CAPEC-675: Retrieve Data from Decommissioned Devices

Description

<p>An adversary obtains decommissioned, recycled, or discarded systems and devices that can include an organization’s intellectual property, employee data, and other types of controlled information. Systems and devices that have reached the end of their lifecycles may be subject to recycle or disposal where they can be exposed to adversarial attempts to retrieve information from internal memory chips and storage devices that are part of the system.<p>

Extended Description

This attack first requires the adversary to trick the victim into installing a Trojan Horse application on their system, such as a malicious web browser plugin, which the adversary then leverages to mount the attack. The victim interacts with a web application, such as a banking website, in a normal manner and under the assumption that the connection is secure. However, the adversary can now alter and/or reroute traffic between the client application (e.g., web browser) and the coinciding endpoint, while simultaneously displaying intended transactions and data back to the user. The adversary may also be able to glean cookies, HTTP sessions, and SSL client certificates, which can be used to pivot into an authenticated intranet. Identifying AITB is often difficult because these attacks are successful even when security mechanisms such as SSL/PKI and multifactor authentication are present, since they still function as intended during the attack.

Severity :

Medium

Possibility :

Medium

Type :

Standard

Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-37: Retrieve Embedded Sensitive Data Retrieve Embedded Sensitive Data CAPEC-116: Excavation Excavation CAPEC-406: Dumpster Diving Dumpster Diving

Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

An adversary needs to have access to electronic data processing equipment being recycled or disposed of (e.g., laptops, servers) at a collection location and the ability to take control of it for the purpose of exploiting its content.

Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

High An adversary may need the ability to mount printed circuit boards and target individual chips for exploitation.
Medium An adversary needs the technical skills required to extract solid state drives, hard disk drives, and other storage media to host on a compatible system or harness to gain access to digital content.

Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

ATTACK | Exfiltration Over Physical Medium

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-1266: Improper Scrubbing of Sensitive Data from Decommissioned Device

Visit http://capec.mitre.org/ for more details.