Everything can be hacked…or can it?

Posted: July 30, 2010 in midnight thoughts, security

Everything can be hacked!

That’s a quote I love; you hear it all over the net. Most people reversing software/hardware, or penetrating highly secure (or at least claimed to be) networks, state that most of today’s applications/hardware/networks can be compromised. Normally you see the vicious circle of stuff being released… hackers attempting to pwn it, vendors claiming it can’t be hacked, hackers publishing the hack. I might be exaggerating a little bit, but usually that’s the general consensus. Of course there are exceptions to the rule: there is hardware/software out there that hasn’t been hacked yet, and maybe it really is NOT hackable. Today I wanted to write about one of those exceptions: unidirectional networks. This post will cover the devices and answer the question of whether I believe their 100% claim; it will also cover some of my midnight thoughts on alternative ways to maybe get data back even when such a device is in place. These ideas DO NOT BYPASS the device, so don’t get your hopes up; they are just possible ideas for using other vectors instead of routing your traffic through the secure device.

First things first, what is a unidirectional network? Well the name actually spells it out, but here is a nice Wikipedia quote:

A unidirectional network (also referred to as a Unidirectional Security Gateway or data diode) is a network appliance or device allowing data to travel only in one direction, used in guaranteeing information security.

and also:

The physical nature of unidirectional networks only allows data to pass from one side (referred to as the ‘low’ side) of a network connection to another (referred to as the ‘high’ side), and not the other way around.

So if I understand this correctly it’s a 100% guarantee that it’s physically impossible to send traffic the other way around. Now that’s something you don’t see often in the information security industry. It’s a real concept to grasp, and it took me a few minutes (and some more reading) to actually realize that indeed it’s physically impossible to send traffic back. Funny thing though: when I finally understood why it’s impossible to send data back, one of the makers of such a device posted a nice video explaining it all.

For the ones preferring a faster explanation, you could compare it to a normal diode:

From Wikipedia:

In electronics, a diode is a two-terminal electronic component that conducts electric current in only one direction. […]
The most common function of a diode is to allow an electric current to pass in one direction (called the diode’s forward direction) while blocking current in the opposite direction (the reverse direction).

So again we see the physical separation (although, if I’m correct, a normal diode leaks a tiny amount of current back in the opposite direction). In the case of the unidirectional device (data diode for short) there is NO flow back, not even a tiny bit.
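To make the “no flow back” property concrete, here is a small Python model of a data diode and of what it does to the protocols that cross it. This is an added example, not code from the original post or from any data-diode vendor: the link is an in-memory queue that only the low side can push into, the low side’s receive function is wired to nothing, and the message, chunk size, repeat count and frame-drop pattern are constructed sample values. It shows the two things a practitioner cares about: a TCP-style handshake can never complete because the SYN-ACK has no path back, and a one-way transfer therefore has to carry its own sequence numbers, checksums and redundancy, with the receiving side only able to notice gaps, never to request a retransmission.

```python
"""Toy data diode: the low side transmits, the high side receives, nothing returns.
Added example; the DataDiode class, frame layout and sample values are assumptions."""
from collections import deque
import zlib


class DataDiode:
    """One-way link. Frames travel low -> high only; drop_every=N discards every Nth
    frame in flight to stand in for physical-layer loss (constructed, deterministic)."""

    def __init__(self, drop_every=0):
        self._queue = deque()
        self._drop_every = drop_every
        self._sent = 0

    def low_send(self, frame: bytes) -> None:
        self._sent += 1
        if self._drop_every and self._sent % self._drop_every == 0:
            return  # lost in flight; the low side is never told
        self._queue.append(frame)

    def high_recv(self):
        return self._queue.popleft() if self._queue else None

    def low_recv(self):
        # The low side's receive pair is connected to nothing: there is no signal
        # path from high to low, so nothing can ever arrive here.
        return None
    # Deliberately no high_send(): the high side has no transmitter.


def attempt_handshake(diode: DataDiode, timeout_polls: int = 5):
    """TCP-style connect across the diode. The SYN arrives, but the low side waits
    for a SYN-ACK that cannot exist, so it never leaves SYN_SENT."""
    diode.low_send(b"SYN")
    high_saw_syn = diode.high_recv() == b"SYN"
    state = "SYN_SENT"
    for _ in range(timeout_polls):
        if diode.low_recv() is not None:
            state = "ESTABLISHED"
            break
    return high_saw_syn, state


def send_one_way(diode: DataDiode, payload: bytes, chunk_size: int = 8, repeats: int = 3) -> int:
    """Push payload as numbered, CRC-protected frames, each repeated `repeats` times.
    Redundancy replaces retransmission, since no NACK can ever come back."""
    chunks = [payload[i:i + chunk_size] for i in range(0, len(payload), chunk_size)]
    total = len(chunks)
    for _ in range(repeats):
        for seq, chunk in enumerate(chunks):
            header = seq.to_bytes(2, "big") + total.to_bytes(2, "big")
            crc = zlib.crc32(header + chunk).to_bytes(4, "big")
            diode.low_send(header + chunk + crc)
    return total


def receive_one_way(diode: DataDiode):
    """Reassemble on the high side. Returns (data, missing_seq_numbers); the best the
    receiver can do about a gap is log it, because it cannot ask for the chunk again."""
    received, total = {}, None
    while (frame := diode.high_recv()) is not None:
        header, body, crc = frame[:4], frame[4:-4], frame[-4:]
        if zlib.crc32(header + body).to_bytes(4, "big") != crc:
            continue  # corrupted frame: drop silently, a NACK is impossible
        seq = int.from_bytes(header[:2], "big")
        total = int.from_bytes(header[2:4], "big")
        received.setdefault(seq, body)
    if total is None:
        return b"", []
    missing = [s for s in range(total) if s not in received]
    data = b"".join(received.get(s, b"") for s in range(total))
    return data, missing


SAMPLE = b"constructed sample: one-way transfer"  # constructed, 36 bytes -> 5 chunks


def _push(diode, repeats):
    send_one_way(diode, SAMPLE, repeats=repeats)
    return diode


def demo():
    """Three transfers: lossless link, lossy link without redundancy, lossy link with."""
    hs = attempt_handshake(DataDiode())
    lossless = receive_one_way(_push(DataDiode(), repeats=1))
    lossy_bare = receive_one_way(_push(DataDiode(drop_every=2), repeats=1))
    lossy_redundant = receive_one_way(_push(DataDiode(drop_every=3), repeats=3))
    return hs, lossless, lossy_bare, lossy_redundant


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The lossy run without redundancy comes back with chunks 1 and 3 missing and nobody on the low side ever learns it; the same link with each frame sent three times delivers the whole message. That is the design consequence of the diode: reliability has to be engineered on the sending side (repetition or forward error correction) because the receiving side has no voice.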

So how can we be so sure that indeed there is no flow back? Due to its certification, to be more precise:

The amount of specialized knowledge that the above company has, and the fact that several secret service agencies have tested those unidirectional devices (data diodes), certainly makes a firm statement. The fact that physics/logic supports their statement also increases my belief in their 100% safe claim.
Of course I’d love to test it myself, but unless one of those companies donates one it won’t happen anytime soon. On a serious note, the above points certainly give some confidence about the level of testing these things have gone through. So essentially this is why I actually believe these things are as secure as they claim to be.

Well, enough of the … WoW … factor; let’s see if there aren’t ways to somehow obtain some feedback even if those devices are in place, because the fact that they are in place doesn’t necessarily mean you have to use them for the information feedback. I have thought of 2 ways to possibly get some information feedback using other channels; unfortunately one of these needs a certain degree of physical access and the second one is more of a theoretical one.

For all the ideas we will assume the following scenario:

You are targeting a highly secure network, containing highly classified information. Your bad luck however is that they have a unidirectional device (data diode) in place. So even if you manage to infect them, you can’t send data back… or can you? All you need to know is whether a certain name is present within their classified network (inside documents/databases/etc.). The following are ideas on how to possibly accomplish this.

Plain old virus

Well, this idea is based around the concept that you have some kind of interaction with persons working inside that secure network, either physically or by phone. So we use a virus to infect the secure network and search for the information we want. Now to get the information back, we have the virus perform a noticeable action on a certain date. This action has to be something that, when you talk with someone working inside that network, it won’t be suspicious when you ask about it, or even better he tells you without you asking him, for example:

Crash the network/computer
He will certainly tell you, since he can’t perform regular work activities. You can get this confirmed by calling him or meeting with him.

Morse code
This keeps fascinating me… Morse code has been around for ages and still you can find practical uses for it. This scenario is based around the concept that almost every office has windows and every computer has a network card with lights on it. So in this case you don’t necessarily need physical access to the persons, but you need a (in)direct line of sight to the network card lights. You use them as a Morse code transmitter; this way you can even transmit more information than if you just crash his PC/the network. If you want to test this out without writing some complicated tool, under Linux you can use ethtool:

ethtool -p|--identify DEVNAME    Show visible port identification (e.g. blinking)

Quantum Entanglement

Now this one is purely theoretical; it tries to exploit the quantum mechanical state of objects. I’m really no expert on this matter… so if I fuck up DO correct me in the comments :). My idea was to use quantum entanglement to get information back: for example, if you’d manage to hook up a quantum transmitter on one side of a unidirectional device and have it transmit, then when the receiving end receives it, the state of the objects gets altered. This state alteration could be considered an acknowledgment of the sent packet, effectively creating a backchannel. You could then maybe use timing techniques to have the information flow back and forth. A current device is vulnerable to this in the traditional way, according to Wikipedia:

The US Naval Research Laboratory (NRL) has developed its own Unidirectional Network called the Data Pump. This is in many ways similar to DSTO’s work, except that it allows a limited backchannel going from the high side to the low side for the transmission of acknowledgments. This technology allows more protocols to be used over the network, but introduces a potential covert channel if both the high and low side are compromised, through artificially delaying the timing of the acknowledgment.

As far as I know the current devices don’t really seem vulnerable to the quantum entanglement attack, since they use electronic signals, meaning the state of the objects sent gets altered as soon as they arrive at the unidirectional device, long before they reach their destination. Who knows, maybe it will work in the future when they switch to fiber stuff and light transmissions.
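The Data Pump quote above describes the one place a backchannel exists by design, a limited ACK path, and names the covert channel it creates: deliberately delaying acknowledgments. From the defender’s side the useful question is whether that manipulation is observable on the link. Below is an added Python monitor, not NRL’s or any vendor’s code, that reports how much of a window of high-to-low ACK latencies sits far from the window’s median; the latency samples and both thresholds are constructed assumptions that a real deployment would calibrate against its own link.

```python
"""Heuristic ACK-timing monitor for a Data Pump style gateway. Added example; the
thresholds and the two latency windows below are constructed assumptions."""
from statistics import median


def ack_delay_report(delays_ms, jitter_tolerance_ms=2.0, min_outlier_fraction=0.2):
    """Summarise one window of high->low ACK latencies.

    A healthy link's ACK delays cluster tightly around their median. A second,
    sizeable population far from the median is the footprint of something on the
    high side holding ACKs on purpose, which is the covert channel's only lever."""
    if not delays_ms:
        return {"median_ms": None, "outlier_fraction": 0.0, "suspicious": False}
    base = median(delays_ms)
    outliers = [d for d in delays_ms if abs(d - base) > jitter_tolerance_ms]
    fraction = len(outliers) / len(delays_ms)
    return {
        "median_ms": base,
        "outlier_fraction": round(fraction, 2),
        "suspicious": fraction >= min_outlier_fraction,
    }


# Constructed sample windows (not measurements from any real device).
HEALTHY_WINDOW = [1.0, 1.1, 0.9, 1.0, 1.2, 1.0, 0.8, 1.1, 1.0, 0.9]
HELD_ACK_WINDOW = [1.0, 12.0, 1.1, 12.5, 0.9, 1.0, 12.2, 1.0, 12.8, 1.1]


def scan(windows):
    """Return the indices of the windows whose ACK timing looks manipulated."""
    return [i for i, w in enumerate(windows) if ack_delay_report(w)["suspicious"]]


if __name__ == "__main__":
    for name, window in (("healthy", HEALTHY_WINDOW), ("held", HELD_ACK_WINDOW)):
        print(name, ack_delay_report(window))
```

The monitor is only a detective control. The design-level mitigation is for the gateway itself to emit the ACKs on its own fixed or randomised schedule, so that nothing the high side does can shape their timing; that caps the channel’s bandwidth instead of relying on spotting it afterwards.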

As always this is just one of those things that captured my attention while surfing the web, and then at night my head burst into a total brainstorm session about it. Maybe the next brainstorm session will have me focus on how to use, instead of abusing like now, these devices for other goals than just physically separating different kinds of classified networks.

  1. diablohorn says:

    Nice setup! Hope it works as expected.

  2. ephemer1c says:

    Thank you, great post! I managed to build one.


  3. diablohorn says:

    Read up on the subjects that interest you; I’ve published the stuff I read on the right.

    Also don’t rely on tools, but try to understand the techniques behind them and why stuff works. When you understand how something works you can start to break it.

    Having people to ask questions to speeds up the process, but you can still learn a lot on your own by reading, researching and most importantly actually doing stuff.

    Don’t give up when something doesn’t work on your first try, just try again.

    For some nice challenges you could take a look at http://www.vulnhub.com; they have some very nice boot2root images. They also have some tutorials and how-tos.

  4. Aileen says:

    Wow… I actually admire you for getting an idea of this type at all ^^

    I really don’t want to inconvenience you and take too much of your time, but you sound like an experienced computer expert or at least an advanced hacker.

    I, myself, am currently 15 and have started to try learning more about computers, the internet, etc. not too long ago. It is my biggest dream to become an IT engineer (and maybe a hacker, too) someday, but unfortunately I don’t know anyone in real life that knows really much about PCs.

    I would really appreciate it if you maybe gave me some advice or tips on how and where to start learning more about this subject. I’m currently learning some basics about HTML 4.01. A reply would be cool and thanks for reading ^.~


  5. anonymous says:

    like i said it would be no different than how people hack games today. you need to educate yourself more and get out in the real world to update yourself on the latest technologies.

  6. anonymous says:

    dude you’re an idiot. ANYTHING CAN BE HACKED. you see it everywhere. in games especially. your “unidirectional network” is just like how a tv works. what’s the point in that? you wouldn’t be able to do much. besides if you guarantee it to be so successful you’d see more of it being used today don’t you think? but no. your idea is actually a step back from progressing forward. you really are an idiot. you have no idea how a network works. most of all stop lying to people. ANYTHING can be hacked. even your “unidirectional network” if one has “physical access” as you call it.

  7. diablohorn says:

    This is not about sending data securely from point a to point B. This is sending data from point A to point B and preventing point B from sending data back. Hence the diode analogy.

  8. Evan Plaice says:

    Sounds like the marketing hype. Real secure networks only send and accept data from multiple trusted sources. Any data going between two points is split up, encrypted and sent along the wire along multiple different geographic routes. On the other end it is decrypted and re-assembled. That way, if any individual part is intercepted/sniffed it would be completely meaningless on its own.

    The statement that anything can be hacked is pretty far from the truth. If you have physical access then, yes but over the network, not so much. Properly configured networks are inherently secure, it’s the people operating them that aren’t.

    Want to hack Windows? Load a PE (preinstalled environment) with a regedit tool and you have root access to all the security settings on the PC. Can’t load the PE because the BIOS has a password? Open the case and flash the BIOS chip to reset the password. With physical access to the hardware there is virtually no protection. Over the internet, only a system that allows defects can be hacked effectively. And there are plenty of ways to send data from point to point securely without some dumb unidirectional communications link.

    Whereas TCP requires a bi-directional connection to establish a session and communicate, most other networking protocols don’t. The video is nothing but marketing jargon.

  9. Michael says:

    Side thought to make your own unidirectional network for testing.
    Create a Linux box in the so-called red network running a sniffer such as driftnet. On the black network, terminate a Cat 5 cable to only be able to transmit data. Then send an image or video to the red network. The red network will recompile the packets into the original image or video and you will not get any data back to the black network.

    The interesting thing in the video is he says a TCP protocol call, so he must be somehow spoofing the state of the packet to successfully create a handshake.

  10. Michael says:

    First I got to say I love the Morse code idea.

    My thoughts. Why even bother with the red network? At some point the data is on the black network. This is almost the same as when people ask me what I do for a living and when I respond they ask me “can I hack into a bank?”. I respond “why hack the bank when I can hack the end user?”. In this case the bank is the red network and the end user is the black network.

    In several of your examples you assume you are already on the network in the first place. Why not leverage this to your fullest advantage? The first thing I would look for is interface status. For example, an interface with tons of transmits and no receives would stick out like a sore thumb. The next thing I would do is sniff. Gain information that will allow you to maybe craft an email to a certain person asking what machine to send the data to, to be proxied into the red network. You can probably get all the information you need without ever actually breaching the red network.
