The Jedi Packet Trick Takes Over The Deathstar: Taking NIC Backdoors To The Next Level presented at CanSecWest 2010

by Arrigo Triulzi

Summary: Arrigo presented his methods for taking over a theoretical firewall running 2 Broadcom NICs and an Nvidia GPU card. He was able to compromise the external NIC using the remote firmware update capability. He hypothesized that this capability was a vestige of factory testing, but it was still enabled, and he was able to use it to take control of the NIC. Once in the NIC, he could traverse the PCI bus and install SSH on the video card. He continued by leapfrogging to the inside NIC, where he was able to capture, redirect, and alter traffic through means currently undetectable by the operating system.