Your data: Stolen through PIXELS

Can't detect what you can't see, Oz hacker says

46 Reg comments Got Tips?

Kiwicon Data loss prevention has been dealt a coup de grace with the development of a client-less system that can suck corporate data through monitors.

The research, to be detailed in a proof of concept at the Kiwicon hackerfest in Wellington on Friday December 12, bypasses all detection methods, its developer says.

The attack requires only that an attacker have physical access (but not necessarily authority to access) to a target machine, and install an off-the-shelf HDMI recording device and an Arduino keyboard.

So far, there's no way to prevent it, according to Ian Lattler in conversation with El Reg.

A local security governance bod at a blue chip company subsequently told Vulture South the technique which has been upgraded from previous incarnations quietly revealed in International Computer Security Symposium left no traces for real time security systems or forensics to analyse, and requires no installation.

"The attack means data can be extracted through the screen," Latter said ahead of his presentation.

"This works on the assumption that you have access to a computer but not access to the data, and these tools allow you to take the data outside of the target systems.

"The whole point of the client-less version is that there is no indicators of compromise on the application server or QR codes."

Previous incarnations spun sensitive data into QR codes using an agent installed on the target machine allowing both the codes and the installed agent to be to be potentially detected.

He previously made available a TGXf client that generated the QR codes and Android and iOS applications that could interpret the information on mobile devices.

His latest clientless TGXf version worked by using Bash to turn data into text that was funnelled and captured through video output and turned back into its initial state using optical character recognition.

It differed Latter said from existing work including 2012 research by NeoHapsis Labs that focused on HTML5 and JavaScript encoding which depended on a web browser and required access to raw video.

Latter who had built and reviewed corporate perimeters for major companies tipped off CERT Australia and the Office of the Australian Information Commissioner to his creation warning that it could result in Privacy Act breaches of outsourcing arrangements because it allowed offshore staff to siphon sensitive data.

There was virtually nothing the office or organisations could do to prevent the attacks, however.

"If this attack was done well, you would not see the attack itself," Latter said. "What I think you'd find is a loss of effectiveness of your organisation."

Latter's proof of concept to be demonstrated at the Wellington conference used an AverMedia Game Capture II device popular with video game players to save plays, and could capture 1920x1080 at 30 frames per second to MP4. ®

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER


Keep Reading

Readers of a certain age will remember GPRS: Old insecure tech from turn of millennium still haunts 5G networks

Positive Technologies analysts less than positive about GTP

Poor, poor mobile networks. UK's comms watchdog plans to stop 'em selling locked-down handsets

First OTT apps nick their SMS revenue, now this...

BT: 'Because of the existing underlying supply of the 4G equipment, most of our 5G (NSA) so far is with Huawei'

Vodafone not happy either as telcos complain to defence sub-committee about Huawei removal woes

Better late than never... Google Chrome to kill off 'tiny' number of mobile web ads that gobble battery, CPU power

Could have done with this years ago to stave off rise of advert blockers but fine, OK, whatever, now it's coming

Who's essential right now? Medicos, of course. Food producers, natch. And in Singapore social media workers have made the list

The spicy memes must flow even under new ‘circuit breaker’ corona-crackdown

Microsoft buys Affirmed Networks to provide cloudy services for 5G network operators

Vodafone, Orange, AT&T, and Softbank are already users, will soon have Azure option

UK smacks Huawei with banhammer: Buying firm's 5G gear illegal from year's end, mobile networks ordered to rip out all next-gen kit by 2027

Country to be hit with £2bn cost, massive tech delay after firm 'materially compromised' by latest US sanctions

If you haven't potentially exposed 1000s of customers once again with networking vulns, step forward... Not so fast, Palo Alto Networks

Getting to be a real PAN in the OS

Biting the hand that feeds IT © 1998–2020