As you read this article, as yourself a question; how do you really know that the device you’re reading this on is really yours? This may sound like a strange question but as users of technology, we trust that the devices we use (such as desktops, laptops, tablets and mobile phones) to work as intended and to have not been modified by anyone but the manufacturer. But this is not always the case.
Victims of cyber-crimes often overlook the lengths that attackers will go to, to obtain access to their data, and one of the most common methods is “tainted” hardware. For an attacker, replacing existing equipment with equipment which has been modified to extract data or provide remote access, without using the target’s network has a number of major advantages, the largest of which is that it’s much harder to identify by the victim.
High risk, high return
Although getting tainted hardware on site can be seen as a high risk process (law enforcement agencies tend to view trespass
and theft – by removing the untainted equipment before or the tainted hardware from site after the attack – slightly more seriously than network attacks) attackers have a number of ways of getting hardware on site. The most common method is to use an insider, often a member of staff who can be bribed or extorted, as this ensures correct placement. However, sending tainted hardware to staff under the guide of a gift or trial, as a replacement for damaged equipment or by leaving it somewhere that staff can find it (most staff can’t resist a USB stick or high end mobile phone) are also popular.
These methods may sound expensive, but they are often considerably cheaper than the value of the data that can be extracted from the target.
Difficult to identify
Unfortunately, identifying tainted hardware can be very tough. Although there are some “standard” platforms used by hackers, most hardware attacks are based on standard electronic components, making them very hard to identify. If the hardware is based on USB or network equipment, then there is a chance that device control or network monitoring systems may identify them but this can’t be guaranteed.
Control is key
Although controlling physical access to hardware is a reasonable method of preventing hardware tainting, it’s only really practical for hardware which staff don’t access directly, such as servers. Monitoring software can help, but most packages aren’t able to provide an insight into hardware such as printers, keyboards, monitors and cables.
Security labels – A simple way to gain control
What if you could positively identify hardware as belonging to your organisation so that staff could avoid anything without an identifying mark? What if it could also act as a seal to show that hardware had not been tampered with?
Security labels provide just such functionality but are often overlooked as a method of control. Made of a specialist, hard to remove, tamper evident material, any attempt to remove or re position them is instantly visible making them an ideal way of identifying equipment or sealing it’s case. When custom printed (usually with the logo and name of the owning organisation) they are very hard to replicate due to the specialist equipment needed to print them. A QR or bar code can also be added son that staff can check the validity of the label.
When placed in a prominent place on every piece of equipment (including monitors, keyboards, printers, etc. as well as systems such as desktop computer tower units or laptops) and combined with a “If it’s not marked, don’t touch it” training programme for staff, security labels provide a visual method of identifying which equipment is genuinely owned by the organisation and which isn’t. This prevents tainted hardware attacks as the hardware replaced by the hacker won’t have a label meaning that staff should be able to identify that something has changed and report it.
If the attacker has opened equipment which has already been marked, the label (if placed correctly) will be damaged, making it obvious to staff that someone has tampered with it.
Lastly, security labels can double up as asset tags, if they are printed with a unique number. This means that as well as identifying equipment as safe to use, they can also be used to track the details, location and history of each item of equipment.
A security label may cost only a few pence, but it is a cheap and highly effective way of preventing hardware based attacks.
IXCG – Making security labelling easy
At IXCG we are able to provide custom printed security labels by themselves or as part of an end-to-end solution including assessing, inventorying, labelling and training staff.