A drop box is the malicious corporate insider that you may never notice. It's a backdoor as small as a box of cigarettes and seemingly just as innocuous.
An eagled-eyed staffer may spot the computer board by the illuminated lights perhaps revealing a 3G link used to funnel out corporate packets.
But in all likelihood it would not be found because those attackers willing to plant the dirt cheap do-it-yourself device inside an office would probably want to hide it. perhaps in one of the clean slick white shells resembling something designed out of Cupertino.
It's next to impossible to say if Australian businesses have been owned by one of these devices because they were so hard to detect, yet that doesn't mean it hasn't happened, according to Verizon forensic leader Paul Pratley.
"I have never seen a business that can say hand-on-heart that they know all devices plugged into their network," Pratley said.
"You just wouldn't know."
Drop boxes are security toolkits based on highly customisable single board computers like BeagleBoard or Raspberry Pi.
(See Lizardb0y's Kiwicon talk on pen testing with single board computers.)
A huge array of capabilities can be bolted onto the bare metal boards to create a specialist computer tailored for anything from hacking to horticulture.
But they could also provide an inside link to corporate networks, bypassing perimeters and air gaps.
Drop boxes can be attached by an insider to a computer or an ethernet port but such attacks need not be so overt.
"Imagine if you posted one of these to a target company," Pratley said.
"It might sit on the mail room or a pigeon hole uncollected. Meanwhile it's providing you remote access to attack the wireless network."
Commercial variants were available including the Pwn Plug and the Power Pwn, a power board kitted out with penetration testing features. Users could also deploy Raspberry Pwn, a free platform developed by the makers of the Pwn Plug.
Organisations could ascertain their potential for attack by their position in their market and the value of their data to criminals, Pratley said.
His logic followed that the devices were likely used in bold, targeted and surreptitious attacks against high value victims.
If a drop box was found, it was crucial to not cut its power, according to Pratley. The priority is to preserve digital evidence for forensics specialists, without which it may never be known what the device was doing.
He said look for circuit board text, chip numbers and to identify the IP in use.
Detection techniques include:
- Segment networks and security monitoring. Know your attacker and identify the highest risk assets. Segment those assets.
- Monitor and investigate unauthorised access attempts from within other network segments.
- Deploy rogue system detection
- New devices are flagged with switch and port number for admin review.
- Carry out physical audits prioritising high risk areas including public areas, meeting rooms, printers, inside devices.
- And adopt a default port-down policy
Prately recommended forensics practitioners used the LiME forensics tool developed by researcher Joe Sylve to analyse drop boxes. It allowed for physical memory acquisition from Linux and Android devices.
His slide deck on detecting drop boxes was available online. (pdf)