Cables and connectors targeted by hackers

Computer scientists at an international security conference announced this week a major vulnerability that targets devices like laptops and tablets. It exploits the fact that we frequently have to plug these things in, or connect them to other pieces of equipment like projectors, network cables or just the charger. What the hackers do is produce a connector that looks deceptively like the real thing but as soon as you plug it in, it sneakily hijacks your device and installs a backdoor for the criminal. Jenny Gracie went to see how...

Jenny - Now we all know in order to keep our devices safe we really shouldn't open those dodgy e-mail attachments, or click on any flashing pop-ups. But how many of us think twice about borrowing a phone charger, or even plugging into a public charging point. The ability to physically link devices is bringing about some unanticipated risks. Robert Watson, from the Cambridge Computer Laboratory, explains why these devices are so vulnerable in the first place.

Robert - So there's this pressure to try and reduce the number of plugs or sockets on individual devices. And, over time, we've tried to make them as powerful as possible so every plug has to do as many things as possible. One of the things we've seen particularly recently is a desire to combine power and data, so plugging your device in to charge it up requires the ability to communicate across the same cable. And because of performance concerns - we want to use faster and faster storage, or faster and faster networking, those interfaces have become very complicated. And one thing we do know in computer science is that as interfaces become complicated it gets harder and harder to make them correct. And when they are incorrect they're often insecure...

Jenny - So these devices are more and more vulnerable as they get more technologically advanced, and they could be hacked. What actually could be taken from the devices? 

Robert - It depends what's on the devices. You and I probably use our personal computers to make purchases, to do our online banking, to access our e-mail, maybe our health records... all of those things become available to an attacker who - to use the terminology in our discipline - "owns" your machine. What does it mean to "own" a machine? It means they can run arbitrary software on it: they can read the contents. And of course they can affect what the machine does in the future it's not just the data you have today, but the passwords you enter tomorrow or the bank information or the credit card number you enter in two or three weeks time.

Jenny -  Robert and his colleagues have been researching devices that have a physical connection, like through a power cable or an adapter, or even a USB stick. Once the team identified the vulnerabilities, they built prototype hardware to investigate how the attackers might manipulate and access them.

Robert - So if you have a USB computer, so an Apple Mac or an HP Notebook, the devices that we provide look like your everyday device you plug in: a video projector you plug in; a power cable; or an ethernet device and within a second we have ownership of your machine. Under the hood, what's happened is the computer hass said to the device "What kind of device are you?" And we as the attacker get enormous choice: we can say we're any kind of device we want to be.

The reason this is a powerful tool for the attacker is it allows the hacker to find the worst-written device driver on the computer that you're running on. So they have their choice of which piece of software to attack. There is an interaction over the cable, which declares itself as a device. It accesses some memory it's not supposed to in a way that it's not supposed to. And from that point onwards it has ownership of the machine. When we give a demonstration, a window pops up on the screen giving you access to the machine to allow you to do what you want to do what without entering a password. But attackers have a lot more choices. It could silently compromise your machine and appear to perform all the functions it's supposed to, it could charge your notebook, or display something on the screen, and you might only later find out or perhaps never find out the machine was compromised. And, of course, the software that they install might continue to operate long after you unplug the device. So there is the opportunity for the attacker to dial home in the future to return some confidential data, or maybe run some other payload that they provide later: ransomware for example...

Jenny - That's terrifying thoughts there. It's scary to think that something as innocent as a projector could gain control over computers by masking an ulterior motive. I then asked Robert if they have to think like a hacker in order to test their work?

Robert - We have to think about the limits of the system and try to push a bit beyond them. The goal is to challenge the assumptions made by the legitimate author of the software they have made assumptions about the trustworthiness of communications or memory access or protocols. By pushing on those boundaries, we often find bugs; and bugs are sometimes - and in this case significantly so - vulnerabilities.

Jenny - The team work closely with tech giants like Apple Microsoft and Google to help find solutions to these vulnerabilities. For the system developers, te best protection would be to engineer the device drivers to higher standards and rigorously test them for this new class of vulnerabilities. But what about device users? Well just because you have antivirus software, that doesn't mean you're safe. These protective systems can be bypassed and your security still compromised. In that case, how can we be safe?

Robert - And the best advice to users is, please install the updates provided by Microsoft and Apple and others: they are available already. We have worked with these vendors for quite a while to try and ensure the updates address the problems that we've been encountering, and we hope that they will at least limit the opportunity for future attacks and limit the known vulnerabilities. Sadly, the terrible advice we always give people about not opening attachments they receive from people they don't know, it's probably time to start feeling that way about devices from people they don't know as well...