Mitigating Hardware-Based Attacks

Written by David Worthington on October 26, 2021


It’s Cybersecurity Awareness Month! In honor of the theme “Do Your Part. #BeCyberSmart”, we’re doing our part by educating IT teams and organizations on protecting themselves. Throughout October, the 探花大神 blog will focus on top cybersecurity issues, from IT admin best practices to CISO responsibilities. Tune back in throughout the month for new cybersecurity content or check out our archive of existing security articles for cybersecurity insights written specifically for the IT professional.


It’s Security Awareness Month and we’d be remiss not to highlight the importance of mitigating hardware-based attacks. These attacks are becoming more commonplace, can bypass most authentication and endpoint security systems, and are challenging to trace. Attackers are adapting their modus operandi to leverage weaknesses in how operating systems manage hardware. The Postal Service, your employees, and even commercial products stacked on the shelves of big box stores are the latest and least understood avenues of attack. Training, internal controls, zero-trust access controls, and supply chain management must adapt in kind.

This problem is so prevalent that Honeywell Cybersecurity Research reported on it in June 2021. Key findings were that 79% of cyber threats originating from removable media were ‘critical’ to Operational Technology in heavy manufacturing, and that the amount of malware specifically engineered for that attack vector doubled year-over-year. The U.S. Centers for Medicare and Medicaid similarly advised about the risk posed to healthcare devices. A USB drive or rogue device masquerading as a keyboard can bypass authentication and security systems, exposing mission-critical systems to MitM attacks, industrial espionage, and ransomware. This was ‘James Bond’ stuff 5-6 years ago, but cyber criminals are now targeting industries including manufacturing and healthcare using this attack vector. Hackers recently mailed rogue devices out to companies throughout the United States; another threat is coming from ‘inside the house’ as remote workers return to the controlled office environment.

Why Care about Hardware Based Attacks?

Operating Systems are Too Trusting

Hardware-based attacks are happening because the USB standard did too good a job of simplifying the process of connecting peripherals to systems, which is exactly what it was designed for. There are instructional YouTube videos on how to spoof a trusted vendor’s Device and Class IDs, which are the identifiers that operating systems use to recognize hardware such as keyboards. Crooks can replicate the look and feel of a known device, such as a keyboard, but have additional components hidden within the chassis that house a hidden malware payload.

These can be categorized into the following groups:

Rogue Devices: These include fake peripherals, a Raspberry Pi Zero configured to spoof a trusted device’s logical parameters, and products that appear to be legitimate smartphone chargers but are actually USB implants equipped with remote access tools or malware.

  • These devices can load malware or become wireless USB interceptors
  • It doesn’t take the brightest engineer to master how to make one
  • Information is readily available online

Repurposed Devices: The Proxicast PocketPORT 2 is a tiny 3G/4G/LTE modem-to-ethernet bridge that can serve as a modem or router. Criminals have used this for deep monitoring within the financial services industry at a Tier 1 bank. Such a device could work over a passive cable connection, siphoning power from your systems. They’re not easy to find and remain hidden.

Secure IoT Devices: Internet of Things devices aren’t famous for quality security. There are examples where IoT devices have been used to clog networks or carry out Bluetooth attacks. Other flaws exploit the methods that IoT products use to discover one another for easier installation. Malware can utilize that ability to propagate itself. These devices are often not easy to update and can become an overlooked attack vector within the network.

How it Happens

I recently had the pleasure of working with ‘retired’ intelligence agents from one of the world’s leading agencies. They now work with a company that’s addressing this problem and shared a few tales about how these attacks might (and probably did) occur:

  • Devices are mailed to targeted companies
  • A rogue state outsourced operations to target a U.S. power plant by way of a criminal syndicate that manages delivering the device onto a plant floor.
  • Affluent areas are targeted ‘like lottery tickets’ and thieves swap hardware from big box store shelves and replace the goods with a rigged product. The assumption is that wealthier people have more to hide, and more to lose.
  • Fake cable company workers knock on doors within a neighborhood, establishing trust, and then show up at the intended victim’s domicile with a ‘free gift’.
  • Tailgating, where a friendly looking individual carrying a keyboard is allowed access to an organization’s facilities, being mistaken for an IT person who will ‘finally fix that problem’. Bearing donuts was a favorite trick of the former intelligence agent I know. Who doesn’t like someone who’s carrying a box of goodies?

Threat Mitigation

Technical

There are now purpose-built systems that scan and control access to the physical layer, making it possible to uncover rogue devices without mirroring your network traffic. This is an emerging space to which industry analysts and security professionals are paying greater attention. The founders of some household-name security companies sit on the boards of start-ups addressing hardware-based access control. These are typically not intended for Small and Medium-Sized Enterprises (SMEs), however. Your controls are more likely to be targeted measures such as the following:

  • Utilize a policy to block removable storage media
  • Have your security systems configured to check for anomalous behavior such as USB drive activity outside of normal work hours.
  • Deploy a quality EDR solution to isolate malware and trigger alerts
    • Have the ability to quarantine/isolate infected devices
  • A specific host IP address can be directed to a Zero Trust Exchange that will assess whether that device should access your network and determine ‘trust’, depending on system state. We’ll link back with instructions about how to accomplish this integration over the coming weeks.
  • Consider using a cloud-based least-privilege file sharing platform to control access to sensitive data. There are several excellent options. Alternatively, set up shared NTFS folders on local machines with least-privilege permissions in place before granting anyone access.
  • Control access to network storage devices (NAS/SAN, or even online file systems) that use LDAP or SAML with a directory, using group membership; 探花大神 uses attributes such as job title or department, but Windows uses nested groups. Admins who follow the older nested method of grouping may encounter redundancies and not be proactively alerted if there’s a violation of a business rule that’s not baked into group membership.
    • Some permissions can be assigned through SAML attributes if you’re using SAML. Least-privilege settings are otherwise commonly configured directly on those devices.
  • Use VLANs and network access control as much as possible. You may use VLAN steering to select and define user access to network resources. These are simple RADIUS attributes that are assigned through our RADIUS service.
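The anomaly checks in the list above (USB activity outside normal work hours, and a device that looks like a keyboard but hides extra components), as an added Python example that is not part of the original post: it parses constructed Linux kernel USB-enumeration log lines and flags devices connected out of hours, keyboard-class devices that also expose mass storage, and a second keyboard appearing on a host that already has one. The rogue device in the sample reuses the trusted keyboard’s vendor and product IDs, which is why the rules key on behaviour rather than an ID allowlist. The host name, work hours, and every log line are assumptions.

```python
import re
from datetime import datetime, time

# Constructed syslog-style lines in the shape the Linux kernel logs on USB
# enumeration (sample data, not captured from any real host). Port 1-4 is the
# rogue: same idVendor/idProduct as the real keyboard on 1-2, but it enumerates
# a mass-storage interface as well, late at night.
SAMPLE_LOG = """\
Oct 26 09:12:03 ws17 kernel: usb 1-2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice= 1.00
Oct 26 09:12:03 ws17 kernel: input: USB Keyboard as /devices/pci0000:00/usb1/1-2/1-2:1.0/input/input5
Oct 26 13:40:11 ws17 kernel: usb 1-3: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
Oct 26 13:40:11 ws17 kernel: usb-storage 1-3:1.0: USB Mass Storage device detected
Oct 26 22:55:40 ws17 kernel: usb 1-4: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice= 1.00
Oct 26 22:55:41 ws17 kernel: input: USB Keyboard as /devices/pci0000:00/usb1/1-4/1-4:1.0/input/input6
Oct 26 22:55:41 ws17 kernel: usb-storage 1-4:1.1: USB Mass Storage device detected
"""

NEW_DEV = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ kernel: usb (\S+): New USB device found, idVendor=(\w+), idProduct=(\w+)")
KEYBOARD = re.compile(r"kernel: input: .*Keyboard as .*/([\d.-]+):\d+\.\d+/input/")
STORAGE = re.compile(r"kernel: usb-storage ([\d.-]+):\d+\.\d+: USB Mass Storage")


def analyze(log_text, work_start=time(8), work_end=time(18)):
    """Return a list of (port, reason) alerts for the USB events in log_text."""
    devices = {}  # port -> {time, id, keyboard, storage}; insertion order is chronological
    for line in log_text.splitlines():
        if m := NEW_DEV.match(line):
            ts, port, vid, pid = m.groups()
            devices[port] = {"time": datetime.strptime(ts, "%b %d %H:%M:%S").time(),
                             "id": f"{vid}:{pid}", "keyboard": False, "storage": False}
        elif m := KEYBOARD.search(line):  # HID keyboard interface bound on this port
            if dev := devices.get(m.group(1)):
                dev["keyboard"] = True
        elif m := STORAGE.search(line):   # mass-storage interface bound on this port
            if dev := devices.get(m.group(1)):
                dev["storage"] = True

    alerts, keyboards_seen = [], 0
    for port, d in devices.items():
        if not work_start <= d["time"] < work_end:
            alerts.append((port, f"{d['id']} connected outside work hours at {d['time']}"))
        if d["keyboard"] and d["storage"]:
            alerts.append((port, f"{d['id']} presents as a keyboard but also exposes mass storage"))
        if d["keyboard"]:
            keyboards_seen += 1
            if keyboards_seen > 1:
                alerts.append((port, f"additional keyboard {d['id']} attached while one is already present"))
    return alerts


if __name__ == "__main__":
    for port, reason in analyze(SAMPLE_LOG):
        print(f"ALERT usb port {port}: {reason}")
```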

Administrative

Effective mitigation also comes down to training your staff on the principle of ‘if you see something, say something’. Strangers should be reported, and, if possible, leverage proximity badges and employee IDs. More advanced controls can include deploying CCTV or hiring security guards. Also keep in mind that employees could be disgruntled or compromised; ensuring that your people are happy, appreciated, and motivated plays a role in security. Manage your insider risk: insider threats can and do occur, especially if someone is under pressure to meet a personal need, and criminals will try to exploit those pressure points.

You won’t have that controlled environment at your disposal when employees work from home. Train your employees to be vigilant and on the lookout for scams, odd packages, ‘free’ gifts, and requests for home mailing information in the form of phishing emails. Cyber criminals are well organized and will adapt to changing work conditions as Work from Anywhere normalizes.

Supply Chain Integrity

The worst case is if the rogue device comes from the inside, from you to your employees. Don’t bow to financial pressure: being pennywise is pound foolish while rogue devices are infiltrating online merchants. We all think about smart budgeting, but saving a few dollars on inexpensive peripherals may not be worthwhile given rising supply chain risk. The rationale: there’s a very valid reason why the U.S. Federal Government has issued guidance for government agencies to fully vet suppliers. You may not be the Feds, but taking measures such as having your purchasing department use legitimate suppliers, and avoiding white-label and some secondhand devices, is advisable in today’s environment. You may also consider adopting ISO’s supply chain standard.

There are global ‘hotspots’ for this activity in Asia and Eastern Europe, but it’s a small, integrated world through global commerce and online auction sites. Don’t buy from a supplier that you don’t know and trust and you should be fine. Find other ways to cut your costs.

Conclusion

The IT industry has done a decent job of discussing threats to the network and software buckets of cybersecurity, but hardware-based attacks are something that’s not frequently talked about or well understood. Be aware that this is an emerging threat that we’ll be hearing more about, and take precautions to be proactive before your organization is among the first to get caught unprepared and scratching its head during a post mortem analysis of what went wrong.

探花大神 is free for 10 users and 10 devices, so you can begin to evaluate platform policies (blocking removable media, conditional access), Conditional Access policies, and network segmentation within your own environment. We’ll even include premium 24×7 in-app live chat support for the first 10 days. Hardware-based attacks are difficult to mitigate, but you can cordon off your confidential data and begin raising awareness about this problem among users as well as cohorts in purchasing.

David Worthington

I'm the 探花大神 Champion for Product, Security. 探花大神 and Microsoft certified, security analyst, a one-time tech journalist, and former IT director.
