"In past research, Guri and his team at the Ben-Gurion university's Cyber-Security Research Center have shown that attackers could steal data from secure systems using a plethora of techniques such as:
LED-it-Go - exfiltrate data from air-gapped systems via an
HDD's activity LED
USBee - force a USB connector's data bus give out electromagnetic emissions that can be used to exfiltrate data
AirHopper - use the local GPU card to emit electromagnetic signals to a nearby mobile phone, also used to steal data
Fansmitter - steal data from air-gapped PCs using sounds emanated by a computer's GPU fan
DiskFiltration - use controlled read/write HDD operations to steal data via sound waves
BitWhisper - exfiltrate data from non-networked computers using heat emanations
Unnamed attack - uses flatbed scanners to relay commands to malware infested PCs or to exfiltrate data from compromised systems
xLED - use router or switch LEDs to exfiltrate data
aIR-Jumper - use a security camera's infrared capabilities to steal data from air-gapped networks
HVACKer - use HVAC systems to control malware on air-gapped systems
MAGNETO & ODINI - steal data from Faraday cage-protected systems
MOSQUITO - steal data from PCs using attached speakers and headphones
PowerHammer - steal data from air-gapped systems using power lines
CTRL-ALT-LED - steal data from air-gapped systems using keyboard LEDs
BRIGHTNESS - steal data from air-gapped systems using screen brightness variations
Can I get some clarity on the types of data they extract?
Looking at blinking LEDs tells me that the HDD is on and processing something, yes, but it doesn’t tell me the digits of the credit card number it’s processing (for example).
Do they researchers track the value of the information they “steal”? Or is any data at all valuable?
"Guri's research doesn't look at ways of compromising and planting malware on these super-secure systems" ... "malicious code planted on an air-gapped system can control the speed at which fans work"
Ohhh I misunderstood; I thought they were stealing data by simply observing the blinking LED, not that they had infiltrated the computer and were controlling the LED.
The term "exfiltrate" implies that the data is being "pushed" or otherwise sent outward from the machine, as opposed to being harvested from the outside.
Allmost (or all?) of those attacks are only possible, if the target computer is infected.
And the scenario is that the virus wants to send data out, to a nearby decice which is also infected.
It's about how to get data out once you've already compromised the machine. You control the blinking of the LED to match match the data you want to capture out.
Basically the idea is that air gapped is still not secure. If someone plugs in a foreign flash drive into a computer that is air gapped one would think the data can’t leave the secure machine. With these methods though, it’s clear that any hardware observable to the outside world can be used to exfiltrate data
Well, I think anyone could have thought of the screen or speakers or, well the usb you achieved to plug to get data out of a computer. You have no network but I doubt you can consider airgapped a pc you just plugged a usb device into. Why not plug a mini wifi chip then ?
> AirHopper - use the local GPU card to emit electromagnetic signals
I had this on my W10 1909 machine until the recent MS updates earlier this week. No AV, not even MS own AV picks it up, but I have found a way to detect it.
> DiskFiltration - use controlled read/write HDD operations to steal data via sound waves
There is almost nothing I miss about spinning disks, but having an audible indication that something was going wrong was helpful. I refer to inappropriate disk usage (too little or too much) rather than the noises that preceded a disk death.
You know how some electric cars create fake engine noise at low speeds to avoid sneaking up on pedestrians?
I wish that was an option with SSDs. A little speaker included with the package that I could toggle on. All it does it make fake HDD sounds. Bonus if those sounds match the underlying logical distance and “shape” of the read/write activity.
If you've got an SSD connected by a power cord, presumably you could insert an electric-current-meter to see how much power it's drawing, then hook up a speaker to make corresponding sounds.
Maybe also put a temperature probe inside of the SSD's box (perhaps directly on a controller-IC?), then another probe just outside of the SSD's box (or inside of it, but away from the controller-IC?), then use that temperature difference too?
A software solution would probably be easier, but then you'd have to trust the system to give correct information, which I guess would defeat the point.
Someone who'd really want to go at this might make their own controller to place between the motherboard and SSD. But unless it's passive/transparent, allowing the normal SSD driver to be used, that'd seem to require writing a driver for the controller too.
For a brief second I thought your link was the Radiohead cover that used old computer equipment, including hard drives as speakers. Here’s that link: https://youtu.be/pmfHHLfbjNQ
Thanks for sharing that! I had forgotten that Radiohead help a competition to remix Nude. Interesting tidbit from the YouTube summary:
Radiohead held an online contest to remix "Nude" from their album - "In Rainbows" This was quite a difficult task for everybody that entered, as Nude is in 6/8 timing, and 63bpm. Most music that's played in clubs is around 120bpm and usually 4/4 timing...
...I decided to take the piss a bit, as the contest seemed to be in that spirit. Based on the lyric (and alternate title) "Big Ideas: Don't get any" I grouped together a collection of old redundant hardware, and placed them in a situation where they're trying their best to do something that they're not exactly designed to do, and not quite getting there. It doesn't sound great, as it's not supposed to.
I personally disagree and think it sounds awesome but I get what he means.
I would say they are impractical if you have perfect physical security. Assuming your initial condition is that the air-gapped system is 100% clean to start with, you would need physical access at least one time to kick off the show for all of these crazy schemes.
Air gapping only means lack of network interfaces, so sneakernet is used to transmit data.
And sneakernet (floppies back then) was the primary delivery medium for computer viruses before it was common for personal computers to have internet access.
In regard to your 2nd question, there are a few ways I'm aware of:
1. USB devices. If you need to move software from outside the air gap to inside, it's pretty easy to imagine somebody copying malicious software unintentionally through that. You might think that typical AV could detect it, but that could either be worked around, disabled by the operators of those systems, or simply not up-to-date because they're in the air gap.
2. Sometimes, air-gapped systems still have some kind of tunnel that allows an exceptional connection between a system outside the air gap. If you knew how to access that tunnel, you could effectively compromise the air gapped network.
I'm sure there are more ways too. But those are a few I know off-hand.
If stuxnet [1] is a possibility, then yes, these attacks are a thing in the real world. They may be rare, but I think nation states are very interested in research like this for precisely the reason that this could happen to them.
Consider the threat model for a moment. You have an airgapped machine, users who use that airgapped machine, and data that must get loaded onto the airgapped machine through some means. You need to land your malware on the machine so you need to understand the security posture of it to tailor proper evasions and which also align to your goals. Can you run with a simple recompiled Mimikatz or do you need to craft a custom multi-stage post-exploitation toolkit?
The malware needs to be deployed via existing trusted means of data transfer so you need to understand what that trust model is and search for weaknesses you may exploit. Is data transfer as simple as plugging in a USB stick or are there multiple gating functions like signature verification, etc on adjacent systems before you can move to the primary?
The data transfer is usually executed by a human being who must plug in some media with your malware on it either wittingly or unwittingly. The former requires working that human as an asset over a long term blackmail or HUMINT campaign. The latter involves compromising the supply chain that ends with executables being copied to the media vector.
These are concentric circles of controls between you and that airgap - but each has a weakness. There are entire agencies and organizations who live, breath, and execute targeted searches for those weaknesses. So yes, in my opinion these are real threats IF an adversary that has the capability, time, and funding to perform the above falls within your organization's threat model.
"Banks regularly use Faraday-shielded rooms to protect servers."
But they do not seem to be air gapped, as then the use of the data would be very limited.
I would assume, the main interest in air gapped systems are top secret, high value research projects, as well as many secret agencies, who must assume, that their IT equipment comes with a backdoor installed at hardware level.
Other ways of getting the virus in: at some point, the computer needs software and data. When the data comes in, so can a virus and uae a unknown zero day exploit.
Except for the ultra slow data extraction part, all other aspects are feasible to a highly motivated state actor. There's a habit of stuxnet being raised as a catchall example of what can be done, but it really was a highly remarkable operation and also answers your second question. They basically infected all the vendors that had access to the airgapped machines for maintenance and got the software onto the machine through someone pluggin in their usb. I think it was said they actually ended up just planting/converting a mole in the vendors during access for more reliability but it's still quite extraordinary
> In fact, data can be exfiltrated through vibrations at a lowly speed of half a bit per second, making AiR-ViBeR one of the slowest exfiltration methods that Guri and his team have come up with in recent years.
My personal private key has a file size of 3,243 bytes. At the quoted speed, it would take ~14.4 hours to steal assuming that the time spent recording is completely continuous.
A single ASCII character would take 16 seconds to "steal".
I suppose for plain text files, converting the encoding from extended ASCII (aka 8-bit) to regular ASCII (7-bit) is worthwhile if one really wants to pursue this type of worthwhile.
Although in retrospect you can get even higher speedups by condensing the character encoding table down to A-z and 0-9 and omitting quite a few of the ASCII characters from the lookup table.
that's the slowest method of exfiltration (as mentioned in your quote). I looked at USBee (one of the other methods mentioned by the article) and found [0] which says:
> USBee transmits data at about 80 bytes per second, fast enough to pilfer a 4096-bit decryption key in less than 10 seconds.
These methods are only going to be deployed for very high value data, so it's likely you would want a method of flagging a certain machine as infected (which something like AiR-ViBeR would be very suitable for) so you can use something more high frequency (but maybe more likely to be detected) to get larger amounts of data off the drive.
If you're going to the trouble of setting up this kind of exfiltration plan, that 14 hours is probably less than 1% of your expended man hours. But the critical element is that it is nearly unstoppable and undetectable after the fact unless the source is recording all EMF and audio state around it. If your attack code deletes itself when its done, all the "normal" data loss prevention controls are irrelevant.
Yep. As long as you have control over the system, you can use any physical phenomenon to communicate: blink the LEDs, beep with the speaker, tap it out with robot arm etc. Not very groundbreaking per se.
Here’s an article from 2016 about the same team. In this attack, they use the sound of the fans instead of the vibration. The difference is, they would need microphone permissions in infected smartphones, whereas the vibration method can be transmitted with accelerometers (which doesn’t require user’s permission)
Use case for air gapping technics, despite their small bandwidth:
- very powerful agencies with the aim to get valuable information exists
- they want and do infect as many systems as possible automatically, by sneaking into them by all means avaiable (OS updates, hardware backdoors, zero days, ..), wih the hope of getting to valuable targets eventually (but zombies have a value, too)
- any organization with very sensitive data, high value research or other (smaller) intelligence agency knows that, so they try to have their most sensitive data on air gapped networks or single computers.
- the attackers already drown in information and do not want their virus to be exposed so easy, so air gapping technics will likely be not used normaly to reduce dedection risk (also the are slow and unreliable)
But, now to get the most sensitive informations, all the atackers have to do, is checking if the system is air-gapped. Means, it is likely that it is a high value target.
Now the various technices come into play, so the virus tries to communicate with the outside world in the hope of a also infected device nearby with which it can maybe exchange a few kb.
If he can make a small connection, then a human (or algorithm) can check, if it is really a high value target worth deploying more sophisticated attacks, or just a paranoid hacker trying to protect his personal stuff, or just a old forgotting pc.
In other words, if you have really sensitive data, air gapping it, might be the way to attract attackers in the first place ..
In theory, anything that can have at least two distinct observable states can be used to store/transmit data. That is, after all, the whole principle which makes binary digital computing possible.
> Guri says that malicious code planted on an air-gapped system can control the speed at which fans work. By moderating fan speed up and down, the attacker can control the frequency of the vibrations coming off the fan.
Ah, so it's a malicious program using fan vibrations to communicate data to an attacker via sound where the attacker doesn't have a network connection to the computer the malicious program is running on?
I thought it was going to be something to do with e.g. passively reading passwords/keys via the fan vibrations somehow when the system was running non-malicious code.
given the list of other exploits these guys have for exfiltrating data from airgapped computers, it seems like if you are going to the trouble of making an airgapped computer, you should put it in its own room with no other computers and that nobody is allowed to bring their phone into.
Why is this research? Everyone knows that software can control fan speed either directly with commands or indirectly with load. Everyone also knows you can hear the sounds fans make and microphones can pick up sounds or vibrations. It seems to be just a mundane engineering job or hobby project. Maybe there's some value in getting a higher bandwidth or longer range detection or whatever, but the basic principle is too obviously true to need to be proved.
How fun. Practical implementation in most cases is movie plot level implausible, but for certain high value systems we already know that state level actors have the resources and patience to do something like build a side channel link by having air gapped systems relay in and out via acoustics with HVAC or whatever.
This is going to be a lot more serious as IOY device capabilities increase -- so many available microphones and radios built into everything.
66 comments
[ 2.8 ms ] story [ 141 ms ] thread"In past research, Guri and his team at the Ben-Gurion university's Cyber-Security Research Center have shown that attackers could steal data from secure systems using a plethora of techniques such as:
LED-it-Go - exfiltrate data from air-gapped systems via an
HDD's activity LED
USBee - force a USB connector's data bus give out electromagnetic emissions that can be used to exfiltrate data
AirHopper - use the local GPU card to emit electromagnetic signals to a nearby mobile phone, also used to steal data
Fansmitter - steal data from air-gapped PCs using sounds emanated by a computer's GPU fan
DiskFiltration - use controlled read/write HDD operations to steal data via sound waves
BitWhisper - exfiltrate data from non-networked computers using heat emanations
Unnamed attack - uses flatbed scanners to relay commands to malware infested PCs or to exfiltrate data from compromised systems
xLED - use router or switch LEDs to exfiltrate data
aIR-Jumper - use a security camera's infrared capabilities to steal data from air-gapped networks
HVACKer - use HVAC systems to control malware on air-gapped systems
MAGNETO & ODINI - steal data from Faraday cage-protected systems
MOSQUITO - steal data from PCs using attached speakers and headphones
PowerHammer - steal data from air-gapped systems using power lines
CTRL-ALT-LED - steal data from air-gapped systems using keyboard LEDs
BRIGHTNESS - steal data from air-gapped systems using screen brightness variations
Looking at blinking LEDs tells me that the HDD is on and processing something, yes, but it doesn’t tell me the digits of the credit card number it’s processing (for example).
Do they researchers track the value of the information they “steal”? Or is any data at all valuable?
https://en.wikipedia.org/wiki/Van_Eck_phreaking
(and if you have access to the machine, then this only makes it easier to get data out)
I had this on my W10 1909 machine until the recent MS updates earlier this week. No AV, not even MS own AV picks it up, but I have found a way to detect it.
There is almost nothing I miss about spinning disks, but having an audible indication that something was going wrong was helpful. I refer to inappropriate disk usage (too little or too much) rather than the noises that preceded a disk death.
I wish that was an option with SSDs. A little speaker included with the package that I could toggle on. All it does it make fake HDD sounds. Bonus if those sounds match the underlying logical distance and “shape” of the read/write activity.
If you've got an SSD connected by a power cord, presumably you could insert an electric-current-meter to see how much power it's drawing, then hook up a speaker to make corresponding sounds.
Maybe also put a temperature probe inside of the SSD's box (perhaps directly on a controller-IC?), then another probe just outside of the SSD's box (or inside of it, but away from the controller-IC?), then use that temperature difference too?
A software solution would probably be easier, but then you'd have to trust the system to give correct information, which I guess would defeat the point.
Someone who'd really want to go at this might make their own controller to place between the motherboard and SSD. But unless it's passive/transparent, allowing the normal SSD driver to be used, that'd seem to require writing a driver for the controller too.
This means that one could theoretically use a harddrive as a microphone!
See https://www.youtube.com/watch?v=tDacjrSCeq4 for a demo, yelling at harddrives increases their latency.
Radiohead held an online contest to remix "Nude" from their album - "In Rainbows" This was quite a difficult task for everybody that entered, as Nude is in 6/8 timing, and 63bpm. Most music that's played in clubs is around 120bpm and usually 4/4 timing...
...I decided to take the piss a bit, as the contest seemed to be in that spirit. Based on the lyric (and alternate title) "Big Ideas: Don't get any" I grouped together a collection of old redundant hardware, and placed them in a situation where they're trying their best to do something that they're not exactly designed to do, and not quite getting there. It doesn't sound great, as it's not supposed to.
I personally disagree and think it sounds awesome but I get what he means.
I wonder if you could design something to sit inline on an IDE connection and emulate hard disk sounds in relation to read/write workloads...
https://www.usenix.org/node/190937
One issue that jumps out at me is if the system is air-gapped, how does the malicious software get there in the first place without being detected?
And sneakernet (floppies back then) was the primary delivery medium for computer viruses before it was common for personal computers to have internet access.
1. USB devices. If you need to move software from outside the air gap to inside, it's pretty easy to imagine somebody copying malicious software unintentionally through that. You might think that typical AV could detect it, but that could either be worked around, disabled by the operators of those systems, or simply not up-to-date because they're in the air gap.
2. Sometimes, air-gapped systems still have some kind of tunnel that allows an exceptional connection between a system outside the air gap. If you knew how to access that tunnel, you could effectively compromise the air gapped network.
I'm sure there are more ways too. But those are a few I know off-hand.
[1] Stuxnet had compromised airgapped computers
The malware needs to be deployed via existing trusted means of data transfer so you need to understand what that trust model is and search for weaknesses you may exploit. Is data transfer as simple as plugging in a USB stick or are there multiple gating functions like signature verification, etc on adjacent systems before you can move to the primary?
The data transfer is usually executed by a human being who must plug in some media with your malware on it either wittingly or unwittingly. The former requires working that human as an asset over a long term blackmail or HUMINT campaign. The latter involves compromising the supply chain that ends with executables being copied to the media vector.
These are concentric circles of controls between you and that airgap - but each has a weakness. There are entire agencies and organizations who live, breath, and execute targeted searches for those weaknesses. So yes, in my opinion these are real threats IF an adversary that has the capability, time, and funding to perform the above falls within your organization's threat model.
"Banks regularly use Faraday-shielded rooms to protect servers."
But they do not seem to be air gapped, as then the use of the data would be very limited.
I would assume, the main interest in air gapped systems are top secret, high value research projects, as well as many secret agencies, who must assume, that their IT equipment comes with a backdoor installed at hardware level.
Other ways of getting the virus in: at some point, the computer needs software and data. When the data comes in, so can a virus and uae a unknown zero day exploit.
USB pendrives, https://en.m.wikipedia.org/wiki/Stuxnet
I am just working on a chart that shows a tooltip when the mouse cursor hovers over a data point.
Everytime the tooltip is shown, my laptop cheeps
edit: or even if I just scroll the browser window
https://dl.acm.org/doi/10.1145/2851486
> In fact, data can be exfiltrated through vibrations at a lowly speed of half a bit per second, making AiR-ViBeR one of the slowest exfiltration methods that Guri and his team have come up with in recent years.
My personal private key has a file size of 3,243 bytes. At the quoted speed, it would take ~14.4 hours to steal assuming that the time spent recording is completely continuous.
A single ASCII character would take 16 seconds to "steal".
Although in retrospect you can get even higher speedups by condensing the character encoding table down to A-z and 0-9 and omitting quite a few of the ASCII characters from the lookup table.
> USBee transmits data at about 80 bytes per second, fast enough to pilfer a 4096-bit decryption key in less than 10 seconds.
These methods are only going to be deployed for very high value data, so it's likely you would want a method of flagging a certain machine as infected (which something like AiR-ViBeR would be very suitable for) so you can use something more high frequency (but maybe more likely to be detected) to get larger amounts of data off the drive.
[0] https://arstechnica.com/information-technology/2016/08/meet-...
https://www.wired.com/2016/06/clever-attack-uses-sound-compu...
- very powerful agencies with the aim to get valuable information exists
- they want and do infect as many systems as possible automatically, by sneaking into them by all means avaiable (OS updates, hardware backdoors, zero days, ..), wih the hope of getting to valuable targets eventually (but zombies have a value, too)
- any organization with very sensitive data, high value research or other (smaller) intelligence agency knows that, so they try to have their most sensitive data on air gapped networks or single computers.
- the attackers already drown in information and do not want their virus to be exposed so easy, so air gapping technics will likely be not used normaly to reduce dedection risk (also the are slow and unreliable)
But, now to get the most sensitive informations, all the atackers have to do, is checking if the system is air-gapped. Means, it is likely that it is a high value target.
Now the various technices come into play, so the virus tries to communicate with the outside world in the hope of a also infected device nearby with which it can maybe exchange a few kb.
If he can make a small connection, then a human (or algorithm) can check, if it is really a high value target worth deploying more sophisticated attacks, or just a paranoid hacker trying to protect his personal stuff, or just a old forgotting pc.
In other words, if you have really sensitive data, air gapping it, might be the way to attract attackers in the first place ..
Computer security is hard.
Ah, so it's a malicious program using fan vibrations to communicate data to an attacker via sound where the attacker doesn't have a network connection to the computer the malicious program is running on?
I thought it was going to be something to do with e.g. passively reading passwords/keys via the fan vibrations somehow when the system was running non-malicious code.
This is going to be a lot more serious as IOY device capabilities increase -- so many available microphones and radios built into everything.