These attacks work against defenders that can’t be bothered to implement WW2 era defences. These kinds of “attacks” have been well understood for a good 70 years now.
It’s simply restating the obvious. Nothing has changed, unshielded electronics continue to let out measurable EM emissions. The people who worry about this sort of thing have been shielding their electronics since well before computers as we know them existed.
> Probably took non-zero effort to develop?
In the sense that doing anything takes non-zero effort by definition.
> I won't be surprised if even the power connection becomes a future (unintended) means of data transmission.
That's already a thing. From the same author as the TFA, PowerHammer [1] exfiltrates data using current flow fluctuations. There's also Powermitter [2] (from some researchers at Wuhan University), which is exfiltration via power supply EMF leakage.
Powerline communications usually needs dedicated Ethernet (or what have you) <-> power line converter... I think they meant something more like powerhammer [1] which works by controlling processor workload, causing the power draw of the system to throttle up and down in such a way that it becomes a useful exfiltration channel (assuming your adversary can tap into a distribution board and measure power usage).
What do you mean by copycat? As in he takes someone else's paper and gives it a clever name? Or do you just mean he is using lots of silly methods of doing data exfil?
Nope, that same author has tons of papers about exfiltrating data from air gapped systems using many different mechanisms. Copycat is the wrong way of thinking about it. All different but do the same kind of thing.
The value is pretty limited when the answer is consistently and predictably "Yes".
The author is clearly an expert in exfiltration and has deep insights in the area. But instead of working on presenting the big picture, prefers to throw breadcrumbs to the community. After a dozen of "exfiltration using X" papers, one would at least expect an SoK paper.
I know of at least two security-related workshops that explicitly call for "negative results". So, even failures in this research field are definitely publishable, if accompanied with adequate insights.
The list you gave quite neatly illustrates why EMSEC zones exist. If your security posture includes physical exclusion out to a distance where these signals are no longer discernible above the background noise, and/or you have faraday cages built into the walls as in the case of a standard SCIF, then these attacks aren't likely to be effective.
Pretty sure that the point of an EMSEC zone is to enable the use of commercial off the shelf (COTS) computing gear for classified processing. TEMPEST equipment is very expensive and a SCIF obviates the need for it.
A new day and a "new" air-gap exfiltration from this dude.
What ENI generating buses and peripherals are left now that he's done sata, dram, cpu, fanspeed and ethernet?
There was an exploit which caused "air-gapped" servers on the bottom of a rack to undergo heat/cool cycles so that servers above it in the same rack could sense the low-frequency digital temperature signal via their own temperature sensors.
This feels like one of those classic things, though, where you read this and go "ha ha, that'll never be valuable or even work in real life", and then in ten years you read an article that's something like "Hackers Steal Ugandan President's Credit Card Data by Reading a Single Bit".
Identifying attack vectors is just building up an arsenal of tools that can potentially be used depending on the circumstance.
The standardization of protocols and physical components on computers, paired with the accessibility of global wealth from computers, means that the payout is always there for obscure attacks. They just may have to be incorporated into large toolsets with significant automation to know when it's the right tool for the job.
> They basically churn out a metric fuckload of the same thing, different bus.
Notably, most of the attacks from Mordechai's lab describe low-bandwidth channels for deliberate data exfiltration. These attacks would only apply in unusual situations where an attacker can run arbitrary code on a machine, but the machine is isolated from the outside world. (Scenarios like Iranian nuclear facilities come to mind.)
You say that but I am actively dealing with a chinese malware(public info) I won't name that does just that but with USB. It sideloads a dll when a shortcut opens a legit app on a USB (shortcut is tricky in that it looke like a folder and opens a folder also when you click on it) it then collecte all kinds of documents and exfils to the internet but if there is no internet it archives it back to the USB so next time it runs with internet access it will also exfil any docs on the USB from the airgapped machines, fortunately just a spillover infection for us but these tricks in the paper would enable to not wait for a USB or internet access, it would be more realtime. Like if it is an ICS system for nuclear centrifuges it will send back what ir found and accept destructive tasks.
Not only that. Due to the extremely low bandwidth in these channels and being one way, sendimg documents would be extremely slow.
Likely on the order of hours or days for a text only word document.
You cannot do any re-transmissions for broken bits.
And the range is VERY low for normal PC's that have had to pass EMC tests. For an all glass gamer RGB PC the things will be different.
Well but that is exactly the point of air-gapping. It's meant to give the institution a guarantee that, no matter how badly the box might be owned, no matter if the user themselves is compromised, stuff won't get out. If a user with admin rights on the machine can get it to communicate with the external world, that's an air gap failure.
Right, my point is that this is a class of attacks which are only relevant to a specific, small class of users. It's irrelevant to users who have intentionally enabled any kind of network communications on their computer, and it's also irrelevant to users who have robust controls on what code is executing on their system, or who run untrusted code in an environment which isolates it from hardware (like a virtual machine).
So, in short, it only affects ineptly managed secure environments.
> this is a class of attacks which are only relevant to a specific, small class of users
Yes.
> It's irrelevant to users who have intentionally enabled any kind of network communications on their computer
No, there are lots of use-cases at least for LAN communications.
> it's also irrelevant to users who have robust controls on what code is executing on their system, or who run untrusted code in an environment which isolates it from hardware (like a virtual machine).
No, it's relevant in those cases too, as part of a defense in depth strategy.
> No, there are lots of use-cases at least for LAN communications.
What I'm trying to get at here is that bizarre sidechannels like fan noise or SATA EMI are only relevant when the system administrator has thoroughly locked down all other possible channels of communication. If the system is connected to a wired network, it can communicate with other systems over that; if the network is connected to the Internet, even indirectly, there are probably ways to get data out through there. If the system has a WiFi card or Bluetooth adapter, that can be used to transmit data, even if there isn't an applicable network in range. Etc, etc.
These are all practical attacks. Most of us are just not the right customer for them
For most people, if you are trying to exfiltrate some customer data to sell on the black market, are you going to spend a bunch of development time blinking a LED and setting up a receiver? Nah you’d just move to some other victim because you are trying to make a profit, not waste more money
But someone like a government trying to spy on another country… the cost of spies is pretty high… but pay some engineers to spend all day trying to make a LED blink some data is relatively cheap
That said, I think a lot of these attacks are kind of boring even if they were unpublished. If anyone here was paid 6 figures to do nothing all day but figure out some obscure variables in your computers to flip to exfiltrate some data, I’d be disappointed if you couldn’t figure anything out. I think most of these attacks are kind of obvious.
They are practical, just not widespread. There is no reason for them to be widespread. One use-case is to obtain data from air-gapped machines that do not connect to the Internet. More broadly, these are for targeted attacks not for dumping JS onto everyone who visits wikipedia.
I love these extreme air gap exploits. Detecting keyboard entry by analyzing the sound of the typing and reading CRT monitor radiation to mirror the screen from a distance come to mind.
But have any of these extreme exploits ever been used in the wild? They all seem impossible to pull off in anything but lab controlled conditions.
> But have any of these extreme exploits ever been used in the wild?
I suspect you're going to find out in 50 years when government documents (not inherently US gov) are declassified.
State level spying is the only thing I can think of where the value of the information is so high (making the effort of this kind of attack is worth it) and where there are many scenarios where the volume of highly valuable information is comparatively tiny.
Just as some very off the cuff examples of what I mean by the latter. We don't need to exfiltrate satellite photos of things (gigabytes of data), but, it could be very valuable to exfiltrate the metadata of what they are looking at (coordinates and time)
Also, exfiltrating information like names of sources or meeting points or other methods can be trivial amounts of data but finding even a single compromised person on our side would be immensely valuable!
> I'm curious if there is significant difference between egress and ingress into air gaped systems.
I would expect so. I'm fairly certain there's a big difference between pulling fuzzy data out and figuring out what it means as opposed to trying to electromagnetically fling fuzzy data into a system that's not supposed to have information flung at it and having the system accept what you mean.
Soviet agents secretly installed tiny sensing devices in about a dozen embassy typewriters. The devices picked up the contents of documents typed by embassy secretaries and transmitted them by antennas hidden in the embassy walls. The antennas, in turn, relayed the signals to a listening post outside the
embassy. “Depending on the location of the bugged typewriters, the Soviets were able to receive copies of everything from routine administrative memos to highly classified documents.
“One intelligence officer said the potential compromise of
sensitive information should be viewed with ‘considerable
seriousness.’ “Another intelligence expert said no one knows for sure how many or what secrets were compromised. A third official
called the entire affair a fiasco.
Not exactly the same thing, because it required modifying the devices in question, but during the Cold War the Soviets managed to implant some really fascinating bugs into typewriters used inside the US Embassy:
Yeah... it's hard to know what exactly they get up to in that world, but the floor put under their capabilities by what has been publicly exposed doesn't exactly support the "nah, it's all too hard and nobody would ever bother" argument at all. Even if we assume without real reason to do so that we've heard the most impressive stuff from them, but it's just a small sampling of the number of times they've used it, if your adversary is a state-level actor, you should assume the very, very worst. If you're wrong, it won't be by much.
Read Google's Project Zero blog, too: https://googleprojectzero.blogspot.com/ We don't know that these exploits in particular are used, but consider that Project Zero is the moral equivalent of a hobby for Google. What would it look like to have hundreds of people at that rough skill level, training each other, practicing all the time, and building software support for each other?
The capabilities of attackers are not bounded by your imagination.
Yeah, Snowden mentioned in his experience at NSA they did use tricks like this and this was late 2000's. There is an interview he gives where he goes under a blanket to type his password on a laptop to avoid the crt reader thingy.
Is there any source that it was the crt reading thing specifically? I remember that part of the documentary but I am still wondering if he had a specific attack in mind when he did that.
Van Eck phreaking works through walls. I haven't seen the interview but most likely he was just hiding the physical act of typing, since that too can leak information about a password.
> But have any of these extreme exploits ever been used in the wild?
They all seem impossible to pull off in anything but lab controlled
conditions.
Not at all. I've seen clearly with my own eyes the image of one
persons VT100 CRT tube appearing on another across the room because
the ground shielding had disconnected. If you have a high gain YAGI
antenna, digital RF buffers and some fancy modern DSP lord only knows
what you can snoop through the walls.
Most of this is solved by having a simple metal (steel) PC case and
grounding the PSU though. Use good quality cables with FCC/IEC badges
not the bargain bucket Chinese ones.
I used to see this happen with our old TV's at an old house with really bad grounding. I always wondered why it did that.
We could be playing a video game or movie, and set all the other tv's to channel 2 or something like that, while we played on channel 1. You could see the action on each of them. Almost 1:1 on the reaction times, albeit a little fuzzy.
"The antenna was invented in 1926 by Shintaro Uda of Tohoku Imperial
University, Japan, with a lesser role played by his colleague
Hidetsugu Yagi." [1]
This is not exactly that - this is the use of a SATA bus as an RF radiator to do a (very slow) covert exfiltration channel from an air-gapped computer.
Yeah... but I mean, if the computer is in a steel/aluminum box (likely) then both the distances and locations you can be to be able to intercept that 6ghz signal are pretty limited.
It's a neat attack, but to pull it off you pretty much need both physical access AND the ability to install virused software on the target. Perhaps something the CIA/NSA pull off such as stuxnet? Even then, the point of an air-gapped computer is that installing such software would be pretty difficult in the first place.
I don't mean that the attack isn't possible/wouldn't necessarily work. I'm saying it's impractical given that one of the steps to execute it is "have physical access to the machine, the ability to install software, and time to sit around and record the outbound data (or to be able to revisit the site and collect a recording device)."
With each of those requirements, there are easier and faster ways to get data off a machine. If you can install software you can likely download data that software would access. If you can access the machine twice and install software that runs in the background between visits, you can install your keylogger/data collectors and simply record the data on the device.
Stuxnet wasn't about getting data out of the machine, it was about breaking machines. It worked well because it didn't require physical access to the machines. It spread as a virus through the regular updates that Iran was doing for their machines.
If you had such a stuxnet virus in your back pocket, then you can likely steal the data and record it back on the USB device (or any plugged in USB device) on the system.
I'd say it's a solid "no", and the author says as much in the paper.
> We transmitted the data with a bit rate of 1 bit/sec, which
is shown to be the minimal time to generate a signal which is
strong enough for modulation. The BER for PC-1 is presented
in Table VI. As can be seen, the BER of 1% - 5% is maintained
between 0 - 90 cm. With a greater distance of 120 cm, the
BER is significantly higher and reaches 15%. With PC-2 and
PC-3, the bit error rates (BER) are less than 5% only in short
proximity up to 30 cm, and hence the attack is relevant only
for short ranges in these computers.
This particular attack is a weak 6 GHz signal that can exfil about 1 bit/s from a metre away. It's neat, but impractical.
Pretty sure a ferrite beads can shut this down anyway. But this seems like a more practical question of "If they can get that close do they really need this?" They've already had USB or software access in some form already.
Yup, that's the part that makes this attack completely impractical. You are trying to leak information but first you have to install a virus on the computer? Neat concept, wildly impractical.
I mean, Stuxnet is an illustrative example that has been seen in the wild (and the rare exception of one that became public - in general, if you'd be the target of something like this and found out, the results of that analysis would be classified and unpublishable), and there have been almost 20 years to do improvements since Stuxnet was first developed, so there definitely are real attacks aiming to do stuff and/or exfiltrate data from air-gapped computers after "installing a virus on the computer" - and it's quite clear that Stuxnet did achieve a significant practical effect.
Don't let an attacker run code on your system in the first place. (yes, shielding would of course help against this specific attack, but you have a long list of things to worry about before this kind of thing even becomes relevant)
It wouldn't take much shielding at all for this specific one... you could line a case with a faraday mesh material which would probably me enough for most similar attacks.
That said, for most of these kinds of things, you have to get a malicious payload on such a system. The stuxnet approach is one way, if you have specific targets. Aside from that, you pretty much need phyxical access and be able to load a malicious software. At that point, you may as well stick a small usb bluetooth/wireless dongle, depending on the situation... assuming it's a standard desktop, there's a good chance of unused USB 2 header you could piggy back on.
At that point, an actual faraday cage or mesh on the room in question would be the next practical vector. Some secure buildings are up to 6' thick walls, no communications out except through known devices on wired ports with software checking in place (seen this in finance).
Even a faraday cage would be insufficient if I can get a powermeter into a power outlet on the same circuit. Or if we're talking about a datacenter, I just need a good electrical measurement device (Voltage, Amperage, Frequency, PF) on the cable outside.
I can, in this example, just have the computer use more power to signal a 1 and less power to signal a 0. For a DC I just ramp up the entire DC load. Do that over the span of a week or so to make it less noticable.
At that point, you may as well stick a small usb bluetooth/wireless dongle, depending on the situation...
Right, but there are places where if you stick an unapproved USB device into a computer's USB port, a nice person from security taps you on the shoulder 10 minutes later. In those cases, you may well have the ability to run code on the computer, but no ability to attach removable storage. It's at least plausible (if not exactly probable) that something like this could come into play for somebody looking to exfiltrate a small amount of data from a system they have access to.
I'm thinking something closer to (but perhaps not exactly) like the Edward Snowden kind of scenario. Something where you access to the computer, but can't use the other common place means of getting data off of the machine and out the door. Yeah, it's a stretch, but it's not beyond the bounds of imagination.
Download it from the Internet? Key in the source by hand and compile it locally? Type in the bytes with a hex editor? I mean, there's a lot of possible ways. Note "possible", perhaps even "plausible", but maybe not "probable". And a lot of it would come down to the details of the local situation.
And if you're wondering, I can confirm that I've definitely worked at places where you were not allowed to plug in a USB device (I literally saw a co-worker get the "tap on the shoulder" from Security for doing that), but yet many (most?) Internet downloads were allowed. Does that make sense? Arguably not. Does it happen in the real world? Absolutely yes.
Was in a similar situation before... Was allowed to use my personal device tethered to my cell on the other side of a table... if I needed to look anything up online. Copying code files from read text is not fun at all, spinning in the chair and moving over regularly... didn't have to do it too much... but that's what higher security means in some places. Nothing touches the internal network but your hands (so to speak).
Gain physical access to a machine, install malware that gathers data and transmits it using this vulnerability. Only works if you can set up a listening post within range of the PC.
Certainly very limited utility, and definitely not something any of us should actually be worried about. But it probably is something to be aware of if you run IT for an embassy or any other entity that could be targeted by a highly motivated state sponsored actor.
There are various ways how you can push in malware to isolated systems (compromised USB drives used to be common, and still seem to work in some penetration tests; but in general, you might succeed in getting someone to deliver a malicious document file to such a system with some zero-day in it. Also, compromised hardware - e.g. ship them a USB mouse that 12 hours after plugging in technically becomes also a USB storage device and a USB keyboard to send commands to install stuff), but then you have the trouble of what that malware should do once on those systems - being able to establish a communications channel is useful in such a scenario. So there's definitely a role for such tools, only these scenarios are relevant only to quite expensive targeted attacks, essentially spycraft by state actors, not for e.g. commercial ransomware operators.
You don't need physical access, but you can't do it via Internet. An intercepted/faked software CD/USB would probably be a good vector. They have to install software somehow.
To my understanding (haven't yet read the paper, just the abstract) - most full-disk encryption schemes are implemented in OS as opposed to in-hardware, so if the attacker has deep access to the system they could probably find a way to write unencrypted data to disk? That may not work inside a VM though
It probably does. In the code example on page 5, disk activity is only generated to send a "1", while a "0" is encoded as a time with no disk activity.
Cost yes, but also inflexible cables, more space required for transducers, harder to have a bus where multiple devices access the same transmission medium, can't include power in the same connector etc.
Happy to see that vulnerability names keep going deeper into the metal space: they seem to be making small steps from dad-heavy-metal into the territory of black and doom, corresponding to sometime in the 1970s.
I, of course, will continue to advocate for full-on grindcore. “Putrid Air Carries Pestilent Waves of Betrayal and Decay” or gtfo.
This isn’t the first security software to be called Satan— I remember reading about one back in the 90s for breaking into networks. I guess it’s been long enough that it wouldn’t cause any confusion.
Ironically, I was thrown off (briefly) because I remember reading about the original SATAN back in the day. I may be wrong, but I think it was a precursor to nmap? I haven't looked it up and this was in the late 90's.
See the other ≈50 copycat papers of the author: https://www.semanticscholar.org/author/Mordechai-Guri/226003...
At some point the author is going to run out of clever puns...