EtherOops – A New Attack Let Hackers Exploit a Bug in Ethernet Cables to Bypass Firewall and NATs

Researchers unveiled a very new method that helps to exploit a vulnerability in Ethernet cables to bypass firewalls and NATs. 

Earlier, this exploitation is considered as non-exploitable; but, now the weakness was named as Etheroops. This vulnerability works only if the targeted system network includes faulty Ethernet cables on the path from attackers to the victims.  

How Etheroops Works

The research team at Armis described that the Etheroops attack is primarily a packet-in-packet attack. These attacks generally used when the network packets are placed inside each other. 

The outermost case is an excellent packet, whereas the inner one carries all sought of malicious code or various commands. The outermost case is benign, and it enables the attack payload to move in with the help of first network protection, like firewalls, or other security commodities. 

While the inner case attacks are the devices that are inside the network, that’s why the networking case does not alter their production and dissipate their “outer case.” 

Now the faulty Ethernet cables come into action, but defective Ethernet cable experiences undesired electrical intervention, and the inside parts of the actual packet start flipping. This action starts damaging the outermost case slowly and leaves the innermost case active.

Prerequisites for a Successful Attack

The security researchers have asserted that there are some prerequisites for making this attack successful, and we have mentioned below the necessities of this attack step by step.

1) Sending benign packets through the Firewall/NAT

This step includes the process of sending a stream of benign packets, by a firewall/NAT.

2) The occurrence of bit-flips (or: Bad Cables)

In this process, the bit-flips are expected to work correctly as it requires random occurrence on target Ethernet cables. But, when the security experts observed over different segments of their install base, they remarked different error rates.

3) Checksum manipulation (or: Finding out internal MAC Addresses)

This process works after the Ethernet cable occurs, that’s why a checksum tool that is available in the framing headers of the Ethernet helps to identify the corrupted files.

Proximity Attack Based on EMP

According to the researchers, the faulty Ethernet cable has a background of electromagnetic interference (EMI). That’s why the researchers carried out an experiment, which is a cable that is not being guarded, conducting an attenuated signal, and this signal becomes susceptive at higher levels of EMI. 

There might be some specific devices that transmit an electromagnetic pulse that can create this type of disturbance that are the EMP weapon. These device uses wideband vibrations that lie between 100MHz – 2GHz to interfere with any cabling as lengthy as 5 centimeters.

The internal cell that is the innermost case is not as safe as it contains all sorts of malicious data and commands.

One-Click Attack Scenario

In this scenario, the threat actors lead their target to a malicious website, that is controlled by them, by sending the objectives a malicious link. Once the user submits the outbound packets to the server controlled by the attacker, they get the authorization to send a surge of good packets to the targets that will travel within the whole network.

Zero-Click Proximity Attack Scenario

In this attack scenario, the stream of good packets moves within the network perimeter security defenses (firewall/NAT) of the user, and this is possible only if the attacker manages to trick the DNS reply from the IP address of the user’s DNS resolver.

All these procedures depend upon the threat actor, as he/she gets to decide which method he/she will prefer among all these various methods of Ethernet cable. 

Moreover, the security researchers are finding all the variants so that the users can get know the EMI procedures perfectly.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.