Hackers mull physical attacks on a networked world



Sporkman
August 11th, 2008, 02:49 PM
http://news.yahoo.com/s/ap/20080808/ap_on_hi_te/tec_hacking_facilities_2


Hackers mull physical attacks on a networked world

By JORDAN ROBERTSON, AP Technology Writer Fri Aug 8, 4:57 PM ET

LAS VEGAS - Want to break into the computer network in an ultra-secure building? Ship a hacked iPhone there to a nonexistent employee and hope the device sits in the mailroom, scanning for nearby wireless connections.

How about stealing someone's computer passwords? Forget trying to fool the person into downloading a malicious program that logs keystrokes. A tiny microphone hidden near the keyboard could do the same thing, since each keystroke emits slightly different sounds that can be used to reconstruct the words the target is typing.

Hackers at the DefCon conference here were demonstrating these and other novel techniques for infiltrating facilities Friday.

Their talks served as a reminder of the danger of physical attacks as a way to breach hard-to-crack computer networks. It's an area once defined by Dumpster diving and crude social-engineering ruses, like phony phone calls, that are probably easier to detect or avoid.

As technology gets cheaper and more powerful, from cell phones that act as personal computers to minuscule digital bugging devices, it's enabling a new wave of clever attacks that, if pulled off properly, can be as effective and less risky for thieves than traditional computer-intrusion tactics.

Consider Apple Inc.'s iPhone, a gadget whose processing horsepower and cellular and wireless Internet connections make it an ideal double agent.

Robert Graham and David Maynor, co-founders of Atlanta-based Errata Security, showed off an experiment in which they modified an iPhone and sent it to a client company that wanted to test the security of its internal wireless network.

Graham and Maynor programmed the phone to check in with their computers over the cellular network. Once inside the target company and connected, a program they had written scanned the wireless network for security holes.

They didn't find any, but the exercise demonstrated an inexpensive way to perform penetration testing and the danger of unexpected devices being used in attacks. If they had found an unsecured router in their canvassing, they likely would have been able to waltz inside the corporate network to steal data.

To keep the phone running, the researchers latched on an extended-life battery that lasts days on end. But they only really need a few minutes inside a building to test the network's security.

"It's like saying, once you get into Willy Wonka's Chocolate Factory, and you're in the garden where everything's edible, you have it all," Graham said in an interview.

The attack won't work, of course, if a company's wireless network is properly secured. In that case, Graham and Maynor said there's likely no big loss: the package that had been sitting in the mailroom would probably be mailed back to them so they could try it again elsewhere.

Another talk focused on new twists to Cold War-era espionage tactics that could allow criminals to sidestep the locks on computer networks.

Eric Schmiedl, a lock-picking expert and undergraduate at the Massachusetts Institute of Technology, outlined several surveillance methods long used by government intelligence agents that have become more accessible to garden-variety criminals because of the falling price of the technologies.

For example, Schmiedl said even low-budget criminals now have a way to eavesdrop on conversations through a window. It involves bouncing a beam from a laser pointer off the glass and through a light sensor and audio amplifier.

If the people inside the room are close enough to the window, their conversation creates vibrations that the equipment can translate into a crude reconstruction of the conversation, Schmiedl said.

"We're burning the candle at both ends," he said. "The technology is becoming easier and cheaper and anybody can do it. And at the same time there's more incentive now to do it. These are two trains on a collision course. The question is when they're going to collide."

DeadSuperHero
August 11th, 2008, 05:30 PM
Well, at least hackers are getting more practical.

mips
August 11th, 2008, 06:42 PM
How about stealing someone's computer passwords? Forget trying to fool the person into downloading a malicious program that logs keystrokes. A tiny microphone hidden near the keyboard could do the same thing, since each keystroke emits slightly different sounds that can be used to reconstruct the words the target is typing.

That sounds like a load of BS to me. It's not like keyboards emit DTMF tones or something.

TimboUK
August 11th, 2008, 07:37 PM
The keyboard idea I think is just fantasy. Considering that even if the keys did emit a slightly different sound due to pressure on the plastic of the keys, it would be different for every keyboard.

The thing about the hacked iPhone is silly as well. In most cases, if the wireless network could be accessed from the postroom, I guess it would be accessed from outside as well.

I don't believe any of it for one minute. It's fantasy.

Thanks though to the original poster for sharing the link though!

MaxIBoy
August 11th, 2008, 07:41 PM
Actually, it's safer to send in an iPhone than it is to hang out outside the building with a laptop. You could get photoed by security cameras, which would be checked if an intrusion was detected.

Nepherte
August 11th, 2008, 07:41 PM
The keyboard thing is no fantasy at all. This was a former project subject you can get in one of the year courses here at the department of Computer Science Engineering at the University of Leuven, Belgium. I'm not sure about the accuracy, but I heard they did it pretty well.

MaxIBoy
August 11th, 2008, 07:49 PM
And even if every keyboard's unique, there's a pretty easy way to get a feel for it. Ask someone to send you an email (the longer the better) about any topic. Meanwhile, you record them typing.

Later, you can compare the sounds to the email.

mips
August 11th, 2008, 07:52 PM
The keyboard thing is no fantasy at all. This was a former project subject you can get in one of the year courses here at the department of Computer Science Engineering at the University of Leuven, Belgium. I'm not sure about the accuracy, but I heard they did it pretty well.

I would really appreciate more information on that. As far as I'm concerned all my keys sound the same when I press them.

Nepherte
August 11th, 2008, 08:03 PM
Well, as I said before, I never had that project. All I know is that it has to do with spectral analysis of the recorded sound signal of the different keys. Trust me on this one if I tell you you can't hear the difference. For example, you can't hear sounds that have a frequency of 20.000Hz, but they are still there. It's the same thing with dogs for example, they just hear better. We don't hear it, but that doesn't mean it isn't there.

TimboUK
August 11th, 2008, 10:16 PM
Actually, it's safer to send in an iPhone than it is to hang out outside the building with a laptop. You could get photoed by security cameras, which would be checked if an intrusion was detected.

Ok then, put it in a bush or bin outside (If you wanted to be clever you could hand it in at reception and say you think an employee dropped it). I'd be surprised if any major company (or company viable to a hacker) would be silly enough to have an insecure wifi anyway. As I said before the WIFI issue is creeping into insurance policies. I really can't see why someone would go to a lame (and expensive) extreme on the off chance someone forgot to secure the WIFI.

and to quote the person who said "This was a former project subject you can get in one of the year courses.."
Yes and I wonder why? Money can be made with silly courses and theories like this. Just because it's worth money to someone to talk this dribble doesn't mean it's right. Talking of courses, you can do one in Star Trek, does that mean Star Trek is fact as well?

Polygon
August 11th, 2008, 10:31 PM
i call bs on the keyboard thing as well. there is no way the 86+ keys on a keyboard all emit a consistently different sound from all the other different keys. and then i bet different keyboards sound different than other ones, so even if they did, you would have no way to know which sounds go to which key

fatality_uk
August 11th, 2008, 10:45 PM
Or alternatively, get the name of one of the directors of a small to mid size business with a receptionist. Walk in there just before lunch. Pull out your laptop, drop in to the desk in front of them and say Mr. <Insert directors name> sent you to look at your PC and telephone system which has been playing up and you are from "Bogus PC systems".

Just ask for their login details. 5/10 times they will give it to you! Once you got it, pretend phone calls draw you away ;)

DeadSuperHero
August 11th, 2008, 11:17 PM
i call bs on the keyboard thing as well. there is no way the 86+ keys on a keyboard all emit a consistently different sound from all the other different keys. and then i bet different keyboards sound different than other ones, so even if they did, you would have no way to know which sounds go to which key

It's not impossible. One could calculate the difference in volume to the distance of the keys from the microphone.

TimboUK
August 12th, 2008, 12:15 AM
It's not impossible. One could calculate the difference in volume to the distance of the keys from the microphone.

And how would a hacker be able to predict how far their covert microphone would be from the keyboard? Even if it was possible to measure the sounds from individual keys what about different users applying different pressures as per their typing style?

Even if you had the same user, same keyboard and a set place for the microphone to record, these "experts" are forgetting that a keyboard is made of plastic. What does plastic do at different temperatures? I'm sure I don't need to tell you. Suffice to say a change in temperature would alter this frequency and render this "magical" device useless. The only way I could see this "theory" having partial success would be under strict controlled conditions, which in itself would render it a useless tool to any hacker.

I can't believe anyone would entertain this insane notion, and it just goes to show you can make money from talking rubbish as long as your audience don't have the scientific or computer knowledge to know any better.

I think I'll start a series of seminars on the internet becoming self aware...oh no I can't, they did it on Terminator 3. Give me a few hours and I'll come up with a theory silly enough to talk about at a conference, if I can get the same audience that attended the above lectures, I'll make a fortune.

Sporkman
August 12th, 2008, 12:19 AM
so even if they did, you would have no way to know which sounds go to which key

You could infer it by taking into account the frequency of certain letters & punctuation in the English language. That's one method used in cracking cryptographic codes, for example.

TimboUK
August 12th, 2008, 12:24 AM
You could infer it by taking into account the frequency of certain letters & punctuation in the English language. That's one method used in cracking cryptographic codes, for example.

Yes you could, though it would depend on many events happening as planned. You have the different typing styles of users (I type by having my fingers resting on the home keys as I type, so when my fingers move I am scraping over other keys before I hit the one I want.)

I also have a friend that types by hammering the keys individually with one finger. There are far too many permutations to take into account. As I say in my previous post, under extreme controlled conditions, you may get some success, but in the real world and as a tool that a hacker could exploit, it's absolute rubbish.

Dr Small
August 12th, 2008, 01:28 AM
In reply to the keyboard hack, it's not so much as frequency and sound as it is spacing between keys. First off, if it was me who was recording the sound, when I play it back (and let's say the person typed a password to enter the system, for instance) I would count the characters.

Now, subtract one for the enter key. You now have the length of the password. Depending upon the keyboard layout, memorize it. Next, listen to the keystrokes and the spacing between them. Given enough time and thought along with attempts, one can crack the password on sound alone.

I have done it, although I was beside the person when they typed it. I saw the first letter, counted the keypresses in my head, subtracted one, then had a rough guess at what it was. I eventually cracked it.

I would not base it so much off of frequency levels as much as movement and timing.

the yawner
August 12th, 2008, 02:22 AM
It's not impossible. One could calculate the difference in volume to the distance of the keys from the microphone.

That's what I thought when I read the article. You don't have to identify the exact sound of each key. Just check if the key pressed is nearer the mic or not. You could probably divide the keyboard area to at least three zones and guess which key was pressed per zone. That would decrease the number of guesses needed to say, guess a 6-character password.

hvac3901
August 12th, 2008, 03:31 AM
Yeah I met a contractor through a conference related to work that did work for the Center for Disease control on a long term basis. He....... well he worked for the CDC in a building that was 70% underground (did you think of resident evil, cause i did when i saw the lay out), no lie. To log into the critical level of his network required a three level login, two web based logins one within the other, and the third has a username / pass combo, topped with a pin code that is updated every three minutes and sent to a pager like device, you don't know the code that lives for 3 minutes, and you don't get access. That's pretty secure, would take some really thoughtful process to hack that.

Dr Small
August 12th, 2008, 03:51 AM
Yeah I met a contractor through a conference related to work that did work for the Center for Disease control on a long term basis. He....... well he worked for the CDC in a building that was 70% underground (did you think of resident evil, cause i did when i saw the lay out), no lie. To log into the critical level of his network required a three level login, two web based logins one within the other, and the third has a username / pass combo, topped with a pin code that is updated every three minutes and sent to a pager like device, you don't know the code that lives for 3 minutes, and you don't get access. That's pretty secure, would take some really thoughtful process to hack that.
If you could invent a pager sniffer to read the frequencies, then you could probably get the 3 minute access code.

hvac3901
August 12th, 2008, 04:06 AM
If you could invent a pager sniffer to read the frequencies, then you could probably get the 3 minute access code.

yes but you would first have to know that was the source of the three minute code. or rather that was the information that entry block was looking for, else it just looks like a pin code.
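The three-minute code discussed in the posts above, sketched from the server's side as an added example (not code from the thread or from any system it describes). It assumes the code is derived TOTP-style (RFC 4226 HOTP over a 180-second time window) and is six digits long; the posts only say that it changes every three minutes. The secret and timestamps are constructed test values.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 180  # the three-minute lifetime mentioned in the post
DIGITS = 6          # assumed code length; the post does not give one


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def code_at(secret: bytes, now: float) -> str:
    """Code shown on the token during the 180-second window containing `now`."""
    return hotp(secret, int(now) // STEP_SECONDS)


class Verifier:
    """Server-side check: current window only, single use, attempt lockout."""

    def __init__(self, secret: bytes, max_failures: int = 5):
        self.secret = secret
        self.max_failures = max_failures
        self.failures = 0
        self.last_used_window = -1

    def verify(self, submitted: str, now: float) -> str:
        if self.failures >= self.max_failures:
            return "locked"  # stops guessing through the 10**6 code space
        window = int(now) // STEP_SECONDS
        expected = hotp(self.secret, window)
        # Constant-time comparison so timing does not leak matching digits.
        if not hmac.compare_digest(expected.encode(), submitted.encode()):
            self.failures += 1
            return "wrong-or-expired"
        if window <= self.last_used_window:
            return "replayed"  # an overheard copy of a code that was already used
        self.last_used_window = window
        self.failures = 0
        return "ok"


def demo() -> list:
    """Owner logs in, then the same code is presented again twice."""
    secret = b"12345678901234567890"  # RFC 4226 test secret, not a real key
    verifier = Verifier(secret)
    code = code_at(secret, 0)  # constructed clock: window 0 starts at t=0
    return [
        verifier.verify(code, 10),                # owner, inside the window
        verifier.verify(code, 20),                # same code again, same window
        verifier.verify(code, STEP_SECONDS + 1),  # same code, next window
    ]


if __name__ == "__main__":
    print(demo())
```

A captured code that reaches the server before its owner uses it would still pass this check, which is why the login in the post layers it on top of a username and password.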

starcannon
August 12th, 2008, 05:31 AM
The keyboard idea I think is just fantasy. Considering that even if the keys did emit a slightly different sound due to pressure on the plastic of the keys, it would be different for every keyboard.

The thing about the hacked iPhone is silly as well. In most cases, if the wireless network could be accessed from the postroom, I guess it would be accessed from outside as well.

I don't believe any of it for one minute. It's fantasy.

Thanks though to the original poster for sharing the link though!

Basic code cracking skills could help you figure out what each key meant though. After listening to a few emails being typed it would probably be fairly easy to get an audio map of the keyboard.

Nepherte
August 12th, 2008, 12:00 PM
and to quote the person who said "This was a former project subject you can get in one of the year courses.."
Yes and I wonder why? Money can be made with silly courses and theories like this. Just because it's worth money to someone to talk this dribble doesn't mean it's right. Talking of courses, you can do one in Star Trek, does that mean Star Trek is fact as well?
Fair enough. I rate a 5 year university computer science engineering study a little more than Star Trek. Besides, you don't pay for the course, but for the whole study. They didn't mention such projects when you applied at the university either. But hey, if it works for you, fine by me. It just shows how much you know about signal processing. It's based on the same principle of voice recognition: what syllable, is it a man or woman, what dialect, and so on...


If you could invent a pager sniffer to read the frequencies, then you could probably get the 3 minute access code.
That's how those students did it. Your way works too it appears :) Anyways, both methods aren't really viable. As you said, you need to sit next to the typer. We have to get decent sound recordings with as little noise as possible.

TimboUK
August 17th, 2008, 09:58 PM
[QUOTE=Nepherte;5573032]Fair enough. I rate a 5 year university computer science engineering study a little more than Star Trek. Besides, you don't pay for the course, but for the whole study. They didn't mention such projects when you applied at the university either. But hey, if it works for you, fine by me. It just shows how much you know about signal processing. It's based on the same principle of voice recognition: what syllable, is it a man or woman, what dialect, and so on...[/QUOTE]


Firstly I'd have hoped that if, as you imply, you have studied for 5 years, you would have realised that my posts were not knocking uni courses per se. Just particular modules or lectures. Did you not know you could study Star Trek as a degree? I too have studied for 4 years with a degree covering theoretical physics and software engineering. Now let's move on to this signal processing that you mention.

I resent the implication that I had not grasped the simple theories of signal processing and, if you read my posts you will see that my whole argument on the viability of the theory was based on the presumption that a hacker could realistically use it as a tool to retrieve information.

In that respect it is impractical and prone to many problems of environment (the software that would "learn" the frequencies of the keys would change, depending on user, temperature, distance from keyboard, mic environment). If you have studied a science, surely you can see that unless the environment was controlled, it would be impractical as a hacking tool. It's a silly idea, and the people who have bought this idea seem to forget that if a hacker could get a microphone near to a keyboard to record keystrokes, why not save themselves the bother and either install a USB key logger or a simple TSR made in assembly?

Coincidentally enough, I have, in the last few years had experience in signal processing. The project I was working on was controlling hardware that responded to people with communication difficulties, so I have a little more than a "passing knowledge".

original_jamingrit
August 17th, 2008, 10:49 PM
The keyboard thing is actually pretty old. Groups of similar sounding keys are compared, and assuming you know what language is being typed, it's possible to figure out which keys are being used. But it has more to do with the keys hitting the rubber membrane at the bottom of most keyboards, rather than the keys by themselves clicking. There's a lot of math involved, it's very difficult to get a setup without being noticed. Listening doesn't need to be expensive, but it's still very trivial to protect against (setting your keyboard on a fabric or rubber mat is good enough).

Discussed here: http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci963348,00.html
Briefly discussed here: http://www.grc.com/sn/sn-006.txt (see also http://www.grc.com/securitynow.htm)
Or do a google search for 'keyboard eavesdropping'

TimboUK
August 17th, 2008, 11:00 PM
The keyboard thing is actually pretty old. Groups of similar sounding keys are compared, and assuming you know what language is being typed, it's possible to figure out which keys are being used. But it has more to do with the keys hitting the rubber membrane at the bottom of most keyboards, rather than the keys by themselves clicking. There's a lot of math involved, it's very difficult to get a setup without being noticed. Listening doesn't need to be expensive, but it's still very trivial to protect against (setting your keyboard on a fabric or rubber mat is good enough).

Discussed here: http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci963348,00.html
Briefly discussed here: http://www.grc.com/sn/sn-006.txt (see also http://www.grc.com/securitynow.htm)
Or do a google search for 'keyboard eavesdropping'

Completely agree, and this is the point that some seem to have missed. From the point of view of a hacker it's a completely impractical way of obtaining information. There are also other factors to consider:

1. The fact that the mic must be sensitive to record the keyboard noise, but not any other office noises. (I'd love to see the software filter for that, especially since in our office there is a keyboard about every 2 foot.)

2. It does not account for the fact that your keyboard rarely stays in exactly the same place, therefore distance will change throughout the monitoring.

3. It does not account for the fact that different users will use the keyboard, and presumably if they are striking the keyboard in a different way, the mic and associated software would have to dynamically alter its filter to make accommodation in different volume levels.

This is what I was trying to get over to the poster Nepherte, true, in controlled conditions this is possible. As a hacking tool, absolutely useless.

original_jamingrit
August 17th, 2008, 11:14 PM
It definitely appears pretty silly, but it is still possible. That's what security is about. Anything that's possible in theory is a security threat. People just tend to get too worked up over security threats, whether they're educated on the subject or not.

I think it's kind of just human nature. When you're a child, there's a monster under your bed. When you're an adult, the monster is listening to your keyboard with a laser, using your window as an acoustic pickup :-P

TimboUK
August 17th, 2008, 11:35 PM
It definitely appears pretty silly, but it is still possible. That's what security is about. Anything that's possible in theory is a security threat. People just tend to get too worked up over security threats, whether they're educated on the subject or not.

I think it's kind of just human nature. When you're a child, there's a monster under your bed. When you're an adult, the monster is listening to your keyboard with a laser, using your window as an acoustic pickup :-P

:) and people also seem to be able to make convincing lectures out of it as well. Let us not forget the Y2K bug, that was the day the earth was going to stop. When it didn't who was sillier, the people who made a mint with their wild theories or the people who were suckered into them?

Nepherte
August 18th, 2008, 11:58 AM
[..]

I resent the implication that I had not grasped the simple theories of signal processing and, if you read my posts you will see that my whole argument on the viability of the theory was based on the presumption that a hacker could realistically use it as a tool to retrieve information.

[..]

Coincidentally enough, I have, in the last few years had experience in signal processing. The project I was working on was controlling hardware that responded to people with communication difficulties, so I have a little more than a "passing knowledge".
First of all, I'd like to say that I did not want to offend you, or imply that you didn't grasp theories of signal processing (because if so, who cares. There are so many study objects, you can't cover them all. I certainly can't). I reckon we can continue this conversation in a civilized way.



In that respect it is impractical and prone to many problems of environment (the software that would "learn" the frequencies of the keys would change, depending on user, temperature, distance from keyboard, mic environment). If you have studied a science, surely you can see that unless the environment was controlled, it would be impractical as a hacking tool. It's a silly idea, and the people who have bought this idea seem to forget that if a hacker could get a microphone near to a keyboard to record keystrokes, why not save themselves the bother and either install a USB key logger or a simple TSR made in assembly?
I can do nothing but agree that it is very impractical and only possible in a controlled environment. The point I was trying to make is that it is possible to do so, not that it was practical. I guess I should have stressed that part a little more.


and people also seem to be able to make convincing lectures out of it as well. Let us not forget the Y2K bug, that was the day the earth was going to stop. When it didn't who was sillier, the people who made a mint with their wild theories or the people who were suckered into them?
Unfortunately there are indeed some people trying to persuade others into believing that this (the whole micro thing recording the keys) is a threat. Personally I believe the ones with the wild theories are to blame, not the ones who sucker into them. Why blame them because of their not knowing, while the persuaders know most of the time very well how untrue their stories are.

TimboUK
August 18th, 2008, 06:37 PM
I thought I'd respond again after Nepherte was kind enough to post. I have read my posts and the thread as a whole and believe I came across as rude. Nepherte, I apologise, this was not my intention.

The Ubuntu forums are very different to most, in that the majority of Ubuntu users are educated and/or articulate people (there doesn't seem to be the silly behaviour as in other forums). I believe I got carried away, with a topic that I find interesting (hacking) with a fellow graduate (Nepherte). I'm sure Nepherte will agree that uni debates would get heated sometimes! I hope nobody was offended.

Thanks for an interesting debate.

Regards.

Timbo.

adamogardner
August 18th, 2008, 07:31 PM
my mic is built into my laptop. hack that and you've eliminated the distance variable. (note: I'm not actually inviting you to hack my microphone)
two ears are what pinpoint location

TimboUK
August 18th, 2008, 11:10 PM
my mic is built into my laptop. hack that and you've eliminated the distance variable. (note: I'm not actually inviting you to hack my microphone)
two ears are what pinpoint location

Yes, but you could argue that if I'd hacked your mic, I'd already have enough control over your PC to be able to get the data I needed. Also I'd like to know the range of frequencies an internal (and often cheap) mic would be able to record. In addition if your mic is located in the LCD area of your laptop, as you know the screen can be moved back and forward to personal preference, that could also alter the conditions in which the mic was recording.

I personally think that these theories are like aliens in area 51, there's plenty of theories, though it's never been proved in real life. - Maybe that's a conversation for an off-topic chat thread?!?

I think the biggest threat to computer security is complacency on behalf of the user, i.e. obvious passwords, not taking time to hide your entering the password, spoof login screens, spoof WIFI access points, same passwords for multiple sites, the list goes on. The only way to prevent your computer being hacked is to disconnect it from any network and remove your WIFI or similar (and carry your PC around with you 24-7).

sydbat
August 18th, 2008, 11:46 PM
All this talk of listening to keys to get passwords makes me want to write a script for Hollywood and make a movie/TV show that people will watch and say "You know, all that stuff is real"...