I told ya so
In the series of 'I told you so', I present an illegitimate, ages-old idea of gaining access to computers via alternative routes. It is one of the most neglected topics since online banking security.
To sum up before my computer closes down: read further if you enjoy this.
Wild imagination? Maybe, but very little thought has been given to attack vectors that allow access to systems without the need to research and define dedicated software-security approaches; the computers just happen to be connected in many ways. Physical security has been around for years already, so where would this be counted? Network security? Infrastructure (of what?) security?
Just a thought, then.
Accessing computers through Power Grid: The Basic configuration
So, being an electronics nerd, I started to imagine how ridiculously easy it would be for one of the vendors that maintain the world's add-on board and motherboard markets to create such a capability. Most boards are designed for generic purposes and used across many platforms, for desktops and servers, that is.
The components that interface the motherboard with the power or electric grid are standardized, and hiding information 'between the lines', e.g. as faint signal changes or bursts of data, is not a new invention for covert channels either. This could potentially require co-operation with transformer manufacturers, but one might also work alone pretty well.
Interfacing with our malicious APT board
To make such a system operational, the required components are pretty simple. First you need the ability to interpret serial-type messages within the motherboard and send data back to the requester, so some sort of identification is needed, and surely an application to handle all this in place within a chip (so an FPGA), like an analog-to-digital converter. There are a number of chips on the motherboard performing several different jobs, so my focus would be directed at any AD/DA capability that already exists, for example for audio. Server boards are in a way much simpler than desktop ones, but carry more logic for handling stability and I/O.
Attaching the computer's power plug to the wall outlet would not do anything by itself, so an interfacing capability is needed. PLC (Power Line Communication) already allows Ethernet to be carried over power lines, so TCP/IP is very capable of such a job.
However, that is too power-hungry, too obvious and requires a lot of measures to hide the data bursts, so simple serial communication below, say, 9600 bps is enough for most needs. What matters for the objective is how long the deception lasts, not the ability to download a UI snapshot.
Very small deviations, or changes, in the pure analog sine waveform allow it to be systematically interpreted as serialized data, which can be carried a long way towards the targeted motherboards, efficiently dismantling filtering capabilities; or, say, electric firewalling ('powerwalling') becomes useless against such attacks. Or, even better, renting the next-door apartment would do the trick.
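As an added defender-side example, not code from the original post: a small monitor that looks for the kind of deviation described here. It subtracts the best-fit mains fundamental from each sampled cycle and flags cycles whose residual, or whose fitted amplitude, departs from a baseline learned on the first few cycles. Two features are needed because a per-cycle fit absorbs a whole-cycle amplitude nudge (it only shows up in the amplitude), while a faint tone or burst riding on the waveform only shows up in the residual. The 50 Hz mains, 10 kS/s sample rate, thresholds and the injected test deviations are all constructed assumptions for the demonstration; the code uses only the standard library.

```python
import math
import random

MAINS_HZ = 50                                  # assumed nominal mains frequency
SAMPLE_RATE = 10_000                           # assumed ADC sample rate, samples/second
SAMPLES_PER_CYCLE = SAMPLE_RATE // MAINS_HZ    # 200 samples per mains cycle


def fit_fundamental(cycle):
    """Least-squares fit of a*sin(wt) + b*cos(wt) at the mains frequency over
    one sampled cycle. Returns (a, b); the fitted peak amplitude is hypot(a, b)."""
    n = len(cycle)
    a = b = 0.0
    for k, x in enumerate(cycle):
        phase = 2 * math.pi * k / SAMPLES_PER_CYCLE
        a += x * math.sin(phase)
        b += x * math.cos(phase)
    return 2 * a / n, 2 * b / n


def cycle_features(cycle):
    """Return (fitted_amplitude, residual_rms) for one cycle. The residual is
    what is left after the fundamental is removed: noise plus anything riding
    on the waveform that is not at the mains frequency."""
    a, b = fit_fundamental(cycle)
    total = 0.0
    for k, x in enumerate(cycle):
        phase = 2 * math.pi * k / SAMPLES_PER_CYCLE
        total += (x - (a * math.sin(phase) + b * math.cos(phase))) ** 2
    return math.hypot(a, b), math.sqrt(total / len(cycle))


def flag_cycles(samples, baseline_cycles=10, residual_factor=3.0, amp_tolerance=0.002):
    """Split a voltage trace into whole cycles, learn a baseline (mean fitted
    amplitude and mean residual RMS) from the first `baseline_cycles`, and
    return the indices of cycles whose residual exceeds `residual_factor` times
    the baseline or whose amplitude deviates by more than `amp_tolerance`
    (relative). The thresholds are assumptions chosen for this demo."""
    cycles = [samples[i:i + SAMPLES_PER_CYCLE]
              for i in range(0, len(samples) - SAMPLES_PER_CYCLE + 1, SAMPLES_PER_CYCLE)]
    feats = [cycle_features(c) for c in cycles]
    base_amp = sum(f[0] for f in feats[:baseline_cycles]) / baseline_cycles
    base_res = sum(f[1] for f in feats[:baseline_cycles]) / baseline_cycles
    flagged = []
    for i, (amp, res) in enumerate(feats):
        if res > residual_factor * base_res or abs(amp - base_amp) / base_amp > amp_tolerance:
            flagged.append(i)
    return flagged


def constructed_trace(n_cycles=40, peak=325.0, noise=0.5, amp_cycles=(), tone_cycles=(), seed=1):
    """Constructed test fixture: a 230 V RMS (325 V peak) sine with Gaussian
    noise. Cycles in `amp_cycles` get a 0.5 % amplitude nudge; cycles in
    `tone_cycles` get a faint 1 kHz tone (3 V peak, under 1 % of the mains
    peak). These stand in for the kind of small deviation the post describes."""
    rng = random.Random(seed)
    amp_cycles, tone_cycles = set(amp_cycles), set(tone_cycles)
    out = []
    for c in range(n_cycles):
        amp = peak * (1.005 if c in amp_cycles else 1.0)
        for k in range(SAMPLES_PER_CYCLE):
            t = k / SAMPLE_RATE
            x = amp * math.sin(2 * math.pi * MAINS_HZ * t) + rng.gauss(0, noise)
            if c in tone_cycles:
                x += 3.0 * math.sin(2 * math.pi * 1000 * t)
            out.append(x)
    return out


if __name__ == "__main__":
    trace = constructed_trace(amp_cycles=[15, 16, 30], tone_cycles=[22, 23])
    print("flagged cycles:", flag_cycles(trace))   # expected: [15, 16, 22, 23, 30]
```

On a real feed the baseline would be learned over far more than ten cycles and re-learned slowly, since legitimate load changes also move the amplitude; the point of the example is that deviations well under one percent of the mains peak are easy to separate from sampling noise once the fundamental is subtracted, so a filtered supply does not have to be trusted blindly.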
So what we have: a shameless motherboard with the ability to read data from a purified, multi-filtered power source carrying (as an example) a 110/230 VAC to 12 VDC or lower conversion, including potential surges, going down to the motherboard's ATX or equivalent interface, with a 'built-in chip' hooking up the functionality to probe such changes.
The function of such an application would be collecting data from the stream and interfacing directly with the computer's I/O by a pre-defined set of instructions, or ones uploaded through the electric grid. This would allow direct interfacing with operations running at a very low level of the CPU I/O, and with most of the data available within the system too. Potential applications include everything you can already do with your beloved Stuxnet: collecting intelligence, pushing new data in, or just harming the integrity of connected systems.
The way in and C&C:ing
Then what? We have a laptop with a 'PLC interface' of sorts in the next-door apartment and are talking, modem-like, to our neighbour's computer(s)? Pretty fancy, as we are efficiently dismantling all the firewalls, APT security appliances and security software that build up the famous 'security in depth' structure of an organization's defenses.
However, the need defines the cause. Whether it is taking down an element, a critical computer system, a network device, or just one critical desktop running the ICS/SCADA or BMS (building management system) software, and by manipulating the data very precisely allowing the adversary to stay resident even while the software is changed, the objectives need to be very clear. There is no capacity anywhere to do this 'manned' directly, so a command and control structure is required, as in any of the APTs witnessed recently.
Most likely the maneuvering for this would be created by defining enough connected hubs for accessing the targeted environments, and accessing those hubs remotely from swarms that can be built up instantly and dismantled even quicker.
How could this be happening?
Again, the correct answer is: plenty. There are so many possibilities through which, if requested, such a capability could be implemented for someone's needs. Allowing the installation of specific use-case A/D chips could be intentionally agreed or done covertly. This, however, is highly speculative. To make it work perfectly, co-operation with transformer vendors could be important. By whom: well, anyone with enough talent to create custom chips and infiltrate the manufacturing process.
Well, before COTS (Commercial Off The Shelf) became popular in the military and other organizations thinking about their security, this could have been avoided. Nowadays it is very difficult, even in trailers. You still need only one computer to make it possible to interact with the others, in the many different networks that exist 🙂