In search of riches, hackers plant 4G-enabled Raspberry Pi in bank network
-
Don't give hackers a bad name.
-
Also our bank had some kind of port security so if it wasn't a recognized MAC address, the port just switched off.
Any serious company will have this as basic security. It's a fundamental function even available on your consumer-grade router at home. While it's overkill for that use, it's basic security for a company.
That's why it's not surprising at all that a bank didn't bother to do that. Banks have some of the most egregious security issues.
And really shitty auditors apparently. A good one would have at least spot checked for unsecured ports.
-
Don't stress mate. We've all aged in the 20 years between 2019 and 2025.
Yeah my beard has gone fully salt-and-pepper, and I’m getting a lot more grays on my head nowadays
-
It's like Ocean's 11
-
Wouldn't the 4G connection be easily traceable? Like law enforcement could pretty easily figure out who owns the line.
-
What in the Mr. Robot...
-
Wouldn't the 4G connection be easily traceable? Like law enforcement could pretty easily figure out who owns the line.
It's not too hard to get a SIM in someone else's name.
They'd have an account owner name, but that person may not exist or they only remember some person paying them to get a phone in their name which isn't illegal.
-
This is still trivial. A Pi with 2 NICs and a Linux bridge. Using the 2 ports, effectively put the Pi in between the device you want to spoof and the rest of the network. Now you can see the traffic, the MAC addresses etc.
Port security prevents this. As soon as the switch detects a physical disconnect it disables the port.
You could, with some electrical engineer-level tools and hardware, passively read the traffic to determine the MAC and then splice into the wire without disrupting the physical connection. But it would be very hard to do covertly or quickly.
-
That’s why it’s not surprising at all that a bank didn’t bother to do that. Banks have some of the most egregious security issues.
Same as anywhere else. Complacency, lax auditing, temporary fixes which are in place for years, non-technical people making technical decisions (choosing convenience over security, generally).
-
This is quite an awesome attack if you think about it.
It's utterly brilliant. And huge respect to the team for picking it up!
-
... Which financial company do you work for?
Any of the major banks consider breaches as cost of doing business at their scale compared to smaller banks. My bank prides itself on never having a breach, and it is insufferable to develop code for, but I guess it’s the price of security.
-
It's not too hard to get a SIM in someone else's name.
They'd have an account owner name, but that person may not exist or they only remember some person paying them to get a phone in their name which isn't illegal.
Don't forget, burner phones still exist.
You can handle everything in cash if you're smart.
The phone isn't important, you just want a cheap SIM with no tracks leading to you.