A few days ago, in a tabletop exercise with a client, the subject came up of how cheap, available and open electronics and software have become. Anyone, just about anywhere, can make, purchase, or order tailored devices that do anything you’d want them to, for good or, in this case, for bad. For instance, you can go to a web forum for programmers and ask how to make your program log keystrokes, and often, for free, you’d get a quick answer or a link to one. Another example: the Pi Zero is tiny, very powerful and very cheap. It is an entire computer with connectivity and plenty of processing power, and it is only the size of two sticks of gum. Many ICs and chips have been created that do wondrous and amazing amounts of work in the most minuscule footprint. These devices are so small and so powerful that they are easily concealed and can carry out very complex tasks without being seen.
Our analysts have a propensity to look at most, if not all, items like technology and software from a dual-use perspective: what might seem like a great way to address one problem for good may be just as useful for bad. Facial recognition came up in this discussion. It would be a great use of that tech to authenticate someone entering a secure area. But what if they have a literal evil twin, an identical sibling who can also get into that area based on their face alone? Employee credential sharing happens more than you think. Foreign consultants have been found abusing card access systems: one employee leaves and hands their badge over to another person, who then enters the building and continues the work the last person was doing.
In this day and age you could be guilty by proximity: your phone is in the same area as where people were killed in separate incidents, or your phone joined a network near where something bad happened. Context is lost in most metadata, so it makes sense for the police to suspect you of the crimes; your phone was in the “right” place at the “right” time, so it may stand to reason to suspect you. Your Google Home or Alexa recorded you saying you want to hurt your boss, and if he or she ended up hurt, the police may subpoena the recordings of you saying you wished harm on your boss… the context may get lost and you become a prime suspect.
Again, this is where convenience and security are at odds. Laser beams modulated with voice commands and aimed at microphones do transfer enough signal to the mics to carry out the command. Typically no voice print, PIN or other authentication is needed. Something like this happened a few years ago when news stories aired the “OK Google” or “Alexa” wake phrases: the TV said the wake phrase, then a command, and the digital assistant carried out the command.
All of this is to say, look for us to drop some “adversarial” ideas and PoCs in this space soon :p
EDITED TO ADD: