See Like a Bat: Using Echo-Analysis to Detect Man-in-the-Middle Attacks in LANs

Presented at Black Hat Asia 2019, March 28, 2019, 5 p.m. (30 minutes).

Although Man-in-the-Middle (MitM) attacks on LANs have been known for some time, they are still considered a significant threat. This is because these attacks are relatively easy to achieve, yet challenging to detect. For example, a planted network bridge or compromised switch leaves no forensic evidence.

In this talk, I will present Vesper: a novel plug-and-play MitM detector for local area networks. Vesper uses a technique inspired from the domain of acoustic signal processing. Analogous to how echoes in a cave capture the shape and construction of the environment, so to can a short and intense pulse of ICMP echo requests model the link between two network hosts. Vesper sends these probes to a target network host and then uses the reflected signal to summarize the channel environment (think sonar). Vesper uses neural networks called autoencoders to profile the link with each host, and to detect when the environment changes. Using this technique, Vesper can detect MitM attacks with high accuracy, to the extent that it can distinguish between identical networking devices.

Vesper is implimented at the software level and is therefore is cross platform.

We evaluate Vesper on LANs consisting of video surveillance cameras, servers, and hundreds of PC workstations. We show how Vesper works across multiple network switches and in the presence of traffic. We also investigate several possible adversarial attacks against Vesper, and demonstrate how Vesper mitigates these attacks. Finally, we show how Vesper can be used to fingerprint network devices remotely (e.g., for tamper protection). To demonstrate this, we show how Vesper can differentiate between 40 identical Raspberry Pis.

Vesper's source code will be avalaible for anybody to download, and a white paper will be provided.


Presenters:

  • Yisroel Mirsky - Dr, Ben-Gurion University
    Yisroel Mirsky is a senior cyber security researcher at the BGU Cyber Security Research Center, Israel. Currently, he is the lead researcher in a wide variety of research projects with several different companies. His main research interests include online anomaly detection, adversarial machine learning, isolated network security, and blockchain. Yisroel has published his research in the world's best cyber security conferences: USENIX, NDSS, Euro S&P, CSF, AISec, etc. His research has also been featured in many well-known media outlets (Popular Science, Scientific American, Wired, Wall Street Journal, …). One of Yisroel's recent publications exposed a vulnerability in the USA's 911 emergency services infrastructure. The research was shared with the US Department of Homeland Security and subsequently published in the Washington Post.

Links: