
Rogue Devices on Financial Institutions

Rogue Devices

This research note, jointly produced by TAG Cyber and Sepio, makes the case that rogue devices represent a particularly intense threat to financial institutions, and that the need for proficient cyber security in this sector is growing accordingly. Several example threats, including attacks on automated teller machines (ATMs), are used to show how rogue devices can cause negative consequences for the financial services sector as well as for other critical infrastructure sectors. The note includes detailed case studies of rogue device attack tools being used in practice.

Threats to Financial Institutions

Before getting into the details of rogue devices, it helps to highlight the security challenges in financial services. As experts know, the financial services industry is one of the most important in the world, being a primary source of economic growth and development for a country. The wide range of services offered by financial institutions makes them an essential component of any nation, and therefore a core component of national critical infrastructure.
As such, financial institutions store a substantial amount of data on their clients, including personally identifiable information (PII), which makes financial service providers a top target for bad actors. In fact, hackers target financial service firms 300% more than businesses in other industries. It is thus not unreasonable to claim that financial services organizations face billions of attempted attacks every year.

Rogue Device Threats – High Level Overview

Rogue devices are pieces of hardware, usually undetected by IT security teams, that have been maliciously tampered with by hackers to target assets on a network of interest. Rogue devices are doctored to exploit their Ethernet or USB Human Interface Device (HID) interface to accomplish an attack objective. These devices include modified peripherals such as cameras, chargers, mice, and keyboards – and since rogue implants operate at the physical layer, it is difficult for traditional security tools to detect their presence. Such covert operation makes rogue devices dangerous for security teams protecting critical assets – as is obviously the case in banks.
Rogue devices are generally manipulated to support some malicious objective. By using the hardware attack interface, bad actors increase their chances of success, since the attack can easily go undetected. Hardware implants sit on the physical layer, for example, and thus go unnoticed by existing security software solutions. Spoofed peripherals are recognized as genuine devices while executing the attack through a USB HID interface. Spoofed man-in-the-middle (MitM) network devices raise no alarms.
These devices are thus threatening because of their covert characteristics. Moreover, the attacks that these devices can carry out cause serious damage to the victim.
The range of cyber security threats that can be accomplished by rogue devices is surprisingly wide, perhaps because rogue devices are built around implants that can be designed to accomplish many types of attacks. Hackers can acquire exploit methods through the usual channels, including nation-state sponsored ones. These exploits are then coded into the doctored device with the goal of communicating with the external environment through the USB HID or Ethernet interface.
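As an added illustration of the detection problem described above (example code written for this page, not part of the Sepio/TAG Cyber note), a small Python checker that scans Linux hid-generic kernel messages for USB HID attach events. The log lines, the allowlisted vendor:product IDs and the rule set are constructed assumptions; the second rule exists precisely because, as the note says, a spoofed peripheral is recognized as genuine, so an ID allowlist alone is not enough.

```python
import re

# Constructed sample log in the style of Linux hid-generic kernel messages (not from the note).
SAMPLE_LOG = """\
hid-generic 0003:046D:C31C.0001: input,hidraw0: USB HID v1.10 Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-1/input0
hid-generic 0003:046D:C077.0002: input,hidraw1: USB HID v1.11 Mouse [Logitech USB Optical Mouse] on usb-0000:00:14.0-2/input0
hid-generic 0003:1209:0001.0003: input,hidraw2: USB HID v1.01 Keyboard [Generic HID] on usb-0000:00:14.0-3/input0
hid-generic 0003:046D:C31C.0004: input,hidraw3: USB HID v1.10 Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-4/input0
"""

# vid/pid, HID device kind, product name and the physical port (without the /inputN suffix).
HID_LINE = re.compile(
    r"hid-generic 0003:(?P<vid>[0-9A-F]{4}):(?P<pid>[0-9A-F]{4})\.\d+: .*?"
    r"USB HID v[\d.]+ (?P<kind>\w+) \[(?P<name>[^\]]*)\] on (?P<port>usb-[^/\s]+)"
)

# Hypothetical allowlist of corporate-issued peripherals as (vendor, product) IDs.
ALLOWLIST = {("046D", "C31C"), ("046D", "C077")}


def parse_hid_events(log):
    """Yield one dict per HID attach line; lines that do not match are ignored."""
    for line in log.splitlines():
        m = HID_LINE.search(line)
        if m:
            yield m.groupdict()


def detect_rogue_hid(log, allowlist=ALLOWLIST):
    """Return alert strings for HID attach events a bank endpoint should not see.

    Rule 1: vendor:product not on the allowlist.
    Rule 2: a keyboard appears on a port other than the one already holding a
            keyboard. This still fires when the implant spoofs an allowlisted ID,
            because the kernel sees a second keyboard whatever the descriptor claims.
    """
    alerts = []
    keyboard_ports = set()
    for ev in parse_hid_events(log):
        if (ev["vid"], ev["pid"]) not in allowlist:
            alerts.append(f"unknown HID {ev['vid']}:{ev['pid']} '{ev['name']}' on {ev['port']}")
        if ev["kind"] == "Keyboard":
            if keyboard_ports and ev["port"] not in keyboard_ports:
                alerts.append(f"additional keyboard '{ev['name']}' on {ev['port']}")
            keyboard_ports.add(ev["port"])
    return alerts


if __name__ == "__main__":
    for alert in detect_rogue_hid(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the checker raises three alerts: the unknown 1209:0001 device, and two additional keyboards, one of which carries a legitimate-looking Logitech ID.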
The specific types of security threats possible using rogue devices are summarized below.

Consequences of Rogue Device Threat

The threat implications of rogue devices for financial services firms can be considerable, especially when the attack is carried out by capable adversaries such as nation-state actors. While soft consequences such as reputational damage must always be expected after an attack of this type, the more tangible implications of rogue device attacks on the financial services industry are as follows:

Direct Financial Loss

When rogue device attacks target ATMs and other systems that can dispense cash immediately, the financial losses are direct and immediate. It is not difficult to imagine this being done at scale and in a manner that creates a large aggregate loss.

Indirect Financial Loss

When rogue devices are discovered and reported within a bank or other financial institution, the disclosure can have a negative impact on present and future consumer and commercial business. Even a tiny percentage hit can result in a considerable loss.

Response Costs

Preventing rogue devices is easier and cheaper than finding and addressing their consequences after an attack. The incident management costs of rogue device attacks can thus lead to considerable operating expenses to respond, report, and remediate.

Compliance Costs

Since financial service firms are regulated, the compliance costs to report, fix, and provide evidence to external entities will be considerable after a rogue device attack. Again, detection costs less than response.

October 20th, 2020