47 comments

[ 2.8 ms ] story [ 98.4 ms ] thread
> As Ars has noted in previous coverage, the techniques are theoretically effective, but their utility in real-world situations is limited. That's because the computers they target still must be infected by malware. If the computers aren't connected to the Internet, the compromise is likely to be extremely difficult and would most likely require the help of a malicious insider, who very well may have easier ways to obtain data stored on the machine.

Nonetheless, an interesting technique. Is it even possible to have a useful workstation these days without any USB devices?

> Is it even possible to have a useful workstation these days without any USB devices

All my gear is on the network these days. The only USB device I regularly plug is in a dumb 5V fan from the dollar store... I imagine these days it's more possible than ever.

Air-gapped computers (which is what this seems to be targeting) on the other hand are surely going to do all their data transfer over USB.

You have a networked keyboard/mouse?
Well, it's possible they have something like Synergy installed to control multiple machines, maybe.

Or else, perhaps they're talking about headless machines where it's just a box with power and ethernet.

I could see Synergy for a workstation, but eventually one of the turtles on the way down will most likely have a keyboard/mouse connected to USB. Headless for servers certainly.
Bluetooth - that's a network. Not to mention, my laptop has no external KB or mouse.
A lot of laptops present the keyboard and touchpad/whatever as internally connected USB devices.

So, if you want to disable USB by epoxying the externally facing connectors, that might work, but it means you can't do things like completely disable support at the BIOS or kernel level if you want those things to still work.

Well there's bluetooth, but I imagine that that opens up a whole new set problems.

I guess it's time to go back to PS/2

(comment deleted)
My office still has machines with PS/2 ports, keyboards and mice ;-)
(comment deleted)
Are you sure the USB fan isn't carrying a malicious payload? ;)
Perhaps we need a USB spec for 5v power only with connectors that do not even have pads/pins for I/O

Yes, I am aware you can buy "condom" adapters that provide this.

Coaxial power plugs meet that spec nicely.
Yeah, because the wires on the switch were too thin and after 2 weeks I had to open it up and resolder them :/ The data pins were definitely not connected
Even if you don't see anything connected to the pins, there could be an entire computer within the plug, connected from below, where you wouldn't be able to see it :)
The data pins could be connected to a small malicious payload hidden in the USB plug. I mean, in theory.
It could be exfiltrating by modulating fan speed.
> Air-gapped computers (which is what this seems to be targeting) on the other hand are surely going to do all their data transfer over USB.

Why? DVDs still exist.

You mean BluRay and even that is a bit small for some cases. Not to mention limited in terms of number of rewrites.
Hum, 4GB is a quite ok size for transferring data from "this one computer here" to "this other computer at the other end of the desk". It's pretty hard to conceive many¹ situations when you'll need to transport more than this at a single time between a secure computer and an insecure one. Some slowness on those few exceptions is a very low price to pay for disabling unverifiable two-way communication.

By the way, buying a new RW disk every several dozen data transfers is also a low price to pay.

The biggest problem is the very low throughput of optical drivers - writing to them takes ages. Still, if you need to airgap them, it's probably worth taking that hit.

1 - Original OS installation is a very clear exception, but it does not happen often.

4GB is very mediocre. Some situations that come to mind:

0) I've had Original OS installation occur fairly frequently (testing against the bleeding edge, testing installs against a clean install)

1) The installation of new software.

2) Anything with VMs.

3) The last set of builds I signed was 12GB for each set. Individual package files (which is what I needed to sign) didn't fit onto the 4GB USB sticks we had widespread. If there's a more classical use case for an airgapped secure computer, do tell.

If you're confident that you're dealing with plain vanilla USB sticks, what advantage does communicating over rewritable DVDs have over rewritable USB sticks? Both are just as "verified" forms of two-way communication.

You've obviously never dealt with classified networks. We have to deliver all of our software on DVDs.
Multiple discs, anyone?

If need be, you can always do a zero compression archive that is split into multiple segments, and put each of those on discs. The relevant software should be quite able to handle the disc shuffling.

You are exposing yourself to a considerable security risk with the dump 5V fan.
People do this. Many IT departments roll out Windows at least with reduced if not no USB capability.

This came up when I was doing something last week - the place I was doing it at had computers that would not mount a thumb drive.

There's an even more extreme form of that where people fill the USB sockets with hot glue. Extraordinary needs call for extraordinary measures.
There's an even more extreme form of that where people fill the USB sockets with epoxy.
There's an even more extreme form of that where people desolder the connectors.
Anybody who takes security truly seriously desolders the connectors AND fills them with bees.
Nah. Androctonus scorpions and deadly Australian funnel web spiders.
> Is it even possible to have a useful workstation these days without any USB devices?

A little epoxy putty can go a long way here.

9 foot range, 26 feet if you have a hard drive with a USB cable plugged in.

Doesn't work with thumbdrives.

More importantly, the airgapped computer needs to be already compromised before the attack can occur, and you must have write access to the drive.

While they show an Ubuntu machine next to the compromised machine, there is no signs that the malware works under ubuntu.

Neat research, but limited utility.

Also, the transfer rate is 80 bytes per second.
(comment deleted)
Plenty for sending out a password. For extra ownage, exploit the OHCI DMA to get memory access to anything.

Heck, it is easier to just connect a prepared radio with hardware exploit.

Right, but you won't be pulling down classified PDF's in any reasonable time. If you have access to the machine to run code, I don't see why you need "a password" particularly.

I thought the purpose was extracting information.

That's almost a megabyte per day, more with compression.
That's over twice as fast as my first modem was. Plenty of speed to get sensitive information out.
> Doesn't work with thumbdrives

One of the comments suggested "Thumbdrives probably aren't a risk (probably) since the circuits involved are small", but the article itself says that they do work: "USBee offers ranges of about nine feet when data is beamed over a small thumb drive"

An interesting new variant of what you might call "active TEMPEST": a program running on the target machine that changes its EM emission spectrum. Of course, if you can plug a thumbdrive into an airgapped machine and get a radio reciever within a few feet of it I really wouldn't call it "airgapped" enough. You might as well just write to the USB drive.

Maybe could be made to work with mice and keyboards, which have nice long cable antennas. They're supposed to be shielded but are often poor.

Play along at home: http://www.icrobotics.co.uk/wiki/index.php/Turning_the_Raspb...

Replace "few feet" with "up to about 100 m" for a properly designed EM signal and high sensitivity directional antennas.
My use for an air-gapped machine is for a personal CA (certificate authority). I'm using a RPi2 for this (no wifi). Proceedure: 1. Download all the software needed for the CA (possibly getting compromised packages). 2. Disconnect from the network, setup the CA. 3. Setup an intermediate CA on a YubiKey. 4. Turn off RPi2 and store micro-SD card with CA secrets in a safe. 5. If CA needed in the future, only plug in "CA" micro-SD when RPi is not connected to the network. 6. Since the CA is never in a machine connected to a network, even if the RPi2 is compromised (assuming it's not the secret generation) the secrets aren't leaked.

However, with this attack, or a similar one, maybe my laptop is also compromised and the RPi2 can exfiltrate to the laptop (which is nearby and connected to the network). Perhaps via toggling the caps-lock LED on the keyboard (at a high rate with low duty cycle so it's invisible to the eye) or via the monitor cable. Security is "fun"

This isn't any new research. It is believed this (air gap) is one of the ways Stuxnet spread many years ago [1]

[1] https://www.wired.com/2014/12/hacker-lexicon-air-gap/

The article says that Stuxnet spread to target machines by using files on infected USB drives. This is different, data is transmitted from an off-the-shelf drive via electromagnetic interference.