Kaspersky has made another disturbing finding, as security firms often do, and in this case it’s the fact that a corporate network can be cracked wide open using a basic hacking tool. Namely a piece of hardware that costs just $20 (£15) and can be configured in just a few hours by someone with only a basic knowledge of programming.
The experiment Kaspersky conducted involved using a Raspberry Pi which was configured as an Ethernet adapter, had the OS tweaked slightly, with publicly available tools for packet sniffing and data collection then being installed.
Security researchers from the company set up a server to collect the data which this device would intercept, and the Raspberry Pi-powered device was then connected to a target (victim) PC.
The device subsequently fed data back to the server, and Kaspersky says it was able to collect passwords from the corporate network at a rate of 50 per hour – these were hashed passwords, mind, but as the security company notes: “The hashes could be deciphered into passwords, since the algorithms are known or used in pass-the-hash attacks.”
Obviously, this is a pretty worrying observation, particularly as no malicious software was needed at all – just easily available programs downloaded from the internet.
The caveat is that this isn’t something which can be pulled off remotely, as obviously the attacker must have physical access to a PC on the company network, in order to plug the device into a port.
However, this is far from unheard-of in the corporate world. Indeed, Kaspersky’s investigation was inspired by the real-world story of a cleaner at an organisation who used a USB stick to infect the company network with malware.
Kaspersky explains that the attack works because the operating system of the victim PC identifies the Raspberry Pi device as a wired LAN adapter, and gives it access to data exchange within the network. The attack works against both Windows and Mac computers (whether locked or unlocked), but researchers couldn’t pull it off with a Linux computer.
The main defence against attacks like these revolves around educating staff members. For example, when returning to their computers, employees should be aware to check for extra USB devices plugged into their machines. And of course USB sticks from unknown or untrusted sources should never be used with company PCs (or any machine, for that matter).
Beyond that, extra precautions can include changing passwords regularly, and enabling two-factor authentication, so knowledge of a password isn’t enough to log on (because this requires a second factor, like a texted code, when logging in from a new device or location).