How a $100 Hacker Toy Could Cost You Millions

Please Note: This is the fifth article in a series.  To start from the beginning, please click here.

When you think of hacking tools, you probably think of complicated systems of expensive hardware and software. However, with the development and increased popularity of open source hardware and software, many hackers are learning to put together inexpensive tools for their dirty deeds. Before we can explore the tools they use, we need to examine why they are using open sourced software and hardware in the first place.

Open source means that it's free of any copyright or license and the design and use is free to the public. Think hacker DIY. DIY projects have risen in popularity on sites like Pinterest all across the nation because you can get virtually the same results for a fraction of the cost, plus it leaves room for creative control.  Hackers are no different. By using open source software and hardware, they save time and money. By saving time and money, they can get more in return for the data stolen. Yes, even hackers are concerned with ROI.

TOYS
We've complied a few examples of popular hacking tools that utilize open sourcing, most of which cost less than $100. 

• Rubber Duck ($43) – A rubber duck is a keystroke injection attack platform disguised as a thumb drive. It can be programed as a WiFi password grabber and auto connect to a network with Pineapple, OSX root backdoor, etc. While User Account Control (UAC) will block the code, if plug-n-play is enabled it will not; allowing hackers to record all of your keystrokes, redirect your web access, etc.
• Ubertooth ($109) – An Ubertooth is a Bluetooth transceiver that utilizes open-source hardware to launch Smurf attacks, a type of denial of service (DOS), rendering networks unusable. While DOS attacks don’t cause a direct threat to data and are regarded as mostly a nuisance, the Worldwide Infrastructure Security Reporthas shown them to be on the rise for cloud networks, 29% vs 19% the previous year, and to be “a very serious threat to business continuity and the bottom-line.”
• Software Defined Radio ($18) – Software Defined Radio (SDR) tools can vary in size and price, however this particular one looks just like a thumb drive. While it’s designed to broadcast TV on a computer, you can also listen to aircraft, emergency band, FM radio, etc. It is just a receiver but can be used to build up tohacking wireless devices, recording wireless key fob transmissions and replaying them to gain access, and more.
• WIFI Pineapple ($100) – The Pineapple weighs less than a pound and is slightly larger than a deck of cards without antennas. This means that it’s unlikely to draw a lot attention. With the Pineapple, hackers can connect to a public internet. Once they are connected, they can connect others in their vicinity to the internet by rerouting them through Pineapple, recording every keystroke they make to gather sensitive information. For this reason, individuals, for their personal and professional protection, should be educated and urged to never enter sensitive information over public internet access. 
• Raspberry Pi ($35) – Raspberry Pi is a credit-card sized computer that can be plugged into a monitor or TV, with ports for a keyboard and mouse. It has less power than a full-size computer but can still be used to run Network Attached Storage (NAS), TorrentBox, Windows for IoT, etc. As a hacking device, Raspberry Pi is a platform to build upon to create a portable hacking station and has even been featured on USA’s Mr. Robot. 

The examples above are commercial tools developed for security professionals to test their networks or to help facilitate the exploration of computer science. The likelihood of hackers using commercial products in the field is minimal. However, it’s important to understand the technology they utilize and represent.

COST
With the use of these toys, separately or in conjunction with other tools, hackers can begin to test, gather information, and infiltrate your network. If they’re successful, what could a data breach ultimately cost you?

We’ve created this handy infographic from data released by the Ponemon Institute’s 2015 Cost of Data Breach: A Global Study report.

INSIGHT
With an average organizational expense of $6.5 million dollars for each data breach, it’s important to understand even the simplest of technologies and tools available to hackers. When you understand how they intend to attack, you and your security team have the opportunity to do exactly what they would do: test your network. Probing for vulnerabilities and open access points allows you to identify areas where your security posture needs strengthening and examine processes currently in place that may need revising. 

The implications of these hacking technologies and the insights they render are important building blocks for your organization’s cybersecurity. Do you understand how your security posture stacks up compared to the threats against it? Do you have a security action plan in place? What processes would your organization follow during a cybersecurity event? Join us in addressing these questions through the examination of proper security planning and response in the next coming days.