UPDATE: This blog post was written prior to the USB explosive incident in Ecuador. Some edits have been made to note these events.
The following blog post describes a scenario involving a hybrid cyber/kinetic attack by a malicious actor. Most countries have laws against building explosive or incendiary devices and as-such, in any proof-of-concept descriptions we have used a stand-in device as a proof-of-concept to avoid breaking any laws. Do not attempt to recreate at home, especially with actual destructive payloads – as injury, death, or prosecution may occur.
I am also providing this information as proof that this is possible to achieve by a motivated individual with access to open information on the internet.
Additionally, I want to be clear that neither White Oak Security nor I condone the use of such devices and present this information as a proof-of-concept of potential threat vectors in the hope that it will raise awareness and detection efforts. Please do not put me on a watchlist. Thanks.
A Dangerous World
We live in an interesting time. Russia’s ongoing war with Ukraine, North Korea’s instability, and China’s lust to capture Taiwan have caused immense international tension and the rising specter of global conflict. Nation-state cyber-attacks are at an all-time high and recent domestic terrorism attacks on electrical power grids reveal weaknesses in critical systems in the US, as well as other countries.
While, historically, cyber-attacks were limited to the electronic realm, in recent years attacks have escalated to the real world. Ransomware actors have begun to target critical systems such as hospitals. Malicious attackers have targeted water treatment plants in an attempt to poison local populations. Russia has attacked electrical grids and other critical infrastructure in Ukraine through the use of cyberattacks. Several years ago, a notable escalation of the physical effects of cyberattacks was realized through the Stuxnet worm, which destroyed nuclear centrifuge devices in Iran (link, link).
Most recently, several journalists in Ecuador received USB devices which were rigged to explode when plugged in. Although the journalist only received minor injuries, the small form factor and power of the device is alarming. There is a clear path of escalation in terms of real-world effects from the early days of hacking to the present. The question that remains is: what happens next and how can we avoid the potential ramifications of these actions?
Next On The Horizon
Having worked in the defense industry in an engineering capacity, involving novel research and development of software, I recently began mulling over that question. As a pentester, there are always risks to conducting tests of systems; one of these, especially with systems involving industrial control, is real-world damage or loss of life. If you accidentally activate a robotic arm in an automotive manufacturing plant during an engagement, it could potentially cause significant damage to equipment or kill someone. If you take a safety system offline by accident in a facility, will it have lethal consequences? These are all scenarios that any pentester should take seriously when dealing with such an assessment.
However, considering this issue from an attacker’s mindset, it occurred to me that these environments are fairly restricted in most cases. They have also been receiving much more regulatory and defensive attention in recent years from government agencies such as CISA. So the next logical question might be: if an attacker wanted to cause a significant amount of damage via some sort of cyber capability, how or where else could they do so?
Previous cyber-attacks relied on exploiting existing infrastructure to conduct damage. An industrial component could be excessively run to cause failure; settings in a management system could be intentionally turned off or potentially harmful ingredients might be excessively administered. Alternately in the case of hospital ransomware, devices essential for maintaining life could be halted and prevented from functioning. But these all have a common weakness: they rely on the technology currently in place. But what if they didn’t?
In conflicts in the Middle East, IED devices have been unfortunately effective in conducting inexpensive and difficult-to-detect attacks on personnel. It’s not a stretch to think that such devices might be employed in other theatres, given an opportunity. In fact, there is already some precedent for this, such as the Boston Marathon bombings a decade ago.
Situational Assessment Of Kinetic Attacks
Let’s take into account a potential attack scenario combining all of these factors:
- A “cyber” component
- An environment receiving less direct attention/detection than critical infrastructure
- A kinetic payload
- Cheap and difficult to detect
After considering these factors, one potential vector that came to mind were “rogue devices”. A “rogue device”, “implant” or “drop box” in this case is a headless computer in a small form-factor that can be connected to a victim network to perform malicious activities. These can be built using inexpensive COTS (Commercial Off The Shelf) components purchased through electronics stores or online and are also used for hobby projects. Common examples are the Raspberry Pi or BeagleBone SoC (System on a Chip) devices. They are widespread in the tech community and have extensive documentation and sample code available. Additionally, most offer the ability to manipulate external devices through USB or GPIO (General Purpose Input and Output) ports. These devices’ small form factor make them easy to conceal both during the delivery process and while emplaced. These qualities make them an all-around ideal option for this scenario.
During my career as a pentester, I was fortunate enough to be involved on a project involving malicious rogue devices. This project involved implanting a device on the internal network of a Fortune 50 corporation which would then maintain communication with an externally hosted system and perform some actions on the network. For this project, we built a device using the Raspberry Pi platform which was pre-loaded with a custom C2 (Command and Control) agent application. This client would reach out via the victim company’s network using a benign-looking JSON payload with encrypted field values to a host in a foreign (but friendly) country.
To place the device, we selected an open but frequently-used conference room, plugged the device’s network cable into the open network-sharing ethernet port on a VOIP phone, tucked it into the cable organizer underneath the conference room table and plugged the power adapter into the integrated power strip. The device remained in place in the conference room for nearly 6 weeks and was not detected by the incident response team or the building’s physical security. The project was voluntarily shut down by the pentest team after the objective was deemed to be “complete” by management. At that point, incident response was informed and details of the project were shared with them.
I share this story to illustrate how easy it can be to place a device of this nature in even a highly trafficked environment without detection. When discussing the project with the incident response management in an after-action review, the response we received was that “detecting rogue devices is hard” and “there is no budget for it”. This seems to be a common sentiment, both in response to rogue devices on a network, but to security needs as a whole.
However, in light of the previously mentioned escalations, it may be useful to increase efforts to detect these sorts of devices. In the past, such intrusions might mean information leakage or public embarrassment but in the modern world, there is potential for real-world damage.
How Is This Different?
You might ask, how is this any different than just planting an explosive or incendiary device? Or perhaps, how is this different from any other physically-oriented cyberattack? Why would someone do this instead? There are a few differences.
Comparing to a conventional physically-oriented cyberattack, this vector has the advantage of bringing its own payload. There is more control over the amount of damage inflicted, compared to relying on existing physical infrastructure to deliver the result.
The enhanced remote control is another factor. With traditional IEDs, they can be detonated by cell phone or other remote devices, so they do have remote capability. However, the internet-connectedness of these devices extends the range of control and limits the ability to detect where trigger signals came from. It also doesn’t require cell service and reduces cost. This approach provides a platform for much wider coordination of payloads and makes the investigation more difficult.
For example, given the small form factor, it would be possible to plant devices in multiple places, all of which periodically check for a signal at a pre-designated location. The lack of necessity for constant communication could let these devices check in once a week or once a month and would be much harder to detect with incident response tools or threat hunting. A malicious actor could then make a difficult-to-detect change in some public website which the devices are looking for and would then initiate a widespread attack in multiple places simultaneously. If the device is subsequently destroyed by the payload, unraveling the evidence and determining attribution could prove difficult, especially if the devices are placed long in advance, taking advantage of security camera storage rollover.
Remediation Steps For Attacks
While these sorts of devices might be difficult to catch, there are some steps which can reduce the potential attack surface. These can be divided into two distinct categories: physical and digital.
On the physical side, limiting visitor access to potential drop sites is critical. As should always be the case, external visitors within a facility should always be monitored. Rooms in which external entities have visited should be screened for any new devices plugged into open network ports, including those chained from previously connected company assets such as VOIP phones, printers, or switches. Routine checks of a facility by the physical security team should include inspections of potential device drop sites. Note that with the ability of these SoC devices to also contain onboard WIFI functionality, checking physical ports may not necessarily be enough. Aside from devices intentionally planted by malicious actors, devices received from unknown and unvetted sources should never be connected to company-owned devices or to the company network without thorough examination. The implications of such actions are clear after the recent USB bomb attacks in Ecuador.
On the digital side, identifying unknown devices on the network should be a priority. If an unknown device is connected to an internal network port, the incident response team should be able to identify where the device is located. Routinely checking the network for unknown devices should be part of the company’s security program. This includes regular threat hunting for unknown devices and monitoring for unusual activity. If a device is connected to the guest WIFI access point or an internal network port and is routinely beaconing out for an extended period of time, it is worth investigating why.
These sorts of detections can be difficult, costly, and time-consuming. However, given the potential real-world impact, identifying unknown devices on your network is a worthwhile effort both from a cybersecurity standpoint, but also from a physical one.
MORE FROM WHITE OAK SECURITY
White Oak Security provides deep-dive offensive security testing. We are a highly skilled and knowledgeable cyber security and penetration testing company that works hard to help organizations strengthen their security posture by getting into the minds of opponents to try to protect those we serve from malicious threats through expertise, integrity, and passion.
Our unique industry experience allows us to offer a wide range of services to help analyze and test information security controls and provide guidance to prioritize and remediate vulnerabilities.