Many of the successful cyberattacks examined by security industry specialists and the media featured social engineering as an integral component of the attack process. In a complex attack that combines technical expertise with social engineering, the latter is especially critical during the reconnaissance phase. In addition to being susceptible to social engineering, individuals often purchase less robust products: few consumer-grade devices, including home wireless routers, have sufficient security built in. Gartner projects that the number of connected devices will reach 20 billion by 2020, a figure that includes fixed devices (e.g., home appliances) and mobile devices (e.g., fitness trackers and baby cams). The software controlling device operations is frequently not accessible to consumers, so it cannot be patched to fix a vulnerability or change a default setting, which further eases the attacker's quest for access to devices inadequately protected by manufacturers.
Social engineering; rogue wireless access point; Wi-Fi; credential; phishing; man-in-the-middle; man-in-the-browser; bricking; credit card; digital pickpocketing
How attractive a target are you to a potential hacker? No offense, but as an individual, it is unlikely that you are very attractive to anyone but a low-level cyber vandal, pickpocket, or identity thief, unless you are a celebrity, politician, high-profile executive or government official, security guru, or high net worth individual (HNWI). Still, the damage and inconvenience that these opportunists can trigger is considerable. In many cases covered by security industry specialists and the media, social engineering was integrated into the attack process. In a complex attack that combines technical expertise with social engineering, the latter is most critical in the reconnaissance phase. It is here that social engineering saves the attacker time, effort, and potential harm. Talking one's way into a privileged area (whether physical or digital), for example, is typically less dangerous than physically breaking into an office or home. Breaking and entering at the physical level is detectable and carries legal consequences, and the risk of actual physical injury, as opposed to gently conning people. Combining social engineering with hacking WAPs is highly productive, substantiating the observation that "technical engineering and social engineering go hand in hand."1
Perhaps the most significant advantage to social engineering is its low cost and ease of use. It does not require deep understanding of technological tools or programming techniques, just awareness about factors that motivate human behavior and the desire to manipulate others into acting in a way that is beneficial to the social engineer. In this we are all trained as social engineers so, ostensibly, we should be able to recognize when we are being escorted down a path that might be risky. Ostensibly.
A good definition of social engineering comes from McAfee: The deliberate application of deceitful techniques designed to manipulate someone into divulging information or performing actions that may result in the release of that information.2
Psychologist Robert Cialdini categorizes the levers of influence that social engineering exploits, that is, the types of appeal to which humans are susceptible, as reciprocation, scarcity, consistency, liking, authority, and social validation.3
Reciprocation addresses the human compulsion to return a favor. You offer to hold open the office door for me because I’m carrying a heavy load, and I am inclined to ignore that you have entered the building without having to swipe your access badge.
Scarcity captures the tendency to fill a void, often of information (e.g., bogus email messages about missing account or credit payment information). An example of how information scarcity can play out is the 2011 hack of RSA, manufacturer of SecurID tokens, which are used by some of the most security-conscious organizations in the world and broadly distributed: some 40 million RSA tokens were in use in 2009, and similar software ran on some 250 million smartphones as of 2011. The hack ultimately affected many organizations and cost RSA $66 million,4 in addition to significant unpleasant publicity and questions about the cryptographic approaches used to implement multifactor authentication. The phishing email, sent to a small group of employees, carried an Excel spreadsheet with an appealing subject line: "2011 Recruitment Plans." Although RSA's email filter correctly routed the message to the recipients' junk folders, a curious employee retrieved and opened it, releasing its malicious payload: a zero-day Adobe Flash exploit embedded in the spreadsheet, which let the attackers install a version of Poison Ivy, a remote administration tool (RAT). This gave the attackers control of computers from outside the network and access to personally identifiable information (PII) and account credentials.5
Consistency refers to the human desire to make good on a promise or commitment, the intention to be trustworthy, based on the assumption that others are similarly trustworthy. My sense is that this underlies the often-noted phenomenon of an individual clicking on a link to change a password without verifying the message's source, even though that individual has just attended a security awareness training session: the lesson that the warning applied to all messages with links, even those that appear to come from a legitimate sender, has not yet sunk in. Sending such test messages after training is a useful way to evaluate whether the training achieved its goals and where gaps remain.
Liking is similar to pleasing. People are inclined to trust those they like, admire, or sympathize with, and to overshare with them; examples include Bernie Madoff, Frank Abagnale (of "Catch Me If You Can" fame, who has since spent 40-plus years working on the right side of the law with the FBI and others), and James Hogue (the "Princeton Imposter," who is still working cons, most recently in Colorado). This human frailty is frequently exploited in voice messages that urge the recipient to some course of action, such as dialing a masked for-fee phone number.
Authority is often used in phishing attacks to gain access or credentials. One example is the UPS fraud that leads the target to a legitimate page for checking shipping status, but then to a faked invoice link that triggers the download of a malicious payload. Natural credulity strengthens this particular lever, especially when the caller (or emailer) claims to be from an organization or service that the target frequents. Challenging authority can be a recommended course of action, or at least verifying the identity of the message sender or caller by calling back on a number taken from the organization's own website rather than from the message, and/or using one of the reverse 411 or email identification tools available online.
Social Validation leverages the crowd-following tendency to participate in the news being shared, ostensibly by a friend. It also takes advantage of reputation-based networks (which are, nonetheless, susceptible to hacking).
Although Cialdini does not discuss greed as a basic social engineering lever, the wish for gain is certainly a factor used in many attacks. Many people have apparently not given up the childhood belief in a fairy godmother, magic bean, or unknown yet wealthy benefactor. Social engineering techniques are a powerful adjunct to technical tools and can save money, time, and effort, and possibly avoid the detection that leads to criminal prosecution. The techniques can be used to acquire the information or credentials needed to support attacks on WAPs. They can also reduce the need for more laborious tools, like brute-force attacks against passwords.
WAPs—for example, smartphones, tablets, baby cams, fitness trackers, routers, navigation systems, clothing, household appliances—are like pores in the ubiquitously networked world we are building. And like pores, they allow signals and data in and out, some desirable, others not.
Each hacker scenario that follows indicates the apparent or asserted attack objective on the individual, the technique employed, and the impact to the victim. Included in Appendix 1 are three sample attack diagrams that indicate some possible routes for achieving a particular objective. The diagrams show a possible public WiFi compromise, spear phishing paths, and network access through medical devices.
Hacker Objective: Power play; wreak havoc by taking over a security industry analyst’s digital life
Hacker Technique: Chain reaction after single point of entry via social engineering
Victim Impact: Loss of data, especially priceless family photos; faked Twitter posts read by his approximately 131,000 followers
Wired magazine reporter Matt Honan experienced an epic hack that exposed the security flaws in Google, Amazon, and Apple ID (iCloud) policies and practices that support user convenience, but also remove digital stopgaps between applications and personally identifiable account information.6 Although he was ultimately able to recover 100% of his daughter's precious first-year-of-life baby pictures and did not suffer credit card or other financial account compromise, he did lose 25% of his files, numerous applications and account preference settings, and a week of productivity while working anxiously to learn what had happened and what, if anything, could be restored from the erased storage of his iPhone and MacBook Air. He also had to repair his Twitter account, now defaced with racial slurs and other offensive commentary, and pay more than $1600 to a data recovery firm (an investment he was happy to make).7
1. iPhone powered down by itself. When plugged in, displays setup screen.
2. iCloud password will not work. When iPhone is plugged into computer, user is informed that Gmail account information is wrong.
3. Called AppleCare. Tech did not mention an earlier call from an impersonator who claimed to have had problems getting into his Me.com email account (an address the impersonator had guessed, based on the Gmail account listed on Honan's personal web page). Impersonator was given a temporary password in spite of not knowing the security answers and providing just two pieces of readily available information: billing address and last four digits of the registered credit card.
a. Billing address available by checking “whois” on personal web domain. Alternatively, sites like Spokeo, WhitePages, and PeopleSmart are resources.
Like a self-respecting hacker with limited patience for the messiness of breaking into an office, burglarizing a home, or smashing an automobile window to obtain mobile computing devices (high-probability repositories for contact lists, user account information, and access credentials), one of the attackers involved in Honan's account compromise (known as Phobia) contacted him, in part to boast that he had used social engineering, not physical techniques, to break into the account. He had just called tech support at AppleCare and provided Honan's billing address (easily deduced from an online search of publicly available information about Honan) and the last four digits of a credit card. No brute-force password cracking or rainbow tables for reversing cryptographic hashes were needed, nor was dumpster diving for discarded bills revealing the last four digits of credit cards.
This hacker took advantage of retailer eagerness to provide a prospective customer with convenient service. By claiming to be an Amazon account holder to the Amazon representative he called, then providing easily accessible information (name, email address, billing address), he was able to “add” a credit card number to the account. For ease of use and less traceability to yourself, you can obtain “valid” credit card numbers (plus card verification value (CVV) codes) for free from a number of websites, although you might have to confirm that you will not use the number obtained for illegal purposes. (Hacker Response: “OK.”) You can also use an expired or retired credit card (your own or someone else’s) and just change the expiration date.8
Having thus established credibility with Amazon customer service, the hacker called back to say he had lost access to the account. Using the newly added credit card as validation (along with the name on the account and the billing address), you can add a new email address to the account, then request a password reset to that address. You then have access to the account and can see, in clear text, the last four digits of all credit cards associated with it.9 With this additional information you can work with trusting Apple ID tech support, answering the identity verification questions based on the last four digits of the credit card used to subscribe to the service. Once you-the-hacker have succeeded, you can remotely wipe files from the victim's iPhone and other connected Apple wireless devices, change access codes, and even alter file information or obtain credentials for purchased apps and the Apple Store.
Similar processes can be used for accessing Google accounts. Because Google integrates account sign-ons across product platforms, by compromising authentication credentials in one product all are compromised. Thus, Honan had to reconstruct his identity with Google support. This time he opted for multifactor authentication to stymie would-be hackers and also revoked connection permissions to his Google account for all apps and websites.10 He also no longer uses his Apple email as the backup contact account.
As an aside, the EMV cards, required since 1 October 2015 for compliance with revised standards from major US credit card issuers,11 are more resilient to attack for in-person transactions. In card-not-present situations, such as those associated with most wireless e-commerce activity, the embedded chip protection is irrelevant.
This attack shows that even when one “does everything right,” a person may still be hacked. Information on the phone would have been lost had the phone been stolen as opposed to having been wiped. Backing up information on a phone to another device (or to the cloud) is recommended, but few people take the time to perform this—or only start doing it after the loss of photos or other items.
Hacker Objective: Obtain account credentials and device access
Hacker Technique: Deploy a rogue WAP and hijack communication signal or compromise the legitimate wireless router
Victim Impact: Potential loss of data, credential misuse, botnet recruitment, ransomware hard drive access block
1. Opens wireless utility and scans available networks. Selects the logical network name.
2. Performs usual activities, for example, online banking, medical record check, e-commerce purchases, remote alarm or thermostat control for home.
3. Notices computing performance degradation, multiple spam or suspicious email messages, alerts from friends about odd messages received, questionable credit charges or banking account activity, lockouts of entertainment-related applications (e.g., iTunes, Pandora, Netflix).
4. Sees evidence of tampering with baby monitors, thermostats, security alarm systems, etc.
Computing devices, like their human users, are programmed to work efficiently and take the path of least resistance (or, at least, the path that promises less battery usage and/or faster connection speed). A low-key, opportunistic attacker can set up a rogue WAP with an innocent or expected name, for example, Pablo's Danger Monkey.12 If the rogue WAP is in closer proximity or broadcasts a stronger signal to devices looking for a wireless connection, the device will likely choose that open, unprotected connection, and everything it sends is exposed unless the user takes the time to launch a VPN session. As one analyst describes the encrypted tunnel established between computing device and ISP during a VPN session:
Think about it this way: if your car pulls out of your driveway, someone can follow you and see where you are going, how long you are at your destination, and when you are coming back. With a VPN service, you are essentially driving into a closed parking garage, switching to a different car, and driving out, and no one who was originally following you knows where you went.13
Keep in mind, however, that your device is vulnerable and signals are unprotected until after the VPN is established.
Coffee shops are prized for the quality of their brew, not the security of their networks; technology investments center on finding the best-value coffee-brewing equipment. Baristas are hired for customer service skills and earn money for the shop by being out front, not in the back with whatever computing technology is available. Logically, customers should have no expectation that the technology is adequately safe for any activity that involves communicating PII, financial accounts and credentials, or intellectual property. Buying and deploying a wireless router is a low-cost approach that provides customer (dis)service unless the router is hardened: default factory settings changed, administrator accounts separated per user and monitored, encryption set to at least WPA2, and passwords, network performance, and activity metrics reviewed regularly.
A rogue WAP can be deployed that rides on the communication signals of the legitimate network and establishes a credible presence to which customers willingly connect. Another ploy is to take control of the wireless router itself if it has not been sufficiently hardened; in that case the connecting mobile device, understandably, recognizes the router as familiar and trusted. Man-in-the-middle (MITM) attacks are thus easily carried out using low-cost tools like the Hak5 WiFi Pineapple (less than $100 for a pocket-size wireless penetration testing/auditing tool).
VPNs are typically provided by businesses to their employees. Even with VPNs, employees are discouraged from performing business on public Wi-Fi hotspots, since other techniques such as “shoulder surfing” can lead to the loss of information.
One should not perform critical applications, such as banking, on unsecured WAPs. Even if a bank uses two-factor authentication, such as a PIN sent by text to a cell phone as well as an answer to a security question on your tablet, both pieces of information can end up traversing the same WAP. (Many cell phones use Wi-Fi hotspots when available to conserve data usage.) The bank's own TLS (https) session protects the content of the exchange even on a hostile WAP; what a rogue WAP can do is interpose a lookalike login page that collects the password and one-time code before relaying them, so the lock icon on the real site is no guarantee that you reached the real site.
If a public WAP requires users to log in through a captive-portal page to use the service, a hacker could configure a rogue WAP to present the victim with a lookalike page. Logging onto that page could trigger a malware download, leaving the victim's device part of a botnet or infected with ransomware.
Most operating systems will notify a user if a new Wi-Fi network is being accessed and request that the user identify how the network should be considered and used. One should always check with the “owner” of the public WAP on the proper network to be used the first time the network is accessed. A different Wi-Fi network on subsequent uses should be treated with caution and verified with the owner as to its “bona fides.”
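The "verify the network on first use, then treat any change with caution" advice above can be mechanized. The following is an added example, not code from the original chapter: a small per-SSID trust store that fingerprints the network the user verified with the venue (security mode plus the access point's BSSID) and classifies later scan results, refusing to auto-join while an open twin of a known WPA2 network is in range. The scan entries, SSIDs and MAC addresses are constructed sample data; on a real host they would come from the OS wireless utility.

```python
"""Per-SSID trust store: fingerprint a Wi-Fi network on first use, then flag
later scans where the same SSID shows up with a weaker security mode or from
an access point (BSSID) never seen before."""
from dataclasses import dataclass, field

# Security modes in order of strength. An SSID that reappears with a weaker
# mode than the one recorded is the classic evil-twin signature.
STRENGTH = {"open": 0, "wep": 1, "wpa2": 2, "wpa3": 3}


@dataclass(frozen=True)
class ScanEntry:
    ssid: str
    bssid: str          # access point MAC address
    security: str       # one of STRENGTH's keys
    signal_dbm: int     # closer to 0 is stronger


@dataclass
class Profile:
    security: str
    bssids: set = field(default_factory=set)


class WifiTrustStore:
    def __init__(self):
        self.profiles: dict[str, Profile] = {}

    def learn(self, entry: ScanEntry) -> None:
        """Record the network the user verified with the venue on first visit."""
        prof = self.profiles.setdefault(entry.ssid, Profile(entry.security))
        prof.bssids.add(entry.bssid.lower())

    def check_scan(self, scan):
        """Classify every entry of a scan; returns a list of (bssid, verdict, reason)."""
        findings = []
        for e in scan:
            prof = self.profiles.get(e.ssid)
            if prof is None:
                findings.append((e.bssid, "unknown", "SSID never verified; confirm with venue"))
            elif STRENGTH[e.security] < STRENGTH[prof.security]:
                findings.append((e.bssid, "alert",
                                 f"{e.ssid} is {e.security} but was verified as {prof.security}: possible evil twin"))
            elif e.bssid.lower() not in prof.bssids:
                findings.append((e.bssid, "warn", f"{e.ssid} from unknown AP {e.bssid}; verify before joining"))
            else:
                findings.append((e.bssid, "trusted", "matches verified fingerprint"))
        return findings

    def safe_to_join(self, scan, ssid):
        """Strongest trusted AP for the SSID, or None if anything about that SSID in
        this scan raised an alert (never auto-join while an attack is in progress)."""
        verdicts = {b: v for b, v, _ in self.check_scan(scan)}
        same = [e for e in scan if e.ssid == ssid]
        if any(verdicts[e.bssid] == "alert" for e in same):
            return None
        trusted = [e for e in same if verdicts[e.bssid] == "trusted"]
        return max(trusted, key=lambda e: e.signal_dbm, default=None)


# Constructed sample scans (made-up SSIDs and MAC addresses).
FIRST_VISIT = [ScanEntry("CoffeeShop-Guest", "aa:bb:cc:dd:ee:01", "wpa2", -62)]
SECOND_VISIT = [
    ScanEntry("CoffeeShop-Guest", "aa:bb:cc:dd:ee:01", "wpa2", -70),
    ScanEntry("CoffeeShop-Guest", "de:ad:be:ef:00:01", "open", -38),   # stronger, open, unknown AP
    ScanEntry("CoffeeShop-Guest", "aa:bb:cc:dd:ee:02", "wpa2", -65),   # unknown AP, same security
    ScanEntry("xfinitywifi", "11:22:33:44:55:66", "open", -80),
]


def demo():
    store = WifiTrustStore()
    for e in FIRST_VISIT:
        store.learn(e)
    return store.check_scan(SECOND_VISIT), store.safe_to_join(SECOND_VISIT, "CoffeeShop-Guest")


if __name__ == "__main__":
    findings, choice = demo()
    for bssid, verdict, reason in findings:
        print(f"{bssid}  {verdict:8} {reason}")
    print("auto-join:", choice)
```

The "warn" verdict is deliberately softer than "alert": a venue may legitimately add a second access point with the same SSID and security, which is why the text recommends asking the owner rather than refusing outright. A security downgrade for a known SSID, by contrast, has no benign explanation and blocks auto-join for the whole SSID, even though a trusted AP is also present.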
Hacker Objective: Obtain account credentials, corporate intellectual property, money from (often) HNWI or persons of interest
Hacker Technique: APT to compromise a high-end hotel’s wireless network and reservation system to deliver malware via P2P and other connections
Victim Impact: Loss of data, credential misuse, botnet recruitment, ransom exposure, financial and intellectual property loss
As many as 16 million people fall victim to identity theft in the United States annually, with international travelers as much as three times more likely to experience such problems. Even sophisticated travelers can be caught unawares.
"Darkhotel" is a variety of malware identified in at least 3000 targeted attacks on high-level corporate executives staying in hotels while traveling. The majority of the attacks (90%) played out in Japan, Taiwan, China, Russia, and South Korea. The security firm Kaspersky Lab, which investigated it, found this particular APT to be more sophisticated than most, combining watering hole and spear phishing techniques.
1. Logs onto the hotel network without using a VPN.
2. Receives prompt(s) to upgrade or patch common software (e.g., Adobe Flash, Google Toolbar).
3. The "updates" carry digitally signed backdoors, installed alongside the legitimate code.
These attacks are multivector. Spear phishing is apparent in that the targeted zero-day attacks appear to have been aimed at specific individuals, as if the attackers knew in advance the scheduled arrival and departure of hotel guests. The affected hotels required both last name and room number to authenticate a guest logging on; investigators therefore suspect that the hotels' reservation systems were compromised along with their wireless networks. The attackers also signed their malware with certificates whose 512-bit RSA keys had evidently been factored, so the forged signatures passed as legitimate.14
The investment required to factor a 512-bit RSA key has decreased dramatically since such a modulus was first factored in 1999: researchers from the University of Pennsylvania showed in 2015 that $75 and about four hours of compute rented by the hour from Amazon Elastic Compute Cloud (Amazon EC2) suffice.15
Key length makes a notable difference in the time needed to break a key. Attackers and ethical hackers alike can also harvest users' SSH public keys from GitHub's public API and test them for weaknesses such as short moduli.16 Legacy technology infrastructure is thus a high-opportunity attack surface: weak encryption, default or unsophisticated privileged account naming and credential protection, unpatched vulnerabilities, and expired vendor or manufacturer support.
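A practitioner auditing keys pulled from GitHub (or from a server's authorized_keys) needs to read the OpenSSH public-key line format and extract the RSA modulus length. The following is an added example, not code from the chapter or from any tool it cites: it parses the "ssh-rsa AAAA..." wire format, reports the modulus length, and applies the thresholds discussed above. The sample keys are constructed inline; their RSA "moduli" are placeholder integers of the stated bit length, not real keys, and the ed25519 point is 32 zero bytes.

```python
"""Audit OpenSSH public keys (authorized_keys / GitHub 'ssh-rsa AAAA...' lines)
for RSA moduli short enough to be factored with rented compute."""
import base64
import struct

# RSA modulus thresholds in bits. 512-bit moduli have been factored for roughly
# $75 of cloud time; 1024-bit is deprecated; 2048-bit is the current floor.
RSA_FACTORABLE = 1024
RSA_MINIMUM = 2048


def _string(b: bytes) -> bytes:
    """SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    """SSH 'mpint': two's-complement big-endian integer, zero-padded if the top bit is set."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:
        b = b"\x00" + b
    return _string(b)


def _read_string(blob: bytes, off: int):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def encode_key(keytype: str, *fields: bytes) -> str:
    """Build a public-key line from wire-format fields. Used here only to construct
    sample input; real keys come from ssh-keygen or the GitHub API."""
    blob = _string(keytype.encode()) + b"".join(fields)
    return f"{keytype} {base64.b64encode(blob).decode()} sample@example"


def audit_key(line: str):
    """Return (keytype, key_bits, verdict) for one public-key line."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != keytype:
        return keytype, 0, "malformed: blob type does not match line type"
    if keytype == "ssh-rsa":
        _e, off = _read_string(blob, off)          # public exponent (unused here)
        n_bytes, _ = _read_string(blob, off)       # modulus
        bits = int.from_bytes(n_bytes, "big").bit_length()
        if bits < RSA_FACTORABLE:
            verdict = "weak: factorable with rented compute"
        elif bits < RSA_MINIMUM:
            verdict = "deprecated: below 2048-bit floor"
        else:
            verdict = "ok"
        return keytype, bits, verdict
    if keytype == "ssh-ed25519":
        return keytype, 256, "ok"                  # fixed-size curve key
    return keytype, 0, "unreviewed key type"


def audit_keys(lines):
    return [audit_key(ln) for ln in lines if ln.strip() and not ln.startswith("#")]


# Constructed sample keys (placeholder moduli, NOT real RSA keys).
SAMPLE_KEYS = [
    encode_key("ssh-rsa", _mpint(65537), _mpint((1 << 511) | 1)),    # 512-bit modulus
    encode_key("ssh-rsa", _mpint(65537), _mpint((1 << 1023) | 1)),   # 1024-bit modulus
    encode_key("ssh-rsa", _mpint(65537), _mpint((1 << 2047) | 1)),   # 2048-bit modulus
    encode_key("ssh-ed25519", _string(bytes(32))),
]

if __name__ == "__main__":
    for keytype, bits, verdict in audit_keys(SAMPLE_KEYS):
        print(f"{keytype:12} {bits:5}  {verdict}")
```

The same check is what `ssh-keygen -l -f <file>` reports as the key's bit length; the point of writing it out is that the modulus length is right there in the public blob, so anyone who can fetch a user's keys from the API can triage them for factoring at no cost.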
As with other near field communication (NFC) devices like chip-enabled credit cards, passports are a potential source of compromise. Almost all US passports issued since October 2006 are embedded with passive RFID chips (the US Department of State's initial plan was for active RFID chips) that contain useful PII: name, nationality, sex, date of birth, place of birth, a digitized photo, and soon, digitized biometric data. Other nations have followed suit, in keeping with the UN's International Civil Aviation Organization standards. Hackers can use NFC readers to obtain information from the RFID chips; the shielded passport cover and the Basic Access Control key derived from the printed machine-readable zone offer some protection, and RFID-blocking sleeves, wallets, and other containers can reinforce it.17 (An added advantage of such protective mechanisms is that they protect your hotel room magstripe card from accidental degaussing even if it shares a jacket pocket or purse with your smartphone.) Of course, the do-it-yourself approach is always cost-effective: wrapping your passport and credit card in aluminum foil means "game over" for malicious card readers.
Many companies provide loaner tablets or PCs for employees traveling overseas. These devices carry the latest security updates, connect with corporate offices over a secure VPN (keyed with at least 1024-bit RSA, with 2048-bit the current recommendation), and ensure that all functions are "performed in the cloud," with no information allowed to be stored on the device. After the employee returns to the United States, the device is checked to see what malware has been loaded onto it, to understand what additional security functions are needed. The device is then wiped and re-imaged for future travel use.
The US Government’s Secure Mobile Computing initiative is based on the premise that a secure mobile device cannot have both secure and nonsecure connections. The secure devices are provisioned so that only one connection is made to an agency’s portal and that that connection is secured in a VPN tunnel. The agency portal is responsible for managing connectivity to resources on the Internet.
It is only a matter of time before one or both of the above approaches become “best practices” for industry.
Hacker Objective: Credential theft for financial gain; signal access for surveillance, botnet activities, entertainment, man-in-the-browser access
Hacker Technique: Use under-protected, networked, wireless devices as a pivot point (entry) to information repositories, other devices, and communications routers
Victim Impact: Botnet recruitment, device bricking, loss of data, credential misuse, ransomware exposure, burglary, stalking
Each interconnected consumer gadget with inadequate protection creates a new surface for attack in a kind of smart-device-meets-dumb-user dance: picture an evil and competent Inspector Gadget cyborg19 that can extend his reach into your pocket, your kitchen appliance, your baby’s crib. Although cyber-pranks like hacking into a refrigerator to play with the temperature setting or food replenishment schedule are trivial, using that entry point to gain access to other devices connected through the same home-based infrastructure is not. Because the information gathered by such devices seems incidental, it is easy to dismiss the potential for combining that information, perhaps with publicly shared information communicated over social media networks, to form the basis for carefully designed attacks deployed digitally or physically.
Gartner research analyst Earl Perkins explains it well: “If I look at my home as a bubble, the threat opportunity increases with every hole I put in the bubble and if I’m wearing wearable technology or have video surveillance system linked via the Internet for example, I have all these points of access and that is power for people wanting to steal personal information.”20 One large-scale attack during the 2013–2014 winter holidays (when attackers are especially busy) engaged more than 100,000 common gadgets (especially wireless home routers) in a malicious email campaign that transmitted 750,000 messages. More than privacy violations are at stake, especially given the number of gadgets being connected every day: Gartner projects that the number of connected devices will reach 20 billion by 2020. The software controlling device operations is frequently not accessible by consumers, facilitating the attacker’s quest for access to devices inadequately protected by manufacturers.
Wireless consumer-grade surveillance devices like baby cams offer remote Peeping Toms insight into personal lifestyle patterns and introduce a distinctively creepy factor as familiar home and other environments are remotely and covertly switched into Panopticon-style environments.21 Researchers who tested Internet-connected baby monitors gave them failing grades on basic security dimensions: lack of encryption, default passwords, and exposed identification credentials (device serial and account numbers). Countermeasures include decoupling the monitors from the Internet and using only radio-frequency signaling, which limits interception to those in the immediate vicinity of the device and thus raises the risk to the hacker.22
Current-generation fitness trackers generally do not take advantage of the Bluetooth LE security features that mitigate MITM attacks. Rather, they happily pair with other devices, sharing login credentials and activity-tracking information with little integrity validation of the latter (i.e., the data is not tamperproof and is often transmitted as cleartext). Although fitness trackers are not considered medical devices in the United States, and their data is thus not covered by HIPAA provisions, such data is considered protected under the European Data Protection Directive. Legal issues with respect to such data serving as evidence in insurance litigation are discussed in Chapter 6, WAPs in Medical Environments.23
Other low-level nuisance attacks against individuals that may or may not carry a significant monetary damage combine social engineering and other techniques to gain access to WAPs. A few common ones are described below.
Consider the uses to which you could put your smartphone, tablet, or other mobile device if rendered useless as a communication or information device: paperweight, shim for an uneven table, plant stand, hotplate. Basically, if the device is hard-bricked, this is the brainstorming list you need because your device is dead: it will not run and is not recognized by your computer, perhaps because of a failed user effort to root the device or a successful external hacking effort against an already rooted device. A device that is soft-bricked, on the other hand is not working as it had been (e.g., bootlooping without completing initiation, crashing frequently, or failing apps).
Whether playing on individual greed ("At last! A cherished vendor who accidentally sent me a gift!") or forgetfulness ("Was I sleep-shopping online again?"), hackers have good success with bogus email and even snail-mail messages (often postcards) that encourage the recipient to open an attachment, provide credit card information, or dial a toll-free number to claim the mystery item. The messages that secretly invite you to download malicious code, give up credential information, or run up charges against your telephone number typically appear to come from a legitimate service provider: DHL, FedEx, UPS.24 Although the package-delivery variants appear more frequently during the holiday gift-giving season, rest assured that hacking season is year-round.25
Unlike the odds of successfully predicting whether you will win the Powerball lottery, the odds of successfully predicting your credit card's security code are high. Card readers that still rely on magnetic stripes (magstripes) use "unpredictable" transaction numbers ranging only from 0 to 99 (again, convenience trumps security: legacy systems remain in place even though their vulnerability is acknowledged). Given a single attempt, the likelihood of guessing the number is one in 100, hardly unpredictable, especially given the speed at which even simple computers can perform matching exercises. In addition, databases of actual credit card numbers (including scores that indicate the associated credit limit) are available online,26 as are credit card number generating tools.27 The latter also generate a CVV and expiry date. Continuing to rely on legacy magnetic stripes perpetuates known vulnerabilities that have been famously exploited in the past.
Magnetic stripe technology is limited with respect to implementing "fixes like including more complex random numbers into transactions to prevent card cloning."28 In fact, an Oklahoma State University student cloned a fake credit card for use on campus as a final project before graduation by deconstructing the pattern in the "random" 16-digit numbers assigned by the school. Of course, the same technique could be used to create fake building access credentials, potentially introducing physical as well as financial safety issues.29 Differentiating between "unique" and "predictable" has also entered into discussions about whether government agencies and security technology firms have reached agreements on sharing the algorithms that generate what are actually pseudo-random numbers. Computers follow programmed guidelines; true randomness does not.30
Credit card chips are passive and require activation by smart card readers. To skim information from these cards, specialized technology (card readers) must be purchased, so some investment is required of the would-be hacker. The investment is not onerous, however: less than $100 through online vendors. Contactless cards are a different challenge because they rely on RFID technology. European standards recommend that the RFID chips be readable at a maximum distance of 5 cm, but some are readable from further away, allowing data (e.g., card number and expiry date) to be skimmed. Given the number of transactions made annually (more than 300 million in 2014),31 illicit wireless access to card data is attractive, especially if merchants do not verify cardholder name and address information.32
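The "credit card number generating tools" mentioned above exploit one piece of arithmetic: the Luhn check digit that every card number carries. The following is an added example, not code from the chapter: a Luhn validator alongside the generator trick (a random body behind an issuer prefix plus a computed check digit), which shows why a number that passes a merchant's front-end check proves nothing about a real account. The test number 4111111111111111 is the widely published Visa test value; the prefix "4" used in the generator is an assumption for illustration.

```python
"""Luhn check-digit arithmetic: why 'valid' numbers from generator sites pass a
merchant's front-end format check while proving nothing about a real account."""
import secrets


def luhn_checksum(digits: str) -> int:
    """Luhn sum mod 10 over a digit string, doubling every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10


def luhn_valid(pan: str) -> bool:
    """True if the primary account number is all digits and its Luhn sum is 0 mod 10.
    This catches typos and transpositions; it says nothing about whether the account exists."""
    pan = pan.replace(" ", "")
    return pan.isdigit() and 12 <= len(pan) <= 19 and luhn_checksum(pan) == 0


def luhn_check_digit(body: str) -> str:
    """The single digit that makes body + digit Luhn-valid."""
    return str((10 - luhn_checksum(body + "0")) % 10)


def generate_luhn_valid(prefix: str, length: int = 16) -> str:
    """What the 'generator' sites do: random digits behind an issuer prefix, then a
    check digit. Arithmetically valid, and almost certainly not an issued account."""
    n_random = length - len(prefix) - 1
    body = prefix + "".join(str(secrets.randbelow(10)) for _ in range(n_random))
    return body + luhn_check_digit(body)


if __name__ == "__main__":
    for pan in ("4111 1111 1111 1111", "4111111111111112", generate_luhn_valid("4")):
        print(pan, "->", "Luhn-valid" if luhn_valid(pan) else "invalid")
```

Two caveats for anyone relying on this check. First, for a 16-digit number with a fixed 6-digit issuer prefix the generator has 10^9 valid bodies to choose from, so Luhn validity filters out fat-fingered entries, not fraud. Second, the CVV/CVC printed on a card is computed by the issuer under secret keys from the account number, expiry date and service code; a generator site that hands out a "CVV" is inventing it, and only the issuer's authorization response can confirm one.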
One should consider the benefits and risks of attaching devices to the Internet. (Why attach an Internet-enabled refrigerator to the Internet if one has to input the items placed into and taken out of the refrigerator for the software to work properly? Do the devices need to be continually on the network, or only when a software patch is needed?) Securing the IoT is a business opportunity for home security companies to expand their service menu: ensuring that IoT home devices connect to a WAP using a security protocol, creating white lists (permitted connections) and black lists (prohibited connections) for IoT devices and Internet services, possibly keeping track of communications and sessions between devices and the Internet to distinguish permitted from "rogue" sessions, and so on. This will require upgrading current "minimally secure" home routers and firewalls to "industrial strength" routers and firewalls.
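The per-device allow-list and rogue-session tracking described above reduce to a simple policy check over connection records. The following is an added example, not code from the chapter or from any product: each enrolled device (identified by MAC address) is allowed only the destinations its function needs, and every other observed flow is reported with a reason. The device names, MAC addresses, destination addresses (from the documentation ranges) and flow records are all constructed sample data; on a real home gateway the flows would come from the router's connection log or NetFlow export.

```python
"""Per-device egress allow-list for a home IoT segment: a device may talk only
to the destinations its function needs; anything else is a rogue session."""
from ipaddress import ip_address, ip_network

# Constructed policy: device MAC -> name and allowed (network, port) pairs.
POLICY = {
    "b8:27:eb:00:00:01": {"name": "thermostat",
                          "allow": [(ip_network("203.0.113.0/24"), 443)]},   # vendor cloud only
    "00:1a:22:00:00:02": {"name": "baby-cam",
                          "allow": [(ip_network("192.168.10.0/24"), 554)]},  # LAN streaming only
}
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def permitted(mac: str, dst_ip: str, dst_port: int) -> bool:
    """True only if the device is enrolled and the destination/port is on its allow-list."""
    dev = POLICY.get(mac.lower())
    if dev is None:
        return False
    ip = ip_address(dst_ip)
    return any(ip in net and dst_port == port for net, port in dev["allow"])


def classify(mac: str, dst_ip: str, dst_port: int) -> str:
    """Reason string for a flow that failed the allow-list."""
    if mac.lower() not in POLICY:
        return "device not enrolled"
    is_private = any(ip_address(dst_ip) in n for n in PRIVATE)
    if not is_private and dst_port == 25:
        return "outbound SMTP from an appliance: spam relay / botnet signature"
    if not is_private:
        return "unexpected Internet destination: possible exfiltration or C2"
    return "unexpected LAN destination: possible lateral movement"


def audit_flows(flows):
    """flows: iterable of (mac, dst_ip, dst_port, bytes). Returns rogue flows with reasons."""
    rogue = []
    for mac, dst, port, nbytes in flows:
        if permitted(mac, dst, port):
            continue
        name = POLICY.get(mac.lower(), {}).get("name", "UNKNOWN")
        rogue.append((name, dst, port, nbytes, classify(mac, dst, port)))
    return rogue


# Constructed sample flow records: (device MAC, destination IP, destination port, bytes).
SAMPLE_FLOWS = [
    ("b8:27:eb:00:00:01", "203.0.113.10", 443, 4096),      # thermostat to its cloud: ok
    ("00:1a:22:00:00:02", "192.168.10.5", 554, 900000),    # cam streaming to a phone on the LAN: ok
    ("00:1a:22:00:00:02", "198.51.100.7", 443, 120000),    # cam uploading to the Internet: rogue
    ("b8:27:eb:00:00:01", "198.51.100.25", 25, 3000),      # thermostat sending mail: botnet
    ("00:1a:22:00:00:02", "192.168.10.1", 22, 200),        # cam probing the router's SSH: rogue
    ("aa:aa:aa:aa:aa:aa", "203.0.113.10", 443, 10),        # device nobody enrolled
]

if __name__ == "__main__":
    for name, dst, port, nbytes, reason in audit_flows(SAMPLE_FLOWS):
        print(f"{name:10} -> {dst}:{port} ({nbytes} B): {reason}")
```

The default-deny shape matters: an allow-list keyed on what each device is for stays valid when new attacker infrastructure appears, whereas a block list of known-bad addresses is always a step behind. Enforcement on a real gateway means turning each allow entry into a firewall rule on the IoT VLAN and logging the drops, which is exactly the upgrade from a "minimally secure" home router that the text anticipates.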
With the adoption of IoT for commercial spaces—in smart buildings, for example—making mischief through WAPs moves from the individual to the wholesale level. The broadly publicized compromise of retailer Target’s consumer data, accessed through a networked pathway between an HVAC service provider and Target corporate systems, illustrated dramatically the importance of supply chain security. Chapter 5, WAPs in Commercial and Industrial Contexts, explores WAP hacking opportunities in commercial and industrial spaces.