Uncover hardware-based cyber threats by drilling down into device DNA

August 2024 by Rob Pocock, Technical Director at Red Helix

Picture these scenarios. In one, the office printer breaks down, so a technician is called in for repairs. They stride into the office, fix the printer, and leave with a friendly wave. In another, an employee needs an ergonomic mouse or keyboard and their office manager finds one online for a third of the price of their usual supplier. They make the savvy purchase, and when it arrives, the employee eagerly plugs it into their computer’s USB port. Finally, while attending a bustling trade show, an employee is handed a complimentary charging cable. They return to the office, connect it to their laptop’s USB port, and start charging their phone.

In every scenario, each seemingly innocuous and routine, the company falls victim to a hack. In the first, the technician made changes to the hardware, or installed a recording device, which began monitoring and recording every single file sent to the printer. This information could then be sent via Wi-Fi to a malicious third party. In the second, something similar occurred. The keyboard may have had a keylogger inside that recorded each keystroke made by the employee when they used the device.

Finally, in the third, instead of an official Apple or Samsung cable, the employee received an O.MG Cable – an almost exact replica with one tiny difference – a minute chip embedded inside that can deliver a malicious payload. This technology is cheap, around £200, and can be used for legitimate purposes by red teams, but this low price means many threat actors can easily afford them.

Crucially, these attacks can start with an unassuming technician, a disgruntled employee, or even a cleaner with malicious intent, and are almost entirely untraceable. This type of cyber attack could happen at any time, to any device, and there are very few ways for businesses to detect it. And it starts at the physical layer.

When access discovery tools don’t discover
One of the most common ways to protect layer one, or the physical layer, is with access discovery tools. These can be used to identify devices on a business’ network and determine whether a device is what it says it is.
For network devices, they do this by checking identifiers such as the Media Access Control (MAC) address to confirm the manufacturer, the IP address, the subnet or VLAN it is on, and its responses to Simple Network Management Protocol (SNMP) requests, or by analysing the protocols the device is using. For USB peripherals, they may look at the Vendor Identifier (VID) and Product Identifier (PID).
However, for the determined hacker, all of these identifiers can be easily faked, leaving an enterprise in the unfortunate position of believing its network is full of genuine, authorised hardware when in reality that is far from the truth.
Now, it may initially sound like an easy fix – don’t let employees use unauthorised equipment and only source network hardware from reliable suppliers. But with long supply chains and delivery times for some network equipment, it’s all too easy to fall short. Likewise, with many employees now working from home (at least some of the time), having control over what they plug into their USB ports is impossible.

Finding a device’s DNA fingerprint
To ensure protection, businesses need a system that stops threats before they can even connect to the network. This is challenging when hackers target the physical layer, because traditional access discovery tools cannot identify these threats, allowing compromised devices to connect unnoticed.
For instance, very few people would question the appearance of an Apple charger cable left in the board room, ready for the CEO to discover when their phone needs a power top-up. There are also very few who would recognise that overnight their wireless Microsoft keyboard had been replaced with a compromised version.
To counter this, companies can use systems that determine a device’s identity by creating a DNA fingerprint. This advanced method provides a deeper level of security, ensuring that devices are authentic and have not been tampered with.
These systems go beyond traditional methods and assess the electrical characteristics of devices, analysing timing, resistance and impedance, among other things, to create a unique DNA fingerprint. This fingerprint is compared against a vast database of 28 million devices to verify authenticity and detect any anomalies, and it works even for bespoke or unique equipment. If a device does not match its expected characteristics, the system immediately stops it from functioning and sends an alert for further investigation.
For example, in manufacturing, healthcare and pharmaceuticals, these systems can easily build a DNA profile and, through the use of AI, learn the characteristics of your equipment. They send an alert when a device has been altered and thwart the attack before the device makes its first connection, providing an instant response and preventing potential breaches.
Unlike Endpoint Detection and Response (EDR) and Network Detection & Response (NDR) solutions, which focus on network traffic and endpoint behaviour, this system scrutinises whether a device is genuinely what it claims to be or if it has been altered to pose a security risk.
The system can be applied across various devices, including servers, laptops, network photocopiers, and Wi-Fi access points. It examines devices physically connected to the network and those directly connected to computers via ports, ensuring comprehensive protection. By focusing on securing the physical layer, businesses can counteract sophisticated attacks that bypass traditional perimeter defences and provide an added layer of security against covert and hard-to-detect threats. Ultimately, this helps secure the supply chain by giving companies the means to test if the devices they use are legitimate.
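To make the distinction above concrete, here is an added example (not the author's or any vendor's code) contrasting an identifier check with an electrical-fingerprint check: the VID/PID pair, tolerances and measured values are all constructed, and the feature names are hypothetical stand-ins for the timing, resistance and impedance characteristics the article mentions.

```python
"""Added example: a spoofable VID/PID allowlist beside a baseline of
electrical characteristics. Every value below is constructed."""
from dataclasses import dataclass

# Constructed baseline for one known-good device type, keyed by (VID, PID).
# Each feature maps to (expected value, allowed relative deviation).
BASELINE = {
    (0x1234, 0x5678): {                       # placeholder VID/PID
        "enum_time_ms": (12.0, 0.15),         # time to finish USB enumeration
        "vbus_resistance_ohm": (1800.0, 0.10),
        "data_line_impedance_ohm": (90.0, 0.08),
    },
}

@dataclass
class Observation:
    vid: int
    pid: int
    features: dict  # feature name -> measured value

def identifier_check(obs):
    """Traditional check: is the VID/PID pair on the allowlist?
    A device reporting a copied descriptor passes this trivially."""
    return (obs.vid, obs.pid) in BASELINE

def fingerprint_check(obs):
    """Compare measured electrical features to the baseline profile.
    Returns (ok, deviations); deviations lists features out of tolerance."""
    profile = BASELINE.get((obs.vid, obs.pid))
    if profile is None:
        return False, ["unknown identifier"]
    deviations = []
    for name, (expected, tol) in profile.items():
        measured = obs.features.get(name)
        if measured is None:
            deviations.append(f"{name}: not measured")
            continue
        if abs(measured - expected) / expected > tol:
            deviations.append(f"{name}: {measured} vs {expected}")
    return not deviations, deviations

def verdict(obs):
    """Block on fingerprint mismatch even when the identifiers look right."""
    if not identifier_check(obs):
        return "block: unknown identifier"
    ok, deviations = fingerprint_check(obs)
    return "allow" if ok else "block: " + "; ".join(deviations)

# Constructed readings: a genuine unit, and a unit with the same VID/PID whose
# added implant shifts enumeration timing and the load seen on VBUS.
GENUINE = Observation(0x1234, 0x5678, {"enum_time_ms": 12.4,
    "vbus_resistance_ohm": 1750.0, "data_line_impedance_ohm": 92.0})
IMPLANTED = Observation(0x1234, 0x5678, {"enum_time_ms": 19.0,
    "vbus_resistance_ohm": 1200.0, "data_line_impedance_ohm": 91.0})
```

Both observations pass `identifier_check`; only the genuine one passes `fingerprint_check`, which is the gap the article describes between discovery tools and a physical-layer fingerprint.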

Stop threats at layer one
Staying vigilant means recognising that threats can originate from the most unexpected sources. The physical layer is often overlooked, yet it is a critical point of vulnerability. By implementing advanced detection systems that operate at this foundational level, businesses can protect themselves from sophisticated and almost untraceable attacks.
The key is to stop threats before they even connect to the network, ensuring the security and integrity of all connected devices – which has been virtually impossible until now.

