Devious dock is Raspberry-Pi-powered data drainer

The notebook dock is crammed with hardware. The lid is transparent for demonstration purposes.
Source: Andy Davis, NCC Group In his presentation at the Black Hat Europe security conference, Andy Davis from the UK-based NCC Group explained how he turned a Dell docking station (Latitude E series) into a data spy that is difficult to detect. Apparently, the top part of the dock housing provides enough empty space to add various extra hardware components.

The core component is a Raspberry-Pi-based controller that only weighs 45 grams. The controller is hooked up to the docking station's various interfaces – Ethernet, VGA, USB, audio – and combined with a 3G/4G stick and flash memory. This "Spy-Pi" controller will use mobile networks to transmit the harvested data, and it can also receive remote instructions this way.

Davis says that all important interfaces are accessible from the inside, and that a few solder points are all that is required to tap into the ports. Two potential approaches are conceivable in terms of the network interface: either passive sniffing via an Ethernet switch or an active connection that involves inserting a tiny Ethernet hub into the docking station.

The security expert used the Videoghost frame grabber to intercept the VGA signal.

Source: Andy Davis, NCC Group The hacker said that the second approach offers the advantage that it also allows attackers to inject data into a network and infiltrate the intranet. Davis noted that the disadvantage of using a hub is that it adds an extra MAC address that may raise suspicion when the switches are monitored. The researcher continued explaining that the Ethernet switch has the disadvantage that encrypted data traffic can be recorded, but not decrypted. Also, the switch isn't capable of transferring at data rates in excess of 100 Mbits/s, which could potentially be detected when a network is monitored.

Display contents are recorded via the Videoghost component that is available from outlets such as Amazon. The breakout cable will pass through the image signal, create screenshots and store them on the integrated flash memory. Any integrated notebook webcam can also be misused: two pins of the USB controller on the docking station's motherboard are responsible for the upstream USB signal. The hacker soldered two small cables to the pins and connected them to the Raspberry Pi board.

Andy Davis said that it would be difficult to detect a modified malicious docking station. Methods such as regular weighing to detect modifications through weight deviations or thermal imaging to detect the controller are likely far too involved, he added. The expert recommends securing docks with a Kensington lock and using anti-tamper seals or stickers.

(Uli Ries / djwm)