Game of Drones
You might think of a drone as a cool device that can capture incredible aerial footage, or you may know it as a tool that armies across the world use to advance their missions. Drones are used for many other purposes, but did you ever think that they could be used to assist a cyberattack?
Cybercriminals are increasingly turning towards hardware-based attacks because of their extremely covert nature. However, one of the biggest challenges of these attacks is the need to gain physical access to the target. Social engineering techniques are commonly applied, and the supply chain is frequently used as an infiltration point to overcome this obstacle. But even that is not always enough, so attackers have found a way to gain physical access without ever being physically present. And yes, you guessed it, this is where the drone comes in. The attacker can remain in a safe, hidden place whilst flying a drone within range of the target. But how does the drone carry out a cyberattack? Well, it actually doesn’t – it is purely a tool used to assist in the attack.
So what happens?
The actual attack tool is another device, such as the Raspberry Pi. This is a small (roughly credit-card sized), inexpensive, portable computer that connects to other devices. Although designed for legitimate purposes, in the hands of a bad actor the Raspberry Pi can carry out harmful, clandestine activities through a malicious payload. In an attack in which the perpetrator uses a drone, the Raspberry Pi is attached to the UAV and targets a wireless keyboard or mouse. How does this all work? It is all to do with the USB adapter connected to the endpoint, which facilitates the wireless mouse or keyboard connection.
The USB dongle is the device that translates the mouse movements and keystrokes into actions performed on the computer. Think of it as a conversation: the user moves the wireless mouse, and the USB dongle tells the computer that this is the action the user wants to perform, so the screen displays the mouse movement. The same happens when the user presses a key. This happens so quickly that the entire process appears instant, but that is the breakdown of how a wireless mouse or keyboard functions. Essentially, the USB dongle acts as the wireless device’s connection to the endpoint.
This is where the drone comes in. The drone hovers near a targeted wireless mouse/keyboard, and the attached Raspberry Pi remotely spoofs the connection between the mouse/keyboard and the USB adapter. In doing so, the Raspberry Pi disguises itself as a legitimate HID (human interface device) and uses the USB dongle to “connect” to the endpoint.
What can it do?
The Raspberry Pi can remotely log all of the local user’s keystrokes and later mimic them when injecting commands.
Since the device is now imitating a legitimate HID, it can use the USB dongle the same way that a keyboard does: by performing keystrokes that translate into actions on the endpoint. This enables a variety of attacks, such as malware injection, data breach and cookie harvesting. In more advanced attacks, the perpetrator can inject a payload that creates an out-of-band connection, bypassing the isolation of an air-gapped network.
It is important to note that, even if the local user is only using a wireless mouse (i.e. the keyboard is wired), the attacker can still perform keystrokes to inject payloads, since the USB adapter supports keyboard interfaces.
The ability to spoof an authenticated device and execute payloads allows the Raspberry Pi to bypass NAC software. The rogue device can alter its MAC address and gain network access through an 802.1x bypassing module included in the payload. With precisely placed packets, the perpetrator can sniff the private traffic between two hosts. Packet sniffing is often used for reconnaissance purposes, as the bad actor can capture data on the targeted network. Moreover, by gaining network access, the device can move laterally across the network to other systems if the network is shared rather than segmented. In 2018, a major US government agency was hacked using a Raspberry Pi. The device was able to move freely between various systems because the network was not segmented. As a result, the perpetrators stole around 500MB of data from 23 files over a period of almost a year.
The persistent attack on the government agency demonstrates the covert nature of such devices (Raspberry Pi) and the lack of device visibility in many organizations. Enterprises are often unaware of all the devices operating within their infrastructure. This is a blind spot that cybercriminals seek to exploit. More worrisome is that, even if enterprises did have complete device visibility, the Raspberry Pi and other spoofed peripherals can imitate legitimate HIDs, which would not raise any security alarms. Hence, it would essentially be impossible to detect the malicious nature of such devices.
The use of a drone removes the perpetrator’s challenge of gaining physical access to the target, thus increasing the risk of such an attack. To reduce that risk, you could permanently watch the sky and try to spot a drone hovering nearby. However, not only is this extremely unproductive, it is also unlikely to suffice as an effective security measure. Instead, it is essential to gain complete device visibility to detect all hardware assets within the organization’s infrastructure, identify those which are vulnerable, and instantly block devices which are acting maliciously.
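As an added illustration of the two defensive checks this post calls for (it is example code written for this page, not a tool from the original post or from any product), the script below does two things: it compares an inventory snapshot of enumerated USB devices against an allowlist of issued HID dongles and reports any HID that is not on it, and it scans a stream of keystroke timestamps for runs that arrive faster than a person can type, which is the signature of an injected keystroke payload rather than a user at the keyboard. All vendor/product IDs, serial numbers, host names and timestamps are constructed sample values, and the 20 ms / 8-key thresholds are assumed tuning parameters that a real deployment would calibrate against local typing data.

```python
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Set, Tuple

USB_CLASS_HID = 0x03  # USB interface class code for Human Interface Devices


@dataclass(frozen=True)
class UsbDevice:
    """One enumerated USB device as an inventory agent might report it."""
    vendor_id: int
    product_id: int
    device_class: int
    serial: str
    host: str


# Constructed allowlist of the dongles IT actually issued.
# The IDs and serials are placeholders, not real vendor assignments.
APPROVED_HIDS: Set[Tuple[int, int, str]] = {
    (0x1234, 0x0001, "KB-ISSUED-0001"),
    (0x1234, 0x0002, "MS-ISSUED-0002"),
}

# Constructed inventory snapshot from two workstations.
SAMPLE_DEVICES: List[UsbDevice] = [
    UsbDevice(0x1234, 0x0001, USB_CLASS_HID, "KB-ISSUED-0001", "ws-01"),
    UsbDevice(0x1234, 0x0002, USB_CLASS_HID, "MS-ISSUED-0002", "ws-01"),
    UsbDevice(0x0ABC, 0x0100, 0x08, "DISK-7781", "ws-02"),      # mass storage, not HID
    UsbDevice(0x5678, 0x0099, USB_CLASS_HID, "", "ws-02"),      # unknown HID, no serial
]

# Constructed keystroke timestamps (milliseconds) from a host's input event log.
HUMAN_TYPING_MS = [0, 140, 260, 345, 510, 620, 780, 905, 1010, 1150]
INJECTED_MS = [0, 4, 8, 12, 16, 20, 24, 28, 32, 36, 40]


def find_unapproved_hids(devices: Iterable[UsbDevice],
                         approved: Set[Tuple[int, int, str]] = APPROVED_HIDS) -> List[UsbDevice]:
    """Return every HID-class device whose vendor/product/serial is not on the allowlist."""
    return [d for d in devices
            if d.device_class == USB_CLASS_HID
            and (d.vendor_id, d.product_id, d.serial) not in approved]


def detect_injection_burst(timestamps_ms: Sequence[int],
                           max_interval_ms: int = 20,
                           run_length: int = 8) -> bool:
    """
    Flag a keystroke stream that arrives faster than a person can type.

    Returns True if `run_length` consecutive keystrokes all have inter-key gaps
    of at most `max_interval_ms`. Both thresholds are assumed values; injected
    payloads typically type in a few milliseconds per key, while human typing
    rarely drops below tens of milliseconds between keys.
    """
    if len(timestamps_ms) < run_length:
        return False
    gaps = [later - earlier for earlier, later in zip(timestamps_ms, timestamps_ms[1:])]
    fast_run = 0
    for gap in gaps:
        fast_run = fast_run + 1 if gap <= max_interval_ms else 0
        if fast_run >= run_length - 1:  # run_length keys span run_length-1 gaps
            return True
    return False


def inventory_report(devices: Iterable[UsbDevice] = SAMPLE_DEVICES) -> List[str]:
    """Human-readable findings for the inventory check, one line per unapproved HID."""
    return [f"{d.host}: unapproved HID vid=0x{d.vendor_id:04x} pid=0x{d.product_id:04x} "
            f"serial={d.serial or '<none>'}"
            for d in find_unapproved_hids(devices)]


if __name__ == "__main__":
    for line in inventory_report():
        print(line)
    print("human stream flagged:", detect_injection_burst(HUMAN_TYPING_MS))
    print("injected stream flagged:", detect_injection_burst(INJECTED_MS))
```

The inventory check is what "device visibility" reduces to in practice: a spoofed peripheral looks like a keyboard to the operating system, so the only thing that distinguishes it is that nobody issued it. The timing check catches the payload stage instead, since a burst of keystrokes at a few milliseconds apart is not something a user at a wireless keyboard produces, whatever device the dongle believes it is talking to.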