Researchers at the Stevens Institute of Technology have developed ‘SkyNET’, a stealth network that connects hosts to a botmaster through a mobile drone.
Measuring 13×18 inches, the drone is fitted with Wi-Fi, 3G mobile data link, a Linux Operating System, and is programmed to scour an urban area and compromise wireless networks, mostly used at homes.
Personal networks are the most unsecured networks on the Internet. They often contain no security controls, unpatched machines, no logging or auditing, bad password management, and typically run wireless radio with poor security.
Researchers Theodore Reed, Joseph Geis and Sven Dietrich hope that their experiment could preempt attacks that use out-of-band communication to control Internet hosts.
They say that the SkyNET is used by a botmaster to command their botnet(s) without using the Internet. The network comprises machines on home Wi-Fi networks in a proximal urban area, and one or more autonomous attack drones.
When a host is compromised it joins both the Internet-facing botnet, and the sun-facing SkyNET, say the researchers. Subsequent drone flights are used to issue command and control without ever linking the botmaster to the botnet via the Internet.
The researchers say that SkyNET takes advantage of poorly configured wireless network security, and poor trust configurations on mobile devices, to join networks and access devices locally using a mobile attack drone.
The SkyNET drone is controllable via auto-pilot or via a 3G connection.
The researchers say, "Once network access is acquired, the drone utilises an array of existing tools to compromise hosts, such as the Metasploit framework…The drone implements a 4-step attack procedure to enlist hosts into the network. We call this procedure PAAE (pilot, attack, attack, enlist)."
To compensate for the limited computational power, the drone uses a 3G mobile data link to off-load computation to an Amazon Elastic Compute Cloud (EC2) GPU Cluster instance running cracking software.
The researchers say, "Once the drone has access to a compromised network its second task is to attack hosts; preferring non-mobile hosts. The botmaster can deploy an array of attack scripts or frameworks."
"Once a host is compromised, the drone exchanges identification information, configures a callback mechanism, and secures the host as it is now a potential asset to SkyNET."
They suggest that detection of a SkyNET may be possible by observing the behavior of the underlying botnet and discovering the geolocation of the bots.