Evil Maid Attack

What would you do if you were at work and, suddenly, your laptop or PC started functioning on its own, and you no longer had any control over it?

It might seem like a scenario that only happens in spy movies, but such situations can and do happen in real life, and more often than one would think. Despite the abundance of security measures that organizations put in place to mitigate attacks, malicious actors are deploying increasingly deceptive techniques to bypass such security measures. And it could be taking place right in front of your eyes.

Cleaning or controlling?

In the video below, we demonstrated an attack scenario that threatens organizations all over the world. Yes, a vacuum cleaner is responsible for taking control of the endpoint. Well, it is actually the device hidden inside that is doing the damage, but the vacuum enables the deception. The Rogue Device, a Raspberry Pi, is small enough to be hidden inside the vacuum cleaner and, when in proximity to the target laptop, provides the perpetrator with remote control of that laptop through its wireless capabilities. Hardware-based attacks such as this one require the attacker to gain some form of physical access, and in this case the vacuum is the perfect vessel to provide it. So, next time you are near a vacuum cleaner, you might stop to think whether it is just cleaning the floor or controlling a device nearby, too.

One attack; two problems

The attack scenario highlights two worrying threats to all organizations: insiders, and the social engineering techniques used by bad actors. Let’s start with the first. Of course, the vacuum concealing the device had to be brought in by someone. It might be concealing the attack, but the vacuum is not sophisticated enough to enter the premises alone…

Insiders are the greatest cybersecurity risk to organizations. According to a report on Insider Threats by Fortinet, nearly 70% of organizations think insider attacks are becoming more frequent. Furthermore, IS Decisions’ research found that businesses in the US encounter around 2,500 internal security breaches daily.

One possibility is that the cleaning lady using the vacuum is a malicious insider who purposely brought the harmful device into the working environment. Although malicious insiders cause only around 5% of internal cyber incidents, their insider privileges and knowledge mean that such attacks can cause significant damage. According to Fortinet, when asked which insider threat concerns them most, 60% of enterprises named malicious insiders. Cleaning staff are often outsourced, which increases an enterprise’s exposure: the outsourced worker may be a malicious actor seeking financial gain or working for an adversary.

For half of organizations, service providers and temporary workers are the most threatening type of insider. Cleaning staff are not typically deemed a security risk and therefore do not raise alarms when doing their job. This, of course, gives them the perfect disguise.

But it is also possible that the cleaning lady unwittingly brought the device onto the company’s premises. How, you may ask? That brings us to the next vulnerability: social engineering.

Social engineering

According to Cyber Observer, 30% of cyber-attacks rely on social engineering, and this technique is one of the most common causes of a data breach. Since hardware-based attacks require physical access, social engineering is how external perpetrators often obtain it. Research by Purplesec found that 56% of social engineering attacks are carried out by malicious outsiders. To have an otherwise innocent cleaning lady knowingly bring a device into the office, a malicious actor might use social engineering techniques such as blackmail. Alternatively, the attackers themselves might want to enter the office and, again, will rely on social engineering. Simply disguising themselves as part of the cleaning staff is more likely to provide them with internal access than one would think.

How many times have you raised security concerns when you have seen unfamiliar cleaning personnel in the office? My guess is probably zero. Well, we hope that, by the time you have finished reading this, you will be a little more aware and cautious of those around you, even if you think they are not posing a security risk. (Disclaimer: we are not suggesting that you bring up a security concern every time you see cleaning staff around the office, but we do want to highlight the importance of being vigilant of everyone around you).

Sweet like Pi

What exactly is the sneaky little device we call Raspberry Pi? It was not designed to be pernicious, but rather to teach the basics of computer science. But, like anything good in life, someone has to ruin it (too sinister?). The Raspberry Pi used in the attack scenario was manipulated on the Physical Layer to act with malicious intent. Operating on the wireless USB interface, the device hides its true identity by impersonating a legitimate HID (human interface device, such as a keyboard or mouse). A lack of Physical Layer visibility means that such spoofing goes undetected.

The Raspberry Pi is just one of the many hardware attack tools available to anyone who wants, or knows how, to use them. Rogue Devices are malicious and covert by nature, which allows them to go under the radar of existing security solutions that lack complete device visibility. As a result, an attacker can use such devices to carry out a range of harmful attacks such as data exfiltration, espionage, MITM, DDoS, and more. In this specific case, the perpetrator made their presence known, but what happens when the attack occurs behind the scenes? If you cannot see the attack taking place and security solutions cannot detect the presence of the malicious device, how are you, your device, and the organization protected?

Sense and visibility

Sepio Systems has developed the Hardware Access Control (HAC-1) solution to close the gap in device visibility. As the leader in Rogue Device Mitigation, Sepio’s solution identifies, detects, and handles all peripherals; no device goes unmanaged. HAC-1 uses Physical Layer fingerprinting technology and Machine Learning to calculate a digital fingerprint from the electrical characteristics of every device and compares it against known fingerprints. In doing so, HAC-1 provides organizations with complete device visibility and detects vulnerable devices and switches within the infrastructure.

In addition to the deep visibility layer, a comprehensive policy enforcement mechanism recommends best-practice policy and allows the administrator to define a strict, or more granular, set of rules for the system to enforce. When a device breaches the pre-set policy, HAC-1 automatically instigates a mitigation process that instantly blocks unapproved or Rogue hardware.
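As an added illustration of the two points above (a spoofed HID reporting a legitimate keyboard's identity, and a policy that compares devices against enrolled fingerprints), the Python below is not Sepio's code and not part of the original post. It runs two allow-list policies over constructed Linux kernel USB enumeration lines: one keyed on VID:PID alone, which the spoofed device passes, and one that also requires attributes recorded at enrolment to match, which blocks it. The descriptor fields (bcdDevice, serial) are a hypothetical stand-in for the electrical fingerprint the post describes, which is not visible in software logs and can itself be spoofed by a capable device.

```python
import re

# Constructed Linux kernel USB enumeration lines (sample input, not from the post).
SAMPLE_LOG = """\
usb 1-1: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
usb 1-1: Product: USB Keyboard
usb 1-1: SerialNumber: K8A1F2
usb 1-3: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice= 1.00
usb 1-3: Product: USB Keyboard
usb 1-3: SerialNumber: 0000000000
"""

# Approved devices: VID:PID plus attributes recorded when the real keyboard was
# enrolled. They stand in (hypothetically) for a physical-layer fingerprint.
KNOWN = {("046d", "c31c"): {"bcdDevice": "64.00", "serial": "K8A1F2"}}

FOUND = re.compile(r"^usb (?P<port>\S+): New USB device found, idVendor=(?P<vid>[0-9a-f]{4}),"
                   r" idProduct=(?P<pid>[0-9a-f]{4})(?:, bcdDevice=\s*(?P<bcd>[\d.]+))?")
ATTR = re.compile(r"^usb (?P<port>\S+): (?P<key>Product|SerialNumber): (?P<val>.+)$")

def parse_enumerations(log):
    """Group kernel log lines into one record per USB port."""
    devices = {}
    for line in log.splitlines():
        m = FOUND.match(line)
        if m:
            devices[m["port"]] = {"vid": m["vid"], "pid": m["pid"], "product": "",
                                  "bcdDevice": m["bcd"] or "", "serial": ""}
            continue
        m = ATTR.match(line)
        if m and m["port"] in devices:
            field = "serial" if m["key"] == "SerialNumber" else "product"
            devices[m["port"]][field] = m["val"].strip()
    return devices

def evaluate(dev):
    """Return (identity_ok, fingerprint_ok): an allow-list on VID:PID alone
    versus one that also requires the enrolled attributes to match."""
    known = KNOWN.get((dev["vid"], dev["pid"]))
    if known is None:
        return False, False
    return True, all(dev[k] == v for k, v in known.items())

def audit(log):
    """Map each port to the action the fingerprint policy would take."""
    return {port: "approved" if evaluate(dev)[1] else "block"
            for port, dev in parse_enumerations(log).items()}
```

Running `audit(SAMPLE_LOG)` approves port 1-1 and blocks port 1-3, even though both announce the same VID:PID and product string.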

So, while attackers have found deceitful ways to implant a Rogue Device within a target’s premises, with HAC-1 in place that is about as far as they will go. A vacuum cleaner might be able to hide a Rogue Device from human eyes, but Sepio’s eyes see far deeper.
