PC Pro

Davey Winder

Academic research into security breaches could be anything but academic in a year or two, says Davey, before highlighting a nosy vacuum cleaner.


Long before I wrote about security, I was a hacker. I first got involved with online communities, bulletin boards, conferencing systems and networks out of a combination of necessity and curiosity.

The necessity part is easy to explain: I lost a year of my life, and a whole load of rather important brain cells, in hospital courtesy of a nasty encounter with viral encephalitis in the 1980s. Before becoming a patient at the world-renowned Atkinson Morley neurology hospital (which was involved in the development of the CT scanner) I had set out on a career in sports management. Upon my discharge, some 12 months later, I couldn’t read or write, had severe cognitive difficulties and had lost the use of three limbs.

Long story short, as my brain started to recover and relearn, my body lagged behind. I only left my specially adapted flat when picked up by the London Ambulance Service for my twice-a-week hospital visits. An Amstrad PCW connected to a modem the size of a shoebox was my escape from this mundane and restrictive existence into a virtual world where I was free to explore with everyone else. Starting with FidoNet bulletin boards and then systems such as Prestel’s Micronet, the Compulink Information eXchange (Cix) and Usenet newsgroups, I found a world where I could exist on equal terms.

Believe me, I had got very used to the “does he take sugar?” syndrome of people talking to whoever was pushing my wheelchair at the time, rather than me, in the real world and didn’t much care for it. Which is where my curiosity kicked in, wanting to find out more not only about the people who inhabited these online worlds and others I had yet to discover, but also how they worked. Which meant exploring, or hacking if you prefer: that’s what it was most of the time as I hadn’t the money to pay the cost of the telephone calls or the subscription fees.

I was, perhaps, a tad disruptive at times but never destructive; my intent was never to harm, rather to explore, interact and more often than not have a bloody good laugh. That was then, this is now, and all that’s really changed is that while I’m still exploring and discovering new stuff, I now get paid to share this knowledge with others through my writing and consultancy work. Oh, and I hardly ever break any laws in the process.

The reason I mention all this, and I appreciate many loyal PC Pro readers will be well aware of my background, is to establish that hacking isn’t a bad thing. Indeed, the word itself is just that: a word. I like the definition of a hacker as being someone who uses their expertise (technical or social) to overcome a programming, hardware, network or other computer-related obstacle or problem. That is as it has always been. The word itself implies neither good nor bad intent; a hacker makes the choice whether to be a problem solver or a cybercriminal. I don’t intend to get into the debate around not calling cybercriminals hackers, other than to say if they hack to perpetrate the crime then it’s a valid noun in my opinion, as long as the context in which it’s applied is explained properly.

If my life had taken a different turn along the way, and I wasn’t fast approaching bus pass age, I may well have decided to become a security researcher within the academic sphere. Little known fact: I was offered the opportunity to become a professor many years ago, lecturing on the subject of digital journalism, which should give you some idea just how long ago it was. I turned it down as I didn’t really think “Professor Winder” went with my cyberpunk image at the time. Anyway, I admire people who do security research “lab work” and I think it’s unfair that so much of it attracts the criticism of being research for the sake of research. Today’s “impossible outside of controlled lab conditions” exploit is tomorrow’s cybersecurity news headline. And, importantly, from an educational perspective they serve to remind us of the importance of good security hygiene.

Looking over your shoulder

Take the keystroke inference attack, as demonstrated by researchers from the University of Texas and the University of Oklahoma. The research paper, which you can read at pcpro.link/318zoom, is heavy going, as such things tend to be. Essentially, though, it’s a method that attackers could use to grab data, such as passwords, during a videoconferencing call. Not your Zoom password used to initiate the call, but credentials that you might input during it because we have all become gods and goddesses of multitasking during the pandemic. What’s so clever about watching someone type something on a video link you may ask? Nothing at all – apart from the fact that in most such calls you only see the head and shoulders of the participants. Hence the “inference” reference in the attack methodology, which uses shoulder movements to read keyboard inputs. And yes, this is as complicated as you might think.

It revolves around the use of Newton’s third law of motion, in that whenever you hit a key there’s a reaction force produced in the opposite direction, a force that travels up from the fingertips to the shoulder muscles and joints. A force that differs depending on which finger is being used. These movements are as diminutive as they are delicate, but they’re enough to indicate direction of travel across the keyboard.

Using software that cross-references these directional movements with dictionary word profiles, the researchers reckon they can get something like 75% password-guessing accuracy. Of course, there are qualifying factors such as an attacker needing to be in on the call in the first place, by invite or other means, and the quality of video needs to be high enough for the software to do what it does. The upper accuracy rates themselves were only attainable with controlled parameters, including the chairs, webcams and keyboards being used.

Out of key

Am I worried about something like this being exploited in the real world now? Heck no. But it does serve to reinforce why complex and random, non-dictionary, passwords should be the good security baseline. Ditto when it comes to using 2FA as an additional barrier to nefarious entry, should login credentials get compromised.

It’s not just movement that can unlock your security keys: sound has also been used by security researchers in a quite literal way. I’m always explaining to people that solid security hygiene requires a holistic approach with 360° of thinking. Securing your data is more than a software issue, it demands a broader grasp of risk than locking down hardware and software. People are as important as processes, and ignoring the physical aspects of your security posture is asking for trouble.

How much emphasis do you put on the locks that prevent attackers from gaining access to your offices, for example? I recently performed a Twitter straw poll that asked security professionals if they would use a smart lock: of the 549 that responded, some 400 of them told me to get in the sea. This doesn’t mean that a “dumb” lock is off the radar for hackers, as another piece of research I uncovered reveals. The researchers, from the National University of Singapore, created an attack model that allowed them to create a physical key template just from listening to the sounds made when it’s being inserted into a lock.

Called SpiKey, because who can resist an obvious pun, the model can reduce the number of key templates that will open any given lock from a base of 330,000 down to just three. This is accomplished by using a smartphone app recording the sounds made as the key moves past the various tumbler pins in the lock, and measuring the time between tumbler pin clicks. The application reverse-engineers the key from these sounds and measurements, determining the fine-grained biting depths of the key itself. This is quite a feat considering that these differences can be as little as 0.381mm.

Without getting into the mechanics of this in more detail, it’s another attack methodology that comes with qualifications as far as out-of-the-lab exploitation is concerned. Not least that it requires a constant speed of key insertion to be accurate; jiggling the key around a bit will likely be enough to cause problems. As, indeed, would ambient sound and the small matter of being close enough to the lock to get a clear enough recording.

Here’s the thing: these are hurdles that could be overcome in time. The researchers have been exploring the use of multiple key insertion recordings for each lock, a bit like taking multiple scans of your fingerprint to ensure the best chance of your finger being recognised when presented to the reader. The distance requirement could, potentially, be mitigated by installing malware on a target phone or even a smartwatch.

What’s the security lesson here? I’m not suggesting for a moment that your physical lock is a massive vulnerability – that would be daft. However, it does mean that rather than dismissing smart keyless locks out of hand, they could have a place – assuming we’re talking about those that aren’t connected to a network. Why replace one potential vulnerability with another?

Hoovering up conversati­ons

The final piece in this labs-based hacking research triumvirate also concerns an unlikely attack methodology: using a vacuum cleaner to record conversations. To record conversations, I should add, without requiring a microphone to be involved. Last month, I recounted how I’d made the move from Android to iOS, at least as far as my daily driver smartphone was concerned, and succumbed to the lure of an iPhone 12 Pro Max. This brings light detection and ranging, or Lidar, to the iPhone party.

What does Lidar do, other than enable you to use an app to create a proper 3D-scanned representation of your bathroom? The answer is quite a lot, but not in a visible kind of way. Lidar brings clever depth-measuring, using a grapeshot infrared dot “spray” to map out distances. It does this to good effect with low-light focusing and improved night mode photos. So, in other words, Lidar helps the already impressive iPhone 12 Pro Max camera see better in the dark. The same method of measuring reflections from a point illuminated by laser light is used as the basis of the vacuum cleaner spying hack.

Researchers from the National University of Singapore and the University of Maryland have explained how a smart robot vacuum cleaner can be hacked for eavesdropping purposes via Lidar sensors (pcpro.link/318vac).

This side-channel attack uses the Lidar sensors that the vacuum cleaner uses for mapping and moving around a room to covertly record conversations, with the researchers recording 19 hours of conversations as well as music played over a TV soundbar.

A clever repurposing of the Lidar sensors meant that vibrations within solid objects caused by sound waves could be grabbed and processed using a deep-learning algorithm with a success rate of 90% in converting the data to sound once more. More than my previous examples, the so-called “LidarPhone” exploit requires conditions outside the lab that make it far from straightforward to pull off. The vacuum cleaner would need to be compromised first, although that’s more than doable because firmware updates are all too often susceptible to vulnerabilities. On top of this, attackers will need access to the local network that the cleaner uses.

What makes this of concern is that other things use Lidar sensors. There’s the iPhone 12 Pro Max for one, self-driving cars for another. It also highlights the need to be aware of the dangers that firmware update mechanisms can present.

davey@happygeek.com

@happygeek Davey is a journalist and consultant specialising in privacy and security issues

RIGHT Attackers examine tiny shoulder movements to deduce what’s being typed

BELOW It’s not just Lidar-enabled robot vacuums that could become double agents

ABOVE The experts’ reply to my smart lock poll was clear: “get in the sea”
