A recent attack on a French ferry, in which an attacker reportedly plugged a tiny computer called a Raspberry Pi into the network in an attempt to break into the vessel’s operations, offers an important lesson for enterprise CISOs: one analyst estimated that half of all enterprises would likely be compromised by the same attack on their physical environment.

The ferry was “immobilized Saturday in the southern French port of Sète as it prepared to sail to Algeria” because of the attack attempt, according to a report from Bloomberg. The Raspberry Pi device “was paired with a cellular modem, enabling remote access to the ferry’s internal computer network and external connections.” 

The good news was that the attack attempt was halted because of good security procedures onboard, the story said. “Investigators said segregation between office and operational networks, along with the absence of remote access to critical controls, prevented lateral movement and ruled out sabotage or hijacking scenarios.”

Enterprise controls ‘watching the wrong roads’

The question for enterprise cybersecurity executives is how well their land-based buildings — offices, stores, gas stations, bank branches, manufacturing facilities, and so forth — would have held up under a similar physical attack. Analysts and other security experts were not optimistic about how they would have fared. 

“Most enterprise security programs are still built for the wrong kind of intruder. They are built for the person who breaks in, not the person who walks in. And the rogue device story is the clearest signal of that shift,” said Sanchit Vir Gogia, the chief analyst at Greyhound Research. “A Raspberry Pi class device with a cellular modem is not just a clever gadget, it is a way to create a new perimeter from inside your building.”

He pointed out that an attacker “does not have to fight your firewalls if they can step around them. They do not need to beat your VPN if they can bring their own internet connection into your wiring closet. That is the part that should keep CISOs awake, because it means a lot of the controls we celebrate are watching the wrong roads. If the traffic leaves through cellular, it does not cross your monitored gateways. Your SOC can be doing everything right and will still see nothing.”

Fred Chagnon, principal research director at Info-Tech Research Group, agreed with Gogia’s concerns. 

“Most offices have dozens of live Ethernet ports in lobbies, under conference tables, and in hallways. These should be administratively disabled at the switch level by default. A port should only be activated when a specific, authorized MAC address is verified via 802.1X authentication,” Chagnon said.

He added, “modern threat actors use MAC Spoofing to make a Raspberry Pi look like a legitimate VoIP phone or printer. CISOs should invest in tools, like Sepio or advanced NACs, that perform physical layer fingerprinting. These tools analyze the electrical and timing characteristics of the hardware to detect if a ‘printer’ is actually a Linux-based implant.”

Chagnon also encouraged extensive use of port locks that require a key, and some type of tamper-evident tape over chassis and ports. “Security sweeps should include looking for extra wires, unauthorized USB hubs, or small boxes that don’t match the asset inventory,” he added. “If a door to a restricted area is opened and a new, unknown device simultaneously appears on that local switch, the SOC should receive a high-priority correlated alert.”
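An added example, not from the article or from any vendor it names, of the correlated alert Chagnon describes: an unknown MAC appearing on a switch shortly after the door guarding that switch is opened is raised as high priority, while an unknown MAC with no door event nearby is still flagged at a lower tier. The log lines, asset inventory and switch-to-door mapping are constructed assumptions.

```python
"""Correlate badge-door events with new MACs learned on the local switch."""
from datetime import datetime, timedelta

# Constructed asset inventory: MAC -> expected device class (from NAC/CMDB)
INVENTORY = {
    "00:1a:2b:3c:4d:5e": "voip-phone",
    "00:1a:2b:3c:4d:5f": "printer",
}

# Constructed physical-access log: "<ISO time> DOOR_OPEN <door> badge=<id>"
DOOR_LOG = """\
2024-06-01T09:00:05 DOOR_OPEN wiring-closet-2 badge=4471
2024-06-01T09:42:10 DOOR_OPEN lobby badge=0199
"""

# Constructed switch MAC-notification log: "<ISO time> MAC_ADD <switch> <port> <mac>"
SWITCH_LOG = """\
2024-06-01T09:01:30 MAC_ADD sw-closet-2 Gi1/0/7 00:1a:2b:3c:4d:5e
2024-06-01T09:02:12 MAC_ADD sw-closet-2 Gi1/0/9 b8:27:eb:11:22:33
2024-06-01T11:15:00 MAC_ADD sw-lobby Gi1/0/3 dc:a6:32:44:55:66
"""

# Constructed mapping: which restricted door protects which access switch
SWITCH_DOOR = {"sw-closet-2": "wiring-closet-2", "sw-lobby": "lobby"}


def parse(log):
    """Split '<time> <kind> <fields...>' lines into (datetime, kind, fields)."""
    rows = []
    for line in log.splitlines():
        ts, kind, *rest = line.split()
        rows.append((datetime.fromisoformat(ts), kind, rest))
    return rows


def correlate(door_log, switch_log, window=timedelta(minutes=10)):
    """Return alerts for MACs not in the inventory. Severity is 'high' when the
    MAC appeared within `window` after the matching door opened, else 'medium'."""
    doors = [(ts, rest[0], rest[1].split("=", 1)[1]) for ts, _, rest in parse(door_log)]
    alerts = []
    for ts, _, (switch, port, mac) in parse(switch_log):
        if mac in INVENTORY:
            continue  # known asset: ordinary MAC-learning event, not an alert
        door = SWITCH_DOOR.get(switch)
        badges = [b for dts, d, b in doors if d == door and timedelta(0) <= ts - dts <= window]
        alerts.append({"severity": "high" if badges else "medium", "switch": switch,
                       "port": port, "mac": mac, "door": door,
                       "badge": badges[0] if badges else None})
    return alerts
```

In production the badge system and the switch's MAC-notification traps would feed the SIEM, and the inventory check would be the NAC's 802.1X result rather than a static dictionary.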

Forrester Senior Analyst Paddy Harrington said that many enterprise security executives “forget how susceptible these things are to attack” and specifically pointed to IoT and OT devices as prime targets. Too many security people, Harrington said, are looking at what shadow devices, such as fitness trackers, are supposed to do, and not focusing on the access the device could get as the start of a backdoor attack.

“You shouldn’t be able to walk up to an Ethernet port and plug in anything. That device needs to be authenticated,” Harrington said, adding that he estimates that 50% of all enterprises cut too many corners on device security. “Why should any IoT lightbulbs have access to financial data?” he asked.

When he confronts enterprise security leaders on physical security, he said, he gets pushback. For example, in a recent discussion about network segmentation, the executive told him, “To segment our environment to that degree is going to take a lot of time and effort, and we are redirecting our money elsewhere.”

Harrington said, “I’m sorry, but that is a poor excuse.”

However, one security executive, Flavio Villanustre, CISO for the LexisNexis Risk Solutions Group, said that these types of physical attacks can be challenging to block.

“The proliferation of inexpensive and very capable single board computers such as the Raspberry Pi has made this problem much harder. Intrusion detection in the network should have detected behavioral anomalies, but that’s easier said than done if you have a large complex network and the Raspberry Pi looks like just another normal IoT device,” Villanustre pointed out. “And this is assuming that it was even connected to the network, rather than [to] some ancient serial bus in the ship’s control systems.”

Proceed with caution

Villanustre encouraged anyone discovering such a device to proceed cautiously. 

“Disconnecting the device could result in losing important forensic information if not careful. It’s not too hard to equip the device with a tiny battery or supercapacitor that would give it enough time to wipe itself out if disconnected from the network or somehow tampered with,” Villanustre said. “Trying to send false information is even harder, because you would need to identify the protocols used by the device to know what to send. A bigger concern is if the device is connected to perhaps another device in the ship and could trigger a damaging action if tampered with. It could even detonate explosives.”

Whisper Security CEO Kaveh Ranjibar added that his advice for dealing with this kind of physical discovery is “immediate isolation and forensic analysis, but with one critical step before physical removal: map the blast radius. Before you pull the plug, capture the device’s network traffic. Who is it talking to? What domains is it querying?”

“Using infrastructure intelligence, you can often attribute the actor based on the neighborhood of the command-and-control servers they use, allowing you to understand if this is a script kiddie or a GRU operation before you touch the hardware,” Ranjibar said. 

Ranjibar said that when such devices phone home, they may reveal a lot of usable information.

“A rogue device like a Raspberry Pi, even with a cellular modem, isn’t invisible. It has to phone home to receive commands or exfiltrate data. It creates an infrastructure footprint: a new IP address, a DNS resolution or a connection to a specific Autonomous System Number (ASN),” Ranjibar said.

“CISOs need to move beyond just monitoring their internal LAN,” he added. “They need continuous external infrastructure monitoring. If a device on your vessel or in your building starts communicating with a network block known for hosting state-sponsored malware, or if a new shadow asset appears on your perimeter, that is your tripwire. You might not catch the person planting the device, but you should instantly catch the device when it connects to the internet.”
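An added example, not from the article or from Whisper Security, of the external tripwire Ranjibar describes: egress flow records are checked for an internal source never seen before and for destinations that fall in a watchlisted network block, resolved to an ASN by longest-prefix match. The baseline, ASN table, watchlist and flow lines are constructed assumptions.

```python
"""Tripwire over egress flows: first-seen assets and watchlisted ASNs."""
import ipaddress

# Constructed baseline of internal assets already known at the perimeter
BASELINE = {"10.0.5.20", "10.0.5.21"}

# Constructed prefix-to-ASN table (a real deployment would use BGP/RIR data)
ASN_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), 64500, "example-hosting"),
    (ipaddress.ip_network("198.51.100.0/24"), 64501, "example-cdn"),
]
# Constructed watchlist: ASNs the SOC treats as hostile infrastructure
WATCHLIST_ASN = {64500}

# Constructed flow lines: "<time> <src> <dst> <dns-name-or-'-'>"
FLOWS = """\
2024-06-01T09:03:00 10.0.5.20 198.51.100.7 cdn.example
2024-06-01T09:03:40 10.0.5.77 203.0.113.9 updates.invalid
2024-06-01T09:04:05 10.0.5.21 203.0.113.20 -
"""


def lookup_asn(ip):
    """Longest-prefix match of an IP against ASN_TABLE -> (asn, label) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn, label in ASN_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, label)
    return None if best is None else (best[1], best[2])


def tripwire(flows, baseline=BASELINE):
    """Return (time, src, reasons) for every flow that trips a signal; a
    first-seen source talking into a watchlisted ASN carries both reasons."""
    alerts = []
    for line in flows.splitlines():
        ts, src, dst, name = line.split()
        reasons = []
        if src not in baseline:
            reasons.append("new-asset")  # shadow device the baseline never saw
        asn = lookup_asn(dst)
        if asn and asn[0] in WATCHLIST_ASN:
            reasons.append(f"watchlist-asn AS{asn[0]} ({asn[1]}) dns={name}")
        if reasons:
            alerts.append((ts, src, reasons))
    return alerts
```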
