What is Dark Matter and Why it Puts Your Networks at Risk
By definition, dark matter is a hypothetical form of matter that makes up roughly 27% of the mass and energy of the observable universe. In network security we use the term for the part of the management plane that is routinely ignored and left exposed on the observable network: the baseboard management controllers (BMCs) built into servers and the Intelligent Platform Management Interface (IPMI) they expose.
Cybercriminals’ Perfect Spying Platform: BMCs
Bruce Schneier, an American cryptographer and computer security and privacy specialist, writes:
“The BMC is an embedded computer found on most server motherboards made in the last 10 or 15 years. Often running Linux, the BMC’s CPU, memory, storage, and network run independently. It runs Intel’s IPMI out-of-band systems management protocol alongside network services (web, telnet, VNC, SMTP, etc.) to help manage, debug, monitor, reboot, and roll out servers, virtual systems, and supercomputers. Vendors frequently add features and rebrand OEM’d BMCs: Dell has iDRAC, Hewlett Packard iLO, IBM calls theirs IMM2, etc. It is popular because it helps raise efficiency and lower costs associated with availability, personnel, scaling, power, cooling, and more.”
Schneier goes on to say that “basically, it’s a perfect spying platform. You can’t control it. You can’t patch it. It can completely control your computer’s hardware and software. And its purpose is remote monitoring. At the very least, we need to be able to look into these devices and see what’s running on them…”
IPMI is a low-level interface specification that has been adopted by many hardware vendors. It lets a system administrator manage servers remotely at the hardware level, below and independently of the operating system. IPMI runs on the BMC and provides access to the BIOS, disks and other hardware; it also supports remote booting from a CD image or over the network, and monitoring of the server environment (temperatures, fans, voltages, power). Over the network it is carried as IPMI-over-LAN (RMCP/RMCP+) on UDP port 623, and the BMC additionally runs a limited set of its own network services (web, telnet, VNC and the like) to facilitate management and communication among systems.
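The first step in dealing with dark matter is finding it. The RMCP presence ping is the unauthenticated discovery message that IPMI-over-LAN endpoints answer on UDP/623 (it is what tools such as nmap's ipmi-version script send). The following is an added example, not code from the original page or from any vendor: it builds a presence ping from the RMCP/ASF header layout in the IPMI v2.0 specification, parses the presence pong, and reports whether the responder advertises IPMI support. The sample pong bytes are constructed for the offline demonstration, not captured from a real device; `probe_bmc` is the only part that touches the network.

```python
import socket
import struct
from typing import Optional

# RMCP/ASF constants from the IPMI v2.0 specification (RMCP header, ASF presence ping/pong).
RMCP_PORT = 623                 # IPMI-over-LAN listens on UDP/623
RMCP_VERSION = 0x06             # ASF RMCP version 1.0
RMCP_SEQ_NO_ACK = 0xFF          # sequence number 0xFF = no RMCP ACK requested
RMCP_CLASS_ASF = 0x06           # message class: ASF
ASF_IANA = 0x000011BE           # 4542, the ASF enterprise number
ASF_PRESENCE_PING = 0x80
ASF_PRESENCE_PONG = 0x40
PONG_DATA_LEN = 16


def build_presence_ping(tag: int = 0x01) -> bytes:
    """Build a 12-byte RMCP presence ping: 4-byte RMCP header + 8-byte ASF header, no data."""
    rmcp_header = struct.pack("!BBBB", RMCP_VERSION, 0x00, RMCP_SEQ_NO_ACK, RMCP_CLASS_ASF)
    asf_header = struct.pack("!IBBBB", ASF_IANA, ASF_PRESENCE_PING, tag & 0xFF, 0x00, 0x00)
    return rmcp_header + asf_header


def parse_presence_pong(packet: bytes) -> dict:
    """Parse a presence pong and report what the responder admits to supporting."""
    if len(packet) < 12 + PONG_DATA_LEN:
        raise ValueError("packet too short for an RMCP presence pong")
    version, _reserved, _seq, msg_class = struct.unpack("!BBBB", packet[:4])
    if version != RMCP_VERSION or msg_class != RMCP_CLASS_ASF:
        raise ValueError("not an RMCP/ASF message")
    iana, msg_type, tag, _reserved, data_len = struct.unpack("!IBBBB", packet[4:12])
    if iana != ASF_IANA or msg_type != ASF_PRESENCE_PONG or data_len != PONG_DATA_LEN:
        raise ValueError("not an ASF presence pong")
    # Pong data: OEM IANA (4), OEM defined (4), supported entities (1),
    # supported interactions (1), reserved (6).
    oem_iana, oem_defined, entities, interactions = struct.unpack("!IIBB", packet[12:22])
    return {
        "tag": tag,
        "oem_iana": oem_iana,
        "oem_defined": oem_defined,
        "ipmi_supported": bool(entities & 0x80),                # bit 7: IPMI supported
        "asf_version": entities & 0x0F,                         # bits 3:0: ASF version
        "rmcp_security_extensions": bool(interactions & 0x80),  # bit 7 of interactions
    }


def probe_bmc(host: str, timeout: float = 2.0) -> Optional[dict]:
    """Send one presence ping to host:623 and return the parsed pong, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_presence_ping(), (host, RMCP_PORT))
        try:
            data, _addr = sock.recvfrom(1024)
        except socket.timeout:
            return None
    return parse_presence_pong(data)


# Constructed sample pong (not a real capture): IANA 4542, no OEM data,
# supported entities 0x81 (IPMI supported, ASF 1.0), interactions 0x00.
SAMPLE_PONG = bytes.fromhex(
    "0600ff06"                            # RMCP header
    "000011be40010010"                    # ASF header: pong, tag 1, data length 16
    "000011be000000008100000000000000"    # 16 bytes of pong data
)

if __name__ == "__main__":
    import sys
    # Usage: python rmcp_probe.py <bmc-ip> [<bmc-ip> ...]   (hypothetical file name)
    for target in sys.argv[1:]:
        print(target, probe_bmc(target))
```

Run it from a network segment that should not be able to reach your BMCs: any host that answers with `ipmi_supported` set is dark matter reachable from the wrong place. Note that the pong is unauthenticated by design, so it tells an attacker exactly the same thing.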
How to Mitigate the Risk
BMCs expose organizations to the weaknesses found across embedded devices generally: default passwords, outdated open-source components and, in some cases, backdoor accounts and static encryption keys. Some common ways these threats are addressed, each only partially effective:
- Some manufacturers publish these default passwords and recommend customers change these defaults FIRST – many customers do not heed this wise advice.
- Industry forums suggest not to leave the iDRAC directly exposed to the internet.
- Many use ACLs in their routers to prevent unauthorized IP addresses from reaching the BMC.
- Others put the BMC on a private IP block so this is less of an issue.
- Customers may restrict IPMI traffic to trusted internal networks, such as a management VLAN segment with strict network controls, use strong, unique passwords and encrypt the traffic.
- Others add LDAP authentication, privileged access management (PAM) solutions, password vaults and jump servers in front of the BMC.
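The controls listed above are only as good as their coverage, and coverage drifts: a server gets racked with its BMC on the production VLAN, or a default password is never changed. The following is an added example, not the page's own code or any vendor's tooling: it audits a BMC inventory against three of the listed controls (management VLAN placement, non-routable addressing, and strong, unique, non-default passwords). The management range, the minimum password length and the inventory entries are all hypothetical; the three default credential pairs are the widely published vendor defaults for Dell iDRAC, Supermicro and IBM IMM.

```python
import ipaddress
from collections import Counter

# Assumed management VLAN range(s); substitute your own. Hypothetical value.
MANAGEMENT_NETS = [ipaddress.ip_network("10.250.0.0/24")]

# RFC 1918 private ranges; a BMC outside these is on a routable address.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Widely published vendor defaults (Dell iDRAC, Supermicro, IBM IMM).
KNOWN_DEFAULTS = {("root", "calvin"), ("ADMIN", "ADMIN"), ("USERID", "PASSW0RD")}

MIN_PASSWORD_LEN = 12   # assumed local policy, not a vendor requirement

# Constructed inventory for the demonstration; these are not real hosts.
INVENTORY = [
    {"host": "db01",  "bmc_ip": "10.250.0.11", "user": "root",  "password": "calvin"},
    {"host": "web01", "bmc_ip": "192.0.2.40",  "user": "admin", "password": "Tq7!vmR2pLx9"},
    {"host": "web02", "bmc_ip": "10.250.0.12", "user": "oob",   "password": "same-everywhere-1"},
    {"host": "web03", "bmc_ip": "10.250.0.13", "user": "oob",   "password": "same-everywhere-1"},
    {"host": "app01", "bmc_ip": "10.10.5.7",   "user": "oob",   "password": "Long-Unique-Pass-42"},
]


def audit_bmc(entry: dict, reuse_counts: Counter) -> list:
    """Return the list of control failures for one BMC (empty list = passes all checks)."""
    findings = []
    ip = ipaddress.ip_address(entry["bmc_ip"])
    # Control: BMC on a private IP block.
    if not any(ip in net for net in RFC1918):
        findings.append("bmc on a non-RFC1918 (routable) address")
    # Control: IPMI restricted to the management VLAN.
    if not any(ip in net for net in MANAGEMENT_NETS):
        findings.append("bmc outside the management VLAN")
    # Control: vendor defaults changed first.
    if (entry["user"], entry["password"]) in KNOWN_DEFAULTS:
        findings.append("vendor default credentials")
    # Control: strong, unique passwords.
    if len(entry["password"]) < MIN_PASSWORD_LEN:
        findings.append(f"password shorter than {MIN_PASSWORD_LEN}")
    if reuse_counts[entry["password"]] > 1:
        findings.append("password shared with another bmc")
    return findings


def audit_inventory(inventory: list) -> dict:
    """Map each host name to its findings; password reuse is judged across the whole inventory."""
    reuse_counts = Counter(e["password"] for e in inventory)
    return {e["host"]: audit_bmc(e, reuse_counts) for e in inventory}


if __name__ == "__main__":
    for host, findings in audit_inventory(INVENTORY).items():
        print(f"{host}: {'OK' if not findings else '; '.join(findings)}")
```

Feed it the BMC addresses and credentials from your asset database or password vault rather than a hand-written list; the reuse check only works when the whole estate is in one run.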
The challenge with all of these methods is that they reduce exposure without solving the underlying problem: protecting the servers themselves on the management network.
Dark matter will nonetheless expose you to network security threats, so it needs to be addressed.
If BMC/IPMI is making you an easy target, our latest infographic shows an alternative approach to solving dark matter threats.