Rogue Devices Detection

Rogue Device Detection

In an era where cybersecurity is paramount, the importance of robust systems for Rogue Devices Detection has come to the forefront.

A Tier 1 bank audit revealed some irregularities. It became evident that unauthorized rogue devices had continuous access to the internal and secured parts of the network. After investigating the bank’s computing assets, including the servers, desktop workstations, and management’s laptop, the team found no evidence of malware with remote access capabilities.

Subsequently, investigations focused on deep monitoring of the inbound and outbound communications of the network, hoping for an indication of what was occurring. Again, the investigators found no evidence of full remote access. The bank sought assistance from the Cybersecurity Investigations Practice of a leading global consulting firm. The team discovered that the perpetrators had cloned an authentic laptop belonging to the bank. It was connecting to the network infrastructure via an out-of-band channel, in parallel to the existing and legitimate laptop.

The network access profile and envelope, as well as the certificate, were authentic and valid, meaning that none of the existing security and monitoring tools recognized it as a rogue device. The attackers were using a “ghost” malicious device that was acting in the shadow of the legitimate one. Upon further investigation, the team discovered an unidentified small hardware device installed in one of the distribution cabinets. It was providing the perpetrator with remote access capabilities while the existing security measures remained completely oblivious. No one knew what this device was, what it was doing, who brought it in, or when.

Attack Study

With the growing sophistication of cyber threats, the concept of Rogue Devices Detection has become a crucial focus in ensuring network security.

The attackers used a legitimate off-the-shelf network router sold by a third party. Among its other modes of operation, the device supports a virtual cable mode whereby two devices can be paired and installed at different locations while operating as if they were interconnected by a standard passive LAN cable. The two devices reroute and tunnel the communication via a simple switchboard application. The device enables the interception of traffic and the injection of data packets, streaming them back into the network, and it can also be used to carry out more complex man-in-the-middle (MITM) attacks.
These devices do not have an IP or MAC address, meaning that Intrusion Detection Systems (IDS), Network Access Control (NAC) and network monitoring tools are unable to detect them. The entire manipulation occurs on the Physical Layer (Layer 1) and the Data-Link Layer (Layer 2). Therefore, all higher-level communications are deemed authentic and secure.

How Rogue Devices Bypass Authentication Methods

In this specific incident, the perpetrators utilized a BeagleBone board running USBProxy. When attached between the scanning device and the computer system that stores the records of genuine handprints, it allowed the attacker to bypass the authentication.
The BeagleBone does not require any extra hardware beyond its rich set of input/output features, making it easy to interface with external electronics.

Sepio’s Rogue Devices Detection and Mitigation

Sepio is the leader in the Rogue Devices Detection and Mitigation (RDM) market and is disrupting the cybersecurity industry by detecting unauthorized rogue devices, thus preventing hardware-based attacks operating over network and USB interfaces.

The only company in the world to undertake Physical Layer fingerprinting, Sepio calculates a digital fingerprint using the device descriptors of all connected peripherals and compares them against a known set of malicious devices. This automatically blocks any hardware attacks. With Machine Learning, the software analyses device behavior to identify abnormalities, such as a mouse acting as a keyboard.
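The descriptor-based fingerprinting and the “mouse acting as a keyboard” check described above, as an added illustration that is not Sepio’s code: device records, VID/PID values and the blocklist are all constructed sample data, and a real deployment would read the descriptors from the host’s USB stack.

```python
# Added example (not Sepio's code): fingerprint USB devices from their
# descriptors, flag known-bad fingerprints, and flag devices whose declared
# identity does not match the interfaces they expose.
import hashlib
from typing import Dict, List

# USB HID interface class and boot-protocol codes (from the USB HID spec).
HID_CLASS = 0x03
HID_PROTO_KEYBOARD = 0x01
HID_PROTO_MOUSE = 0x02

def fingerprint(dev: Dict) -> str:
    """Hash VID/PID, device class and the ordered list of interface
    (class, subclass, protocol) triples; VID/PID alone is easy to clone."""
    ifaces = ",".join(f"{c:02x}:{s:02x}:{p:02x}" for c, s, p in dev["interfaces"])
    raw = f'{dev["vid"]:04x}:{dev["pid"]:04x}|{dev["dev_class"]:02x}|{ifaces}'
    return hashlib.sha256(raw.encode()).hexdigest()[:16]

def assess(dev: Dict, blocklist: set) -> List[str]:
    """Return findings for one device; an empty list means nothing suspicious."""
    findings = []
    fp = fingerprint(dev)
    if fp in blocklist:
        findings.append(f"fingerprint {fp} matches a known malicious device")
    protos = {p for c, _, p in dev["interfaces"] if c == HID_CLASS}
    name = dev["product"].lower()
    # A device presenting itself as a mouse but also exposing a keyboard
    # interface can inject keystrokes: the "mouse acting as a keyboard" case.
    if "mouse" in name and HID_PROTO_KEYBOARD in protos:
        findings.append("product string says mouse but a keyboard HID interface is exposed")
    return findings

# Constructed sample inventory (placeholder VID/PID values): a genuine mouse,
# a keystroke injector cloning its VID/PID, and a device on the blocklist.
GENUINE_MOUSE = {"vid": 0x1111, "pid": 0x2222, "dev_class": 0x00,
                 "product": "USB Optical Mouse",
                 "interfaces": [(HID_CLASS, 0x01, HID_PROTO_MOUSE)]}
FAKE_MOUSE = {"vid": 0x1111, "pid": 0x2222, "dev_class": 0x00,
              "product": "USB Optical Mouse",
              "interfaces": [(HID_CLASS, 0x01, HID_PROTO_MOUSE),
                             (HID_CLASS, 0x01, HID_PROTO_KEYBOARD)]}
KNOWN_BAD = {"vid": 0x3333, "pid": 0x4444, "dev_class": 0x00,
             "product": "Generic Hub", "interfaces": [(0x09, 0x00, 0x00)]}
BLOCKLIST = {fingerprint(KNOWN_BAD)}

if __name__ == "__main__":
    for dev in (GENUINE_MOUSE, FAKE_MOUSE, KNOWN_BAD):
        print(dev["product"], fingerprint(dev), assess(dev, BLOCKLIST) or ["ok"])
```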


Invisible Network Devices Case Study
May 12th, 2020