For various reasons, many executives and senior team members who hold privileged status on the network and/or access to financial assets often need to access corporate IT systems from a public place outside the office. Such places are very commonly covered by security cameras. These devices are a must-have for businesses protecting themselves against burglars, but they do not always work in favor of the privacy or digital security of visitors.
It’s important to recall that security cameras have changed drastically over the years. Back when security cameras were expensive and recorded low-definition images, they were scarce in the popular locations commonly used for casual meetings. But because the newest devices record high-quality images, they pose a potential threat to high-value business leaders.
Why would a coffee shop’s security cameras be a threat to the CEO who’s having a coffee while logging into their email? The answer: most visitors who enter their credentials on their smartphone or laptop are unaware that their username and password could be recorded by the security cameras. These cameras are most likely transmitting their video stream over Wi-Fi or Bluetooth back to their recording devices. In this setup, there is a high probability that the cameras and recording devices are themselves connected to the same public Wi-Fi router the business uses to provide its customers with free Wi-Fi. Unfortunately, cracking a Wi-Fi connection isn’t always that difficult, as we saw with the KRACK vulnerability less than two years back. An adversary could use that connection to gain access to the video stream in real time and mount an immediate attack by focusing in on the targeted executive and capturing what they’re doing on their device.
Once usernames, static or one-time passwords, tokens and other types of knowledge-based secrets are revealed, the attacker could save and reuse them to try to authenticate to the protected service and, ultimately, exfiltrate valuable confidential business information or sensitive private information. The most lucrative targets for a potential attacker would be executives and other high-value people, since they have access to privileged information that can turn someone into a millionaire overnight (imagine the value of internal information about tomorrow's quarterly report of a big stock-market-listed company) or ruin their company's image.
But I Have 2FA!
Two-factor authentication (2FA) has been adopted more widely in the last few years. It has definitely helped prevent a lot of data breaches by injecting another verification step into the login process. But even when it is available as a ready feature, not everyone enables it. In fact, this failure to activate 2FA has traditionally been the single reason for a successful breach. But most popular 2FA deployments could not break the kill chain of the described attack if the targeted person simply reads yet another code from their phone (e.g. an SMS message or Authenticator app) and enters it in the service login prompt: there is still a chance of a successful attack within the expiration time of this second factor, even if it is only 30 seconds.
So, What Do We Do?
The solution would be to use either certificate-based 2FA (installed on the device in advance) or physically connected 2FA (external devices that are connected to the authenticating device and automatically feed in the generated token without showing it on any screen). To strike a balance between usability and security, there’s also the option of expiring 2FA tokens more often, or of monitoring and delivering alerts in the event of multiple connections interacting with the same system. Of course, there is also the age-old recommendation that business executives be cautious about their surroundings and conceal what they type or paste when authenticating.
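The monitoring option above can be enforced where the second factor is checked. The following is an added example, not code from the original article: a verifier that accepts each 30-second code only once per user and records an alert when the same code arrives a second time. The class name, user name, secret, IP addresses and timestamp are constructed for illustration, and clock-drift tolerance is left out.

```python
import hashlib, hmac, struct

STEP = 30  # seconds a code stays valid, matching the 30-second window above


def totp(secret: bytes, t: float, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time t."""
    counter = struct.pack(">Q", int(t) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class OneTimeVerifier:
    """Accepts each time step's code once per user and reports reuse."""

    def __init__(self, secrets: dict):
        self.secrets = secrets   # user -> shared secret (constructed sample data)
        self.used = {}           # user -> (last accepted counter, source IP)
        self.alerts = []         # replay attempts, to hand to monitoring

    def verify(self, user: str, code: str, source_ip: str, now: float) -> str:
        secret = self.secrets.get(user)
        if secret is None or not hmac.compare_digest(totp(secret, now), code):
            return "rejected"
        counter = int(now) // STEP
        last = self.used.get(user)
        if last is not None and last[0] >= counter:
            # A valid code presented twice within its lifetime: refuse and alert.
            self.alerts.append({"user": user, "first_ip": last[1],
                                "replay_ip": source_ip, "time": now})
            return "replay"
        self.used[user] = (counter, source_ip)
        return "accepted"


def demo():
    secret = b"constructed-demo-secret"
    v = OneTimeVerifier({"ceo": secret})
    t0 = 1_700_000_010                      # constructed timestamp
    code = totp(secret, t0)
    first = v.verify("ceo", code, "198.51.100.7", t0)        # legitimate login
    second = v.verify("ceo", code, "203.0.113.9", t0 + 12)   # same code, 12 s later
    return first, second, v.alerts
```

With this check in place, a code that has already been used is worthless for the rest of its 30 seconds, and the second attempt leaves a record of both source addresses.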
About the Author: Krassimir Gadjokov has been an aficionado of technology since his early school years, when he built a telescope for a science fair. Later on he became fascinated by the personal computer revolution and especially software development, mastering several programming languages, operating systems, and networks. As a developer and later a system analyst in his early career, he was always fascinated by security: he automated anti-malware distribution at enterprise scale long before the vendors provided tools for it. In his more than decade-long dedicated Information Security career at a major telecom, he has specialized in application and infrastructure Security Architecture, DevSecOps, and Cyber Threat Intelligence. He has also mentored university student teams on application architecture and security at the 2017 and 2018 Steacie Library Hackfest at Toronto's York University. Krassimir holds a Master's engineering degree in Computer Technologies from the Technical University of Sofia, Bulgaria, as well as the CISSP, CPT, and CEH certifications.