Is your computer bugging you? [Q&A]
Data leaks due to security flaws and hacker activity constantly make the news, but they're not the only ones that businesses have to worry about. Leaks can stem from employee or industrial espionage activity too, and of course there's always government snooping.
Whilst larger businesses with sensitive data or intellectual property to protect often check for old-style surveillance, they may not be as aware of the potential for PCs and other gadgets to gather intelligence as well as leak data. We spoke to Andre Ross, Director of Australian digital forensics and information security company Elvidence, to find out how businesses may be at risk and what they can do to combat it.
BN: Why isn't a conventional TSCM (Technical Surveillance Counter Measures) bug sweep enough any more?
AR: Whilst an experienced TSCM specialist is capable of detecting a phone tap, radio frequency (RF) bug or candid video recording devices, he/she is helpless with Bluetooth or Wi-Fi devices or transmissions. The latest and greatest spectrum analysers can detect the source of Bluetooth or Wi-Fi transmissions, but the operator is unable to tell the difference between the legitimate or rogue transmission devices or communications.
Most commercial TSCM operators are helpless when dealing with computer devices and networks. Planting a bug requires physical access to secure premises. Infecting a computer with malware that turns any computer into a listening or video recording device can safely be done from a remote location.
BN: How easy is it to turn a PC into a bugging device?
AR: Not only PCs, but telephones, other computers, smartphones, and other network-connected devices with built in microphones. All of these can surreptitiously be turned into listening devices by compromising their operating software.
On a PC there are a number of ways of achieving this, starting from luring the unsuspecting user to a trivial clickable link, leading to installation of malicious software. Or it could be done by sending a payload hidden in Microsoft Office or Adobe Acrobat documents as an email attachment from an address appearing to be within the same company. It can also be done by infecting USB peripherals with BadUSB and dropping a few during an office visit.
Another example is when a Chrome user visits a website that uses speech recognition to offer voice control or other cool functionality, the site asks the user for permission to use his microphone. The site remembers this decision (standard behavior for HTTPS sites) so it can now turn the mic on and start listening without asking for permission again. While Chrome displays a clear notice in the browser that speech recognition is on, a malicious or compromised site may have opened another hidden pop-under browser window. The user can stop the speech recognition on the front window, but the hidden windows would keep speech recognition on and continue to listen in.
Office telephones can be bugged too. Before Cisco released a software update to its Unified IP Phones 7900 Series -- found in many corporate offices -- these phones could be exploited by gaining physical access to the device or remotely via SSH. After executing malicious code the phones could be turned into listening devices. Many phones still run on a vulnerable version of software even though an update fixing the issue was released in November 2014.
Smartphone apps Shazam, Color, Shopkick and many others are capable of automatically activating the microphone in Android or iPhone devices. These apps gather contextual information such as music, ambient noise or even sounds inaudible to humans generated by other devices. Android smartphones that have lesser app quality control and jailbroken iPhones can have such modified or "dual-purpose" apps installed without the user having knowledge of their true nature. BYO devices are commonplace and having one such smartphone in a meeting room is enough for business security to be compromised.
BN: How hard is it, and is specialist knowledge required, to detect that a computer is being used in this way?
AR: It is very hard for an ordinary user or even TSCM operator to detect such devices. A typical computer forensic specialist may also struggle to identify these zombies. It requires a good knowledge of network forensics, memory forensics and malware detection as well as skills in the area of information systems security. An experienced and knowledgeable forensic professional knows where to look for tell-tale signs and can effectively detect sources of information leaks.
BN: Is there an overlap between this type of surveillance and malware that attempts to steal data from individual machines or corporate networks?
AR: These are close relatives and use the same attack vectors to achieve the same goals, that is to steal valuable information.
BN: What's the best way for businesses to protect themselves from computer eavesdropping?
AR: To follow best Information Security practices, keep the devices up-to-date and of course perform regular (TSCM) bug sweeps in conjunction with IT security audits, ideally performed by an experienced computer forensic specialist. Some TSCM operators are starting to offer joint IT security audits and bug sweeps performed simultaneously to deliver better results.
BN: Should we just accept that surveillance is now a fact of life and if something is really confidential we should maybe keep it on paper?
AR: Surveillance is a fact of life. But that doesn't mean that we should limit ourselves from using modern technology. That would be shooting ourselves in the foot. Technology is an enabler for businesses and organizations. When thinking about information security, confidentiality and privacy, we should always remember The Frog in the Milk Pail.