> As Ars has noted in previous coverage, the techniques are theoretically effective, but their utility in real-world situations is limited. That's because the computers they target still must be infected by malware. If the computers aren't connected to the Internet, the compromise is likely to be extremely difficult and would most likely require the help of a malicious insider, who very well may have easier ways to obtain data stored on the machine.
Nonetheless, an interesting technique. Is it even possible to have a useful workstation these days without any USB devices?
> Is it even possible to have a useful workstation these days without any USB devices
All my gear is on the network these days. The only USB device I regularly plug is in a dumb 5V fan from the dollar store... I imagine these days it's more possible than ever.
Air-gapped computers (which is what this seems to be targeting) on the other hand are surely going to do all their data transfer over USB.
I could see Synergy for a workstation, but eventually one of the turtles on the way down will most likely have a keyboard/mouse connected to USB. Headless for servers certainly.
A lot of laptops present the keyboard and touchpad/whatever as internally connected USB devices.
So, if you want to disable USB by epoxying the externally facing connectors, that might work, but it means you can't do things like completely disable support at the BIOS or kernel level if you want those things to still work.
Yeah, because the wires on the switch were too thin and after 2 weeks I had to open it up and resolder them :/ The data pins were definitely not connected
Even if you don't see anything connected to the pins, there could be an entire computer within the plug, connected from below, where you wouldn't be able to see it :)
Hum, 4GB is a quite ok size for transferring data from "this one computer here" to "this other computer at the other end of the desk".
It's pretty hard to conceive many¹ situations when you'll need to transport more than this at a single time between a secure computer and an insecure one. Some slowness on those few exceptions is a very low price to pay for disabling unverifiable two-way communication.
By the way, buying a new RW disk every several dozen data transfers is also a low price to pay.
The biggest problem is the very low throughput of optical drivers - writing to them takes ages. Still, if you need to airgap them, it's probably worth taking that hit.
1 - Original OS installation is a very clear exception, but it does not happen often.
4GB is very mediocre. Some situations that come to mind:
0) I've had Original OS installation occur fairly frequently (testing against the bleeding edge, testing installs against a clean install)
1) The installation of new software.
2) Anything with VMs.
3) The last set of builds I signed was 12GB for each set. Individual package files (which is what I needed to sign) didn't fit onto the 4GB USB sticks we had widespread. If there's a more classical use case for an airgapped secure computer, do tell.
If you're confident that you're dealing with plain vanilla USB sticks, what advantage does communicating over rewritable DVDs have over rewritable USB sticks? Both are just as "verified" forms of two-way communication.
If need be, you can always do a zero compression archive that is split into multiple segments, and put each of those on discs. The relevant software should be quite able to handle the disc shuffling.
Right, but you won't be pulling down classified PDF's in any reasonable time. If you have access to the machine to run code, I don't see why you need "a password" particularly.
One of the comments suggested "Thumbdrives probably aren't a risk (probably) since the circuits involved are small", but the article itself says that they do work: "USBee offers ranges of about nine feet when data is beamed over a small thumb drive"
An interesting new variant of what you might call "active TEMPEST": a program running on the target machine that changes its EM emission spectrum. Of course, if you can plug a thumbdrive into an airgapped machine and get a radio reciever within a few feet of it I really wouldn't call it "airgapped" enough. You might as well just write to the USB drive.
Maybe could be made to work with mice and keyboards, which have nice long cable antennas. They're supposed to be shielded but are often poor.
My use for an air-gapped machine is for a personal CA (certificate authority). I'm using a RPi2 for this (no wifi).
Proceedure:
1. Download all the software needed for the CA (possibly getting compromised packages).
2. Disconnect from the network, setup the CA.
3. Setup an intermediate CA on a YubiKey.
4. Turn off RPi2 and store micro-SD card with CA secrets in a safe.
5. If CA needed in the future, only plug in "CA" micro-SD when RPi is not connected to the network.
6. Since the CA is never in a machine connected to a network, even if the RPi2 is compromised (assuming it's not the secret generation) the secrets aren't leaked.
However, with this attack, or a similar one, maybe my laptop is also compromised and the RPi2 can exfiltrate to the laptop (which is nearby and connected to the network). Perhaps via toggling the caps-lock LED on the keyboard (at a high rate with low duty cycle so it's invisible to the eye) or via the monitor cable.
Security is "fun"
The article says that Stuxnet spread to target machines by using files on infected USB drives. This is different, data is transmitted from an off-the-shelf drive via electromagnetic interference.
47 comments
[ 2.8 ms ] story [ 98.4 ms ] threadNonetheless, an interesting technique. Is it even possible to have a useful workstation these days without any USB devices?
All my gear is on the network these days. The only USB device I regularly plug is in a dumb 5V fan from the dollar store... I imagine these days it's more possible than ever.
Air-gapped computers (which is what this seems to be targeting) on the other hand are surely going to do all their data transfer over USB.
Or else, perhaps they're talking about headless machines where it's just a box with power and ethernet.
So, if you want to disable USB by epoxying the externally facing connectors, that might work, but it means you can't do things like completely disable support at the BIOS or kernel level if you want those things to still work.
I guess it's time to go back to PS/2
Yes, I am aware you can buy "condom" adapters that provide this.
http://www.mycablemart.com/store/cart.php?m=product_detail&p...
The fancy ones available elsewhere sometimes have red plugs to differentiate.
Why? DVDs still exist.
By the way, buying a new RW disk every several dozen data transfers is also a low price to pay.
The biggest problem is the very low throughput of optical drivers - writing to them takes ages. Still, if you need to airgap them, it's probably worth taking that hit.
1 - Original OS installation is a very clear exception, but it does not happen often.
0) I've had Original OS installation occur fairly frequently (testing against the bleeding edge, testing installs against a clean install)
1) The installation of new software.
2) Anything with VMs.
3) The last set of builds I signed was 12GB for each set. Individual package files (which is what I needed to sign) didn't fit onto the 4GB USB sticks we had widespread. If there's a more classical use case for an airgapped secure computer, do tell.
If you're confident that you're dealing with plain vanilla USB sticks, what advantage does communicating over rewritable DVDs have over rewritable USB sticks? Both are just as "verified" forms of two-way communication.
If need be, you can always do a zero compression archive that is split into multiple segments, and put each of those on discs. The relevant software should be quite able to handle the disc shuffling.
This came up when I was doing something last week - the place I was doing it at had computers that would not mount a thumb drive.
A little epoxy putty can go a long way here.
Doesn't work with thumbdrives.
More importantly, the airgapped computer needs to be already compromised before the attack can occur, and you must have write access to the drive.
While they show an Ubuntu machine next to the compromised machine, there is no signs that the malware works under ubuntu.
Neat research, but limited utility.
Heck, it is easier to just connect a prepared radio with hardware exploit.
I thought the purpose was extracting information.
One of the comments suggested "Thumbdrives probably aren't a risk (probably) since the circuits involved are small", but the article itself says that they do work: "USBee offers ranges of about nine feet when data is beamed over a small thumb drive"
Maybe could be made to work with mice and keyboards, which have nice long cable antennas. They're supposed to be shielded but are often poor.
Play along at home: http://www.icrobotics.co.uk/wiki/index.php/Turning_the_Raspb...
However, with this attack, or a similar one, maybe my laptop is also compromised and the RPi2 can exfiltrate to the laptop (which is nearby and connected to the network). Perhaps via toggling the caps-lock LED on the keyboard (at a high rate with low duty cycle so it's invisible to the eye) or via the monitor cable. Security is "fun"
[1] https://www.wired.com/2014/12/hacker-lexicon-air-gap/