Hacking in the Blind: (Almost) Invisible Runtime UI Attacks on Safety-Critical Terminals

TL;DR

This paper introduces a novel physical attack method on safety-critical terminals that manipulates user input without direct UI observation, demonstrating its effectiveness and stealth through user studies.

Contribution

It presents new techniques for tracking UI state and input in blind attack scenarios, enabling undetectable input modification on embedded safety-critical terminals.

Findings

Input modification attacks are difficult for users to detect.

The attack techniques can be implemented efficiently.

User study confirms attack effectiveness and stealthiness.

Abstract

Many terminals are used in safety-critical operations in which humans, through terminal user interfaces, become a part of the system control loop (e.g., medical and industrial systems). These terminals are typically embedded, single-purpose devices with restricted functionality, sometimes air-gapped and increasingly hardened. We describe a new way of attacking such terminals in which an adversary has only temporary, non-invasive, physical access to the terminal. In this attack, the adversary attaches a small device to the interface that connects user input peripherals to the terminal. The device executes the attack when the authorized user is performing safety-critical operations, by modifying or blocking user input, or injecting new input events. Given that the attacker has access to user input, the execution of this attack might seem trivial. However, to succeed, the attacker needs to overcome a number of challenges including the inability to directly observe the user interface and avoid being detected by the users. We present techniques that allow user interface state and input tracking. We evaluate these techniques and show that they can be implemented efficiently. We further evaluate the effectiveness of our attack through an online user study and find input modification attacks that are hard for the users to detect and would therefore lead to serious violations of the input integrity.