This research note, jointed produced by TAG Cyber and Sepio, makes the case that Rogue Devices represent a particularly intense threat to financial institutions. This indicates an increasing need for proficient cyber security in financial institutions. Several example threats, including to automated teller machines (ATM Jackpotting Attacks) are used to show how rogue devices can be used to create negative consequences to the financial services sector, as well as other critical infrastructure sectors. The note includes detailed case studies of rogue device attacks tools being used in practice.
Threats to Financial Institutions
Before getting into the details of rogue devices, it helps to highlight the security challenges in financial services. As experts know, the financial services industry is one of the most important in the world. Being a primary source of economic growth and development for a country. The wide range of services offered by financial institutions means that they are an essential component to any nation, thus making this a core component of national critical infrastructure.
As such, financial institutions store a substantial amount of data on its clients, including personally identifiable information (PII). This makes bad actors prioritize financial service providers as their top targets. In fact, hackers target financial service firms 300% more often than businesses in other industries. Therefore, it’s not unreasonable to assert that financial services organizations encounter billions of attempted attacks every year.
High Level Overview
Rogue devices are pieces of hardware, usually undetected by IT security teams. They have been maliciously tampered by hackers to target assets on a network of interest. Rogue devices are doctored to exploit their Ethernet or USB Human Interface Design (Bad USB) interface to accomplish an attack objective. These devices include modified peripherals such as cameras, chargers, mice, and keyboards. And since rogue implants operate at the physical layer, it is difficult for traditional security tools to detect their presence. Such covert operation makes rogue devices dangerous for security teams protecting critical assets – as one finds obviously in banks.
Rogue devices are generally manipulated to support some malicious objective. By using the hardware attack interface, bad actors increased their chances of success since the attack can easily go undetected. Hardware implants sit on the physical layer, for example, thus going unnoticed by existing security software solutions. The system will recognize spoofed peripherals as genuine devices when executing the attack through a USB HID interface. Spoofed MiTM attacks with network devices do not raise alarms.
These devices are thus threatening due to their covert characteristics. Moreover, the attacks that these devices can carry out cause serious damage to the victim.
Rogue devices can accomplish a surprisingly wide range of cybersecurity threats. This broad capability stems from the fact that rogue devices involve implants that individuals can design to execute various types of attacks. Hackers, utilizing conventional methods, acquire the knowledge of malicious exploit techniques, which may include nation-state sponsored approaches. They subsequently incorporate these exploits into manipulated devices, aiming to establish communication with the external environment via the USB HID or Ethernet interface.
Here, we provide a summary of the specific types of security threats that can be posed by rogue devices.
Consequences of Rogue Device Threat
Rogue devices can pose considerable threat implications for financial services firms, particularly when capable adversaries like nation-state actors carry out the attacks. While soft consequences such as reputation must always be expected after an attack of this type, the more tangible implications of rogue device security attacks on the financial services industry are as follows:
Direct Financial Loss
Rogue devices pose a significant threat to various systems, including ATMs, where they can be used for activities such as ATM Jackpotting. When rogue device attacks target ATMs and other systems that can dispense cash immediately, the financial losses are direct and immediate. It is not difficult to imagine this being done at scale and in a manner that creates a large aggregate loss.
Indirect Financial Loss
When a bank or another financial institution discovers and reports rogue devices, it can negatively affect present and future consumer and commercial business. Even a small percentage hit can result in a considerable loss.
Preventing is easier and cheaper than finding and addressing their consequence after an attack. The incident management costs of rogue devices attacks can thus lead to considerable operating expenses to respond, report, and remediate.
Financial service firms face considerable compliance costs when reporting, fixing, and providing evidence to external entities for rogue device attacks. Detecting these attacks will have lower compliance costs than responding to them.Download Report