Virtual Datacenter Infection:Attacking VDI from the Endpoint

John Whaley, Geoffrey Thomas@joewhaley, @geofft

7/20/2014

Not business information:

Not business information:

Not business information:

NOTHING IS LEAVING THE DATA CENTER

Citrix DaaS

DEMO

The Hoff Says...

https://github.com/joewhaley/VirtualRubberDucky

Virtual Rubber Ducky

Rubber Ducky Attacks

Input Injection / Logging

Pasty Attacks

Stealing Data via QR code

DEMO

Secret Channel via Image Steganography

Secret Channel via Audio

pwn the browser

Side-Channel Attacks

Keystroke timings are predictable

…and easy to extract with a packet trace

DEMO

Side-channel attacks on the server

Defending Against Rubber Ducky Attacks

Securing the Client

Doesn’t help:●Password policies●Multifactor authentication

Defense in Depth

Security vs Usability

Host Assessment Check(Malware Scan)

Dumb Terminal(a.k.a. “thin client”)

Locked-Down Environment

Weak Defenses

Run Local, Not Remote

VDI Security

Implementation Challenges

• PCoIP input issues– Drops/reorders keystrokes– Key repeat issues– Happens even with fast typing ☹

• VMware: no accessibility support

• QR code not optimized for screenshots

• RDP sound cuts out too much for modem

7/20/2014

Conclusions

1. There is no defense against a sophisticated, malicious user.

2. There are fundamental architectural limitations to hosted desktops.

3. There are some good reasons to do VDI. Security is not one of them.