Can You Trust your Network Card?

Recently I have posted here about security threats from devices not traditionally part of the security officers’ paranoia list, like photo-copiers and electric meters.   An interesting presentation at the recent CanSec West conference in Vancouver added another item to the list: your computer’s network interface card [NIC].  The presentation, by Yves-Alexis Perez and Loïc Duflot of the French ANSSI [Agence National de la Sécurité des Systèmes d’Information], discussed some of the capabilities of current network cards, and how they might be exploited.  (The presentation slides are available here [PDF].)

Modern NICs often provide considerably more than a bare interface to the physical transport medium (e..g, the network cable).  Many have on-board memory, and even processors; these are intended to improve performance by providing an additional layer of buffering and  offloading some tasks from the CPU (such as dealing with fragmented packets), and also to provide remote diagnostic and control facilities.  On some cards, this means that:

• Every packet (in- or out-bound) passes through the NIC’s on-board memory
• The NIC has direct access to the main processor’s RAM [DMA]
• The on-board NIC processor runs firmware loaded from an EEPROM, or, via a driver, from the host’s filesystem.
• Remote diagnostic and control protocols allow the NIC to provide a “heartbeat” to the network, and to receive and act on remote commands (to reboot, for example).  These protocols are intercepted by the NIC and not passed to the host.

Potentially, this is a very serious source of risk.  As the presentation summary puts it:

An unauthenticated remote attack on a network card is almost the most efficient attack one can imagine. A remote attacker located anywhere on the network can take full control of the victim’s network in order to: intercept all packets sent to and from the victim’s machine and forwards them to an attacker on the network; perform man in the middle on all unauthenticated network connexion (such as ARP or DNS) to redirect traffic to target machines; remotely shutdown, reset or wake up the machine.

Because the NIC has access to the system’s memory via DMA, it is also potentially possible to alter that memory and inject arbitrary code, unless the host OS defends against such attacks.

The research team demonstrated proof-of-concept attacks of these types, using a specific network card and configuration.  The card vendor has issued a firmware and driver patch for the vulnerability, which in any case is not too likely to be of great practical significance (because it requires a specific configuration).  Still, this is valuable research, to raise people’s consciousness in an area where not much thought is given to security.  As the authors say:

Our goal is to raise awareness on the security problems related to hardware vulnerabilities. We believe that this kind of publication should lead to an improvement of the quality of low level embedded firmware. So far, no research was performed on network card vulnerabilities.

We need to remember that some of the changes that make things easier for the legitimate user and system administrator can make things easier for Other People, too.