Like me, many of you probably watched episode 4 of Mr. Robot, the TV show that’s popular these days in the cyber security industry. In that episode, Elliot installs a Raspberry Pi (a mini computer the size of a credit card) to remotely control the A/C systems of the data facility where Evil Corp stores its backup tapes.
The episode demonstrates how far computing power has come, and how Moore’s Law will certainly have unintended consequences that both benefit and potentially harm us.
Like Mark Zuckerberg recently said, when unveiling Facebook’s new solar-powered internet plane Aquila – science fiction is usually science before its time.
Throughout history, criminals have leveraged physical devices to help commit digital fraud. An early example was the attacks on ATMs back in the mid 80s: card-trapping devices were used to physically retain credit and debit cards, and keypad overlays captured the PINs typed by the victims.
This quickly evolved into the modern concept known today as ATM skimming, which typically involves copying the data stored on the card’s magnetic stripe rather than stealing the card itself. Just recently, Brian Krebs blogged about a potential spike in card skimming in México. An age-old scheme continues to reap benefits for criminals. In addition, with the adoption of EMV across various geographies, we are also starting to see card trappers again, as the criminals evolve with the technology: when the chip data can no longer be cloned, taking the physical card becomes attractive once more.
Criminals know that there is a significant benefit to being inside an organization and having full control over the outcome of an attack. That’s why for years they have been paying insiders at financial institutions to install wireless keyloggers that steal the usernames and passwords of cashiers and office managers at bank branches, and to set up mini wireless access points so the stolen data can be collected from outside the bank (sometimes disguised as a plug-in electric air freshener).
Now, imagine what future they see when they can pay these insiders to install far more powerful devices within an organization. It’s one thing to infiltrate an organization with a keylogger and a closed access point. It’s another entirely to control a computer the size of a credit card that’s fully programmable, costs less than US$35, and can run web servers and deliver exploits. The damage these devices can do once installed within a corporation and controlled by the wrong hands is incredible.
There is no question that criminals are already evaluating how they can use these new, cheap, ubiquitous devices to their advantage.
The Power of Pi
For years, criminals have used more expensive, less versatile devices than the Raspberry Pi. But now, for US$35, you can get enough computational power to host all kinds of full-featured servers and tools, from a traditional web server to network manipulation tools. In a simple scenario, a Pi could be used to deploy an ARP spoofing attack: the Pi sends forged ARP replies that map the gateway’s IP address to its own MAC address, so the other hosts on the segment send their outbound traffic to the Pi, which forwards it on to the real gateway and thereby performs a man-in-the-middle (MITM) attack, as described in this post http://jeffq.com/blog/setting-up-a-man-in-the-middle-device-with-raspberry-pi-part-1/.
The power of the Raspberry Pi is not based just on its hardware, but also on a very active community, which keeps it up to date with the latest tools available, in the same way that any Debian-based Linux distribution is kept updated. Once you have it up and running, lateral movement is easy, thanks to all the tools that can be installed with a single “apt” command.
Pi in Your Face
The Raspberry Pi is also getting a lot of attention for legitimate use across different industries and companies, for its ability to help optimize operations and costs. The Pi is not only affordable, but offers low power consumption, a small form factor, no noise, expansion capabilities, built-in HDMI output, and huge community support – all things you look for in an ideal piece of corporate hardware.
You can find reports of people using a Pi to perform a diverse set of tasks that would otherwise need a more expensive computer with more space and higher power requirements. People are testing Pis as simple web servers and print servers, and experimenting with them for server monitoring, ticketing services, backup services, CVS repositories, dashboard systems in SOCs, and in lieu of a plethora of other systems that would otherwise waste money on overpowered equipment. This kind of innovation is healthy for companies, but history tells us that organizations often underestimate the risks that come with new technology.
As simple as setting up a server on a Raspberry Pi is, it carries the same responsibilities as setting up a corporate server: patching, hardening, logging, access control and inventory. With a device so small and seemingly harmless (and usually never put through the vetting a normal server gets), system administrators are likely to underestimate the importance of keeping security a top priority. Allowing these kinds of devices onto a network without the corresponding security controls opens the door to attackers willing to take advantage of any weak point.
A badly configured Raspberry Pi that gets owned by a hacker is as dangerous as one implanted by criminals in your network, or as dangerous as any of your corporate servers in the wrong hands.
It’s only a matter of time before we see what happens when science fiction meets reality. Organizations with a lot to lose will always embrace a proactive defense strategy. They must keep in mind that this kind of attack, although not popular yet, is likely to soon turn from fiction to reality. Companies would be well advised to tune their already deployed defenses to alert on the presence of any unknown device on their network: keep an inventory of authorized MAC addresses, watch DHCP leases and ARP tables for addresses that are not on it, and alert when the gateway’s IP address suddenly resolves to a different MAC, which is the signature of the ARP spoofing attack described above. Port security or 802.1X on the access switches raises the bar further, since a device plugged into a spare port then cannot join the network at all.
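To make the last recommendation concrete, here is an added example (not code from the original post) of the kind of check that can be run over ARP observations to catch both an unknown device and the ARP-spoofing symptom described in the Power of Pi section above. The inventory, gateway address and ARP entries are all constructed for the example; in practice they would come from the asset database and from `arp -a`, a switch’s ARP/MAC tables or a packet capture. The two OUI prefixes listed are registered to Raspberry Pi (Trading) Ltd, but since a MAC address is trivially changed, a match is only a hint and a miss proves nothing.

```python
"""Flag unknown devices and ARP-spoofing symptoms in a set of ARP observations.

Added example, not part of the original post. Every address below is
constructed for illustration; a real deployment would load the inventory
from the asset database and the observations from the network.
"""
from collections import defaultdict

# Hypothetical inventory: MACs the organisation knows, plus the real gateway.
KNOWN_MACS = {
    "00:11:22:33:44:01": "fileserver01",
    "00:11:22:33:44:02": "printer-lobby",
    "00:11:22:33:44:03": "workstation-jsmith",
}
GATEWAY_IP = "10.0.0.1"
GATEWAY_MAC = "00:11:22:33:44:fe"

# OUI prefixes registered to Raspberry Pi (Trading) Ltd. A match is a hint
# only: an attacker can set any MAC they like on the Pi's interface.
RPI_OUIS = {"b8:27:eb", "dc:a6:32"}

# Constructed observations: a Pi answers for the gateway IP as well as for
# its own IP, which is the classic footprint of ARP spoofing.
OBSERVED = [
    ("10.0.0.1", "00:11:22:33:44:fe"),   # the real gateway
    ("10.0.0.10", "00:11:22:33:44:01"),
    ("10.0.0.11", "00:11:22:33:44:02"),
    ("10.0.0.12", "00:11:22:33:44:03"),
    ("10.0.0.1", "dc:a6:32:aa:bb:cc"),   # Pi claiming the gateway's IP
    ("10.0.0.50", "dc:a6:32:aa:bb:cc"),  # same Pi, its own address
]


def normalize(mac):
    """Lower-case, colon-separated form so inventory and observations compare."""
    return mac.strip().lower().replace("-", ":")


def analyze(observed, known_macs=KNOWN_MACS,
            gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC):
    """Return a list of (severity, message) findings for the observations."""
    findings = []
    gateway_mac = normalize(gateway_mac)
    ips_by_mac = defaultdict(set)
    macs_by_ip = defaultdict(set)
    for ip, mac in observed:
        mac = normalize(mac)
        ips_by_mac[mac].add(ip)
        macs_by_ip[ip].add(mac)

    for mac, ips in sorted(ips_by_mac.items()):
        # Unknown device: not in the inventory and not the gateway itself.
        if mac not in known_macs and mac != gateway_mac:
            hint = " (Raspberry Pi OUI)" if mac[:8] in RPI_OUIS else ""
            findings.append(("medium",
                             f"unknown MAC {mac}{hint} seen at {sorted(ips)}"))
        # One MAC answering for several IPs is how a spoofing host looks.
        if len(ips) > 1:
            findings.append(("high",
                             f"MAC {mac} claims {len(ips)} IPs {sorted(ips)}: "
                             f"possible ARP spoofing"))

    # The gateway IP must only ever resolve to the gateway's real MAC.
    for mac in sorted(macs_by_ip.get(gateway_ip, set())):
        if mac != gateway_mac:
            findings.append(("critical",
                             f"gateway {gateway_ip} answered by {mac}, "
                             f"expected {gateway_mac}"))
    return findings


if __name__ == "__main__":
    for severity, message in analyze(OBSERVED):
        print(f"[{severity}] {message}")
```

Run as-is, the script reports three findings for the constructed data: the unknown Pi MAC (with the OUI hint), the same MAC claiming two IP addresses, and the gateway IP being answered by a MAC other than the real gateway. The multiple-IP check needs tuning on real networks, because routers with several interfaces, VRRP/HSRP pairs and multi-homed hosts legitimately answer for more than one address; the gateway-MAC check has far fewer false positives and is the one to page on.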