There is an understanding in the cybersecurity world that if an attacker has physical access to your computer, it is not your computer anymore. By gaining physical access to a computer, or any endpoint device for that matter, perpetrators can conduct hardware-based attacks that result in a myriad of consequences for the victim. This seems to be an issue for cybersecurity teams, right? Wrong. To gain physical access to a device, attackers need to bypass physical security in some way, meaning that the line between physical security and cybersecurity is blurring. Last Wednesday’s riots in the Capitol are a prime example of this. The failure to physically secure the premises meant that the hundreds of rioters who raided the building had physical access to the devices and networks used by US government personnel. And hiding amongst that crowd could have been malicious actors seeking to cause damage to such a target. Brian Honan, CEO of BH Consulting, noted that “anyone with physical access to the computers could have installed malicious software on them to facilitate future cyberattacks”.
Criminal Actors Hidden Amongst the Crowds
The hundreds of rioters invading the Capitol last Wednesday did so as an act of “patriotism”; to protest against the election that was “stolen” from them; and to exhibit their unwavering support for Donald Trump. With such an explicit demonstration of opposition to the incoming administration, what is to say that the protests stopped at the physical activities? It is not implausible to suggest that the attack continued into the cyber realm. Amongst the crowd could have been one or more cybercriminals seeking to cause damage to the succeeding regime through cyberattacks.
Alternatively, a spy working for an adversary could have been disguised as a protester. With the protests being planned in advance, it is possible that one or more nation states seeking to damage the US knew of such a plan and saw it as an opportunity to conduct an attack. A spy could have been deployed to use the riots as an access point to the Capitol whereby a cyberattack could be carried out.
The Ideal Scenario
No matter who the perpetrator is, gaining physical access allows them to carry out a hardware-based attack through the insertion of a Rogue Device. According to Christopher Painter, a former top US cybersecurity official, “there’s a lot more you can do when you have physical proximity to a system”. Many laptops were left unlocked due to the rush to evacuate the Capitol, and the premises, often referred to as “The People’s House”, have many open spaces that are easily accessible once inside. These factors enable a hardware-based attack, as there are fewer obstacles in place, and allow a perpetrator to easily attach a Spoofed Peripheral to an endpoint. Additionally, hardware security is often neglected and is not as heavily invested in as software and network security, thereby presenting further vulnerabilities. Hardware security requires complete device visibility: if devices are not accounted for, then it is impossible to protect them. As such, should a protester have planted a Rogue Device on an endpoint, it would be a long process to find it, let alone detect it, and the types of attacks that these devices can carry out have extreme consequences.
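The device visibility point above is where a defender can actually start. As an added example (not code from the original post or from any vendor it mentions), the script below takes USB enumeration output in the style of the Linux `lsusb` command, parses it into vendor:product pairs, and reports any device that is not on an approved inventory list. The sample output lines and the allowlist are constructed for this illustration; the vendor and product IDs in them are hypothetical.

```python
"""Minimal USB device inventory check: parse lsusb-style output and
flag devices whose vendor:product ID is not on an approved list.
Added example; the sample lines and allowlist below are constructed."""
import re
from dataclasses import dataclass

# Constructed sample of lsusb-style output (hypothetical devices).
SAMPLE_LSUSB = """\
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 003: ID 046d:c52b Logitech, Inc. Unifying Receiver
Bus 002 Device 004: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 005: ID 1234:abcd Unknown Vendor Keyboard
"""

# Constructed allowlist of vendor:product pairs the organisation has approved.
ALLOWLIST = {"8087:0024", "046d:c52b", "1d6b:0003"}

# One lsusb line: "Bus NNN Device NNN: ID vvvv:pppp <description>"
LINE_RE = re.compile(
    r"^Bus (\d+) Device (\d+): ID ([0-9a-f]{4}):([0-9a-f]{4})\s*(.*)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class UsbDevice:
    bus: int
    device: int
    vendor_id: str
    product_id: str
    description: str

    @property
    def vid_pid(self) -> str:
        return f"{self.vendor_id}:{self.product_id}"


def parse_lsusb(text: str) -> list:
    """Parse lsusb-style lines into UsbDevice records; unparsable lines are skipped."""
    devices = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        bus, dev, vid, pid, desc = m.groups()
        devices.append(
            UsbDevice(int(bus), int(dev), vid.lower(), pid.lower(), desc.strip())
        )
    return devices


def find_unapproved(devices: list, allowlist: set) -> list:
    """Return every device whose vendor:product pair is not on the allowlist."""
    return [d for d in devices if d.vid_pid not in allowlist]


def summarize(text: str, allowlist: set) -> dict:
    """Inventory summary: how many devices were seen and which are unaccounted for."""
    devices = parse_lsusb(text)
    unapproved = find_unapproved(devices, allowlist)
    return {
        "total": len(devices),
        "unapproved": [d.vid_pid for d in unapproved],
        "descriptions": [d.description for d in unapproved],
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LSUSB, ALLOWLIST)
    print(f"{report['total']} devices enumerated")
    for vid_pid, desc in zip(report["unapproved"], report["descriptions"]):
        print(f"UNAPPROVED {vid_pid}: {desc}")
```

On a real host the input would come from running `lsusb` (or from the USB events an endpoint agent already collects) rather than the embedded sample, and the allowlist would be the asset inventory. Matching on vendor:product IDs alone is only a first check, since a Spoofed Peripheral can present any IDs it likes; the value is that a device the inventory does not know about surfaces at all, rather than sitting undetected.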
Actions and Consequences
Primarily, Rogue Devices allow perpetrators to conduct attacks that provide access to important data and confidential information, thus facilitating espionage. Other attacks through Rogue Devices can simply shut down certain operations in an effort to undermine the target and cause damage.
- Advanced Persistent Threat
APTs are an advanced form of data breach. Being highly customized and sophisticated, APTs are commonly associated with state-sponsored actors who have both the capabilities and the motive to conduct such an attack. The aim is to gain unauthorized access to secured systems and, with the information obtained, cause damage to the victim.
- Man-in-the-Middle
In a MiTM attack, the perpetrator intercepts the communication between two entities without either party knowing. As a result, the malicious actors can obtain sensitive information or credentials that provide access to such information.
- Malware Injection
Malware is the umbrella term given to many kinds of malicious software. One type of malware is known as a Remote Access Trojan (RAT), which provides bad actors with a backdoor for remote administrative control. With this control, the attacker can take screenshots, monitor behaviour through keylogging, and even activate the system’s webcam. As a result, the perpetrator can obtain a vast amount of confidential data.
- Distributed Denial of Service
Malware can recruit bots to form a botnet, which works to carry out a DDoS attack. These attacks disrupt the normal traffic of a targeted server, service or network. The botnet does this by overwhelming the target, or its surrounding infrastructure, with a flood of internet traffic, which can cause it to shut down.
The consequences of a cyberattack on a government entity are extremely pernicious, mainly due to the risk to national security. Should a state-sponsored adversary obtain state secrets, this information could be used to harm the target – either directly or indirectly – and a DDoS attack on critical infrastructure could have serious effects on the wellbeing of citizens. Furthermore, an attack on the government is likely to undermine trust in its ability to protect the nation and its citizens, which has a myriad of detrimental spillover effects.
Evidently, issues of cybersecurity can no longer be the sole jurisdiction of cybersecurity teams, especially when it comes to hardware-based attacks, which require physical access to the target. Physical security teams are more frequently becoming the first layer of protection against cyberattacks, and the first layer of obstacles that perpetrators must bypass. So, when the crowd of disgruntled Americans stormed through the Capitol last week, a few of those individuals might have been infiltrating more than just the building, and it was the police and security guards who were (or rather, weren’t) the first barrier to such activities.