This article was originally published in Cybersecurity Magazine in September 2023
A recent article in Bleeping Computer detailed a new cyber attack technique developed by researchers in the UK that uses AI to translate the sounds a keyboard makes into the typed text, meaning a cyber criminal could theoretically record their victim typing on a computer in a Starbucks or over a Zoom call and be privy to what they’ve typed. The cyber criminal, of course, would need access to the cutting edge deep learning model, somehow train the model on the sound idiosyncrasies of the victim’s machine, be close enough to create a clean recording (or somehow hack their way into a Zoom call), and hope that the timing of their attack coincided with the victim typing in a password or other valuable information, and not writing an email to their mother wishing her a happy birthday. Without question, if you have reason to believe that you’re the specific target of a nation-state actor or criminal enterprise, you should be aware that you could be the target of such an attack. For the rest of us susceptible to the infinitely more common random cyber attack, however, we should be more concerned that a lazier (or more efficient) cyber criminal might find some of our credentials among the estimated 15 billion for sale on the dark web with a little bitcoin, or better yet, for free on select telegram channels.
In another example, a few months ago, Good Morning America ran a story highlighting an FBI warning of “juice jacking” or the potential compromise of public device-charging ports by cyber criminals. Plug your phone in at an airport and the bad guys could install malware on your iPhone. Nevermind that the cyber criminal would have to jump through a number of technical and access hoops to successfully execute such an attack. Indeed, “no known instances of juice jacking have appeared in the wild…and modern smartphones now alert users when data is being transferred.” But again, might a sophisticated, targeted attack on a specific individual or individuals include juice-jacking? Certainly. But these are not the types of attacks that should keep CISOs up at night (and they’re likely not).
The danger I see while reading these and similar stories of creative new attack vectors implies that the tried and true methods used by bad actors are failing them, and the cyber security community is successfully shutting down conventional attacks, forcing cyber criminals to innovate.
Well.
Maybe it’s just me, but I can only find evidence to the contrary. Just this year, the number of ransomware attacks in March exceeded the number in February by over 90%, and a 2 minute Google search will generate endless data supporting the assertion that the cyber criminal community is doing just fine with the tools it’s had at its disposal for years now.
Certainly, cyber criminals are already leveraging technologies like generative AI to improve their efficiency, and make it easier for non-technical bad actors to join the cyber crime game, but the increasing success that proven and reliable attack vectors are enjoying creates little motivation for threat actors to abandon them in search of more sophistication. Can new AI tools help bad actors find and exploit unpatched vulnerabilities more efficiently, craft more realistic phishing emails, scale phishing operations, enable non-technical criminals to write more sophisticated malware, or enhance the efficacy of credential stuffing operations? It’s very likely all that is either happening now or will be in the near future.
Fundamentally, however, the means of compromise are the same as they’ve been for years: exploitation of unpatched vulnerabilities, stolen credentials, and phishing. Automobiles have grown exponentially more sophisticated since the days of Ford’s Model T, but, until just the past few years, the basic propulsion technology – the internal combustion engine – hasn’t changed, and is only doing so now because of nearly universal environmental concerns. Put another way (sports metaphor warning), if a football team is gaining 10 yards every time they run the ball up the middle, why would they stop doing that in favor of a fancy play like a double-reverse flea flicker?
So, it probably makes sense to take the hyperventilating stories of cutting-edge attack vectors with a grain of salt. There will come a day when the primary means of initial penetration become obsolete or are abandoned by the cyber criminal community in favor of something revolutionary. However, the cyber security community – the good guys – will first need to render them ineffective and, unfortunately, we don’t seem to be close to achieving that reality.