Falling Tech Prices Enable Low-Budget Hackers
Hackers at the DefCon conference in Las Vegas demonstrated some of the groundbreaking, but disturbing, new techniques on Friday for breaking into computer networks.
In an era where technology is becoming more powerful and less costly, from mobile phones that act as computers to tiny eavesdropping devices, hackers have found that using these new devices can be just as effective and much less risky than traditional hacking techniques.
For example, thieves hoping to steal a person’s computer password no longer need to download malicious code to the victim’s computer. Instead, they can simply hide a tiny microphone near the user’s keyboard that can detect the sounds emitted by each keystroke and reconstruct the words the user is typing.
Similarly, someone wanting to break into a network located in a highly-secure facility can merely send a hacked iPhone to a nonexistent employee there, and then let the device scan for nearby wireless networks as it sits undeliverable in the company’s mailroom.
The demonstration showed the threat posed by physical attacks as a means to hack into computer networks, a field once defined by Dumpster diving and social-engineering scams, such as fake phone calls, that are easier to detect or avoid.
In the case of Apple Inc.’s iPhone, the device’s processing power and wireless Internet capability make the device an ideal double agent.
Atlanta-based Errata Security co-founders Robert Graham and David Maynor described how they modified an iPhone and sent it to a client company that wanted to determine the security of its internal wireless network. The duo had programmed the iPod to check in with their computers over a wireless network. Once connected inside the target company, their program scanned the wireless network for security vulnerabilities.
Although none were found, the exercise nevertheless showed an inexpensive way to perform penetration testing, and the risks of unexpected devices being used in such attacks. Had the modified iPod discovered an unsecured router, for example, the hackers would have likely been able to access the corporate network and steal data.
To keep the device running, the researchers used an extended-life battery that can last for days. However, only a few minutes were needed to test the network’s security once the iPod was inside the facility.
“It’s like saying, once you get into Willy Wonka’s Chocolate Factory, and you’re in the garden where everything’s edible, you have it all,” Graham said in an interview with the Associated Press.
However, the attack would not be successful as long as the company’s wireless network was properly secure. In that case, there would be no loss, and the package would simply be returned, Graham and Maynor said.
Another conference presentation centered on new approaches to traditional espionage tactics.
Lock-picking expert and MIT undergraduate student Eric Schmiedl presented several surveillance techniques long used by government intelligence agents, but that are now accessible to ordinary criminals due to the ever-decreasing prices of the underlying technology. Even low-budget criminals can now eavesdrop on conversations through a window, Schmiedl said, by bouncing a beam from a laser pointer off the glass and through a light sensor and audio amplifier. Assuming those inside the room are close enough to the window, their conversation causes vibrations that the equipment can translate into a basic reconstruction of the original dialogue, Schmiedl explained.
“We’re burning the candle at both ends,” he told the Associated Press.
“The technology is becoming easier and cheaper and anybody can do it. And at the same time there’s more incentive now to do it. These are two trains on a collision course. The question is when they’re going to collide.”
On the Net: