Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/9/2019
10:00 AM
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

From Spyware to Ninja Cable

Attackers don't need sophisticated James Bondian hardware to break into your company. Sometimes a $99 device will do.

Up until just a few years ago, unless you were working as a secret agent, your only chance of seeing spy tools and gadgets was in the movies. These days, it still isn't easy to buy a lipstick pistol or a Bulgarian umbrella, but it has become shockingly easy to legally buy hardware-based cyberattack tools.

Although IT security tools have quickly and significantly improved and threat-hunting teams of the leading enterprises have become more professional, cybercriminals aren't giving up.

Document leaks, such as the NSA ANT catalog and the US Central Intelligence Agency's Vault 7, released a huge hacking tool arsenal including concepts of operation, drawings, source code, etc., and allowed individuals and specialized companies to join the game. Hardware cyberattack tools that were in the hands of only governments and intelligence agencies are now available for purchase as legitimate penetration-testing tools starting at less than $10.

A recent example of a dangerous tool is the USB Ninja cable, which was introduced earlier this year. The Ninja cable looks like any ordinary and innocent smartphone-charging cable, and will charge a smartphone as usual. However, this cable's design and internals are inspired by the leaked NSA Cottonmouth, a USB hardware implant that provides a wireless bridge into a target network as well as the ability to load exploit software onto target PCs. (For information on the original device, see the background story here.) When it was a top-secret weapon in use by the government, the unit price was $20,000. These days, when publicly offered as a pen-testing tool, anyone can buy it for around $99.

Now just imagine a cybercrime organization trying to get into a bank's internal network. Chances of being able to overcome the network security tools such as firewalls, email scanners, etc., are not that high, and every failing attempt will just make the systems and security team more alert. But what if the threat actor could drop some of those cables around the company's HQ lobby? What if a cable is left on the cafeteria table? What if the ATM custodian gets one as a freebie? Probably, this cable will be plugged into a corporate laptop sooner rather than later, just for the sake of charging the phone.

The method of using infected hardware devices as attack vehicles and as invisible doors into sensitive infrastructure is even more attractive because the attacker can jump over air gaps and enter into (or steal information from) parts of the network that are segregated from the Internet or other parts of the enterprise network.

There is a huge gap in the awareness of IT and security teams between software deployment and usage policies and those that relate to hardware devices.

Corporate employees or contractors will never be able to install or use uncontrolled software on an enterprise workstation or laptop. There are not only regulations and processes, but the entire system of authorization levels and user management will block it even if they tried.

On the other hand, in many places, anyone can bring in and connect any uncontrolled gadget or peripheral device directly to the infrastructure. Not only are there no policies in place to define what's allowed and what's forbidden, there isn't even a way for CISOs or risk officers to know and understand the attack surface they're in charge of protecting.

Know the Risk
The good news is that it's possible to address this rapidly growing threat. As always, being aware and understanding the risk is the most important step. This change in mindset is quickly taking hold in the industry —the Center for Internet Security (CIS, a nonprofit with large companies, government agencies, and academic institutions as members) has defined inventory and control of hardware assets as a top priority.

CIS urges organizations to actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access. For more details, check out the tips from CIS.

Related Content:

 

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Phishers' Latest Tricks for Reeling in New Victims."

Iftah Bratspiess is a cybersecurity leader and entrepreneur with over 25 years of business and technology experience as an engineer, software developer, product line owner, manager, and strategist. Throughout his career, Iftah has successfully navigated multidisciplinary ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 New Cybersecurity Vulnerabilities That Could Put Your Enterprise at Risk
In this Dark Reading Tech Digest, we look at the ways security researchers and ethical hackers find critical vulnerabilities and offer insights into how you can fix them before attackers can exploit them.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17475
PUBLISHED: 2020-08-14
Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3s allows attackers to grant physical access to anyone by sending packet data to UDP port 5000.
CVE-2020-0255
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-10751. Reason: This candidate is a duplicate of CVE-2020-10751. Notes: All CVE users should reference CVE-2020-10751 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-14353
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-18270. Reason: This candidate is a duplicate of CVE-2017-18270. Notes: All CVE users should reference CVE-2017-18270 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-17464
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2020-17473
PUBLISHED: 2020-08-14
Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.