As part of an academic security research that included the scanning of repositories of files, researchers came across classified operational documents that belonged to a large US-based natural gas utility operator. When approached by the researchers, the utility’s security team was surprised to discover that the documents were authentic and there was no internal evidence that had been taken out. The network containing the stolen documents was air-gapped, so there was no possibility that they were leaked through the Internet; the use of all removable media was strictly blocked so the option that someone had saved a copy of the document and taken it out was also ruled out. The investigation concluded that the internal critical network was no longer air-gapped and that it had been breached. The network was therefore not only vulnerable to exfiltration but also to injection and sabotage.
Infected Device as a Functional Mouse
When plugged in, the infected device was detected by the host PC as a combination of a fully functional mouse and HID keyboard – USB Class 3, Subclass 1, Protocol 1. Using keyboard emulation, the HID interface typed a PowerShell script which built and executed a covert channel communication stack.
By creating an out-of-band connection using the infected mouse’s wireless interface, the air-gap was bypassed. Despite keyboards being viewed primarily as input devices, one should be aware that the bidirectional communication channel for controlling keyboard functionality can also be used to exfiltrate data from an enterprise.
Sepio Systems is the leader in the Rogue Device Mitigation (RDM) market and is disrupting the cybersecurity industry by uncovering hidden hardware attacks operating over network and USB interfaces. SepioPrime, which orchestrates Sepio’s solution, identifies, detects and handles all peripherals; no device goes unmanaged.
The only company in the world to undertake Physical Layer fingerprinting, Sepio Systems calculates a digital fingerprint using the device descriptors of all connected peripherals and compares them against a known set of malicious devices, automatically blocking any attacks. With Machine Learning, the software analyses device behavior to identify abnormalities, such as a mouse acting as a keyboard.