Do you remember your first port scan? Either seeing it or doing it yourself? You were probably amazed that you could see which applications a server was running just by connecting to ports on the system and trying to interact with them. If you remember that, you probably also remember the first time you ran into a server with a host-based firewall that filtered those ports, opened them only to specific IP ranges, or had other kinds of protections to keep them from being enumerated.
Port scanning is just one of many techniques attackers have used to find a way into vulnerable systems. Historically, attackers have favored tools and techniques that sit fairly high on the OSI stack, because that is the easiest place to interact with applications and users. If you can connect as a client of the web server, you can do everything a web browser can, including exfiltrating data or tunneling obscure protocols over well-known ports to mask their signature.
However, as we have become better at detecting these attacks, adversaries have simply moved further and further down the stack. Once we quashed things in the Transport layer, the attackers moved down into the Network layer. When we stopped them there, the really creative ones figured out how to exploit the Data Link layer with MAC address attacks such as spoofing and flooding. But once we stop things in the Data Link layer, how much further down the stack can they go?
A friend recently made me aware of a device called a mouse jiggler, which is something developed and used by law enforcement to keep computers seized in raids from going to sleep and requiring passwords. It’s basically a USB dongle that acts like a hardware mouse and keeps the cursor moving regularly to avoid triggering a sleep condition on the target PC or laptop. My friend asked me about them in reference to whether or not they could be detected by software as something nefarious. He wanted to use one to look like he was at his desk when he was really taking a nap working from home. As near as I can tell, this device looks like a real mouse to the system.
Then, I went to RSA Conference. I had an opportunity to sit down with Yossi Appleboum of Sepio Systems. And my eyes were opened to a whole new world of hardware craziness. Sepio is specifically in the business of finding rogue hardware and mitigating it to prevent the really ingenious hackers from invading at a low level. Similarly to the mouse jiggler above, attackers that can get in at the physical layer are able to do all kinds of insidious things. I mean, how often do you ask yourself whether or not your mouse is secretly recording every click? Or what if it were harboring an entire Raspberry Pi computer like the one in this picture?
Our hardware is a series of microcomputers now. What if there’s just one more computer in there, doing something that isn’t critical to the operation of the device? What if it’s a small system-on-chip (SoC) in a keyboard that’s actually recording every keystroke and sending them out via a low-power cellular modem? If the SoC and antenna are integrated into the keyboard well enough, would you even be able to tell? And that’s assuming it was a job done after the fact. What if the IT department sent you a keyboard? Would you even question it?
That’s where companies like Sepio Systems come into play. They can find these devices and tell you about them. But, unlike existing companies that have to profile hardware and put it in a database, Sepio uses machine learning to figure out what looks “off” about devices. Maybe it’s an impedance mismatch compared with all the models of Logitech mice they’ve seen. Perhaps it’s a keyboard that draws more current than it should from the USB port, because a hidden SoC and radio have to be powered from somewhere. Rather than adding all these data points to a huge, unwieldy database, Sepio is instead doing it all in real time with advanced software techniques.
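To make the two approaches concrete, here is an added example (my own code, not Sepio’s product or method) that audits enumerated USB devices from the host side. It contrasts the allowlist approach (is this vendor:product ID in our database?) with a per-model baseline check on fields any host can read from USB descriptors: declared power draw (bMaxPower) and which interface classes and HID boot protocols the device exposes. On Linux these fields come from /sys/bus/usb/devices/*/idVendor, idProduct, bMaxPower and the per-interface bInterfaceClass and bInterfaceProtocol files; here the baseline, the inventory and all VID:PID values are constructed for illustration.

```python
"""Audit enumerated USB devices against a per-model baseline.

Added example, not Sepio's code: a host-side approximation of the
"does this device look like the others of its model" check, using only
fields readable from USB descriptors. Baseline, inventory and VID:PID
values are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# USB interface class codes and HID boot-interface protocols (USB-IF defined).
CLASS_CDC_COMMS, CLASS_HID, CLASS_MASS_STORAGE, CLASS_WIRELESS = 0x02, 0x03, 0x08, 0xE0
HID_PROTO_KEYBOARD, HID_PROTO_MOUSE = 1, 2
# Interface classes a plain mouse or keyboard has no business exposing.
NETWORK_OR_STORAGE = {CLASS_CDC_COMMS, CLASS_MASS_STORAGE, CLASS_WIRELESS}
POWER_TOLERANCE_MA = 50  # assumption: slack allowed before power draw is flagged


@dataclass
class Interface:
    cls: int
    proto: int = 0


@dataclass
class UsbDevice:
    bus_path: str           # e.g. sysfs name "1-2"
    vid: int
    pid: int
    product: str
    max_power_ma: int       # bMaxPower as sysfs reports it (already in mA)
    interfaces: list[Interface] = field(default_factory=list)


# Constructed baseline: how known-good units of each model enumerate.
BASELINE = {
    (0x1234, 0x0001): {"role": "mouse", "max_power_ma": 100},
    (0x1234, 0x0002): {"role": "keyboard", "max_power_ma": 100},
}
ROLE_PROTOCOL = {"mouse": HID_PROTO_MOUSE, "keyboard": HID_PROTO_KEYBOARD}


def audit_device(dev: UsbDevice, baseline=BASELINE) -> list[str]:
    """Return human-readable findings for one device; an empty list is clean."""
    findings = []
    profile = baseline.get((dev.vid, dev.pid))
    if profile is None:
        findings.append(f"unknown model {dev.vid:04x}:{dev.pid:04x} ({dev.product!r})")
        return findings  # the allowlist approach stops here; nothing to compare against

    # 1. Power: an extra SoC or radio hidden in the housing has to be fed from somewhere.
    if dev.max_power_ma - profile["max_power_ma"] > POWER_TOLERANCE_MA:
        findings.append(
            f"declares {dev.max_power_ma} mA, baseline for this model is "
            f"{profile['max_power_ma']} mA"
        )

    # 2. Role: a 'mouse' that also enumerates as a keyboard can inject keystrokes.
    hid_protos = {i.proto for i in dev.interfaces if i.cls == CLASS_HID}
    for extra in sorted(hid_protos - {ROLE_PROTOCOL[profile["role"]]}):
        findings.append(f"{profile['role']} exposes unexpected HID boot protocol {extra}")

    # 3. Class: network or storage interfaces on an input device are a red flag.
    for cls in sorted({i.cls for i in dev.interfaces if i.cls in NETWORK_OR_STORAGE}):
        findings.append(f"{profile['role']} exposes interface class 0x{cls:02x}")
    return findings


def audit_inventory(devices, baseline=BASELINE) -> dict[str, list[str]]:
    """Map bus path -> findings, keeping only devices with something to report."""
    report = {}
    for dev in devices:
        findings = audit_device(dev, baseline)
        if findings:
            report[dev.bus_path] = findings
    return report


# Constructed inventory: a clean mouse, a tampered "mouse", a clean keyboard,
# and a dongle of a model the baseline has never seen.
SAMPLE_DEVICES = [
    UsbDevice("1-1", 0x1234, 0x0001, "Optical Mouse", 100, [Interface(CLASS_HID, HID_PROTO_MOUSE)]),
    UsbDevice("1-2", 0x1234, 0x0001, "Optical Mouse", 400, [
        Interface(CLASS_HID, HID_PROTO_MOUSE),
        Interface(CLASS_HID, HID_PROTO_KEYBOARD),
        Interface(CLASS_CDC_COMMS),
    ]),
    UsbDevice("1-3", 0x1234, 0x0002, "Keyboard", 100, [Interface(CLASS_HID, HID_PROTO_KEYBOARD)]),
    UsbDevice("1-4", 0xABCD, 0x0001, "USB Receiver", 100, [Interface(CLASS_HID, HID_PROTO_MOUSE)]),
]

if __name__ == "__main__":
    for path, findings in audit_inventory(SAMPLE_DEVICES).items():
        for line in findings:
            print(f"{path}: {line}")
```

The caveat a practitioner should keep in mind: everything this script inspects is self-reported by the device. A well-built implant can copy a genuine mouse’s descriptors byte for byte, declare the same bMaxPower and hide its extra functions until it decides to use them, so the check above catches sloppy or off-the-shelf attack hardware, not a careful one. That is the gap the article’s approach is aimed at: measuring what the device actually does electrically (impedance, real current draw) rather than trusting what it claims.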
Yossi told me that a lot of his experience in looking for these kinds of attacks came from his previous career in the Israeli version of the NSA. He didn’t go into any details about what he did there, but I get the feeling he knows exactly where to look to find these kinds of low-level attacks for a reason. That’s the kind of mindset that helps you realize how important it is to get in front of physical layer attacks before they can proliferate. Imagine something as crazy as a flash storage area in place of innocuous hardware that allows a polymorphic malware program to hide or copy itself there between removal sweeps and pop back up afterward to continue causing issues. When it comes to the kinds of hardware that no one thinks twice about, you can’t be too careful.
Bringing It All Together
Once you get to the physical layer, you have to be sure you know how to protect yourself. There’s almost nothing for software to inspect at Layer 1: the host sees a driver and whatever the device claims to be. AV programs don’t scan keyboards. You can’t run a firewall on a mouse. But if you work at the kind of place where security is of the utmost importance, you really need to ensure you have accounted for all the vulnerable points in your organization. A platform like Sepio Systems adds another layer to your defense in depth and gives you visibility into invisible things attached to your systems. After all, you’d rather Sepio help you find something secreted away before the news media asks you some very public questions about it.
For more information about Sepio Systems and their physical hardware security solution, make sure you check out http://sepio.systems