Better Controls & Strategies Needed to Thwart Physical Cyber-Attacks

The old adage ‘old ways won’t open new doors’ doesn’t necessarily hold true in cybersecurity. Oftentimes, exploitation of old technologies completely circumvents organizational policies, best practices, appliances and protections, resulting in compromise, data breaches and overall panic among the C-suite. Such attacks include buffer overflows, exploitation of dated SSL libraries, and the speculative-execution and cache side-channel attacks that affected every device with a modern x86 or ARM processor. The physical aspects of cybersecurity are no stranger to threats either. From BadUSB to the decade-old Evil Twin Wi-Fi attack, exploiting vulnerabilities in the physical access required for business operations can still have a large impact on digital infrastructure, regardless of logical security controls. While information security professionals often overlook the physical attack vector landscape, these attacks remain valid tools in a threat actor’s toolkit.

One of the most recent examples of an attempted physical cybersecurity attack occurred earlier this year at Mar-a-Lago, wherein an individual attempted to infiltrate the US President’s resort and vacation home. The person in question was found with four cellphones and nine USB drives in her room. One of these USB drives was reported to contain malware. Last year in the Netherlands, Dutch authorities thwarted a group of individuals headed to the Organization for the Prevention of Chemical Weapons (OPCW) headquarters with an arsenal of Wi-Fi tools including Alfa cards, Wi-Fi Pineapples, and panel antennas with the intent to disrupt, if not penetrate, the organization’s networks. Clearly, the physical domain remains a relevant option for cyber threat actors.

Concerns about these physical vulnerabilities only grow once the low cost of exploitation is considered. Some professionals might assume that the individuals who attempted these exploits are well-funded, associated with advanced persistent threats, and pursue only high-value targets. But in the examples provided, nothing publicly known about their hacking arsenal was anything other than open-source or widely available and cheap to purchase; Wi-Fi Pineapples cost around US $100 and USB Rubber Duckies a mere US $40. Some professionals might also describe these attempts as unsuccessful, but as members of the private sector cybersecurity community, most professionals do not have the resources of the U.S. Secret Service or Dutch intelligence officials readily available. Also, the two examples provided are only the attacks that were made public.

The true number of successful attacks may forever remain a mystery, yet certain examples are publicly dissectible. In a document provided by ICS-Shipping.org titled The Guidelines on Cyber Security Onboard Ships, several real-world examples are cited in which onboard power controls and navigation systems on shipping vessels were infected with malware via USB devices. Even more prominently, the Stuxnet worm was reported to have entered devices via USB drives. Considering these attacks from a broader view than the stories that make headlines, it becomes evident that those responsible for physical cybersecurity must recognize that multiple threats and exploits exist that are cheap, easy and hard to attribute. This is a recipe for easy attack vectors into organizational networks that are nearly impossible to trace, especially if an organization is complacent or outdated in its security posture.

Physical security isn’t always at the forefront of a cybersecurity professional’s mind. The need for comprehensive, holistic protections and frameworks is paramount. The cybersecurity community also needs to come together to revisit threat tactics, techniques and procedures, rethink tabletop exercises, and brainstorm new ideas and ways forward. At Infosecurity Europe, ISACA will conduct a workshop, Radio Realities: Hands on WiFi and Physical Access, to demonstrate some of these capabilities and methodologies while facilitating a discussion on what cybersecurity professionals can do to create better controls and inform users and executives of the dangers that are out there.
