The Enemy In Your Own Camp
Sega Dreamcast as a Hacker's Tool
Copyright (C) 12/2002 by Howard Fuhs
The Trojan Horse concept is around three thousand years old. The concept of Trojans in connection with software is not exactly a novelty either. All computer users are now forced to use anti-virus software in order to protect their networks against malware, a lot of which is distributed across the Internet in email messages or by malicious web sites. Well, it is occasionally possible to discover new, interesting and also dangerous things which are variations of well-known concepts. This is true, for example, of Hardware Trojans.
Last July two American security experts presented an interesting concept used to attack and spy on networks. They took an old Sega Dreamcast game console (which you can get second-hand for less than 50 quid) and configured a Linux operating system with extensive network capabilities on the console.
Once smuggled into a company and connected to the local network the game console is sitting nicely behind the firewall and attempting to connect to the attackers.
If it is successful in establishing the contact to the external world it will use readily and freely available VPN (Virtual Private Network) technology to establish an encrypted communication channel to the attackers.
While attempting to connect to the outer world the Dreamcast console tries different approaches. First it looks for TCP ports that are allowed access through the firewall. If any open ports are available it starts up vtun (Virtual Tunnel).
If no open TCP ports are found through the firewall it will look for UDP ports. If an open port is available the console starts up cipe over UDP on the port. Then it will look for ICMP, and in case it is available Icmptunnel will be started up.
If neither TCP, UDP nor ICMP is available the system will look for a suitable proxy server connection. If one is available the system will start PPP and SSH by using proxytunnel through the proxy server.
In case the game console is able to find a communication channel a number of relevant pieces of network information are sent to the attackers' computer, and a secure VPN tunnel is established through the firewall. The attacker then has full access to the network through the tunnel.
This scheme may sound a bit fanciful but nevertheless it points to a few important issues.
The concept presented here was already used in a case of industrial espionage some years ago. In that particular case a Remote Access Server (RAS) was installed covertly in order to allow spies to dial into the corporate network of a large German company.
Using a Sega Dreamcast game console is admittedly taking an unusual path but the message is clear enough: any type of computer can be misused for the purpose of carrying out network attacks and thus pose a potential security problem.
Even if a Dreamcast appears conspicuous in a corporate environment because it would not normally be associated with a legitimate work purpose, what if a similar Trojan was planted inside a corporation in the shape of a PDA, sub-notebook or something similarly less conspicuous?
Using a game console successfully in an attack of this type demonstrates clearly that incorrect conceptions still exist with regard to what a computer is. That this demonstration could be carried through with the result that the attackers managed to acquire information to which they would not normally be supposed to have access demonstrates that people expect computers to live only in computer cabinets and that other things are just fun and games - or maybe black magic - that can be used uncritically and pose no threat.
The configuration, the management and the architecture of a firewall still - as always - presume that attacks come from outside the internal network, from the Internet.
Despite the fact that many studies over a long period of time have shown that a large proportion of security-relevant incidents in the IT area are caused by people belonging inside the attacked organisation, firewalls or other controls are normally not implemented with the function of protecting internal networks.
It is a particularly interesting factor with regard to this demonstration that the encrypted data traffic through a VPN will probably be seen as completely legitimate by the firewall and other functions that supervise the system, thus opening an unchecked communication channel out of the organisation.
No 'dangerous hacker-tools' were used, only simple network functionality and a number of security software systems that are readily available for all modern operating systems.
Of course this concept has some downsides.
The IP address of the attacker must be stored on the CD used to run the console in order for the game console to know where it should connect. The console can also easily be detected on the network through MAC address filtering, and removed (or, since the VPN channel of course works both ways, hijacked by the white hats and used to collect information about the attacker).
Well, this proof-of-concept demonstration may be far-fetched but it would be stupid to ignore it.
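The two points the article makes for the defender (that the console has to walk through TCP, UDP, ICMP and finally the proxy before it finds a way out, and that its MAC address betrays it to anyone who keeps an asset register) can both be turned into simple detection logic. The script below is an added example written for this page; it is not part of the original article nor of the Dreamcast project it describes. The firewall log format, the sample log lines, the MAC addresses, the asset register and the proxy address are all constructed for the example.

```python
"""Spot the two tell-tale signs of a Dreamcast-style hardware Trojan from
inside the network: (1) one internal host being denied on TCP, UDP and
ICMP towards the same external address and then turning to the proxy,
and (2) a MAC address that is not in the asset register.
The log format and every value below are constructed for this example."""

import re
from collections import defaultdict

# Constructed egress log lines in a made-up firewall format:
# time src_ip src_mac proto dst_ip dst_port action
SAMPLE_LOG = """\
10:00:01 192.168.1.77 02:00:5e:00:00:77 TCP 203.0.113.9 22 DENY
10:00:02 192.168.1.77 02:00:5e:00:00:77 TCP 203.0.113.9 80 DENY
10:00:03 192.168.1.77 02:00:5e:00:00:77 TCP 203.0.113.9 443 DENY
10:00:04 192.168.1.77 02:00:5e:00:00:77 UDP 203.0.113.9 53 DENY
10:00:05 192.168.1.77 02:00:5e:00:00:77 ICMP 203.0.113.9 0 DENY
10:00:06 192.168.1.77 02:00:5e:00:00:77 TCP 192.168.1.5 8080 ALLOW
10:00:07 192.168.1.20 02:00:5e:00:00:20 TCP 198.51.100.3 443 ALLOW
10:00:08 192.168.1.20 02:00:5e:00:00:20 TCP 198.51.100.3 443 ALLOW
"""

# Constructed asset register: MAC addresses the organisation has on record.
KNOWN_MACS = {"02:00:5e:00:00:20", "02:00:5e:00:00:21"}

# Constructed address of the internal web proxy (the last exit the console tries).
PROXY_ADDR = ("192.168.1.5", 8080)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+) (ALLOW|DENY)$")


def parse_log(text):
    """Turn the raw log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t, src, mac, proto, dst, port, action = m.groups()
        events.append({"time": t, "src": src, "mac": mac, "proto": proto,
                       "dst": dst, "port": int(port), "action": action})
    return events


def unknown_macs(events, known):
    """Sign (2): every MAC seen on the LAN that is missing from the register."""
    return sorted({e["mac"] for e in events if e["mac"] not in known})


def egress_probers(events, proxy, min_transports=2):
    """Sign (1): a source denied on two or more transports (TCP, UDP, ICMP)
    towards one external host, or denied directly and then seen talking to
    the proxy. Returns {src: sorted list of transports that were denied}."""
    denied = defaultdict(set)      # (src, dst) -> transports denied at the edge
    proxy_users = set()            # sources that also contacted the proxy
    for e in events:
        if (e["dst"], e["port"]) == proxy:
            proxy_users.add(e["src"])
        elif e["action"] == "DENY":
            denied[(e["src"], e["dst"])].add(e["proto"])
    flagged = defaultdict(set)
    for (src, dst), transports in denied.items():
        if len(transports) >= min_transports or src in proxy_users:
            flagged[src] |= transports
    return {src: sorted(t) for src, t in flagged.items()}


def report(text, known=KNOWN_MACS, proxy=PROXY_ADDR):
    """Run both checks over a log and return their findings together."""
    events = parse_log(text)
    return {"unknown_macs": unknown_macs(events, known),
            "egress_probers": egress_probers(events, proxy)}


if __name__ == "__main__":
    for kind, finding in report(SAMPLE_LOG).items():
        print(f"{kind}: {finding}")
```

On the sample log the host 192.168.1.77 is reported twice: once because its MAC is not on record, and once because it was turned away on three different transports towards 203.0.113.9 before reaching for the proxy. The ordinary workstation 192.168.1.20, which only makes allowed HTTPS connections, produces no finding. Both checks rely on nothing more than the firewall's own deny log and a list of known hardware, which is exactly the kind of inward-looking control the article says is usually missing.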
So next time you see somebody playing Sonic in a corner of the canteen, go see if the console has a network connection!
Copyright (C) 12/2002 by Howard Fuhs. All rights reserved.
Published: Information Security Bulletin December 2002