Security Week 35: keyboard interception via WiFi, attack on ATMs using EMV chip, new IoT botnet

    Intercepting keyboard input is gradually becoming my favorite category of infosec news. I already wrote about a series of studies by Bastille Networks: they examined in detail how wireless mice and keyboards talk to their receivers and found that, for a number of manufacturers, the security is not very good. One can recall even older news about intercepting keyboard input by analyzing video.

    What I like about them is that they are (for now) theoretical studies of potential future threats. In practice, passwords are stolen by keyloggers, and on a massive scale, but that is a different topic. A new study (news and PDF) by a team of American and Chinese scientists shows how keyboard input can be intercepted given access to low-level data on the operation of a Wi-Fi router.

    No, well, cool, right? The researchers used an ordinary TP-Link WR1043ND router, and interception required the router to operate in the WiFi 802.11n/ac standards. Of course, access to the router was required, which, as we know, is quite easy to obtain, either through vulnerabilities or through misconfiguration. By analyzing the Channel State Information data, they were able to track even small movements within the router's coverage area. This works because CSI carries data on the quality of the radio channel, which is normally used for the simultaneous operation of several antennas (MIMO), for switching to other frequency ranges, and for adjusting the transmit power.

    Insinuations under the cut. All digest editions are here.

    Put simply, this is what happens. A person (cat, flower pot) moves around the room, which affects the quality of data transfer. The router analyzes this data as the standard prescribes and changes the transmission parameters so as to maintain the required speed. It turned out that when a person is simply sitting at a computer and typing, the tiniest fluctuations in the Channel State Information parameters make it possible to identify which key was pressed. That is basically all there is to it. Then theory collides with harsh reality, but not completely. Firstly, you need to hack the router: ok, that can be arranged, perhaps. Secondly, you need to calibrate the system; the researchers suggest doing this, for example, via a chat with the user: when it becomes known on the other side which characters are typed,

    Target parameter values depending on which letter is pressed on the keyboard.

    Thirdly, anything, even the neighbors, even a car passing by, can throw off the fine-tuning. The study therefore makes the reservation that the successful experiment was conducted under controlled conditions (minimal external factors). The accuracy, however, is phenomenal: a 97.5% chance of successful interception. Under real conditions, the authors suggest, the probability will drop to 77.5%, but that is still a lot. Especially if you are able to analyze the data over a long period, and that is exactly the scenario here.

    It seems to me that there will be more and more such “discoveries”, and at some point (not soon), alas, such horror stories will start being put into practice. The complexity of computer systems is growing, they are used everywhere and in huge numbers, and the number of people who know how all this actually works is not increasing. In general, there is no need for it: the time when “using a computer” and “programming” meant roughly the same thing has long passed. On top of that, the amount of information from which human behavior can be identified keeps growing. New systems are emerging that can pick out particles of meaning from what looks like complete chaos. For now, “intercepting a keyboard via WiFi” looks strange, but it will happen anyway. Because research is interesting.

    RIPPER malware robs ATMs using specially prepared EMV chips

    News

    Last year, the United States widely discussed switching to chip cards (known as EMV) to protect against the growing volume of financial cyber fraud. Unlike Russia or Europe, the States still use magnetic stripe cards everywhere, and by modern standards this is completely unsafe: they are easy to clone, it is easy to steal information from them, and so on. EMV is still regarded as a reliable technology. This news... No, this news is not about EMV being hacked. But there is a possibility that it is one small step in that direction.

    A fairly massive attack on ATMs in Thailand was recently reported, in which a little under 400 thousand dollars was stolen from them. Researchers at FireEye suggest that the attack could be related to a piece of malware they found, known as RIPPER. To carry out the attack, the ATM first had to be infected. But the trigger for the malware was a specially prepared chip on a card. That is: the card is inserted, the malware recognizes it as its own and opens the Holy Grail. The grail turned out to be somewhat tight-fisted and did not dispense more than 40 bills in one go, so the criminals had to keep running around. EMV is the main difference between this attack and similar attacks that have been known since 2009; for example, you can read about Skimer.

    This example of a financial cyber attack confirms that on the user's side, EMV technology is reliable. But on the side of the retail network or the bank, there can be nuances. The infrastructure of modern payment systems is constantly under attack, and since real money is involved, weaknesses periodically turn up somewhere along the path data takes from an ATM or terminal to the bank itself. And one more thing: the very use of the chip suggests that the other side is actively probing this technology for weaknesses.

    Botnet of hundreds of thousands of vulnerable IoT devices used for DDoS attacks

    News. Level 3 study.

    The fact that autonomous home devices, such as webcams or digital set-top boxes, are being hacked en masse and actively assembled into botnets is, unfortunately, not news. It is still debated whether such devices fall under the concept of the Internet of Things, but really, why not? As I see it, the IoT of the future will consist of smaller and more numerous devices on a variety of platforms, whereas network webcams are almost full-fledged computers, most often running almost full-fledged Linux. Otherwise the criteria are met: the owners of these devices see them as a black box that you simply switch on and forget, and do not even think about how well protected the device is.


    Nevertheless, Level 3's research is striking in the scale of the botnet family it uncovered: the organizers of the attacks are claimed to control hundreds of thousands of devices. Some technical details are also interesting, especially in light of the inevitable zoo of multi-standard IoT devices in the future. One would think that the differences in software and hardware should complicate the attackers' work. But no. Firstly, the study pays no attention to hacking methods, because no real hacking takes place there: default passwords on Telnet exposed to the Internet are the whole story (though malware is used as well). Secondly, an example of the mechanism for downloading and launching the “payload” is given. The botnet builders do not bother at all: they take turns loading their builds for different platforms onto a new device, one after another, until one of them starts.
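    A defender-side illustration of the behavior just described, added here as an example and not taken from the Level 3 report: flag a local host that, within a short window, fetches binaries built for several different CPU architectures from the same server. The log format, the list of architecture suffixes and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of egress log lines from a home gateway (not from the Level 3 report).
# 192.168.1.23 shows the "try every platform build until one runs" pattern;
# 192.168.1.40 fetches two builds 85 minutes apart, which should not fire.
SAMPLE_LOG = """\
2016-09-01T10:00:01 192.168.1.23 GET http://203.0.113.5/bins/node.mips
2016-09-01T10:00:03 192.168.1.23 GET http://203.0.113.5/bins/node.mipsel
2016-09-01T10:00:04 192.168.1.23 GET http://203.0.113.5/bins/node.arm7
2016-09-01T10:00:06 192.168.1.23 GET http://203.0.113.5/bins/node.x86
2016-09-01T10:05:00 192.168.1.40 GET http://example.org/firmware/update.arm7
2016-09-01T11:30:00 192.168.1.40 GET http://example.org/firmware/update.mips
"""

# Filename suffixes treated as architecture tags (assumed list, not from the page).
ARCH_TOKENS = {"arm", "arm5", "arm6", "arm7", "mips", "mipsel", "x86", "x86_64",
               "ppc", "sh4", "m68k", "sparc"}
LINE_RE = re.compile(r"^(\S+) (\S+) GET http://([^/]+)/\S*?\.([A-Za-z0-9_]+)$")

def parse(line):
    """Return (timestamp, src, host, arch) for a GET of an arch-tagged file, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, host, suffix = m.groups()
    if suffix.lower() not in ARCH_TOKENS:
        return None
    return datetime.fromisoformat(ts), src, host, suffix.lower()

def find_multiarch_fetches(log_text, min_archs=3, window=timedelta(seconds=120)):
    """List (src, host, sorted archs) for every src that pulled builds for at least
    min_archs distinct architectures from one host inside a sliding time window."""
    events = defaultdict(list)  # (src, host) -> [(timestamp, arch)]
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            ts, src, host, arch = rec
            events[(src, host)].append((ts, arch))
    alerts = []
    for (src, host), evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            archs = {a for t, a in evs[i:] if t - start <= window}
            if len(archs) >= min_archs:
                alerts.append((src, host, sorted(archs)))
                break  # one alert per (src, host) pair is enough
    return alerts

if __name__ == "__main__":
    for src, host, archs in find_multiarch_fetches(SAMPLE_LOG):
        print(f"{src} pulled {len(archs)} platform builds from {host}: {', '.join(archs)}")
```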

    Definitely, the first step towards building a secure IoT should be to abandon the “everyone can do everything” strategy, where the kettle on your local network has as many rights as you do yourself.

    What else happened

    Another way to exfiltrate data from air-gapped systems, even more convoluted than via fan rotation.

    68 million passwords leaked from Dropbox in 2012 have now surfaced online. The rule of changing passwords at least once every two years is confirmed once again.

    And Opera’s passwords may have leaked.

    Antiquities:

    Family "Datacrime"

    Very dangerous non-resident viruses. When an infected file is launched, they infect, by default, no more than one .COM or .EXE file in the current directory of each available disk. Depending on the timer and their internal counters, they display the text:

    “Datacrime-1168, -1280” - “DATACRIME VIRUS RELEASED 1 MARCH 1989”
    “Datacrime-1480, -1514” - “DATACRIME II VIRUS”

    After that they attempt to format several tracks of the hard disk.

    Quote from the book "Computer viruses in MS-DOS" by Eugene Kaspersky, 1992, page 28.

    Disclaimer: This column reflects only the private opinion of its author. It may or may not coincide with the position of Kaspersky Lab. That's just how it goes.
