steel Mountain is no easy feat, but it has to be done, as the data to be destroyed is “completely off the grid”.
One fine sunny day, Elliot’s team drives a van towards Steel Mountain and park at the building’s public parking lot after being authenticated by the guards. As a timid sales representative meets him in the lobby, Elliot pretends to be a wealthy executive looking for data storage solutions, while his team in the van, listening and giving advice through an earpiece, make a fake Wikipedia page about Elliot’s identity. This convinces the first victim to grant Elliot access to Level 1 of Steel Mountain for a guided tour, which is not yet deep enough.
Elliot uses social engineering to upset the unsuspecting sales representative using personal information his team delivers over the earpiece. This sales representative then calls his supervisor, before departing in tears. The supervisor appears to be a tougher candidate to dupe, but his team manages to find out information of her family and call her cell phone, exclaiming that her loved ones were in an accident, leaving her to rush off in distress, after granting Elliot access to where he needs to go - Level 2.
Throughout this infiltration, Elliot carried his payload - a Raspberry Pi - with the intention to connect it to the building’s HVAC network (Heating, Ventilation and Air-conditioning). After encountering some additional human obstacles, Elliot finally manages to find a bathroom thermostat in which he connects the Raspberry Pi to the climate control system, essentially meeting his objective. A few episodes later, this Raspberry Pi is used by Elliot and his team to remotely hack the Steel Mountain HVAC network and cause the climate control systems to overheat, resulting in the data backup tapes stored there to be destroyed, as part of their plan to bring down E Corp.
Back to reality
While the above two examples may sound far-fetched, real organizations may be just as vulnerable to a cyber attack that starts physically. From our consultants’ experiences, an administrative network may be accessed through the following sample end-points, if they are insufficiently protected:
- Wireless access points;
- Switches and routers;
- Wiring cabinets;
- Ethernet sockets;
- VoIP devices;
- IP-TV and set-top box devices;
- HVAC devices;
- CCTV devices;
- Workstations (e.g. staff, or business center);
- Networked printers;
- Unique devices such as networked gaming machines, networked fitness machines;
- Unlocked doors to restricted areas; and
- Humans. (social engineering)
Below I would like to provide a few notable anecdotes from our consultants that emphasize how easy it sometimes was to gain administrative network access through not-so-obvious ways. This is specifically a concern for organizations that have any kind of publicly accessible areas through which attackers may be able to launch physical attacks.
Case Study 1: Wall Socket to Admin Network
A remote golf course that a consultant tested had very simple guest room systems with analog phones and televisions, and wireless guest internet access. Seeing that not much could be done from there, inspection moved to the spa and fitness area of the property. During daytime observation, several wall sockets were noted, but the area was too crowded to test these sockets without raising suspicion from other guests or staff, even near the closing time of 10 p.m.
However, the guest keycard for the spa area still worked past the official opening hours, and so, it was possible to sneak into that area at around 2 a.m. without the attention of security staff. While almost all wall sockets were not live, there was one in the “ice room” of the spa, which only contained a massive ice dispensing machine. A lot of live traffic was found after connecting a laptop to this socket, and network access was granted automatically with DHCP. After host- and service discovery, it was confirmed that this was the administrative network of the property, which could be tested for a few hours before the sun would rise and the risk of detection would become too high.
No security staff noted this breach until the management of the property was informed by the consultant. Apparently, that room previously housed a staff workstation, but the wall socket was never reconfigured. The wall socket was promptly disabled.
Case Study 2: Printer Wall Socket to Admin Network
In a luxury hotel, an inspection of the guest business center revealed a Fuji Xerox multifunction printer. The business center was unattended for the most part. It was possible to unplug the printer and connect it to the consultant's laptop. Only a static IP address configuration was required, and access to the property’s main administrative network had been achieved.
Case Study 3: VoIP device to Admin Network
In another luxury hotel, a VoIP (Voice over IP) telephony device was found in all guest rooms. Only limited access would be observed when connecting to its socket, but after spoofing the MAC address and VLAN ID (learned through PoE injector assisted power-cycling), a DHCP address was assigned. No other networks were found during a ping sweep from this network, suggesting that there were some access control lists in place.
However, the network’s Cisco gateway was inspected, and it was noted that the Smart Install protocol was still running on its TCP port 4786. The gateway’s configuration could, therefore, be downloaded using the siet.py tool, which revealed a Type-7 reversible password, allowing the complete compromise of this device. It was noted that an access-list configuration was in place, disallowing the access to the main administrative network from the VoIP network. With full administrative access to the device, this configuration could have been changed, likely granting an escalation to the property’s main administrative network.
Case Study 4: Unlocked Server Room Door Overnight
In a small retail office, the consultant was performing a regular internal network penetration test, with grey-box access (i.e. a desk and connectivity were provided). On the last day of the test, the consultant decided to work overtime to get more findings, however, the point-of-contact in charge left the office without checking if any vendors were still inside. The consultant then decided to stay until being kicked out, but no one requested the consultant to leave, allowing access to the office unattended for the entire night.
Then, it was noted that the small server room of the site was not locked (it only had a simple pin and tumbler door lock), presumably forgotten by the IT function. In the server room, several passwords were written down and pasted on the server racks, which could then be used to access several workstations with local administrator privileges and also could be used for a database that contained credit card information.
Case Study 5: Social Engineering into Server Room
A previous boutique hotel client requested social engineering as part of their penetration testing. One particular site had no dedicated IT staff, and all IT matters were handled by contractors. The HQ of the hotel wanted to see if it was possible for someone to dress up as an IT vendor and make their way to the server room.
At the time, the consultant was staying at the same hotel and had a company polo shirt, a lanyard, and business cards. The morning (9:30 a.m.) was chosen as the most realistic time a vendor would show up at the property. The consultant previously learned that the entrance to the back-of-house area of the property was on the basement floor, where the lobby’s toilets were located. The consultant went to that area and loitered around the back-of-house entrance.
Eventually, a regular hotel staff member noticed the consultant and offered assistance. The staff member was told by the consultant that scheduled system maintenance was arranged for today. As the employee did not know about this arrangement, she invited the consultant into the back-of-house area and asked to wait until she makes some phone calls. Her superior was called to resolve the situation, but this only added to the confusion.
Then, the property’s operation manager, who was also supervising IT as a secondary responsibility, was called. The operation manager appeared unsure as well, but the consultant told him that HQ had already been informed of the scheduled maintenance. Indeed, the operation manager remarked that “HQ never informs him of anything” with a sigh, and brought the consultant to the server room. The operation manager was relatively busy that day, as elevator maintenance was being performed by another vendor, and therefore, the consultant was left mostly unattended in the server room, where access to the main administrative network could be obtained without any visitor registration or other authorization.
If any of the above case studies have raised some concern for you, Horangi is more than happy to provide a few simple pointers that can be implemented to greatly reduce the chance of such a physical attack being successful:
- Implement a physical security policy, related procedures and perform a risk assessment for these kinds of attacks
- Include physical security into employee security awareness training, particularly with education about how to handle suspicious devices found around the workspace and how to securely manage guests
- Mandate guest registration, logging, and supervision at all times in internal environments
- Inventory all physical wall sockets and regularly check if they are still required. Disable any unused sockets promptly and perform reviews if the configuration has not been altered
- Consider strong network access control (NAC) technologies such as those requiring registration with certificates for highly-sensitive devices and networks. MAC address whitelisting and VLAN configuration can easily be spoofed!
- Implement and regularly improve network segregation to important administrative networks through VLANs and access control lists to reduce the impact of any particular physical endpoint being attacked
- Harden peripheral networks that could lead to administrative networks well
- Use tamper-resistant hardware such as Ethernet cable locks
- Place devices such as wireless access point out of reach
- Regularly review locks for any cabinets
- Coordinate with security guards, facility management and other related functions about the potential for physical intrusion
Ultimately, I hoped this article could emphasize the holistic nature of cybersecurity and raise awareness about how some basic considerations about physical security can help you to reduce the likelihood of being penetrated through something as trivial as an old wall socket.
For any inquiries on Horangi’s Red Team services, please contact us at firstname.lastname@example.org or book a time to speak to a consultant, here.