Through Glass Transfer: A New Protocol Designed to Cause Headaches for the CISO
By Richard Stiennon
Today at the COSAC 21st International Computer Security Symposium and SABSA World Congress in Naas, Ireland, a researcher demonstrated a protocol he had devised that automates the transfer of data from any display to devices such as smartphones.
COSAC is one of the longest running computer security conferences. This year it drew 60 security experts from around the world to discuss pressing issues and new developments in a congenial environment.
Presenting at COSAC is often fraught with stress for first-time attendees, as they are frequently interrupted and must be prepared to address all objections, conjectures, and random observations from an eclectic crowd of very smart people.
Ian Latter presented his body of work today on two protocols he had created that effectively demonstrate the futility of 100% data leak prevention (DLP). The fact that critical data is ultimately displayed on a screen has long been the one open hole in DLP.
While solutions exist to detect critical data traversing the network or leaving the data center, or to control the attachment of USB storage devices (à la Snowden's thumb drives or Manning's CD drive), there has always been the possibility that a trusted employee or contractor could simply snap pictures of the display and walk out of the building with critical information.
But a lot of data is most useful in its native file format: software code, spreadsheets with embedded calculations, and so on. Latter's new technique, in his words, treats the computer display like a bundle of fiber optic cable, with each pixel representing one strand of data transfer capability.
Latter, an independent researcher, has written, and made available on his website, a very simple client agent that, once installed, converts files into a series of QR codes that are displayed in a video-style sequence (ThruGlassXfer (TGXf)). He has also made available an application for iPhone and Android that reads those QR codes and translates them back into the original file.
Armed with the app, you can download a PDF by pointing your smartphone camera at this video:
Thinking further about how to get his client agent onto a target machine that is probably well protected, Latter devised another protocol (ThruKeyboardXfer (TKXf)), which can be used to install software from a small USB device that emulates a keyboard.
By combining the two, Latter demonstrated that a remote worker could easily gain access to and transfer any data that the user has permission to see. The use of exploit kits could extend that capability, but might trigger the protections the enterprise has deployed.
Latter explains that there is a fundamental risk, especially with remote or outsourced workers, that has not been addressed by security architectures. By releasing his code and a 200-page paper on his research, he hopes to highlight that risk and spark discussion of how to counter it.
While the risk has always been there, Latter's proof of concept of a covert channel via the computer display turns a possibility into a certainty.