
NCC Group | Page 22 © Copyright 2013 NCC Group
10 Detecting docking station-based hardware implants
Just as important as understanding how a hardware implant would be constructed is understanding
how one would be detected. This section therefore discusses approaches for detecting each
proposed interception technique.
10.1 Passive network tapping
If the Ethernet network being tapped is 1000BASE-T, then a hardware-based downgrade attack
(using capacitors to filter the high-frequency signals) is required to force the link to use
100BASE-TX before it can be tapped. A network administrator monitoring the switch connected to
the docking station would therefore be able to see that the Ethernet connection was running at
a lower speed.
Recommendation: When monitoring switch ports, if a port connected to a laptop should be
configured for 1000BASE-T but appears to be running at 100BASE-TX, this should be investigated,
as it could indicate a downgrade attack associated with a passive Ethernet tap.
10.2 Active network attack
A new MAC address will appear on the network, and it would be pretty straightforward to track down
from a traditional network diagnostics perspective.
Recommendation: Active monitoring of the network for previously unseen MAC addresses may
reveal unwanted devices.
10.3 USB / PS/2 keyboard monitoring
A number of ways have been proposed [32][33] to detect hardware-based key loggers. However, this
does not appear to be a simple problem to solve.
Recommendation: The best long-term solution is prevention rather than detection through the use
of “Trusted hardware” [34].
10.4 Keystroke insertion
In order to insert keystrokes via USB a new HID device must be added to the USB bus. If there are
three USB HID devices connected to your laptop (when you only have a keyboard and mouse
connected) then something malicious may be happening.
Recommendation: A simple USB monitoring tool [35] could be used to detect this scenario.
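One way to implement this check on Linux, as an added example (not code from this paper or from the tool cited in [35]): it lists every USB device that exposes a HID interface via sysfs and reports any that are not accounted for by an expected list. The function names, the expected-ID list and the sample tree (with its placeholder vendor/product IDs) are constructed for illustration.

```python
import os
import tempfile

HID_CLASS = "03"  # bInterfaceClass value for Human Interface Devices

def _read(path):
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:  # e.g. device unplugged mid-scan
        return ""

def hid_devices(root="/sys/bus/usb/devices"):
    """Map each USB device exposing at least one HID interface to its 'vid:pid'."""
    found = {}
    for entry in sorted(os.listdir(root)):
        if ":" not in entry:  # interfaces are named <device>:<config>.<interface>
            continue
        if _read(os.path.join(root, entry, "bInterfaceClass")) != HID_CLASS:
            continue
        dev = entry.split(":")[0]  # a composite device collapses to one entry
        vid = _read(os.path.join(root, dev, "idVendor"))
        found[dev] = vid + ":" + _read(os.path.join(root, dev, "idProduct"))
    return found

def unexpected_hid(expected_ids, root="/sys/bus/usb/devices"):
    """HID devices beyond expected_ids; a device reusing a known vid:pid is still reported."""
    remaining, extra = list(expected_ids), {}
    for dev, vidpid in hid_devices(root).items():
        if vidpid in remaining:
            remaining.remove(vidpid)  # one expected id accounts for one device
        else:
            extra[dev] = vidpid
    return extra

def constructed_tree():
    """Constructed sysfs-like tree: keyboard, mouse, hub and one extra HID device."""
    root = tempfile.mkdtemp()
    files = {"1-1/idVendor": "aaaa", "1-1/idProduct": "0001",  # keyboard, two HID interfaces
             "1-1:1.0/bInterfaceClass": "03", "1-1:1.1/bInterfaceClass": "03",
             "1-2/idVendor": "aaaa", "1-2/idProduct": "0002", "1-2:1.0/bInterfaceClass": "03",  # mouse
             "1-3/idVendor": "bbbb", "1-3/idProduct": "0010", "1-3:1.0/bInterfaceClass": "09",  # hub
             "1-4/idVendor": "aaaa", "1-4/idProduct": "0001", "1-4:1.0/bInterfaceClass": "03"}  # extra
    for rel, value in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(value + "\n")
    return root
```

Calling `unexpected_hid(["aaaa:0001", "aaaa:0002"], constructed_tree())` reports device `1-4`, the third HID device, even though it presents the same IDs as the expected keyboard.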
10.5 Audio monitoring
As mentioned earlier, if headphones or a microphone are connected to the laptop then the signals
associated with any connected to the dock are severely attenuated.
Recommendation: As a detection technique is not known here, a mitigation approach could be to
connect directly to the laptop when sensitive communication is due to take place using the
audio connections.