How Wi-Fi Spy Drones Snooped On Financial Firm (theregister.com) 52
An anonymous reader quotes a report from The Register: Modified off-the-shelf drones have been found carrying wireless network-intrusion kit in a very unlikely place. Greg Linares, a security researcher, recently recounted an incident that he said occurred over the summer at a US East Coast financial firm focused on private investment. He told The Register that he was not involved directly with the investigation but interacted with those involved as part of his work in the finance sector. In a Twitter thread, Linares said the hacking incident was discovered when the financial firm spotted unusual activity on its internal Atlassian Confluence page that originated from within the company's network.
The company's security team responded and found that the user whose MAC address was used to gain partial access to the company Wi-Fi network was also logged in at home several miles away. That is to say, the user was active off-site but someone within Wi-Fi range of the building was trying to wirelessly use that user's MAC address, which is a red flag. The team then took steps to trace the Wi-Fi signal and used a Fluke system to identify the Wi-Fi device. "This led the team to the roof, where a 'modified DJI Matrice 600' and a 'modified DJI Phantom' series were discovered," Linares explained. The Phantom drone was in fine condition and had a modified Wi-Fi Pineapple device, used for network penetration testing, according to Linares. The Matrice drone was carrying a case that contained a Raspberry Pi, several batteries, a GPD mini laptop, a 4G modem, and another Wi-Fi device. It had landed near the building's heating and ventilation system and appeared to be damaged but still operable. "During their investigation, they determined that the DJI Phantom drone had originally been used a few days prior to intercept a worker's credentials and Wi-Fi," Linares said. "This data was later hard coded into the tools that were deployed with the Matrice."
According to Linares, the tools on the drones were used to target the company's internal Confluence page in order to reach other internal devices using the credentials stored there. The attack, he said, had limited success and is the third cyberattack involving a drone he's seen over the past two years. "The attackers specifically targeted a limited access network, used by both a third-party and internally, that was not secure due to recent changes at the company (e.g. restructuring/rebranding, new building, new building lease, new network setup or a combination of any of these scenarios)," Linares told The Register. "This is the reason why this temporary network unfortunately had limited access in order to login (credentials + MAC security). The attackers were using the attack in order to access an internal IT confluence server that contained other credentials for accessing other resources and storing IT procedures." [...] While the identity of the attacker has not been disclosed, Linares believes those responsible did their homework. "This was definitely a threat actor who likely did internal reconnaissance for several weeks, had physical proximity to the target environment, had a proper budget and knew their physical security limitations," he said.
The company's security team responded and found that the user whose MAC address was used to gain partial access to the company Wi-Fi network was also logged in at home several miles away. That is to say, the user was active off-site but someone within Wi-Fi range of the building was trying to wirelessly use that user's MAC address, which is a red flag. The team then took steps to trace the Wi-Fi signal and used a Fluke system to identify the Wi-Fi device. "This led the team to the roof, where a 'modified DJI Matrice 600' and a 'modified DJI Phantom' series were discovered," Linares explained. The Phantom drone was in fine condition and had a modified Wi-Fi Pineapple device, used for network penetration testing, according to Linares. The Matrice drone was carrying a case that contained a Raspberry Pi, several batteries, a GPD mini laptop, a 4G modem, and another Wi-Fi device. It had landed near the building's heating and ventilation system and appeared to be damaged but still operable. "During their investigation, they determined that the DJI Phantom drone had originally been used a few days prior to intercept a worker's credentials and Wi-Fi," Linares said. "This data was later hard coded into the tools that were deployed with the Matrice."
According to Linares, the tools on the drones were used to target the company's internal Confluence page in order to reach other internal devices using the credentials stored there. The attack, he said, had limited success and is the third cyberattack involving a drone he's seen over the past two years. "The attackers specifically targeted a limited access network, used by both a third-party and internally, that was not secure due to recent changes at the company (e.g. restructuring/rebranding, new building, new building lease, new network setup or a combination of any of these scenarios)," Linares told The Register. "This is the reason why this temporary network unfortunately had limited access in order to login (credentials + MAC security). The attackers were using the attack in order to access an internal IT confluence server that contained other credentials for accessing other resources and storing IT procedures." [...] While the identity of the attacker has not been disclosed, Linares believes those responsible did their homework. "This was definitely a threat actor who likely did internal reconnaissance for several weeks, had physical proximity to the target environment, had a proper budget and knew their physical security limitations," he said.
Trackable.... (Score:2)
Re: (Score:2)
Unless both of those drones were bought with cash it would be fairly easy to track down who bought them.
Why? You think they write down the serial number at Amazon when you order a drone? BestBuy sometimes does this for warranty/return fraud reasons but most retailers don't.
Re:Trackable.... (Score:5, Informative)
DJI does track this information. And Amazon probably does keep track of serial numbers on big ticket items.
There was a case [arstechnica.com] a few years ago where a helicopter and a DJI multicopters collided, and they found the owner of the multicopter based on the serial number on one of the motors that had gotten stuck in the helicopter.
Either way, DJI generally requires that you log into their apps, and from that, they'll know all the serial numbers, and possibly they'll know about all your flights and such.
Personally, I'd never suggest using DJI gear for anything criminal, they just keep too much data, and I'm not sure you can trust their disclosures about exactly what they keep and don't keep. That said, it might not be horrible if you were very, very careful about what information DJI and the place that you bought it (used might be wise) has on you, but you would have to be careful.
Re:Trackable.... (Score:4, Insightful)
That's the point of collecting the data - it stops DJI getting a reputation for supplying criminals with untraceable drones.
They were quick to implement things like forced geofences around airports too. They realized early on that some people are asshats and the potential to end up getting regulated out of business was high.
Re:Trackable.... (Score:4, Interesting)
That's the point of collecting the data - it stops DJI getting a reputation for supplying criminals with untraceable drones.
They were quick to implement things like forced geofences around airports too. They realized early on that some people are asshats and the potential to end up getting regulated out of business was high.
Unless the drone weighs less than .55 pounds (0.2494758 Kg), it has to be registered. https://www.faa.gov/uas/gettin... [faa.gov]
And since commercial entities don't want to be involved in illegal activities, yeah - they'll comply and make certain everything is traceable.
Perhaps if the perp bought all parts of the drone and other equipment for cash off a private seller, they'll be traceable. And then there is that MAC address issue. Spoofable yes, but I'll betchya the the owner of the computer with that address will get a visit. Owner being just a few miles away, drone had to be launched nearby - maybe a completely random coinkydink, but I doubt it.
Re: (Score:2)
Re: (Score:2)
I'd bet it's someone one knows, or knows of, the guy who had the MAC address. Why would you go to the trouble of the drone and spoofed MAC and then leave a calling card that points to you? I know lots of criminals are dumb, and that's how they get caught, but this simultaneously smart/dumb.
Maybe. But I'll bet you the guy gets checked out anyhow, It's just a hellava coincidence, I can imagine the questions, like "Do you know anyone who might have figured out the MAC address of your computer?" And plays with Drones?
In addition, since the drone had a successful mission earlier, if the 4G card was in contact with Cell phone towers, they can track it that way. It is really difficult to work in a vacuum and leave no traces of yourself.
Re: (Score:2)
Re: (Score:2)
Registration is done by the owner, not the retailer. Source: I fly drones. Call me crazy, but I feel someone buying a drone for criminal use would NOT go to the FAA website and register it.
Yah, I fly drones and Model aircraft as well. But it's interesting to see that a lot of Slashdot users believe that the thing is impossible to trace. This is pretty intersting as the can't trace the 4G cellular signal, and that the Spoofed MAC address from a computer a couple miles away has nothing to do with anything.
Anyhow, I was just pointing out the legalities, and yah, I know that they probably didn't register it. But it's a hella leap from that to think that the ultimate untraceable attack vector
Re: (Score:2)
DJI does track this information.
So don't register your account with real info. If you are going to perform corporate espionage, I don't think lying to a Chinese drone maker is going to bother you much.
And Amazon probably does keep track of serial numbers on big ticket items.
Drones are not big-ticket items, and I can assure you, Amazon does not track their serial numbers. Even if they did, there are plenty other retailers and 2nd hand ways to get a drone without being tracable.
There was a case [arstechnica.com] a few years ago where a helicopter and a DJI multicopters collided, and they found the owner of the multicopter based on the serial number on one of the motors that had gotten stuck in the helicopter.
Either way, DJI generally requires that you log into their apps, and from that, they'll know all the serial numbers, and possibly they'll know about all your flights and such.
Again: lie. easy peasy.
Re: (Score:2)
Re: Trackable.... (Score:2)
It is very easy to buy these drones with cash. Any Walmart and outlet mall where they are available will let you use cash.
Re: Trackable.... (Score:2)
Straw buyers (Score:2)
But the purchase can be traced back to time and date, and Walmart and most malls have cameras everywhere... Sprinkle in a little facial recognition tech from your favorite alphabet soup agency and you can probably nail down the identity of the purchaser.
Who is a straw buyer unconnected to the hackers.
Re: (Score:2)
But the purchase can be traced back to time and date, and Walmart and most malls have cameras everywhere... Sprinkle in a little facial recognition tech from your favorite alphabet soup agency and you can probably nail down the identity of the purchaser. And this can be further corroborated with logs of SIM card and/or wifi connections in the area.
It's *a lot* harder to be anonymous than you think it is. Even if you pay someone to buy it for you they can probably pick your picture out when they are detained for "questioning".
But each of the tracking methods mentioned have easy workarounds. Use cash. Don't carry a phone. Wear a throwaway hoodie and a Covid mask. And for extras, park your car half a mile from the parking lot.
Used market (Score:3)
It is very easy to buy these drones with cash. Any Walmart and outlet mall where they are available will let you use cash.
So will those selling their used drone.
Re: (Score:2)
It is very easy to buy these drones with cash. Any Walmart and outlet mall where they are available will let you use cash.
And every part of the device, the RPi, and other external stuff. All would require buying off a private seller for cash. And then there is the spoofed MAC address - from a legit one a few miles away.
I don't think the perp should think that they are completely scott free and untraceable.
Re: (Score:2)
There are many ways to facilitate private transfers, drones and RPi don't expose their serial numbers and at this point, it's easy to buy them anywhere on the globe and get them shipped to you. Amazon etc doesn't keep track of serial numbers, MAC addresses etc - if you buy 1-in-1000 or wherever the serials are located they can also easily be erased/destroyed. The spoofed MAC address is the easiest part of all this, MAC addresses aren't globally unique or fixed.
Re: (Score:2)
There are many ways to facilitate private transfers, drones and RPi don't expose their serial numbers and at this point, it's easy to buy them anywhere on the globe and get them shipped to you. Amazon etc doesn't keep track of serial numbers, MAC addresses etc - if you buy 1-in-1000 or wherever the serials are located they can also easily be erased/destroyed. The spoofed MAC address is the easiest part of all this, MAC addresses aren't globally unique or fixed.
Yes, I can spoof a Mac Address pretty easily. But my spidey senses would be really tingling about the user Mac Address being so close in distance to the spoofed one. A complete coincidence? Oh, I suspect a friendly visit to the coincidental MAC address owners house might clear a lot of things up.
Anyhow, we're going to find out before too long. My bet is if the 4G was working, a perusal of cell phone tower logs would indicate a location and signal strength that would be anomalous in speed and strength to
Re: (Score:1)
Cell phone tower logs don't keep that detailed of a log, until they are explicitly told to go into that mode (eg. debug mode under a warrant). It would be a ludicrous amount of data to keep track of, every second, thousands of wave forms per tower.
The story says they spoofed the MAC address of an employee. So basically, they copied the WiFi signal of the business on one end, moved an AP to the home of an employee, the laptop automatically connected to 'work' and then they had the necessary information for a
Re: (Score:2)
Unless both of those drones were bought with cash it would be fairly easy to track down who bought them.
Whomever sent that drone to the rooftop wasn't expecting it to fly home after, so if they were smart enough to build it they should be smart enough to pay cash or order online to anonymous drop box using a pre-paid credit card.
Re: (Score:3)
Maybe they were intending to fly it home after. It seems pretty clear that they had round-tripped it before, since the employee's credentials were hardcoded. Either the drone was flown to the employee's hypothetical other work location or it had been to the rooftop in the past. It sounds to me like they bumped something on the way down or just didn't notice when they were discovered.
Re: (Score:2)
Unless both of those drones were bought with cash it would be fairly easy to track down who bought them.
Whomever sent that drone to the rooftop wasn't expecting it to fly home after, so if they were smart enough to build it they should be smart enough to pay cash or order online to anonymous drop box using a pre-paid credit card.
If they were so smart, they would have spoofed a MAC address that wasn't just a couple miles away from the Drone.
Of course, why soesn't someone here re-create the incident, then repoort back to us? 8^)
Re: (Score:2)
Not really.
Is the drone really necessary here? (Score:2)
This hack could have been done just the same by someone infiltrating the cleaning company and just put the same equipment in a toolbox left on the roof or in any equipment closet.
Yes, using a drone reduce the need of the hacker to go physically, or hire someone to, but the summary already said the hacker had done internal reconnaissance for several weeks, so he had already successfully gained entry. The use of a drone seemed quite unnecessary.
cleaning company can also get into rooms with netw (Score:2)
cleaning company can also get into rooms with network switches or even plug something into the printer network line.
Re: (Score:2)
And for a properly secured network that won't matter either.
Re: (Score:2)
you can clone the printers mac and / or stick an 2 nic mini system inline.
Re: (Score:2)
And there's 0 reason why a printer would have access to anything production related other than being in the VPN for the printer server.
Re: (Score:2)
HP printers let you install an VPN on the printer / jet direct card?
and what If the printers are managed by some 3rd party that does printers?
Re: (Score:2)
Network VPNs. You know. Network security wise separating your network. (Not the 'internet' kind).
Re: (Score:2)
You are correct. My brain's broken.
Re: (Score:3)
In any real company, janitorial personnel most definitely can NOT access data closets or on-site server rooms. Badge access and cameras in those spaces is the standard for anyone who has any sort of security oversight/regulation at all.
Re: (Score:2)
That is up to how the building is set up and some cases the janitorial personnel works for the building and the building staff may have keys to each door / that can by pass any Badge.
Maybe if the real company owns the building but in some cases that floor network switch may be in the same room with some janitorial / other storage As people may not want to be in an room with an lot of fan sound.
Re: (Score:2)
This hack could have been done just the same by someone infiltrating the cleaning company and just put the same equipment in a toolbox left on the roof or in any equipment closet.
Definitely. And I have no doubt it has been done. But the drone makes it something story-worthy and that is why we get to read about it. Yes, this is stupid.
Protip: Wired Equivalent Privacy isn't. (Score:3)
Re: (Score:2)
Recent changes in the company. Remember bad guys only have to be right one time. Defenders have to be right all the time.
Re:Protip: Wired Equivalent Privacy isn't. (Score:5, Interesting)
Something doesn't add up here. They say that one of the drones was used to intercept a user's credentials. What credentials?
Connection to the WiFi network should be via WPA2 or WPA3, depending on if they need to support older devices. There is currently no known way to recover the pre-shared key for either of those. The only known attacks on them rely on already knowing the pre-shared key.
So it sounds like someone already had access to their WiFi network.
In any case, they should treat the WiFi as insecure. Someone's device with the pre-shared key could be lost or stolen. Any devices connecting over it should only have access to their VPN server and nothing else, and again if they are using up to date software there are no known attacks that can recover credentials for Wireshark or OpenVPN.
From a security standpoint, if someone can land on your roof then they can perform the same attack with a high gain antenna from a nearby location. The drones are a distraction, there is something badly wrong with their network.
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
I once did a war-walk in a building with all "RF shielding Glass". Turns out that was for the _last_ generation of wireless only and the current one got though it just fine. Even found one employee that had rented a flat about 300m away with line-of-sight and had the company wireless LAN at home with a somewhat high-gain antenna...
Re: (Score:2)
People don't understand (Score:2)
Countless times I have told people when they come into the office to work they should connect to the network using the network cable, not use the wireless. They give me that bug-eyed look of, "But wireless is so much easier" (because plugging a cable into the machine or docking station is so difficult).
This is just another example, and another reason, of why you use a hardwire at your work. While not in the financial sector, we do have a multitude of personal information which should not get out under any c
Why would wifi and wired be connected? (Score:2)
Countless times I have told people when they come into the office to work they should connect to the network using the network cable, not use the wireless. They give me that bug-eyed look of, "But wireless is so much easier" (because plugging a cable into the machine or docking station is so difficult).
Why not put the wifi on one unroutable IP range and wired on another, 192.168.x.x and 10.x.x.x? Create no bridge between them. You don't plug in you have no access to the resources you need to do your work. Also white list the corporate, no access to social media. You can use your phone on breaks on the wifi for that.
Re: (Score:2)
Because I don't have that option. The network team controls this and they decided the entire building needs to have wireless rather than just the conference rooms.
Mind you, with everyone working from home, there is less than 100 people in the building which normally houses well over 1,000 people on any given day.
If it were up to me, there would be no wireless except the conference rooms.
Re: (Score:2)
Wired can work for conference rooms too.
Interesting Wifi wardriving from a drone (Score:1)
Ocean's Eleven (Score:2)
Danny Ocean has entered the chat.
Bring back wires!! (Score:2)
And move the C-suite away from the top floor...
This is an impressive plot for a thriller!