The Internet of Things will certainly pose interesting and new challenges for the enterprise. In previous blogs we have seen how ordinary chips can be manipulated to leak usernames and passwords from air-gapped systems, and how mobile devices carrying malware can be tuned to listen for these weak signals in the office and then broadcast them to the outside world. But what about threats from outside the physical office?
Researchers in Singapore have found a credible way for an Android smartphone mounted on a personal drone to eavesdrop on wireless print jobs inside offices. Researchers Jinghui Toh, Hatib Muhammad, and their Professor Yuval Elovici from iTrust, a Center for Research in Cyber Security at the Singapore University of Technology and Design, say they can exploit the fact that most IT departments believe you must be in close physical proximity to a wireless printer in order to capture the data. This is no less true when the office is in a skyscraper, high in the sky. It's just that, until now, it was hard to imagine how an attacker might climb so high without being noticed. The research team argues that inexpensive personal drones enable any attacker "to access wireless networks unobtrusively via a somewhat less expected attack vector." This includes possible targets located as high as 30 stories above ground.
"After identifying an open printer’s wireless network, the app established a similar wireless access point on the cellphone residing on the drone hovering within Wi-Fi reception range of the office building. The app tricked the office staff to assume they had sent a print job to the departmental printer while in reality they had 'printed a document into the smartphone,' so to speak."
In other words, the office staff sent print jobs intended for the printer across the room to a rogue access point instead, one mounted on a drone hovering just outside the office window. Once the smartphone captured the print job, it sent the data to an attacker's Dropbox via a common 3G/4G cellular connection. To hide the exfiltration of the data, the smartphone would then resend the print job to the intended printer a few seconds later. An alert office worker might notice a slight delay in receiving the printout, though not enough of a delay to be concerned with.
The point of this exercise was not to show that evil drones will soon be used to steal data, but that IT needs to be concerned about unencrypted wireless signals within the office, no matter where that office may be. Perhaps it seems redundant or perhaps even overkill to harden everything, even 30 stories up, yet the old saying holds: The bad guy only has to be right once.
As a means of mitigating this exposure, the team created a second Android app called "Cybersecurity Patrol" to scan for unencrypted printer signals and inform the CIO of which units needed additional security. Again they used a drone. This time, however, the smartphone would extract the manufacturer and printer type from the printer's SSID, and then the Android app would print instructions on the unsecured printer detailing how to secure the machine. What a cool pen test party trick.
The team also strapped a mobile phone to an autonomous vacuum cleaner and let it bump its way through the office. As it did so, it collected information on the security status of each printer it passed. Again, the smartphone app could provide this information to the IT staff or print remediation instructions on each vulnerable machine.
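The defensive half of the research, scanning for printers that advertise an open network and working out the vendor and model from the SSID, is easy to reproduce as a desk exercise. The following is an added example written for this post; it is not the iTrust team's "Cybersecurity Patrol" app and does not talk to a Wi-Fi radio. It runs over a constructed list of scan records of the kind any scanner produces (SSID, BSSID, security type, signal strength), flags printer SSIDs that are open, and also flags a printer SSID that is being advertised by more than one BSSID, which is the condition a rogue access point impersonating the departmental printer would create. The vendor keyword table and the remediation wording are assumptions for illustration.

```python
"""Audit Wi-Fi scan results for open printer networks and duplicated printer SSIDs.

Added example, not the iTrust team's "Cybersecurity Patrol" app. Works on a
constructed, in-memory scan; the vendor table below is illustrative only.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanRecord:
    ssid: str
    bssid: str
    security: str      # e.g. "OPEN", "WPA2-PSK", "WPA2-Enterprise"
    signal_dbm: int


@dataclass(frozen=True)
class Finding:
    ssid: str
    vendor: str
    model: str
    issue: str                 # "open-network" or "duplicate-bssid"
    bssids: tuple[str, ...]


# Assumed SSID keywords that common printer vendors put into their direct Wi-Fi names.
VENDOR_PATTERNS = {
    "HP": re.compile(r"\bHP\b|HP-Print", re.I),
    "Epson": re.compile(r"EPSON", re.I),
    "Canon": re.compile(r"Canon", re.I),
    "Brother": re.compile(r"Brother", re.I),
}

# Setup prefixes (Wi-Fi Direct style) that carry no model information.
SETUP_PREFIX = re.compile(r"^(DIRECT-[0-9A-Za-z]{2}-|HP-Print-[0-9A-Za-z]{2}-)")

# Constructed scan: one HP printer whose SSID is seen from two BSSIDs (the rogue
# AP case from the article), one open Canon, one properly encrypted Epson, and
# two ordinary corporate networks that should be ignored.
SAMPLE_SCAN = [
    ScanRecord("HP-Print-5A-OfficeJet 8600", "aa:bb:cc:00:00:01", "OPEN", -48),
    ScanRecord("HP-Print-5A-OfficeJet 8600", "de:ad:be:ef:00:99", "OPEN", -41),
    ScanRecord("EPSON_WF-3640", "aa:bb:cc:00:00:02", "WPA2-PSK", -60),
    ScanRecord("DIRECT-7B-Canon MX920", "aa:bb:cc:00:00:03", "OPEN", -55),
    ScanRecord("CorpWiFi", "aa:bb:cc:00:00:10", "WPA2-Enterprise", -40),
    ScanRecord("GuestWiFi", "aa:bb:cc:00:00:11", "OPEN", -45),
]


def identify_printer(ssid: str) -> tuple[str, str] | None:
    """Return (vendor, model hint) if the SSID looks like a printer, else None."""
    for vendor, pattern in VENDOR_PATTERNS.items():
        if pattern.search(ssid):
            model = SETUP_PREFIX.sub("", ssid)          # drop "DIRECT-xx-" style prefix
            model = pattern.sub("", model).strip(" _-")  # drop the vendor token itself
            return vendor, model or "unknown model"
    return None


def audit_scan(records: list[ScanRecord]) -> list[Finding]:
    """Group records by SSID and report open printer networks and duplicated SSIDs."""
    by_ssid: dict[str, list[ScanRecord]] = defaultdict(list)
    for rec in records:
        by_ssid[rec.ssid].append(rec)

    findings: list[Finding] = []
    for ssid, recs in by_ssid.items():
        ident = identify_printer(ssid)
        if ident is None:
            continue                      # not a printer; out of scope for this audit
        vendor, model = ident
        bssids = tuple(sorted({r.bssid for r in recs}))
        if any(r.security.upper() == "OPEN" for r in recs):
            findings.append(Finding(ssid, vendor, model, "open-network", bssids))
        if len(bssids) > 1:
            # One printer SSID from several radios: a second AP is claiming the name.
            findings.append(Finding(ssid, vendor, model, "duplicate-bssid", bssids))
    return findings


def remediation_notice(finding: Finding) -> str:
    """Plain-text notice a defender could hand to the printer owner (assumed wording)."""
    lines = [f"Printer {finding.vendor} {finding.model} (SSID '{finding.ssid}') needs attention."]
    if finding.issue == "open-network":
        lines.append("Its wireless network accepts connections without encryption: enable WPA2 "
                     "on the printer, or disable its direct Wi-Fi network and use the corporate WLAN.")
    else:
        lines.append(f"Its SSID is advertised by {len(finding.bssids)} access points "
                     f"({', '.join(finding.bssids)}); only one should exist, so verify the others.")
    return "\n".join(lines)


if __name__ == "__main__":
    for f in audit_scan(SAMPLE_SCAN):
        print(remediation_notice(f), end="\n\n")
```

Feeding the audit with real scan output (for example the SSID/BSSID/security columns from a platform scanner) is the only change needed to use it on a real floor; the duplicate-BSSID check is the one that would have surfaced the drone-mounted phone in the experiment, because the phone's access point had to advertise the same name as the departmental printer.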
The researchers note that almost any device today could be broadcasting data in the clear. They said they chose wireless printers because often they are the weakest link in enterprises. Even wireless printers located 30 stories off the ground.
Robert Vamosi is a CISSP and award-winning journalist. He is also the author of When Gadgets Betray Us: The Dark Side of Our Infatuation With New Technologies (Basic Books).