Pierluigi Paganini April 23, 2021

Evil Maid Attack – Weaponizing an harmless vacuum cleaner hiding within it a small Rogue Device such as a Raspberry Pi.

It is a typical day at the office. You are sitting at your desk, working hard at whatever it is that you do. The cleaning lady is also doing her job nearby, but you are too focused on your work to be disturbed by the sound of the vacuum. After stepping away to grab a coffee, you return to your desk to see that your laptop is functioning on its own – or is it? Of course, it is not, and you quickly realize that your device is under attack. But by who? Or what?

Just suck it up

That vacuum that was not disturbing you just a few minutes ago? Well, it is disturbing you now since this is the origin of the attack. Who would have thought that a vacuum cleaner would be sucking up data, too? Okay, it is not the vacuum cleaner itself performing the attack; the actual source is a small Rogue Device known as a Raspberry Pi, but the vacuum is where it is hiding.

As a hardware attack tool, the device needs to gain physical access to the target’s environment. The vacuum proves to be the perfect trojan horse; dare I say it, a trojan vacuum. Once inside and within a reasonable distance to the target endpoint, the Raspberry Pi’s wireless capability provides the attacker with remote access to the endpoint, all while sitting inside the vacuum. Worrying? Yes. But clever? Also, yes.

Trust thy neighbor?

This attack highlights two core vulnerabilities that put all organizations at risk, the first one being insiders. It is not new information that insiders pose the most significant cybersecurity risk to enterprises. With various ways in which a trusted employee can cause a cyber incident – unwittingly or not – makes the threat even more alarming.

The cleaning lady with the vacuum could be a malicious internal actor working with a colleague who executes the payload and controls the device remotely. In this scenario, the cleaner is taking advantage of her insider privileges – primarily the trust given to internal employees; she raises no security alarms.

Alternatively, as cleaning personnel are often outsourced, the woman, and her trojan vacuum, could have entered the premises as a third-party employee. Still, a cleaning lady typically does not get security alarm bells ringing.

However, the cleaner might not be malicious at all and, instead, unwittingly, or unknowingly brought the device inside the organization as a result of social engineering, which brings us to the second vulnerability.

Pretty fly for a Raspberry Pi

Hardware-based attacks require some form of physical access. Attackers often seek out cunning (or fly) social engineering techniques to implant a hardware attack tool within the target enterprise – whether by inserting it themselves or having someone else do their dirty work for them. Cybercriminals have many social engineering techniques at their disposal, depending on how they want to insert the device. A possible option is to blackmail an insider, in this case, the cleaner, and have them unwittingly bring the device inside the organization’s environment. If the perpetrator does not have any “dirt” to hold over the innocent employee, they could use additional social engineering techniques to create some dirt. Another method could be to hide the device inside the vacuum without the cleaner’s knowledge and lurk in a nearby location waiting to execute the attack. Finally, disguises can be the perfect social engineering technique to gain physical access. A large corporate entity will have thousands of employees in a single office, so an unfamiliar face is nothing new and will likely not raise questions.

Cybercriminals disguised as cleaning personnel can easily slip past physical access security measures and carry out their attack. And it is not just cleaning staff that are impersonated. Who is to say that the next maintenance man that walks into the office is actually there to fix the broken printer? Sure, he probably did repair it not to raise suspicions, but what he left behind can break more than just a printer; the entire security infrastructure is at risk.

I don’t spy with my little eye…

How, you might be wondering, could the entire security infrastructure be broken by a hardware-based attack? One might think that, although a cybercriminal can successfully infiltrate the organization, there are technical security measures in place to detect or block the attack, such as NAC and IDS. The answer is simple: a lack of complete asset visibility. The Raspberry Pi is just one of many hardware attack tools used by bad actors. When manipulated with a malicious payload, these Rogue Devices can carry out several harmful attacks such as data exfiltration, espionage, malware injection, MiTM, DDoS, and more. Rogue Devices are malicious by nature, and, more importantly, their covert characteristics allow them to slip under the radar of existing security software solutions. The Raspberry Pi, operating on the wireless USB interface, spoofs a legitimate HID through Physical Layer (L1) manipulation. Since this layer is not covered, the Raspberry Pi is recognized as the device which it is impersonating, thereby not raising any security alarms. It is such device visibility challenges that allow hardware-based attackers to enjoy great success. Without complete asset visibility, it can be almost impossible to identify the attack source, assuming the attacker makes their presence known. In this specific case, it was clear that the laptop was under attack, but what about malicious activity that goes unnoticed? If you do not even know that you are under attack, how could you even possibly begin to think about its origin?

Okay, we cannot literally see through the vacuum cleaner but, metaphorically speaking, we can. Sepio Systems’ Hardware Access Control solution (HAC-1) enables Physical Layer visibility, providing a panacea to the gap in device visibility by detecting all IT, OT and IoT devices operating across the network and peripheral infrastructure. It might not be x-ray vision in the traditional superhero way, but this is x-ray vision in the cybersecurity world. Not only are all devices visible to HAC-1, but by validating a device’s Physical Layer information, its true identity is revealed – not just what it claims to be. So, even if a malicious actor can hide their true identity, they cannot hide their device’s. The solution’s policy enforcement mechanism enables Hardware Access Control by enforcing a strict, or more granular, set of rules based on the device’s characteristics. And, importantly, HAC-1 instantly detects any devices which breach the pre-set policy, automatically instigating a mitigation process to block the device, thus preventing malicious actors from successfully carrying out an attack. With HAC-1, enterprises need not worry about detecting extremely deceptive social engineering techniques to block hardware attacks. Our x-ray vision, or Physical Layer visibility, means that no matter how a cybercriminal implants a Rogue Device within an organization, we are going to find it and block it – instantly.

About the author: Jessica Amado

Head of Cyber Research at Sepio Systems

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, vacuum)

[adrotate banner=”5″]

[adrotate banner=”13″]