From time to time, our readers raise questions or issues related to topics that concern, or simply interest them. One such issue was brought up recently by a Twitter user, who asked us: “Do you have any posts discussing the risk to banks when people use their cell phone inside them, ignoring the security guards?”
We think this is a very interesting question and one that can apply to practically any corporate environment, not only banks — so we are going to try to answer it in this article.
Corporate WiFi networks
When we look at the specific scenario suggested to us by the user, we can think of one interesting tactic that an attacker could use to access the internal network at a bank.
If we put ourselves in the shoes of this attacker – who could quite easily be someone like Elliot from the TV series Mr. Robot – the first thing we’d try would be to see if we could connect to any of the WiFi networks that the bank has.
It wouldn’t be unusual to find a number of networks within range, and it’s quite likely that at least one of them would be identified as belonging to the bank or exclusively for staff.
What you’d be less likely to see these days would be networks that did not require a password, or if they were using an obsolete encryption system like WEP. It’s not 2010 anymore so it is highly likely that most of the WiFi would use WPA2 encryption or better.
In these circumstances, the chances of being able to access this corporate network from our smartphone are considerably reduced, although there is still the possibility of the attacker succeeding if the bank in question has a guest network that is not configured correctly. Guest networks are precisely that: networks that provide connectivity to people visiting the place temporarily.
Depending on how the guest network was set up and whether it was segmented correctly or not, the attacker may succeed, or they may have to seek out alternatives.
If the network was not isolated as it should be, they will be able to switch to the company’s critical systems and see whether they have robust security measures, or whether they are at the mercy of the attacker, who may be able to connect to them in order to carry out malicious activity.
So, the possibility to launch an attack from a smartphone connected to a bank’s WiFi network will depend largely on what security measures the bank in question has implemented.
From personal experience of the banks I’ve checked from time to time which had WiFi access points, this security tends to be robust. However, as we will see below, there are other methods of attack using smartphones and other devices.
Gathering information about the environment
Once the attacker has established that there is nothing they can do through the WiFi network, they will probably use their smartphone for other purposes. One of the simplest ways, but one which is very useful for gathering information, consists of using the camera of the smartphone to take photos and videos of anything that might be of interest to the attacker.
Capturing images showing which software is used by the employees, which ports are used on employee PCs when serving customers, what network outlets that might be accessible, identification plates, or even filming when and how the security guards change shift — are all actions can be very useful for someone planning a future attack.
Furthermore, if the device has NFC capabilities, the attacker can try their luck and see if they can capture the data from any staff ID card which might give them access to restricted areas used only by employees. This would be risky when it comes to actually entering the area, but it wouldn’t be the first time somebody tried it.
Moving on to more specialized types of devices, one kind available is known as a “WiFi Pineapple”, which the attacker can use to create a fake access point and see if any employees try to connect to it. They would then monitor their connections and try to capture passwords for accessing the bank’s internal systems.
Otherwise, they could try to pass themselves off as a customer and approach an employee with some kind of query in order to then take advantage of a moment of carelessness when, if the employee’s computer has a USB port free, they can plug in a “Rubber Ducky” device, which then executes the commands necessary to steal as much information as possible.
They could also try to get the computer to download some malicious code from an online archive pre-configured by the attacker, using something like a ready-made payload or one they created themselves.
All of the above involve one major hurdle for the attacker, and that is that they would have to go in person to the actual branch of the bank they want to attack. The security cameras could be used against them if the video recordings are analyzed after discovering the attack, and for that reason, attacks that manage to infiltrate banks’ and other companies’ corporate networks tend to be executed remotely.
Let’s take as an example some of the cases discovered over the last few months. The attacks on Russian banks began with an email being sent — one that was very well prepared and aimed at bank employees. The apparently innocent Word document actually contained a malicious macro which performed a connection to an external server controlled by the attackers, from here additional modules were downloaded. These were then used to control and spy on the infected systems and enter the corporate network.
Another, more elaborate case was one that affected more than 20 Polish banks. On that occasion, the attackers managed to compromise the official website of the Polish financial regulatory agency, which is visited frequently by employees of various Polish banks, who were unwittingly infecting their work computers with malware.
The short answer for the user who posed the question about the use of a smartphone at the bank is that this risk depends largely on the corporate security policies implemented, especially those related to network security and segmentation.
On the question of whether we are going to see attacks of this style using smartphones as the main tool in the attack, we would not rule it out, but cybercriminals know they can get much greater benefits without needing to expose themselves by attacking banks remotely, and we don’t think that trend is likely to change any time soon.
written by Josep Albors, ESET We Live Security