28.7.17

Black Hat 2017: Non-standard hacking platforms reign supreme


This year at Black Hat, tiny automated hacking platforms are everywhere, loaded with tasty purpose-built tools that can be used to break into your systems. It’s no surprise, really, that a $35 single-board computer running server software and connected to a network can be used as a fire-and-forget attack platform, and at that price you don’t really care about it being discovered.
With a couple of small ARM-based platforms equipped with cheap machine-to-machine data cards, you now have a server that can be embedded into a hostile environment that will phone home and establish a communication session so you can maintain persistence on the network.
Sure, it might be discovered sitting on a network port (maybe, and even then it may take a while), on a switch or a router, but many of these boards come with Wi-Fi functionality, so you can take your time and run a series of wireless attacks to gain network access, even spoofing a legitimate MAC address to pretend to be another computer on the network. With all of these add-ons, your tiny computer probably costs around $100, which is still a small price to pay to launch an attack.
The good news is that the tools shown at Black Hat address both attack and defense, so there are tools which can be used to defend against this potential threat as well. This is the good part about Black Hat presentations: they usually talk about how to protect/defend against the type of attack they’re presenting on, and the presenters (usually) work for the good guys.
But as an enterprise or other organization, it makes sense to keep your ear on the data feeds coming out of Black Hat in order to get access to these tools and techniques, which are often freely available, so that your team can be prepared against the latest attacks to be released into the wild.
Since these tiny boards are very inexpensive, you can also run tests against your own defenses for a correspondingly tiny amount of money, and often there are cut/paste tutorials on how to do it.
Also, now is a good time to get up to speed on non-standard platforms, which are being deployed by the millions in IoT contexts, so that your security team will be familiar with the toolset and the nuances of using them as a working Linux security platform (though some of them run other operating systems, Linux seems to be the default).
With the volume of proofs of concept and mature software launched on the little devices, it’s no longer a corner of security you can ignore. They have become much more powerful in recent years, often hosting multi-core CPUs, decent memory, gigabit Ethernet and very capable Wi-Fi chipset integration. In short, they’re very real computers the size of a credit card that can run on flashlight batteries, and that’s something you shouldn’t ignore in your environment.