Unexpected Security Breaches

Posted by Michael Bissell on Nov 2, 2018 3:52:45 PM

Hackers are extremely creative. It’s not just phishing and knocking, hackers will try every crevice, every small hole, even things you would never think of as a way into your data center. The reason you need Zero-trust security is because you never know how they’re going to slip behind the scenes and gain access to what you thought was an innocent little system.

If you just protect the edge of your network, then all someone has to do is get under the fence. Here are a few memorable ways they’ve done it:

Target Corporation's POS and the Air Conditioner
One of the biggest consumer breaches came from hackers who installed malware on the Point of Sale (POS) credit card machines in companies like Target. We’re talking the thing that controls the flow of money from the cash register to the bank, which you would think is a pretty important system – and it is.

But what Target didn’t think was a particularly critical system was the HVAC thermostat. Turns out the POS machines and the thermostats were on the same network, so when the hackers got ahold of the password for the thermostats, they gained access to the network. That network was, of course, not just for one store; it gave them access to every store, and once they were able to load their malware (which copied and reported credit card numbers and expiration dates) on one machine, they were able to upload it to all machines throughout the company.

Faxing your way to compromise
We don’t really do a lot of faxing anymore, but we end up with the feature on those All In One printers that scan, fax, print, and do OCR (optical character recognition). It was that combination of features that researchers from Check Point Software Technologies were able to exploit.

They faxed over lines of malicious code disguised as an image file to the printer, relying on the fact that no one usually checks the contents received over a fax. The file was decoded and stored in the printer's memory, which allowed the researchers to take over the machine. Then they were able to get into the rest of the company network, explore other devices, and use the fax machine connection to upload malware to those devices.

Having a Blue WiFi
Bluetooth is that thing you use to connect your phone to your car… WiFi is completely different, right? Well… not exactly. A number of enterprise WiFi access points have Bluetooth as a discovery method to allow WiFi access points to find each other and to be set up (the irony being you can’t set up a wireless access point on the WiFi because the WiFi isn’t set up yet).

While the exploit has to be done over Bluetooth, which means you need to be physically within 100 meters or so of the access point (which means a laptop in a car outside the building could do it), the access gained is pretty frightening – the thing that every other thing needs to talk to is now compromised and can spread malicious code very quietly.

The little tiny chip on the server board
And of course we know about the tiny chip that found its way onto motherboards from the manufacturing plants supplying Super Micro Computer Inc. The chip didn’t do much, because it really didn’t have to do much. It reported the details of the machine to a central location, and basically held the door open for hackers to send bits of code into the operating system.

Once the OS is compromised, all bets are off. You don’t need the little chip anymore because you now own all the big chips and network access.


At the end of the day there will always be some way for a hacker to crack open a window or slip in a back door. Whether they get friends on the inside like with the little chip, or if someone just forgot to lock a door like the HVAC thermostat, the odds of an organization truly locking down the perimeter grow smaller and smaller every day as more “things” get connected and hackers get cleverer.

The moral is, hold your code close, protect everything as close to that thing as you can, and remember, the network is already compromised.
