
So, I'm a somewhat knowledgeable person when it comes to networking, but hardly an expert. Luckily, it's not my job, but being somewhat in the know, my team at work looks to me for advice when dealing with our corporate IT department. Recently, they threw us a bizarre reason for not allowing the use of USB-C to Ethernet dongles on the most recent MacBook Pros that new designers are being given.

 

Their reasoning: the dongles store network information, allowing for easy attacks on the laptops and our network.

 

Now, I'm tempted to call bullshit on this, but wanted to see if any network gurus on here could give credence to this explanation. I can't find any security advisories on something like this, and in my limited knowledge, don't see any way for a device like this to store any information.

 

Thanks in advance!

Link to comment
https://linustechtips.com/topic/785295-need-help-from-networking-genious/

I'm not sure how using dongles is going to make it easy for people to attack the network or the laptops. If someone gets hold of one of them (and if they are actually storing information) then maybe, but that really goes for anything that can connect to the network. Maybe secure them in a way that means you can't take them away with you. If someone manages to get access to them within the business, you have a much bigger concern if they can just plug directly into the network at that point. 

 

EDIT: Also, as far as I know, they don't store any sensitive data, or any data at all other than what it needs to function (i.e., it knows nothing about the network; that is the laptop and network's job). I've swapped Ethernet adaptors between MacBooks before (not the USB-C ones, mind you) and the settings from the previous MacBook do not carry over.

 

The only thing I would be concerned about is if the adaptor is what provides a MAC address and your network uses MAC addresses to filter who is allowed to connect. If so, they could pose a security risk if someone gets hold of one as it could potentially grant them access to the network which they otherwise wouldn't be able to access. If that is the case, banning them is (somewhat) understandable. Then again, if someone really wants to gain access to your network and has the means to get physical access to systems, they can bypass the MAC filter (if there is one) by pinching ethernet/WiFi NICs out of the systems anyway. At that point, I'd be more concerned with them just taking the system if they have that much access. 

 

EDIT2: As for attacks on the laptops, they shouldn't impact that at all. I don't even know what reason someone could give for the adaptor making it easy to attack the laptop unless there is a specific security flaw. 

Link to post

I have no idea how the dongles work, and let me start by saying I'm not a Mac user, so my information may not be credible. But being an Ethernet port, it sounds possible: if the dongle holds the MAC address and Ethernet jack configuration, then it could get hijacked. However, you'd probably have to have it in your hand to attack it.

 

Now, I could very likely be wrong, because I know that in the new Macs they have a chip that determines what is plugged into the USB-C port and then alters the behavior of the port accordingly, so the Ethernet port configuration and hardware could very well be soldered to the Mac's motherboard and the dongle be nothing but a pass-through device. The best way to determine if this is a threat would be to crack open one of the dongles and look at the PCB. Unless there's a memory chip and/or a processor soldered to the dongle's PCB, it's unlikely to be any threat on its own.

Link to post

The network settings for each adapter are stored in the computer, not in the dongles. Sometimes moving an adapter to a different USB port is enough to cause it to forget which settings to use (this happens to me more on Windows than OSX but it still happens - the address for a USB device includes which port it is connected to, so moving to another port changes the address).

 

On a wired network, unless you are using 802.1X, there isn't any "network information" that could be stored anyway - IP addresses and other info provided by DHCP are never stored in the dongle, and aren't stored long-term on the computer either (and information provided by DHCP doesn't really help you if you are trying to hack into a network - it doesn't help you access the network remotely, and if you are able to plug into the network then you will be able to get all that same information directly). And if the network is using 802.1X, I am fairly sure that you can't do replay attacks on 802.1X anyway because the authentication protocol isn't susceptible to it (using previously captured information, like if it was stored on the dongle, and sending that data again in order to try to gain access is called a replay attack).
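The MAC-filtering point raised earlier in the thread, as an added example that is not part of any of the original posts: it parses `networksetup -listallhardwareports` output from a Mac and flags allowlisted MAC addresses that belong to a detachable adapter rather than to the laptop itself. The sample output, the allowlist and the port-name hints are constructed assumptions.

```python
import re

# Constructed sample of `networksetup -listallhardwareports` output from a
# USB-C MacBook Pro with one Ethernet dongle attached (all values made up).
SAMPLE_PORTS = """\
Hardware Port: Wi-Fi
Device: en0
Ethernet Address: a4:5e:60:00:00:01

Hardware Port: USB 10/100/1000 LAN
Device: en7
Ethernet Address: 00:e0:4c:00:00:03
"""

# Hypothetical MAC allowlist, as a switch or DHCP server might hold it.
ALLOWLIST = {"A4:5E:60:00:00:01", "00:E0:4C:00:00:03"}

# Assumption: adapter port names contain one of these words; adjust per fleet.
REMOVABLE_HINTS = ("usb", "lan")


def parse_hardware_ports(text):
    """Split the listing into one dict per port: name, device, mac."""
    ports = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        if "Hardware Port" in fields:
            ports.append({
                "name": fields["Hardware Port"],
                "device": fields.get("Device", ""),
                "mac": fields.get("Ethernet Address", "").lower(),
            })
    return ports


def allowlisted_on_removable(ports, allowlist):
    """Return ports whose allowlisted MAC lives in a detachable adapter."""
    allowed = {m.lower() for m in allowlist}
    return [
        p for p in ports
        if p["mac"] in allowed
        and any(h in p["name"].lower() for h in REMOVABLE_HINTS)
    ]


if __name__ == "__main__":
    for p in allowlisted_on_removable(parse_hardware_ports(SAMPLE_PORTS), ALLOWLIST):
        print(f"{p['device']} ({p['name']}): allowlisted MAC {p['mac']} moves with the dongle")
```

An entry flagged here means network access follows whoever holds the adapter, which is the case where restricting or tracking dongles has a real basis.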
