Academics steal data from air-gapped systems using PC fan vibrations

auntjemima

In past research, Guri and his team at the Ben-Gurion university's Cyber-Security Research Center have shown that attackers could steal data from secure systems using a plethora of techniques such as:

LED-it-Go - exfiltrate data from air-gapped systems via an HDD's activity LED
USBee - force a USB connector's data bus to give out electromagnetic emissions that can be used to exfiltrate data
AirHopper - use the local GPU card to emit electromagnetic signals to a nearby mobile phone, also used to steal data
Fansmitter - steal data from air-gapped PCs using sounds emanated by a computer's GPU fan
DiskFiltration - use controlled read/write HDD operations to steal data via sound waves
BitWhisper - exfiltrate data from non-networked computers using heat emanations
Unnamed attack - uses flatbed scanners to relay commands to malware infested PCs or to exfiltrate data from compromised systems
xLED - use router or switch LEDs to exfiltrate data
aIR-Jumper - use a security camera's infrared capabilities to steal data from air-gapped networks
HVACKer - use HVAC systems to control malware on air-gapped systems
MAGNETO & ODINI - steal data from Faraday cage-protected systems
MOSQUITO - steal data from PCs using attached speakers and headphones
PowerHammer - steal data from air-gapped systems using power lines
CTRL-ALT-LED - steal data from air-gapped systems using keyboard LEDs
BRIGHTNESS - steal data from air-gapped systems using screen brightness variations

What a fun job.
 
No lock has been made that someone will not eventually be able to pick, which is one of the main reasons (I would think, anyway) why Fort Knox is protected by M1 Abrams and heavily armed guards.
 
In past research, Guri and his team at the Ben-Gurion university's Cyber-Security Research Center have shown that attackers could steal data from secure systems using a plethora of techniques such as:

[...]

What a fun job.

Yeah, those listed are crazy. Like, the HDD LED one. I could see sending code, like Morse code, but data? I guess in 1's and 0's with on and off, but that would take ages, AND how could you link 111, for instance? The light would need to shut off to come back on and give another signal.

Guess I have some reading to do.
 
It sounds like you still need physical access to the computer to install some sort of malware before these techniques can be used to retrieve data.
If you need physical access to the system to install your phony fans and controller software, then it's not really an attack.
Unless your attack is so premeditated that you switch the fans on the exact system that you knew would be installed at the exact location where you want to steal data from.
 
For a secure air-gapped system, needing local access to install the software is somewhat of a limitation, although Stuxnet demonstrated pretty clearly that air gaps can still be overcome.

But what about "grey hats," like Google? Or bad actors who are seeking people using normal systems? For example, the various capabilities these researchers have demonstrated could be used for clandestine herd/cohort tracking by burying functions in mobile device drivers, if not via traditional malware.
 
I remember my father telling me certain pieces of test equipment were forbidden from secure places because the tubes were suspected to be microphonic. Of course, they would also have to be in circuits that leak detectable RF...

He designed some parts of the surveillance receiver that Nixon abused to spy on Watergate. So I figure he probably knew all sorts of even crazier things he could tell, but would have to kill me...
 
Yeah, those listed are crazy. Like, the HDD LED one. I could see sending code, like Morse code, but data? I guess in 1's and 0's with on and off, but that would take ages, AND how could you link 111, for instance? The light would need to shut off to come back on and give another signal.

Guess I have some reading to do.
It wouldn't take ages to leak a password.
 
From reading the articles, the exploits listed are about installing a worm/virus/malware on an off-internet secure computer and then transmitting data to a smartphone or other wireless device without plugging anything in. Most of them are in the "theoretically works" category rather than being of any real practical use.
 
From reading the articles, the exploits listed are about installing a worm/virus/malware on an off-internet secure computer and then transmitting data to a smartphone or other wireless device without plugging anything in. Most of them are in the "theoretically works" category rather than being of any real practical use.

Yup. Literally impossible.
 
In past research, Guri and his team at the Ben-Gurion university's Cyber-Security Research Center have shown that attackers could steal data from secure systems using a plethora of techniques such as:

[...]

What a fun job.

These are obviously NOT secure systems. They are compromised systems.

These are interesting ways to get data out of a compromised air gapped system, but compromising the air gapped system is probably the harder part.
 
Reminds me of Eagle Eye (2008):


In 2008, it was Hollywood fiction.
In 2020, it is just another aspect of the dark cyberpunk future. :borg:
 
For most of us, articles like this are interesting reading but little else. If you are someone managing an air-gap system, articles like this should be a warning to investigate anything that seems odd, no matter how trivial.
 
The only concern is if you're buying your shit from another country without good transparency. Then you're at risk. For example, we sold Saddam printers which sent us a copy of what was printed. We have chipsets and processors coming to us from China. Smooth move on our part.
 
It sounds like you still need physical access to the computer to install some sort of malware before these techniques can be used to retrieve data.

Not necessarily direct physical access: secured machines are always in need of updating and software installs. All it takes is one compromised update to make any of these techniques feasible. That being said, sensational headline is sensational, as it implies that these machines are leaking data without any sort of special intervention, which is absolutely not true.
 
Yeah, those listed are crazy. Like, the HDD LED one. I could see sending code, like Morse code, but data? I guess in 1's and 0's with on and off, but that would take ages, AND how could you link 111, for instance? The light would need to shut off to come back on and give another signal.

Guess I have some reading to do.

Correct. One solution is to blink the LED fast enough to not be detectable by the human eye.
 
Guys there are very clear scenarios where this can matter.

1. You identify someone responsible for servers in a secure air gap protected facility.

2. You confirm they have access to bring their laptop with them into the facility.

3. You infiltrate their laptop and place code on it that uses the onboard microphone to listen for specific frequency changes in fan harmonics.

4. You also put code on it so you can ride that device's connection to a service processor of a server to input your code via an otherwise normal firmware update process.

5. You modify your code so it bypasses the vendor's BIOS software security checks specifically put in place to validate the software as a genuine BIOS from the vendor.

6. You wait for the tech to use their laptop to update the firmware on the server, THEN infect it to communicate authentication information via harmonics while they are in the room of servers with your problem server.

7. You hope through snippets that you are able to gather all of the information you need in the window of time as to be useful to your end goals or establish a bad password pattern of someone in the office.

Yeah, that's all it would take, and considering that laptop is going to be moving around and scanned for malware regularly, not to mention replaced every x number of years, your chances of successfully getting all this done against an actual secure environment are pretty much NIL.
 
There are a few very important things for the naysayers saying this is impossible and could never work in the real world to consider here:
  1. This has verifiably been successfully executed before.
  2. This has verifiably been successfully executed before.
  3. This has verifiably been successfully executed before.
  4. This has verifiably been successfully executed before.
  5. This has verifiably been successfully executed before.
  6. Just in case you missed the first 5 items, go and read them again.
  7. There is no such thing as a truly air-gapped system. This is a hypothetical ideal, but it isn't reality. Computers exist in order to get data out of them. If data is coming out, there is no air gap.
  8. These types of attacks don't require a laptop. They can be done via any type of drive, USB stick, uSD card, or even external PLC.
  9. State actors usually engage in multi-year campaigns to infiltrate the highest value target systems. If it takes a couple of years of having the malware out in the wild attempting to gain access, that's not just acceptable - it's normal.
  10. High value air-gapped systems routinely have service lives measured in fractional centuries. If it takes 5 years to gain access to a newly installed system, that means the hack could be bearing fruit for another 30-50 years.
But what if we aren't talking about state actors taking down nuclear programs and instead start looking at, say, Google or Facebook? They could implement these non-radio data transmission approaches to increase user tracking, for example. With your phone beeping data out of its speaker unbeknownst to you, you could end up walking around with a location beacon like a Tile.
 
Yeah, those listed are crazy. Like, the HDD LED one. I could see sending code, like Morse code, but data? I guess in 1's and 0's with on and off, but that would take ages, AND how could you link 111, for instance? The light would need to shut off to come back on and give another signal.

Guess I have some reading to do.
You can look up the UART protocol or the 1-Wire protocol to get an idea of how you might send/receive data across a single channel. You probably can't send data very quickly, like you said.
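The single-channel signalling the reply above points at (UART or 1-Wire style) is what answers the "how do you send 111" question, so here it is in code. This is an added example, not code from the thread or from the research papers it discusses: bytes are framed the way a UART does (start bit, eight data bits, stop bit) and put on a two-level channel as NRZ, a receiver recovers them purely by sampling timing, and a Manchester variant shows how a transition inside every bit lets the receiver notice a stuck or misaligned channel. The bit period (SAMPLES_PER_BIT), the idle level and the payload bytes are constructed for the demo.

```python
"""Added example: bytes over a single on/off channel (an LED, a two-speed fan tone).

Three consecutive 1s are one long 'on'; the receiver tells them apart by counting
bit periods from the start edge, not by waiting for the light to go off.
SAMPLES_PER_BIT, IDLE and the payloads are constructed for this demo.
"""

SAMPLES_PER_BIT = 4   # constructed: how often the receiver samples one bit period
IDLE = 1              # channel level between frames (UART idle is high)


def uart_frame(byte: int) -> list[int]:
    """8N1 framing: start bit (0), eight data bits LSB first, stop bit (1)."""
    return [0] + [(byte >> i) & 1 for i in range(8)] + [1]


def nrz_encode(data: bytes, spb: int = SAMPLES_PER_BIT) -> list[int]:
    """NRZ: hold each bit's level for a whole bit period.  Three 1s in a row are
    simply one 'on' lasting three periods; the receiver counts periods."""
    samples = [IDLE] * spb                      # idle before the first frame
    for byte in data:
        for bit in uart_frame(byte):
            samples += [bit] * spb
        samples += [IDLE] * spb                 # idle gap between frames
    return samples


def nrz_decode(samples: list[int], spb: int = SAMPLES_PER_BIT) -> bytes:
    """UART-style receiver: wait for the 1->0 start edge, then sample the centre
    of each of the following nine bit periods (eight data bits, then stop)."""
    out = bytearray()
    i = 1
    while i < len(samples):
        if samples[i - 1] == IDLE and samples[i] == 0:      # start edge found
            centre = i + spb // 2
            if centre + spb * 9 >= len(samples):
                break                                       # truncated frame
            bits = [samples[centre + spb * (k + 1)] for k in range(8)]
            if samples[centre + spb * 9] == 1:              # stop bit checks out
                out.append(sum(b << k for k, b in enumerate(bits)))
            i = centre + spb * 9                            # resume after the frame
        i += 1
    return bytes(out)


def on_run_lengths(samples: list[int]) -> list[int]:
    """Lengths of consecutive 'on' (1) stretches: shows that 111 is one long run."""
    runs, run = [], 0
    for s in samples:
        if s == 1:
            run += 1
        elif run:
            runs.append(run)
            run = 0
    if run:
        runs.append(run)
    return runs


def manchester_encode(data: bytes, spb: int = SAMPLES_PER_BIT) -> list[int]:
    """Manchester (IEEE 802.3 convention): 0 -> high then low, 1 -> low then high.
    Every bit carries a transition at mid-period, whatever the data."""
    half = spb // 2
    samples = []
    for byte in data:
        for k in range(8):
            first, second = (0, 1) if (byte >> k) & 1 else (1, 0)
            samples += [first] * half + [second] * half
    return samples


def manchester_decode(samples: list[int], spb: int = SAMPLES_PER_BIT) -> bytes:
    """Read the direction of the mid-bit transition: low->high is 1, high->low is 0.
    A period with no transition means the channel is stuck or alignment was lost."""
    half = spb // 2
    bits = []
    for start in range(0, len(samples) - spb + 1, spb):
        pair = (samples[start], samples[start + half])
        if pair == (0, 1):
            bits.append(1)
        elif pair == (1, 0):
            bits.append(0)
        else:
            raise ValueError(f"no transition in bit period starting at sample {start}")
    return bytes(sum(b << k for k, b in enumerate(bits[i:i + 8]))
                 for i in range(0, len(bits) - 7, 8))
```

Running `nrz_decode(nrz_encode(b"pw:7!"))` gives the payload back, and `on_run_lengths(nrz_encode(b"\x07"))` shows the three 1 bits of 0x07 as a single run of 12 samples, bracketed by the idle level: nothing in the signal separates them except the agreed bit period. The stop-bit check in `nrz_decode` is the cheap sanity test a real UART does too; a frame whose stop bit is not high is dropped rather than trusted.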
 
There are a few very important things for the naysayers saying this is impossible and could never work in the real world to consider here:
  1. This has verifiably been successfully executed before.
  2. This has verifiably been successfully executed before.
  3. This has verifiably been successfully executed before.
  4. This has verifiably been successfully executed before.
  5. This has verifiably been successfully executed before.
  6. Just in case you missed the first 5 items, go and read them again.
  7. Talking about state actors taking down nuclear programs and instead start looking at, say, Google or Facebook? They could implement these non-radio data transmission approaches to increase user tracking, for example. With your phone beeping data out of its speaker unbeknownst to you, you could end up walking around with a location beacon like a Tile.

OK, to address 1 through 6... in a controlled lab. That's great... when you have a single server and a single receiver, be that a camera or an audio device listening for the frequency pitches.

To elaborate on the frequency changes... are you aware of what a white noise generator is? Imagine a computer room with 200 servers in it... your white noise, with the CRAC systems and other devices, is insane. You would need a sound filtration system that I would consider borderline impossible.

Now to get video... it's just not going to happen without a person being compromised or unknowingly installing a device that collects the data feed in question. Even then we are talking about a VERY HIGH level of difficulty.

To the statement that there is no such thing as air-gapped networks: I can only elaborate so much, but the statement is, you are wrong. There ARE truly air-gapped systems. I've dispatched engineers to change out a failed drive once, and they reported that they had to leave all of their tools and personal belongings, including clothing, in a locker, put on a provided jumpsuit, and use hardware that was shipped onsite (or was previously already there in a box), then be escorted by an armed marine to swap the drive. At no time can they carry extraneous equipment. Everything they use is provided by the site. Once they are done they strip down again, get to take another shower, and get dressed to leave.

So yes... air-gapped systems DO exist.

And what systems do you know of that sit around for half a century? Are you talking about silo controls or something? Half a century would still be using punch cards for programming.
 
OK, to address 1 through 6... in a controlled lab. That's great... when you have a single server and a single receiver, be that a camera or an audio device listening for the frequency pitches.

The specific exploit in the headline was in a lab. Stuxnet, however, famously broke into Iran's airgapped nuclear systems over a decade ago. You think that was the only time an air gapped system was ever compromised?

To elaborate on the frequency changes... are you aware of what a white noise generator is? Imagine a computer room with 200 servers in it... your white noise, with the CRAC systems and other devices, is insane. You would need a sound filtration system that I would consider borderline impossible.

You should try listening to the 2.4 GHz band some time. Can you imagine being somewhere with 200 devices simultaneously trying to transmit data on 2.4 GHz? Literally impossible, right? Never going to happen? All of those devices all transmitting at once would just lead to white noise, right?

unknowingly installing a device that collects the data feed in question. Even then we are talking about a VERY HIGH level of difficulty.

Uh, yeah. Duh. That is exactly how this works. I'm not sure if you were being sarcastic with your statement.

There ARE truly air-gapped systems. I've dispatched engineers to change out a failed drive once

New hard drive of outside origin? Air gap broken. 3rd party personnel granted physical access? Air gap broken.

The first rule of securing a system is to always assume the system isn't secure. A perfect air gap is a hypothetical ideal, not a reality. What good is a computer that doesn't accept any data?

And what systems do you know of that sit around for half a century? Are you talking about Silo controls or something? Half a century would still be using punch cards for programming.

We have silo systems running on floppy disks. Not the modern 3.5" ones either. Floppies have commercial use dating back to the early 1970s. 1973 is 47 years ago as of the time of this post. We also have this from the Government Accountability Office:
Federal legacy IT investments are becoming increasingly obsolete: many use outdated software languages and hardware parts that are unsupported. Agencies reported using several systems that have components that are, in some cases, at least 50 years old. For example, the Department of Defense uses 8-inch floppy disks in a legacy system that coordinates the operational functions of the nation’s nuclear forces.
 
The specific exploit in the headline was in a lab. Stuxnet, however, famously broke into Iran's airgapped nuclear systems over a decade ago. You think that was the only time an air gapped system was ever compromised?
You should try listening to the 2.4 GHz band some time. Can you imagine being somewhere with 200 devices simultaneously trying to transmit data on 2.4 GHz? Literally impossible, right? Never going to happen? All of those devices all transmitting at once would just lead to white noise, right?

Uh, yeah. Duh. That is exactly how this works. I'm not sure if you were being sarcastic with your statement.

New hard drive of outside origin? Air gap broken. 3rd party personnel granted physical access? Air gap broken.

The first rule of securing a system is to always assume the system isn't secure. A perfect air gap is a hypothetical ideal, not a reality. What good is a computer that doesn't accept any data?

We have silo systems running on floppy disks. Not the modern 3.5" ones either. Floppies have commercial use dating back to the early 1970s. 1973 is 47 years ago as of the time of this post. We also have this from the Government Accountability Office:

I'm not going to break this up into many sub quotes so my apologies.

Yes, you can have crowded 2.4 GHz communication channels all operating on the same frequency because of the bandwidth on that frequency range, meaning the number of times you can chop it up before it becomes saturated and starts causing greater and greater degradation of network availability. While that sounds like white noise, it's more akin to 10 violinists playing 10 songs who don't have overlapping timing or notes. If you can sort it in your head, you can still hear 10 distinct songs at the same time.

White noise is when you have simultaneous overlapping sounds in the same frequency/pitch range.

In regards to the air gap, yes... nation states have found ways to penetrate otherwise impenetrable systems. Like with Xerox copiers and the Russian consulate. There are methods that will work given specific circumstances. And yes, no system is 100% safe. I'll agree to that. But you literally need to be very lucky (idiot plugs a USB drive into the system), have compromised the service provider (Xerox provider), or have your way in built into hardware they will install or attach to the systems (Chinese hack chip). Or today, even further, with the iDRAC-accessible front panels over NFC networks that Dell is selling: simply hack the cell phone the tech is carrying in his pocket. There are ways.

Yes a perfect air gap is a pipe dream. Given.

Yet you can reduce your risk. The debate isn't that air gap is a waste and all information should be public. It's: are these methods worthwhile? And I would argue that no, this lab's work is nothing but an operation in think-tank money burning. That, or we're only seeing the BS methods they reflect to the public.
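The disagreement in the last few posts about whether 200 devices in one room produce nothing but "white noise" comes down to the violinist analogy above: emitters on distinct frequencies are separable, emitters on the same frequency are not, and broadband noise spreads its energy over every frequency at once. The block below is an added example and is not code from the thread or from the papers it mentions. Ten constructed transmitters each key their own tone on or off to send one bit, room noise with a larger peak than any tone is added, and a single-bin DFT (the Goertzel algorithm) recovers every bit; then two transmitters share one carrier and the receiver is left with a single vector sum it cannot attribute. The sample rate, carrier frequencies, amplitudes, threshold and noise are all constructed.

```python
"""Added example: many emitters at once, separable or not.

Constructed scenario, not from the thread or the papers it cites: ten talkers
key their own carrier on/off (one bit each), broadband room noise is added, and
a single-bin DFT picks every bit back out.  A shared carrier is then shown to be
inseparable.  RATE, N, TALKER_FREQS and the noise are all constructed values.
"""
import math
import random

RATE = 8000                 # constructed sample rate, Hz
N = 800                     # samples per symbol: 0.1 s, so DFT bins are 10 Hz apart
TALKER_FREQS = [1000 + 50 * i for i in range(10)]   # one distinct on-bin carrier each
TONE_AMPLITUDE = 1.0
DETECT_THRESHOLD = 0.5      # half of the expected on-bin amplitude


def tone(freq_hz, amplitude=TONE_AMPLITUDE, phase=0.0):
    """One symbol period of a sinusoid."""
    return [amplitude * math.sin(2 * math.pi * freq_hz * k / RATE + phase)
            for k in range(N)]


def mix(*signals):
    """Air (or a wire) adds concurrent signals sample by sample."""
    return [sum(samples) for samples in zip(*signals)]


def room_noise(peak, seed=1):
    """Constructed broadband noise, uniform in [-peak, peak], fixed seed."""
    rng = random.Random(seed)
    return [rng.uniform(-peak, peak) for _ in range(N)]


def goertzel_amplitude(samples, freq_hz):
    """Amplitude of the sinusoid at freq_hz via the Goertzel single-bin DFT.
    An on-bin tone of amplitude A gives ~A; broadband noise of std sigma is
    spread over N/2 bins and contributes only ~2*sigma/sqrt(N) to this one."""
    n = len(samples)
    k = round(freq_hz * n / RATE)
    w = 2 * math.pi * k / n
    coeff = 2 * math.cos(w)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2     # |X[k]|^2
    return 2 * math.sqrt(power) / n


def transmit_fdm(bits, noise_peak=3.0):
    """Talker i sends bits[i] by keying its own carrier on (1) or off (0);
    the room adds noise whose peak (3.0) exceeds any single tone (1.0)."""
    carriers = [tone(f) if b else [0.0] * N for f, b in zip(TALKER_FREQS, bits)]
    return mix(*carriers, room_noise(noise_peak))


def receive_fdm(samples):
    """Look only in each talker's own bin and threshold: the other nine carriers
    fall on other bins and the noise is spread thin."""
    return [int(goertzel_amplitude(samples, f) > DETECT_THRESHOLD)
            for f in TALKER_FREQS]


def shared_channel_amplitude(bits, phases, freq_hz=1000.0):
    """Everyone on one carrier: the receiver sees a single vector sum, so two
    talkers in antiphase look exactly like nobody talking."""
    carriers = [tone(freq_hz, phase=p) if b else [0.0] * N
                for b, p in zip(bits, phases)]
    return goertzel_amplitude(mix(*carriers), freq_hz)
```

`receive_fdm(transmit_fdm(bits))` returns `bits` unchanged even though the noise has three times the peak of any tone, because the receiver only integrates the one bin it cares about. `shared_channel_amplitude([1, 1], [0.0, math.pi])` returns roughly 0, the same as two silent talkers: once emitters share a frequency, nothing in the received signal says who contributed what, which is the genuine "white noise" case the thread argues about.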
 