
I am curious about the transfer of malware from one machine to another by use of a KVM Switch.

I am looking to connect a KVM switch between my computers up to my new testing machine, and want to make sure that if something happens to the testing machine, I somehow won't infect other computers attached via the KVM switch.

Note: for those who don't know what a "KVM Switch" is, it is essentially a device that connects a keyboard, video device, and/or a mouse between multiple computers that can be switched with the press of a button. There are many kinds that do many things. Some are specific to one or the other (i.e., keyboard and mouse only), and others do all sorts of cool things such as audio.

Note 2: The "testing machine" is a machine that will be used for vulnerability learning and testing of applications for exploits via sites such as OWASP. I am not sure what I will encounter when doing this, but since these sites are dedicated to vulnerability testing, and meant to be exploited, who knows what people could do to it that could be very bad for the network and its computers.


So essentially is it possible to transfer malware through a KVM switch, and how likely is something like this to occur?

EDIT: Just found this: "Can a KVM switch be vulnerable through a VGA port?"

Not sure if this would be an issue in my case, but thought it would be an interesting post to add. It seems the issue is the "VGA Port," but I would assume USB could also be interfaced and connected to, to execute malicious code... The question is... How likely is that to happen? I would assume it would be easier to connect over USB, than VGA, but not sure if something special is needed in how the malware transfers over.

XaolingBao
  • You've got quite a few questions here, and it would probably be better to split them off into individual ones. Basic KVMs are essentially two-way switches, which direct the signals to and from a given device to one of the attached computers, but are themselves invisible to the computers: any attack which can affect the devices should pass through unmodified. If you can get infected by unplugging the device and plugging it into a different machine, you can still suffer that from a KVM-connected device. It gets more complicated with more high-tech KVMs, which have more features... – Matthew Sep 20 '16 at 16:28
  • Sorry, it's kind of a broad question. I maybe should have asked specifically on the KVM switches, because I assume that it is possible to get infected by being connected to anything, right? So what you're saying is that you could not only send malicious code through the devices, but even control the devices with malicious code? I'm now curious about the likelihood of this happening? Thanks. – XaolingBao Sep 20 '16 at 16:31

1 Answer


There are 3 ways a USB KVM switch could infect its "neighbour":

1: If the KVM switch supports firmware upgrade over USB without any physical button press to put it in "upgrade mode", then a BadUSB style of attack could be used to reprogram the KVM switch to send commands or similar.

2: If the KVM switch's USB host accepts anything, including USB drives, and you have connected a USB drive to it. If the "bad" computer infects the drive, and you then push the button to switch over, the infected USB could also infect the "clean" computer.

3: If any device behind the KVM is vulnerable to BadUSB, for example a keyboard or mouse, and then the device is "infected", and you switch over.


However, a KVM switch that uses PS/2 output, I would say, is 100% safe, even if its console input is USB. E.g., the following 2 types of KVM switches are safe:

  • 2 USB ports + 1 VGA/DVI/HDMI port --> 2 VGA/DVI/HDMI ports and 2 purple PS/2 and 2 green PS/2
  • 1 purple PS/2 and 1 green PS/2 + 1 VGA/DVI/HDMI port --> 2 VGA/DVI/HDMI ports and 2 purple PS/2 and 2 green PS/2

These types of KVM switches are safe, even if you use a PS/2 to USB adapter, and/or a USB to PS/2 adapter to connect to it, as the PS/2 lines cannot transfer malicious data, thus no malicious data could be transferred over at button-press.

Yes, the PS/2 to USB adapter connected at the "bad" host end could of course be infected with "BadUSB" malware, but then the infection would be contained to that host, as the "clean" computer has its own adapter, and the transfer from host to KVM switch is PS/2.

PS/2 devices that are firmware-upgradeable over the PS/2 line without having to switch to USB mode or similar, I would say, you can count on one hand.


Image ports, like VGA, DVI and HDMI, are fully safe, as they cannot mount or send commands to the computer. They can send identification strings to the computer, like the manufacturer name of the screen and its supported rates and resolutions, but to actually compromise anything, the device would then need to take advantage of an exploit in the host computer like a buffer overflow or similar AND the monitor must be firmware-upgradeable over the image port, so the malicious payload can be installed.

Pretty unlikely that the computer monitor would be firmware-upgradeable via its picture input AND you get malware on the "bad" computer that supports infecting the monitor AND the "clean" computer is vulnerable (buffer overflow or similar) to bad strings sent via the image port.

sebastian nielsen
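The answer's cases 2 and 3 (a drive on the KVM's shared port, and a keyboard or mouse that has been reprogrammed) are the ones a host on the "clean" side can actually check for. The following is an added example, not code from the question or the answer: a small USB peripheral policy of the kind that tools such as usbguard enforce in production. A device is admitted only if every interface it exposes is HID, it presents at most one keyboard, and its interface set still matches the fingerprint recorded when an operator first approved the physical device. All VID/PID/serial values and descriptors are constructed for the demo, not read from hardware.

```python
"""
Added example (not from the original post or the answer): a small USB
peripheral policy of the kind a host on the "clean" side of a KVM could
enforce; production tools such as usbguard implement the same idea. It
covers the answer's cases 2 and 3: a drive plugged into the KVM's shared
port, and a keyboard or mouse whose interface set has changed since it was
first enrolled (the BadUSB pattern of a peripheral that starts presenting a
keyboard interface it did not have before). Every device descriptor here is
constructed for the demo, not read from hardware.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

USB_CLASS_HID = 0x03            # keyboards and mice
USB_CLASS_MASS_STORAGE = 0x08   # USB drives
HID_BOOT_SUBCLASS = 0x01
HID_PROTO_KEYBOARD = 0x01
HID_PROTO_MOUSE = 0x02

Fingerprint = Tuple[Tuple[int, int, int], ...]


@dataclass(frozen=True)
class Interface:
    cls: int
    subclass: int = 0
    protocol: int = 0


@dataclass(frozen=True)
class Device:
    vid: int
    pid: int
    serial: str
    interfaces: Tuple[Interface, ...]

    def key(self) -> Tuple[int, int, str]:
        # Identity as claimed by the device itself; a reprogrammed device can
        # lie here, which is why the interface fingerprint is checked as well.
        return (self.vid, self.pid, self.serial)

    def fingerprint(self) -> Fingerprint:
        return tuple(sorted((i.cls, i.subclass, i.protocol) for i in self.interfaces))


def evaluate(dev: Device, enrolled: Dict[Tuple[int, int, str], Fingerprint]) -> Tuple[str, str]:
    """Return ("allow" | "block", reason).

    `enrolled` maps a device key to the interface fingerprint recorded when
    an operator first approved the physical device.
    """
    # Case 2 from the answer: anything that is not a HID peripheral (a drive,
    # or a composite drive+keyboard) is refused outright.
    for i in dev.interfaces:
        if i.cls != USB_CLASS_HID:
            return "block", f"interface class 0x{i.cls:02x} is not HID"
    # One keyboard is normal; two keyboard interfaces on a single device is
    # the classic shape of an injected input channel.
    keyboards = sum(1 for i in dev.interfaces
                    if i.subclass == HID_BOOT_SUBCLASS and i.protocol == HID_PROTO_KEYBOARD)
    if keyboards > 1:
        return "block", "more than one keyboard interface on a single device"
    # Case 3 from the answer: compare the interface set with what was enrolled.
    expected = enrolled.get(dev.key())
    if expected is None:
        return "block", "device not enrolled; approve it manually after inspecting the hardware"
    if expected != dev.fingerprint():
        return "block", "interface set changed since enrolment (possible reprogrammed firmware)"
    return "allow", "matches enrolment"


# Constructed sample devices (hypothetical VID/PID/serial values).
MOUSE = Device(0x1234, 0x0001, "M-0001",
               (Interface(USB_CLASS_HID, HID_BOOT_SUBCLASS, HID_PROTO_MOUSE),))
MOUSE_REFLASHED = Device(0x1234, 0x0001, "M-0001", (
    Interface(USB_CLASS_HID, HID_BOOT_SUBCLASS, HID_PROTO_MOUSE),
    Interface(USB_CLASS_HID, HID_BOOT_SUBCLASS, HID_PROTO_KEYBOARD),  # new: can type keystrokes
))
THUMB_DRIVE = Device(0x5678, 0x0002, "D-0002",
                     (Interface(USB_CLASS_MASS_STORAGE, 0x06, 0x50),))  # SCSI transparent, bulk-only
UNKNOWN_KEYBOARD = Device(0x9ABC, 0x0003, "K-0003",
                          (Interface(USB_CLASS_HID, HID_BOOT_SUBCLASS, HID_PROTO_KEYBOARD),))

ENROLLED = {MOUSE.key(): MOUSE.fingerprint()}

if __name__ == "__main__":
    for d in (MOUSE, MOUSE_REFLASHED, THUMB_DRIVE, UNKNOWN_KEYBOARD):
        print(f"{d.vid:04x}:{d.pid:04x} {d.serial}: {evaluate(d, ENROLLED)}")
```

The fingerprint check only catches a device whose interface set changed; a keyboard that is already enrolled and later reprogrammed to type on its own still matches its enrolment, which is exactly the residual risk André Borie raises in the comments below, and the reason the answer prefers PS/2 on the computer side.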
  • I wouldn't say PS2 is bulletproof. It's hard to compromise a PS2 device from a computer (PS2 is unidirectional afaik); however, assuming the device is already pwned, it can still do BadUSB-style attacks by typing in malicious commands. – André Borie Sep 21 '16 at 00:24
  • @AndréBorie But if it cannot be pwned from the computer, then it cannot type malicious commands. Given the OP's prerequisites, the OP intends to run live viruses (or at least, visit malicious websites) on an isolated machine, and wonders if a KVM switch isolates enough. Physical security is not an issue. The question is if a dangerous virus could traverse the airgap the KVM switch creates between the virus machine and the clean machine. And then I say, as long as the connection to both computers is of PS/2 type (with or without PS/2-->USB adapter) then you are safe. – sebastian nielsen Sep 21 '16 at 04:32
  • Also PS/2 is not unidirectional, as the computer can send capslock/numlock status, but the PS/2 protocol contains no utilities for firmware upgrade or other exploit vectors. There might be a single vendor that has a FW-upgrade utility that sends capslock flashes to initiate upgrade mode or other similar vendor-specific "hacks", but these are extremely rare, and that's what I mean by "count on one hand", and thus there exists no malware for these either. – sebastian nielsen Sep 21 '16 at 04:36
  • Thanks for the information guys. One thing is, I had posted a link to a question that asks about VGA being able to be controlled and used to transfer malicious code, and one of the answers seemed to indicate this is possible through VGA as well? – XaolingBao Sep 21 '16 at 07:29
  • @XaolingBao I covered this in my answer too. Infection via VGA requires three prerequisites to succeed: firmware-upgradeability via VGA, that the malware you get on the "bad" computer supports infection via VGA, AND the "clean" computer has a vulnerability such that it would get "owned" by the payload in the VGA. These three are extremely unlikely; you are more likely to win like 1 billion $ in the lottery. So I would say VGA is safe too. – sebastian nielsen Sep 21 '16 at 10:50
  • -1 **Image/video ports are NOT fully safe!** They _do_ send commands to the computer. For example, EDID, CEC, HDCP, etc. This not only involves sending commands to the computer, but they are known to be exploitable. **Please do not spread misinformation based on naive assumptions.** As someone who has actually compromised systems over EDID, this answer irritates me greatly. – forest Mar 22 '18 at 01:07
  • @forest : I covered that in my answer. EDID and HDCP are pretty safe, as they would require an exploit in the target computer to accomplish anything. CEC is a bit more dangerous, but usually requires configuration in the host PC to become fully enabled. If enabled by default, it can easily be disabled so the PC cannot be CEC controlled. – sebastian nielsen Mar 22 '18 at 01:07
  • They are far from safe. Go read the EDID parser in the Linux kernel, for example. Or should I say, the multiple parsers. So yes, it requires exploitation. How else do you expect malicious code to transfer between machines without a shared filesystem or network? You can say that an exploit is required, but you cannot say that it is "completely safe", or that exploitation is particularly difficult or unheard of. – forest Mar 22 '18 at 01:08
  • What I meant is that it requires a specific chain of events that are extremely unlikely to happen and requires multiple vulnerable targets to accomplish. As I said, the exploit must in some way be planted so it can be sent to the "clean" computer. And with my suggested setup (PS/2 with no firmware updateability) and the screen in question NOT being firmware-updateable over the image port, how would you accomplish that, assuming you "owned" one of the computers airgapped by said KVM switch? – sebastian nielsen Mar 22 '18 at 01:13
  • You are right about PS/2. It's simple enough that I would be surprised if there were any major bugs. I just take exception with saying that (not ancient) VGA, DVI, etc. are "100% safe". – forest Mar 22 '18 at 01:15
  • The reason I say they are safe is that displays that have any form of persistent ability to store malicious data are very uncommon. To accomplish an attack, you would need to infect either the screen or the KVM switch *VIA* the image port. And that requires the device to actually support firmware updates that way. For the sake of the question, I would say 100% safe. For a targeted high-value attack against him, let's say if he would work for the defense department: not 100% safe. You understand? – sebastian nielsen Mar 22 '18 at 01:18
  • You still overestimate the difficulty of this kind of exploitation. It most certainly is not limited to nation-state actors. Yes, it's not a likely concern for J. Random Hacker, but that doesn't mean it is "100% safe". For hardware vulnerabilities overall, I would say this is up there. Easier than exploiting a USB hub (but not necessarily class drivers, of course). – forest Mar 22 '18 at 01:30
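The answer notes that a display only sends "identification strings" to the computer, and the comment thread above disputes how safe that is, pointing at the host's EDID parser as the place where a malformed block matters. The following is an added example, not code from the answer, the comments, or any kernel: a strict parser for the 128-byte EDID base block that refuses anything outside the format (wrong length, wrong header, bad checksum, letters outside A-Z in the manufacturer ID, non-printable bytes in the monitor name) instead of trusting the device. The EDID blocks it parses are constructed inline for the demo.

```python
"""
Added example, not part of the answer or the comment thread: a strict
parser for the 128-byte EDID base block that a monitor (or a KVM switch in
the video path) hands to the host. The host side is where the comments say
the real risk sits, so the parser rejects anything that is not exactly what
the format allows instead of trusting the device. The sample EDID blocks are
constructed here for the demo.
"""
import struct

EDID_LEN = 128
EDID_HEADER = b"\x00\xff\xff\xff\xff\xff\xff\x00"
DESC_OFFSET = 54          # four 18-byte descriptors at bytes 54..125
DESC_LEN = 18
TAG_MONITOR_NAME = 0xFC


class EdidError(ValueError):
    """Raised for any block that fails validation; the caller then ignores the display's claims."""


def manufacturer_id(raw: bytes) -> str:
    # Big-endian 16-bit value: bit 15 reserved, then three 5-bit letters, 1 = 'A'.
    v = struct.unpack(">H", raw)[0]
    letters = [(v >> 10) & 0x1F, (v >> 5) & 0x1F, v & 0x1F]
    if any(not 1 <= c <= 26 for c in letters):
        raise EdidError("manufacturer id letter outside A-Z")
    return "".join(chr(ord("A") + c - 1) for c in letters)


def parse_edid(block: bytes) -> dict:
    if len(block) != EDID_LEN:
        raise EdidError("base block must be exactly 128 bytes")
    if block[:8] != EDID_HEADER:
        raise EdidError("bad EDID header")
    if sum(block) % 256 != 0:          # all 128 bytes must sum to 0 mod 256
        raise EdidError("checksum mismatch")
    info = {
        "manufacturer": manufacturer_id(block[8:10]),
        "product": struct.unpack("<H", block[10:12])[0],
        "serial": struct.unpack("<I", block[12:16])[0],
        "year": 1990 + block[17],
        "version": (block[18], block[19]),
        "extensions": block[126],
        "name": None,
    }
    for n in range(4):
        start = DESC_OFFSET + n * DESC_LEN
        d = block[start:start + DESC_LEN]
        # Display descriptors start with 00 00 00 <tag> 00; other slots hold timings.
        if d[0:3] == b"\x00\x00\x00" and d[3] == TAG_MONITOR_NAME:
            name = d[5:18].split(b"\x0a", 1)[0].rstrip(b" ")
            if not all(0x20 <= c < 0x7F for c in name):
                raise EdidError("monitor name contains non-printable bytes")
            info["name"] = name.decode("ascii")
    return info


def rejects(block: bytes) -> bool:
    """True if the validator refuses the block."""
    try:
        parse_edid(block)
    except EdidError:
        return True
    return False


def build_sample(name: bytes, corrupt_checksum: bool = False) -> bytes:
    """Construct a minimal EDID 1.3 block for the demo (manufacturer 'DEM')."""
    b = bytearray(EDID_LEN)
    b[0:8] = EDID_HEADER
    b[8:10] = struct.pack(">H", (4 << 10) | (5 << 5) | 13)   # D, E, M
    b[10:12] = struct.pack("<H", 0x1234)
    b[12:16] = struct.pack("<I", 42)
    b[16], b[17] = 1, 30                                      # week 1 of 2020
    b[18], b[19] = 1, 3                                       # EDID 1.3
    b[DESC_OFFSET:DESC_OFFSET + 5] = b"\x00\x00\x00\xfc\x00"
    b[DESC_OFFSET + 5:DESC_OFFSET + 18] = (name + b"\x0a")[:13].ljust(13, b" ")
    b[127] = (-sum(b[:127])) % 256
    if corrupt_checksum:
        b[127] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    print(parse_edid(build_sample(b"Demo Monitor")))
    print("tampered checksum rejected:", rejects(build_sample(b"Demo Monitor", corrupt_checksum=True)))
    print("non-printable name rejected:", rejects(build_sample(b"X\x00Y")))
```

The point of the example is the shape of the defence, not the parser itself: every field is bounds-checked against the fixed layout before use, and any deviation discards the whole block rather than being tolerated, which is the behaviour a host-side EDID parser needs if, as the comments argue, the display cannot be assumed honest.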