Assume all your gadgets have been hacked or are hackable – security expert
With humanity's deepening love for gadgets, privacy becomes a privilege, not a given. Cyber walls are not enough to repel potential intruders. They may be already in, spying inside your keyboard, mouse, or USB cord.
If the last paragraph sounded a bit paranoid, take a second to think about hardware-based hacking. A tiny microchip planted on a regular input device you were convinced you bought with an unbroken seal. How about a USB cable capable of transferring data elsewhere with only one side connected?
Even though this sounds like something from a spy movie, Bentsi Benatar, a former Israeli intelligence officer and a co-founder of a rogue device mitigation (RDM) company, Sepio Systems, claims financial and industrial systems were penetrated using hacked cables and keyboards.
"Personally, I assume that at any given time, I'm surrounded by devices that are either hackable or have already been hacked. […] If I have something important to tell my wife, I'll whisper it in her ear," Benatar told CyberNews.
Personally, I assume that at any given time, I'm surrounded by devices that are either hackable or have already been hacked,Bentsi Benatar.
Rarely in the front pages, attempts to use compromised hardware to penetrate systems for extortion or intelligence are by no means rare. Reserved for state intelligence services in the past, attempts to hack businesses and individuals have entered the mainstream.
After all, it's much cheaper to hire a cybercrime gang to steal an exclusive design of industrial equipment or parts of it than actually develop one yourself.
As security researcher Monta Elkins showed Wired, it only takes will and around $200 to install a tiny chip that allows creating an invisible back door to bypass any firewall. Or, more recently, when owners of a hardware crypto wallet were sent fake replacements meant to steal contents of the wallet.
According to Benatar, well-executed hardware-based attacks can be indistinguishable from phishing attacks from a forensic point of view. A well-placed interceptor, planted in a Smart TV or a vacuum cleaner, can take over any device in the same network and repurpose it for malicious behavior.
"No one will ever know that the actual attack was conducted by intercepting a wireless keyboard or another wireless device," he explained.
We sat down to discuss why hardware-based attacks are seemingly under the radar, what makes a good CSO and whether some people are rightfully concerned that gadgets like Apples' AirTags are a gift to anyone with a criminal mindset.
There's an endless stream of reports about cyberattacks involving phishing, email spoofing, and whatnot. Very little has been said about hardware hacking attacks. Why is that?
I think there are two main reasons for that. The first is the fact that hardware-based attacks will usually be very pinpointed in their target. The software supply chain attacks like Solarwinds or others, where you hit 80 thousand targets simultaneously, are difficult to hide from the public eye.
Whereas the hardware-based attacks are very pinpointed, and criminals go for the most lucrative targets. That will be a data center, a bank, or critical infrastructure. And because these targets are very specific, it is easier for the entity, be it a commercial entity or a state facility, to keep the lid on that event.
That's where the second reason comes in. Ask yourself, if you knew that the level of physical security or access to a nuclear reactor is not that good, how would that make you feel? With hardware hacking, the attack vector is based either on the supply chain or internal abuser. And if someone got in like that, that means that your sort of physical security is not that good.
That means that your company or a facility wasn't able to clear your subcontractors or that you have a very unprotected supply chain. All of that puts you in a very bad light. So, companies are reluctant to go forward.
Another issue is that from a forensic point of view, some attempts to employ hardware hacking are categorized as phishing attacks due to how they were carried out. So, even though experts think the hack came from the outside, the actual attack could have been carried out by a completely different setup.
Ask yourself, if you knew that the level of physical security or access to a nuclear reactor is not that good, how would that make you feel?Bentsi Benatar.
No one will ever know that the actual attack was conducted by intercepting a wireless keyboard or another wireless device because forensic-wise, the attacks would look identical.
In some ways, hardware hacking is the easiest way. We try to visualize that to our clients by asking them to imagine a house with a huge safe door at the front and an open second-floor window.
You need a ladder to get to that window, and the ladder here is an internal abuse or supply chain. But once you have the ladder, then you don't have to force your way in. You can go in quietly without being picked up.
Hardware hacking sounds like something an intelligence service would do. What ends non-state actors might be after with such a tactic?
Stealing for financial benefit is among the top threats. So, like SWIFT payment fraud, creating a kill switch for critical infrastructure, or attacking a telecommunications provider. There is also an intelligence side since you can trace an individual if you hack a cell phone.
But there are other motivations, for example, theft of intellectual property (IP). If you're a company and you want to copy a particular auto part, and then someone comes in and tells you that they can bring you the actual production files from the production line of an exhaust system.
And threat actors can do that using a very simple method by, for example, connecting a compromised or a tempered mouse into the HMR controller that controls that CNC machine.
There's always an entry point, no matter if the whole production life is cut off from the internet. There's no way for a commercial entity to validate if every piece of hardware is the actual device they bought.
From an outsider's perspective, it would seem that companies prioritize, let's call it 'conventional' hacking, over hardware hacking. From your expertise, do businesses take hardware hacking into account at all?
That depends on the Chief security officer (CSO) in the company. But to go for a long answer, I'll start by saying that we put security CSOs into three categories. There's the evangelizing, the most professional ones that genuinely understand security, and they will be early adopters of innovative security techniques and emerging techniques. The problem is that they are in low numbers.
The other group of CSOs falls into what we call the 'me too' category. The 'me too' will first see what the evangelizing CSOs are doing and will follow them, which is also a good thing. That's a good thing since that spreads the technology and ideas across markets and companies.
The third one, which is most CSOs, is the 'cut and paste' category. They like the old cliche of 'no one got fired for buying an IBM.' They know the grocery list of security solutions they need to have, and they will purchase those solutions. The problem is that 'cut and paste' CSO's will buy specific security solutions without understanding the particular threats within their territory.
For example, some devices, like Apple AirTags, are criticized for their potential to be exploited by threat actors. Do you think some gadgets are more dangerous than others in terms of hardware hacking?
Personally, I assume that at any given time, I'm surrounded by devices that are either hackable or have already been hacked. That means that for the most important information, I will need to use a different approach. Of course, all of us want to enjoy the benefits of streaming a movie, so you want to have a smart TV.
But if you live with the assumption that everything either could be hacked or has already been hacked, you apply basic cyber hygiene to that. If I have something important to tell my wife, I'll whisper it in her ear.
There's a reason some of the most wanted people on the planet use another human being for communication instead of mobile phones or computers. They do that because they know that everything could be hacked.
After all, recently, the news broke that the FBI was capable of hacking into crypto wallets. This is a strategic capability, and if you have it, then you're incredibly thrilled about the fact that attackers are using cryptocurrency.
More from CyberNews:
Subscribe to our newsletter