Pavement hacking: What it is and how to avoid it
Pavement hacking is still a very real problem for complacent companies, especially at the smaller end of the business scale, where less thought is typically given to controlling which USB devices may be connected to company computers.
What exactly is “pavement hacking”, I hear you ask? It’s the simplest of data security penetration techniques, which relies upon that greatest of human weaknesses: curiosity.
Here’s how a typical attack works. The bad guys infect a bunch of cheap USB thumb drives with malware and then drop these memory sticks outside the offices of their target business, perhaps in the car park, even in the reception area if the criminals are feeling particularly cheeky, and don’t mind risking being caught on CCTV.
The chances are high that at least one of these drives will be picked up by someone who works at the target business, and equally high that this person will be nosey enough to plug it into their work computer to see what it contains.
The criminals will have loaded the stick with a single, interesting-looking item called something like “photos” or “personal”. The cruder versions are a real directory with the malware inside; the cleverer ones are not a directory at all but an executable or shortcut that has been given a folder icon, so that “opening” the folder is what runs the malware.
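If a stick like this does land on your desk, the safe first step is to look at it from an analysis machine rather than double-click anything. The script below is an added example written for this article, not code from the original post: it walks a mounted drive (or any directory) and flags the tricks just described, namely an executable or shortcut named like a bait folder, a double extension such as holiday.jpg.exe that hides behind Explorer's default of concealing known extensions, and an autorun.inf. The sample drive layout it builds in a temporary directory is constructed for the demonstration, and the extension and bait-name lists are an illustrative starting set rather than a complete one.

```python
"""Triage the contents of a found USB stick before anyone double-clicks it.

Added example for this article, not code from the original post. Assumptions:
the drive is mounted read-only on an isolated analysis host, and the name and
extension lists below are an illustrative starting set, not a complete one.
"""
from __future__ import annotations
import os
import tempfile
from pathlib import Path

# Extensions that execute on double-click, or (.lnk) resolve to something that does.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs",
                   ".js", ".jse", ".wsf", ".hta", ".ps1", ".lnk"}
# Folder-like bait names from the article, plus a few obvious variants.
BAIT_NAMES = {"photos", "personal", "private", "pictures", "confidential"}


def _disguised_folder(p: Path) -> bool:
    """'photos.exe' or 'Personal.lnk' given a folder icon to pass as a directory."""
    return p.suffix.lower() in EXECUTABLE_EXTS and p.stem.strip().lower() in BAIT_NAMES


def _double_extension(p: Path) -> bool:
    """'holiday.jpg.exe' displays as 'holiday.jpg' when known extensions are hidden."""
    parts = p.name.lower().split(".")
    return len(parts) > 2 and "." + parts[-1] in EXECUTABLE_EXTS


def triage_drive(root: str) -> list[dict]:
    """Walk the tree and return {'path', 'reason'} findings, sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if name.lower() == "autorun.inf":
                findings.append({"path": rel, "reason":
                    "autorun.inf: launches a payload on insertion where autorun is still enabled"})
            elif _disguised_folder(p):
                findings.append({"path": rel, "reason":
                    f"{p.suffix.lower()} file named like a bait folder; likely runs malware when 'opened'"})
            elif _double_extension(p):
                findings.append({"path": rel, "reason":
                    "double extension hides an executable behind an image/document name"})
            elif p.suffix.lower() == ".lnk":
                findings.append({"path": rel, "reason":
                    "shortcut: inspect its target and arguments before trusting it"})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_drive(root: str) -> None:
    """Lay out a constructed imitation of a dropped drive (not from a real case)."""
    layout = {
        "photos.exe": b"MZ...",                      # executable wearing a folder icon
        "Personal.lnk": b"L\x00\x00\x00",            # shortcut wearing a folder icon
        "autorun.inf": b"[autorun]\nopen=photos.exe\n",
        "pics/holiday.jpg.exe": b"MZ...",            # double extension
        "pics/real.jpg": b"\xff\xd8\xff",            # benign decoy content
        "readme.txt": b"nothing to see here",
    }
    for rel, data in layout.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def demo() -> list[dict]:
    """Build the sample drive in a temp directory and triage it."""
    root = tempfile.mkdtemp(prefix="usb-triage-")
    build_sample_drive(root)
    return triage_drive(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}: {f['reason']}")
```

Run it against a real mount point with `triage_drive("/mnt/usb")`; the sample layout produces four findings (the disguised "folder" executable and shortcut, the double-extension file and the autorun.inf) and leaves the genuine image and text file alone. The checks are deliberately name-based: they will not catch a payload hidden inside a document, so they are a first look, not a substitute for detonating the contents in a sandbox.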
Okay, there are still some obstacles that may prevent this attack from succeeding, such as the target business having device control in place that stops unauthorised USB storage from being mounted on its computers at all.
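Even without full blocking, the minimum a firm should have is visibility: when an endpoint logs that a new external storage device appeared, was it a drive the company issued? The script below is an added example written for this article, not code from the original post. It parses a constructed, flattened key=value export of Windows Security “a new external device was recognized by the system” events (Event ID 6416), pulls the USB vendor ID, product ID and serial out of the device ID, and flags every storage device that is not on an issued-drive allowlist. The log lines, hostnames, users and allowlist are all constructed for the demonstration, and a real SIEM export will lay the fields out differently, so the regular expressions are the part you would adapt.

```python
"""Flag removable-storage insertions that are not on the issued-drive allowlist.

Added example for this article, not code from the original post. Input is a
constructed, flattened key=value export of Windows Security Event ID 6416
("a new external device was recognized by the system"); a real export will
differ in layout and the parsing below would need adjusting to match it.
"""
from __future__ import annotations
import re

# Constructed sample log, not from a real incident.
SAMPLE_LOG = r"""
2024-05-02T08:14:21Z host=WS-017 EventID=6416 DeviceID=USB\VID_0951&PID_1666\0C9D92E1C4E5 ClassName=DiskDrive DeviceName="Kingston DataTraveler 3.0 USB Device" User=CORP\jsmith
2024-05-02T08:15:03Z host=WS-017 EventID=6416 DeviceID=USB\VID_046D&PID_C52B\6&2A1B3C4D&0&1 ClassName=HIDClass DeviceName="USB Input Device" User=CORP\jsmith
2024-05-02T09:40:55Z host=WS-022 EventID=6416 DeviceID=USB\VID_0781&PID_5583\4C530001230119110262 ClassName=DiskDrive DeviceName="SanDisk Ultra Fit USB Device" User=CORP\agarcia
2024-05-02T09:41:10Z host=WS-022 EventID=4624 LogonType=2 User=CORP\agarcia
2024-05-02T11:02:37Z host=WS-031 EventID=6416 DeviceID=USB\VID_13FE&PID_4300\7&1F2E3D4C&0&2 ClassName=DiskDrive DeviceName="USB DISK 2.0 USB Device" User=CORP\tlee
"""

# Company-issued drives, keyed by (vendor id, product id, hardware serial). Constructed.
ISSUED_DRIVES = {("0951", "1666", "0C9D92E1C4E5")}
# Device classes that carry files; keyboards/mice are out of scope for this check.
STORAGE_CLASSES = {"DiskDrive", "Volume", "CDROM", "WPD"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+EventID=(?P<eid>\d+)\s+(?P<rest>.*)$")
DEVID_RE = re.compile(r"DeviceID=USB\\VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})\\(?P<inst>\S+)")
CLASS_RE = re.compile(r"ClassName=(\S+)")
NAME_RE = re.compile(r'DeviceName="([^"]*)"')
USER_RE = re.compile(r"User=(\S+)")


def _field(rx: re.Pattern, text: str) -> str:
    m = rx.search(text)
    return m.group(1) if m else ""


def parse_events(text: str) -> list[dict]:
    """Return one dict per 6416 event that carries a USB device ID."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("eid") != "6416":
            continue
        rest = m.group("rest")
        dev = DEVID_RE.search(rest)
        if not dev:
            continue
        inst = dev.group("inst")
        events.append({
            "ts": m.group("ts"),
            "host": m.group("host"),
            "user": _field(USER_RE, rest),
            "vid": dev.group("vid").upper(),
            "pid": dev.group("pid").upper(),
            # An instance id containing '&' is one Windows generated itself,
            # meaning the device reported no serial and cannot be allowlisted per unit.
            "serial": "" if "&" in inst else inst,
            "class": _field(CLASS_RE, rest),
            "name": _field(NAME_RE, rest),
        })
    return events


def flag_unauthorised(events: list[dict], issued=ISSUED_DRIVES) -> list[dict]:
    """Storage devices not matching an issued (vid, pid, serial) get a reason attached."""
    flagged = []
    for ev in events:
        if ev["class"] not in STORAGE_CLASSES:
            continue
        if ev["serial"] and (ev["vid"], ev["pid"], ev["serial"]) in issued:
            continue
        reason = ("no hardware serial reported; cannot be matched to an issued drive"
                  if not ev["serial"] else "storage device not on the issued-drive list")
        flagged.append({**ev, "reason": reason})
    return flagged


def demo() -> list[dict]:
    return flag_unauthorised(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['ts']} {f['host']} {f['user']}: {f['name']} "
              f"(VID {f['vid']} PID {f['pid']}) - {f['reason']}")
```

On the sample data the Kingston drive is on the allowlist and passes, the keyboard is ignored as non-storage, the SanDisk drive is flagged as unissued, and the no-name “USB DISK” is flagged because it reports no serial and so cannot be matched to anything the company owns. Cheap promotional sticks, the kind dropped in car parks, very often fall into that last category, which is why an allowlist keyed on serial number, rather than vendor and product alone, is the sensible default.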
The second obstacle is anti-malware protection: for the payload to run, the firm’s would need to be poorly updated or non-existent. You might imagine that this means pavement hackers are mostly wasting their time, but research suggests otherwise. Take a recent report from the US Department of Homeland Security, which ran a penetration test to find out how well US Government agencies resist pavement hacking techniques.
Apparently, 60% of the people who picked up the thumb drives plugged them in, a figure that rose to 90% for those thumb drives that deliberately bore an official US Government logo.
The testers could count how many people plugged the drives in because the payload was a simple phone-home routine that did nothing more than contact a server to report that the drive had been accessed. That those beacons got through at all shows the targets’ defences weren’t up to scratch: nothing stopped the payload from running and calling out.