As noted by a report from Catalin Cimpanu for Zero Day this month at ZDNet, a newly discovered type of cyberattack would take advantage of faulty, unshielded Ethernet cables and could theoretically be used to bypass network defenses and attack devices inside closed enterprise networks.
At the Black Hat USA 2020 security conference, a virtual event held Aug. 1-6, researchers and executives from IoT security expert Armis presented details about the new cyberattack technique, which they discovered could plausibly be used to attack devices located inside internal corporate networks. Dubbed "EtherOops," the technique would target vulnerable Ethernet networking cables, turning them into the attacker's path.
In their Black Hat conference presentation entitled, 'EtherOops: Exploring Practical Methods to Exploit Ethernet Packet-in-Packet Attacks', Armis representatives Ben Seri, VP of Research, and Gregory Vishnepolsky, Security Researcher, demonstrated that "the concept of physical layer conditions in which a packet is re-evaluated in transit leading to a packet-in-packet attack has been shown in multiple protocols in the past. However, applying this logic to the Ethernet protocol was only considered a theoretical capability," as stated by the presentation's synopis.
In their talk, the researchers explored "various ways in which this attack can become both practical and powerful."
As further outlined by Armis:
Using this attack, we show how an attacker can bypass Firewall and NAT solutions, even when targeting networks directly from the Internet. Combining this attack with fringe use-cases we discovered in the IPv6 implementations in Windows and Linux, we show how an attacker can use this attack to establish a man-in-the-middle position on the Internet traffic of a certain organization, through which he can eavesdrop on corporate communications, or carry out additional attacks.
The talk went on to demonstrate that "the set of circumstances in which an Ethernet packet-in-packet condition can occur are much wider than previously considered." The researchers detailed the physical parameters of Ethernet cables "in which the likelihood of a bit-flip is rather high," and in which this attack can occur within a few minutes. In addition, they explored "the various ways in which interference can be induced in a wide array of Ethernet cable types using certain radio attacks, leading to a remote Ethernet packet-in-packet attack occurring within minutes."
Lastly, the talk detailed various techniques "in which this attack may be triggered from the Internet, in either 1-click attacks that require a user inside the network to click on a certain link, or certain 0-click attacks that work without any user interaction."
"Once the packet-in-packet attack occurs, the attacker can take-over devices using previously discovered vulnerabilities, or establish a MiTM position on an organization's Internet traffic," concluded the researcher's synopsis.
As explained by ZDNet's Cimpanu:
The EtherOops attack is basically a packet-in-packet attack. Packet-in-packet attacks are when network packets are nested inside each other. The outer shell is a benign packet, while the inner one contains malicious code or commands. The outer packet allows the attack payload to slip by initial network defenses, such as firewalls or other security products, while the inner packet attacks devices inside the network. But networking packets don't typically change their composition and lose their 'outer shells.' Here is where the faulty Ethernet cables come into play. Armis says that faulty cables -- either due to imperfect cabling, or malicious interference attacks -- will suffer from unwanted electrical interference and flip bits inside the actual packet, slowly destroying the outer shell and leaving the internal payload active.
Cimpanu's report notes the researchers admitted the likelihood of such attacks occurring was low due to the special circumstances required, and the high level of difficulty in conducting them. Cimpanu added:
Nevertheless, Armis says the attack can be pulled off by determined attackers. The easiest way to protect against these attacks is either by using shielded Ethernet cables, or by using network security products capable of detecting packet-in-packet payloads insider network traffic.
Read the full report at ZDNet.
Download EtherOops Black Hat presentation slides and a white paper from Armis.
