Hackers mull physical attacks on a networked world

Aug. 11, 2008
At DefCon conference, hackers share tips on facility infiltration

LAS VEGAS -- Want to break into the computer network in an ultra-secure building? Ship a hacked iPhone there to a nonexistent employee and hope the device sits in the mailroom, scanning for nearby wireless connections.

How about stealing someone's computer passwords? Forget trying to fool the person into downloading a malicious program that logs keystrokes. A tiny microphone hidden near the keyboard could do the same thing, since each keystroke emits slightly different sounds that can be used to reconstruct the words the target is typing.

Hackers at the DefCon conference here were demonstrating these and other novel techniques for infiltrating facilities Friday.

Their talks served as a reminder of the danger of physical attacks as a way to breach hard-to-crack computer networks. It's an area once defined by Dumpster diving and crude social-engineering ruses, like phony phone calls, that are probably easier to detect or avoid.

As technology gets cheaper and more powerful, from cell phones that act as personal computers to minuscule digital bugging devices, it's enabling a new wave of clever attacks that, if pulled off properly, can be as effective and less risky for thieves than traditional computer-intrusion tactics.

Consider Apple Inc.'s iPhone, a gadget whose processing horsepower and cellular and wireless Internet connections make it an ideal double agent.

Robert Graham and David Maynor, co-founders of Atlanta-based Errata Security, showed off an experiment in which they modified an iPhone and sent it to a client company that wanted to test the security of its internal wireless network.

Graham and Maynor programmed the phone to check in with their computers over the cellular network. Once inside the target company and connected, a program they had written scanned the wireless network for security holes.

They didn't find any, but the exercise demonstrated an inexpensive way to perform penetration testing and the danger of unexpected devices being used in attacks. If they had found an unsecured router in their canvassing, they likely would have been able to waltz inside the corporate network to steal data.

To keep the phone running, the researchers latched on an extended-life battery that lasts days on end. But they only really need a few minutes inside a building to test the network's security.

"It's like saying, once you get into Willy Wonka's Chocolate Factory, and you're in the garden where everything's edible, you have it all," Graham said in an interview.

The attack won't work, of course, if a company's wireless network is properly secured. In that case, Graham and Maynor said there's likely no big loss: the package that had been sitting in the mailroom would probably be mailed back to them so they could try it again elsewhere.

Another talk focused on new twists to Cold War-era espionage tactics that could allow criminals to sidestep the locks on computer networks.

Eric Schmiedl, a lock-picking expert and undergraduate at the Massachusetts Institute of Technology, outlined several surveillance methods long used by government intelligence agents that have become more accessible to garden-variety criminals because of the falling price of the technologies.

For example, Schmiedl said even low-budget criminals now have a way to eavesdrop on conversations through a window. It involves bouncing a beam from a laser pointer off the glass and through a light sensor and audio amplifier.

If the people inside the room are close enough to the window, their conversation creates vibrations that the equipment can translate into a crude reconstruction of the conversation, Schmiedl said.

"We're burning the candle at both ends," he said. "The technology is becoming easier and cheaper and anybody can do it. And at the same time there's more incentive now to do it. These are two trains on a collision course. The question is when they're going to collide."

Copyright 2008 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.