The Rise of Cyber-Physical Threats: Why Traditional Security Isn't Enough
Cyber security professionals spend most of their time monitoring and analyzing virtual threats, but physical threats and their consequences can also seriously impact a business. Anything from economic disruption to loss of life can result from a cyber-physical attack. While some virtual cyber threats have physical consequences, the increase in physical threats is particularly concerning because they are often overlooked in comprehensive cyber security strategies.
What are Cyber-Physical Threats?
The line between a standard virtual threat and a physical one is often blurry. Virtual threats generally aim to steal data, but a cyber-physical threat focuses on harming physical assets such as infrastructure—hardware or software—human safety, buildings, or even community resources (e.g., electricity, water, or gas utilities). Physical threats can start with virtual exploits, but identifying and dealing with physical threats extends to the additional attack surfaces you might forget. It’s also increasingly common, as nation states attack companies, that both cyber and physical means will be deployed to disrupt operations and steal IP/data simultaneously.
For example, physical entry points such as entryways, back doors, and even the roof of a building add risk and extend the attack surface for potential security breaches. Most people picture hackers as anonymous, hidden people sending exploit requests to software and web servers, but sophisticated and socially charming attackers can use social engineering or on-site exploits to find weaknesses in your physical security. It’s also important to recognize that, as with any crime, attackers come from many sources: foreign governments attacking companies, political activists (hacktivists), vandals proving their capabilities, and organized crime rings making a living from these activities. Here are a few examples of these types of threats that could have serious consequences for your business:
- Code injection: Using Cross-Site Scripting (XSS)—either permanent or reflected—an attacker can add code to a user’s session and trigger actions that interrupt operations.
- Denial-of-Service (DoS): Various threats can crash infrastructure or cause interruptions in critical operations. A distributed DoS (DDoS) is also possible with enough generated traffic targeting a single source.
- USB drop attack: Users should be warned never to insert an unidentified or abandoned USB device into their systems. Some administrators disable USB connections to prevent this attack.
- Drone-Based Cyber Attack: A drone attack could involve flying a drone equipped with a Wi-Fi sniffer to intercept sensitive wireless network traffic, such as login credentials or confidential communications. Alternatively, the drone could deploy a rogue access point that tricks employees into connecting to it instead of the legitimate network, allowing attackers to capture sensitive information or launch man-in-the-middle attacks.
- Air hopping: Radio frequencies carry data, and sophisticated hackers can intercept, eavesdrop, and use them to extract sensitive data. Air hopping is used in NSA and military operations, so it’s an advanced attack but still a threat to any business.
- Piggybacking (also called tailgating): Are you kind to strangers and hold the door for them? While it’s a nice gesture, you could be enabling a social engineering attack by giving a nefarious user entry to the physical building.
- Shoulder surfing: Users with mobile devices are at risk of outsiders viewing credentials as they enter them in public. Most sites use asterisks in place of password information, but sensitive information that is entered in public could be extracted with video replay.
- Insiders: Disgruntled employees and contractors can cause issues from the inside and severely damage infrastructure with their legitimate access to critical systems.
In these types of attacks, the vulnerability is usually in infrastructure or how users are trained to handle common physical threats. Most organizations focus on phishing and social engineering, but they forget that some attackers pose physical threats to operations. Because these threats are much more sophisticated, they can do physical harm, including threats to human life and community safety.
Behind many of these attacks are state-sponsored actors. Interruption of community or health resources (e.g., medical equipment) does more than ruin brand reputation or steal sensitive data. In a state-sponsored attack targeting critical resources, human lives are at risk. Numerous physical consequences come with being the victim of these types of attacks, including loss of life, which makes them much more important than even the most significant virtual data breach.
How Physical Threats Work
With the risk of physical harm to people or infrastructure, it’s hard to imagine how someone from miles away could impact human life. We hear about data breaches and the numerous phishing and ransomware attacks that steal data, but you don’t often hear about physical security failures. As more people rely on technology for survival, physical security is necessary to protect them from harm.
An XSS attack is a sophisticated, complicated threat in some scenarios. The basic activity in an XSS attack is injecting malicious code into a user’s browser. The user executes the code in the context of their session, so a system administrator could execute high-privilege commands against infrastructure. For example, XSS injected into a healthcare administrator’s browser could control critical monitoring systems or infrastructure that alert doctors and nurses of a critical life-threatening event.
Most security people know of popular DDoS attacks, but plain DoS attacks (note the absence of a distributed, collaborative effort) are also an issue. Infrastructure activity can be interrupted by an external source exploiting a bug or a race condition that crashes the program. These interruptions are dangerous for any infrastructure, including the systems that monitor threats. For example, suppose two components must shut down in a fixed order: one should wait until the other has fully shut down before it stops. If that race condition is unknown and was not found during testing, shutting the systems down out of order could crash the program and potentially leave it unresponsive to users.
Phishing is commonly used to inject malware into a system, but a USB drop attack can be much more dangerous. In this scenario, a threat actor leaves a malicious USB drive in a public place. Users find the drive and decide to see what’s stored on it. They insert it into their computer, and a file named autorun.inf instructs the host operating system to automatically execute a specific file. This file could be an innocent menu to run other software, or a threat actor could set it to run malware on the local machine. With remote control software installed on the computer, a remote attacker could use it to control critical systems. A USB drop attack can be thought of as a trojan horse: an innocent-looking device on the outside with malicious programs stored on the inside.
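An added example for the USB drop scenario from the defender’s side, not code from the original article or from Claro’s products: a small parser reads an autorun.inf from a mounted volume and reports which directives would launch a program and which ones dress the drive up to look harmless. The directive names are the documented AutoRun keys; the sample file content and the function names are constructed.

```python
import os

# Directives that make the host OS (legacy Windows AutoRun) launch a program.
LAUNCH_KEYS = {"open", "shellexecute"}
# Directives that dress the prompt up to look benign (volume name, icon, menu text).
DISGUISE_KEYS = {"label", "icon", "action"}


def parse_autorun(text):
    """Parse autorun.inf text into {section: {key: value}}, case-insensitive."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_autorun(text):
    """Return findings describing what this autorun.inf asks the host to do."""
    findings = []
    auto = parse_autorun(text).get("autorun", {})
    for key in sorted(LAUNCH_KEYS & set(auto)):
        findings.append(f"launches: {key}={auto[key]}")
    for key in sorted(DISGUISE_KEYS & set(auto)):
        findings.append(f"disguise: {key}={auto[key]}")
    if auto.get("useautoplay", "0") == "1":
        findings.append("requests AutoPlay handling")
    return findings


def audit_volume(mount_point):
    """Audit a mounted volume's root; returns [] when it has no autorun.inf."""
    path = os.path.join(mount_point, "autorun.inf")
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_autorun(fh.read())


# Constructed sample: a disguised autorun.inf as a dropped drive might carry it.
SAMPLE = """\
; constructed example, not from any real incident
[AutoRun]
open=setup\\launcher.exe /silent
icon=setup\\launcher.exe,0
label=Quarterly Reports
action=Open folder to view files
"""
```

Current Windows releases no longer honor autorun.inf on removable media, so this is a triage aid for legacy hosts and for spotting a drive that was dressed up to look harmless, not a substitute for disabling AutoRun and restricting removable media.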
Drone-based attacks are an evolving threat that blends physical and cyber vulnerabilities. For instance, an attacker might use a drone to fly above or near a building equipped with a WiFi sniffer to capture sensitive network traffic from the company’s facility. Simultaneously, the drone could deploy a rogue access point mimicking the company’s legitimate WiFi network, tricking employees into connecting and exposing their data. This dual approach allows attackers to intercept login credentials and confidential communications or even launch man-in-the-middle attacks. Such sophisticated threats highlight the need for robust network security and employee training to recognize and avoid suspicious networks. As technology advances, integrating physical security measures with traditional cyber defenses is crucial to safeguarding against these emerging threats.
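A detection check for the rogue access point scenario above, added here and not part of the original article: scan records are compared against an inventory of the company’s own access points, flagging an unknown radio broadcasting the corporate SSID, a known BSSID offering weaker security than expected, and lookalike network names. The SSIDs, MAC-style BSSIDs, inventory and function names are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanRecord:
    ssid: str
    bssid: str
    security: str  # e.g. "WPA2-Enterprise", "WPA2-PSK", "OPEN"


# Constructed inventory of the company's own access points (placeholder MACs).
AUTHORIZED = {
    "Corp-WiFi": {
        "security": "WPA2-Enterprise",
        "bssids": {"02:00:00:aa:00:01", "02:00:00:aa:00:02"},
    },
}


def normalize(ssid):
    """Strip the tricks used to mimic an SSID: case, spacing and punctuation."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def classify(record):
    """Return a finding for a suspicious record, or None if it looks fine."""
    for name, ap in AUTHORIZED.items():
        if record.ssid == name:
            if record.bssid.lower() not in ap["bssids"]:
                return f"unknown BSSID {record.bssid} is broadcasting {name}"
            if record.security != ap["security"]:
                return (f"{name} from {record.bssid} offers {record.security}, "
                        f"expected {ap['security']}")
            return None  # known AP with the expected security profile
        if normalize(record.ssid) == normalize(name):
            return f"lookalike SSID {record.ssid!r} mimics {name}"
    return None  # some unrelated network; not our concern here


def find_rogues(records):
    """Run classify() over a scan and keep only the records that raised a finding."""
    findings = []
    for record in records:
        finding = classify(record)
        if finding:
            findings.append((record, finding))
    return findings


# Constructed scan as a Wi-Fi survey tool might report it near the building.
SCAN = [
    ScanRecord("Corp-WiFi", "02:00:00:AA:00:01", "WPA2-Enterprise"),  # legitimate AP
    ScanRecord("Corp-WiFi", "02:00:00:BB:FF:10", "WPA2-Enterprise"),  # same name, unknown radio
    ScanRecord("Corp-WiFi", "02:00:00:AA:00:02", "OPEN"),             # cloned BSSID, wrong security
    ScanRecord("Corp WiFi", "02:00:00:CC:12:34", "WPA2-PSK"),          # lookalike name
    ScanRecord("Neighbor-Net", "02:00:00:DD:00:09", "WPA2-PSK"),       # unrelated network
]
```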
Air hopping is a lesser-known physical threat, but it’s still a threat. Servers and infrastructure hosting extremely sensitive data, such as government secrets and confidential military information, are completely segmented from the internet and have no access to it. Even with these safety measures, computers isolated from a network still emit light, sound, heat, and vibrations that can be used as channels to transmit data. With a mobile device and a sensor app, a particularly sophisticated spy or state-sponsored hacker could exfiltrate data. Infrared thermometers, lux meters, decibel meters, and electricity usage monitors are alternative tools for air hopping exploits. Keeping people away from your building also reduces the risk of these attacks.
It’s considered polite to hold the door for the person walking into a building behind you. While this gesture is helpful to that person, it’s a security risk for the organization. Piggybacking, or tailgating, is the term for an attack in which an unauthorized individual gains access to the physical premises this way. With physical access, you can imagine what can happen: a threat actor can cause harm to infrastructure or convince an employee to divulge sensitive information. Threat actors can also view open screens and extract data by using their mobile devices to snap pictures of desktop screens. For example, proprietary code shown on a screen could be exfiltrated through piggybacking.
Shoulder surfing can happen anywhere an employee works in a public location. Whether it’s a coffee house or the airport, shoulder surfing occurs when another person can see what’s being typed into the employee’s mobile device. Any passwords or sensitive information could be snapped in an image from a mobile device and used later. Shoulder surfing also happens within the office location, which is why some organizations have rules against taking pictures inside the office building.
Employees are themselves a risk, and sometimes they don’t even realize it. Insider threats come in two flavors: malicious and unintentional. Disgruntled employees might purposely destroy infrastructure, but employees don’t always cause security incidents on purpose. For example, a disgruntled employee might break monitoring systems to perform malicious activity, while another employee might insert a USB device and unintentionally install malware on their local computer.
IoT and Physical Threats
In the last few years, IoT (Internet of Things) has become ubiquitous. Internet-connected devices are part of everyday equipment at home and at work. Your refrigerator might be internet-connected so that you can monitor internal temperatures, your thermostat is connected to monitor home temperature, and your garage and security system cameras might be connected to the internet for remote monitoring.
Warehousing and healthcare are two industries continuing to advance their use of IoT to monitor large machinery. Manufacturers use IoT to monitor machinery and detect potential failures before they happen. Healthcare uses IoT devices to monitor patient vitals. Utilities might manage and monitor systems using IoT. All these systems are critical to human life and to services necessary for human safety. Should a physical threat actor gain access to IoT, it could be devastating to operations.
A few real-world events illustrate the impact of IoT and its security. In 2017, heart devices from St. Jude, including pacemakers and defibrillators, were found to have vulnerabilities that allowed attackers to drain their batteries or send the wrong electrical signals to the human heart. A researcher in 2016 found that Owlet baby monitors did not transmit data using encryption to Wi-Fi devices, which allowed a nearby attacker to eavesdrop on data. Researchers in 2015 found that an attacker could hack into Jeep Cherokees and cause engine failure while driving, threatening human life. With Claro Enterprise Solutions, trucks stolen from warehouses can be located thanks to IoT tracking devices like Asset Insight. Someone piggybacking into a nursing home can be detected as a stranger thanks to AI Video Analytics' facial recognition, which can be used to monitor visitors entering and exiting the facility. A carjacking can be investigated through cameras in a parking garage, analyzing license plates for any car following it into or out of the garage.
Traditional Cyber Security Isn’t Enough
When administrators prepare and budget for security, they usually focus on appliances like firewalls, network segmentation, and antivirus software. These traditional cybersecurity appliances stop many of today’s threats but don’t help much with physical threats. For example, antivirus might stop a USB drop attack from installing malware, but it won’t help with shoulder surfing, insider threats, or piggybacking.
Defending against sophisticated physical attacks requires a high level of security. Employees must be trained to recognize attacks and take precautionary measures. For example, they should be taught that piggybacking is a risk and that every user should use their own badge to access the business building. Monitoring systems can be used to catch eavesdropping, XSS injection, and DoS attacks.
Administrators might choose to disable USB devices on all machines, but another option is to train users not to insert unknown USB flash drives into their computers. While antivirus software can help prevent malware installation, it can’t always detect zero-day threats, including those sent via phishing emails. Organizations should not rely solely on antivirus software as their only defense against malware. Instead, antivirus should be one layer of a multi-faceted security approach that includes robust security monitoring and intrusion detection. Enhancing video surveillance with Artificial Intelligence (AI) can improve security by quickly identifying unrecognized devices, such as drones, that may be flying near the company's premises, providing an additional layer of protection.
For large organizations, piggybacking is stopped by putting human security staff and cameras in place to watch doors and entryways. These traditional measures are reactive; cameras using artificial intelligence (AI) give security staff a proactive strategy. You could have a security person watching doors for any piggybacking or unauthorized entry, but an AI-enabled camera can act as your security guard and send alerts to on-site security personnel when an anomaly triggers an alert.
For example, suppose you have a camera in front of a back entrance door. Using AI-enabled cameras, you can detect if a user swipes their card or carries a weapon into the building. This strategy frees up your security guard’s time and keeps them safe from violent events. Instead, the security guard stands by at a monitoring station and receives alerts from the AI-enabled systems to warn of an anomalous event. Employees piggybacking or entering the building without their badge can receive training or a reminder to wear their badge.
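One way to turn the camera-plus-badge idea above into an alert, added as an illustration rather than taken from the article or any vendor product: badge-reader and camera entry events for a door are correlated, and any entry that no prior badge read within a short window can account for is reported. The log line format, door names, user ids and function names are constructed.

```python
import re
from datetime import datetime, timedelta

# One badge read may account for one entry that follows it within this window.
WINDOW = timedelta(seconds=10)
# Constructed line format: "<ISO time> door=<id> event=badge user=<id>" or "... event=entry".
LINE = re.compile(r"^(\S+) door=(\S+) event=(badge|entry)(?: user=(\S+))?$")


def parse_events(lines):
    """Parse log lines into (time, door, kind, user) tuples, oldest first."""
    events = []
    for line in lines:
        match = LINE.match(line.strip())
        if not match:
            continue  # skip malformed lines rather than crash the detector
        ts, door, kind, user = match.groups()
        events.append((datetime.fromisoformat(ts), door, kind, user))
    events.sort(key=lambda event: event[0])
    return events


def find_tailgating(lines):
    """Return one finding per entry that no unmatched badge read can account for."""
    findings = []
    pending = {}  # door -> badge reads (time, user) not yet matched to an entry
    for ts, door, kind, user in parse_events(lines):
        if kind == "badge":
            pending.setdefault(door, []).append((ts, user))
            continue
        reads = pending.setdefault(door, [])
        reads[:] = [r for r in reads if ts - r[0] <= WINDOW]  # expire stale reads
        if reads:
            reads.pop(0)  # the oldest live read covers this entry
        else:
            findings.append(f"{ts.isoformat()} {door}: entry without a matching badge read")
    return findings


# Constructed log: a camera reports each person crossing the threshold as an entry.
SAMPLE_LOG = """\
2024-05-02T08:01:10 door=rear-east event=badge user=e1042
2024-05-02T08:01:12 door=rear-east event=entry
2024-05-02T08:01:14 door=rear-east event=entry
2024-05-02T08:03:00 door=rear-east event=badge user=e2210
2024-05-02T08:03:02 door=rear-east event=badge user=e0831
2024-05-02T08:03:03 door=rear-east event=entry
2024-05-02T08:03:05 door=rear-east event=entry
2024-05-02T08:05:40 door=rear-east event=entry
2024-05-02T08:05:41 door=lobby event=badge user=e1042
camera heartbeat: not an access event
""".splitlines()
```

The second entry at 08:01:14 and the unbadged entry at 08:05:40 are the two findings; the two badge reads at 08:03 cover both entries that follow them, and the later lobby read does not retroactively excuse an entry at another door.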
Artificial intelligence incorporated with security cameras can identify and even pinpoint the exact threat, like a weapon or a strange car in a company parking lot. Security around your perimeter keeps your staff safe and gives them the information they need to respond to a physical threat. Alerts can also be used to notify employees within the building, leaders, or other staff members, depending on your own business methods, of potential risks.
Claro Enterprise Solutions specializes in cyber-physical security protection strategies to manage different types of risk, delivering AI-based cameras and tracking devices for physical security. We also offer cyber security solutions for managed cloud services, IoT, network and communications, and MSP services. See what we can do to boost your cyber-physical security posture.