What Hackers (and Marketers) Know about You from your Switch

Of all my prized technical books, one of my favorites in the networking space has to be LAN Switch Security: What Hackers Know About Your Switches, A Practical Guide to Layer 2 Devices and Stopping Campus Network Attacks, by Eric Vyncke.

Though written way back in 2008 (back when we had IoT but called it "IP on Everything"), Vyncke's book is more than just relevant in 2016; it's a must-have.

Why? Because Vyncke's book is one of only a handful of practitioner resources that explores in depth a problem we've had in technology for over thirty years: the Address Resolution Protocol. ARP is a fun little plumbing protocol that exists way down at the bottom of the technology stack. I like to think of ARP as a map between Layer 2 (MAC) and Layer 3 (IP) addresses in the OSI model, but the technical definition is outlined in RFC 826, written way back in 1982.

So what's the problem with ARP, you might ask? By its very nature, ARP is a veritable goldmine of useful and interesting information about a network, or more specifically, a broadcast domain. So at work, querying the ARP table on a switch is usually the first thing I do when I'm troubleshooting a LAN issue. And at home, where you also have an ARP table whether you realize it or not, your devices and computers rely on the same protocol to learn about each other.

This is the great benefit of ARP: it just runs on your network automatically, doing its job in the background with zero drama, just the way a plumbing protocol should. But therein lies the rub, friends: because it provides such useful information automatically to any device that asks, without any authentication mechanism, ARP is in reality an un-securable information leaker about your network and you, especially at home.

Vyncke, take it away:

All ARP requests are sent as Ethernet multicast and every Layer 2 adjacent host can build a traffic matrix (for example, which IP address talks to which IP address). There is no known way to mitigate [this] information leak vulnerability [in the Address Resolution Protocol]. Although the security impact of this vulnerability is small, paranoid network architects must make a design where the amount of hosts per Ethernet segment is small (even to the point of having a single host plus its default gateway per segment). Hence, an attacker will only be able to learn that some hosts communicate with a router but will not discover the remote hosts’ IP addresses.

I wonder if Vyncke would choose to use the same word "paranoid" if he were writing his book in 2016. Because from my seat, it's no longer considered paranoid to worry about the information my ARP table leaks out. Indeed, I'd argue that you're being negligent if you're not worried about it, especially as we adopt more IoT style technologies in our homes and workplaces.

Remember, this is a goldmine of real, substantive data on your network, its devices, and, well, you. In the enterprise space, we've got tools to deal with this, so typically we just segment our networks into ever smaller broadcast domains, usually via VLAN tagging or, ideally, Private VLANs.

In the home, though, router and wireless AP manufacturers offer little more than a Guest VLAN, if that. Your average home network, as a result, will leak out juicy details from your ARP table to whomever, or whatever, connects to it.

Hackers are one thing, but imagine what a Marketer could glean from querying, then storing and uploading data from the ARP table on your home network:

  • When the devices you own come and go on the network
  • Which devices are used the most
  • The type, name, and manufacturer of the devices on your network

Consider that just by querying the ARP table over time, you could construct a detailed picture of a family's life at home: Dad's iPhone connects to the network a little after 6pm and leaves the network routinely at 7am. He must be employed. Junior's iPad is on and connected for about 7 hours a day, but the wifi interface on the TV is off until late in the evening. Mom must not spend a lot of time with Junior. Meanwhile, the wifi thermostat, the wifi lights, and the daughter's MacBook are alive on this typical /24 network all day long. What does that tell us about this family, and how can we tailor our direct-mail and web-based ads to them?

Frighteningly, since ARP and MAC addresses are easy to spoof, especially on a home network, it's not inconceivable that an automated process inside an IoT device one day starts masquerading as your home's router, which would hand it even more detail about this family. Even if your search queries are encrypted, there's still gobs of metadata to be had from such an approach.
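To make both of the points above concrete, here is an added example of my own (not from the post above or from Vyncke's book). It takes constructed ARP-table snapshots from a hypothetical home network, builds the per-device "comes and goes" profile that the ARP table leaks, and then flags the two tell-tale signs of a device masquerading as the router: the gateway IP suddenly answering from a different MAC, and one MAC claiming several IPs at once. The gateway address 192.168.1.1 and every MAC in it are assumed values.

```python
from collections import defaultdict

# Assumed home router address and constructed ARP snapshots (hour of day, [(ip, mac)]),
# as a periodic poller of a router's or PC's ARP table would record them.
GATEWAY_IP = "192.168.1.1"
SNAPSHOTS = [
    (6,  [("192.168.1.1", "aa:bb:cc:00:00:01"), ("192.168.1.20", "aa:bb:cc:00:00:20")]),
    (8,  [("192.168.1.1", "aa:bb:cc:00:00:01"), ("192.168.1.21", "aa:bb:cc:00:00:21")]),
    (19, [("192.168.1.1", "aa:bb:cc:00:00:01"), ("192.168.1.20", "aa:bb:cc:00:00:20"),
          ("192.168.1.21", "aa:bb:cc:00:00:21")]),
    # At 21:00 the device behind ...:21 also starts answering for the gateway IP.
    (21, [("192.168.1.1", "aa:bb:cc:00:00:21"), ("192.168.1.20", "aa:bb:cc:00:00:20"),
          ("192.168.1.21", "aa:bb:cc:00:00:21")]),
]

def presence(snapshots):
    """Hours at which each MAC was present: the 'comes and goes' profile the ARP table leaks."""
    seen = defaultdict(list)
    for hour, table in snapshots:
        for _ip, mac in table:
            if hour not in seen[mac]:
                seen[mac].append(hour)
    return dict(seen)

def gateway_mac_changes(snapshots, gateway_ip=GATEWAY_IP):
    """(hour, old_mac, new_mac) each time the gateway IP starts answering from a new MAC."""
    alerts, last = [], None
    for hour, table in snapshots:
        mac = dict(table).get(gateway_ip)
        if mac and last and mac != last:
            alerts.append((hour, last, mac))
        last = mac or last
    return alerts

def shared_macs(snapshots):
    """(hour, mac) for any MAC that claims more than one IP within the same snapshot."""
    hits = []
    for hour, table in snapshots:
        ips_by_mac = defaultdict(set)
        for ip, mac in table:
            ips_by_mac[mac].add(ip)
        hits += [(hour, mac) for mac, ips in ips_by_mac.items() if len(ips) > 1]
    return hits

if __name__ == "__main__":
    print("presence profile:", presence(SNAPSHOTS))
    print("gateway MAC changes:", gateway_mac_changes(SNAPSHOTS))
    print("MACs answering for several IPs:", shared_macs(SNAPSHOTS))
```

Feeding real `arp -a` output into SNAPSHOTS instead of the constructed tuples turns this into a minimal ARP-spoof watchdog for a flat home /24.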

All of this is not only possible, it's probable given the fierce competition in IoT, the lack of regulations governing technology use in general, and the fact that, to a marketer, such behavior has a very low risk of being detected due to the nature of a 30-year-old plumbing protocol known as ARP.

I don't know of any device doing this of course, but I'm not the only one thinking about it. Steve Gibson dedicated a recent Security Now! show to the problem of ARP at home. His solution? He called it "Three Dumb Routers," a fix that more or less mirrors how enterprises use VLANs to segment broadcast domains.

# Mobile Mondays: Why I still rock a Blackberry

Like a lot of people who work in technology, my approach to mobile phones has always been simple: I want the latest hardware running the latest software and I'm content. I own multiple apps on just about every mobile platform, and since everything these days supports ActiveSync, has mature email/calendar/contact support, and since Microsoft has started developing some awesome applications for iOS & Android, I find I can function on just about any mobile device.

But all that's changed in the last six months or so. Today, a bulky communications device is hanging from my belt. This device comes with (gasp) a physical keyboard and is decidedly unhip and un-modern, with a square screen, no fingerprint reader, and comparatively few apps.

Yes sir. I rock a Blackberry Classic in an era of cloud, AI, and Uber. Why? Honestly, for one reason:

It gives me nearly full control of my mobile from my PC via Blend. I have observed in many businesses that employees often stop what they are doing on their PC, pick up their mobile phone after a notification, and tap out a response via whatever is hip and cool these days.

I have observed myself doing this as well; for instance, I might be coding something cool in PowerShell ISE, but once my mobile beeps, I stop, move my hands from my awesome mechanical keyboard and pick up my mobile. I wonder how much computing mojo I lose as I switch from computing on a real computer with acres of screen real estate to a tiny computer with a tiny screen and an awful keyboard, and then switch back?

I think I lose a lot of mojo, way more, in fact, than when I reach for my cursed mouse. I want to keep my hands on my keyboard because that's where I'm most productive. So how does Blackberry help me do that?

Enter Blend, a Blackberry fat client that runs on Windows. Blend essentially tunnels to my phone and allows me to read and respond to SMS messages and BBM, and to manage things on my mobile from the comfort of my desktop. It saves me from switching back and forth, in other words, and I find that that fact, incredibly, outweighs all the negatives of rocking a Blackberry in 2016.

There are other ways to make sure your hands never leave your desktop keyboard, but Blend is better than syncing SMS messages to Outlook/Exchange because you won't end up reading the same SMS twice. And it's better than iOS + iMessage + Mac because it's agnostic and runs on Windows or on OS X when I choose to boot into it. And it's way better than Android's solutions, which involve (where to start?) Hangouts or Pushbullet or AirDroid or some nonsense. Oh, by the way, Blend also has the same UI and fat-client feel in its iPad app.

The way I figure it, the less I'm reaching for and interacting with my mobile device at work, the better. I'd prefer to do all computing & communicating on my workstation as it's built for that purpose and I'm highly-skilled at using it.

When I'm not, I'll reach for my mobile.