It’s Cybersecurity Awareness Month! In honor of the theme — Do Your Part. #BeCyberSmart — we’re doing our part by educating IT teams and organizations on protecting themselves. Throughout October, the JumpCloud blog will focus on top cybersecurity issues, from IT admin best practices to CISO responsibilities. Tune back in throughout the month for new cybersecurity content or check out our archive of existing security articles for cybersecurity insights written specifically for the IT professional.
It’s Security Awareness Month and we’d be remiss not to highlight the importance of mitigating hardware-based attacks. These attacks are becoming more commonplace, can bypass most authentication and endpoint security systems, and are challenging to trace. Attackers are adapting their modus operandi to leverage weaknesses in how operating systems manage hardware. The Postal Service, your employees, and even commercial products stacked on the shelves of big box stores are the latest and least understood avenues of attack. Training, internal controls, zero-trust access controls, and supply chain management must adapt in kind.
This problem is so prevalent that Honeywell Cybersecurity Research warned about it in June 2021. Key findings were that 79% of cyber threats originating from removable media were ‘critical’ to Operational Technology in heavy manufacturing and that the amount of malware specifically engineered for that attack vector doubled year-over-year. The U.S. Centers for Medicare and Medicaid similarly advised about the threats posed to healthcare devices. A USB drive or a rogue device masquerading as a keyboard can bypass EDR and NAC security systems, exposing mission-critical systems to MitM attacks, industrial espionage, and ransomware. This was ‘James Bond’ stuff 5-6 years ago, but cyber criminals are now targeting industries including manufacturing and healthcare using the Layer 1 attack vector. Hackers recently mailed devices to companies throughout the United States; another threat is coming from ‘inside the house’ as remote workers return to the controlled office environment.
Why Care about Hardware Based Attacks?
Operating Systems are Too Trusting
Hardware-based attacks are happening because the USB standard did too good of a job simplifying the process of connecting peripherals to systems, which is exactly what it was designed for. There are instructional YouTube videos on how to spoof a trusted vendor’s Device and Class IDs, which are identifiers that operating systems use to recognize hardware such as keyboards. Crooks can replicate the look and feel of a known device, such as a keyboard, but have additional components hidden within the chassis that house a hidden malware payload.
These can be categorized into the following groups:
Rogue Devices: These include fake peripherals, a Raspberry Pi Zero impersonating a legitimate device’s logical parameters, and the O.M.G. cable and NSA Cottonmouth, which appear to be legitimate smartphone chargers or cables but are actually USB implants equipped with remote access tools or malware.
- These devices can load malware or become wireless USB interceptors
- It doesn’t take the brightest engineer to master how to make one
- Information is available in public repositories online
Repurposed Devices: The Proxicast PocketPORT 2 is a tiny 3G/4G/LTE modem-to-ethernet bridge that can serve as a modem or router. Criminals have used this for deep monitoring within the financial services industry at a Tier 1 bank. Such a device could work over a passive cable connection, siphoning power from your systems. They’re not easy to find and remain hidden.
Secure IoT Devices: Internet of Things devices aren’t famous for quality security. There are examples where IoT devices have been used to clog networks or engage in Bluetooth attacks including BlueBorne and Bleedingbit. Other flaws exploit the methods that IoT products use to discover one another for easier installation; malware can utilize that ability to propagate itself. These devices are often not easy to update and can become an overlooked attack vector within the network.
How it Happens
I recently had the pleasure of working with ‘retired’ intelligence agents from one of the world’s leading agencies. They now work with a company that’s addressing this problem and shared a few tales about how these attacks might (and probably did) occur:
- Devices are mailed to targeted companies
- A rogue state outsourced operations to target a U.S. power plant by way of a criminal syndicate that handled delivery of the device onto the plant floor.
- Affluent areas are targeted ‘like lottery tickets’ and thieves swap hardware from big box store shelves and replace the goods with a rigged product. The assumption is that wealthier people have more to hide, and more to lose.
- Fake cable company workers knock on doors within a neighborhood, establishing trust, and then show up at the intended victim’s domicile with a ‘free gift’.
- Tailgating, where a friendly looking individual carrying a keyboard is allowed access to an organization’s facilities, being mistaken for an IT person who will ‘finally fix that problem’. Bearing donuts was a favorite trick of the former intelligence agent I know. Who doesn’t like someone who’s carrying a box of goodies?
There are now purpose-built systems to scan and control access to the physical layer, making it possible to uncover rogue devices without mirroring your network traffic. This is an emerging space to which industry analysts and security professionals are paying greater attention. The founders of some household-name security companies are on the boards of start-ups addressing hardware-based access control. These solutions are typically not intended for Small and Medium Sized Enterprises (SMEs), however. Your controls are more likely to be targeted.
- Utilize a policy to block removable storage media
- Have your security systems configured to check for anomalous behavior such as USB drive activity outside of normal work hours.
- Deploy a quality EDR solution to isolate malware and trigger alerts
- Have the ability to quarantine/isolate infected devices
- Conditional Access can be utilized to direct a specific host IP address to a Zero Trust Exchange Platform that will assess whether that device should access your network and determine ‘trust’, depending on system state. We’ll link back with instructions about how to accomplish this integration over the coming weeks.
- Consider using a cloud-based least-privilege file sharing platform to control access to sensitive data. There are several excellent options. Alternatively, set up shared NTFS folders on local machines with the appropriate permissions before granting anyone access.
- Control access to network storage devices (NAS/SAN, or even an online file system) that use LDAP or SAML with a directory using group membership; JumpCloud uses attribute value conditions such as job title or department, but Windows uses nested groups. Admins who are following the older nested method of grouping may encounter redundancies and not be proactively alerted if there’s a violation of a business rule that’s not baked into group membership.
- Some permissions can be assigned through attributes if you’re using SAML. Least privilege settings are otherwise commonly configured directly on those devices.
- Use VLANs and network access control as much as possible. You may use VLAN steering to select and define user access to network resources. These are simple RADIUS attributes that are assigned through our RADIUS service.
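The ‘anomalous USB activity outside of normal work hours’ check from the list above, as an added example that is not part of the original post or of any JumpCloud product: it parses constructed syslog lines modelled on the Linux kernel’s USB enumeration message and flags insertions that happen outside a hypothetical 08:00–18:00 weekday window or whose vendor/product pair is not on a hypothetical IT-issued allowlist.

```python
import re
from datetime import datetime, time

# Constructed sample lines (not real logs), modelled on the kernel's
# "usb X-Y: New USB device found, idVendor=..., idProduct=..." message.
SAMPLE_LOG = """\
2021-10-05T09:12:44 host1 kernel: usb 1-2: New USB device found, idVendor=046d, idProduct=c31c
2021-10-05T23:41:02 host1 kernel: usb 1-3: New USB device found, idVendor=0781, idProduct=5583
2021-10-09T14:05:17 host2 kernel: usb 2-1: New USB device found, idVendor=1d6b, idProduct=0002
2021-10-06T10:30:00 host2 kernel: usb 1-1: New USB device found, idVendor=abcd, idProduct=1234
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) kernel: usb (?P<port>\S+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)

# Hypothetical business hours and allowlist of IT-issued (idVendor, idProduct) pairs.
WORK_START, WORK_END = time(8, 0), time(18, 0)
ALLOWED = {("046d", "c31c"), ("1d6b", "0002")}


def parse_usb_events(text):
    """Return one dict per recognised USB enumeration line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def flag_events(events, allowed=ALLOWED):
    """Return (host, port, vid, pid, reasons) for every event that needs a look."""
    findings = []
    for ev in events:
        reasons = []
        ts = ev["ts"]
        # Weekend (Mon=0 .. Sun=6) or outside the business-hours window.
        if ts.weekday() >= 5 or not (WORK_START <= ts.time() < WORK_END):
            reasons.append("outside work hours")
        if (ev["vid"], ev["pid"]) not in allowed:
            reasons.append("unknown vendor/product")
        if reasons:
            findings.append((ev["host"], ev["port"], ev["vid"], ev["pid"], reasons))
    return findings
```

The allowlist alone is weak evidence, since the post notes that a rogue device can spoof a trusted vendor’s identifiers and would pass it; the time-of-day and per-host context is what makes the alert worth triaging.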
Effective mitigation also comes down to training your staff on the principle of ‘if you see something, say something’. Strangers should be reported, and if possible, leverage proximity badges and employee IDs. More advanced controls can include a mantrap, deploying CCTV, or hiring security guards. Also keep in mind that employees could be disgruntled or compromised; ensuring that your people are happy, appreciated, and motivated plays a role in security. Manage your emotional culture: insider threats can and do occur, especially if someone is motivated to fulfill an emotional need, and criminals will try to exploit those pressure points.
You won’t have that controlled environment at your disposal when employees work from home. Train your employees to be vigilant and on the lookout for scams, odd packages, ‘free’ gifts, and requests for home mailing information in the form of phishing emails. Cyber criminals are well organized and will adapt to changing work conditions as Work from Anywhere normalizes.
Supply Chain Integrity
The worst case is if the rogue device comes from the inside, from you to your employees. Don’t bow to financial pressure; being pennywise is pound foolish while rogue devices are infiltrating online merchants. We all think about smart budgeting, but saving a few dollars on inexpensive peripherals may not be worthwhile given rising supply chain risk. There’s a very valid reason why the U.S. Federal Government has issued executive orders and guidance for government agencies to fully vet suppliers. You may not be the Feds, but taking measures such as having your purchasing department use legitimate suppliers, and avoiding whitelabel and some secondhand devices, is advisable in today’s environment. You may also consider adopting ISO’s SPDX supply chain standard.
There are global ‘hotspots’ for this activity in Asia and Eastern Europe, but it’s a small, integrated world through global commerce and online auction sites. Don’t buy from a supplier that you don’t know and trust and you should be fine. Find other ways to cut your costs.
The IT industry has done a decent job of discussing threats to the network and software buckets of cybersecurity, but hardware-based attacks are something that’s not frequently talked about or well understood. Be aware that this is an emerging threat that we’ll be hearing more about and take precautions to be proactive before your organization is among the first to get caught unprepared and scratching its head during a post mortem analysis of what went wrong.
JumpCloud is free for 10 users and 10 devices, so you can begin to evaluate platform policies (blocking removable media, conditional access), Conditional Access policies, and network segmentation within your own environment. We’ll even include premium 24×7 in-app live chat support for the first 10 days. Hardware-based attacks are difficult to mitigate, but you can cordon off your confidential data and begin raising awareness about this problem among users as well as cohorts in purchasing.