Have you ever considered the mouse in your hand is stealing data? What about your connected devices? Can you be sure that they are not spying on you?
Government agencies have developed cyber weapons that can cause massive damage to enemies. These weapons were once top-secret tools, but in recent years they have been leaked and are now in the hands of criminal organizations and nefarious hackers buying and selling the devices on the dark web. Hundreds of these cyber-attack tools have been stolen, among them dozens of hardware devices.
In recent weeks, experts have witnessed two of these stolen tools being used. The WannaCry and Petya cyber-attacks are startling examples of the potential damage these tools can create when applied by a hacker. Although these ransomware attacks gained significant media attention, the most frightening issue in the endlessly complex cyber puzzle is the carrier or the attack-vehicle that successfully carries these attacks to the targets.
Some of these attack-tools can be stopped by updating software and maintaining up-to-date endpoint security, while others are much harder to detect. Among these are the hardware devices that can attack organizations without any prior warning, leaving them without a fighting chance for protection or cure.
Why Is Hardware So Dangerous?
It may sound crazy that computer peripherals like mice, keyboards and network devices like printers and IP phones will be used for cyber attacks on commercial targets, but the fact is, these attacks are already happening. The cost of these tools is dropping rapidly, as are the required skills for executing attacks. Criminals are now selling plug-and-play “attack sets for dummies” on the dark web that require no coding or hacking expertise to be able to exfiltrate sensitive data from systems.
Hardware attacks are the new cyber frontier. Hardware devices can wreak havoc on the system if installed directly into the network, and hackers are finding more sophisticated ways of doing it. They can be in the form of a camouflaged hardware interface device (HID), or a ghost wiretapping device that sifts through data, make copies and sends the data along its journey without any indication of a breach.
In recent years, the methods by which cyber attacks are identified, detected and prevented have changed. CISOs are now looking for a complete visibility of their assets. Most of them will tell you that with a robust cyber environment incorporating search, SIEM and analytics capabilities, they can recognize and defend against any threat coming at them. I agree, for the most part.
However, what most CISOs fail to recognize is that these attacks may come through connected hardware devices. They do not have visibility on their physical assets, which allows rogue devices to cause massive damage to their infrastructure. They invest tens of millions of dollars protecting their infrastructure against the common attack-vectors but fail to recognize the vulnerabilities in hardware. CISOs I have talked to claim it is impossible for someone to install something in their system without them knowing about it. Even with extensive monitoring, they can miss the easy-to-overlook end-user activity that can cause the most secure data networks in the world to open the front gates to welcome in enemies without knowing about it.
To understand how a device could plausibly be implanted in a system, consider how the ancient Greeks conquered Troy with the Trojan Horse. The Greeks had to contend with impenetrable walls, robust defense systems and the vast armies of Troy to win the war – which they failed time and again. And they wouldn’t see victory until they left a beautiful wooden horse as a parting gift, and the Trojans let down their guard and brought it into the middle of their city to display. Little did they know, the Greeks strategically placed the horse so the people of Troy would take it into their city, behind the impenetrable walls, where the soldiers within the horse could wreak havoc from the inside once the citizens of Troy had gone to sleep.
To put it in modern terms, imagine a new, sleek-looking mouse was left lying around your office. What are the odds that someone in the office would plug it in and start using it? Any employee looking for a quick desk upgrade could perform this simple act, which seems completely innocent in theory. However, in practice, it could irreversibly change the security status of your data environment, allowing hackers to bypass security measures without any effort – much like the Greeks did to the Trojans and countless other tacticians have copied to take advantage of their adversaries over the millennia.
This is a new form of “social engineering,” or simply put, psychological manipulation that hackers leverage against innocent employees to gain access to data. Crafty ‘social engineers’ can convince people to give them sensitive information like passwords and network logins, or attach devices to their printer or computer for the sake of the network’s health. This may seem like a complex route to the inside, but it is the new normal for how hackers are gaining access to data environments.
Once data is out, there is no getting it back – the proverbial toothpaste is out of the tube. There is no way to retroactively secure data once it is gone. Understanding how hardware hacking circumvents security monitoring is critical in stopping the threats of the future.