21C3 Schedule Release 1.1.7

21st Chaos Communication Congress
Lectures and workshops

Picture of Stephen Lewis Stephen Lewis
Day 3
Location Saal 3
Start Time 16:00 h
Duration 01:00
ID 107
Type Lecture
Track Hacking
Language english

Embedded devices as an attack vector

Although attacking embedded devices is not a new idea, little work has been done on using these devices for attack. Here I present work on the insertion of custom code into a network switch in order to carry out attacks on a network.

The use of embedded devices present on a network as a vector for attacks against endstations is a threat that has not yet been realized, despite the knowledge of a number of vulnerabilities affecting such devices. This is probably due to the resistance of such devices to reverse engineering: they frequently run custom operating systems on obscure architectures.

Using embedded devices as a vector for attack does, however, have two significant advantages:

  • Detection of the code running on the embedded device is much harder than it would be on a general purpose computer: few tools are available, and a severely limited interface is presented to the end user
  • Embedded devices in the form of network infrastructure provide an excellent platform for attack, because they are ideally placed for covert monitoring and insertion of traffic

When hard-to-detect malicious code can be uploaded to embedded devices on a network, a number of different attacks become feasible. A packet sniffer running on a network switch itself could be used to forward packets matching a particular signature to a third party. Packets could also be generated on the device itself, perhaps in order to mount attacks on end-systems. An attack mounted in this manner would be far harder to contain than one initiated from an normal PC, especially if the ability to reflash the firmware on the device were disabled by the inserted code.

I am currently working on reverse engineering the firmware present in a widely-used switch based around a Motorola 68EC020 processor, and aim to present a demonstration of the insertion of custom code into this device.