Attacking Game Consoles On Corporate Networks

A pair of security researchers speaking at DefCon demonstrated how video game consoles, which are becoming increasingly common break room or team-building toys, can open vulnerabilities in corporate networks. "[They] found that many companies install Nintendo Wii devices in their work places, even though they don’t let you walk into the company with smartphones or laptops. (Factories and other sensitive work locations don’t allow any devices with cameras). By poisoning the Wii, they could spread a virus over the corporate network. People have a false sense of security about the safety of these game devices, but they can log into computer networks like most other computer devices now. In the demos, the researchers showed they could take compromised code and inject it into the main game file that runs on either a DS or a game console. They could take over the network and pretty much spread malware across it and thereby compromise an entire corporation. The researchers said they can do this with just about any embedded device, from iPhones to internet TVs."

Don't plug it to internet

[odies]

You know, you could just not plug the game console into network. There is no reason why a break room and especially team-building games need an internet connection.

Re:

[dltaylor]

And how, exactly, are the "must connect to the server" games, particularly the team games, to be played without either an internet connection (which, in a competent IT setup, would be VLAN'd directly to the internet) or a pirate server?

Re:

[odies]

And how, exactly, are the "must connect to the server" games, particularly the team games, to be played without either an internet connection (which, in a competent IT setup, would be VLAN'd directly to the internet) or a pirate server?

And what are those games requiring an internet connection? I can't seem to recall any on consoles.

Besides if there are such console games, then you just have some other games in the break room. It's not that complicated.

Re:

[shentino]

How about games with obscene DRM that requires you to have an internet connection to an auth server before you're allowed to play?

Re:

[odies]

How about games with obscene DRM that requires you to have an internet connection to an auth server before you're allowed to play?

You have an example of such Wii game? Besides, if it has such an obscene DRM you cannot even run it on a hacked console nor modify the game data. This whole story assumes you're running a hacked Wii so that you can run a pirated version of the game that the hackers had modified.

Re:

[sortius_nod]

I can't say I recall any Wii or Xbox games that require an internet connection, the only ones would be Xbox Live and PSN games, but I can't say I've ever signed in to my own profile and downloaded live games at work when there's been an Xbox. Unplugged is perfect for an office.

Re:

[Richard_at_work]

What about them? How about the games console just gets removed from the break room again? Humanity existed without the instant gratification of the Wii for thousands of years, it can survive a lunchtime at work.

Re:

[icebraining]

Humanity existed without /. too, yet here you are. Having a Wii is fine and probably beneficial to productivity, just don't get games that requires an internet connection.

It's about employee rationale

[tepples]

How about the games console just gets removed from the break room again?

How about key employees quit and go to a company that has a better stocked break room? Competition isn't just about keeping customers; it's also about keeping employees.

Re:

[arth1]

And how, exactly, are the "must connect to the server" games, particularly the team games, to be played without either an internet connection (which, in a competent IT setup, would be VLAN'd directly to the internet) or a pirate server?

And how, exactly, are "must connect to the server" games needed?

Your argument makes about as much sense as complaining about the lack of dildos and handcuffs in the rest room, because how else can one play orgy games?

Dildos and Handcuffs in the Rest Room

[Maarx]

Your argument makes about as much sense as complaining about the lack of dildos and handcuffs in the rest room, because how else can one play orgy games?

There's a few US Senators that would like to have a word with you. [google.com]

Re:

[KDR_11k]

It's a Wii, not a PC running Ubisoft games.

Re:

[Dayofswords]

Not to mention that the Wii doesn't have any good online games. So why connect anyways?

Re:

[simoncpu was here]

Well, you can also say the same thing to your workstation. Ten years ago, people thought that there was no reason why office workstations would need to be connected to a network.

Re:

[CrashandDie]

20, maybe. 10? Definitely.

I remember pulling coax in the early first half of the 90s all over the place. Then ethernet came and made us damn ourselves. Everyone wanted to be connected. Centralised printer, easy file transfer.

Re:

[Lumpy]

10 years ago? REally? in the year 2000 you had businesses saying that?

Us at comcast must have been cutting edge then with every desktop on the network and using really advanced things called "servers" to store files and even databases.

I've been installing networks for computers for 20 years. Even in 1990 networking computers was a big thing and everyone saw that it was a major business advantage.... Novell utterly ruled back then. 10base2 networks roamed the land and every IT guy had a pocket of BNC T's

Re:

[KDR_11k]

1. Not with a Wii.
2. For LAN games just set up a separate LAN for the systems. They're going to be physically close anyway so a cheap consumer-level hub and some cables would be enough.

Re:Don't plug it to internet

[solevita]

The problem isn't network connectivity, the problem would be large flat corporate networks. Why have one network with all your office machines, manufacturing equipment, games consoles and telephones on it? Just create a games console VLAN that has access to the Internet and no routes to any internal networks.

This story is only a story if your Network Admin knows nothing about network admin.

Unfortunately, NetAdmin != Sysadmin

[RulerOf]

This story is only a story if your Network Admin knows nothing about network admin.

Plenty of places make their sysadmins set up the network hardware, but the problem is that we're sysadmins, not network admins. It's annoying as all hell, but the fact is that plenty of businesses will forego hiring a networking expert simply because they don't think they need to.

Given a network and adequate hardware, even I can point out what an appropriate topology would be for the setup, but I just don't know how to do it. I understand the concept of VLANs, routing, DHCP relay, etc., but I just don't

Re:

[drinkypoo]

Given a network and adequate hardware, even I can point out what an appropriate topology would be for the setup, but I just don't know how to do it. I understand the concept of VLANs, routing, DHCP relay, etc., but I just don't know how to configure the hardware.

This stuff is NOT HARD until you get to multi-homing. So there's no excuse for not reading the documentation and just figuring it out. Static routing is really simple. VLANs are really simple. I got hired into Cisco as a lab admin and while I was there I and a coworker co-wrote a tool to permit people to reconfigure their own VLANs. We did it with Filemaker Pro on a Windows box and perl on a Linux one. It wasn't built for security, but it didn't matter in this context and it just goes to show how damned eas

Re:

[RulerOf]

If you can't RTFM and figure out how to configure the hardware ... you're not a Systems Administrator. You're a server admin, or a lab rat.

I very likely could. I've gone from clueless to fully functional on all sorts of applications through simple RTFM and sample setup maneuvers, but when it comes down to it, I think it makes the most sense to leave the network stuff to the network admins and the server stuff to the server admins. While I suppose you could be right---I've never heard an "official" definition of "Systems Administrator"---I've long considered "Network" Administrators to be the ones that handle, set up, and maintain the physica

Re:

[drinkypoo]

I apologize if I've offended you, but I consider "server admin" to be a subset of my skills, and am far more capable than a "lab rat," though I admit I do highly enjoy testing things in a lab.

My title has been "Lab Administrator" before so it would be hard to offend me here, and no offense was meant. I have no real idea what you're actually capable of. Still, I think we have to set some standards :p

...for that matter, and speaking of IPv6, if you can similarly point out instruction for how it works targeted at someone who has a good functional understanding of IPv4, that'd be spiffy too. Similarly, everything I've tried to read simply doesn't explain things well enough and doesn't compare or contrast to IPv4 analogs.

Sorry, I haven't had to learn IPv6 yet so I have no idea where to look. It seems that the demand is pretty close to nil. I had a tunnel once but it caused more problems than it resolved so I abandoned it.

Re:

[egcagrac0]

Networks are systems. Systems are not always networks. It may take a sysadmin longer to figure out the wiggly details that a netadmin would just know (from specializing and doing it all day long), but it should not be impossible.

Don't feel too bad; a lot of people don't understand why trying to do Wake-on-LAN to an IP address doesn't work for more than 15 or 20 minutes after power-off.

Re:

[Lumpy]

Because hiring competent network people is expensive.

And the cheap MCSE's cant configure Cisco gear because it does not have a GUI.

The real reason most small and medium business networks area utter mess is because the idiots in the executive offices can not understand that hiring at least 1 highly competent person to cover IT and networking is worth every dollar. You only need one part time, if you are a small shop... An no, Timmy the computer guy is not looking for a new toy when he asks for a nice cisc

Re:

[PinkyGigglebrain]

if your Network Admin knows nothing about network admin.

Or doesn't know anything about how to lock down a network. Last place I worked had so many holes in the firewall when I took over it made chicken wire look like a brick wall.

Re:

[TheCarp]

Thats no fun! Seriously, its a corperate world we are talking about right? Why not a corporate solution. We deal with devices that need some manner of protection all the time.

You put this into an existing subnet of devices that require internet access but not internal LAN access. If you don't have such a pool of devices, you make such a subnet. Hell you define a game console VLAN, put all the game consoles in it (even a large company shouldn't have more than a handful), give them a small subnet (a /27 or so

Re:Don't plug it to internet

[TheCarp]

Of course, I should have pointed out, the project really dies (in a large corporate world) when you see your managers eyes glaze over as he imagines the hours upon hours of meetings that he will have to attend; to explain to the managers above him, how the networking technology (that he doesn't actually understand) works, so that he can justify asking them to ask the manager of the networking group to assign one of his people to the task of setting up the network portions of this.

I guarantee thats where the whole plan dies and the Wii in the break room becomes not worth it. At least, at some places I know.

-Steve

Re:

[skids]

Much simpler just to ban 802.11a/b less than 5.5Mbps... the Wii cannot go that fast and the rest of the clients don't need to. Then if wired is a concern just configure your NAC not to allow Wii MAC address prefixes, which being closed source are beyond the abillity of ordinary employees to change. Presto, no more network access for Wiis.

Re:

[tagno25]

802.11a cannot do 5.5mbps (not one of the allowed speeds), the Wii cannot talk 802.11a, and the Wii can connect at 54mbps to a 802.11g network

Re:

[TheCarp]

I guess thats one way to "solve" the "problem". Sort of like, if you define concentration camps as a homeland; then Hitler was a zionist!

While you could do all that, my whole point was, this is a pretty simple problem to deal with. You can easily allow the wii or any other device, access to the internet but NOT the internal LAN. Its done all the time for certain types of devices. In fact, the WII is even a simpler case; often such hosts need to allow for internal connections initiated by machines on the LAN

Re:Don't plug it to internet

[Lumpy]

It's also moot. It is far easier to get inside the building and install a trojan machine. Hell a sheevaplug is $99.00 and with the right stickers can be made to blend in behind any copier or printer silently sitting there collecting data and mapping things out and reporting home.

Hell the dual ethernet one in line with the right printer and it will be fed tons of great documents on the companies secrets that it can email home. sitting there ignored because it has a big HP printing sticker on it and reports as if its the printer... Even a super security guru would miss that one in all their security sweeps.

Re:

[BobMcD]

You know, you could just not plug the game console into network. There is no reason why a break room and especially team-building games need an internet connection.

This. Or, just put it on the public wireless. You know, the one for visitors that is in no way connected to your corporate network? You DO have public wireless, right??

Re:

[__aagbsn9250]

Why is everyone trying to reason why a NORMAL person would do or not do something. A target attack is done using non-conventional methods. For instance, you wouldn't even need media in the Wii, or physical connections to the network. The culprit would most likely be an employee or working in conjunction. The Wii could be softmodded, and access it's software via microSD card, which can easily be overlooked as most people don't even know where to find the slot or what it's used for. Wifi in conjunction with

Would they care to share how they do it?

[Nursie]

Perhaps with the homebrew scene? Being able to run arbitrary code on a PS3 (not under the now defunct OtherOS) would be a great help!

Thanks a lot...

[WhitePanther5000]

Now they're going to take away our Wii :(

Re:

[notaspunkymonkey]

Yeah.. my employer is already worried about a rumour that links gaming to violence.. I've no idea why, that guy from accounts who ran rampage shooting people in our office clearly hadn't played that much Halo.. His master chief outfit wasn't even realistic.

s/Wii/Windows

[antifoidulus]

Couldn't you pretty much just replace the word "Wii" with the word "Windows" and have an equally valid article?

Hooray for trolling!

Re:

[Arimus]

To be fair should be :/s/Wii/any\ connected\ device

Can't think of a single network connected device that couldn't potentially offer an attack vector...

Re:

[maxwell demon]

Can't think of a single network connected device that couldn't potentially offer an attack vector...

A hub?

Re:

[RulerOf]

A hub?

THIS SUMMER

Sony Pictures presents:

The HORROR THRILLER that will SCARE your IT department ALL THE WAY TO THE BASEMENT!

________________________

The NETWORK HUB from HELL!
________________________

Network frames will be MANGLED.
Packets will be DROPPED.
User programs will be KILLED.
Connections... will... DIE!

"I've never seen the racks blink that color before... What the hel----*RING*-----What do you mean 'Address Conflict'? No, no, don't kill it with Task Manager, just----Oh... my... God..."

It'

Re:

[Arimus]

Attack vector: I plug in, sniff all your traffic... don't even need valid ip address etc.

Re:

[Eevee]

Couldn't you pretty much just replace the word "Wii" with the word "Windows" and have an equally valid article?

No.

Windows is an attack vector, but it's not being ignored. I suppose it depends on how large the company is, but where I'm at, we have staff whose job it is to keep up with the various security bulletins and make sure that they're being patched.

A gaming system, on the other hand, isn't going to have staff dedicated to keeping it safe.

This isn't going to be a major threat.

[Securityemo]

There are probably much easier ways to perform targeted attacks against most organizations. But imagine someone bribing disgruntled wallmart/other low-wage chain employees into replacing cartridges and discs with what they are told are "just pirate copies that'l most likely play perfectly, no harm done really, you'l get a cut off the sales of the originals up front."

Woot.. ruining the diversion for all!!.

[Tei]

The researchers will claim that are doing something productive, and have a point to that. But for the other 99.9999% of the population this type of stuff is just party-breaking.

Is like wen a researcher get out of the blue and strong-force a open source game dev to fix "important bugs". Now, the problem with what is important for a researcher, and what is important for a game dev is different. A single researcher (can I say hacker?) can efectivelly "DoS" a single game developer sending hole bugs, and forcing

Re:

[Securityemo]

Hmm, yeah. If wikileaks can have an oversight system, couldn't a centralized vulnerability cache manned by trusted volunteers have one, to deal with ethics problems like that? To formalize the whole "full disclosure extortion" process, and make the bug fixing timetables standardized? But the risk of corruption would be extreme.

Wii at work?

[lyinhart]

Wii consoles at work? Never heard of that before. I must be working at the wrong place.

Re:

[arth1]

I too was surprised by the article blurb, because I've never come across any company that provides handheld consoles. Nor one that allows personal equipment to be hooked up to the corporate network.

Of course, there will always be asshats who disregard what they signed in their term of employment, and do things like private cell phone bluetooth connections to their work computer, or plugging in private USB fobs. And some might use a PSP during lunch break or as an MP3 player, which isn't much of a problem.

Re:

[jackbird]

I could see it in some healthcare settings. Hospitals with pediatric inpatient units, or nursing/rehab facilities might legitimately have a Wii for the patients.

Lots of small media/web companies have a console in the break area, too.

I don't see either of those being particularly attractive targets, however.

Re:

[ledow]

I once worked at a school that provided PS2's to their "seclusion rooms". It was a disgusting bit of pandering to the "naughty" kids / special needs kids in order to stop them causing trouble. They were also allowed to use mobile phones and would often phone the children in other school's seclusion units, so we weren't alone in this.

You can imagine the student's thinking - if I smash the teacher I don't like in the face, I get to go to the seclusion room, play Playstation and phone my friends and not have

Re:

[juletre]

We have a Wii and Guitar Hero in one of the meeting rooms. It is hardly in use and when it is, it is when someone stays late after work and plays a bit, drinks a few beers. Small consultancy firm, about 30 employees.

Re:

[Rennt]

Indeed. Inventing a hypothetical scenario then claiming you've discovered a real vulnerability seems to be par for the course at this year's DefCon. Disappointing.

Re:

[omni123]

This is definitely not a hypothetical scenario (from the do-consoles-exist-in-the-workplace-standpoint, but certainly a non-issue if your network admin has a clue). My previous three employers have all had game consoles in meetings room, sometimes one per floor. The most recent is a large Australian bank which has beer in the fridge, consoles in the kitchen and pool/ping pong tables in the meeting rooms; used mainly by software developers and economists.

It's a new age.

Please demonstrate

[Drakkenmensch]

Exactly HOW do you "poison a Wii"?

Network Printers

[nukem996]

The real concern isn't game consoles its network printers. Pretty much every company has at least one these days on their network and most of the machines assume its trusted. All someone would have to do is modify the firmware on one of the printers to start cracking the network. Getting access to the printer would be pretty easy in many cases. Many companies out source their printing to a third party that fixes them and supplies them with ink and paper. All someone would have to do is pretend to be fixing a printer and they're in.

not only that the frimwere is tie to warranty / hi

[Joe The Dragon]

not only that the frimwere is tied to warranty / high cost software maintenance planes. Even some of the printer that use a windows pc for rip and other stuff are locked down so you can't install windows updates no HP or who ever as to do them.

Like all the office pr0n traffic isn't enough...

[Golbez81]

Now we have to worry about our company Wii's! What is this internet coming to....

Am I missing something?

[DickeyP]

If an attacker can even get to such a device, doesn't that imply the network has already been compromised? Perhaps not to the level of full control, but enough to target any device, not just game consoles. Or is the OP assuming physical access to these consoles?

How is this different from any network device?

[DJRumpy]

Any properly fire walled device should be protected for the most part. That said, giving anyone physical access to a network device on your internal network exposes this type weakness. It's a bit ridiculous to state it's on the internal network and then get everyone riled up that it has access to said network resources. The simple fact remains that any network connected device could do this.

TFA states that they could do this with a pirated version of a game. Although this may be much more common in a home environment, I'm thinking a work supplied device that never leaves the office would be a bit harder to do this to? Some simple physical restraints or claims to limit what media can be placed into it, and proper firewall controls to prevent unauthorized browsing should mitigate this is a big exposure.

How is this different from any workstation?

Re:

[DJRumpy]

Apologies for the typos. I have obviously NOT had enough coffee yet this morning...

    physical restraints or claims = physical restraints or CLAMPS

    mitigate this is a big exposure == mitigate this AS a big exposure

You're ignoring the funny part

[tkrotchko]

Read the comments below the article. They're far more entertaining than the article itself.

DMZ

[davidla]

That's why you put it in it's own special little DMZ. Give it access to nothing but the Internet.

Relies on stupidity.

[GrumpySteen]

Everything in the article seems to require getting the user to download compromised code and run it on a game system. If you're stupid enough to download random software and run it, you're going to open yourself up to malware regardless of what OS or hardware you do it on.

Covered at Black Hat like 10 years ago...

[Anonymous Coward]

This has been covered over and over again since at least the mid 90's. The times are changing and the consoles are different but it is the same concept.
http://www.geek.com/articles/games/black-hat-dreamcast-is-choice-console-for-information-warfare-2002082/ [geek.com]

Restricted network

[Cico71]

Given that proper firewalling and DMZs should be in place, they should put it on a restricted network along with guests laptops and other devices that don't really need to be in the corporate network. Nowadays it's simpler to setup such an environment even using windows with NAP http://en.wikipedia.org/wiki/Network_Access_Protection [wikipedia.org]