When you think about cyberthreats, what comes to mind? An extortionist announcing your doom with a dark monitor and a laughing skull? State-sponsored cyber-warriors working from a secure command post? President Trump's certain, "somebody sitting on their bed that weighs 400 pounds?"
Chances are good, your version of cyber risk involves one of the above "types" hunched over a keyboard deploying massively sophisticated malware on the networks of unsuspecting businesses and government agencies. Think again.
Forget megabreaches. We've entered the gigabreach era. The personal data of entire nations is up for grabs--literally: Ecuador, Bulgaria. And the threat is not only coming from external sources. There are smaller things to worry about, and they are in your office right now.
Ever notice that some phone chargers work better than others? That's because they're devices. Some are built better than others, and both charge devices and move data faster than inferior specimens.
The O.MG cable looks like a standard iPhone/iDevice "lightning" cable, but it contains a tiny Wi-Fi transmitter that allows a remote user to take control of a connected computer.
If that sounds exotic to you, be advised that the O.MG device (it bears repeating: a cable is a transmission device) could already be in your office. There has been limited availability since its successful debut at this year's DefCon, the white hat hacker conference, and this nefarious little hacking gadget will soon be for sale on the web.
Why it matters: If you happen to be in an office, look around and take note of how many co-workers are using their workstations to charge their phones. Yup, it's a nightmare waiting to happen.
The danger in this realm of peripheral devices isn't limited to 007-style hacking tools disguised as everyday items.
The constant increase and improvement of transfer speeds with conventional cables and other USB devices means increased cyberthreats.
The recently greenlit USB4 standard allows for transfer speeds of up to 40Gbps, meaning that anyone with access to a computer, even for a short period of time, could potentially pilfer large amounts of data quickly and discreetly.
When it comes to your office's attackable surface, printers hold a special place. They're typically internet- and network-connected. They store a stealable version of what they've recently printed. And, generally speaking, the most affordable (and thus most commonly used) models have minimal built-in security.
Printers are often leased and returned with the data they store intact--not wiped clean. For smaller companies using even cheaper models, older machines are simply "disposed of." Sold off for surplus, donated to a charity, or returned to the leasing company, and yes, still brimming with data. Anyone with access to these jettisoned machines will be able to recover a treasure trove of sensitive data on their built-in storage.
The threat posed by office printers isn't simply limited to businesses. Employees use them to print out personal information--including tax information and medical records, which makes them a vector for personal identity theft. Given that the average worker's identity incident costs businesses 100-200 hours of lost productivity, a compromised printer should be granted supreme risk status. It's that serious.
Wireless network access is ubiquitous, but the same technology that makes it possible for employees to bring laptops to conference rooms to stay online also means anyone within range can access data moving on the network.
To get a sense of how poorly protected most WiFi networks are, consider Pwnagotchi, a device that combines 90s-era nostalgia for virtual pets with a powerful hacking tool that costs less than $100 to assemble. Using a low-powered Raspberry Pi computer, the pocket-sized Pwnagotchi either passively sniffs out or cracks WiFi network passwords and has the capacity to do this more efficiently with every network it manages to compromise.
The Pwnagotchi device is not as widespread as the virtual pets that inspired its design. But it underscores the reality that WiFi security is often something that a hobbyist's toy can crack--and yes, we're too often talking about the exact same kinds of encryption that businesses use to protect their data.
What Does This Mean for Us?
Effective cybersecurity for businesses is a daunting proposition. Every day seems to bring a new strain of ransomware, a new software vulnerability, and new potential for extinction-level data breaches. Even large-scale enterprise is at risk.
Highlighting these vectors of risk is not about pointing a flashlight under my chin or spinning a scary story. I want to drive the point home that any business wishing to take cybersecurity seriously needs to look at the whole chessboard.
Every entry point to data in an office is a potential vulnerability, and what are commonly thought to be cheap and disposable accessories are no exception.