Jedi Packet Trick punches holes in firewalls

By hacking networking cards, researchers can break into networks and PCs

Hackers have hit on a new way to break into computers: by attacking the firmware used in networking cards.

Independent security researcher Arrigo Triulzi is set to unveil one such attack on Friday at the CanSecWest security conference. He calls his technique the Jedi Packet Trick. It essentially installs a clandestine virtual private network inside a firewall by hacking the firmware of the victim's networking cards.

Using a little-known remote factory diagnostic mechanism used by certain Broadcom cards, Triulzi has developed a way of installing customized firmware that instructs the card to directly pass packets to another card without telling the operating system. "You trick the operating system into believing that packets going between two different network cards don't exist," he said.

Triulzi wouldn't say what cards his attack works on, but he said that he has tried it on two similar cards, both of them about four years old.

He sends specially crafted packets to the network's firewall, which must be running a vulnerable networking card. It receives the packets and then installs the malicious firmware. That update is then leveraged to seek out and attack a second vulnerable networking card, creating a firewall-free tunnel into the network.

Because networking cards have direct access to the computer's memory, Triulzi is able to use his firmware to install code on the computer's graphics card that he can then use as a virtually undetectable back door to his victim's computer. The networking card doesn't have enough memory to handle this kind of space, but today's graphics cards are more than up to the job, he said.

Triulzi isn't the only one looking at networking card vulnerabilities at the conference. Separately, two researchers from the French Network and Information Security Agency, Yves-Alexis Perez and Loic Duflot, developed an attack that exploits a bug in an obscure remote-management feature in Broadcom's NetXtreme cards.

Their attack lets them install a back door on a Linux computer, though it could easily be modified to target any operating system, Duflot said.

For Duflot and Perez's NetXtreme attack to work, the card must have enabled a remote management feature called Alert Standard Format 2.0. Broadcom has worked out a fix for the problem and has pushed that out through its OEM partners.

This work illustrates a new type of attack that can sneak right by traditional detection techniques, said Colin Ames, a researcher with Attack Research in Santa Fe, New Mexico, who is attending the conference. "This stuff is the scary stuff," he said. "Because it's low-level."

None of the researchers at CanSecWest is releasing their code, so it's unlikely that these techniques will be used in any type of widespread attack. However, with security professionals increasingly worried about professional, targeted attacks aimed at stealing state secrets and corporate intellectual property, they raise concerns.

Duflot said hardware companies should be thinking seriously about security, especially as they develop firmware-based technologies such as Intel's Active Management Technology and Intelligent Platform Management Interface. "Nowadays, hardware is using too much embedded software," he said.

That software, he explained, can lead to bugs that give the hacker a way in. And if the hacker comes in through the network card, "the machine itself cannot even see that it has been compromised."

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags Jedi Packet TrickCanSecWestArrigo Triulzinetworking cards

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service
Show Comments

Essentials

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Michael Hargreaves

Windows 10 for Business / Dell XPS

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?