New EtherOops attack takes advantage of faulty Ethernet cables

EtherOops attack can be used to bypass network defenses and attack devices inside closed enterprise networks.

etheroops.png

Image: Armis

Tomorrow at the Black Hat USA security conference, security researchers from IoT research outfit Armis are set to present details about a new technique that can be used to attack devices located inside internal corporate networks.

The technique, named EtherOops, works only if the targeted network contains faulty Ethernet (networking) cables on the attacker's path to their victim.

The EtherOops technique is only a theoretical attack scenario discovered in a laboratory setting by the Armis team and is not considered a widespread issue that impacts networks across the world in their default states.

However, Armis warns that EtherOops could be weaponized in certain scenarios by "sophisticated attackers (such as nation-state actors)" and can't be discounted for now.

How EtherOops works

The EtherOops attack is basically a packet-in-packet attack.

Packet-in-packet attacks are when network packets are nested inside each other. The outer shell is a benign packet, while the inner one contains malicious code or commands.

The outer packet allows the attack payload to slip by initial network defenses, such as firewalls or other security products, while the inner packet attacks devices inside the network.

But networking packets don't typically change their composition and lose their "outer shells." Here is where the faulty Ethernet cables come into play.

Armis says that faulty cables -- either due to imperfect cabling, or malicious interference attacks -- will suffer from unwanted electrical interference and flip bits inside the actual packet, slowly destroying the outer shell and leaving the internal payload active.

etheroops-scenario.png

Image: Armis

"Complicated? Yes, but not impossible," the Armis team said describing EtherOops attacks. However, when successful, an EtherOops attack can be used to:

  • Penetrate networks directly from the Internet
  • Penetrate internal networks from a DMZ segment
  • Move laterally between various segments of internal networks

EtherOops attacks have a low chance of success

But Armis experts are also the first ones to admit that an EtherOops attack is not simple to pull off, and requires special conditions. For starters, faulty cables must exist inside a network at key positions.

Second, while zero-click (no user interaction) attacks can be performed in some situations, most scenarios will most likely require luring a user on a malicious website in order to give the attacker a direct connection to a user inside a corporate network, so they can deliver their payloads.

Third, bit-flip errors aren't particularly high, meaning the attack effectively means bombarding networks with large quantities of packets, hoping for a lucky bit-flip that ends up exposing the attacker's payload, all of this providing a very low percentage for a successful attack.

Nevertheless, Armis says the attack can be pulled off by determined attackers. The easiest way to protect against these attacks is either by using shielded Ethernet cables, or by using network security products capable of detecting packet-in-packet payloads insider network traffic.

Armis launched today a special website to describe the EtherOops attack, published two demo videos of EtherOops attacks (see below), a 44-page white paper describing the attack at a technical level.