Tuesday, 22 September 2015

A Weapon for the Mass Destruction of Computer Infrastructures

Disclaimer: This is NOT a weapon. This is AN EXPERIMENT. 
You MUST NOT try this at home. The tests were performed under the supervision of licensed electricians, in a controlled environment. 
I intentionally do not provide any technical details about the devices. The purpose of this blog post is not to tell you how to do this, but to raise awareness that this can actually happen. I believe entities should be aware of this threat and take any necessary actions to protect their infrastructures. 

Having done a number of physical security assessments over the years, I started wondering how vulnerable our computer infrastructures are. I tried to think of a way for a malicious insider or an external third party (someone who doesn't have physical access to the server room) to target a company’s computer network and take it down by damaging it. I started thinking about this from a different perspective and I tried to approach this "question" with an outside-the-box point of view. 


Through my experience with physical security assessments, I noticed that there are many unattended Ethernet ports (sockets) everywhere around a building. These ports might not be “active”, but most of the time they are connected at the far end to a managed or unmanaged network switch.

I started wondering what the effect would be if one tried to apply electric current to an Ethernet socket directly from a power socket. The picture on the left illustrates a cable which sends electric current (220V-250V) directly from the power socket to the Ethernet port (this is very dangerous; do not make one, and do not try to use it). In reality, such an attempt is actually pointless, as it will only "toast" the device you connect this modified power cable to. 

The hypothetical network switch at the other end will end up toasted in a split second and the person doing this will experience a loud bang and a bright flash, along with the smell of burned plastic at the Ethernet socket side. 

This is a very dangerous thing for one to do and not a very convenient or effective way of taking down the whole computer infrastructure. The whole point is to manage to "fry" all the devices behind the network switch!!! (...even after the network switch is "toasted" and the circuits are burned), and to do so without exposing ourselves to any danger, as would have happened if someone had used the cable mentioned earlier on. 

This made me think of what would happen if the electricity being applied is in the form of a high voltage spark. I tried to find the right device for the job, which would be capable of generating a spark for a designated period of time. 

I ended up with the device on the right-hand side. Its dimensions are 8cm x 3cm x 2cm and it can fit in someone's pocket fairly easily. After a couple of tries, I discovered that this device is not powerful enough to do what I wanted to do. It could "kill" a network switch at the far end of a network socket, but that's about it. There is no bang, flash or smell of burned plastic at the socket side. Just for the record, it managed to fry the network switch on the other side, over a 50-meter network cable.

Back to the drawing board. For my experiment I wanted to "jump" the network switch and reach the rest of the devices connected to it. I wanted to assess if it is possible for someone to "fry" the other devices connected to the network switch after the switch is toasted. 

So, I ended up looking for a device that fits in a laptop bag, capable of generating a spark strong enough to jump over to the next device connected to the switch. Also, I wanted to assess how far the spark can travel over an Ethernet cable, while being capable of causing damage. 

I came across a very promising device for what I wanted to do. Its dimensions are 18cm x 14cm x 9cm. I painted it and put a sticker on it just to make it look cool! (It felt like it was intended for an episode of Brainiac.)

The device could generate a strong enough spark that I ended up testing it over a 100-metre Ethernet cable. 

I took a few pictures to demonstrate how strong the spark is and how far it can reach. It is not very easy to see in these pictures, but I was able to maintain the spark (arc) at a distance of 4 to 5 centimetres. You can see the arc in the following pictures, which I haven't edited or altered in any way.
The electric arc over a 100-meter cable looked as strong as it was over a 1-meter cable. That was very promising for what I wanted to do. The following pictures are actual photos of the spark between two network cables.

I set up a network switch, and over a 5-meter Ethernet cable I connected an old working laptop. Over a 3-meter cable I connected a network HDD, and over a 100-meter cable I connected my “deathray” device. 

I decided to switch on the device and apply current for exactly 2 seconds. The result was scary and interesting as well. The network switch was burned instantly with a little “tsaf” noise. There was also a buzzing noise coming from the devices plugged in to the network switch, for less than a second. There was a tiny flash from the network HDD and the laptop stopped working. 

It is not the cheapest thing in the world to test this, as it took all of the old hardware I had in my attic to run these experiments. I believe the threat from such a high-voltage attack against a computer infrastructure is real and should be dealt with.

If someone in the industry or in a university research group would like to perform any further experiments with this, I am happy to supply the device and provide some more information. I believe it is very important to assess:

a) how big a threat this is,
b) how easy it could be to take down a large computer infrastructure from a single Ethernet port, and
c) whether this can affect computer forensics investigations in any way.

Also, it would be very interesting to conduct research into a solution which will be able to protect a computer infrastructure from such attacks. 

Please, follow me on Twitter (@drgfragkos) and share your opinions and thoughts. I hope you enjoyed reading about my little experiment. 

Once again, DO NOT try this; all experiments were performed with licensed electricians present, within a controlled environment.

Please find below a better photo of the electric arc between the two Ethernet cables:

11 comments:

  1. This is a highly dangerous experiment to have performed. The spark device you are using is very likely to have an output voltage that is higher than the wiring's insulation is designed to contain. This means that if the spark device is connected to a network cable, and an experimenter picks up the cable with bare hands, the spark generated could arc through the plastic cover of the network cable and into the experimenter. Network cable insulation is designed to contain 50 volts, while a normal power cord / lamp cord is designed to contain 110 volts (US) or 220 volts (EU). Voltages above 300 volts require special insulation, so if your spark device creates more than 300 volts the risk described to the experimenter is definitely present, and could be present at lower voltages as well.

    1. This is why I have included warnings repeatedly throughout the article. I agree about the insulation on Ethernet cable, but as I mentioned in my post, I am using the right amount of high voltage that the cable can handle. As I also mentioned, there are technical details which I haven't included in the text and which are about many things one should know in order to replicate the results. I really hope this covers a couple of things and I agree with what you said about voltage and safety! Thank you.

  2. An infrastructure with grounded cables might help protect against this.

  3. You know this is the famous BOFH Etherkiller, thought up at *least* as far back as 1994 :) http://jedi.ks.uiuc.edu/~johns/links/bofh/bofhlast.html

    1. I wasn't aware of this http://www.fiftythree.org/etherkiller/ but my method is intended to take down connected devices beyond the device that is going to be "toasted" first.

    2. Since this has existed for at least 20 years, can you really consider yourself a "researcher" because you didn't do your research on this before you started this experiment? The photo you posted even looks exactly like what they created 20 years ago.

    3. Dear James, in the article above I specifically said that this is just an experiment and that I am sharing the findings of what I tried to do, nothing more.
      "Playing" with electrical appliances is not my area of expertise and I did not claim anywhere in the article that this is some kind of proper academic or scientific research.

      Which photo are you referring to? If you are referring to the arc between the Ethernet cables, the pictures have been sized down to fit in line with the text. But, thank you for pointing it out. I will add a higher resolution photo at the end of the article.

      As far as I know, people have been toasting appliances for ages by plugging them directly to 220V/110V. The experiment I wanted to do in this case was to find the ideal way of frying the
      a) modern network devices
      b) BEHIND the network switch
      c) even if the network switch that sits in front is toasted in the process
      d) by making the electricity jump (arc) to unconnected parts of the board.

      Also, as I said in the article there are a couple of technical details which I intentionally left out.

      I really hope my answer clarifies my intentions a little bit. Thank you for your comments.

  4. This is relevant even without the concern for physical penetration issues. Lightning storms can (and have) induced damaging currents in TV and telephone cables from many miles away. To protect against this, you need "lightning arrestors" on the switch side of the cable at least; prefer one on each end.

  6. Metal Oxide Varistors (MOVs), along with pass-through capacitors, or other equipment would have protected the switch and the network. A simple circuit board can be put together, like a patch panel, that "clamps down" all conductors to ground in the event of a transient voltage. The sensitivity can be variable. It would be sacrificial protection (the unit would need to be replaced after an attack), but it would work. Also, it is very important to isolate major systems with fiber optic, as this would not be an issue over glass. Another note: you should always improve on the PHYSICAL access to your network. That is where many problems start!

  7. This can indeed be shrunk down to pendrive size, and my version uses two screen converters from an old Sony Vaio to get +/- 3.3KV which is then dumped into D+, D- and finally into the Vcc line. This also trashes the HDD/SSD as well thanks to the EMP-like effect.
