When you think about cyberthreats, what comes to mind? An extortionist announcing your doom with a dark monitor and a laughing skull? State-sponsored cyber-warriors working from a secure command post? President Trump’s certain, “somebody sitting on their bed that weighs 400 pounds?”
Chances are good, your version of cyber risk involves one of the above “types” hunched over a keyboard deploying massively sophisticated malware on the networks of unsuspecting businesses and government agencies. Think again.
Ever notice that some phone chargers work better than others? That’s because they’re devices. Some are built better than others, and both charge devices and move data faster than inferior specimens.
The O.MG cable looks like a standard iPhone/iDevice “lightning” cable, but it contains a tiny Wi-Fi transmitter that allows a remote user to take control of a connected computer.
If that sounds exotic to you, be advised that the O.MG device (it bears repeating: a cable is a transmission device) could already be in your office. There has been limited availability since its successful debut at this year’s DefCon, the white hat hacker conference, and this nefarious little hacking gadget will soon be for sale on the web.
Why it matters: If you happen to be in an office, look around and take note of how many co-workers are using their workstations to charge their phones. Yup, it’s a nightmare waiting to happen.
The danger in this realm of peripheral devices isn’t limited to 007-style hacking tools disguised as everyday items.
When it comes to your office’s attackable surface, printers hold a special place. They’re typically internet- and network-connected. They store a stealable version of what they’ve recently printed. And, generally speaking, the most affordable (and thus most commonly used) models have minimal built-in security.
Printers are often leased and returned with the data they store intact–not wiped clean. For smaller companies using even cheaper models, older machines are simply “disposed of.” Sold off for surplus, donated to a charity, or returned to the leasing company, and yes, still brimming with data. Anyone with access to these jettisoned machines will be able to recover a treasure trove of sensitive data on their built-in storage.
Wireless network access is ubiquitous, but the same technology that makes it possible for employees to bring laptops to conference rooms to stay online also means anyone within range can access data moving on the network.
To get a sense of how poorly protected most WiFi networks are, consider Pwnagotchi, a device that combines 90s-era nostalgia for virtual pets with a powerful hacking tool that costs less than $100 to assemble. Using a low-powered Raspberry Pi computer, the pocket-sized Pwnagotchi either passively sniffs out or cracks WiFi network passwords and has the capacity to do this more efficiently with every network it manages to compromise.
The Pwnagotchi device is not as widespread as the virtual pets that inspired its design. But it underscores the reality that WiFi security is often something that a hobbyist’s toy can crack–and yes, we’re too often talking about the exact same kinds of encryption that businesses use to protect their data.
What Does This Mean for Us?
Effective cybersecurity for businesses is a daunting proposition. Every day seems to bring a new strain of ransomware, a new software vulnerability, and new potential for extinction-level data breaches. Even large-scale enterprise is at risk.
Every entry point to data in an office is a potential vulnerability, and what are commonly thought to be cheap and disposable accessories are no exception.