Everything can be hacked!
That’s a quote I love, and you hear it all over the net. Most people reversing software or hardware, or penetrating highly secure (or at least so-called) networks, state that most of today’s applications, hardware and networks can be compromised. Normally you see the vicious circle: stuff gets released, hackers attempt to pwn it, vendors claim it can’t be hacked, hackers publish the hack. I might be exaggerating a little bit, but usually that’s the general consensus. Of course there are exceptions to the rule; there is hardware and software out there that hasn’t been hacked yet, and maybe it really is NOT hackable. Today I wanted to write about one of those exceptions: unidirectional networks. This post will cover the devices and answer whether I believe their 100% claim. It will also cover some of my midnight thoughts on alternative ways to maybe get data back even when such a device is in place. These ideas DO NOT BYPASS the device, so don’t get your hopes up; they are just possible ways to use other vectors instead of routing your traffic through the secure device.
First things first, what is a unidirectional network? Well the name actually spells it out, but here is a nice Wikipedia quote:
A unidirectional network (also referred to as a Unidirectional Security Gateway or data diode) is a network appliance or device allowing data to travel only in one direction, used in guaranteeing information security.
The physical nature of unidirectional networks only allows data to pass from one side (referred to as the ‘low’ side) of a network connection to another (referred to as the ‘high’ side), and not the other way around.
So if I understand this correctly it’s a 100% guarantee: it is physically impossible to send traffic the other way around. Now there is something you don’t see often in the information security industry. It’s a real concept to grasp, and it took me a few minutes (and some more reading) to realize that it is indeed physically impossible to send traffic back. Funny thing, though: right when I finally understood why it’s impossible to send data back, one of the makers of such a device posted a nice video explaining it all.
For the ones preferring a faster explanation, you could compare it to a normal diode:
In electronics, a diode is a two-terminal electronic component that conducts electric current in only one direction. […]
The most common function of a diode is to allow an electric current to pass in one direction (called the diode’s forward direction) while blocking current in the opposite direction (the reverse direction).
So again we see the physical separation (although, if I’m correct, a normal diode leaks a tiny reverse current in the opposite direction). In the case of the unidirectional device (data diode for short) there is NO flow back, not even a tiny bit.
So how can we be so sure that there is indeed no flow back? Because of its certification, or more precisely:
- physics concepts
- Several Secret Services
The amount of specialized knowledge that such a vendor has, and the fact that several secret service agencies have tested these unidirectional devices (data diodes), certainly makes a firm statement. The fact that physics and logic support their statement also increases my belief in their 100% safe claim.
Of course I’d love to test one myself, but unless one of those companies donates one, that won’t happen anytime soon. On a serious note, the above points certainly give some confidence about the level of testing these things have gone through, and essentially that is why I believe these things are as secure as they claim to be.
Enough of the … WoW … factor; let’s see if there are ways to somehow obtain some feedback even when these devices are in place, because the fact that they are in place doesn’t necessarily mean you have to use them for the information feedback. I have thought of a few ways to possibly get some information back using other channels; unfortunately they either need a certain degree of physical access or proximity, or are purely theoretical.
For all the ideas we will assume the following scenario:
You are targeting a highly secure network containing highly classified information. Your bad luck, however, is that they have a unidirectional device (data diode) in place. So even if you manage to infect them, you can’t send data back… or can you? All you need to know is whether a certain name is present within their classified network (inside documents, databases, etc.). The following are ideas on how to possibly accomplish this.
Plain old virus
This idea is based on the concept that you have some kind of interaction with people working inside that secure network, either physically or by phone. So we use a virus to infect the secure network and search for the information we want. To get the answer back, we have the virus perform a noticeable action on a certain date, but only if the name was found. The action has to be something that won’t be suspicious to ask about when you talk with someone working inside that network, or, even better, something he tells you without being asked. For example:
Crash the network/computer
He will certainly tell you, since he can’t perform his regular work. You can get this confirmed by calling him or meeting with him. That is one bit of information per scheduled event, which is all this scenario needs.
Morse code
This keeps fascinating me… Morse code has been around for ages and you can still find practical uses for it. This scenario is based on the fact that almost every office has windows and almost every computer has a network card with LEDs on it. In this case you don’t necessarily need access to the people, but you do need a (in)direct line of sight to the network card LEDs. You use them as a Morse code transmitter; this way you can even transmit more information than by just crashing his PC or the network. If you want to test this without writing a complicated tool, under Linux you can use ethtool:
    ethtool -p|--identify DEVNAME [TIME-IN-SECONDS]    Show visible port identification (e.g. blinking)
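As an added example (this is not code from the original post), here is the "complicated tool" in a few dozen lines: it turns a short message into Morse code and plays it on the NIC port LED by calling ethtool -p for each dot or dash and sleeping for each gap. The interface name eth0 and the second-based timings are assumptions; ethtool -p only accepts whole seconds, so the transmission is slow, but that also makes it readable by eye or with a phone camera from across the street. Running it for real needs root; the default dry run just returns the timing plan.

```python
"""Morse code over a NIC activity LED, driven by ethtool (added example, not
from the original post). Interface name and dot/dash/gap durations are
assumptions. `ethtool -p IFACE SECONDS` blinks the port LED for SECONDS and
returns when the blink period is over, so an 'on' slot is one ethtool call
and an 'off' slot is a plain sleep.
"""
import subprocess
import time

MORSE = {
    'A': '.-',    'B': '-...',  'C': '-.-.',  'D': '-..',   'E': '.',
    'F': '..-.',  'G': '--.',   'H': '....',  'I': '..',    'J': '.---',
    'K': '-.-',   'L': '.-..',  'M': '--',    'N': '-.',    'O': '---',
    'P': '.--.',  'Q': '--.-',  'R': '.-.',   'S': '...',   'T': '-',
    'U': '..-',   'V': '...-',  'W': '.--',   'X': '-..-',  'Y': '-.--',
    'Z': '--..',  '0': '-----', '1': '.----', '2': '..---', '3': '...--',
    '4': '....-', '5': '.....', '6': '-....', '7': '--...', '8': '---..',
    '9': '----.',
}

# Standard Morse ratios (1:3:1:3:7), scaled to whole seconds for ethtool.
DOT = 1          # seconds the LED blinks for a dot
DASH = 3         # seconds the LED blinks for a dash
GAP_SYMBOL = 1   # dark time between symbols of one letter
GAP_LETTER = 3   # dark time between letters
GAP_WORD = 7     # dark time between words


def to_morse(text):
    """Human-readable encoding, e.g. 'SOS OK' -> '... --- ... / --- -.-'."""
    words = text.upper().split()
    return ' / '.join(' '.join(MORSE[c] for c in w if c in MORSE) for w in words)


def schedule(text):
    """Turn text into a list of ('on'|'off', seconds) slots for the LED."""
    slots = []
    for wi, word in enumerate(text.upper().split()):
        if wi:
            slots.append(('off', GAP_WORD))
        letters = [c for c in word if c in MORSE]   # silently drop unknown chars
        for li, letter in enumerate(letters):
            if li:
                slots.append(('off', GAP_LETTER))
            for si, symbol in enumerate(MORSE[letter]):
                if si:
                    slots.append(('off', GAP_SYMBOL))
                slots.append(('on', DOT if symbol == '.' else DASH))
    return slots


def transmit(text, iface='eth0', dry_run=True):
    """Play the schedule on the NIC LED; dry_run only returns the schedule."""
    slots = schedule(text)
    if dry_run:
        return slots
    for state, seconds in slots:
        if state == 'on':
            # ethtool -p blocks until the blink period ends; if a driver
            # returns early, add time.sleep(seconds) after this call.
            subprocess.run(['ethtool', '-p', iface, str(seconds)], check=True)
        else:
            time.sleep(seconds)
    return slots


if __name__ == '__main__':
    msg = 'SOS'
    print(to_morse(msg))
    for state, seconds in transmit(msg):   # dry run: prints the timing plan
        print(state, seconds)
```

Two practical caveats: the activity LED also flickers with normal traffic, so keep the dot length long enough that a deliberate blink stands out, and remember this channel never touches the diode at all; it is the high side leaking out through the window, which is exactly the author's point.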
Quantum entanglement
Now this one is purely theoretical; it tries to exploit the quantum mechanical state of objects. I’m really no expert on this matter, so if I fuck up DO correct me in the comments :). My idea was to use quantum entanglement to get information back: if you managed to hook up a quantum transmitter on one side of a unidirectional device and have it transmit, then when the receiving end receives it, the state of the objects gets altered. This state alteration could be considered an acknowledgment of the sent packet, effectively creating a backchannel. You could then maybe use timing techniques to have information flow back and forth. (One catch: the no-communication theorem of quantum mechanics says that measuring one half of an entangled pair changes nothing the holder of the other half can detect on their own, so entanglement by itself cannot carry a signal back.) An existing device is vulnerable to the traditional, non-quantum version of this timing trick, according to Wikipedia:
The US Naval Research Laboratory (NRL) has developed its own Unidirectional Network called the Data Pump. This is in many ways similar to DSTO’s work, except that it allows a limited backchannel going from the high side to the low side for the transmission of acknowledgments. This technology allows more protocols to be used over the network, but introduces a potential covert channel if both the high and low side are compromised, through artificially delaying the timing of the acknowledgment.
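To make that Wikipedia remark concrete, here is a small simulation of the ack-timing covert channel. This is an added example and not code from the original post or from the NRL Pump; the class names, the timing constants and the randomised-ack mitigation in the Gateway class are assumptions chosen for illustration. The compromised high side holds each acknowledgment a little longer to signal a 1, and the compromised low side times the acks, calibrates a threshold from a known preamble, and thresholds the rest.

```python
"""Ack-delay covert channel through a pump-style gateway (added example, not
from the original post or the NRL Pump; all names and timing constants are
assumptions). A compromised high side leaks one bit per packet by holding
the ack longer for a '1'; a compromised low side recovers the bits from the
measured round-trip time. Everything is simulated with a seeded PRNG so it
runs offline and deterministically.
"""
import random

BASE_DELAY = 0.020     # honest ack processing time, seconds (assumed)
NET_JITTER = 0.004     # +/- path jitter on every ack, seconds (assumed)
BIT_DELAY = 0.030      # extra hold time the leaking high side adds for a '1'
PREAMBLE = [0, 1] * 8  # known pattern so the low side can calibrate a threshold


def bits_from_bytes(data):
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def bytes_from_bits(bits):
    usable = len(bits) - len(bits) % 8
    return bytes(int(''.join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, usable, 8))


class LeakingHighSide:
    """Compromised high side: decides how long each ack is held back."""

    def __init__(self, secret):
        self.bits = PREAMBLE + bits_from_bytes(secret)
        self.pos = 0

    def ack_delay(self):
        bit = self.bits[self.pos] if self.pos < len(self.bits) else 0
        self.pos += 1
        return BASE_DELAY + (BIT_DELAY if bit else 0.0)


class Gateway:
    """Pump-like gateway; gateway_jitter > 0 models randomised ack timing,
    a common mitigation for exactly this channel (assumed, not the Pump's
    actual algorithm)."""

    def __init__(self, gateway_jitter, rng):
        self.gateway_jitter = gateway_jitter
        self.rng = rng

    def round_trip(self, high):
        hold = high.ack_delay()
        mitigation = self.rng.uniform(0.0, self.gateway_jitter)
        return hold + mitigation + self.rng.uniform(-NET_JITTER, NET_JITTER)


class ListeningLowSide:
    """Compromised low side: times the acks and thresholds them."""

    def __init__(self):
        self.rtts = []

    def observe(self, rtt):
        self.rtts.append(rtt)

    def decode(self, nbits):
        pre = self.rtts[:len(PREAMBLE)]
        zeros = [r for r, b in zip(pre, PREAMBLE) if b == 0]
        ones = [r for r, b in zip(pre, PREAMBLE) if b == 1]
        threshold = (sum(zeros) / len(zeros) + sum(ones) / len(ones)) / 2
        data = self.rtts[len(PREAMBLE):len(PREAMBLE) + nbits]
        return [1 if r > threshold else 0 for r in data]


def run_channel(secret, gateway_jitter=0.0, seed=1):
    """Return (recovered bytes, bit error rate) for one simulated session."""
    rng = random.Random(seed)
    high = LeakingHighSide(secret)
    gateway = Gateway(gateway_jitter, rng)
    low = ListeningLowSide()
    nbits = len(secret) * 8
    for _ in range(len(PREAMBLE) + nbits):
        low.observe(gateway.round_trip(high))
    got = low.decode(nbits)
    errors = sum(a != b for a, b in zip(got, bits_from_bytes(secret)))
    return bytes_from_bits(got), errors / nbits


if __name__ == '__main__':
    print(run_channel(b'Alice'))                       # clean: exact recovery
    print(run_channel(b'Alice', gateway_jitter=0.2))   # randomised acks: garbled
```

With a fixed ack delay the secret comes back bit-perfect; with gateway_jitter=0.2 the gateway's random hold time swamps the 30 ms signalling delay and the bit error rate heads towards a coin flip. That is the whole design tension of an ack backchannel: the more precisely the acks are timed, the more protocols work over the link and the more bandwidth the covert channel gets.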
As far as I know the current devices don’t really seem vulnerable to the quantum entanglement attack, since they use electronic signals, meaning the state of the objects sent gets altered as soon as they arrive at the unidirectional device, long before they reach their destination. Who knows, maybe it will work in the future when they switch to fiber and light transmission.
As always, this is just one of those things that captured my attention while surfing the web, and then at night my head burst into a total brainstorm session about it. Maybe the next brainstorm session will have me focus on how to use these devices (instead of abusing them, like now) for goals other than just physically separating different kinds of classified networks.