Visual hack: what threatens and how to protect yourself from spying

Hello, Habr!
My name is Dmitry Fomin. In 3M, I work in the department of protection against visual hacking, which makes films on screens – for the visual protection of data. Among other things, I explain to users why carrying secret documents without folders and sending screenshots of internal software is a bad idea. For a long time I have been wondering what percentage of all the high-profile hacks that the media write about starts with a visual data leak. During the search I gathered a lot of interesting information: survey results, examples of visual hacking, notions from popular science magazines. I will share the most interesting findings.
By the way, now this is more relevant than ever – statistics say that even before self-isolation, employees did not protect much information from peeping, and while working from home, they completely relaxed. In the meantime, the leak of confidential data can have serious consequences, including criminal liability.

Visual Hacking Examples
Today, when jobs are becoming more mobile, traditional means of protection – at least software, at least hardware – have ceased to be a panacea. If at all they could ever claim such a role.
More and more enterprises allow employees to bring their own gadgets (BYOD) for work. More and more people work with confidential information from insecure places: in open-type offices, cafes, airport lounge, public transport.
Content just asks for it to be viewed or photographed by someone else – sitting nearby or just passing by. Especially considering the fact that everyone now has powerful cameras in smartphones.
When someone forgets to fence off their screens and prints from prying eyes, he risks becoming a victim of visual hacking. Such embarrassments arise now and then:

 A UK government official took a train in front of his laptop, with sensitive data on the screen. The journalist who was riding in the same car took a picture of the poor fellow and wrote a story about him in the national media. [2]

 Through the windows of the St. Petersburg branch of Bank of America, passers-by could see the personal data of the bank’s customers. [3]

 The help desk employee, succumbing to the fraudsters’ tricks, provided him with screenshots of the corporate IT system. These screenshots helped the villain reverse the IT system and hack it. [4]

 A news correspondent photographed a British official when he left 10 Downing Street (the residence of the British Prime Minister) with confidential government papers in his hands. The photo shows that there we are talking about a special operation in Afghanistan. [5]

 A London policeman from the counter-terrorism center got into the camera of a news correspondent when he entered 10 Downing Street. The photo shows the papers he is holding in his hands. There we are talking about the planned raid on a terrorist cell. Due to a data leak, the police officer had to resign. [6]

How often do such embarrassments occur? And where do their legs grow from? To understand this, I studied the results of open polls and collected some statistics. As you know, I was interested in data leakage from monitors, so here are the most interesting facts about it.

Nearly 90% of employees are at risk, but only 30% are protected from hacking: excerpts from surveys

At least 50% of enterprises allow employees to bring their own gadgets (BYOD) for work. [1] 90% of employees addicted to BYOD work not only in the office, but also in public transport: on the way to work and on the way home [10]spending from 7 to 14 hours a week [9]. Most of them are sure that their activity is impossible without mobile access to email and instant messengers.
80% of public transport passengers read from other people’s screens at least once; the same picture is observed among the guests of the catering. 80% of office employees do not exclude that someone outsider and unauthorized could peek confidential information from their screen. 80% of managers are sure that the employees of their enterprise will not be puzzled about protecting their screens from viewing by strangers. [1]

I found such data in open sources. Plus, it also initiated a separate survey of a business audience, implemented jointly with the Tecart consulting group. Representatives of 200+ foreign and Russian companies from the financial sector (banks, insurance), consulting, telecom, pharmaceuticals, manufacturing, construction, and trade took part in it. 72% of respondents are senior and middle managers.
It turned out that 86% of employees of any company work with personal or confidential data. 54% work in open-type offices. 19% go on business trips more than 10 times a year.
Diagram 1. Frequency of business trips,% of the total number of respondents

28% noticed that they were spying on their screen. About 30% take some actions in this regard.
Approximately the same number of respondents (31% of representatives of international companies and 20% of Russian companies) said that their companies paid attention to the issue of security.
Chart 2. The share of companies that care about the security of corporate devices, in the context of areas of activity

Among the most common visual protection measures (personal or corporate):
1) minimizing the working windows,
2) screen lock,
3) expanding the screen so that outsiders could not look into it,
4) differentiation of workplaces in the office (separate office, table spread from the window, partitions, etc.),
5) movement only on corporate transport.
We also found out how many people use protective films. It turned out that there are only 5% of them. Even though this is a simple and obvious solution.

We already wrote about protective films 7 years ago in another post on Habré [7]up to what physics, optics and chemistry are behind, so I won’t repeat myself.
From the survey it also became clear which corporate gadgets are most in demand. 72% use laptops, 46% use desktop computers, 40% use smartphones, and 8% use tablets.

How paranoid ones protect themselves from visual hacking

When I saw that only 5% used protective films, I began to look for what people generally do to protect against visual hacking. Delving into popular science magazines, I came across an article [8] at IEEE Transactions on Consumer Electronics. An interesting way of protection is described there. I do not want to judge how practical it is, but it was interesting to get acquainted with it. I give a description as a lyrical digression.
Schematically, the protection looks like this:

She has software and hardware. It keeps track of unauthorized persons (in the literal and figurative sense of the word) who glance at your screen. Having noticed a stranger, protection creates visual effects on the screen (manipulates brightness and contrast) so that the stranger could not see what he should not see. With reduced brightness or contrast, only the user sees the contents of the screen.
The hardware part of the craft includes three sensors: a video camera, an ultrasonic range finder, and an ambient light sensor. The craft works as follows.

Take frames from a camcorder. He searches there for paired eyes that look at the screen. Counts how many people do it. If there are more than one, then it adjusts the brightness and contrast on the screen. Moreover, it regulates taking into account how far the user is from the screen and what kind of lighting is around him.

Five steps to the visual security of your gadgets

Based on the results of the polls, we have prepared recommendations that will help ensure visual security. These recommendations are relevant primarily for those managers and employees who regularly travel on business trips or work in an open space office, as well as for working remotely.
1. First, find out which of your data is confidential. Classify them according to how critical they are. This step then facilitates the configuration of role-based access to data.
2. Know all the places that circulate the data that you worry about. And make sure that they don’t fall into the wrong places. Monitor calls to them. Make sure that event logs (who, when and how accessed the data) are continuously generated.
3. Track all corporate users who work with sensitive data through remote access. And manage it in a smart way: when a user tries to access data from a reliable place (from his home, for example) – give, and if from an unreliable (for example, via public Wi-Fi) – block access or at least restrict it.
4. Encourage your employees to use password protected screensavers. And those who regularly work with confidential data in public places, provide a protective film.
5. Do not loom your screen in front of strangers. Computer screens and other gadgets must be positioned at such an angle that people cannot look at them.
It seems to be obvious recommendations, especially the latter. But the survey results and numerous embarrassments, such as those described at the beginning of the article, shout that we still have something to strive for in terms of providing visual security.







Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *