Virtual Datacenter Infection: Attacking VDI from the Endpoint
Virtual desktop environments have security limitations that can be exploited by attackers. A presentation demonstrated how a virtual "rubber ducky" USB device could be used to inject keystrokes and scripts into a virtual desktop to steal data or take control of the system despite security measures like multifactor authentication. While virtual desktops offer benefits like centralized management, the architecture makes it difficult to fully secure them since all input, output, and processing occurs remotely on a shared server instead of an isolated physical endpoint. Presenters concluded that although virtual desktops have valid use cases, security should not be considered an advantage since fundamental limitations leave these environments vulnerable to sophisticated attackers.
Virtual Datacenter Infection: Attacking VDI from the Endpoint
- 1. Virtual Datacenter Infection: Attacking VDI from the Endpoint John Whaley, Geoffrey Thomas@joewhaley, @geofft
- 2. 7/20/2014
- 7. Not business information: NOTHING IS LEAVING THE DATA CENTER
- 9. Citrix DaaS
- 11. DEMO
- 12. The Hoff Says...
- 18. Input Injection / Logging
- 19. Pasty Attacks
- 20. Stealing Data via QR code
- 21. DEMO
- 22. Secret Channel via Image Steganography
- 23. Secret Channel via Audio
- 24. pwn the browser
- 26. Keystroke timings are predictable
- 27. and easy to extract with a packet trace
- 28. DEMO
- 29. Side-channel attacks on the server
- 30. Defending Against Rubber Ducky Attacks
- 32. Doesnt help: Password policies Multifactor authentication
- 33. Defense in Depth
- 35. Host Assessment Check (Malware Scan)
- 36. Dumb Terminal (a.k.a. thin 界鉛庄艶稼岳)
- 38. Weak Defenses
- 39. Run Local, Not Remote
- 43. VDI Security
- 44. Implementation Challenges PCoIP input issues Drops/reorders keystrokes Key repeat issues Happens even with fast typing VMware: no accessibility support QR code not optimized for screenshots RDP sound cuts out too much for modem 7/20/2014
- 45. Conclusions 1. There is no defense against a sophisticated, malicious user. 1. There are fundamental architectural limitations to hosted desktops. 1. There are some good reasons to do VDI. Security is not one of them.