I Can Steal Your Data in Less Than 10 Minutes (With a Privacy-Back Guarantee)

It’s estimated that companies and governments will spend over $124 billion dollars this year on security measures to protect your data. But with a disguise, the right piece of specialized equipment (which is basically a USB stick on steroids that I could purchase for $49.99 during a Christmas sale), and about 10 minutes, I, a 20-year old college student, can make all that security worthless.

The problem with only investing in network security measures is this: While most data today is stored in a cloud, the cloud isn’t a real place, and your data has to be stored somewhere. If I can physically touch the computer where your data is stored, I win. Think about the millions of servers that store the data about your online purchases (an adult Tinkerbell costume? Really?), the pharmacy computers that have all your medical data (you got pink eye in your 40’s? Embarrassing!), and the computers storing your Tinder message history (I’ll need therapy after reading through those.) Do you really think that I can’t get to a single one?

Imagine we have a computer system that manages drug prescriptions (which are highly confidential and legally protected) in a totally made up pharmacy called SVC. To protect prescription data, SVC pharmacies across the country employ a sophisticated firewall technology that they license from a security company for hundreds of millions of dollars a year.

Plot foiled, hacker lost, game over, right? Unfortunately not – sadly for SVC, I could walk in with a tech support uniform on, convince the pharmacy workers that their computers had an issue that I needed to check out, and plug my USB drive into their computer, compromising all the data and bypassing those fancy security networks.

Over the past decade, we’ve seen a number of cyber-hacking events in the news. Some of the highest profile incidents have involved exploiting vulnerabilities through a network (think: hacker on a computer in a dark room hundreds of miles away). Such examples include the Guccifer hack on the Democratic National Committee, the hack of former Chief of Staff John Podesta’s emails, and state sponsored industrial espionage. But while these kinds of attacks get the most news coverage, they’re not the norm. Instead, as countries and corporate entities strengthen their network security, they are increasingly leaving their physical systems – the actual computer or server on which the information is stored – vulnerable to attack.

Take the case of Stuxnet, the first digital weapon used to target Iran’s nuclear program. In this case, hackers took extreme cybersecurity measures, both network and physical measures, to get in. The facility targeted was “air gapped,” which means the facility’s network was entirely disconnected from the internet (and the rest of the world). The facility used routine security checks to ensure that scientists and workers weren’t bringing their personal laptops in, and any software brought in was sanitized and placed on special computers to avoid contaminating the network. But in the end, all it took was a few seemingly empty, but in reality, infected, memory sticks sprinkled in the parking lot outside the facility to make it through the air gap and compromise the facility. Ultimately, the firewall was broken with a 99 cent piece of plastic and metal. While we’re uncertain of how much damage it caused in total, we know that, shortly after the attack,  the Iranians decommissioned and replaced 1000 centrifuges that they were using to enrich uranium. This represented about 15% of the facilities’ enrichment capabilities, and a cost of over 20 million dollars.

Image Credit: Heartbleed Explanation from Randal Munroe’s XKCD Comic

At this point I’m sure you’re thinking something along the lines of “Alright, so if I ever decide to create a country, I’ll be extra sure to pay attention to physical cyber security. But today, I’m just going shopping. Why should I care, then?” Well, funny you should ask, my security-conscious friend – the short answer is that this isn’t just a technology used by nation states against other nation states. Given how easy it is to use this technique on lower-value targets (like SVC), it has and will continue to become a toolkit in more typical “cyber crime” hacking. (That is, hacking done by criminals for a profit rather than by countries/third parties to forward an agenda).

In 2013, consumers just like yourself were affected when credit card information held by Target was hacked. How was it done? While Target has remained vague, investigators believe that hackers gained access to the physical terminal where the information was held.

While hacking consumer credit card information for a single store isn’t the end of the world, it’s indicative of a larger problem that could be much worse depending on the circumstances of the breach. When things like medical data, sensitive messages and private pictures are all stored “in the cloud,” the physical location of that cloud becomes all the more critical.

The biggest reason average people aren’t targeted in these attacks is that it isn’t profitable. But with attacks like Heartbleed and Wannacry, the barriers to targeting individuals are decreasing. There’s no reason that this trend won’t spread, and the consequence of ignoring this is dire.

The weaknesses in the physical security of our data affects us on more than just on a personal level – through physical methods, hackers can also compromise national interests.

Consider an actor of an enemy state. You could imagine that with a little training, he or she could surmount the relatively small obstacles required to become an Amazon Web Services engineer. Once they’re in, they can gain physical access to the facilities in which Amazon stores its cloud data.

Amazon has a Level 4 Security Compliance Certification (the second highest level for declassified, but highly controlled information) from the Department of Defense. Should the data on those servers be compromised, the United States could potentially face international consequences.

In Amazon’s 33 page report entitled, “DoD-Compliant Implementations in the AWS (Amazon Web Services) Cloud,” the physical systems where the data are stored are mentioned exactly three times, with no specific discussion on how to protect them. If this enemy of the state accessed any classified government information stored on Amazon’s Systems, this would pose a massive threat to American interests, both domestically and abroad.

So, what can be done about all of this? Unfortunately, there’s not much that you alone can do – aside from maybe not inviting strange tech support people into your home. Rather, it will take a concerted effort from consumers and voters to create change. So the next time an incident comes up, write to the company that was attacked and write to your elected officials. Let them know that you want to see companies take responsibility for their own data security and that you want the government to regulate cyber security more strictly. If that happens, I just might not be able to get to your data after all.

Alexander Dean’s article is part of a collaboration between the Illinois Science Council and the University of Chicago.