See Like a Bat: Using Echo-Analysis to Detect Man-in-the-Middle Attacks in LANs, presented at Black Hat Asia 2019

by Yisroel Mirsky

Summary: Although Man-in-the-Middle (MitM) attacks on LANs have been known for some time, they are still considered a significant threat. This is because these attacks are relatively easy to achieve, yet challenging to detect. For example, a planted network bridge or compromised switch leaves no forensic evidence.

In this talk, I will present Vesper: a novel plug-and-play MitM detector for local area networks. Vesper uses a technique inspired by the domain of acoustic signal processing. Analogous to how echoes in a cave capture the shape and construction of the environment, so too can a short and intense pulse of ICMP echo requests model the link between two network hosts. Vesper sends these probes to a target network host and then uses the reflected signal to summarize the channel environment (think sonar). Vesper uses neural networks called autoencoders to profile the link with each host, and to detect when the environment changes. Using this technique, Vesper can detect MitM attacks with high accuracy, to the extent that it can distinguish between identical networking devices. Vesper is implemented at the software level and is therefore cross-platform.

We evaluate Vesper on LANs consisting of video surveillance cameras, servers, and hundreds of PC workstations. We show how Vesper works across multiple network switches and in the presence of traffic. We also investigate several possible adversarial attacks against Vesper, and demonstrate how Vesper mitigates these attacks. Finally, we show how Vesper can be used to fingerprint network devices remotely (e.g., for tamper protection). To demonstrate this, we show how Vesper can differentiate between 40 identical Raspberry Pis.

Vesper's source code will be available for anybody to download, and a white paper will be provided.