Asher Dahan, creator of Block Ransomware was recently featured in the Journal of Cyber Policy. You can read the post in its entirety on the Journal of Cyber Policy website. The post from the Journal of Cyber Policy on hardware vulnerabilities has been re-posted below:
Are there hardware vulnerabilities in the electronics used by the U.S. Cyber Command? That is the question I posed to several cyber security experts. Having read recently on Business Insider that computer monitors present an unexpected and often overlooked exposure to risk, I wondered what experienced security professionals would make of the image shown here. It’s a shot of the Cyber Command’s 624th Operations Center, which is where the Air Force conducts cyber ops.
A Shocking Photo
Several people told me I was irresponsible for even asking this question in public—that I should think twice before circulating such a photo. I understand the concern, but I am not the one who published it. The photo was posted on Military.com.
Still, the photo shocked several of my experts. Asher Dahan, CEO of Block Ransomware, commented, “It is a bit concerning to me coming from the Israeli military that in the US it is legal and allowed to take picture of Cyber security room and personnel. In Israel you will find your place in jail for taking such pictures (all cameras disabled within security zones), and it will not make it to the web.”
Do COTS Products in the Military Have Hardware Vulnerabilities?
Are “Commercial Off the shelf” (COTS) hardware products risky for the military? Ondrej Krehel, CEO and Founder of LIFARS spoke to such potential hardware vulnerabilities, saying, “Since most of the manufacturing is conducted overseas, it is very unclear who screens electronic boards of these devices before they reach the customer. Just look at the hard disk drives. The NSA has ways to include malicious spying code embedded into the electronic chip.” Krehel also expressed concern about the software layer, citing an episode where Lenovo malware from Nation State actors was manipulated to spy on the end consumer.
According to David Dingwall, Senior Cybersecurity Strategist at HelpSystems, there is a risk, but it’s not very significant. He said, “Most of the hack possibilities are physical. If the hacking (country/organization) was willing to take time over months the best methods of attack is to pollute the inbound and outgoing logistics chain of replacement desktop devices. The photo shows a lot of consistency of equipment on all the desks, and the military have long multi-year procurement contracts requiring like-for-like replacements.”
Dingwall added, “Since this is a cyber-operations center, all devices’ screens, mice, keyboards, phones are attached with wires. My working assumption is staff are monitored to not bring in cell phones, or anything in their pockets, and random searches are carried out. Hacking live data in transit is therefore unlikely.”
That said, he was concerned about data storage, pointing out that keyboards have voids for more memory. He also noted that corrupted wiring could harvest mouse movement patterns, key tapping and pacing patterns on keyboards identifying biometric information about center staff that may be used elsewhere. Such an attack would require a custom hardware insert inside the device, or cable plugs. It is feasible, but it would take physical access to the site, or more likely the warehouse holding replacement equipment. Dingwall was concerned to facilitate swap in and out, however that “corrupted devices may be programmed to ‘fail’ with an intentionally higher failure rate than normal” and “swapping out devices may put the hacked device back in a less secure area for harvesting.”
Asher Dahan also pointed out that hacking a monitor like the ones shown in the photo require physical access to the device. The attacker would have to penetrate the monitor via the USB connector or to the HDMI connector in order for them to inject new code and reprogram firmware. Referencing the Business Insider article about monitor vulnerabilities, Dahan did express alarm that “the controller has no security to protect it from programing with anything one wish if they can reach the USB port.”
Physical Access Is Required to Hack This Hardware
Given that physical access is needed to hack the monitors or other devices in the photo, the risk to the Cyber Command is probably low. Still, with the potential vulnerabilities in the circuitry, it would seem that vigilance is required when dealing with foreign-made electronics in a sensitive national security context. With the volumes of hardware involved, it might be possible to miss a threat give the ratio of to signal to noise.