A developing concern for businesses and government agencies is the sophisticated insider threat. Systems and network administrators often have extraordinary access to sensitive information, far beyond that of any other individual in a large organization. They also tend to be the ones trusted to audit and secure their networks, monitor for data breaches and report employee misconduct, raising the classic conundrum: who watches the watchers? Traditional methods of monitoring the network activity of users suspected of violating their employment agreements or stealing sensitive data are difficult to deploy against a well-established network administrator, who would likely notice third-party tampering, be it through software, traditional network taps or configuration changes on network switches.
A parallel concern to everyone interested in cybersecurity is the fact that, at the end of the day, the cyber world is still a physical one in many respects. This hack demonstrates the importance of physical security for all networked devices in large corporations. A lapse in physical security, such as an unlocked office door or a broken CCTV system, can translate into a nearly undetectable launching point for malicious activity and data breaches. We hope to encourage consideration of the ways in which a sophisticated intrusion could take place without the installation of a single byte of software or the commandeering of a single account on the target IT infrastructure.
What it does
PiSpy is a passive network tap disguised as a standard NIC card. It can be installed in minutes, is configured as its own wireless access point for easy out-of-band exfiltration of packet capture data that leaves no trace on the target network, and is made entirely from readily available consumer hardware (well over half of the hardware components used in our implementation came from our University's e-waste processing facilities!).
The only outward indications of PiSpy's existence are its out-of-band traffic (which could be disguised or converted to GSM fairly easily) and one new port on the back of the target computer. The PiSpy tap is 100% passive, meaning that, even in the case of software or hardware failure, network traffic to the target computer continues as normal. PiSpy's unique positioning physically inside the target machine means that it can draw directly from the target's PSU and is always on when the target machine is on. There is also no risk of accidentally transmitting information across the target network, as the PiSpy is physically restricted from transmitting at the link layer of the TCP/IP model.
How we built it
There are four essential components of PiSpy, each of which needs to operate with an extremely high level of reliability for the device to be useful.
1) "The NIC Trick"
The core of PiSpy's success lies in its ability to blend in. Ideally, a target might use a PiSpy-bugged computer for months or years (if the investigation so warranted) without learning of its presence. In order to tap a user's signal in the final milliseconds before it enters or leaves their device, a separate NIC had to be 'floated' inside the desktop tower using a PCIe riser cable, rendering it physically invisible and inaccessible from the outside while serving as the key link between the PiSpy hardware and the target machine. To further decrease the footprint of the PiSpy, a NIC was selected which did not require the installation of any new Windows software or drivers. A guiding principle of the PiSpy is that one need not even turn the target machine on in order to complete installation.
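The NIC Trick is exactly what a host-side hardware inventory would notice if anyone compared it against a baseline: a network adapter that was not there before, and the adapter that used to carry traffic going quiet. As an added detection example written from the defender's side (this is not the project's code), the following script diffs a stored adapter inventory against a fresh one and flags those two symptoms, plus an adapter whose identity changed or disappeared. The CSV export format, bus addresses, vendor/device IDs and MAC addresses are constructed for the example; a real deployment would populate the same shape from the OS (for instance from Get-NetAdapter or lspci output).

```python
"""Baseline/diff check for the network adapters of a managed host.

Added example, not part of the PiSpy write-up. It compares a stored
hardware inventory against a fresh one and reports the host-visible
symptoms of a hidden in-chassis NIC: an adapter absent from the
baseline, an adapter whose vendor/device or MAC changed, and a
previously active adapter that is suddenly disconnected.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed inventory export format (header: bus,ids,name,mac,status).
# The bus address is the PCI/USB location, which is stable across reboots
# and is the right key: names and MACs can be spoofed, a physical slot cannot.
BASELINE_CSV = """
bus,ids,name,mac,status
0000:00:1f.6,8086:15b7,Onboard Ethernet,00:11:22:aa:bb:01,Up
0000:02:00.0,8086:24fd,Wireless Adapter,00:11:22:aa:bb:02,Disconnected
"""

CURRENT_CSV = """
bus,ids,name,mac,status
0000:00:1f.6,8086:15b7,Onboard Ethernet,00:11:22:aa:bb:01,Disconnected
0000:02:00.0,8086:24fd,Wireless Adapter,00:11:22:aa:bb:02,Disconnected
0000:03:00.0,10ec:8168,PCIe Ethernet Adapter,00:11:22:cc:dd:03,Up
"""

SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1}


@dataclass(frozen=True)
class Adapter:
    bus: str     # physical bus address (dict key)
    ids: str     # vendor:device
    name: str
    mac: str
    status: str  # "Up" or "Disconnected"


def parse_inventory(text: str) -> dict[str, Adapter]:
    """Parse the CSV export into a dict keyed by bus address."""
    adapters: dict[str, Adapter] = {}
    for row in csv.DictReader(io.StringIO(text.strip())):
        adapter = Adapter(
            bus=row["bus"].strip(),
            ids=row["ids"].strip().lower(),
            name=row["name"].strip(),
            mac=row["mac"].strip().lower(),
            status=row["status"].strip(),
        )
        adapters[adapter.bus] = adapter
    return adapters


def diff_inventory(baseline: dict[str, Adapter],
                   current: dict[str, Adapter]) -> list[tuple[str, str]]:
    """Return (severity, message) findings, highest severity first."""
    findings: list[tuple[str, str]] = []
    for bus, now in current.items():
        old = baseline.get(bus)
        if old is None:
            # An adapter in a slot the baseline never saw: the primary signal.
            findings.append(("HIGH", f"new network adapter at {bus}: "
                                     f"{now.name} ({now.ids}, {now.mac})"))
            continue
        if old.ids != now.ids or old.mac != now.mac:
            findings.append(("HIGH", f"adapter at {bus} changed identity: "
                                     f"{old.ids}/{old.mac} -> {now.ids}/{now.mac}"))
        if old.status == "Up" and now.status != "Up":
            # The adapter that used to carry traffic is now idle; on its own
            # this is a cable fault, together with a new adapter it is not.
            findings.append(("MEDIUM", f"previously active adapter at {bus} "
                                       f"({old.name}) is now {now.status}"))
    for bus, old in baseline.items():
        if bus not in current:
            findings.append(("MEDIUM", f"adapter at {bus} ({old.name}) "
                                       f"missing from inventory"))
    findings.sort(key=lambda f: SEVERITY_RANK[f[0]])
    return findings


def check_sample() -> list[tuple[str, str]]:
    """Run the diff over the constructed baseline and current exports."""
    return diff_inventory(parse_inventory(BASELINE_CSV),
                          parse_inventory(CURRENT_CSV))


if __name__ == "__main__":
    for severity, message in check_sample():
        print(f"[{severity}] {message}")
```

The diff is keyed on bus address rather than adapter name or MAC because the floated NIC occupies a slot the baseline never recorded, and that is the one property an in-chassis device cannot hide from the host. Nothing on the wire side will show the tap, since it is passive and never transmits on the target network, so a host inventory baseline and a physical inspection of the chassis are the controls that actually apply.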
2) Physical Tap
PiSpy leverages a physical, passive CAT5 tap based on splitting the transmit and receive pairs through punch-down RJ45 jacks. These split cables are kept tightly wound and were tampered with minimally in the construction of the tap in order to limit signal degradation.
PiSpy is powered entirely off the PSU of its host. This was achieved by soldering spliced micro USB and Molex cables together in the appropriate configuration. One key benefit of this decision is that, any time the target PC is on, the PiSpy is available to sniff its traffic.
The brains of PiSpy are a Raspberry Pi designed to operate resiliently in a headless configuration for long periods of time with sustained remote contact. In the demonstration iteration we built, the PiSpy communicates with a controller via an out-of-band Wi-Fi network in order to eliminate the need to send potentially noticeable packets across the target network.
Due to its large size, a full .img of the PiSpy SD card installation and configuration is available on request.
Challenges we ran into
This project was littered with a smattering of surprises and challenges. From somehow forgetting to bring wire strippers (we resorted to scissors and luck), to spending more than three hours trying to get a faulty Ethernet cable to work in our tap before we realized the cause of our woes, we faced a large number of the sort of terrifyingly unexpected challenges that plague hardware hacks. Luckily, we did our best to bring every piece of our computer-related equipment with us to HopHacks in addition to the parts we purchased to incorporate in our hacks. We learned the value of planning 3 or 4 different routes to the objective and expecting to be plagued with a few seemingly insurmountable failures.
The most frightening bump in the road for the project came with the discovery of a short in our multimeter, which came within seconds of burning out our Raspberry Pi and maybe our host computer as well. Luckily, years of conditioned fight-or-flight responses to the triggering smell of burning rubber were sufficient to get us to react quickly, assess the situation and resolve it safely.
Accomplishments that we're proud of
We came here with almost no expectation of being able to finish this project but just the hope of being able to make a good start on the road to a functioning device. The moment when our first real packet captures came in from the host device was one of the most exhilarating hacking moments either of us has ever had.
What we learned
One of the biggest takeaways from the PiSpy experience for us was a deeper appreciation for just how complicated and rewarding hardware can be. This was our first 'pure' hardware hack at a hackathon, and it was a bit of a shock how a few inches of copper can be every bit as finicky as a mysterious compiler error on the development side. We also both gained a much more nuanced understanding of how the magic of the internet actually works, at a level much deeper than code generally reaches.
What's next for PiSpy
Future development possibilities include similarly hidden network devices which manipulate and interact with user data on the fly through a more active mode of configuration, GUIs and selective packet monitoring, and condensing the hardware required to build and deploy in order to reduce the overall size of the device.