When network spies can hide in power strips, network security takes a turn toward the impossible

Six weeks ago, I wrote about the challenges of controlling data ingress and egress on a normal business network and offered a frightening scenario based on the possibility of creating an all-but-undetectable back door in a network firewall with the use of common technologies. As if that weren’t enough to worry about, it seems that evil could also be lurking in the nearest power strip.

A company called Pwnie Express is making waves with a new product called the Power Pwn, and it’s clear that this is all at once a very clever, very simple, and very sinister concept. For a vast majority of the corporate networks in existence right now, the clandestine use of this product would all but guarantee a successful and undetectable network penetration. Further, the intruder could conceivably continue to operate undetected for years.

Not so long ago, we were worried about unknown devices on the network and developed tools to combat this in a number of ways. Port security, 802.1x authentication, rogue AP detection, and so on allowed us some peace of mind. We could be confident there were no spies on the wires and that all the devices connected to the corporate network had a good reason to be there. These days, spurred largely by the proliferation of high-speed cellular data networks, devices like the Power Pwn are able to bypass a significant number of those guardposts and usher bad actors into our networks. Everywhere we go, from meetings to the bank to the grocery store, we see unattended network ports. Many may lack an active switchport on the other side, but an awful lot will have access. It takes but a minute to drop something like the Power Pwn in place, perhaps in a shipping dock area or even in a waiting room, and have a remotely accessible device present on the target network.
The Power Pwn evades NAC and 802.1x authentication, creates reverse SSH tunnels through Wi-Fi, 3G, or the wired network, and can even be controlled via SMS text messages. It’s essentially a guaranteed pathway into a network unless it’s physically detected, or the operator gets heavy-handed and triggers internal network monitoring alarms — alarms that would have to be very delicately tuned to detect this intruder in many cases.

Not even network administrators look twice at power strips and UPSes. This one might appear odd at first due to the RJ-45 jacks and the USB port, but many power strips and UPSes have Ethernet surge suppressors built-in, and the USB port could ostensibly be a control port of some type. This isn’t a Wi-Fi AP that someone tucks above a ceiling tile; this is a functional power strip that could sit underneath a secretary’s desk forever without ever being noticed.

The Power Pwn doesn’t really break new ground in terms of functionality — it’s just a power strip with an embedded Debian Linux box, after all — but its capability, camouflage, and commercial availability lower the barrier to entry in virtually every respect: cost, deployment, and skills. This should be worrisome to network security folks the world over. How many companies can afford to outfit every location with active Wi-Fi sniffers that may or may not detect the presence of a new Wi-Fi network? Or lock down every switch port unless and until someone requests that it be made available? Even then, a Power Pwn could be plugged inline between a switch port and a PC, functioning as a bridge, and assume the MAC address of the PC on the other end to evade MAC-based controls. Beyond even that, barring an endeavor to encase every office and site in a Faraday cage, 3G wireless access will always be there. It’s a fool’s errand.

It seems to me the only way to be 100 percent sure that a device like this could not be used to penetrate your network would be to shut down the network.
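A reverse SSH tunnel that leaves over the wired network appears in flow records as a long-lived outbound session from an internal host, which is the kind of monitoring alarm mentioned above. The following is an added example, not part of the original article or of any product: the address range, approved-client list, threshold, and sample records are assumptions constructed for illustration, and it cannot see tunnels carried over 3G or SSH running on non-standard ports.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records (not real traffic):
# start time, duration in seconds, source, destination, destination port
SAMPLE_FLOWS = """\
2012-08-01T08:00:00,45,10.1.4.20,198.51.100.7,22
2012-08-01T08:05:00,28800,10.1.9.77,203.0.113.50,22
2012-08-01T16:05:10,28790,10.1.9.77,203.0.113.50,22
2012-08-01T09:00:00,30000,10.1.4.20,10.1.2.5,22
2012-08-01T09:30:00,40000,10.1.7.3,203.0.113.9,443
2012-08-01T10:00:00,36000,10.1.5.5,192.0.2.10,22
"""

INTERNAL = [ip_network("10.0.0.0/8")]   # assumed internal address space
APPROVED_SSH_CLIENTS = {"10.1.5.5"}     # assumed inventory, e.g. a jump host
SSH_PORTS = {22}                        # port match only, no protocol inspection
MIN_SECONDS = 4 * 3600                  # assumed threshold for "persistent"


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)


def find_persistent_ssh(flow_csv):
    """Return {(src, dst): total_seconds} for unapproved internal hosts that
    hold long-lived outbound SSH sessions to external addresses."""
    totals = defaultdict(int)
    for _start, seconds, src, dst, dport in csv.reader(io.StringIO(flow_csv)):
        if int(dport) not in SSH_PORTS:
            continue
        if not is_internal(src) or is_internal(dst):
            continue  # keep only internal -> external sessions
        if src in APPROVED_SSH_CLIENTS:
            continue  # expected SSH users are excluded to limit noise
        # Sum reconnects so a tunnel that drops and re-dials still accumulates.
        totals[(src, dst)] += int(seconds)
    return {pair: secs for pair, secs in totals.items() if secs >= MIN_SECONDS}


if __name__ == "__main__":
    for (src, dst), secs in find_persistent_ssh(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}: {secs / 3600:.1f} h of outbound SSH")
```
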
There’s just no good way to protect against the Swiss Army knife of network penetration at the present time.

Ultimately, what does this mean for network security? Those institutions that have requirements to be protected against any possible intrusion will wind up spending enormous sums of money to combat devices like this. Those Faraday cages will be installed. Wi-Fi, GSM, and CDMA scanners will be installed and monitored, and big money will hit the budget for even deeper network monitoring and alerting tools that may be able to come up with network fingerprints for known devices like the Power Pwn. For most companies, it means drawing a line in the sand — not against potential threats, but against our security efforts. Beyond that line, we throw up our hands and admit we are unprotected. We can protect against a lot of things, but there’s simply no way that most budgets can support what it would take to deal with this type of subterfuge.

As time has passed, the cat and mouse game of computer and network security has been a fairly even fencing match. Where there’s a parry, there’s a riposte. However, it seems that those who can afford to strike back are dwindling in number, and ultimately, that may turn the match in favor of the hackers.

This story, “The perfect Trojan horse,” was originally published at InfoWorld.com. Read more of Paul Venezia’s The Deep End blog at InfoWorld.com.