Your smartwatch can hack high security networks

cypac1
3 days ago
3 min read

Happy Friday This week during an interaction with Homeland Security, they mentioned this new hack. Apparently, a university security researcher published some findings demonstrating how cybercriminals could use a smartwatch’s microphone to listen to ultrasonic signals to eavesdrop on nearby computers. These signals are inaudible to humans, but data can be transmitted over ultrasonic frequencies at distances of up to 30 feet at speeds of 50 bps, fast enough to transmit keystrokes, passwords and configuration files.

This is a problem because many networks are “air-gapped” which is a term used to describe systems that are physically isolated from everyday use networks. For example, a water utility might have one network for customer service computers and a completely separate one for pump controllers. If criminals were able to “hop” between those networks using something like a smartwatch, they could theoretically shut down the pumps.

The Takeaway

In reality though, pulling this off is hard. A hacker would first need physical access to a computer on the air gapped network to install malware that would start broadcasting ultrasonically when a targeted smartwatch comes within range. The attack also relies on a hacked smartwatch, so the attacker would need to steal an employee’s smartwatch, load it with malware, then return it without them noticing. In my opinion, this sounds like something out of a spy movie.

Still, it's a solid reminder that physical security is part of cybersecurity. It's worth reviewing your team’s habits and behaviors that might be exposing the company to unnecessary risk:

Don’t leave passwords in plain sight. Avoid writing down login credentials on sticky notes or whiteboards where cleaning staff, visitors, or shoulder surfers might see them. Yes, I see this all the time.
Treat your electronics like young children. Don't leave laptops, phones, or external drives with sensitive data unattended in cars, coffee shops or conference rooms. A couple of weeks back I sent out a post about some new anti-theft security measures Samsung added to their phones. Be sure to check it out.
Lock your workstation when stepping away. Get into the habit of locking your screen (Windows+L / Ctrl+Cmd+Q on macOS) when stepping away, even if it’s just to go to the bathroom.
Shred sensitive documents. Any papers with sensitive data should be cross-shredded to combat dumpster divers.
Beware of tailgating and impersonators. Challenge individuals who might try to follow you through secure doors without badging in. Your company likely has these security measures for a reason and it takes everyone to enforce them.

Your company could very well be susceptible to a security incident without someone accidentally clicking on a bad email. Have a second look at your physical security.

Walk through your office like an attacker would, then lock it down like a defender should.

Stay safe out there

-Attila

The Positivity Box

This week I had the honor of being the MC at an event for the Hong Kong Business Association of Hawaii on the topic of the Dark Web - the Dark Side of the Internet.

Many thanks to Barinna Poon for arranging the event, helping to improve awareness through education and reduce cybercrime in our community!