CAPEC-634: Probe Audio and Video Peripherals
The adversary exploits the target system's audio and video functionalities through malware or scheduled tasks. The goal is to capture sensitive information about the target for financial, personal, political, or other gains. This is accomplished by collecting communication data between two parties via peripheral devices (e.g. microphones and webcams) or applications with audio and video capabilities (e.g. Skype) on the system.
Overview
CAPEC-634 (Probe Audio and Video Peripherals) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
What the attacker needs
Prerequisites
- Knowledge of the target device's or application's vulnerabilities that can be capitalized on with malicious code. The adversary must be able to place the malicious code on the target device.
Skills required
- High skill: To deploy a hidden process or malware on the system to automatically collect audio and video data.
Consequences
What a successful CAPEC-634 attack can achieve.
Read Data
Affects: Confidentiality
How to mitigate it
Defenses that reduce the risk of CAPEC-634.
- Prevent unknown code from executing on a system through the use of an allowlist policy.
- Patch installed applications as soon as new updates become available.
Examples
An adversary can capture audio and video, and transmit the recordings to a C2 server or a similar capability.
An adversary can capture and record from audio peripherals in a vehicle via a Car Whisperer attack. If an adversary is within close proximity to a vehicle with Bluetooth capabilities, they may attempt to connect to the hands-free system when it is in pairing mode. With successful authentication, if an authentication system is present at all, an adversary may be able to play music/voice recordings, as well as begin a recording and capture conversations happening inside the vehicle. Successful authentication relies on the pairing security key being set to a default value, or on brute force (which may be less practical in an outside environment). Depending on the sensitivity of the information being discussed, this scenario can be extremely compromising.