Compromising mobiles, hardware and firmware - The new frontier for surveillance
The ‘quest’ for ultimate control and surveillance
Since June 2013, when the revelations of the whistleblower Edward Snowden about mass surveillance and espionage by intelligence agencies such as the NSA and GCHQ began to be disclosed, much has been said and written about this matter. Since then, several infrastructure providers, organisations and individuals have deployed strong cryptography to protect themselves and their users from potential wiretaps and eavesdropping on communications and stored data, whether professional or personal, classified, sensitive or merely ordinary information. Users’ rising demand for strong cryptography, together with the growth of the mobile user base, has driven the development of many applications aimed at ‘secure’ messaging. Adoption of these apps has been huge, and they are now widely used by end users to exchange confidential or sensitive information from their personal or corporate smartphones.
Indeed, some of these apps have advantages over traditional electronic mail, even when the mail content is encrypted. Because of the design of the SMTP protocol, e-mail messages carry some pieces of information (known as metadata) that are always sent ‘in the clear’. This metadata can be very useful to threat actors for mapping and inferring information about individuals targeted in espionage or surveillance operations. To address this problem, some of the aforementioned ‘secure’ messaging apps offer other important features beyond end-to-end cryptography, for instance: messages being stored only on the mobile devices themselves (or in the cloud only in encrypted form, with the cryptographic keys generated on the mobile); and the user’s ability to configure specific messages or chats to ‘self-destruct’ right after they have been read or after a given period of time, so that the messages are no longer available even on the mobile devices used to create or receive them.
An expected outcome of the ‘evolution’ of such messaging apps is that adversaries have adapted their TTPs (Tactics, Techniques and Procedures) accordingly. Threat actors, whether cyber criminals or nation-states, have started to develop their own ‘cyber implants’ for mobile devices, which aim to circumvent or completely bypass the protection features of the ‘secure’ messaging apps, especially the use of strong cryptography for message exchange. The surveillance software made by the notorious Italian company HackingTeam is a well-known example of implants developed to infect a wide variety of mobile platforms. Although this software was supposedly sold only to law enforcement agencies or governments of non-embargoed countries, several other threat actors and groups have also developed ‘cyber implants’ to infect and compromise mobile devices. A very good analysis [1] of such malicious software for different platforms was published by Dmitry Bestuzhev, from Kaspersky Lab, on January 20, 2016.
But the ‘quest’ for ultimate control and surveillance capabilities does not end there. Researchers and attackers are always searching for innovative TTPs to bypass current and upcoming defence mechanisms. Not surprisingly, the ‘new frontier’ for attackers is the hardware [2] and firmware of IT infrastructure, since exploiting these offers advantages over compromising traditional software. By breaching such a low-level layer, an adversary can in theory control all the layers above it and more easily evade or completely bypass anti-virus platforms and intrusion detection systems, severely undermining any security mechanism deployed. In fact, the compromise of lower-level environments can severely limit the visibility that security software and anti-malware platforms have of threats and incidents.
According to a recently published predictions report [3] from McAfee Labs, although only a small fraction of malware targets hardware or firmware vulnerabilities today, this is likely to change within a five-year horizon. Not long ago, persistent attacks were spotted against GPUs (Graphics Processing Units) and even against the firmware of hard disk drives. Malware exploiting vulnerabilities in BIOS and other firmware has also been identified. Furthermore, in the medium term, the use of such advanced malware and tools will probably not remain limited to advanced nation-state adversaries, such as intelligence and defence agencies, but will be taken up by large cyber crime groups and then by smaller rings and individuals, possibly becoming a widespread threat.
As mentioned earlier in this report, hacking the hardware or firmware of IT equipment gives an adversary much more control over infected devices. It also becomes much easier to make the breach stealthy and persistent, hampering the detection and removal of any malicious artefacts that have been deployed. It is interesting to note that, although the firmware of mobile devices is usually equivalent to a desktop operating system, it is much harder for ordinary users to completely reinstall that firmware than to format a workstation’s disk drive and install a fresh OS. Usually, the ‘restore to factory settings’ option present on most mobile operating systems clears only the user’s applications, data and cache directories, but does not erase the system areas. Persistent threats and malware that install themselves in these system partitions are therefore also much harder for ordinary users to remove. This means that compromising the firmware of mobile devices has almost the same effect (and persistence) as compromising hardware controllers, for instance the firmware of disk drives or network cards.
Recently, on January 12, a security researcher posted [4] a message on his Twitter profile showing a supposed backdoor found in the firmware of a smartphone built around a MediaTek processor. It is not clear whether this backdoor was inserted intentionally or for testing purposes, but it could be used to obtain root (i.e. administrative) privileges on affected equipment. The company said it was working on a patch, but the fix will probably require smartphone manufacturers to ship it in new firmware and only then release it to end users. This process often takes very long, or never happens at all, especially for low-end mobile devices.
The next step for an advanced adversary would probably be compromising the firmware of embedded devices, which would bring an even deeper level of persistence, as patches for such devices’ firmware are even scarcer. Beyond that, security monitoring of this equipment is usually overlooked, which means that any compromise will likely go unnoticed for longer. This kind of threat has been spotted several times over the past years, for instance in the massive compromise of SoHo and domestic broadband routers [5] and IoT [6] (Internet of Things) devices. The difference, however, is that an advanced attacker will probably try to compromise core IT equipment or assets of specific interest within the victim’s infrastructure. It is worth pointing out that hacking mobile devices also has some advantages over hacking traditional ‘motionless’ equipment: the former almost always carries additional information associated with its owner, for instance GPS coordinates, information on cell phone base stations, 2FA authentication tokens, instant messaging chats, and so on.
The consequences of a hardware or firmware compromise for an organisation depend, of course, mainly on the role played by the breached device, but also on where it sits within the corporate network. The major problem, however, was mentioned earlier in this report: traditional anti-malware platforms have difficulty detecting low-level compromises, which may render the security defences completely ineffective. It is very important to bear in mind that a successful compromise of such devices may well become an APT-like (Advanced Persistent Threat) problem that lasts for years before being detected and properly addressed.
To that end, it is strongly recommended that embedded devices and other equipment that seldom receive updates be placed on a segregated network segment or, as a last resort, on a perimeter VLAN (such as an extranet), but never on the core corporate infrastructure. Naturally, monitoring of such devices should not be overlooked either; they should undergo periodic security audits, routine patching cycles, compliance inspections, security hardening procedures and penetration tests, like any other equipment deployed on the network. In addition, it is very important to frequently check the integrity of the firmware and of the devices’ filesystems using appropriate tools.
Finally, it is worth mentioning that there are other possible defences that can protect equipment against low-level compromises, for instance ‘secure boot’ methods, trusted execution environments and other equivalent solutions. Unfortunately, these also raise the TCO (Total Cost of Ownership) while not solving the root problem permanently. It is thus recommended to deploy the traditional security mechanisms mentioned in the previous paragraph combined with monitoring and integrity checking. For mission-critical devices, the aforementioned advanced protections may also be considered.
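The firmware and filesystem integrity check recommended in the two paragraphs above, as an added Python example that is not part of the original report: it hashes each partition of a captured firmware image and compares the digests with a baseline taken from a trusted image, treating drift in the user-data partition as expected but any change in the bootloader or system partition (the areas a factory reset leaves untouched) as tampering. The partition layout, partition names and sample images are constructed for this example and do not come from any real device.

```python
import hashlib
import json
# Constructed partition layout for a tiny "firmware image": name -> (offset, length).
PARTITION_LAYOUT = {
    "bootloader": (0, 64),
    "system": (64, 128),
    "userdata": (192, 64),
}
# Partitions that change in normal use (and that a factory reset rewrites): drift is expected there.
VOLATILE_PARTITIONS = {"userdata"}

def partition_digests(image: bytes) -> dict:
    """Return a SHA-256 hex digest for every partition in the image."""
    digests = {}
    for name, (offset, length) in PARTITION_LAYOUT.items():
        chunk = image[offset:offset + length]
        if len(chunk) != length:
            raise ValueError(f"image truncated inside partition {name}")
        digests[name] = hashlib.sha256(chunk).hexdigest()
    return digests

def build_baseline(trusted_image: bytes) -> str:
    """Serialise the known-good digests (taken from a trusted image) as JSON."""
    return json.dumps(partition_digests(trusted_image), sort_keys=True)

def check_integrity(image: bytes, baseline_json: str) -> dict:
    """Compare a captured image with the baseline: {partition: 'ok' | 'changed' | 'TAMPERED'}."""
    baseline = json.loads(baseline_json)
    report = {}
    for name, digest in partition_digests(image).items():
        if baseline.get(name) == digest:
            report[name] = "ok"
        elif name in VOLATILE_PARTITIONS:
            report[name] = "changed"      # expected drift in user data
        else:
            report[name] = "TAMPERED"     # system area differs from the trusted image
    return report

def make_image(system_fill: bytes, user_fill: bytes) -> bytes:
    return b"BOOT".ljust(64, b"\0") + system_fill.ljust(128, b"\0") + user_fill.ljust(64, b"\0")

TRUSTED_IMAGE = make_image(b"clean-system", b"user-v1")          # baseline source
IMAGE_AFTER_USE = make_image(b"clean-system", b"user-v2")        # only user data changed
IMAGE_WITH_IMPLANT = make_image(b"system+implant", b"user-v2")   # system area modified

if __name__ == "__main__":
    baseline = build_baseline(TRUSTED_IMAGE)
    print(check_integrity(IMAGE_AFTER_USE, baseline))     # userdata: changed, rest ok
    print(check_integrity(IMAGE_WITH_IMPLANT, baseline))  # system: TAMPERED
```

In practice the baseline JSON would be generated once from a vendor image and stored off the device, and the check run against a fresh dump of the flash after each maintenance window.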