How many times you think a state government uses this vs the thousands of cameras, warrants, a well placed USB stick on the desk, and monitoring the war thunder forums?
I get what you’re saying, but in the grand scene of things, even at the state level, these are not how state agencies are spying on you in practical terms.
The effort to just get this executable running undetected in the background for such a low value attack just doesn’t make sense to spend resources on.
This kind of stuff is SIGNIFICANTLY more alluring when you’re dealing with an air gapped pc.
Interdict the mouse and modify so that it drops the usb, pair with an sdr and a specially modified usb plug to exfiltrate any data picked up, the user is none the wiser, you’ve grabbed whatever info you’re after, and you never even need to physically access the air gapped pc.
It’s elaborate but if you’re targeting an air gapped pc or network then elaborate is necessarily going to be the name of the game.
If you’re looking for something amiss you’d notice a microphone. Unless you really, really, really knew your shit something like this could be essentially invisible even if you disassembled it.
As soon as this kind of stuff gets a simple binary that an attacker can drop on the system, they could definitely add it to their arsenal.
There’s many different state actors working on this kind of stuff. I’m sure there’s a separation between teams that make tools such as these and the ones using them.
How many times you think a state government uses this vs the thousands of cameras, warrants, a well placed USB stick on the desk, and monitoring the war thunder forums?
Very often. Software supply chain attacks are the most common method of infiltration these days, and even in environments with compliance requirements people are very laissez-faire about what they install.
I’d agree with the broad thrust of your comment that this isn’t exactly screaming “panic now, the end is nigh”.
Being aware of vulnerabilities like this is important nonetheless.
The nature of side channel attacks like this are that they’re incredibly difficult to spot and mitigate. This one does seem rather elaborate in that it requires software running on a pc but the attack you mentioned with the processor is decidedly stealthier. Just like timing attacks with fans, tempest style attacks - this stuff happens, and from a consumer pov if someone can interdict a package you order from Amazon and alter it then you’d never even know anything was even happening.
Is this happening a lot? Probably exceedingly rarely. Is it a risk most people have to worry about? No. Is it a risk nonetheless? Yes.
All I’m saying is that it’s important to be aware of the risks if you care about security.
But I think you forget most people have limited attention spans and don’t care about this. They don’t need to know. It’s the equivalent of Windows UAC. Folks get a headline each week, Google is selling your info, malware this, Alexa it’s listening! And they have just tuned it all out. It’s counter productive unless you’re interested in the topic.
The privacy and security security could use a good lesson in messaging. They’ve largely made themselves irrelevant to the general public.
I would add that people’s unwillingness to understand or care about security risks does nothing to alter the importance of being aware of them, but I’m well aware that expecting anyone to give a shit about cybersecurity is pissing into the wind.
This is potentially much cheaper than cameras or going somewhere in person, especially if you can do the a lot of the data processing on site and only upload transcripts. If the official driver manufacturer is in on it or even the initiator, it doesn’t even take much criminal energy. And for international espionage? Pure gold.
This really isn’t worthless.
The chances someone may use it against you may be low but a committed attacker against a secure target will rely on stuff like this.
It’s more in the realm of espionage than stealing your credit card number but this shit happens.
How many times you think a state government uses this vs the thousands of cameras, warrants, a well placed USB stick on the desk, and monitoring the war thunder forums?
I get what you’re saying, but in the grand scene of things, even at the state level, these are not how state agencies are spying on you in practical terms.
The effort to just get this executable running undetected in the background for such a low value attack just doesn’t make sense to spend resources on.
I think they meant international espionage, not spying on the population. That’s at least what I would expect for this.
And everything I said applies. Especially war thunder forums.
There are higher success rates with more common and easy to achieve tactics.
This might be used on 1 or 2 people. Might.
This kind of stuff is SIGNIFICANTLY more alluring when you’re dealing with an air gapped pc.
Interdict the mouse and modify so that it drops the usb, pair with an sdr and a specially modified usb plug to exfiltrate any data picked up, the user is none the wiser, you’ve grabbed whatever info you’re after, and you never even need to physically access the air gapped pc.
It’s elaborate but if you’re targeting an air gapped pc or network then elaborate is necessarily going to be the name of the game.
If you introduce specially modified hardware, why not just add a microphone?
If you’re looking for something amiss you’d notice a microphone. Unless you really, really, really knew your shit something like this could be essentially invisible even if you disassembled it.
I’m not sure you’re right.
As soon as this kind of stuff gets a simple binary that an attacker can drop on the system, they could definitely add it to their arsenal.
There’s many different state actors working on this kind of stuff. I’m sure there’s a separation between teams that make tools such as these and the ones using them.
Very often. Software supply chain attacks are the most common method of infiltration these days, and even in environments with compliance requirements people are very laissez-faire about what they install.
I’d agree with the broad thrust of your comment that this isn’t exactly screaming “panic now, the end is nigh”.
Being aware of vulnerabilities like this is important nonetheless.
The nature of side channel attacks like this are that they’re incredibly difficult to spot and mitigate. This one does seem rather elaborate in that it requires software running on a pc but the attack you mentioned with the processor is decidedly stealthier. Just like timing attacks with fans, tempest style attacks - this stuff happens, and from a consumer pov if someone can interdict a package you order from Amazon and alter it then you’d never even know anything was even happening.
Is this happening a lot? Probably exceedingly rarely. Is it a risk most people have to worry about? No. Is it a risk nonetheless? Yes.
All I’m saying is that it’s important to be aware of the risks if you care about security.
I said I love them didn’t I?
But I think you forget most people have limited attention spans and don’t care about this. They don’t need to know. It’s the equivalent of Windows UAC. Folks get a headline each week, Google is selling your info, malware this, Alexa it’s listening! And they have just tuned it all out. It’s counter productive unless you’re interested in the topic.
The privacy and security security could use a good lesson in messaging. They’ve largely made themselves irrelevant to the general public.
No arguments.
I would add that people’s unwillingness to understand or care about security risks does nothing to alter the importance of being aware of them, but I’m well aware that expecting anyone to give a shit about cybersecurity is pissing into the wind.
This is potentially much cheaper than cameras or going somewhere in person, especially if you can do the a lot of the data processing on site and only upload transcripts. If the official driver manufacturer is in on it or even the initiator, it doesn’t even take much criminal energy. And for international espionage? Pure gold.
I know, I know, another program mass sending telemetry that somehow every security researcher has missed.