T 0.21 Manipulation of Hardware or Software

Manipulation is defined as any form of targeted but secret intervention aiming to change target objects of all kinds in an unnoticed way. Manipulation of hardware or software can be performed, in, amongst other situations, when being influenced by desire of vengeance, to deliberately generate damage, to obtain personal advantages or gain. It can focus on all kinds of devices, accessories, data storage media (e.g. DVDs, USB sticks), applications and databases or the like.

Manipulation of hardware and software does not always lead to a direct loss. However, if such processed information is impaired, this can lead to all types of security implications (loss of confidentiality, integrity or availability). Manipulations can thereby be all the more effective the later they are discovered, the more extensive the knowledge the perpetrators have, and by how much more profound the effects on a work process would be. The effects range from the unauthorized inspection of sensitive data to even destruction of data storage media or IT systems. Manipulation can thus also result in considerable downtimes.

Examples:

• In a Swiss financial company, an employee had manipulated the software used for certain financial services. This made it possible for him to illegally gain large amounts of money.
• By manipulating ATMs, attackers succeeded several times to illegally read the data stored on payment cards. In conjunction with PINs spied out, this data was then misused to withdraw money at the expense of the cardholder.