Fully Arbitrary 802.3 Packet Injection: Maximizing the Ethernet Attack Surface

Presented at Black Hat USA 2013, Aug. 1, 2013, 10:15 a.m. (60 minutes).

It is generally assumed that crafting arbitrary, and sniffing, Fast Ethernet packets can be performed with standard Network Interface Cards (NIC) and generally available packet injection software. However, full control of frame values such as the Frame Check Sequence (FCS) or Start-of-Frame delimiter (SFD) have historically required the use of dedicated and costly hardware. Our presentation will dissect Fast Ethernet layer 1 & 2 presenting novel attack techniques supported by an affordable hardware setup with customized firmware which will be publicly released. This research expands the ability to test and analyse the full attack surface of networked embedded systems, with particular attention on automation, automotive and avionics industries. Application of attacks against NICs with hard and soft Media Access Control (MAC) on industrial embedded systems will be explored. We will illustrate how specific frame manipulations can trigger SFD parsing anomalies and Ethernet Packet-In-Packet injection. These results are analyzed in relation to their security relevance and scenarios of application. Finally, conditions for a successful remote Ethernet Packet-In-Packet injection will be discussed and demonstrated for what is believed to be the first time in public.

Presenters:

  • Andrea Barisani - Inverse Path
    Andrea Barisani is an internationally known security researcher. Since owning his first Commodore-64 he has never stopped studying new technologies, developing unconventional attack vectors and exploring what makes things tick...and break. His experiences focus on large-scale infrastructure administration and defense, forensic analysis, penetration testing and software development, with more than 13 years of professional experience in security consulting. Being an active member of the international Open Source and security community he contributed to several projects, books and open standards. He is now the founder and coordinator of the oCERT effort, the Open Source Computer Emergency Response Team. He has been a speaker and trainer at BlackHat, CanSecWest, DEFCON, Hack In The Box, PacSec conferences among many others, speaking about TEMPEST attacks, SatNav hacking, 0-days, OS hardening and many other topics.
  • Daniele Bianco - Inverse Path
    Daniele Bianco began his professional career as a system administrator in scientific organizations. His interest in centralized management and software integration in Open Source environments has focused his work on design and development of suitable R&D infrastructures. One of his passions has always been exploring hardware and electronic devices. Currently he is Inverse Path's resident Hardware Hacker. His primary activities focus on hardware customization, embedded system integration and the design of remote monitoring networks for M2M infrastructures. He is an active contributor to the Open Source community and an invited speaker at many international IT security events.

Links:

Similar Presentations: