Cyber-attacks on supply chains have become a major threat to critical infrastructure. Compromising supply chain integrity by inserting malicious components is now a central topic in black-hat hacker forums. While most of those conversations focus on methods of inserting infected software modules, there has recently been a surge in discussion of methods for getting malicious hardware components into a target.
Software Infection vs. Malicious Hardware
Various methods can be used to insert infected software modules into an organization’s software supply chain, including altering third-party software libraries and deliberately exploiting zero-day vulnerabilities to achieve code execution. Once attackers find a way in, the challenge becomes finding a way out: with the multi-layer security platforms installed in most secured networks, the hacker’s problem becomes exfiltrating the stolen data.
Since security solutions have focused on sealing the way out, criminals have sought an alternative: the insertion of malicious hardware.
The insertion of malicious hardware into a secured organization requires “on-the-ground” capabilities, including knowledge of supply chain management and logistics.
Malicious hardware attacks were first thought to be the province of governments. But terrorist and criminal organizations have since acquired supply chain management capabilities, and they understand that inserting malicious hardware into a highly secured supply chain is easier and more lucrative than maintaining a cache of illegal weapons and drugs. Inserting malicious hardware may still be harder than inserting infected software, but the way out for the data is easier: the hardware offers practically unlimited out-of-band communication paths that bypass monitoring and security measures.
The “50 Keyboards” Question
During a recent meeting with a CISO of a large bank, I posed a theoretical question: “If I send 50 boxes containing keyboards with an authentic-looking bank label and a note that reads:
‘Your division has been selected by the bank IT department to test this new keyboard. We will contact you soon to get your feedback.’
How many keyboards would be installed the next morning?”
The answer was shocking: “More than 45.”
This attack would cost 50 keyboards at $13 each, plus shipping fees. Criminals would need only one of them to be installed to launch the attack and “kill the bank”.
Building a Malicious HID
Human Interface Devices (HIDs), including keyboards, mice, barcode scanners, and KVM switches, can easily be altered into malicious devices. By putting a USB hub between the device and the host and connecting, in parallel, a rubber-ducky keyboard emulation device and a wireless communication device (Wi-Fi, Bluetooth or cellular), a multi-phase attack can be executed against the computer infrastructure. Thanks to overnight shipping, a malicious device can reach its destination in less than one business day and the attack is launched the next morning. At a cost of less than $500, this malicious device can penetrate a secured facility. Once inside, it runs a script and, via a hidden wireless connection (e.g. a cellular modem), sends proprietary data out, injects data, and executes commands from a remote location.
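From the defender's side, the topology just described has a recognisable signature: a peripheral that should enumerate as one keyboard instead shows up as a hub with several devices behind it, among them a second keyboard-class interface and a modem or wireless-controller interface. The following is an added example, not Sepio's code, of a host-side inventory check over that signature. It works on constructed device records shaped like what Linux sysfs exposes (port paths such as "1-1.2", vendor/product ids, interface class codes); the vendor/product ids and product names are placeholders, and the allowlist stands in for a real hardware inventory. The USB class codes are the standard USB-IF ones.

```python
"""Flag USB topologies that match the hidden-hub malicious HID pattern.

Added example, not part of the original post or of Sepio's product.
Device records and vendor/product ids below are constructed placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# USB base class codes (USB-IF "Defined Class Codes").
CLASS_CDC_CONTROL = 0x02   # communications (modems enumerate here)
CLASS_HID = 0x03
CLASS_HUB = 0x09
CLASS_CDC_DATA = 0x0A
CLASS_WIRELESS = 0xE0      # wireless controller (e.g. Bluetooth radios)
MODEM_CLASSES = {CLASS_CDC_CONTROL, CLASS_CDC_DATA, CLASS_WIRELESS}

# HID boot-interface subclass and keyboard protocol code.
HID_BOOT_SUBCLASS = 0x01
HID_KEYBOARD_PROTOCOL = 0x01


@dataclass
class Interface:
    cls: int
    subclass: int = 0
    protocol: int = 0


@dataclass
class UsbDevice:
    port_path: str                 # sysfs-style port path, e.g. "1-1.2"
    parent: Optional[str]          # port path of the upstream hub, None for a root hub
    vid: int
    pid: int
    product: str
    interfaces: list[Interface] = field(default_factory=list)

    def has_class(self, cls: int) -> bool:
        return any(i.cls == cls for i in self.interfaces)

    def is_keyboard(self) -> bool:
        return any(i.cls == CLASS_HID and i.subclass == HID_BOOT_SUBCLASS
                   and i.protocol == HID_KEYBOARD_PROTOCOL for i in self.interfaces)

    def is_modem(self) -> bool:
        return any(i.cls in MODEM_CLASSES for i in self.interfaces)


def analyze(devices: list[UsbDevice], allowlist: set[tuple[int, int]]) -> dict[str, list[str]]:
    """Return {port_path: [finding, ...]} for everything that looks wrong.

    Per device: not in the (vid, pid) inventory allowlist, or a single device
    that is both a keyboard and a modem.  Per external hub: more than one
    keyboard behind it, or a keyboard sharing it with a modem/wireless device.
    Root hubs are skipped: their ports legitimately carry unrelated devices.
    """
    findings: dict[str, list[str]] = {}

    def note(path: str, msg: str) -> None:
        findings.setdefault(path, []).append(msg)

    for d in devices:
        if d.parent is not None and (d.vid, d.pid) not in allowlist:
            note(d.port_path, f"{d.product}: not in hardware inventory")
        if d.is_keyboard() and d.is_modem():
            note(d.port_path, f"{d.product}: keyboard and modem in one device")

    for hub in (d for d in devices if d.has_class(CLASS_HUB) and d.parent is not None):
        children = [d for d in devices if d.parent == hub.port_path]
        keyboards = [c for c in children if c.is_keyboard()]
        modems = [c for c in children if c.is_modem()]
        if len(keyboards) > 1:
            note(hub.port_path, f"{len(keyboards)} keyboards behind one hub")
        if keyboards and modems:
            note(hub.port_path, "keyboard shares a hub with a modem/wireless device")
    return findings


KEYBOARD_IFACE = Interface(CLASS_HID, HID_BOOT_SUBCLASS, HID_KEYBOARD_PROTOCOL)

# Constructed inventory allowlist: the organisation's standard keyboard (placeholder ids).
ALLOWLIST = {(0x1111, 0x0001)}


def benign_topology() -> list[UsbDevice]:
    """Constructed: one approved keyboard directly on the root hub."""
    return [
        UsbDevice("usb1", None, 0x0000, 0x0000, "root hub", [Interface(CLASS_HUB)]),
        UsbDevice("1-1", "usb1", 0x1111, 0x0001, "standard keyboard", [KEYBOARD_IFACE]),
    ]


def malicious_topology() -> list[UsbDevice]:
    """Constructed: a keyboard enclosure hiding a hub with the real keyboard,
    a second keystroke-injecting 'keyboard' and a cellular modem behind it."""
    return [
        UsbDevice("usb1", None, 0x0000, 0x0000, "root hub", [Interface(CLASS_HUB)]),
        UsbDevice("1-1", "usb1", 0x2222, 0x0100, "generic hub", [Interface(CLASS_HUB)]),
        UsbDevice("1-1.1", "1-1", 0x1111, 0x0001, "standard keyboard", [KEYBOARD_IFACE]),
        UsbDevice("1-1.2", "1-1", 0x2222, 0x0200, "keystroke injector", [KEYBOARD_IFACE]),
        UsbDevice("1-1.3", "1-1", 0x2222, 0x0300, "cellular modem",
                  [Interface(CLASS_CDC_CONTROL, 0x02, 0x01), Interface(CLASS_CDC_DATA)]),
    ]


if __name__ == "__main__":
    for name, topo in (("benign", benign_topology()), ("malicious", malicious_topology())):
        print(name, analyze(topo, ALLOWLIST))
```

The inventory allowlist does most of the work in a managed fleet: a standard keyboard model re-enumerating behind an unknown hub is itself the alert. The hub-level rules catch the case where every individual part is a common, allowlisted commodity device but the combination behind one hub makes no sense for a keyboard. On a real host the records would be read from sysfs or a udev event stream rather than constructed.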
Sepio Systems has introduced its USB Security Device that protects against such threats. In the next post we will describe the Sepio solution in greater detail.