The problem with this approach is that you only get to see whatever is displayed on a particular PC's monitor. In most cases that won't be very interesting. Also, you have no power to go fishing - you will need physical access to a PC that is going to display something important. For that to work you would need an insider with physical security access to the PC that you want to spy on. If the data going to that PC is important, it's probably sitting in a locked office, in which case why are you doing it the hard way? Just ask your cooperative insider who has a key to that office whatever you want to know.
Your data: Stolen through PIXELS
Data loss prevention has been dealt a coup de grace with the development of a client-less system that can suck corporate data through monitors. The research, to be detailed in a proof of concept at the Kiwicon hackerfest in Wellington on Friday December 12, bypasses all detection methods, its developer says. The attack …
COMMENTS
Thursday 11th December 2014 07:08 GMT Anonymous Coward
The problem here is that normal operations by a user can be recorded for data exfiltration and you don't have to be a "hacker" to do it. I'm not sure what role the Arduino keyboard plays in this, except for perhaps controlling the scroll rate, but slipping a game recorder into the line between the HDMI out of a computer and in where it hits the display takes care of data collection.
Short of using epoxy to glue (or perhaps a locking mechanism, patent anyone?) on the HDMI cable, you aren't stopping it. [And how do you prevent a cellphone or Google-glass like device from recording the display?] The point here is that the assumption that the user has to leave a trace on what was stolen is completely erroneous. Obviously the user has access to the data. Taking it home was the traceable part. No longer.
This is just off the cuff after seeing it and a couple of cigarettes. Interesting.
Thursday 11th December 2014 16:55 GMT Robert Helpmann??
And how do you prevent a cellphone or Google-glass like device from recording the display?
Well, it ought to be pretty obvious if you are at work and someone is holding a cellphone behind you while you beaver away. There are privacy screens that prevent shoulder surfing to a certain extent. Perhaps the next wave in security of this nature will involve a VR headset.
Friday 12th December 2014 00:42 GMT Deltics
Re: @badvok (without attaching [...] anything else)
Great. So all I need to do is pop down to my local electronics store and ask for an HDMI recording device that doesn't leave a footprint?
Even if such a thing exists, you still need physical access to install said mythical device and if you can contrive to obtain that access then you almost certainly already have access to far easier methods for getting the data you want.
Friday 12th December 2014 10:26 GMT Anonymous Coward
poopypants: I mentioned a similar attack months ago in the company I work for, and I can tell you you can dump anything you want
What you need to do is:
- open a window with a specific marker in it (like you have in QR code)
- output the binary data you want to dump to the outside world within these markers
- have your HDMI device recording between the markers
HDMI data is digital, so you can dump anything you want, like the entire codebase of your HFT firm without anyone noticing it (they check for USB and network; with HDMI, there is nothing they can do).
The "real difficulty" is to run (type?) the program that's going to do the output on your computer without being caught (not saving it, not leaving traces in any form of log).
Thursday 11th December 2014 06:52 GMT Khaptain
Next Stage
Definitely dangerous technology due to its lack of requirement for OS interfacing.
So the obvious next stage would be to intercept what is being sent to the screen and to modify it in such a manner that tricks the target into believing that they must re-enter/change their password for example.
Thursday 11th December 2014 07:38 GMT Shadow Systems
If the attacker has physical access, then it's no longer YOUR computer.
Rule number 1 of basic computer security. So if someone comes in & slaps a recording device (video, keyboard, etc) on the machine, you were screwed no matter WHAT they did, because they could just as easily have stolen the unit altogether. Yes that would clue you in to change all the passwords once you found the unit missing, but would you have reacted in time? Or will the bastard already have gained access to your Root, set themselves up a couple of hidden Admin accounts, and thus get to laugh at your attempts to lock them out of THEIR network now?
And I find it amusing that the IT department allows anyone to disconnect the cables, not employing a simple locking dongle between ports & cable. Can't unhook the dongle (locked to chassis), can't disconnect the cable (locked inside the dongle), thus removing any such attack vector. Hell, we were doing that to all the kit in our office over a decade ago, and we weren't even doing it to thwart outside attackers, rather to keep the grubby fingered employees from swiping the brand new monitors & exchanging them for their crappy CRTs from home. Thieving little bastards, and they wondered why we locked them out of their USB ports, too? Because you kept fucking installing viruses & infected shit! I swear to all the Nameless Gods of Cthulhu's arsehole that we were THIS >< close to switching you stupid fucks over to Thin Clients & making you suffer on Ten-Base-T networking JUST to teach you a lesson about not pissing off the IT department!
*Shakes a palsied fist*
Damned Whippersnappers! Now get off my LawnGnome!
Thursday 11th December 2014 09:01 GMT HMB
Re: If the attacker has physical access, then it's no longer YOUR computer.
Wow, where do you get the authority to deny your office workers USB flash drives? Are you working for the public sector? I won't deny the effectiveness of your methods, but few companies I know would allow such practices.
Friday 12th December 2014 06:36 GMT John Tserkezis
Re: If the attacker has physical access, then it's no longer YOUR computer.
"Wow, where do you get the authority to deny your office workers USB flash drives?"
We are the IT department. We ARE the authority. We have been charged with ensuring the security of our network from various intrusions, one of which is malware-infected USB drives, which we've shown again and again, idiot users, much like yourself, like to poke into any and every computer out there. But not ours.
Don't like the way we do things? No problem, fuck off and work somewhere else that does allow unfettered USB drive use, like Sony for instance. As an example.
Thursday 11th December 2014 09:59 GMT Anonymous Coward
Re: If the attacker has physical access, then it's no longer YOUR computer.
Even if the connectors are locked down, perhaps someone has enough technical skill to splice the spy into the middle of the cable. Even if most of the cable was tied down in some unreachable conduit, the cable still has to reach the monitor out in the open somehow, and that alone could be enough cable to perform the splice.
Thursday 11th December 2014 15:09 GMT Anonymous Coward
Re: If the attacker has physical access, then it's no longer YOUR computer.
> Even if the connectors are locked down, perhaps someone has enough technical skill to splice the spy into the middle of the cable.
Not to mention walk in with a GoPro strapped to their head and just record the screen and keyboard. :-)
If queried, you just say you're training for your ski holiday.
Thursday 11th December 2014 10:01 GMT Anonymous Coward
Re: If the attacker has physical access, then it's no longer YOUR computer.
"Thieving little bastards, and they wondered why we locked them out of their USB ports, too? Because you kept fucking installing viruses & infected shit! I swear to all the Nameless Gods of Cthulhu's arsehole that we were THIS >< close to switching you stupid fucks over to Thin Clients & making you suffer on Ten-Base-T networking JUST to teach you a lesson about not pissing off the IT department!"
Others have tried this, only to learn the malware was coming from the VPs and other top-level execs who can override the IT department.
Thursday 11th December 2014 08:38 GMT Mage
Eh?
How is this news?
Though the article was a bit confusing with some irrelevant detail.
Obviously you send important targets a very nice mouse with a trojan. Much cheaper and more effective.
If you really want to do this you supply a nice monitor with this built in. Perhaps with a special cable dock for ALL cables to pass through (protect your Cat5, USB, Mains etc from surges and lightning, or equipment replaced free). The nice surge arrestor of course listens on all and uses the ethernet to call home.
Icon because the example is baby stuff.
Friday 12th December 2014 06:44 GMT John Tserkezis
"The solution is to glue laptops do desks :P"
Ahem. A place I used to work at had various cards go missing from my testbed computer.
I finally superglued (in the form of a threadlocker) the hex nuts into place, as well as the VGA cable fastening screws. For good measure, I got in and superglued the videocard fastening screw in place.
Then I waited for every bastard to ask me why I did that. (they had to try to pinch it to realise it was stuck, because I didn't tell anyone).
Turns out, most of the people in the department were the thieves. Not that it was hard to get the cards, you sign the paperwork and you get it. But handwriting was too hard you see.
Thursday 11th December 2014 13:08 GMT Charles 9
"If a new HDCP standard emerged with the ability to, say, flash upload a unique key pair between source and sink, then you could pair the graphics card of a PC to a specific monitor and any interloper on the HDMI line would see not a lot at all."
Unless, of course, the monitor has to be replaced due to a hardware failure. Then you need to have a way to renegotiate the key exchange when the new monitor comes in. Then, the spy can imitate that and act as a Man in the Middle.
Thursday 11th December 2014 15:14 GMT TRT
The keys are asymmetric, so the decryption key is never sent over the wire. It has to be looked up in a table. New media are supposed to carry a blacklist of compromised keys which sinks and sources update in non-volatile memory and never use once marked as compromised.
Presumably there is a defined supply chain for hardware, so I envisaged the company's own CP key table being blown into every device before deployment rather than being generated on the fly and transmitted over a presumed un-secure wire.
It's just moving the problems of secure data exchange from e.g. the internet onto another wire; a wire that already has an encryption standard.
It might be possible even for an encrypted version of the key-pair to be downloaded from e.g. a trusted server. I believe there's a protocol for ethernet over HDMI already.
The goal in this scenario is to at least detect unauthorised data removal.
Friday 12th December 2014 05:01 GMT Anonymous Coward
If the keys are stored, they can be retrieved somehow. Remember, we're talking industrial if not government espionage here. Money may not necessarily be an object. Look at how the HDCP master key got leaked. Some of Sony's private keys have been leaked. The only key that can't be leaked is one no one knows about. The only one I can think of that fits the bill is a generated key, and a MITM spy can generate a key as easily as any other device.
Thursday 11th December 2014 10:36 GMT Clive Galway
Not Undetectable
There are systems out there that can detect a machine requesting lots of files over the network and flag it as suspicious.
Also, running in a non-1920x1080p resolution would cause big problems for this hack - most of these game capture boxes pretend to be a 1920x1080p monitor, so you could just check for device change of the monitor, or watch for resolution change.
Also, you would not need a game capture card for many nvidia GPU machines - just record the desktop with Shadowplay.
Which raises more of a security risk IMHO.
Just make sure ShadowPlay is enabled in "Shadow Mode", wait for the CEO to leave his PC unlocked, then hit the record button and have his last half hour of screen activity dumped to a video.
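A defender-side check along the lines of the "check for device change of the monitor, or watch for resolution change" suggestion above. This is an added example, not code from the article, the commenters or the TGXf project: it parses the EDID block a display announces to the host, baselines its identity and preferred mode, and reports a swap to a different sink (for instance a generic 1920x1080 capture box). The `make_edid` helper only builds constructed sample blocks; on Linux a real block can be read from `/sys/class/drm/<connector>/edid`.

```python
import hashlib
import struct

EDID_HEADER = b"\x00\xff\xff\xff\xff\xff\xff\x00"


def parse_edid(edid: bytes) -> dict:
    """Extract identity and preferred-mode fields from a 128-byte EDID base block."""
    if len(edid) < 128 or edid[:8] != EDID_HEADER:
        raise ValueError("not an EDID base block")
    if sum(edid[:128]) % 256 != 0:
        raise ValueError("EDID checksum mismatch")
    word = (edid[8] << 8) | edid[9]          # PnP ID: three 5-bit letters, A=1
    pnp = "".join(chr(64 + ((word >> s) & 0x1F)) for s in (10, 5, 0))
    product, serial = struct.unpack_from("<HI", edid, 10)
    d = edid[54:72]                          # first detailed timing = preferred mode
    h_active = d[2] | ((d[4] & 0xF0) << 4)   # low byte + upper nibble of byte 4
    v_active = d[5] | ((d[7] & 0xF0) << 4)
    return {"pnp_id": pnp, "product": product, "serial": serial,
            "preferred": (h_active, v_active),
            "fingerprint": hashlib.sha256(edid[:128]).hexdigest()}


def check_display(baseline: dict, current: dict) -> list:
    """Return findings; an empty list means the attached display matches the baseline."""
    findings = []
    for key in ("pnp_id", "product", "serial", "preferred"):
        if baseline[key] != current[key]:
            findings.append(f"{key} changed: {baseline[key]!r} -> {current[key]!r}")
    if not findings and baseline["fingerprint"] != current["fingerprint"]:
        findings.append("EDID bytes changed although identity fields match")
    return findings


def make_edid(pnp: str, product: int, serial: int, width: int, height: int) -> bytes:
    """Build a minimal checksum-valid EDID 1.3 block (constructed sample data only)."""
    word = 0
    for ch in pnp:
        word = (word << 5) | (ord(ch) - 64)
    b = bytearray(128)
    b[0:8] = EDID_HEADER
    b[8], b[9] = word >> 8, word & 0xFF
    struct.pack_into("<HI", b, 10, product, serial)
    b[18], b[19] = 1, 3                      # EDID version 1.3
    b[54], b[55] = 0x02, 0x3A                # pixel clock 148.5 MHz (non-zero = real DTD)
    b[56], b[58] = width & 0xFF, (width >> 8) << 4
    b[59], b[61] = height & 0xFF, (height >> 8) << 4
    b[127] = (-sum(b[:127])) & 0xFF          # checksum byte makes the block sum to 0
    return bytes(b)
```

Store `parse_edid(...)` of the deployed monitor at provisioning time, re-read the EDID periodically or on hotplug, and alert on any non-empty `check_display` result.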
Thursday 11th December 2014 17:23 GMT David Roberts
Missing something?
I assume the whole point is to capture data without saving it to a file on the client, and thus leaving an audit trail. Also no software to install. Also no problems getting the data off the client if USB ports have been quite reasonably disabled.
So running software on a PC to capture the video stream and then copy/email it wouldn't meet the undetectable requirement.
This seems to be a fast and easy method of capturing data displayed on a screen without having to record it via a camera or plain old paper and ink.
However it is a niche attack - the client is locked down to prevent USB drives being attached and is audited and email is also scanned. However physical security is lax enough that you can connect another computer to the video hardware to record your sessions and then remove the hardware afterwards (or leave it there under the desk and regularly swap out the SD cards with the captured data).
I am assuming that the device uses a spare HDMI port on the graphics card instead of being inserted between PC and monitor on the main graphics output but I may have missed that part.
If it is feasible to have a device recording the HDMI output then this puts the mockers on any Digital Rights enforcement preventing copying of programs from e.g. Virgin Media Tivo boxes in full HD. So is it a media copying device which could also be used for spying?
All in all an interesting spy device to plug into a tower PC under a desk. Who would notice it?
Thursday 11th December 2014 19:39 GMT Christian Berger
I hate it when all my bad prejudices come true
I mean that guy is using Mint... so I assume he's subscribed to the FreeDesktop people mindset who solve trivial problems in very awkward and complicated ways, but I refuse to actually believe that, since it's a bad stereotype. People are better than their stereotypes, aren't they?
Then I see that person using video to steal data and doing this in a complicated way instead of just using hexdump or base64. Both programs are commonly available on just about any unixoid system.
This somehow strikes me as a typical solution from those people. Instead of using what's already there they seem to want to re-invent the world, and typically fail at doing so.
Friday 12th December 2014 08:38 GMT Ian Latter (TGXf)
More info
Just read the article - thanks Vulture South!
The presentation deck with youtube links is now online;
http://thruglassxfer.com/The%20TV%20people%3F%20Do%20you%20see%20them%3F%20-%20Kiwicon%202014%20-%20v1.0.pdf
And if you're in the region and you've never been then you've got to get yourself to the next Kiwicon, metlstorm put it best: "less like a security conference and more like a security variety show!" - brilliant.
Reading the comments ..
The primary use case here is off-shore partners (particularly) and also remote workers where the enterprise has no independent physical security controls. Controls in these physical environments tend to be derived from contractual relationships empowered through national regulatory frameworks and are penalty driven but require proactive detection.
Agree completely that we're talking baby stuff RE physical access but we are in the strange situation where enterprise routinely provides access to sensitive information on-shore, to un-trusted (or at best semi-trusted) users off-shore, on the basis that the regulatory frameworks (Data Protection/Privacy typically) believe that the data can't get through the glass at the far end. In the middle of all of this the actual physical security off-shore is typically paid by the off-shore party - like having the guy who cleans the crown jewels hire the security detail that ensures he doesn't nick 'em.
To address the thread questions I can see ..
HDMI port: You don't need a second display port, use the primary display port. I used the "second" in the video because it was a laptop. If you find that someone has glued/locked the cable into the port on the PC, check the back of the monitor, you can unplug it there too .. otherwise you're back to cutting the cable or unscrewing the screen.
HDCP: I haven't looked into a solution for HDCP, but I don't see it as unsolvable.
Black text on White BG: Because of the raw nature of the OCR process that I used, I considered inverting it in the decoder but it's a PoC so, meh.
USB or not: clientlessTGXf does not require an Arduino USB device to be connected to the End-User-Compute device. I used one in the video because I'd be a sadistic bastard to make everyone sit through the pain of watching me type it .. lol
GoPro: Yes, but the risks are always minimised based on data reconstruction effort. The experiment here is to see where the argument goes when the entire process is point-n-click or plug-n-play.
Tempest: Yes, emissions attacks are too abstract apparently, hence the off-the-shelf kit. On the keyboard side, the advantage of being active in the signal is through-console networking (take a look at TCXf: http://thruglassxfer.com/TCXf-application-architecture.png).
Hexdump: When I get the web site updated with the source code published early next week you'll find that the OCR training was all (generator, images, arrays) sized for hexadecimal, specifically because I was going to use hexdump as the clientless generator. However I had too many recognition errors between [A4F] and [08B], so I simplified it to a binary encoding and implemented it in script (arguably more portable). Trust me when I say that I value my weekends too much to be re-inventing the world for no value.
But this one has to take the icon -- "I swear to all the Nameless Gods of Cthulhu's arsehole" .. ROFL.