
See through the mask of spoofing MAC addresses!

Don’t get scared, but we’re going to talk about all manner of hauntings. From old-timey costumes to masked IoT and OT devices hiding on your network, James McCarthy takes the driver’s seat to pilot the good ship Phosphorus LIVE through the murky waters of this Halloween event. Down to business: Attackers can disguise devices like Raspberry Pis to look like something they’re not—tricking you into thinking you’re interacting with a legitimate device when it’s actually nefarious. James McCarthy tells guest Dan Craig how…

  • Attackers use MAC address spoofing to “dress up” devices.
  • Passive detection systems relying on MAC addresses can be deceived.
  • Your organization can protect against this kind of trickery and ensure you’re talking to the right device.

This is a must-watch episode if you’re curious about how attackers manipulate xIoT devices and how to stay one step ahead. Every other Thursday, join hosts Mike Huckaby and James McCarthy live (here) for informational and candid discussions aimed at simplifying the world of xIoT and talking about real-world situations, the worst xIoT offenders, and the state of current threats that cybersecurity and IoT/OT leaders face today.
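The three points above, as an added example that is not part of the webinar or Phosphorus's own code: a passive classifier that trusts the OUI (first three octets) is fooled the moment an attacker rewrites eth0's address on the Pi (for instance with `ip link set dev eth0 address …`), while an active check that reads what the device itself says over SSH is not. The OUI table is a small constructed subset of the IEEE registry, the banner patterns are constructed, and the host inventory is constructed to mirror the demo (a Pi wearing an Axis Communications prefix next to a real camera and an honest Pi). The locally-administered-bit check is an extra hint for randomized addresses; a spoof that copies a real vendor prefix clears that bit, which is why the banner comparison, not the bit, drives the verdict.

```python
"""Passive OUI lookup versus active banner fingerprinting (added example).

Assumed attacker step on the Raspberry Pi itself, for context only:
    sudo ip link set dev eth0 down
    sudo ip link set dev eth0 address ac:cc:8e:12:34:56   # Axis Communications prefix
    sudo ip link set dev eth0 up
"""
import re
from collections import Counter

# Constructed subset of the IEEE OUI registry: prefix -> (vendor name, family tag).
OUI_TABLE = {
    "AC:CC:8E": ("Axis Communications AB", "axis"),
    "B8:27:EB": ("Raspberry Pi Foundation", "raspberrypi"),
    "DC:A6:32": ("Raspberry Pi Trading Ltd", "raspberrypi"),
}

# Constructed banner patterns -> family tag. A real classifier carries many more.
BANNER_RULES = [
    (re.compile(r"raspbian|raspberrypi", re.I), "raspberrypi"),
    (re.compile(r"\baxis\b", re.I), "axis"),
]


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui_lookup(mac: str):
    """Passive identification: first three octets -> (vendor, family) or None."""
    return OUI_TABLE.get(normalize_mac(mac)[:8])


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet is the U/L bit. Set means the address was assigned
    locally (a randomizing tool does this), not burned in by a vendor. Only a hint:
    a spoof that copies a real OUI leaves it clear."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def classify_by_banner(banner):
    """Active identification: match the SSH banner the device itself sends on port 22."""
    if not banner:
        return None
    for pattern, family in BANNER_RULES:
        if pattern.search(banner):
            return family
    return None


def assess(host: dict) -> dict:
    """Combine passive and active evidence; flag the host when the two disagree."""
    passive = oui_lookup(host["mac"])
    passive_family = passive[1] if passive else None
    active_family = classify_by_banner(host.get("ssh_banner"))
    spoof_suspected = (
        active_family is not None
        and passive_family is not None
        and active_family != passive_family
    )
    return {
        "ip": host["ip"],
        "mac": normalize_mac(host["mac"]),
        "oui_vendor": passive[0] if passive else None,
        "banner_class": active_family,
        "locally_administered": is_locally_administered(host["mac"]),
        "spoof_suspected": spoof_suspected,
    }


def duplicate_macs(hosts) -> list:
    """Two IPs answering with one MAC is the collision the attacker hopes to avoid."""
    counts = Counter(normalize_mac(h["mac"]) for h in hosts)
    return sorted(m for m, n in counts.items() if n > 1)


# Constructed inventory: what 'arp -a' plus a banner grab on each host might yield.
HOSTS = [
    {"ip": "192.168.104.155", "mac": "ac:cc:8e:12:34:56",
     "ssh_banner": "SSH-2.0-OpenSSH_9.2p1 Raspbian-2+deb12u3"},   # Pi wearing an Axis OUI
    {"ip": "192.168.104.20", "mac": "ac:cc:8e:aa:bb:cc",
     "ssh_banner": None},                                         # real camera, no SSH
    {"ip": "192.168.104.77", "mac": "b8:27:eb:00:11:22",
     "ssh_banner": "SSH-2.0-OpenSSH_9.2p1 Raspbian-2+deb12u3"},   # honest Pi
    {"ip": "192.168.104.78", "mac": "02:00:5e:00:53:01",
     "ssh_banner": "SSH-2.0-OpenSSH_9.2p1 Raspbian-2+deb12u3"},   # randomized (U/L bit set)
]

if __name__ == "__main__":
    for h in HOSTS:
        print(assess(h))
    print("duplicate MACs:", duplicate_macs(HOSTS))
```

Run as-is and the first host is the only one with `spoof_suspected` set: its OUI says Axis, its banner says Raspbian. The real camera returns no banner, so the OUI stands as the best available evidence and nothing is flagged, which is the caveat to keep in mind: an active check only sees through the mask when the device exposes a service it can talk to.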

Episode Transcript


James McCarthy:
Okay. All right. It is about time to get started. If we want to go ahead and share our presentation, we'll get started. Yeah, that's a pretty fun one today.

Daniel Craig:
Yeah. James, I’m really glad you asked me to be here, because I love Halloween. And I heard we were going to talk about costumes, so I wanted to bring some of my favorites.

So. Okay. You remember the Michelin man?

James:
I do.

Dan:
Yeah. 100 years ago. This is what he looked like.

James:
That’s terrifying.

Dan:
That’s what Halloween is all about. Speaking of terrifying, it was very common for people to just pick up whatever’s lying around when they are about to step out to a party.

Okay. Apparently, people used to love dogs, and I hear they still do.

James:
Yeah, a little bit.

Dan:
Yeah, but what would Halloween be without a cart of pumpkins? A cart made of a pumpkin, wheels made out of a pumpkin. The longest pumpkin I've ever seen as a mask, and a football. A big ol' football.

James:
Yeah, it’s a lot of pumpkin. It’s very pumpkin centric.

Dan:
Casper. That’s 100% Casper. It’s the Casper that we all know and love. And Casper has never looked any different than this.

James:
Nope. Looks perfect, I love this.

Dan:
Some of the monster man.

James:
The creepy ones in the back right corner are throwing me off a little bit.

Dan:
Teddy. Yeah. And, again, what would Halloween be without a pumpkin head and a farm? And this one? Yeah, sure. Yeah. Yeah. So thanks, everybody, for coming. This has been our talk about costumes. And I think that was it.

James:
That's as good a segue intro as you could ask for. It also can probably keep me up at night. That last image was a little creepy, but welcome to Phosphorus Live. This is our biweekly look at the very interesting world of IoT, the extended Internet of Things. I'm your host: the device-obsessed James McCarthy, director of sales engineering here at Phosphorus.

A reminder of the format and how things are going to work. We have a quick discussion here on a specific topic and then a Phosphorus technical perspective related to that topic. Each week is normally less than 30 minutes. We try to shoot for shorter. I think today is going to be a bit shorter than normal.

So we'll get you guys out there and trick-or-treating faster than we normally do. So today we have a great topic. Really, the objective here is to talk through, specifically, the problem of devices masquerading as other devices. That's, you know, I think a good theme for today, considering we're all about to go do the same thing with our families.

And so, you know, the concept of masked xIoT, how it's not just for Halloween. It's also for bad actors. And so we're going to dive in. I'm going to talk a little bit about, you know, the problem of MAC address spoofing, how that affects our customers and potential partners. And then what I want to do is actually sit down and show a little bit of how this works.

So I want to actually take a device, spoof the MAC address, show you what it looks like to legacy and other vendors in the world that do what we do. And then I want to show you the opposite and show you what Phosphorus is and how we can kind of see through the mask and see the person behind the screen.

So I think we'll go ahead and dive into that. But I first want to start with a quick level set on what we consider xIoT. So, you know, we try to remind people every couple of weeks when we do these. What we define xIoT as is kind of the extended Internet of Things. And so for us, that can be anything from an infusion pump in a hospital to a flow sensor at an oil and gas customer, all the way to a printer, to an IP camera, and everything in between.

Right. So if it has an IP address and you can't put an agent on it to manage it, then it's probably going to fall under our purview. And so the great thing about this deep dive today is we get to talk about what happens when one of those IoT devices gets dressed up to look like one of the other ones.

And how that can impact our customer base. And so let’s dive into real quickly here just an overview of what MAC address spoofing really looks like. So in MAC spoofing attacks, what happens is an attacker will take a device, oftentimes this is something that they can control and really fine tune. So you see it with a Raspberry Pi or there’s kind of a handful of other devices that are used, you know, for these types of attacks more often just because they’re so accessible and commoditized.

You can buy a Raspberry Pi for next to nothing these days. And so what will happen is that they’ll buy this device, they’ll spoof the MAC address, they’ll actually modify the hardware ID on the device itself. And then they’ll change it to make it look like to the outside world that it actually belongs to a different vendor or a different manufacturer.

And that's a relatively easy thing to do. So there are ways to detect that. The attackers are oftentimes going to take the MAC address spoofing, and then what happens is they'll actually sit on the network. They plug it in and hope that they get lucky, that they didn't, you know, spoof a MAC address of something that's already on the network.

Most of the time that’s not going to happen. But once that’s plugged into the network, a device might pick that up. And if you have, you know, device centric policies with your firewalls or switches or routers, if they spoof the MAC address the right way, it might actually purport to be something on the network that matches one of those policies.

It might give their device more access to the network than it should have if it were what it actually is underneath, the actual Raspberry Pi device. And so there's a lot of ways to prevent against that. But the key to preventing MAC address spoofing is to understand that it's happening on your network to begin with, and you should not rely on a platform that uses MAC addresses in any kind of meaningful way to do its discovery. The inherent problem with MAC addresses, and this is true across the board, is that the database these vendors use to look up the MAC address itself is not always complete. It's not up to date. And because it's a setting or a feature on the device that you can change, in most cases it ends up not being a reliable source of information.

And so all of those things together, I think it's good to dive in and show this actually in action so that it's not just a theoretical attack, it's a real attack that we can show and simulate. So you can kind of understand how it works. All right. So I'm going to go ahead and share my screen here.

Give me one moment to set it up. Go ahead and share on Zoom. There we go. I do see, while I'm setting this up, there was a question that just came in from the chat. So how difficult is something like that to pull off? Well, unfortunately, it's relatively easy. This is something that takes even just a basic level understanding of, you know, the devices and how MAC addresses work.

It's not a really hard thing to actually go in and pull off. Take a Raspberry Pi as a great example. There are tools you can download off the shelf that will go in and actually overwrite the automatically generated MAC address that the Raspberry Pi has, right? And so if you can go in there and change it to whatever you want, it's easy enough to just go in there and create a random set of characters.

The way MAC addresses actually work is the first three octets of a MAC address, and I'll show all of this here in a moment, but the first three octets are what defines the manufacturer. And so as long as you know what those octets are, you can make your Raspberry Pi look like whatever you want, right?

So it's a really low-level, or low-lift, attack type. And if you imagine an attacker taking something like a Raspberry Pi, putting it on your network, if they had physical access to a warehouse or physical access to a corporate office, if they plug that in. I mean, it's so small. As long as you find a network port somewhere, you can most of the time pretty easily hide those devices.

And to a traditional scanner, it's just going to look like an IP camera, right? Something innocuous that you would never think of. So it'd be pretty easy to do. So thank you for the question. I'm going to go ahead and share my screen now and actually start the presentation here. So what I've got here on the screen, this is a terminal session.

This is an SSH connection directly to a Raspberry Pi that's sitting in our lab environment right now in Nashville. And I wanted to show you this because, in real time, I'd like to show just how easy it is to identify the MAC address. So I run a simple command here. This is ifconfig. What that does is it shows me all of the details about the network adapters on the Raspberry Pi.

So in this case here, we did enable the wireless network, so what you see here is wlan0. But what we're looking for here, the key, is eth0, "eth zero." If you're not familiar, this is kind of your regular default port, right? This is just the network card on the Raspberry Pi. What we're looking for, though, and this is the key, is this ether data right here.

And so what that is, is it's telling us what the Ethernet MAC address is. It is essentially the hardware ID for this device. So if I copy this hardware…and remember this is live. This is basically what the Raspberry Pi is telling the network its MAC address is. I can go ahead and pull it up one more time and show it.

We can see that Ethernet address right there is showing up. And so now I take that MAC address and I look it up in any of the, you know, databases out there. So Wireshark is a good one. Wireshark is a tool that most security practitioners and network administrators are familiar with and use all the time. It's great for capturing network data in packets off the network.

But they also happen to have a great OUI lookup tool. When you’re running Wireshark, you can actually go in there and have it show you what the device is that you’re looking at. So if you see something, it’s an IP address and a MAC address and you’re curious what it is, all they’re doing is doing an OUI lookup on the back end and showing you what that MAC address correlates to.

So I'm going to go ahead and do the same thing here. I'm going to go ahead and take and paste that MAC address that we just pulled from the Raspberry Pi. I'm going to basically query Wireshark and say, hey, what is this? What is this device that's sitting on my network, right? What is this thing that's running around? So I can find it and scroll down here.

I can see that based on these first three octets, AC:CC:8E, this is an Axis Communications device, which could be an IP camera or one of their door controllers or their video servers. They all have the same first six characters. And so because of that, anything that relies on the MAC address to do its identification is going to see this incorrectly as an Axis camera.

And so for us, this is where I think one of the many things that we can provide from a value standpoint is really important, because if you're relying on the MAC address and saying, hey, this is what I'm going to use to dictate what a device is on my network, and then you're going to try and build policies or security around that context…

It's going to cause an issue because now you've got a device purporting and masquerading as one thing when it's really another. And so I want to actually come in here and move the Zoom screen here, and actually show you what it looks like now that we know it's sitting on the network and looking like a browser, or looking like an Axis Communications device. I want to scan that with Phosphorus.

And I actually want to show how we see that, because again, we're not relying on the MAC address. So let's go ahead and give it a name. And then I'm going to give this IP address here. We can take a look, 192.168.104.155. So the 192.168… perfect, and everything is just going to be standard. This is just a default scan.

This is just the regular Phosphorus scan of this IP address. I'm going to go ahead and hit start. And then what's going to happen is we're going to go out and talk to this device. And the key here is that when we go in and try to start talking to that IP address, what we're really doing is we're kind of knocking on the front door and saying, hey, who are you?

All right, give me some more information about who you are. And we're going to go through all of our tiers and our different agendas until we have a positive match in terms of the response coming from that device. And then what we're going to do is actually attempt to log into the device, and that allows us to actually confirm what the device is.

It allows us to check settings, and, excuse me, it even allows us to go in and verify things like the default credentials or the firmware version that's running on the device. So there's a lot of additional context we're going to be able to pull, even though this thing right now is sitting on the network telling the world that it's an Axis Communications device or an IP camera.

So let's go ahead and move into this. What we'll see here is, very quickly, once the scan engine gets started, you'll see that we'll identify the device and be able to provide more context on the network here. Let's give this just one more second. What's cool is we can go in here again. I'm going to show a quick arp -a.

So this is a printout, essentially, of all of the different IP addresses and the MAC addresses that are associated with those. And so when an attacker is sitting on the network, right, when they start looking for things on the network to attack and different things to, you know, kind of target with their payloads, this is one of the things that they're going to do.

They're going to get into that network. They're going to try and enumerate what different devices are on the network, finding their targets, and then they're actually going to use those MAC addresses. They're going to do their own OUI lookup, and they're going to look for a printer. They're going to look for that camera. They're going to look for something that's, for them, considered low-hanging fruit.

And then that’ll be the thing they focus on. They start trying to attack. Printers are a big target. We’ve covered this on one of our other live webinars where we literally can use access to a printer to dump the spool from the printer and capture all of the information that the company is sending to the printers.

Now, if that's a printer sitting up front of your general counsel's office or your CFO, that could be a big deal, right? That's a huge source of data leakage. But let's go back here into Phosphorus. So you can see the scan is completed. When we click into this, we can actually see that even though the MAC address is, you know, purporting to be something that it's not, we still see this as a Raspberry Pi.

We even went as far as confirming that the default credentials work. In this case, it's pi and pi. In fact, actually, this one has been changed to be raspberry as the default. But either way, we now see through this. We know that it's running SSH. We know which version of SSH, which, if you think back to the regreSSHion hack that came out, or the vulnerability, that's actually really helpful information.

But just like that, in just a few minutes, we're able to, you know, see through the mask, see the person hiding behind it, know what it wasn't. You know, we don't show in here anything about an Axis camera or an Axis Communications device or an IP camera. Because it didn't trick us.

It didn't fool us. Right. So now we get to collect our candy and move on to, you know, more important things, mostly, you know, for the security team: why is there a Raspberry Pi on the network? Right. That would be the first step. But, all right, that's the end of just the kind of the canned portion of the presentation.

I'm going to go ahead and stop sharing, because what I want to make sure is, A, we're going to, you know, end a little bit early today, get you guys out there to get your candy and have fun with the kids. But I wanted to stop and see if there are any questions from anyone on the webinar here today.

And address any of that before we call our show over.

Let's give everyone just a minute here to type a question.

All right. Looks like, I don't know, my temporary co-host for the day, Dan. Is there anything else, any other questions you're seeing or anything else that you want to, you know, double-click on here for today's presentation?

Dan:
Yes. I would like to know what your favorite candy is.

James:
Oof! Yeah. I'm a sour candy guy. I'm a big fan of sour candy. I like chocolate, fine. But for me, give me, like, some Starburst or the Mambas. I'm on board all day. Unfortunately, you don't get too many of those when you're out trick-or-treating. What about you?

Dan:
Sometimes, yeah. I’ll come back. Luigi-less.

Okay. Sometimes you'll get the Starburst with just two little pieces in there, and those are gone so fast. And if they're not orange and pink, I don't know, I'll give them away.

James:
That’s fair. That’s fair.

Dan:
My favorites are Reese's, but chocolate comes at a premium.

James:
That's good, that's good. We did have a question about how, in this scenario… In fact, I'm going to share my screen out again one more time so I can show this. How did we actually identify that this was a Raspberry Pi, right, if we weren't using the MAC address? And so what we can do is, in the Phosphorus UI, if we click on scans, you can see exactly how we identified this device.

So if we click on view details, we can actually see that this was an SSH probe. That is the classifying probe. You can see it right there. So we can tell that when we were going through and seeing what ports are open on this device, we actually received a banner from the device over the SSH port 22 connection.

And we can actually see right here, right in this banner, Raspbian 5V1. So we know that is a unique banner response from Raspberry Pi. So we use that as an indicator that this is in fact a Raspberry Pi. And then we didn't stop there. We went a little bit further and actually logged into the device and confirmed that the default credentials worked.

And that's why we have that default credentials alert there. We said, okay, now we think it's a Raspberry Pi. That means we should be able to, over certain ports and protocols, log in and actually validate the credentials are running defaults. And so that's how, in this case, we were able to identify that. And so that's a much more difficult thing to spoof than, you know, just a simple MAC address spoof.

All right. Anything else from anyone watching here? Otherwise, let's end things here five minutes early. Came in just under the radar. But let's get out there and get as much candy and have as much fun with the kids as possible. I'm going to go take off my Bob Ross wig, because I'm going to have to wear it tonight as I walk around telling people how delightfully accidental the bushes in their front yard are.

Dan:
Happy trees.

James:
Happy trees.


Author

Daniel Craig

Dan is a versatile marketing strategist and media aficionado with more than 15 years in the space. Prior to Phosphorus, Dan led social/digital teams at Arc Worldwide, Leo Burnett, and through Trier & Company for brands like Allstate Mayhem, Mandiant, Miller Coors, Samsung, and GaN Systems. He just likes technology and making cool things work.