4 months ago
Most people consider a hack to be something that occurs primarily in the digital space.
However, as technology gets more physically integrated into daily life, hackers have branched out in some devious ways.
Signing into an email account while on a company-wide conference call, for example, could reveal a person’s log-in credentials. Enterprising crooks can record the sound made by keystrokes and analyze them to figure out a username and password.
“These are obviously extreme examples,” cyber security expert and host of the CyberWire podcast Dave Bittner said. But, they still highlight the degree to which unforeseen vulnerabilities in technology can pose a problem.
Naturally, the most valuable information is the most protected and is often stored on air-gapped computers, ones that aren’t connected to the Internet. An air-gap eliminates an entire realm of possibilities for hackers, forcing them to think outside the box.
But it’s not airtight.
Air-gapped computers are mostly used by the military, intelligence community, and private companies with high-value information. It’s unlikely the average person would be using them, but attacks on those computers demonstrate the extraordinary lengths hackers are willing to go.
Bittner said those hacks are “some of the most creative” he’s seen.
Here are five other creative ways hackers have been probing physical flaws for digital exploitation:
It should come as no surprise that something like a USB drive or a CD can be used to upload a virus or steal data. What’s more fascinating, however, is what can be done once a tactic like that has been used. According to the New York Times, American and Israeli intelligence officials collaborated on a virus, called Stuxnet, that damaged the Iranian nuclear weapons program. The virus was introduced into a nuclear enrichment facility in Natanz, Iran via USB drive, causing its centrifuges to lose control and explode.
A blinking LED light is harmless right? Think again. Dr. Mordechai Guri, who specializes in researching ways to penetrate air-gapped networks at Ben-Gurion University’s Cyber Security Research Center in Israel, figured out how to steal data by making a LED light blink extremely fast. The patterns transmitted data in a manner similar to morse code, Wired reports. Once malware is on a computer, perhaps placed there via USB by an unknowing accomplice, it can control the device’s light and covertly send data to a camera recording it. In the video below, Guri uses a drone to show hackers don’t even need to step inside the building to get access to what’s inside.
In the past, RealClearLife has reported on the sound of a fan inside a computer being used as a clever hack (exposed by the same geniuses at Ben-Gurion). More recently, researchers at the University of Michigan demonstrated how specially-crafted acoustic signals could be used to attack a device’s accelerometer. In demos, the team showed it could control a remote control car, trick a Fitbit into tracking steps that weren’t being taken, and even send a worded message to a computer. Their research, and many others like it, demonstrates the hardware flaws that could be exploited to have a disastrous effect, especially if automated systems are involved.
Vibrations, a form of seismic waves, have long been exploited by hackers. According to this 2011 Wired story, a smartphone’s accelerometer can record the vibration of keystrokes and determine what was typed. Achieving the same effect, someone could use a laser pointer targeted at a reflective surface on a computer or nearby object, Gizmodo reports. A sensor can record fluctuations in the laser’s reflection, caused by the vibrations, to determine keystrokes. Both of these hacks obviously have a limited range and require someone to be close to their target for it to work. More recently, Wired reported how malware could basically turn headphones into a microphone by converting vibrations in the air into electromagnetic signals.
Computers generate heat and a result, need to be cooled. The canny researchers at Ben-Gurion showed how manipulating heat generated by a computer to transmit data with an air-gapped one. By using a computer’s built-in heat sensors, hackers could use the technique, called BitWhisper, to steal passwords and other valuable info and transmit it to a nearby device (see video below). Even if hackers can’t get access to the room, Bittner suggests an infrared thermometer could be used to receive the data in a similar manner to the LED hack previously mentioned in the story.
And those are the ones that experts know about. Given enough time and energy, hackers can find a way to exploit almost any physical flaw.
—Matthew Reitman for RealClearLife