Raspberry Pi-powered snooping implant highlights docking station threat

Summary: Researchers have used a Raspberry Pi to highlight the risk of snooping devices hidden inside laptop docking stations.

TOPICS: Security, Hardware

The credit-card-sized Raspberry Pi board, the $35 machine praised for encouraging kids to learn programming, has been used to build a proof-of-concept eavesdropping device to highlight the threat of snooping devices implanted in laptop docking stations.

The 'Spy-Pi' was built by security researchers from NCC Group to demonstrate how an implant inside a docking station could be used to capture network traffic, as well as keystrokes and audio and video, from attached laptops.

Spy-Pi was built using a Raspberry Pi running a Linux OS, with an additional USB sound card, Ethernet adapter and a 3G/HSPA modem to aid in data capture and retrieval.

The assembled platform fits inside the casing of many types of laptop docking stations, researchers say, as shown below. Power is unlikely to be a problem for the implant, the paper claims, as it could be tapped from the dock's DC power input.

"Laptop docking stations are widely used in organisations, often in hot-desking environments," NCC Group research director Andy Davis writes in the report, presented at the recent Black Hat 2013 conference in Amsterdam.

"However, laptop docks are an attractive target for an attacker. They have access to the network, to all the ports on a laptop, often some that aren't and they are permanently connected to a power supply. But most importantly, they are considered to be trusted, 'dumb' devices – the perception is that they just connect all the ports on your laptop to the ports in the dock."

A Spy-Pi implant installed in a Dell PR02X docking station. Photo: NCC Group

While the prospect of a hardware-based hack may seem remote, the report says such attacks will become easier and cheaper over time.

"As the price of miniaturised PCs and associated interface technology continues to fall, a hardware-based implant can be developed for only a few hundred pounds by an attacker with a moderate skillset," the report says.

The most obvious use for Spy-Pi is passive network sniffing, it adds, where network traffic passing through the dock's Ethernet switch is captured.

However, some filtering would be needed to reduce the size of the extremely large capture files that would be produced by sniffing all network traffic, the research says. Another problem with network sniffing is that Gigabit Ethernet switches would need to be forced to operate at 10 or 100Mbps to allow for passive sniffing.

Spy-Pi could also be used to penetrate the network the docking station is connected to and carry out network-based attacks, according to the paper. This kind of attack would be more complicated, it states, as a hub would need to be inserted between the Ethernet connections on the docking station's PCB and the Ethernet socket.

At the heart of the implant, the research says, there needs to be a control system that takes inputs from each of the taps, processes the data where required and forwards it to the attacker via an out-of-band network.

The Spy-Pi control platform. Photo: NCC Group

System administrators looking to spot such a platform could look for several telltale signs, according to the research. A gigabit Ethernet switch being downgraded to 100Mbps could be a sign of passive network tapping, and an active network attack would stand out as a new MAC address on the network.
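The two signs above can be checked automatically. The following is an added example, not code from the NCC Group paper or this article: it flags a gigabit-capable NIC that has linked up below its recorded baseline, and lists MAC addresses seen on a switch port that are missing from that port's inventory. The ethtool-style text, port name, MAC addresses and the 1000Mbps baseline are constructed sample values.

```python
import re

# Constructed sample: ethtool-style output for a docked laptop's NIC.
ETHTOOL_SAMPLE = """\
Settings for eth0:
    Supported link modes:   10baseT/Half 10baseT/Full
                            100baseT/Half 100baseT/Full
                            1000baseT/Full
    Advertised link modes:  10baseT/Half 10baseT/Full
                            100baseT/Half 100baseT/Full
                            1000baseT/Full
    Speed: 100Mb/s
    Duplex: Full
    Link detected: yes
"""

def max_supported_mbps(text):
    """Highest speed in 'Supported link modes', continuation lines included."""
    m = re.search(r"Supported link modes:(.*?)(?=\n\s*[A-Z][^\n:]*:)", text, re.S)
    speeds = [int(s) for s in re.findall(r"(\d+)base", m.group(1))] if m else []
    return max(speeds, default=0)

def negotiated_mbps(text):
    """Negotiated speed in Mb/s, or None when the link is down or unknown."""
    m = re.search(r"^\s*Speed:\s*(\d+)Mb/s", text, re.M)
    return int(m.group(1)) if m else None

def link_downgraded(text, baseline_mbps=1000):
    """True when a NIC capable of the baseline speed has linked up below it."""
    speed = negotiated_mbps(text)
    if speed is None:  # nothing to compare against
        return False
    return max_supported_mbps(text) >= baseline_mbps and speed < baseline_mbps

def unknown_macs(baseline, observed):
    """Return (port, mac) pairs seen on a port but absent from its baseline."""
    hits = []
    for port, mac in observed:
        mac = mac.lower().replace("-", ":")  # normalise vendor formatting
        if mac not in baseline.get(port, set()):
            hits.append((port, mac))
    return hits

# Constructed inventory and switch MAC-table snapshot (hypothetical values).
BASELINE = {"Gi1/0/7": {"00:11:22:33:44:55"}}
OBSERVED = [("Gi1/0/7", "00-11-22-33-44-55"), ("Gi1/0/7", "02:AA:BB:CC:DD:EE")]

if __name__ == "__main__":
    print("downgraded:", link_downgraded(ETHTOOL_SAMPLE))
    print("unknown MACs:", unknown_macs(BASELINE, OBSERVED))
```

A downgrade alone is not proof of a tap, since a damaged cable or a forced port setting produces the same reading, so a hit is a prompt to inspect the dock.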

Alternatively, such implants could be spotted by weighing docking stations or using thermal cameras, it suggests.

About

Nick Heath is chief reporter for TechRepublic UK. He writes about the technology that IT-decision makers need to know about, and the latest happenings in the European tech scene.

Talkback

4 comments
  • Far Fetched

    You think people wouldn't notice a Pi-sized box attached to a docking station? There is a myriad of other ways to do this type of thing much, much easier.
    ammohunt
    • Not as far fetched

      How many people get snookered by a skimmer attached to an ATM?
      Scatcatpdx
    • Take a look at that photo ...

      ... notice the Pi board INSIDE the extender's case. It's entirely possible to fit a card the size of the Pi's board inside many devices (incl. most PC cases) without external detection.
      bitcrazed
  • More realistic

    This falls more into the "nation-state level capability" like Stuxnet. A more realistic approach would be to simply remove the docking station guts and put in an entirely new board designed from the start to do the extra activities. Then have those provided by an "independent reseller/value-added consultant". It certainly wouldn't be a problem duplicating logos on boards, etc. As far as getting a third party involved, that could be done by cajoling, political pressure, underbidding, threats, blackmail, bribery, appeals to patriotism, or whatever -- we're not talking about hardware hacking Aunt Mary's laptop to see her private Facebook page. Or just set up a phony supplier -- it's certainly been done before in various law enforcement stings.
    Rick_R