Staying Persistent in Software Defined Networks

Black Hat USA 2015

Presented by: Gregory Pickett
Date: Thursday August 06, 2015
Time: 11:00 - 11:50
Location: South Seas GH

The Open Network Install Environment, or ONIE, makes commodity or WhiteBox Ethernet possible. By placing a common, Linux-based, install environment onto the firmware of the switch, customers can deploy the Network Operating Systems of their choice onto the switch and do so whenever they like without replacing the hardware. The problem is, if this gets compromised, it also makes it possible for hackers to install malware onto the switch. Malware that can manipulate it and your network, and keep doing it long after a Network Operating System reinstall.

With no secure boot, no encryption, no authentication, predictable HTTP/TFTP waterfalls, and exposed post-installation partition, ONIE is very susceptible to compromise. And with Network Operating Systems such as Switch Light, Cumulus Linux, and Mellanox-OS via their agents Indigo and eSwitchd not exactly putting up a fight with problems like no authentication, no encryption, poor encryption, and insufficient isolation, this is a real possibility.In this session, we'll cover the weaknesses in ONIE, ways to reach the platform through these Network Operating Systems, and what can happen if we don't properly protect the Control Plane these switches run on. I'll even demonstrate with a drive-by web-attack that is able to pivot through a Windows management station to reach the isolated control plane network, and infect one of these ONIE-based switches with malware, malware that's there even after a refresh. You'll even get the source code to take home with you to see how easily it's done. Finally, we'll talk about how to compensate for these issues so that your network doesn't become infected with and manipulated by this sort of persistent firmware-level malware.

Gregory Pickett

Gregory Pickett CISSP, GCIA, GPEN has a background in intrusion analysis for Fortune 100 companies but now heads the Hellfire Securitys Managed Security Services efforts and participates in their assessment practice as a network security subject matter expert. As a security professional, his primary area of focus and occasional research is networks with an interest in using network traffic to better understand, to better defend, and sometimes to better exploit the hosts that live on them.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats