A home-made hand-held Ethernet wiretap

[Image: An array of Ethernet ports on a PCB, one of them with a cable connected.]

Sitting in a conference room at work, waiting for others to arrive, I noticed that all Internet traffic to the laptops is routed through a classic Ethernet hub in the middle of the table. So I started thinking how easy it would be to eavesdrop on everyone in the conference by just innocently plugging myself into the hub. And given its innocent appearance, could a hub be used as a general eavesdropping device?

Trusting the network

As you know, an Internet user is often warned by her browser that a web transaction is unencrypted and "could easily be read by a third party". So who is the third party? And how can anyone possibly listen in on traffic that is being transferred over a wired network?

To illustrate this, I put together a simple device that silently captures traffic from one end of an Ethernet cable, echoes it into a laptop to be recorded or analyzed live, and retransmits it into another cable, unmodified. Internet traffic is almost guaranteed to pass through Ethernet cables and routers at some point along its path, so a tap of this kind could in principle sit anywhere along that path. (Acquiring physical access to network infrastructure is beyond the scope of this post.)

Battery-powered hub

Ethernet hubs were still widely used to build home and enterprise networks in the late 1990s, but have since been largely obsoleted by switches and similar "smarter" devices. One can still encounter them today, as I did.

A hub receives a frame on one of its ports and repeats it out of all the others, regardless of where it is going. Hubs operate at the lowest OSI layer, the physical layer, which makes them transparent to the other devices in the network (save for the speed limitation and the data collisions they introduce). They also look like legitimate, useful parts of the network. All this makes them ideal wiretapping devices. Furthermore, this used hub cost me about €3.
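What the eavesdropper's laptop actually sees once it hangs off the hub, as an added example that is not part of the original post: the hub hands every frame to every port, so the only thing keeping other people's frames out of the laptop's operating system is the NIC's destination-MAC filter, the filter that "promiscuous mode" (mentioned in the comments below) switches off. The Python below builds a few Ethernet/IPv4/TCP frames as they would appear on the shared segment (the MACs, IP addresses and HTTP request are made up for the example), parses them, and compares what gets through with the filter on and off.

```python
"""
Added example, not code from the original post.  Models the hub-side view:
every frame reaches our port, and only the NIC's destination-MAC filter
(disabled by promiscuous mode) decides whether the OS gets to see it.
All MACs, addresses and payloads below are constructed for the example.
"""
import struct

OUR_MAC = "aa:bb:cc:00:00:01"          # the eavesdropper's NIC (assumed)
VICTIM_MAC = "aa:bb:cc:00:00:02"       # the podcast listener (assumed)
ROUTER_MAC = "aa:bb:cc:00:00:ff"       # the "router" in the background (assumed)
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def build_frame(dst, src, src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Minimal Ethernet/IPv4/TCP frame; checksums left zero, enough to parse."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return mac_bytes(dst) + mac_bytes(src) + b"\x08\x00" + ip + tcp + payload


def parse_frame(frame: bytes) -> dict:
    """Parse Ethernet -> IPv4 -> TCP and return the fields a sniffer cares about."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": mac_str(dst), "src": mac_str(src), "ethertype": ethertype}
    if ethertype != 0x0800:                 # only IPv4 handled here
        return info
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                # IPv4 header length in bytes
    info["src_ip"] = ".".join(map(str, ip[12:16]))
    info["dst_ip"] = ".".join(map(str, ip[16:20]))
    if ip[9] != 6:                          # protocol 6 = TCP
        return info
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4               # TCP data offset in bytes
    info.update(sport=sport, dport=dport, payload=tcp[doff:])
    return info


def nic_delivers(info: dict, our_mac: str, promiscuous: bool) -> bool:
    """The destination-MAC check a NIC applies before handing a frame to the OS.
    Multicast groups the host has joined are omitted to keep this short."""
    if promiscuous:
        return True
    return info["dst"] in (our_mac, BROADCAST)


def sniff(frames, our_mac=OUR_MAC, promiscuous=True):
    """Frames the OS would see on the hub port, with plaintext HTTP decoded."""
    seen = []
    for raw in frames:
        info = parse_frame(raw)
        if not nic_delivers(info, our_mac, promiscuous):
            continue
        if info.get("dport") == 80 and info.get("payload"):
            info["plaintext"] = info["payload"].decode("ascii", "replace")
        seen.append(info)
    return seen


# Constructed traffic on the shared segment: the victim's request to a web
# server, and one frame that is genuinely addressed to our own NIC.
HUB_TRAFFIC = [
    build_frame(ROUTER_MAC, VICTIM_MAC, "192.0.2.10", "203.0.113.5", 40000, 80,
                b"GET /podcast.mp3 HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    build_frame(OUR_MAC, ROUTER_MAC, "203.0.113.5", "192.0.2.11", 80, 40001,
                b"HTTP/1.1 200 OK\r\n\r\n"),
]

if __name__ == "__main__":
    for f in sniff(HUB_TRAFFIC, promiscuous=False):
        print("normal mode :", f["src"], "->", f["dst"])
    for f in sniff(HUB_TRAFFIC, promiscuous=True):
        print("promiscuous :", f["src"], "->", f["dst"], repr(f.get("plaintext", ""))[:40])
```

In normal mode only the frame addressed to our own MAC is delivered; in promiscuous mode both frames arrive, including the victim's plaintext HTTP request. On a real interface the same parsing applies to frames read from a raw socket or a pcap file, the difference being that there the filter is enforced in the NIC driver rather than by a Python function.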

Hubs come in handy sizes and look quite innocent. But they need an external power source, because Ethernet doesn't carry power like USB does (edit: at the time). And it is not always easy to quickly find an outlet with your hoodie on and all that. This hub happens to have a 5.0 V low-dropout regulator right after the main fuse, so I just replaced the 7.5 V wall adapter with four AA batteries in series (6 V nominal) and it works perfectly.

[Image: A device labeled 'LINKSYS(R) 5-Port Workgroup Hub' with several indicator LEDs, labeled 'Link/Activity' (5 indicators, 1 lit green), 'Collision' (unlit), and 'Power' (lit green). The device is connected to a battery holder with VARTA AA-sized batteries, and to an Ethernet cable going outside of the picture.]

The feat

Disconnecting a cable from a router and rerouting it through our malicious hub takes only around ten seconds, and if done in a relatively low-traffic part of the network, need not even noticeably disrupt connections. This could be done anywhere along the path of the traffic. We could quickly unplug our laptop from the hub if needed without affecting the monitored router; the hub would simply continue to relay the traffic.

If we wanted to be really sneaky, a Raspberry Pi or similar could be used to record the traffic. It could be left recording while we physically leave the site, perhaps commanding the RasPi to transmit interesting bits over the air. Sadly, I could not test this as I had fried my RasPi in a previous incident.

Video proof

In this film, an anonymous hacker infiltrates a building and plugs the evil hub into a connection on which an innocent user is listening to a podcast. The innocent user is using the gray laptop on the left, and the black one on the right obviously belongs to the eavesdropper. The "router" to be compromised can be seen in the background, between the laptops. Observe how the stream automatically comes back on, as if it had just been a little glitch in the connection.

Summary

Never trust the network. Use encryption.

12 comments:

  1. One thing, doesn't this mean that if your eavesdropper laptop isn't configured properly, it may end up transmitting information into the hub (DHCP requests, IPv6 peer discovery, etc.), potentially giving your presence away? How would you overcome that?

    Replies
    1. Yes, it's a genuine risk, and in this case the laptop was probably making a lot of failing DNS queries into the cable. A simple solution would be to cut the Tx wires on the eavesdropper's wire to make it physically impossible to transmit.

  2. Could a trace route detect this?

    Replies
    1. No, hubs are invisible to traceroute.

      Traceroute works on OSI Layer 3 (IP), whereas hubs operate on Layer 1. Hubs don't have IP or MAC addresses. Indeed, to the rest of the network, they look just like cable. (They are a suboptimal kind of cable however; for example, they have a throughput limitation of 100 Mbps. This facilitates detecting them.)

    2. 1. Sorry for the necro post.
      2. Wouldn't the major throughput issues this would cause make them not only easily detectable, but really obvious? I imagine that without switching, any decent-sized network segment is going to experience the kind of issues that would trigger any decent network admin to investigate the physical layer. Certainly, whilst it might not be the case that they are visible in the network layers, surely the routers would have an extra light where the object is physically plugged in? And wouldn't this cause a lot of collisions at the physical layer?

      Anyways I just discovered your site - so cool.

    3. Yeah, it's a silly way to do it. But lo-tech.

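One way to notice a spliced-in hub from the switch side, picking up the detection point raised in the comment thread above; this is an added example, not anything from the post or the commenters. A 10/100 hub is a shared, half-duplex medium, so the switch port it is plugged into renegotiates down from whatever speed and duplex it had before and, once there is any load, starts counting collisions. The script below scans port-status records for that transition. The log format, port names and timestamps are constructed for the example; real switch syslog or ethtool output needs its own parsing.

```python
"""
Added example, not from the original post.  Flags switch ports whose link
came back slower and half-duplex after a flap, or that began counting
collisions on a previously collision-free link: the physical-layer
fingerprint of a hub inserted into the cable.  The "port status" log format
below is made up for the example.
"""
import re

# Constructed log lines: port Gi1/0/7 flaps, returns at 100/half and later
# shows collisions; Gi1/0/8 stays at 1000/full throughout.
PORT_LOG = """\
2014-05-03T09:00:01 port=Gi1/0/7 link=up speed=1000 duplex=full collisions=0
2014-05-03T09:00:01 port=Gi1/0/8 link=up speed=1000 duplex=full collisions=0
2014-05-03T09:31:40 port=Gi1/0/7 link=down speed=0 duplex=unknown collisions=0
2014-05-03T09:31:49 port=Gi1/0/7 link=up speed=100 duplex=half collisions=0
2014-05-03T09:45:00 port=Gi1/0/7 link=up speed=100 duplex=half collisions=37
2014-05-03T09:45:00 port=Gi1/0/8 link=up speed=1000 duplex=full collisions=0
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) port=(?P<port>\S+) link=(?P<link>\w+) "
    r"speed=(?P<speed>\d+) duplex=(?P<duplex>\w+) collisions=(?P<coll>\d+)"
)


def parse_log(text: str) -> list:
    """Turn the constructed status lines into dicts; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["speed"] = int(d["speed"])
            d["coll"] = int(d["coll"])
            events.append(d)
    return events


def find_hub_candidates(events: list) -> list:
    """Return (timestamp, port, reason) for every 'up' record that looks worse
    than the previous 'up' record on the same port."""
    last_up = {}                     # port -> last link=up record seen
    findings = []
    for ev in events:
        port = ev["port"]
        if ev["link"] != "up":       # a 'down' record is just the flap itself
            continue
        prev = last_up.get(port)
        if prev is not None:
            reasons = []
            if prev["duplex"] == "full" and ev["duplex"] == "half":
                reasons.append("duplex full->half")
            if ev["speed"] < prev["speed"]:
                reasons.append(f"speed {prev['speed']}->{ev['speed']}")
            if prev["coll"] == 0 and ev["coll"] > 0:
                reasons.append(f"collisions {ev['coll']}")
            if reasons:
                findings.append((ev["ts"], port, ", ".join(reasons)))
        last_up[port] = ev
    return findings


if __name__ == "__main__":
    for ts, port, reason in find_hub_candidates(parse_log(PORT_LOG)):
        print(f"{ts} {port}: {reason}")
```

On the constructed log this reports Gi1/0/7 twice: once for the renegotiation to 100 Mb/s half-duplex, and once when the collision counter starts moving. A duplex mismatch or a speed drop can also come from a bad cable or broken autonegotiation, so this is a prompt to go and look at the physical layer, not proof of a tap; and a hub inserted on a link that was already running at 100 Mb/s only shows up through the duplex change and the collision counter.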
  3. Wouldn't a simple RJ45 splitter (i.e. http://i.stack.imgur.com/zYQ2a.jpg) accomplish the same thing as the hub?

    Replies
    1. Yes, it would.

      Originally, I wasn't going to make a portable hub-in-the-middle wiretap. It is unquestionably complex. The post was inspired by a conference room I visited that had all of its network traffic routed through a hub; I started thinking how easy it would be to eavesdrop everyone in the conference by just innocently plugging myself into the hub.

  4. Hey, are you aware of the "Throwing Star LAN Tap", it might be relevant to your interests.

    http://ossmann.blogspot.fi/2011/02/throwing-star-lan-tap.html

    Replies
    1. Thank you! Yes, I know about it. I believe its design is similar to the splitter mentioned in the above comment, just with transmission physically disabled.

  5. Not possible. Your NIC won't accept data that isn't intended for it (as indicated by the MAC address associated with the low level packets).

    Replies
    1. Hi! Thanks for the comment. You can read more about the NIC "promiscuous mode" here.

