“Cybercriminals need to get it right only once. Cybersecurity needs to get it right every single time.”
This well-worn aphorism has become a cliché in the cybersecurity industry, but for good reason, and as the threat landscape evolves it only grows more relevant. Modern attacks move laterally through a victim's environment, hopping from a single infected mobile device to the cloud to the on-premises network, and use polymorphic tooling that takes a different form in each attack.
This article describes two attack vectors that can form part of a fifth-generation cyberattack, and aims to show why it matters to keep up with the changing dynamics of cyberthreats and cybersecurity.
Fax Machines And Printers
Fax machines are still widely built into all-in-one printers. The fax function of such a printer is connected to an ordinary PSTN (public switched telephone network) phone line, while the printer itself is connected to a corporate or home network over Ethernet, Wi-Fi or Bluetooth. The device is therefore a bridge from the public telephone network into the organization's internal network, and one that sits outside the perimeter controls applied to internet traffic.
With this in mind, our researchers discovered that all they needed to take control of a standard all-in-one printer, and from there to pivot into the network it was attached to, was the fax number associated with the machine.
Color faxes are transmitted as JPEG images. The printer wrote each received image to a JPEG file and handed it to its image decoder without validating the contents, so a crafted color fax could carry a malicious payload that exploited flaws in that decoder. Once the printer was compromised, our researchers demonstrated how easy it was to reach the LAN (local area network) and specifically the PC connected to the same network as the test machine.
From there, it was a simple step to send data from those PCs back to the "attacker" through the compromised all-in-one printer. In this scenario the attacker needs no internet access to the target at all: the phone line is both the entry point and the exfiltration channel.
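The missing "sanitation check" described above is the kind of thing a receiver should do before any image data reaches a decoder. The following Python is an added example, not code from the original article and not the printer firmware's own parser, and it does not reproduce the actual flaws our researchers found. It walks the segment structure of a received JPEG and bound-checks every length field against the bytes actually received, rejects frame headers that would force an oversized allocation, and is run here against a constructed 8x8 sample file and two crafted variants. The marker subset, the `MAX_PIXELS` cap and the sample bytes are assumptions made for the example.

```python
import struct

# JPEG marker values used below (a subset of the standard marker table).
SOI, EOI, SOS = 0xFFD8, 0xFFD9, 0xFFDA
SOF_MARKERS = {0xFFC0, 0xFFC1, 0xFFC2}                  # baseline, extended, progressive
STANDALONE = {0xFF01} | {0xFFD0 + i for i in range(8)}  # TEM and RST0-7 carry no length field
MAX_PIXELS = 5000 * 5000   # assumed allocation cap for one fax page


class RejectedImage(ValueError):
    """Raised when the file fails a structural check before any decoding."""


def validate_jpeg(data: bytes) -> dict:
    """Walk the segment structure of a received JPEG and bound-check every
    length field against the bytes actually received. Returns the frame
    header (height, width, component count) if the file is well-formed."""
    if len(data) < 4 or struct.unpack(">H", data[:2])[0] != SOI:
        raise RejectedImage("missing SOI marker")
    pos, frame = 2, None
    while pos + 2 <= len(data):
        marker = struct.unpack(">H", data[pos:pos + 2])[0]
        if (marker & 0xFF00) != 0xFF00:
            raise RejectedImage(f"expected a marker at offset {pos}, got {marker:#06x}")
        pos += 2
        if marker == EOI:
            if frame is None:
                raise RejectedImage("EOI before any frame header")
            return frame
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            raise RejectedImage("truncated segment length field")
        seg_len = struct.unpack(">H", data[pos:pos + 2])[0]
        # The length counts itself, so < 2 is malformed, and the payload must
        # lie entirely inside the buffer: trusting this field unchecked is how
        # a decoder ends up copying past the end of its allocation.
        if seg_len < 2 or pos + seg_len > len(data):
            raise RejectedImage(
                f"segment {marker:#06x} declares {seg_len} bytes, only {len(data) - pos} remain")
        payload = data[pos + 2:pos + seg_len]
        if marker in SOF_MARKERS:
            if len(payload) < 6:
                raise RejectedImage("SOF header too short")
            _precision, height, width, ncomp = struct.unpack(">BHHB", payload[:6])
            if height == 0 or width == 0 or height * width > MAX_PIXELS:
                raise RejectedImage(f"frame {width}x{height} exceeds the allocation cap")
            if ncomp not in (1, 3, 4) or len(payload) != 6 + 3 * ncomp:
                raise RejectedImage("SOF component table inconsistent with component count")
            frame = {"height": height, "width": width, "components": ncomp}
        pos += seg_len
        if marker == SOS:
            # Entropy-coded scan data follows; skip to the next real marker.
            # 0xFF00 is a stuffed byte and RSTn markers are part of the scan.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise RejectedImage("ran off the end of the buffer without EOI")


def is_safe(data: bytes) -> bool:
    try:
        validate_jpeg(data)
        return True
    except RejectedImage:
        return False


def _segment(marker: int, payload: bytes) -> bytes:
    return struct.pack(">HH", marker, len(payload) + 2) + payload


# Constructed sample inputs: a minimal well-formed 8x8 grayscale file and two
# crafted variants of the kind a validator must reject.
APP0_JFIF = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
SOF0_8X8 = bytes([8, 0, 8, 0, 8, 1, 1, 0x11, 0])        # 8-bit, 8x8, 1 component
SCAN = _segment(SOS, bytes([1, 1, 0x00, 0, 63, 0])) + b"\x12\x34\xff\x00\x56"

BENIGN_FAX = (struct.pack(">H", SOI) + _segment(0xFFE0, APP0_JFIF)
              + _segment(0xFFC0, SOF0_8X8) + SCAN + struct.pack(">H", EOI))
# APP0 claims 65,535 bytes but the file ends long before that.
OVERSIZED_SEGMENT = (struct.pack(">H", SOI) + struct.pack(">HH", 0xFFE0, 0xFFFF)
                     + APP0_JFIF)
# Frame header asks the decoder to allocate a 65,535 x 65,535 image.
HUGE_FRAME = (struct.pack(">H", SOI) + _segment(0xFFE0, APP0_JFIF)
              + _segment(0xFFC0, bytes([8, 0xFF, 0xFF, 0xFF, 0xFF, 1, 1, 0x11, 0]))
              + SCAN + struct.pack(">H", EOI))

if __name__ == "__main__":
    print(validate_jpeg(BENIGN_FAX))
    for sample in (OVERSIZED_SEGMENT, HUGE_FRAME):
        print("rejected" if not is_safe(sample) else "ACCEPTED (bug)")
```

The point of the walk is that every offset used later is derived from a length field the sender controls, so each one is compared against the size of the buffer before it is used; a real decoder would additionally validate the quantization and Huffman tables before the scan is decoded.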
Once our researchers realized the scope of these vulnerabilities, they immediately alerted HP, who swiftly developed and released a patch. But if you have a fax machine silently collecting dust while confusing the millennials in your office, remember that an attacker may need nothing more than your office's fax number to get a foothold on your network.
The main takeaway here (besides: patch your printers, and maintain good cyber hygiene) is that misunderstandings, miscommunications and disorganization can open up attack vectors in unexpected directions. Any device with an interface to the outside world, a phone line included, is part of your attack surface.
Mobile Phones And External Storage
The challenge is even greater with mobile phones, because mobile cyber hygiene depends not only on the mobile vendor but also on the developers of the apps that run on these devices.
Another team of our researchers found a weakness in Android's storage design that opens up a broad attack surface. Android gives apps two kinds of storage: internal storage, where each app's data is sandboxed and accessible only to that app, and external storage (the SD card or its emulated equivalent), which is shared: any app that holds the external storage permission can read, and with the write permission modify, files there.
App developers may have logical, innocuous reasons to write their code in external storage:
• Not enough capacity in the internal storage.
• Allowing for backward compatibility with different devices.
• Minimizing the app’s demands on the device memory.
• Enabling functionalities with another app, such as allowing a messaging app to share a photo from the phone’s photo gallery.
However, this means that everything in external storage is out in the open and can be read or modified by any other app with access to it.
In a Man-in-the-Disk attack, a malicious app on the same device intercepts and tampers with data that another app keeps in external storage. Our team observed apps that staged downloads, updates or responses from the app provider's server in external storage before moving them to their final destination inside the app. That creates a window: a threat actor can modify the staged data after it is written and before the app reads it back.
By publishing a seemingly innocent app that carries the tampering logic, an attacker only has to get the user past the prompt asking for permission to access external storage. A typical user is likely to approve the request, which lets the attacker manipulate data written to that storage and consumed by other applications.
App development guidelines urge developers not to keep sensitive data or executable code in external storage, and to validate anything they read back from it, yet our researchers found that many apps, including Google Translate, did not heed this advice. Security guidelines are valuable, but frankly, it is naïve to expect every developer in the world to have security top of mind when writing code, let alone to have enough expertise to get it right.
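The window described above, and the two ways of closing it, can be shown without an Android device. The following Python is an added example, not code from the original article and not from any of the apps mentioned; plain directories stand in for external and internal storage, the "attacker" is a function that rewrites a staged file, and the file names and contents are constructed. It contrasts a loader that trusts whatever is in shared storage with one that checks the bytes it actually uses against a digest the app recorded in private storage, and then shows the simpler fix of never staging in shared storage at all. It assumes the expected digest is delivered alongside the download over the app's own TLS connection, which is not something the article states.

```python
import hashlib
import tempfile
from pathlib import Path


class TamperedContent(RuntimeError):
    """Raised when a file read from shared storage does not match its expected digest."""


def stage_download(shared_dir: Path, name: str, payload: bytes) -> Path:
    """The vulnerable pattern: the app parks what it fetched in shared
    (external) storage before using it. Anything else on the device with
    external-storage permission can rewrite it during that window."""
    path = shared_dir / name
    path.write_bytes(payload)
    return path


def load_unverified(path: Path) -> bytes:
    """Trusts whatever is on the shared volume at read time."""
    return path.read_bytes()


def load_verified(path: Path, expected_sha256: str) -> bytes:
    """Read once, hash the same bytes that will be used, and refuse anything
    that does not match the digest the app recorded in private storage.
    Hashing the file and then re-reading it would reopen the race."""
    data = path.read_bytes()
    if hashlib.sha256(data).hexdigest() != expected_sha256:
        raise TamperedContent(f"{path.name} was modified on shared storage")
    return data


def attacker_swap(path: Path, replacement: bytes) -> None:
    """Stands in for a second app that holds the external-storage permission
    and watches the directory for files it can rewrite."""
    path.write_bytes(replacement)


def demo() -> dict:
    """Runs the swap against both loaders and reports what each accepted."""
    with tempfile.TemporaryDirectory() as tmp:
        shared = Path(tmp) / "sdcard"         # stands in for external storage
        private = Path(tmp) / "app_private"   # stands in for the app's internal storage
        shared.mkdir()
        private.mkdir()

        # Constructed sample: a configuration pack the app downloads from its
        # server, and the attacker's replacement for it.
        genuine = b"hello=bonjour\nupdate_host=updates.example.com\n"
        malicious = b"hello=bonjour\nupdate_host=attacker.example.net\n"

        # Assumption: the digest arrives with the download over TLS and is kept
        # in internal storage, which a Man-in-the-Disk attacker cannot reach.
        digest = hashlib.sha256(genuine).hexdigest()
        (private / "config-pack.sha256").write_text(digest)

        staged = stage_download(shared, "config-pack.bin", genuine)
        attacker_swap(staged, malicious)          # the race is won here

        results = {"unverified_accepts_tampered": load_unverified(staged) == malicious}
        try:
            load_verified(staged, (private / "config-pack.sha256").read_text())
            results["verified_accepts_tampered"] = True
        except TamperedContent:
            results["verified_accepts_tampered"] = False

        # The stronger fix removes the window entirely: write straight into
        # internal storage, which other apps cannot open.
        private_copy = private / "config-pack.bin"
        private_copy.write_bytes(genuine)
        results["private_copy_intact"] = load_verified(private_copy, digest) == genuine
        return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

On a real device the private directory corresponds to the app's internal storage (the directory returned by `getFilesDir()`), and the digest must come from a channel the attacker cannot influence, such as a signed manifest or the same TLS response that delivered the file; a digest stored next to the file in external storage would simply be swapped along with it.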
Google patched the affected applications, as responsible companies do, but it goes to show that one overlooked entry point is enough to keep attackers in business.
Securing the internet in 2019 presents an entirely new set of challenges: every new technological advance is paid for with an entirely new set of vulnerabilities. In the fifth generation of cyberattacks, seemingly minor nuances can crack a whole system wide open.
The burden of proof, so to speak, is on us, the cyber defenders. We need to drive companies to stay up-to-date with the fifth generation of protection. By doing so, we will make it harder for cybercriminals to steal their data, harm their businesses and disrupt their lives.