Saturday, February 2, 2013

Pen Testing & Hardware Hacking: Hacking Laptop Docking Station

Very slick idea, by NCC Group's Research Director Andy Davis.

NCC link

I suspect Andy Davis prefers to exploit hardware vulnerabilities; I also found this notice about a USB Mac Lion exploit discovered by him:

It is an "Arbitrary Code Execution (bug triggered by USB device insertion)."

I think (my opinion, no hard data to support) that providing security from hardware hacks like this is a lot harder than defending against more common computer threats like phishing, Java exploits, weak passwords, etc.

Not objectively harder, but practically harder, because providing good security from hardware hacks requires people with skills from both physical security and computer security.

As well as budget support from upper management, the hardest type of support to secure.

The budget support is for good vetting and retention of cleaning personnel. I have mentioned this before in relation to hardware attacks.

It is difficult to convince higher management of the security need to pay 3-5 times more than a business is used to for custodians.

Think about it: social engineering attacks, or working as part of a cleaning crew, would allow easy placement of a device like this.

How many companies care enough about security to pay good wages to keep good, vetted, in-house custodians vs. using a contractor-provided cleaning crew?

Those cleaning crews tend to have high turnover and, because of the high turnover, they tend to have low standards for hiring.

They need to keep hiring people that won't be paid much or be treated with much respect, so they tend to hire many people that have problems (criminal records, drug/alcohol, etc).

Even if they use in-house custodians, it still tends to be a low-pay, low-status job, with a lot of turnover and generally low standards for hire.

Remember, custodians or cleaning crews tend to have physical access to the entire company; heck, they are normally given keys.

It is trivially easy for someone on a cleaning crew to swap out an existing dock for a hacked one, or to install hardware keyloggers.

