James Bond style hack attacks pose no threat in the real world

Bond

A couple of years ago I was fortunate enough to be shortlisted in the Best Investigative Feature category at the BT Information Security Awards for a piece published over at Cloud Pro.

Under the rather apt title of "Cryptography attack: side-channel cloud threat is all nerd and no knickers", the article was a rather complete dismissal of yet another side-channel attack scenario that had emerged from the labs of some security researchers. The research itself was hugely interesting to a security nerd such as myself, but totally unrealistic as an attack vector outside of the carefully controlled conditions of the lab and into the real world of enterprise data storage.

As someone who has been researching, and writing about, side-channel attacks for the best part of a decade now, none of this came as any real surprise. While these attack vectors remain in the theoretical domain of the uber nerd, they are not of any great threat to the rest of us.

Sure, there have been plenty of practical demonstrations of how sounds waves or processor timing information can be used to attack crypto systems, but they all rely upon a raft of 'as long as' and 'assuming that' conditions which tend not to exist in actual use-case scenarios.

Nothing to see here then, you may think, and nothing to write about either for that matter. However, what if I were to tell you that side-channel attacks (in the broadest possible sense) were evolving into the real world realm? What if I were to suggest that maybe we do need to worry about them after all when the bad guys can destroy your device when you plug in a USB killer stick, can get at your smartphone data through the remote voice hacking of Siri/Google Now or access your network password using your smartwatch?

Don't panic, I'm not suggesting anything of the sort. In actual fact, I think the whole side-channel threat remains as overblown as always. Let me explain why, using those three examples. The smartwatch route to stealing your password is a classic example of why these side-channel type attacks are, for the most part, a complete crock.

MoLe can't even get the acronym thing right as it apparently stands for 'Motion Leaks through Smartwatch Sensors' and was a labs-based attack demonstrating how motion sensors in your smartwatch could be used to determine the keystrokes entered while typing.

In theory, it works just fine. In reality it's a total non-starter as the attack worked with a single and specific watch (Samsung Gear Live) which the target needed to be wearing on their left hand, and which the attacker had already managed to get malware installed upon. The attacker had to be wearing the exact same model watch.

Then, the victim also needed to be typing one word at a time, in valid English only, and not using a hunt and peck style of two finger typing but 'proper' typing using appropriate fingers. All of which makes it hugely unlikely that anyone would ever actually get their password hacked by this so-called smartwatch threat.

So what about the much-reported Siri or Google Now remote voice hack then? According to Wired, researchers at ANSSI, which is a French government IT security agency, have demonstrated that they can trigger voice commands on smartphones without the user knowing, and from a whole five metres away.

These commands could be used to initiate calls, send texts, turn the smartphone into an eavesdropping device by calling the number of the attacker, or perhaps install drive by malware by visiting the right URL. Sounds alarming, doesn't it? More so when the technicalities of converting electromagnetic waves into electrical signals that mimic the audio from the smartphone microphone and fool the device into thinking voice commands are being sent are revealed.

It's much less of a threat, however, when you learn that not only would the smartphone have to have Google Now or Siri commands enabled at the lockscreen (and not set to recognise the users voice) but would also require the device to have a set of headphones with a microphone plugged in. Erm, OK, maybe plenty of people meet these requirements, but what are the chances of someone with all the rather cumbersome hardware required to perform the attack, and the knowledge of how to do it, being able to find a victim which meets these requirements and is actually worth hacking? Sit back down folks, nothing to see here either.

And finally, what about those USB killer sticks that we reported on here at IT Pro when the news broke? Again, this is another 'developed by a researcher' attack mode that could easily cause havoc if allowed to escape into the real world. Actually, of the three attacks mentioned it is the least classically 'side-channel' in approach and the one most likely to succeed.

It's a simple enough concept, a USB stick that looks like any other but has been rigged to deliver a 220v charge when plugged into a laptop, a charge that is repeated until the laptop battery runs flat. In reality the motherboard would likely be fried long before the battery died. Then again, in reality, the data on that laptop should be OK as the hard drive would not be impacted by the attack. Which makes you wonder what the point of it would be, other than just causing random damage.

This is where 'reality' starts to fade away for me, because if the point was to destroy a specific device then the only way to ensure that would be to have access to the device and insert the stick yourself. If you have this access anyway then all bets are off, with or without a killer stick. If you are relying upon leaving loads of such sticks laying around an office, cafe or whatever in the hope that the right target will pick one up and insert into the right machine, then good luck with that. It seems an expensive and very haphazard way to destroy a specific device if you ask me.

This is the problem with all of these kind of 'wow factor' attacks we see reported and which seem to scare the bejesus out of folk: they are expensive, and they are too haphazard. They just don't work in the real world, and if they did then a small dose of common sense would prevent all of them. Don't use randomly found USB sticks, don't enable voice commands at the lockscreen, don't use proper English passwords. Simples...

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.