Raspberry Pi-powered snooping implant highlights docking station threat

Researchers have used a Raspberry Pi to highlight the risk of snooping devices hidden inside laptop docking stations.

The credit-card-sized Raspberry Pi board - the $35 machine praised for encouraging kids to learn programming - has been used to build a proof-of-concept eavesdropping device to highlight the threat of snooping devices implanted in laptop docking stations.

The 'Spy-Pi' was built by security researchers from NCC Group to demonstrate how an implant inside a docking station could be used to capture network traffic, as well as keystrokes and audio and video, from attached laptops.

Spy-Pi was built using a Raspberry Pi running a Linux OS, with an additional USB sound card, Ethernet adapter and a 3G/HSPA modem to aid in data capture and retrieval.

The assembled platform fits inside the casing of many types of laptop docking stations, researchers say, as shown below. Power is unlikely to be a problem for the implant, the paper claims, as it could be tapped from the dock's DC power input.

"Laptop docking stations are widely used in organisations, often in hot-desking environments," NCC Group research director Andy Davis writes in the report, presented at the recent Black Hat 2013 conference in Amsterdam.

"However, laptop docks are an attractive target for an attacker. They have access to the network, to all the ports on a laptop, often some that aren't and they are permanently connected to a power supply. But most importantly, they are considered to be trusted, 'dumb' devices – the perception is that they just connect all the ports on your laptop to the ports in the dock."

A Spy-Pi implant installed in a Dell PR02X docking station. Photo: NCC Group

While the prospect of a hardware-based hack may seem remote, the report says such attacks will become easier and cheaper over time.

"As the price of miniaturised PCs and associated interface technology continues to fall, a hardware-based implant can be developed for only a few hundred pounds by an attacker with a moderate skillset," the report says.

The most obvious use for Spy-Pi is passive network sniffing, it adds, where network traffic passing through the dock's Ethernet switch is captured.

However, some filtering would be needed to reduce the size of the extremely large capture files that would be produced by sniffing all network traffic, the research says. Another problem with network sniffing is that Gigabit Ethernet switches would need to be forced to operate at 10 or 100Mbps to allow for passive sniffing.

Spy-Pi could also be used to penetrate the network the docking station is connected to and carry out network-based attacks, according to the paper. This kind of attack would be more complicated, it states, as a hub would need to be inserted between the Ethernet connections on the docking station's PCB and the Ethernet socket.

At the heart of the implant, the research says, there needs to be a control system that takes inputs from each of the taps, processes the data where required and forwards it to the attacker via an out-of-band network.

The Spy-Pi control platform. Photo: NCC Group

System administrators looking to spot such a platform could look for several telltale signs, according to the research. A Gigabit Ethernet switch being downgraded to 100Mbps could be a sign of passive network tapping, and an active network attack would stand out as a new MAC address on the network.

Alternative ways to spot these implants could include weighing docking stations or using thermal cameras, it suggests.
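The two network telltales described above (a gigabit link negotiated down to 100Mbps, and a new MAC address appearing on the network) can be checked by comparing what the switch reports against a per-port baseline. This is an added example, not code from the NCC Group report; the port names, MAC addresses, record format and function names are constructed for illustration.

```python
# Added example: flags dock-facing switch ports whose link speed dropped
# below baseline or that show MAC addresses not seen before.
# All ports, MACs and the poll format below are constructed sample data.

BASELINE = {
    # switch port -> expected link speed (Mbps) and MACs normally behind it
    "dock-port-1": {"speed": 1000, "macs": {"02:00:00:00:00:01"}},
    "dock-port-2": {"speed": 1000, "macs": {"02:00:00:00:00:02"}},
    # This port has always linked at 100Mbps, so 100 is not a downgrade here.
    "dock-port-3": {"speed": 100, "macs": {"02:00:00:00:00:03"}},
}

# Constructed poll output, one line per port: "port speed_mbps mac[,mac...]"
OBSERVED = """\
dock-port-1 1000 02:00:00:00:00:01
dock-port-2 100 02:00:00:00:00:02
dock-port-3 100 02:00:00:00:00:03,02:00:00:00:00:99
"""


def parse_poll(text):
    """Yield (port, speed_mbps, set_of_macs) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        port, speed, macs = line.split()
        yield port, int(speed), {m.lower() for m in macs.split(",")}


def find_anomalies(baseline, observed_text):
    """Return a list of (port, finding, detail) tuples."""
    findings = []
    for port, speed, macs in parse_poll(observed_text):
        expected = baseline.get(port)
        if expected is None:
            findings.append((port, "unknown-port", ""))
            continue
        # Telltale 1: link negotiated below its usual speed.
        if speed < expected["speed"]:
            detail = f"{expected['speed']}->{speed}"
            findings.append((port, "speed-downgrade", detail))
        # Telltale 2: MAC address not previously seen on this port.
        for mac in sorted(macs - expected["macs"]):
            findings.append((port, "new-mac", mac))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(BASELINE, OBSERVED):
        print(*finding)
```

A speed drop alone can also come from a bad cable or a replaced dock, so a finding is a prompt for physical inspection rather than proof of an implant.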