G 0.21 Manipulation of Hardware or Software
Manipulation is understood to mean any form of deliberate but hidden intervention that alters target objects of any kind without being noticed. Manipulations of hardware or software can be carried out, among other reasons, out of feelings of revenge, to deliberately cause damage, to gain personal advantages, or for enrichment. The targets can be devices of all kinds, accessories, data storage media (e.g., DVDs, USB sticks), applications, databases, or similar.
Manipulations of hardware and software do not always result in immediate damage. However, if the information processed with them is compromised, this can result in all kinds of security impacts (loss of confidentiality, integrity, or availability). The manipulations can be all the more effective the later they are discovered, the more comprehensive the knowledge of the attackers, and the more far-reaching the effects on a business process. The impacts range from unauthorized access to sensitive data to the destruction of data storage media or IT systems. Manipulations can thus also result in significant downtime.
Examples:
- In a Swiss financial company, employees manipulated the deployment software for certain financial services. This made it possible for them to illegally obtain large sums of money.
- Through manipulations of ATMs, attackers have repeatedly succeeded in reading data stored on payment cards without authorization. In combination with eavesdropped PINs, this data was later misused to withdraw money at the expense of the cardholders.