Silent Wire Hacking - Hack In Paris 2018 - erwan.broquaire@cerema.fr (PowerPoint presentation)



SLIDE 1

Silent Wire Hacking

Hack In Paris - 2018

Direction territoriale Sud Ouest

erwan.broquaire@cerema.fr pierre-yves.tanniou@cerema.fr

SLIDE 2

Hack In Paris - June 28th 2018

Silent wire hacking ?

  • You know about
    – TCP hijacking,
    – 802.1x bypass techniques (Valérian Legrand, HIP 2017), ways to exploit a MITM position with Fenrir
    – …
  • We want
    – to connect to an ethernet 100Mb cable,
    – in order to take the man in the middle position,
    – without any warning in supervision:

A silent wire hacking

SLIDE 3

Outdoor accessible wires

SLIDE 4

Indoor accessible wires

From the ground… ...to the ceiling

SLIDE 5

Typical situation

SLIDE 6

Naive connection

  • Is not effective
  • Triggers an alert
SLIDE 7

Usually monitored

  • Link status, link down
  • RSTP
  • LLDP
  • Filters on MAC and IP addresses
  • (802.1x)
SLIDES 8-11

Available solutions

  • TAP: listening only, setup interrupts network
  • Probe: listening, filtering, injection, setup interrupts network
  • FO bending: no injection
  • Dedicated hardware solution: not publicly available, back to standards and datasheets

SLIDE 12

Goal of silent wire hacking

  • Taking the Man In The Middle position on an Ethernet 100Mb/s link
  • Without being detected by switches
    – No link_down link_up
    – No snmp trap
    – No RSTP topology change
    – No LLDP detection

SLIDE 13

Intention

  • Simple solution, DIY
  • Low cost (about 200€)

SLIDE 14

Technology choice

  • Signal conditioning with operational amplifiers? Classic OA (lm341, lf355): gain-bandwidth product < 10 MHz
  • DIY → no surface mounted components
  • Signal manipulation activated by relays
  • Data manipulation with Raspberry Pi

SLIDE 15

Step 1: wire intrusion

  • Opening cable
  • Best twisted pair splitting tool:
  • Connecting

SLIDE 16

Step 2: gathering information

  • First, we gather information:
    – MAC address
    – IP address
    – speed
    – existing protocols: RSTP, LLDP, SNMP, etc.

SLIDES 17-18

Speed and addresses gathering

SLIDE 19

Issue #1: Auto MDI-X

  • Auto MDI-X ports on network interfaces detect if the connection would require a crossover and automatically choose the MDI or MDI-X configuration to properly match the other end of the link
  • Auto → can't know wire use

→ Which side do the collected data belong to? Which IP address and MAC address belong to which device?

SLIDE 20

MDI / MDI-X

[Figure: MDI / MDI-X pinout, mapping of the Tx+, Tx-, Rx+ and Rx- pairs on each side of the link]

SLIDE 21

Rx and Tx identification

  • How to ? (without OA, signal comparator...)

SLIDES 22-25

Identification of Rx and Tx


SLIDE 26

Issue #2

  • We can not send traffic

SLIDES 27-29

Step 3: apparatus connection

  • To inject traffic we will need some electronics.
  • How to place the electronics instead of the wire ?

SLIDE 30

Step 4: switching

SLIDE 31

Finally ready for switching !

SLIDE 32

Step 4: switching

  • (somewhat) quick* switching from existing communication to devices with:
    – Same speed
    – Quiet (no-RSTP, no-LLDP, etc.)

*5ms (relay switching time; Mosfet would be much quicker)

SLIDE 33

Issue #3

  • Even if we switch at 5ms, it is detected.

...how to ?

SLIDE 34

Solution

  • We add some noise to keep the link up during transition:
    – High enough to keep the link up
    – Low enough to be considered as noise / signal

SLIDE 35

Tests and proof of Concept

SLIDE 36

First design

  • Each step works alone (POC)
  • Card design, soldering, cutting strips, checking...
  • Didn't work. Lack of time to fix it :(
  • → full design to be confirmed
SLIDE 37

Demo

  • But we will still show you !

(we will just have to do some steps manually)

SLIDE 38

Conclusion

  • 4 ideas in this hack :
    – Insertion of the electronics
    – Identification of Rx and Tx wires
    – Switching to well-configured devices
    – Dimming legitimate signal during switching

SLIDE 39

Conclusion

  • Costs:
    – 2 Raspberry Pi: 120€
    – electronics: 80€
    – (manageable switches: 250€)
    – candy: 5€

…Hacking : priceless

SLIDE 40

Possible improvements

  • Rebuild full circuit and complete testing
  • Do without additional ethernet switches: Raspberry Pi ethernet configuration
  • Use one single Raspberry Pi instead of two
  • Scripting information gathering
  • Coping with multicast switching on Raspberry Pi
  • PoE compatibility
  • Implementing 802.1x attack
  • Less attenuation in Rx/Tx identification

SLIDE 41

How to cope?

  • Faster link down? Impedance monitoring?
    – difficult to implement in the real world: many existing EM perturbations (events on high power lines, lightning, lorries with electromagnetic retarders...) → not suitable for plants, infrastructure operators...
  • End to end encryption
  • It IS possible to silently take the MITM position
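The supervision signals listed on slide 7 (link state, RSTP, LLDP, MAC/IP filters) are exactly what a silent tap is built not to trigger. As an added example, not part of the talk, here is a small Python correlator showing what a clumsy tap looks like in those signals: it runs over constructed switch log lines (a generic syslog-like shape, not any vendor's format) and flags a port whose link dropped and came back within a short window, listing the other monitored events seen on that port.

```python
import re
from datetime import datetime

# Constructed sample switch log in a generic syslog-like shape (no vendor's
# exact format): a clumsy tap on Gi1/0/7 fires every monitored signal,
# while Gi1/0/3 is a slow, unrelated outage.
SAMPLE_LOG = """\
2018-06-28T10:00:01 sw1 LINK: port Gi1/0/7 changed state to down
2018-06-28T10:00:02 sw1 LINK: port Gi1/0/7 changed state to up
2018-06-28T10:00:02 sw1 RSTP: topology change received on port Gi1/0/7
2018-06-28T10:00:03 sw1 LLDP: port Gi1/0/7 neighbor changed old=plc-01 new=unknown
2018-06-28T10:00:04 sw1 MAC: 00:11:22:33:44:55 moved from port Gi1/0/7 to port Gi1/0/9
2018-06-28T10:30:00 sw1 LINK: port Gi1/0/3 changed state to down
2018-06-28T10:45:00 sw1 LINK: port Gi1/0/3 changed state to up
"""

# One regex per monitored signal from slide 7; group 1 is the port.
PATTERNS = {
    "link_down": re.compile(r"LINK: port (\S+) changed state to down"),
    "link_up": re.compile(r"LINK: port (\S+) changed state to up"),
    "rstp_tc": re.compile(r"RSTP: topology change received on port (\S+)"),
    "lldp_change": re.compile(r"LLDP: port (\S+) neighbor changed"),
    "mac_move": re.compile(r"MAC: \S+ moved from port (\S+) to port"),
}

def parse(log):
    """Turn log text into sorted (timestamp, port, kind) events."""
    events = []
    for line in log.splitlines():
        ts = datetime.fromisoformat(line.split(" ", 1)[0])
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                events.append((ts, m.group(1), kind))
                break
    return sorted(events)

def find_tampering(log, window_s=60):
    """Ports whose link dropped and came back within window_s, mapped to all
    monitored signals seen on that port in the window; slow outages are ignored."""
    findings = {}
    events = parse(log)
    for i, (ts, port, kind) in enumerate(events):
        if kind != "link_down":
            continue
        related = {k for t, p, k in events[i + 1:]
                   if p == port and (t - ts).total_seconds() <= window_s}
        if "link_up" in related:
            findings[port] = related
    return findings
```

A tap that keeps the link up throughout, as the deck describes, produces none of these events, which is why slide 41 falls back on end-to-end encryption rather than on switch-side supervision.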
SLIDE 42

THANKS

erwan.broquaire@cerema.fr pierre-yves.tanniou@cerema.fr