10 Devices Attackers May Think About Attacking
Cars, Cell Phone, GPS, and Blenders.... Oh My!I recently read an article titled, 10 Everyday Items Hackers Are Targeting Right Now. It was quite the list, and while possibly a bit far-fetched, it made me think about security in the context of these devices as they relate to enterprise security:
- Your Car - Your company may have vehicles, and certainly a good percentage of your employees drive to work every day. The security implications surrounding company vehicles are not something you need to lose sleep over now, but you may want to keep an eye on this for the future. I had some fun with injecting audio into Bluetooth systems on cars some time ago. While this is a neat “party trick", there is no immediate security threat to your organization's data via audio injection attacks. However, what if I told you I was able to listen to conversations happening in the car? This might be a threat, especially if your executives like to have conversations on the way to work with clients, potential customers or each other. If we take this a step further, what if Wifi systems inside cars could be compromised and used as a trojan horse to get within wireless proximity of a secure building? I don't think this is something that most organizations need to take proactive steps to prevent today, but high security facilities could possibly be infiltrated this way some time in the near future (of course, you could also attach a device to the car that is authorized to enter the secure facility).
- That New GPS Gizmo - There are long-standing privacy concerns surrounding GPS systems. For example, an attacker may be able to see where you've been by looking at the history stored inside your GPS. I think another concern for the enterprise is when these devices are plugged into USB ports of computers within your organization. What if the device was "Certified Pre-0wned" (e.g., a careless employee accidentally compromises a manufacturing plant’s software repository and ships a Trojan on the devices that in turn infects the computer it is plugged into).
- Your Cell Phone - Here is an area where we are seeing lots of bad guys take an increasing interest and looking to turn a profit. As cell phones gain more functionality and become widespread in your enterprise, they are being targeted just like desktop computers. Smart phone have all of the components that make up a desktop: a web browser, an email client and a document reader. For criminals looking for information, this is a popular platform. However, due to their transient nature, low CPU power, short battery life and poor bandwidth, phones will likely not be targeted to build a botnet capable of launching a network-based distributed denial of service attack any time soon (At least one that could make an impact on a target). However, if 50 phones in your environment become compromised there could be local issues, such as if the attacker used them to call one phone number at the same time, activated the Wifi and/or Bluetooth functionality or used in low bandwidth botnet based activity (e.g., online ballot stuffing, CAPTCHA bypass attacks, etc.).
- The Front-Door Security System - Even more so in the enterprise, this is a growing concern because many companies ignore the physical aspect of information security. RFID has become a popular technology to secure building access, even though it has been proven to be easily bypassed. RFID is typically not only in use on the front door but on some inside doors as well, including the ones protecting the server room. I never trust just one security measure to protect my data; having more than one at least slows down the attacker to where the data has a better chance of being protected before an attacker is noticed, so by all means use RFID and put a traditional lock on that door as well!
- Your Blender. Yes, Your Blender - Everyone had a good chuckle at the possibility that an attacker could compromise your blender (for what reason, I’m not exactly sure, but my vote would be to make me a margarita). I did find a USB blender alarm clock, which I suppose could be compromised if connected to a computer, but while your blender may be seemingly safe for now, there are other appliances with far more functionality. The refrigerator is one such appliance that has received attention from manufacturers in the way of “Internet on your appliance”. Both LG and Whirlpool have given it a shot, building in digital cameras, sensors that tell you when you need to buy milk or you are running low on an item, touch screens with Internet access, and more. Largely these have been total flops, but in the future as they become ubiquitous, attackers may take an interest to, well, spoil your milk.
Additionally, don’t forget about the heating, air conditioning and lighting in your home under the control of a computer-based home automation system that could be compromised. Forcing the temperature to rise to 100 in a building to force an evacuation could allow an attacker unchallenged access.
- Your Printer - Another dangerous concept is that an attacker will compromise your printer and steal the information flowing through it. It’s of interest to attackers because it contains (or rather prints) sensitive information that is of value to an attacker and can be sold for real money on the black market.
- Your New Digital Camera - Devices such as cameras, photo frames and more can be used to distribute malware and infect your computer. The attacker doesn't normally care about your pictures, but is merely using it to gain access to your PC. These devices are also subject to being infected at the manufacturing plant and shipped out worldwide.
- The Power Sockets in Your Walls - Once upon a time I was doing a security assessment of an automation system that was being installed into a brand new building. This system controlled the environment and the lighting. Let’s just say that I was successful in demonstrating several security flaws across the system that allowed an attacker to control the HVAC system. To put some business context around it, this was a research facility that was at risk of losing experiments if the environment was not maintained properly.
- The Human Body - I do have grave concerns about technology, specifically wireless, being used in the human body (such as a wireless transmitter in a pace maker). I believe that attackers, with more deadly intentions may be interested in using this to cause harm to others. Other technology, such as RFID, is already being implanted into humans and pets. There could be benefits to embedded technology in the human body (e.g., I don't have to worry about losing my RFID badge), but also security concerns as well (e.g., it’s difficult to detect a chip implanted inside a human).
- Even the Human Brain - Just when I think we are quite a ways off from understanding the human brain, let alone putting computers in it and then using those systems to control people, several areas emerge in brain-computer interfaces. Most of the research is geared towards "neuroprosthetics", or helping the brain overcome illnesses and injuries. I think this is far cry from what the article refers to as "The last frontier of hacking: stealing information directly from your brain.", which I believe does not pose an immediate threat to your organization's security.
Protecting enterprise networks from a wide-array of threats is no easy task. All of the devices listed above could make their way onto your networks and systems, leaving you with the job of analyzing the risk and developing secure solutions. The threats will always be numerous and come in many forms, shapes and sizes. Implementing smart defenses that will catch these threats, no matter how they are packaged, is the real challenge. Monitoring your systems and networks, both actively and passively, can really help gain insight into your environment and increase your chances of finding malicious activity. You can read several posts on this blog on how to use event analysis techniques, passive vulnerability scanning, and configuration and system auditing that will help you detect these behaviors.