Security Week 35: intercepting keyboard via WiFi, attacking ATMs with an EMV chip, new IoT botnet

Interception of keyboard input is gradually becoming my favorite category of information security. I already wrote about the Bastille Networks research series : these guys studied in detail the mechanisms of interaction between wireless mice and keyboards with receivers, and found out that a number of manufacturers are not very good at security. You can recall even more ancient news about intercepting keyboard input using video recording analysis.

I like the fact that they represent (so far) theoretical studies of potential threats to the future. In practice, passwords are stolen by keyloggers, they do this en masse, but this is another topic. A new study ( news and PDF ) of a team of American and Chinese scientists shows how you can intercept keyboard input, having access to low-level data on the work of a Wi-Fi router.

No, well, cool, right? The experts used the usual TP-Link WR1043ND router, and for interception, the router was required to work in WiFi 802.11n / ac standards. Of course, access to the router was required, which, as we know, is easy enough to ensure - because of vulnerabilities, or because of the wrong configuration. By analyzing the data of Channel State Information, they were able to track even small movements in the range of the router. This is all due to the fact that CSI contains data transmission quality data, which are usually used for simultaneous operation of several antennas (MIMO), switching to other frequency ranges and changes in radio signal strength.
')
Insinuations under the cut. All issues of digest - here .

This is what happens if it is very simple. The person (cat, flower pot) moves around the room, which affects the quality of the data transfer. The router analyzes this data in accordance with the standard and modifies the transmission parameters so as to maintain the necessary speed. It turned out that if a person just sits at a computer and types text, the smallest fluctuations of the Channel State Information parameters allow identifying the pressing of a particular key. All in all, that's all. Further the theory breaks about a severe reality, but not completely. First, you need to hack the router - ok, you figure it out, maybe. Secondly, you need to calibrate the system - the researchers suggest doing this, for example, using chat with the user: when on the other side it becomes known which characters are typed, and it becomes possible to compare them with the data from the router.

Target values ​​of parameters depending on which letter is pressed on the keyboard.

Thirdly, anything can bring down fine tuning, even neighbors, even a passing car. Therefore, the study makes a reservation that a successful experiment was conducted under controlled conditions (minimum external factors). The accuracy, however, is phenomenal: 97.5% probability of a successful interception. In real conditions, as the authors suggest, the probability will fall to 77.5%, but this is also quite a lot. Especially if you have the ability to analyze data for a long time, and it exists in such a scenario.

It seems to me that there will be more and more such “discoveries”, and once (not soon), alas, such horror stories will begin to be put into practice. The complexity of computer systems is growing, they are used everywhere and in large quantities, and the number of people who know how it all really works does not increase. In general, there’s no need: long gone are the days when “using a computer” and “programming” meant about the same thing. In addition, a growing amount of information on which you can identify human behavior. New systems are emerging that are able to catch grains of meaning from seemingly complete chaos. Already, "intercepting the keyboard via WiFi" looks weird, but there will be more. Because research and interesting.

Malicious software RIPPER robbing ATMs using prepared EMV chips

News

Last year, the topic of switching to cards with a chip (known as EMV) was widely discussed in the United States to protect against the growing amount of cyber fraud connected with finances. Unlike Russia or Europe, states still use magnetic stripe cards everywhere, and by modern standards this is completely unsafe - it is easy to clone, and to steal information easily, and in general. EMV is still regarded as a reliable technology. This news ... No, this news is not about the fact that EMV was hacked. There is a chance that there was a small step in this direction.

Recently it was reported about a massive attack on ATMs in Thailand, thanks to which a little less than 400 thousand dollars were stolen from them. FireEye researchers suggest that the attack could have been associated with the malware they detected, known as RIPPER. To conduct an attack, it was first necessary to infect an ATM. But the trigger to trigger the malware was a specially prepared chip on the card. That is: insert the card, the malware recognizes it as its own and opens the Holy Grail. The grail was somewhat stingy, and more than 40 bills in one go did not give - the criminals had to run. EMV is the main difference of this attack from similar ones known since 2009, for example, you can read about Skimer .

This example of a financial cyber attack confirms that, on the user side, EMV technology is reliable. But on the side of a retail network or a bank, nuances are possible. The infrastructure of modern payment systems is constantly under attack, and since we are talking about real money, from time to time there are weak spots somewhere along the path of data movement from an ATM or terminal to the bank itself. And another thing: the fact of using a chip means that on that side this technology is actively being tested for weaknesses.

A botnet from hundreds of thousands of vulnerable IoT devices is used for DDoS attacks.

News Level 3 study

The fact that home autonomous devices, such as webcams or digital set-top boxes, are massively hacked and botnets are being actively built on them, this is, unfortunately, not news. It is still debated whether it is possible to classify such devices as the concept of the Internet of Things, but in fact, why not? For me, the future IoT will consist of smaller and more numerous devices, and on different platforms, while web-based network cameras are almost full-fledged computers, most often running on almost full-fledged Linux. The rest of the criteria are met: the owners of these devices consider them as a black box, which is enough to turn on and forget, and do not even think about how their device is protected.


Nevertheless, the study of the Level 3 company amazes with the scope of the discovered botnet family: it is claimed that the organizers of the attack control hundreds of thousands of devices. Some technical details are also interesting, especially in the light of the inevitable zoo of multi-standard IoT devices in the future. It seems like the differences in software and hardware should complicate the work of hackers. But no. First, the study does not pay attention to hacking methods - there is no hacking. Telnet default passwords are our all (but malware is also used). Secondly, an example of the mechanism of loading and launching the "payload" is given. Builders botnet do not bother at all. They start downloading the assembly of their code for different platforms to the new device in turn, until one of them starts up.

Certainly, the first step to building a secure IoT should be the abandonment of the “everything is possible for everyone” strategy - well, when you have the same kettle on the local network as many rights as you yourself.

What else happened

Another way to exfiltrate data from air-gapped systems, but even more confused than through rotation of the cooler.

68 million passwords have flowed away at Dropbox in 2012, and now it has flowed to the network. The rule for changing the password at least once every two years was again confirmed.

And Opera's passwords may have leaked .

Antiquities:

Datacrime Family

Non-resident very dangerous viruses. When you run an infected file, it is standard to infect no more than one .COM or .EXE file in all current directories of all available disks. Depending on the timer and its internal counters, the text is displayed on the screen:

"Datacrime-1168, -1280" - "DATACRIME VIRUS RELEASED 1 MARCH 1989"
"Datacrime-1480, -1514" - "DATACRIME II VIRUS"

And after that they try to format several tracks of the Winchester.

Quote from the book "Computer viruses in MS-DOS" Eugene Kaspersky. 1992 Page 28.

Disclaimer: This column reflects only the personal opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not coincide. Then how lucky.