Tom Olzak

Hardware Hacking Defense: Can you say physical security?

In Access Controls, Cybercrime, Data Security, Hacking, Security Management on August 5, 2009 at 11:30

I’ve been stuck in the land of physical security lately.  The reason I can’t seem to extricate my brain is the dismal facility security many organizations practice.  It’s the lack of good physical security, including employees’ reluctance to challenge strangers browsing the work area, that makes hardware hacks a real possibility.

Unlike software keystroke loggers and other nasty malware, which are typically picked up through poor user habits combined with a lack of Web browsing controls, hardware hacks are virtually invisible to AV software.  (See the vendor-agnostic whitepaper, Keystroke Logging, at http://ow.ly/jaeU.)  For example, a firmware hack for Apple keyboards was demonstrated at DEFCON 2009.  A related video (http://ow.ly/jahK) shows security researcher K. Chen gathering keystrokes from a laptop via a compromised keyboard.  What sets this hack apart is that it takes over the keyboard’s own firmware, so there is no need to take the keyboard apart and install a logging component.  The precondition is the same as for every other hardware logger, however: physical access to the hardware by an attacker means game over.

This hack, and others like it, requires physical access to your computers.  How do you keep bad people away from your information resources?

  • Lock your doors.  Only authorized personnel should have access to your business office.  (If you aren’t securing your datacenter, this bullet is meaningless…)
  • Train your employees to notify security—or management if on-site security personnel aren’t available—when someone they don’t recognize is in the office area without a guest badge.  (This assumes your organization actually makes real employees wear employee badges and guests wear guest badges.)
  • Make sure your employee training covers social engineering.  For example, an employee should know that when a stranger says they are replacing the widget control on the computer’s frazzilator, there may be something amiss.  In any case, strangers unaccompanied by regular employees, even if carrying a tool bag, are to be considered suspicious and reported.
  • Even if a person has a guest badge, unexplained lingering around cubicles or use of an employee system should be reported.  If unexplained access was gained to a workstation, consider replacing it.  At a minimum, verify that:
    • The keyboard is standard company issue.  (You might consider marking keyboards so they are identifiable as yours.)
    • There are no unusual components connected to the keyboard cable.
    • There is no unexplained hardware anywhere in the cubicle.
    • The Event Logs show no trace of an attack.  (Any attacker worth his or her fee will eradicate any traces of unusual activity, given enough time.)
    • Your intrusion detection/prevention logs don’t indicate the PC is sending or receiving unusual traffic.
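The “no unexplained hardware” checks above are a physical inspection, but the part that can be automated is comparing what a workstation enumerates today against what it enumerated when it was issued.  The script below is an added example, not code from the original post: it parses `lsusb`-style output (the sample lines and the baseline are constructed for illustration; the vendor/product IDs are hypothetical for this workstation) and reports devices that are unexpected, present in greater numbers than recorded, or missing.  On a real Linux host you would feed it `subprocess.check_output(["lsusb"], text=True)`; the same logic applies to any OS’s device inventory.

```python
"""Compare the USB devices a workstation enumerates against a baseline
recorded when the machine was issued.

Added example; not part of the original post.  Input is lsusb-style text
(constructed sample below) so it runs offline.
"""
from collections import Counter, namedtuple
import re

# Constructed sample: what `lsusb` might print on a workstation under audit.
SAMPLE_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 05ac:0220 Apple, Inc. Aluminum Keyboard (ANSI)
Bus 001 Device 003: ID 046d:c077 Logitech, Inc. M105 Optical Mouse
Bus 001 Device 004: ID 05ac:0220 Apple, Inc. Aluminum Keyboard (ANSI)
Bus 001 Device 005: ID 0781:5583 SanDisk Corp. Ultra Fit
"""

# Constructed baseline: (vendor ID, product ID) -> count recorded at issue.
BASELINE = {
    ("1d6b", "0002"): 1,   # root hub
    ("05ac", "0220"): 1,   # the one company-issued keyboard
    ("046d", "c077"): 1,   # the one company-issued mouse
}

LSUSB_LINE = re.compile(
    r"Bus \d{3} Device \d{3}: ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\s*(.*)$"
)

Finding = namedtuple("Finding", "kind vid pid name detail")


def parse_lsusb(text):
    """Return a list of (vid, pid, name) tuples, one per enumerated device."""
    devices = []
    for line in text.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if m:
            vid, pid, name = m.groups()
            devices.append((vid.lower(), pid.lower(), name.strip()))
    return devices


def audit_devices(devices, baseline):
    """Compare enumerated devices with the baseline.

    Finding kinds:
      unexpected - an ID that was never on this workstation (drop box, hub)
      extra      - an allowed ID seen more often than recorded (a second
                   keyboard is worth a look)
      missing    - a recorded ID no longer present (the issued keyboard may
                   have been swapped for a look-alike)
    """
    seen = Counter((vid, pid) for vid, pid, _ in devices)
    names = {(vid, pid): name for vid, pid, name in devices}
    findings = []
    for key, count in sorted(seen.items()):
        expected = baseline.get(key, 0)
        if expected == 0:
            findings.append(Finding("unexpected", key[0], key[1], names[key],
                                    f"seen {count}, not in baseline"))
        elif count > expected:
            findings.append(Finding("extra", key[0], key[1], names[key],
                                    f"seen {count}, expected {expected}"))
    for key, expected in sorted(baseline.items()):
        if seen.get(key, 0) < expected:
            findings.append(Finding("missing", key[0], key[1], "",
                                    f"seen {seen.get(key, 0)}, expected {expected}"))
    return findings


def audit_lsusb(text, baseline):
    """Convenience wrapper: parse lsusb text, then audit it."""
    return audit_devices(parse_lsusb(text), baseline)


if __name__ == "__main__":
    for f in audit_lsusb(SAMPLE_LSUSB, BASELINE):
        print(f"{f.kind:10} {f.vid}:{f.pid} {f.name or '-'} ({f.detail})")
```

On the sample this flags the second keyboard as `extra` and the SanDisk stick as `unexpected`.  The caveat is the whole point of the post: a keyboard whose firmware has been taken over, as in the Chen demonstration, still enumerates with its original IDs, and a passive in-line logger on the cable may not enumerate at all.  This check catches hardware that announces itself; the physical inspection of the keyboard, cable and cubicle still has to be done by a person.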