Your printer may betray you

A recent story making the rounds tells about how an NSA contractor got caught leaking classified information to the media. The contractor wanted to give information in one or more PDF documents to an online publication (The Intercept). She could have just emailed the PDFs, but she was probably worried that the PDFs might contain some metadata that could link the documents back to her. So she printed the PDF files, scanned the printouts with a desktop scanner, probably destroyed the printouts, and then emailed the scanned pages.

It turns out that many modern printers add little yellow dots to every page they print. If you know how to read them, the dots identify the type of printer, the printer’s serial number, and the date and time the document was printed. The dots are hard for people to see, but the contractor’s scanner was sensitive enough to image them.

So when The Intercept sent some of the scanned pages to the NSA asking them to verify the authenticity, the NSA just had to read the dots, identify the printer, and look in server logs to see who used that printer at the time the dots indicated. They arrested the contractor, and a conviction will probably put her in prison for several years.

To me this is reminiscent of typewriter forensics, like how they convicted Ted Kaczynski (search that linked page page for Unabomber). The FBI had a copy of Kaczynski’s typewritten manifesto. He’d used an old typewriter, the kind where the little arms with the embossed letters strike an ink ribbon to mark the paper. The FBI were able to match those pages to the typewriters they found in Kaczynski’s cabin.

It’s easy to see how this kind of trick could be useful to your character. She could do something like what the NSA did and trace a printout back to a person. Or she might print something on someone else’s printer to incriminate the printer’s owner of something.

Recent ransomware campaign

I’ve been trying to come up with an interesting way to tie this weekend’s worldwide ransomware attack into fiction, but I’m coming up short. Maybe it’s just too depressing. It just seems like a bunch of uninspired jackasses trying to steal money.

This malware is a bit more sophisticated than most, in that in comes in on email, a user clicks it and runs it (thinking it’s a link to a cat video or some damn thing), and then it spreads via file-sharing protocols to all the PCs on the local network, laughing at perimeter firewalls as it encrypts everyone’s files. For you sportsball fans, this is like the quarterback doing a fake to get the golden snitch past the goalie before the shortstop even hears the starter pistol. That’s called a slam dunk, friends.

The story has a couple of interesting points. It seems there was an ill-conceived but convenient kill switch. And it looks like this was a known vulnerability hoarded by the US government, so thanks for that, guys.

British hospitals seem to have been hit particularly hard, so much so that some have had to turn away patients. Pretend you’re a hospital that years ago purchased an expensive MRI machine operated by software that only runs on Windows XP. The company that sold the device and the software has long since gone out of business, so there’s no way to migrate to a supported operating system. People still need MRIs, so it’s not like you can just not use the thing. That kind of thing is likely why Microsoft released a patch for some of the legacy versions of Windows, so that was right neighborly of them.

This is a good reminder to run updates on your computers. All of them.

You can’t trust what’s on TV

A fellow named Rafael Scheel recently published some interesting research about hacking smart TVs. He discovered a way to use $150 worth of radio transmitter equipment to send signals to a smart TV. He combined this with a couple of other exploits (one involving the Adobe Flash player, one involving JavaScript, both supported by the web browser on the TV) to load malware on the TV.

Scheel’s attack in interesting, because it doesn’t require physical access to the TV, it’s virtually undetectable, and it’s very hard to remediate once exploited.

Imagine your book’s character parking her car outside her target’s business or residence, turning on her laptop, attaching a special transmitter, and tricking all the smart TVs in the area to upload an exploit. Then she could do any of several things:

  • use the TV’s wireless connection to attack other targets on the same network

  • join the TVs to a botnet to attack a web site

  • mine some bitcoins

  • capture audio using the TV’s voice control feature

Smart TVs are probably like most Internet of Things (IoT) devices. The manufacturer happily staples on all these features to add value but then falls short in addressing security problems discovered later. Have you ever heard of anyone applying a firmware update to a TV? My TVs are a few years old, making them somewhat antiquated. So maybe TV firmware updates are commonplace, but somehow I doubt it.

Do you have a smart TV? Is it connected to the internet?

Hacking medical devices

Stories about medical devices have come across my news feeds a few times in the last couple of months. Dutch security researchers found that they were able to hack several implantable medical devices.

implantable medical device, much smaller than a nearby writing pen

What’s interesting here is that the researchers were able to do this using a black-box approach: they just used radio equipment to eavesdrop on wireless signals between the implantable devices and the equipment used to maintain and control those devices. The researchers weren’t privy to the communication protocols the vendors use to control the devices, but the researchers were able to reverse-engineer these protocols and then send command signals of their own. These protocols typically used poorly-implemented encryption or no encryption at all.

The equipment the researchers used doesn’t come cheap, nor does the researchers’ expertise. Still, this makes it at least theoretically possible to do several things regarding devices like these:

  • Track the patient’s movements.
  • Trigger potentially fatal shocks in defibrillators and pacemakers.
  • Prevent a medical device from providing treatment.
  • Disable a device’s power-saving mode, causing its battery to drain too fast.

This isn’t entirely theoretical. Research like this has compelled at least one vendor to provide software upgrades to minimize these shortcomings. That’s probably an imperfect solution, but there are obviously some complications in providing firmware upgrades for already-deployed devices.

And in a case that’s presenting some interesting privacy questions, police arrested and indicted a man on charges of arson and insurance fraud. They used data from the suspect’s heart monitor as evidence that he set fire to his own house to collect the insurance money.

The radios in these implantable devices have a pretty short range, just around five meters. So your story’s character couldn’t run exploits like these from a great distance, but it provides some interesting possibilities.


Photo credit to ec-jpr for VVIR leadless St Jude Medical pacemaker

Physical access

You can do a lot if you have physical access to a computer.

Stealing login sessions with PoisonTap

PoisonTap is a pocket-sized Raspberry Pi device that you can plug into a computer’s USB port. It impersonates a new wired network connection and responds to outbound HTTP traffic. If the computer’s user is logged on to any of an extensive list of popular web sites, PoisonTap is able to capture the cookies and write them to a text file on the USB device.This works even if the screen is locked.

If your character needs to gain access to someone’s online accounts, your character could follow her target to the coffee shop, wait for the target to go to the bathroom, plug this device into the target’s computer for a minute, and be gone before the victim knew what was happening. If the target happened to be logged on to the online resource your character needs to access, she’ll have the session IDs on the USB drive. She may need to hurry: those session IDs will become invalid as soon as the target logs out of those web sites.

Reading the MacOS FileVault2 password with PCILeech

This is a vulnerability that Apple patched just this month, so it wouldn’t work on a real-world Mac running Sierra v10.12.2 or better. But Macs were vulnerable to this particular exploit for more than four months.

PCILeech refers to a mix of hardware and software that your character could use to break in to an unpatched Mac. The video shows using a laptop attached to the device that your character would plug into the target Mac. (Maybe it would be possible to use something smaller, like a tablet or a Raspberry Pi or Arduino.)

PCILeech is able to recover the FileVault2 password from the Mac’s memory after rebooting the Mac. Once your character has the FileVault password, she has full access to the Mac. This will work even if the Mac is locked with a screensaver or hibernating, but it won’t work if the Mac is completely powered off. And the target might notice that his Mac rebooted.

USB kill stick

And if your character just wants to destroy a target device, there’s the USB kill stick. It’s a USB device that looks like a harmless thumb drive. It has several capacitors that start drawing power as soon as it’s plugged in. When the capacitors are charged (which appears to take no time at all), the kill stick rapidly discharges the capacitors right back into the port. Some devices have hardware protection against this, but many do not. The video on the page shows the researcher plugging the stick into several devices, frying many of them. It makes a lovely noise when that happens.

Conclusion

I bet you think twice about leaving your laptop unattended. Remember to…

  • RUN YOUR OPERATING SYSTEM UPDATES!!!!!
  • Hope that your favorite devices have overvoltage protection
  • Never, ever use the Internet for anything

 

Phishing can be effective

Have you ever gotten an email that looks real but feels wrong, an email trying to get you to click a link in the body of the message? It may have been a phishing attack, and that sort of thing is becoming more and more common.

Fish, which sounds like phish, and has nothing to do with phishing

A typical phishing attack email is a message that tells you that there’s something wrong with one of your online accounts and that you need to click a link and log in right away to do something. That’s the kind of message that tricked John Podesta, the chairman of Hillary Clinton’s presidential election campaign. He got a message saying there was some problem with his gmail account, he clicked the link, got something that probably looked like the gmail login page, and he typed in his username and password. But the message wasn’t from gmail, and the login page didn’t belong to google. Unknown to him at the time, Podesta had just handed over his gmail credentials to criminals who then logged on to his gmail account, downloaded copies of his email, and published them on wikileaks.

That motherboard article shows a screen shot of a similar phishing message sent to someone else on Clinton’s campaign. The message told the staffer that someone had just logged on to his account from the Ukraine, and that he needs to use the link in the email to change his password immediately.

email messages like that prey on our fears, and they work well. If you get an email like that, don’t click anything in the message. Go to gmail (or whatever) via a bookmark or a web search or by typing the address yourself. Then log in and check on your account, changing the password if you need to.

Sometimes phishing messages try to appeal to emotions other than fear. The holiday season sees lots of phishing messages claiming to be from Fedex or UPS telling people to click a link to  track a package. Other effective phishing attacks ask the victim to click a link to make a charitable donation right after a natural disaster.

If you need more evidence of how effective these attacks are, remember that the Target breach happened because someone fell for a phishing attack, or read about how the city of El Paso lost $3.3 million in a phishing scam.

The main character in your story might want to use phishing to take over someone’s email. It’s the kind of thing your readers will find plausible, because they’ve probably heard lots of stories of that happening. They may have even experienced it themselves.

Photo credit to Ching for Fish, Creative Commons.

Predictably insecure electronic locks

A couple of researchers recently presented their analysis of a dozen or so consumer electronic locks. Some of these locks are the kind that you’d use on a typical door in place of a deadbolt, and some of them work like padlocks. Most of them use bluetooth for wireless operation: you purchase the lock, install an app on your phone, and then use your phone to lock and unlock the device.

Sounds great, right? That’s fewer keys in your purse or pocket or in that not-very-fake-looking rock on your porch. You can enable a temporary code that you send to your plumber, so that he can enter the house while you’re at work. Some devices even have access logs. (Did the plumber come when he said he would? How long did he stay?)

The researchers found that 75% of the devices they studied were vulnerable to different kinds of attacks. In many or most cases, these attacks involved capturing and analyzing the traffic between the smart phone and the lock. The researchers notified the vendors of the affected products, but none of them was interested in doing anything about it. And why would they? At the very best, it would mean an expensive and embarrassing public relations campaign to notify consumers that they had purchased a lock with a defect.

This offers a plausible way for your character to do some breaking-and-entering. Maybe she needs to enter the home or storage building of a gadget-lover. She might need to plant some kind of sniffer device near the lock she wants to defeat and leave it there long enough for someone to use the lock. The FTS4BT bluetooth protocol analyzer and packet sniffer looks like a USB device that she could plug in to a Raspberry Pi. Tricking the lock might be as simple as replaying the signal that the sniffer recorded. If the devices doesn’t have access logs (or if the owner doesn’t bother looking at them), your character could come and go as she pleases from then on.

Oh, and don’t use electronic locks in real life. There’s a reason people have used metal keys to secure their stuff for hundreds of years.