-
COVID-bit: Keep a Distance of (at least) 2m From My Air-Gap Computer!
Authors:
Mordechai Guri
Abstract:
Air-gapped systems are isolated from the Internet due to the sensitive information they handle. This paper presents COVID-bit, a new COVert channel attack that leaks sensitive information over the air from highly isolated systems. The information emanates from the air-gapped computer over the air to a distance of 2m and more and can be picked up by a nearby insider or spy with a mobile phone or laptop. Malware on an air-gapped computer can generate radio waves by executing crafted code on the target system. The malicious code exploits the dynamic power consumption of modern computers and manipulates the momentary loads on CPU cores. This technique allows the malware to control the computer's internal utilization and generate low-frequency electromagnetic radiation in the 0 - 60 kHz band. Sensitive information (e.g., files, encryption keys, biometric data, and keylogging) can be modulated over the emanated signals and received by a nearby mobile phone at a max speed of 1000 bits/sec. We show that a smartphone or laptop with a small $1 antenna carried by a malicious insider or visitor can be used as a covert receiver. Notably, the attack is highly evasive since it executes from an ordinary user-level process, does not require root privileges, and is effective even within a Virtual Machine (VM). We discuss the attack model and provide technical details. We implement air-gap transmission of texts and files, and present signal generation and data modulation. We test the covert channel and show evaluation results. Finally, we present a set of countermeasures to this air-gap attack.
Submitted 7 December, 2022;
originally announced December 2022.
-
ETHERLED: Sending Covert Morse Signals from Air-Gapped Devices via Network Card (NIC) LEDs
Authors:
Mordechai Guri
Abstract:
Highly secure devices are often isolated from the Internet or other public networks due to the confidential information they process. This level of isolation is referred to as an 'air-gap.'
In this paper, we present a new technique named ETHERLED, allowing attackers to leak data from air-gapped networked devices such as PCs, printers, network cameras, embedded controllers, and servers. Networked devices have an integrated network interface controller (NIC) that includes status and activity indicator LEDs. We show that malware installed on the device can control the status LEDs by blinking and alternating colors, using documented methods or undocumented firmware commands. Information can be encoded via simple encoding such as Morse code and modulated over these optical signals. An attacker can intercept and decode these signals from tens to hundreds of meters away. We show an evaluation and discuss defensive and preventive countermeasures for this exfiltration attack.
Submitted 21 August, 2022;
originally announced August 2022.
-
GAIROSCOPE: Injecting Data from Air-Gapped Computers to Nearby Gyroscopes
Authors:
Mordechai Guri
Abstract:
It is known that malware can leak data from isolated, air-gapped computers to nearby smartphones using ultrasonic waves. However, this covert channel requires access to the smartphone's microphone, which is highly protected in Android OS and iOS, and might be non-accessible, disabled, or blocked.
In this paper we present 'GAIROSCOPE,' an ultrasonic covert channel that doesn't require a microphone on the receiving side. Our malware generates ultrasonic tones in the resonance frequencies of the MEMS gyroscope. These inaudible frequencies produce tiny mechanical oscillations within the smartphone's gyroscope, which can be demodulated into binary information. Notably, the gyroscope in smartphones is considered to be a 'safe' sensor that can be used legitimately from mobile apps and JavaScript. We introduce the adversarial attack model and present related work. We provide the relevant technical background and show the design and implementation of GAIROSCOPE. We present the evaluation results and discuss a set of countermeasures to this threat. Our experiments show that attackers can exfiltrate sensitive information from air-gapped computers to smartphones located a few meters away via a Speakers-to-Gyroscope covert channel.
Submitted 20 August, 2022;
originally announced August 2022.
-
SATAn: Air-Gap Exfiltration Attack via Radio Signals From SATA Cables
Authors:
Mordechai Guri
Abstract:
This paper introduces a new type of attack on isolated, air-gapped workstations. Although air-gap computers have no wireless connectivity, we show that attackers can use the SATA cable as a wireless antenna to transfer radio signals at the 6 GHz frequency band. Serial ATA (SATA) is a bus interface widely used in modern computers that connects the host bus to mass storage devices such as hard disk drives, optical drives, and solid-state drives. The prevalence of the SATA interface makes this attack highly available to attackers in a wide range of computer systems and IT environments. We discuss related work on this topic and provide technical background. We show the design of the transmitter and receiver and present the implementation of these components. We also demonstrate the attack on different computers and provide the evaluation. The results show that attackers can use the SATA cable to transfer a brief amount of sensitive information from highly secured, air-gap computers wirelessly to a nearby receiver. Furthermore, we show that the attack can operate from user mode, is effective even from inside a Virtual Machine (VM), and can successfully work with other running workloads in the background. Finally, we discuss defense and mitigation techniques for this new air-gap attack.
Submitted 15 July, 2022;
originally announced July 2022.
-
LANTENNA: Exfiltrating Data from Air-Gapped Networks via Ethernet Cables
Authors:
Mordechai Guri
Abstract:
Air-gapped networks are wired with Ethernet cables since wireless connections are strictly prohibited.
In this paper we present LANTENNA - a new type of electromagnetic attack allowing adversaries to leak sensitive data from isolated, air-gapped networks. Malicious code in air-gapped computers gathers sensitive data and then encodes it over radio waves emanating from the Ethernet cables, using them as antennas. A nearby receiving device can intercept the signals wirelessly, decode the data, and send it to the attacker. We discuss the exfiltration techniques, examine the covert channel characteristics, and provide implementation details. Notably, the malicious code can run in an ordinary user-mode process and successfully operate from within a virtual machine. We evaluate the covert channel in different scenarios and present a set of countermeasures. Our experiments show that with the LANTENNA attack, data can be exfiltrated from air-gapped computers to a distance of several meters away.
Submitted 30 September, 2021;
originally announced October 2021.
-
AIR-FI: Generating Covert Wi-Fi Signals from Air-Gapped Computers
Authors:
Mordechai Guri
Abstract:
In this paper, we show that attackers can exfiltrate data from air-gapped computers via Wi-Fi signals. Malware in a compromised air-gapped computer can generate signals in the Wi-Fi frequency bands. The signals are generated through the memory buses - no special hardware is required. Sensitive data can be modulated and secretly exfiltrated on top of the signals. We show that nearby Wi-Fi capable devices (e.g., smartphones, laptops, IoT devices) can intercept these signals, decode them, and send them to the attacker over the Internet. To extract the signals, we utilize the physical layer information exposed by the Wi-Fi chips. We implement the transmitter and receiver and discuss design considerations and implementation details. We evaluate this covert channel in terms of bandwidth and distance and present a set of countermeasures. Our evaluation shows that data can be exfiltrated from air-gapped computers to nearby Wi-Fi receivers located at a distance of several meters away.
Submitted 12 December, 2020;
originally announced December 2020.
-
POWER-SUPPLaY: Leaking Data from Air-Gapped Systems by Turning the Power-Supplies Into Speakers
Authors:
Mordechai Guri
Abstract:
It is known that attackers can exfiltrate data from air-gapped computers through their speakers via sonic and ultrasonic waves. To eliminate the threat of such acoustic covert channels in sensitive systems, audio hardware can be disabled and the use of loudspeakers can be strictly forbidden. Such audio-less systems are considered to be audio-gapped, and hence immune to acoustic covert channels.
In this paper, we introduce a technique that enables attackers to leak data acoustically from air-gapped and audio-gapped systems. Our developed malware can exploit the computer power supply unit (PSU) to play sounds and use it as an out-of-band, secondary speaker with limited capabilities. The malicious code manipulates the internal switching frequency of the power supply and hence controls the sound waveforms generated from its capacitors and transformers. Our technique enables producing audio tones in a frequency band of 0-24 kHz and playing audio streams (e.g., WAV) from a computer power supply without the need for audio hardware or speakers. Binary data (files, keylogging, encryption keys, etc.) can be modulated over the acoustic signals and sent to a nearby receiver (e.g., smartphone). We show that our technique works with various types of systems: PC workstations and servers, as well as embedded systems and IoT devices that have no audio hardware at all. We provide technical background and discuss implementation details such as signal generation and data modulation. We show that the POWER-SUPPLaY code can operate from an ordinary user-mode process and doesn't need any hardware access or special privileges. Our evaluation shows that using POWER-SUPPLaY, sensitive data can be exfiltrated from air-gapped and audio-gapped systems from a distance of five meters away at a maximal bit rate of 50 bit/sec.
Submitted 1 May, 2020;
originally announced May 2020.
-
AiR-ViBeR: Exfiltrating Data from Air-Gapped Computers via Covert Surface ViBrAtIoNs
Authors:
Mordechai Guri
Abstract:
Air-gap covert channels are special types of covert communication channels that enable attackers to exfiltrate data from isolated, network-less computers. Various types of air-gap covert channels have been demonstrated over the years, including electromagnetic, magnetic, acoustic, optical, and thermal.
In this paper, we introduce a new type of vibrational (seismic) covert channel. We observe that computers vibrate at a frequency correlated to the rotation speed of their internal fans. These inaudible vibrations affect the entire structure on which the computer is placed. Our method is based on malware's capability of controlling the vibrations generated by a computer, by regulating its internal fan speeds. We show that the malware-generated covert vibrations can be sensed by nearby smartphones via the integrated, sensitive accelerometers. Notably, the accelerometer sensors in smartphones can be accessed by any app without requiring user permissions, which makes this attack highly evasive. We implemented AiR-ViBeR, malware that encodes binary information and modulates it over a low-frequency vibrational carrier. The data is then decoded by a malicious application on a smartphone placed on the same surface (e.g., on a desk). We discuss the attack model, provide technical background, and present the implementation details and evaluation results. Our results show that using AiR-ViBeR, data can be exfiltrated from an air-gapped computer to a nearby smartphone on the same table, or even an adjacent table, via vibrations. Finally, we propose a set of countermeasures for this new type of attack.
Submitted 13 April, 2020;
originally announced April 2020.
-
BRIGHTNESS: Leaking Sensitive Data from Air-Gapped Workstations via Screen Brightness
Authors:
Mordechai Guri,
Dima Bykhovsky,
Yuval Elovici
Abstract:
Air-gapped computers are systems that are kept isolated from the Internet since they store or process sensitive information.
In this paper, we introduce an optical covert channel in which an attacker can leak (or, exfiltrate) sensitive information from air-gapped computers through manipulations of the screen brightness. This covert channel is invisible and it works even while the user is working on the computer. Malware on a compromised computer can obtain sensitive data (e.g., files, images, encryption keys and passwords), and modulate it within the screen brightness, invisible to users. The small changes in the brightness are invisible to humans but can be recovered from video streams taken by cameras such as a local security camera, smartphone camera or a webcam. We present related work and discuss the technical and scientific background of this covert channel. We examined the channel's boundaries under various parameters, with different types of computer and TV screens, and at several distances. We also tested different types of camera receivers to demonstrate the covert channel. Lastly, we present relevant countermeasures to this type of attack.
Submitted 3 February, 2020;
originally announced February 2020.
-
CTRL-ALT-LED: Leaking Data from Air-Gapped Computers via Keyboard LEDs
Authors:
Mordechai Guri,
Boris Zadov,
Dima Bykhovsky,
Yuval Elovici
Abstract:
Using the keyboard LEDs to send data optically was proposed in 2002 by Loughry and Umphress [1] (Appendix A). In this paper we extensively explore this threat in the context of a modern cyber-attack with current hardware and optical equipment. In this type of attack, an advanced persistent threat (APT) uses the keyboard LEDs (Caps-Lock, Num-Lock and Scroll-Lock) to encode information and exfiltrate data from air-gapped computers optically. Notably, this exfiltration channel is not monitored by existing data leakage prevention (DLP) systems. We examine this attack and its boundaries for today's keyboards with USB controllers and sensitive optical sensors. We also introduce smartphone and smartwatch cameras as components of malicious insider and 'evil maid' attacks. We provide the necessary scientific background on optical communication and the characteristics of modern USB keyboards at the hardware and software level, and present a transmission protocol and modulation schemes. We implement the exfiltration malware, discuss its design and implementation issues, and evaluate it with different types of keyboards. We also test various receivers, including light sensors, remote cameras, 'extreme' cameras, security cameras, and smartphone cameras. Our experiment shows that data can be leaked from air-gapped computers via the keyboard LEDs at a maximum bit rate of 3000 bit/sec per LED given a light sensor as a receiver, and more than 120 bit/sec if smartphones are used. The attack doesn't require any modification of the keyboard at the hardware or firmware level.
Submitted 10 July, 2019;
originally announced July 2019.
-
BeatCoin: Leaking Private Keys from Air-Gapped Cryptocurrency Wallets
Authors:
Mordechai Guri
Abstract:
Cryptocurrency wallets store the wallet's private key(s), and hence, are a lucrative target for attackers. With possession of the private key, an attacker virtually owns all of the currency in the compromised wallet. Managing cryptocurrency wallets offline, in isolated ('air-gapped') computers, has been suggested in order to secure the private keys from theft. Such air-gapped wallets are often referred to as 'cold wallets.' In this paper, we show how private keys can be exfiltrated from air-gapped wallets. In the adversarial attack model, the attacker infiltrates the offline wallet, infecting it with malicious code. The malware can be preinstalled or pushed in during the initial installation of the wallet, or it can infect the system when removable media (e.g., USB flash drive) is inserted into the wallet's computer in order to sign a transaction. These attack vectors have repeatedly been proven feasible in the last decade (e.g., [1],[2],[3],[4],[5],[6],[7],[8],[9],[10]). Having obtained a foothold in the wallet, an attacker can utilize various air-gap covert channel techniques (bridgeware [11]) to jump the air-gap and exfiltrate the wallet's private keys. We evaluate various exfiltration techniques, including physical, electromagnetic, electric, magnetic, acoustic, optical, and thermal techniques. This research shows that although cold wallets provide a high degree of isolation, it is not beyond the capability of motivated attackers to compromise such wallets and steal private keys from them. We demonstrate how a 256-bit private key (e.g., bitcoin's private keys) can be exfiltrated from an offline, air-gapped wallet of a fictional character named Satoshi within a matter of seconds.
Submitted 23 April, 2018;
originally announced April 2018.
-
PowerHammer: Exfiltrating Data from Air-Gapped Computers through Power Lines
Authors:
Mordechai Guri,
Boris Zadov,
Dima Bykhovsky,
Yuval Elovici
Abstract:
In this paper we provide an implementation, evaluation, and analysis of PowerHammer, a malware (bridgeware [1]) that uses power lines to exfiltrate data from air-gapped computers. In this case, malicious code running on a compromised computer can control the power consumption of the system by intentionally regulating the CPU utilization. Data is modulated, encoded, and transmitted on top of the current flow fluctuations, and then it is conducted and propagated through the power lines. This phenomenon is known as a 'conducted emission'. We present two versions of the attack. Line-level power-hammering: In this attack, the attacker taps the in-home power lines that are directly attached to the electrical outlet. Phase-level power-hammering: In this attack, the attacker taps the power lines at the phase level, in the main electrical service panel. In both versions of the attack, the attacker measures the conducted emission and then decodes the exfiltrated data. We describe the adversarial attack model and present modulations and encoding schemes along with a transmission protocol. We evaluate the covert channel in different scenarios and discuss signal-to-noise ratio (SNR), signal processing, and forms of interference. We also present a set of defensive countermeasures. Our results show that binary data can be covertly exfiltrated from air-gapped computers through the power lines at bit rates of 1000 bit/sec for the line-level power-hammering attack and 10 bit/sec for the phase-level power-hammering attack.
Submitted 10 April, 2018;
originally announced April 2018.
-
MOSQUITO: Covert Ultrasonic Transmissions between Two Air-Gapped Computers using Speaker-to-Speaker Communication
Authors:
Mordechai Guri,
Yosef Solewicz,
Andrey Daidakulov,
Yuval Elovici
Abstract:
In this paper we show how two (or more) air-gapped computers in the same room, equipped with passive speakers, headphones, or earphones, can covertly exchange data via ultrasonic waves. Microphones are not required. Our method is based on the capability of malware to exploit a specific audio chip feature in order to reverse the connected speakers from output devices into input devices - unobtrusively rendering them microphones. We discuss the attack model and provide technical background and implementation details. We show that although the reversed speakers/headphones/earphones were not originally designed to perform as microphones, they still respond well to the near-ultrasonic range (18 kHz to 24 kHz). We evaluate the communication channel with different equipment, and at various distances and transmission speeds, and also discuss some practical considerations. Our results show that the speaker-to-speaker communication can be used to covertly transmit data between two air-gapped computers positioned a maximum of nine meters away from one another. Moreover, we show that two (microphone-less) headphones can exchange data from a distance of three meters apart. This enables 'headphones-to-headphones' covert communication, which is discussed for the first time in this paper.
Submitted 16 March, 2018; v1 submitted 9 March, 2018;
originally announced March 2018.
-
ODINI: Escaping Sensitive Data from Faraday-Caged, Air-Gapped Computers via Magnetic Fields
Authors:
Mordechai Guri,
Boris Zadov,
Andrey Daidakulov,
Yuval Elovici
Abstract:
Air-gapped computers are computers which are kept isolated from the Internet, because they store and process sensitive information. When highly sensitive data is involved, an air-gapped computer might also be kept secluded in a Faraday cage. The Faraday cage prevents the leakage of electromagnetic signals emanating from various computer parts, which may be picked up by an eavesdropping adversary remotely. The air-gap separation, coupled with the Faraday shield, provides a high level of isolation, preventing the potential leakage of sensitive data from the system. In this paper, we show how attackers can bypass Faraday cages and air-gaps in order to leak data from highly secure computers. Our method is based on an exploitation of the magnetic field generated by the computer CPU. Unlike electromagnetic radiation (EMR), low-frequency magnetic radiation propagates through the air, penetrating metal shielding such as Faraday cages (e.g., a compass still works inside a Faraday cage). We introduce a malware code-named ODINI that can control the low-frequency magnetic fields emitted from the infected computer by regulating the load of the CPU cores. Arbitrary data can be modulated and transmitted on top of the magnetic emission and received by a magnetic receiver (bug) placed nearby. We provide technical background and examine the characteristics of the magnetic fields. We implement a malware prototype and discuss the design considerations along with the implementation details. We also show that the malicious code does not require special privileges (e.g., root) and can successfully operate from within isolated virtual machines (VMs) as well.
Submitted 7 February, 2018;
originally announced February 2018.
-
MAGNETO: Covert Channel between Air-Gapped Systems and Nearby Smartphones via CPU-Generated Magnetic Fields
Authors:
Mordechai Guri,
Andrey Daidakulov,
Yuval Elovici
Abstract:
In this paper, we show that attackers can leak data from isolated, air-gapped computers to nearby smartphones via covert magnetic signals. The proposed covert channel works even if a smartphone is kept inside a Faraday shielding case, which aims to block any type of inbound and outbound wireless communication (Wi-Fi, cellular, Bluetooth, etc.). The channel also works if the smartphone is set in airplane mode in order to block any communication with the device. We implement a malware that controls the magnetic fields emanating from the computer by regulating workloads on the CPU cores. Sensitive data such as encryption keys, passwords, or keylogging data is encoded and transmitted over the magnetic signals. A smartphone located near the computer receives the covert signals with its magnetic sensor. We present technical background, and discuss signal generation, data encoding, and signal reception. We show that the proposed covert channel works from a user-level process, without requiring special privileges, and can successfully operate from within an isolated virtual machine (VM).
Submitted 7 February, 2018;
originally announced February 2018.
-
aIR-Jumper: Covert Air-Gap Exfiltration/Infiltration via Security Cameras & Infrared (IR)
Authors:
Mordechai Guri,
Dima Bykhovsky,
Yuval Elovici
Abstract:
Infrared (IR) light is invisible to humans, but cameras are optically sensitive to this type of light.
In this paper, we show how attackers can use surveillance cameras and infrared light to establish bi-directional covert communication between the internal networks of organizations and remote attackers. We present two scenarios: exfiltration (leaking data out of the network) and infiltration (sending data into the network). Exfiltration. Surveillance and security cameras are equipped with IR LEDs, which are used for night vision. In the exfiltration scenario, malware within the organization accesses the surveillance cameras across the local network and controls the IR illumination. Sensitive data such as PIN codes, passwords, and encryption keys are then modulated, encoded, and transmitted over the IR signals. Infiltration. In an infiltration scenario, an attacker standing in a public area (e.g., in the street) uses IR LEDs to transmit hidden signals to the surveillance camera(s). Binary data such as command and control (C&C) and beacon messages are encoded on top of the IR signals. The exfiltration and infiltration can be combined to establish bidirectional, 'air-gap' communication between the compromised network and the attacker. We discuss related work and provide scientific background about this optical channel. We implement a malware prototype and present data modulation schemas and a basic transmission protocol. Our evaluation of the covert channel shows that data can be covertly exfiltrated from an organization at a rate of 20 bit/sec per surveillance camera to a distance of tens of meters away. Data can be covertly infiltrated into an organization at a rate of over 100 bit/sec per surveillance camera from a distance of hundreds of meters to kilometers away.
Submitted 17 September, 2017;
originally announced September 2017.
-
xLED: Covert Data Exfiltration from Air-Gapped Networks via Router LEDs
Authors:
Mordechai Guri,
Boris Zadov,
Andrey Daidakulov,
Yuval Elovici
Abstract:
In this paper we show how attackers can covertly leak data (e.g., encryption keys, passwords and files) from highly secure or air-gapped networks via the row of status LEDs that exists in networking equipment such as LAN switches and routers. Although it is known that some network equipment emanates optical signals correlated with the information being processed by the device ('side-channel'), intentionally controlling the status LEDs to carry any type of data ('covert-channel') has never been studied before. Malicious code is executed on the LAN switch or router, allowing full control of the status LEDs. Sensitive data can be encoded and modulated over the blinking of the LEDs. The generated signals can then be recorded by various types of remote cameras and optical sensors. We provide the technical background on the internal architecture of switches and routers (at both the hardware and software level) which enables this type of attack. We also present amplitude and frequency based modulation and encoding schemas, along with a simple transmission protocol. We implement a prototype of an exfiltration malware and discuss its design and implementation. We evaluate this method with a few routers and different types of LEDs. In addition, we test various receivers including remote cameras, security cameras, smartphone cameras, and optical sensors, and also discuss different detection and prevention countermeasures. Our experiment shows that sensitive data can be covertly leaked via the status LEDs of switches and routers at bit rates of 10 bit/sec to more than 1 Kbit/sec per LED.
Submitted 4 June, 2017;
originally announced June 2017.
-
HVACKer: Bridging the Air-Gap by Attacking the Air Conditioning System
Authors:
Yisroel Mirsky,
Mordechai Guri,
Yuval Elovici
Abstract:
Modern corporations physically separate their sensitive computational infrastructure from public or other accessible networks in order to prevent cyber-attacks. However, attackers still manage to infect these networks, either by means of an insider or by infiltrating the supply chain. Therefore, an attacker's main challenge is to determine a way to command and control the compromised hosts that are isolated from an accessible network (e.g., the Internet).
In this paper, we propose a new adversarial model that shows how an air-gapped network can receive communications over a covert thermal channel. Concretely, we show how attackers may use a compromised air-conditioning system (connected to the internet) to send commands to infected hosts within an air-gapped network. Since thermal communication protocols are a rather unexplored domain, we propose a novel line-encoding and protocol suitable for this type of channel. Moreover, we provide experimental results to demonstrate the covert channel's feasibility, and to calculate the channel's bandwidth. Lastly, we offer a forensic analysis and propose various ways this channel can be detected and prevented.
We believe that this study details a previously unseen vector of attack that security experts should be aware of.
Submitted 30 March, 2017;
originally announced March 2017.
-
LED-it-GO: Leaking (a lot of) Data from Air-Gapped Computers via the (small) Hard Drive LED
Authors:
Mordechai Guri,
Boris Zadov,
Eran Atias,
Yuval Elovici
Abstract:
In this paper we present a method which allows attackers to covertly leak data from isolated, air-gapped computers. Our method utilizes the hard disk drive (HDD) activity LED which exists in most of today's desktop PCs, laptops and servers. We show that malware can indirectly control the HDD LED, turning it on and off rapidly (up to 5800 blinks per second) - a rate that exceeds the visual perception capabilities of humans. Sensitive information can be encoded and leaked over the LED signals, which can then be received remotely by different kinds of cameras and light sensors. Compared to other LED methods, our method is unique, because it is also covert - the HDD activity LED routinely flickers frequently, and therefore the user may not be suspicious of changes in its activity. We discuss attack scenarios and present the necessary technical background regarding the HDD LED and its hardware control. We also present various data modulation methods and describe the implementation of user-level malware that doesn't require a kernel component. During the evaluation, we examine the physical characteristics of different colored HDD LEDs (red, blue, and white) and test different types of receivers: remote cameras, extreme cameras, security cameras, smartphone cameras, drone cameras, and optical sensors. Finally, we discuss hardware and software countermeasures for such a threat. Our experiment shows that sensitive data can be successfully leaked from air-gapped computers via the HDD LED at a maximum bit rate of 4000 bits per second, depending on the type of receiver and its distance from the transmitter. Notably, this speed is 10 times faster than the existing optical covert channels for air-gapped computers. These rates allow fast exfiltration of encryption keys, keystroke logging, and text and binary files.
Submitted 22 February, 2017;
originally announced February 2017.
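Worked example for the LED channels above (aIR-Jumper's IR illuminators, xLED's status LEDs and LED-it-GO's HDD LED). This is an added illustration, not code from any of the papers: a generic on-off keying scheme with a Barker-13 sync word and an 8-bit length field, a constructed sensor model (ambient light offset, LED brightness gain, Gaussian noise and a few idle samples before the first blink), and a receiver that synchronises with normalised cross-correlation and learns its decision threshold from the preamble. Every parameter below is an assumption chosen for the illustration.

```python
"""On-off keying over a blinking LED, simulated end to end.
Added example; not code from the aIR-Jumper, xLED or LED-it-GO papers.
Preamble, sample rate, channel model and thresholds are assumptions."""
import math
import random

PREAMBLE = [1, 1, 1, 1, 1, 0, 0, 1, 1, 0, 1, 0, 1]   # Barker-13 sync word (assumed)
SAMPLES_PER_BIT = 8      # assumed: the receiver samples the LED 8 times per bit period


def frame_bits(payload: bytes) -> list:
    """Preamble, then an 8-bit length, then the payload bytes MSB first."""
    if len(payload) > 255:
        raise ValueError("payload too long for the 8-bit length field")
    bits = list(PREAMBLE)
    for byte in bytes([len(payload)]) + payload:
        bits.extend((byte >> i) & 1 for i in range(7, -1, -1))
    return bits


def modulate(bits, spb=SAMPLES_PER_BIT) -> list:
    """OOK: LED on (1.0) for a 1 bit, off (0.0) for a 0 bit, held for one bit period."""
    return [float(b) for b in bits for _ in range(spb)]


def channel(samples, gain=0.6, ambient=0.2, noise=0.1, lead=5, seed=1) -> list:
    """Constructed sensor model: ambient light offset, LED brightness gain,
    Gaussian noise, and a few idle samples captured before the LED starts blinking."""
    rng = random.Random(seed)
    return [ambient + gain * s + rng.gauss(0.0, noise) for s in [0.0] * lead + samples]


def _ncc(window, template) -> float:
    """Normalised cross-correlation: sync is independent of brightness and offset."""
    wm = sum(window) / len(window)
    tm = sum(template) / len(template)
    num = sum((w - wm) * (t - tm) for w, t in zip(window, template))
    den = math.sqrt(sum((w - wm) ** 2 for w in window) * sum((t - tm) ** 2 for t in template))
    return num / den if den else 0.0


def demodulate(samples, spb=SAMPLES_PER_BIT) -> list:
    """Locate the preamble, then average each bit period and threshold it."""
    template = modulate(PREAMBLE, spb)
    n = len(template)
    scores = [_ncc(samples[i:i + n], template) for i in range(len(samples) - n + 1)]
    first = next((i for i, s in enumerate(scores) if s > 0.8), None)
    if first is None:
        raise ValueError("preamble not found")
    # refine within one bit period so the bit boundaries line up exactly
    start = max(range(first, min(first + spb, len(scores))), key=scores.__getitem__)
    means = [sum(samples[p:p + spb]) / spb for p in range(start, len(samples) - spb + 1, spb)]
    pre = means[:len(PREAMBLE)]
    on = [m for m, b in zip(pre, PREAMBLE) if b]
    off = [m for m, b in zip(pre, PREAMBLE) if not b]
    threshold = (sum(on) / len(on) + sum(off) / len(off)) / 2   # learned from the preamble
    bits = [1 if m > threshold else 0 for m in means]
    if bits[:len(PREAMBLE)] != PREAMBLE:
        raise ValueError("preamble corrupted; channel too noisy or wrong bit rate")
    return bits[len(PREAMBLE):]


def deframe(bits) -> bytes:
    """Inverse of frame_bits for the bits that follow the preamble."""
    def byte_at(i):
        value = 0
        for b in bits[i:i + 8]:
            value = (value << 1) | b
        return value
    if len(bits) < 8:
        raise ValueError("no length field")
    n = byte_at(0)
    if len(bits) < 8 + 8 * n:
        raise ValueError("frame truncated")
    return bytes(byte_at(8 + 8 * k) for k in range(n))


def exfiltrate(payload: bytes, noise=0.1) -> bytes:
    """Transmitter -> sensor -> receiver round trip, returning what the receiver decoded."""
    return deframe(demodulate(channel(modulate(frame_bits(payload)), noise=noise)))


if __name__ == "__main__":
    print(exfiltrate(b"k3y"))
```

The receiver only works if it takes several samples per bit period, so the achievable bit rate is bounded by the sensor's sampling rate: a video camera delivers tens of samples per second, while the kilobit-per-second figures in the xLED and LED-it-GO abstracts need a dedicated optical sensor. The preamble does double duty, giving the receiver both its timing and its decision threshold, which is what makes the decoder indifferent to ambient light level and LED brightness.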
-
SPEAKE(a)R: Turn Speakers to Microphones for Fun and Profit
Authors:
Mordechai Guri,
Yosef Solewicz,
Andrey Daidakulov,
Yuval Elovici
Abstract:
It is possible to manipulate the headphones (or earphones) connected to a computer, silently turning them into a pair of eavesdropping microphones - with software alone. The same is also true for some types of loudspeakers. This paper focuses on this threat in a cyber-security context. We present SPEAKE(a)R, software that can covertly turn the headphones connected to a PC into a microphone. We present the technical background and explain why most PCs and laptops are susceptible to this type of attack. We examine an attack scenario in which malware can use a computer as an eavesdropping device, even when a microphone is not present, muted, taped, or turned off. We measure the signal quality and the effective distance, and survey the defensive countermeasures.
Submitted 22 November, 2016;
originally announced November 2016.
-
9-1-1 DDoS: Threat, Analysis and Mitigation
Authors:
Mordechai Guri,
Yisroel Mirsky,
Yuval Elovici
Abstract:
The 911 emergency service belongs to one of the 16 critical infrastructure sectors in the United States. Distributed denial of service (DDoS) attacks launched from a mobile phone botnet pose a significant threat to the availability of this vital service. In this paper we show how attackers can exploit the cellular network protocols in order to launch an anonymized DDoS attack on 911. The current FCC regulations require that all emergency calls be immediately routed regardless of the caller's identifiers (e.g., IMSI and IMEI). A rootkit placed within the baseband firmware of a mobile phone can mask and randomize all cellular identifiers, causing the device to have no genuine identification within the cellular network. Such anonymized phones can issue repeated emergency calls that cannot be blocked by the network or the emergency call centers, technically or legally. We explore the 911 infrastructure and discuss why it is susceptible to this kind of attack. We then implement different forms of the attack and test our implementation on a small cellular network. Finally, we simulate and analyze anonymous attacks on a model of current 911 infrastructure in order to measure the severity of their impact. We found that with less than 6K bots (or $100K hardware), attackers can block emergency services in an entire state (e.g., North Carolina) for days. We believe that this paper will assist the respective organizations, lawmakers, and security professionals in understanding the scope of this issue in order to prevent possible 911-DDoS attacks in the future.
Submitted 8 September, 2016;
originally announced September 2016.
-
USBee: Air-Gap Covert-Channel via Electromagnetic Emission from USB
Authors:
Mordechai Guri,
Matan Monitz,
Yuval Elovici
Abstract:
In recent years researchers have demonstrated how attackers could use USB connectors implanted with RF transmitters to exfiltrate data from secure, and even air-gapped, computers (e.g., COTTONMOUTH in the leaked NSA ANT catalog). Such methods require a hardware modification of the USB plug or device, in which a dedicated RF transmitter is embedded. In this paper we present USBee, software that can utilize an unmodified USB device connected to a computer as an RF transmitter. We demonstrate how software can intentionally generate controlled electromagnetic emissions from the data bus of a USB connector. We also show that the emitted RF signals can be controlled and modulated with arbitrary binary data. We implement a prototype of USBee, and discuss its design and implementation details including signal generation and modulation. We evaluate the transmitter by building a receiver and demodulator using GNU Radio. Our evaluation shows that USBee can be used for transmitting binary data to a nearby receiver at a bandwidth of 20 to 80 BPS (bytes per second).
Submitted 30 August, 2016;
originally announced August 2016.
-
DiskFiltration: Data Exfiltration from Speakerless Air-Gapped Computers via Covert Hard Drive Noise
Authors:
Mordechai Guri,
Yosef Solewicz,
Andrey Daidakulov,
Yuval Elovici
Abstract:
Air-gapped computers are disconnected from the Internet physically and logically. This measure is taken in order to prevent the leakage of sensitive data from secured networks. In the past, it has been shown that malware can exfiltrate data from air-gapped computers by transmitting ultrasonic signals via the computer's speakers. However, such acoustic communication relies on the availability of speakers on a computer. In this paper, we present 'DiskFiltration,' a covert channel which facilitates the leakage of data from an air-gapped computer via acoustic signals emitted from its hard disk drive (HDD). Our method is unique in that, unlike other acoustic covert channels, it doesn't require the presence of speakers or audio hardware in the air-gapped computer. Malware installed on a compromised machine can generate acoustic emissions at specific audio frequencies by controlling the movements of the HDD's actuator arm. Digital information can be modulated over the acoustic signals and then be picked up by a nearby receiver (e.g., smartphone, smartwatch, laptop, etc.). We examine the HDD anatomy and analyze its acoustical characteristics. We also present signal generation and detection, and data modulation and demodulation algorithms. Based on our proposed method, we developed a transmitter on a personal computer and a receiver on a smartphone, and we provide the design and implementation details. We also evaluate our covert channel on various types of internal and external HDDs in different computer chassis and at various distances. With DiskFiltration we were able to covertly transmit data (e.g., passwords, encryption keys, and keylogging data) from air-gapped computers to a smartphone at an effective bit rate of 180 bits/minute (10,800 bits/hour) and a distance of up to two meters (six feet).
Submitted 11 August, 2016;
originally announced August 2016.
-
Personal Information Leakage During Password Recovery of Internet Services
Authors:
Mordechai Guri,
Eyal Shemer,
Dov Shirtz,
Yuval Elovici
Abstract:
In this paper we examine the standard password recovery process of large Internet services such as Gmail, Facebook, and Twitter. Although most of these services try to maintain user privacy, with regard to registration information and other personal information provided by the user, we demonstrate that personal information can still be obtained by unauthorized individuals or attackers. This information includes the full (or partial) email address, phone number, friends list, address, etc. We examine different scenarios and demonstrate how the details revealed in the password recovery process can be used to deduce more focused information about users.
Submitted 4 August, 2016;
originally announced August 2016.
-
VisiSploit: An Optical Covert-Channel to Leak Data through an Air-Gap
Authors:
Mordechai Guri,
Ofer Hasson,
Gabi Kedma,
Yuval Elovici
Abstract:
In recent years, various out-of-band covert channels have been proposed that demonstrate the feasibility of leaking data out of computers without the need for network connectivity. The methods proposed have been based on different types of electromagnetic, acoustic, and thermal emissions. However, optical channels have largely been considered less covert: because they are visible to the human eye and hence can be detected, they have received less attention from researchers. In this paper, we introduce VisiSploit, a new type of optical covert channel which, unlike other optical methods, is also stealthy. Our method exploits the limitations of human visual perception in order to unobtrusively leak data through a standard computer LCD display. Our experiments show that very low contrast or fast flickering images which are invisible to human subjects, can be recovered from photos taken by a camera. Consequently, we show that malicious code on a compromised computer can obtain sensitive data (e.g., images, encryption keys, passwords), and project it onto a computer LCD screen, invisible and unbeknownst to users, allowing an attacker to reconstruct the data using a photo taken by a nearby (possibly hidden) camera. In order to demonstrate the feasibility of this type of attack and evaluate the channel's stealth, we conducted a battery of tests with 40 human subjects. We also examined the channel's boundaries under various parameters, with different types of encoded objects, at several distances, and using several kinds of cameras. Our results show that binary data can be leaked via our covert channel. Further research and discussion may widen the scope of this field beyond its current boundaries, yielding novel attack paradigms that exploit the subtle mechanisms of human visual perception.
Submitted 19 July, 2016; v1 submitted 13 July, 2016;
originally announced July 2016.
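Worked example for the low-contrast variant described in the VisiSploit abstract. It is an added illustration, not the paper's code: each bit is drawn as a pair of adjacent tiles that differ from a uniform background by a few grey levels, the "photo" is the frame plus constructed Gaussian sensor noise and 8-bit quantisation, and the receiver recovers each bit by comparing the two tile means. Background level, step size, tile size and noise level are assumptions; whether a given step is actually invisible to viewers is the empirical question the paper answers with its human-subject tests, not something this code establishes.

```python
"""Sub-perceptual contrast steps on an LCD frame, recovered from a noisy photo.
Added example; not code from the VisiSploit paper. All parameters are assumptions."""
import random

BACKGROUND = 128   # assumed mid-grey background level (0..255)
DELTA = 2          # assumed step of 2 grey levels above/below the background
BLOCK = 16         # assumed tile size: averaging 256 pixels beats per-pixel camera noise


def bytes_to_bits(data: bytes) -> list:
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def render(bits, pairs_per_row=8) -> list:
    """One bit per pair of adjacent tiles: 1 = left tile brighter, 0 = right tile brighter.
    Each pair sums to zero, so the data does not shift the frame's overall brightness."""
    rows = -(-len(bits) // pairs_per_row)
    width = pairs_per_row * 2 * BLOCK
    frame = [[BACKGROUND] * width for _ in range(rows * BLOCK)]
    for i, b in enumerate(bits):
        row, col = divmod(i, pairs_per_row)
        left, right = (DELTA, -DELTA) if b else (-DELTA, DELTA)
        x0 = col * 2 * BLOCK
        for y in range(row * BLOCK, (row + 1) * BLOCK):
            for x in range(x0, x0 + BLOCK):
                frame[y][x] = BACKGROUND + left
            for x in range(x0 + BLOCK, x0 + 2 * BLOCK):
                frame[y][x] = BACKGROUND + right
    return frame


def photograph(frame, noise=6.0, seed=3) -> list:
    """Constructed camera model: Gaussian sensor noise, then 8-bit quantisation."""
    rng = random.Random(seed)
    return [[min(255, max(0, round(p + rng.gauss(0.0, noise)))) for p in row] for row in frame]


def tile_mean(photo, row, x0) -> float:
    total = sum(photo[y][x] for y in range(row * BLOCK, (row + 1) * BLOCK)
                for x in range(x0, x0 + BLOCK))
    return total / (BLOCK * BLOCK)


def recover(photo, n_bits, pairs_per_row=8) -> list:
    """Compare the two tile means of each pair; exposure and white balance cancel out."""
    bits = []
    for i in range(n_bits):
        row, col = divmod(i, pairs_per_row)
        x0 = col * 2 * BLOCK
        bits.append(1 if tile_mean(photo, row, x0) > tile_mean(photo, row, x0 + BLOCK) else 0)
    return bits


def pixel_contrast(frame) -> float:
    """Largest per-pixel deviation from the background, as a fraction of it (Weber contrast)."""
    return max(abs(p - BACKGROUND) for row in frame for p in row) / BACKGROUND


if __name__ == "__main__":
    bits = bytes_to_bits(b"ok")
    print(recover(photograph(render(bits)), len(bits)) == bits)
```

The differential pair is the design choice worth noting: averaging over a tile divides the per-pixel noise by the tile width, and comparing two tiles instead of thresholding against a fixed level makes the decoder indifferent to exposure, white balance and screen brightness, which is how a step far smaller than the camera's per-pixel noise survives a photograph. pixel_contrast reports the largest step the frame carries relative to the background, the number to keep small if the channel is to stay unnoticed.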
-
Fansmitter: Acoustic Data Exfiltration from (Speakerless) Air-Gapped Computers
Authors:
Mordechai Guri,
Yosef Solewicz,
Andrey Daidakulov,
Yuval Elovici
Abstract:
Because computers may contain or interact with sensitive information, they are often air-gapped and in this way kept isolated and disconnected from the Internet. In recent years the ability of malware to communicate over an air-gap by transmitting sonic and ultrasonic signals from a computer speaker to a nearby receiver has been shown. In order to eliminate such acoustic channels, current best practice recommends the elimination of speakers (internal or external) in secure computers, thereby creating a so-called 'audio-gap'. In this paper, we present Fansmitter, a malware that can acoustically exfiltrate data from air-gapped computers, even when audio hardware and speakers are not present. Our method utilizes the noise emitted from the CPU and chassis fans which are present in virtually every computer today. We show that software can regulate the internal fans' speed in order to control the acoustic waveform emitted from a computer. Binary data can be modulated and transmitted over these audio signals to a remote microphone (e.g., on a nearby mobile phone). We present Fansmitter's design considerations, including acoustic signature analysis, data modulation, and data transmission. We also evaluate the acoustic channel, present our results, and discuss countermeasures. Using our method we successfully transmitted data from an air-gapped computer without audio hardware to a smartphone receiver in the same room. We demonstrated the effective transmission of encryption keys and passwords from a distance of zero to eight meters, with a bit rate of up to 900 bits/hour. We show that our method can also be used to leak data from different types of IT equipment, embedded systems, and IoT devices that have no audio hardware, but contain fans of various types and sizes.
Submitted 19 June, 2016;
originally announced June 2016.
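Worked example for the two speakerless acoustic channels above, DiskFiltration and Fansmitter. It is an added illustration, not code from either paper: binary frequency-shift keying between two tones, demodulated with the Goertzel algorithm, which measures a window's energy at one frequency without computing a full FFT. The sample rate, tone frequencies, bit duration and the additive-noise room model are assumptions; they are set far faster than the fan channel's 900 bits/hour so the simulation runs in a moment, and for a real fan or HDD transmitter the tones would be dictated by the achievable fan speeds or actuator movements and the bit period would be seconds.

```python
"""Binary FSK over an acoustic channel with a Goertzel receiver.
Added example; not code from the DiskFiltration or Fansmitter papers. All parameters are assumptions."""
import math
import random

FS = 8000                  # assumed microphone sample rate (Hz)
F0, F1 = 1000.0, 1500.0    # assumed tones for bit 0 / bit 1 (Hz)
BIT_SECONDS = 0.02         # assumed bit duration: a whole number of cycles of both tones
N = int(FS * BIT_SECONDS)  # samples per bit (160)


def bytes_to_bits(data: bytes) -> list:
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def bits_to_bytes(bits) -> bytes:
    out = bytearray()
    for k in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for b in bits[k:k + 8]:
            value = (value << 1) | b
        out.append(value)
    return bytes(out)


def modulate(bits, amplitude=0.5) -> list:
    """One tone burst per bit; the phase runs on across bit edges to avoid clicks."""
    samples, phase = [], 0.0
    for b in bits:
        f = F1 if b else F0
        for _ in range(N):
            samples.append(amplitude * math.sin(phase))
            phase += 2 * math.pi * f / FS
    return samples


def channel(samples, noise=0.3, seed=7) -> list:
    """Constructed room model: additive Gaussian background noise at the microphone."""
    rng = random.Random(seed)
    return [s + rng.gauss(0.0, noise) for s in samples]


def goertzel_power(window, freq) -> float:
    """Signal power at one frequency in O(len(window)), without a full FFT."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / FS)
    s1 = s2 = 0.0
    for x in window:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def demodulate(samples) -> list:
    """Per bit window, whichever tone carries more energy wins."""
    return [1 if goertzel_power(samples[i:i + N], F1) > goertzel_power(samples[i:i + N], F0) else 0
            for i in range(0, len(samples) - N + 1, N)]


def weakest_bit_ratio(samples) -> float:
    """Smallest per-bit power ratio between the louder and the quieter tone: the margin
    that shrinks as the receiver moves away or the room gets noisier."""
    ratios = []
    for i in range(0, len(samples) - N + 1, N):
        w = samples[i:i + N]
        p0, p1 = goertzel_power(w, F0), goertzel_power(w, F1)
        ratios.append(max(p0, p1) / max(min(p0, p1), 1e-12))
    return min(ratios) if ratios else 0.0


def exfiltrate(payload: bytes, noise=0.3) -> bytes:
    """Transmitter -> room -> microphone round trip, returning what the receiver decoded."""
    return bits_to_bytes(demodulate(channel(modulate(bytes_to_bits(payload)), noise=noise)))


if __name__ == "__main__":
    print(exfiltrate(b"pw:hunter2"))
```

weakest_bit_ratio is the check to run before trusting a link: the ratio between the louder and the quieter tone in the worst bit window falls as the receiver moves away or the room gets noisier, and once it approaches 1 the decoder is guessing. That signal-to-noise margin is what limits the effective distances quoted in the abstracts, two meters for DiskFiltration and up to eight for Fansmitter. Choosing a bit window that holds a whole number of cycles of both tones is what keeps the two Goertzel bins orthogonal, so a clean tone at one frequency contributes nothing at the other.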
-
JoKER: Trusted Detection of Kernel Rootkits in Android Devices via JTAG Interface
Authors:
Mordechai Guri,
Yuri Poliak,
Bracha Shapira,
Yuval Elovici
Abstract:
Smartphones and tablets have become prime targets for malware, due to the valuable private and corporate information they hold. While Anti-Virus (AV) programs may successfully detect malicious applications (apps), they remain ineffective against low-level rootkits that evade detection mechanisms by masking their own presence. Furthermore, any detection mechanism run on the same physical device as the monitored OS can be compromised via application, kernel or boot-loader vulnerabilities. Consequently, trusted detection of kernel rootkits in mobile devices is a challenging task in practice. In this paper we present JoKER - a system which aims at detecting rootkits in the Android kernel by utilizing the hardware's Joint Test Action Group (JTAG) interface for trusted memory forensics. Our framework consists of components that extract areas of a kernel's memory and reconstruct it for further analysis. We present the overall architecture along with its implementation, and demonstrate that the system can successfully detect the presence of stealthy rootkits in the kernel. The results show that although JTAG's main purpose is system testing, it can also be used for malware detection where traditional methods fail.
Submitted 13 December, 2015;
originally announced December 2015.
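Two checks an analyst would run over a kernel memory image captured out of band, as JoKER does over JTAG, so that the read itself is not under the control of the OS being inspected. This is an added example and not JoKER's code: the kernel text range, the pointer width, the reference syscall table, the golden text image and the "dumped" bytes are all constructed for the illustration. On a real device the reference values come from the matching vmlinux/System.map and the dump is the raw memory read by the debugger.

```python
"""Rootkit checks over an out-of-band kernel memory image.
Added example; not code from the JoKER paper. Addresses, table contents and images are constructed."""
import hashlib
import struct

KERNEL_TEXT = (0xC0008000, 0xC0600000)   # assumed [start, end) of the kernel .text segment
PAGE = 4096
PTR = "<I"                                # assumed 32-bit little-endian pointers (ARM)


def parse_table(image: bytes, n_entries: int) -> list:
    """Decode n_entries function pointers from the start of a dumped syscall table."""
    size = struct.calcsize(PTR)
    return [struct.unpack_from(PTR, image, i * size)[0] for i in range(n_entries)]


def hooked_entries(table, reference=None, text_range=KERNEL_TEXT) -> list:
    """Flag entries that point outside kernel text (typically into a module) and,
    when a known-good table is available, any entry that differs from it."""
    lo, hi = text_range
    findings = []
    for idx, ptr in enumerate(table):
        reasons = []
        if not lo <= ptr < hi:
            reasons.append("points outside kernel text")
        if reference is not None and ptr != reference[idx]:
            reasons.append("differs from reference 0x%08x" % reference[idx])
        if reasons:
            findings.append((idx, ptr, reasons))
    return findings


def modified_pages(text_image: bytes, golden_image: bytes) -> list:
    """Page offsets where the dumped kernel text differs from the golden image;
    this catches inline hooks that leave the syscall table untouched."""
    if len(text_image) != len(golden_image):
        raise ValueError("image sizes differ: wrong kernel build or truncated dump")
    bad = []
    for off in range(0, len(text_image), PAGE):
        if (hashlib.sha256(text_image[off:off + PAGE]).digest()
                != hashlib.sha256(golden_image[off:off + PAGE]).digest()):
            bad.append(off)
    return bad


# ---- constructed sample data (not from any real device) ----
REFERENCE = [0xC0010000, 0xC0010120, 0xC00102A0, 0xC0010400,
             0xC0010580, 0xC0010700, 0xC0010880, 0xC0010A00]
DUMPED = list(REFERENCE)
DUMPED[2] = 0xBF000100   # redirected into a loadable-module address range
DUMPED[5] = 0xC0010880   # redirected to a different in-kernel function (same target as entry 6)
SAMPLE_TABLE_IMAGE = b"".join(struct.pack(PTR, p) for p in DUMPED)

GOLDEN_TEXT = bytes(range(256)) * (3 * PAGE // 256)          # three pages of "kernel text"
_patched = bytearray(GOLDEN_TEXT)
_patched[PAGE + 16:PAGE + 20] = b"\x00\x00\xa0\xe1"           # one instruction overwritten in page 1
DUMPED_TEXT = bytes(_patched)


def analyse() -> dict:
    """Run both checks over the constructed dump."""
    return {
        "syscall_hooks": hooked_entries(parse_table(SAMPLE_TABLE_IMAGE, len(REFERENCE)), REFERENCE),
        "modified_text_pages": modified_pages(DUMPED_TEXT, GOLDEN_TEXT),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(key, value)
```

The range check catches table hooks that redirect out of kernel text, the page comparison catches inline patches that leave the table intact, and the reference comparison catches an entry redirected to another legitimate in-kernel function, which the range check alone would miss. A clean result is only as good as the acquisition: the checks assume the debugger reads physical memory directly with the cores halted, and on production devices where the JTAG port is disabled the method is simply unavailable.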
-
BitWhisper: Covert Signaling Channel between Air-Gapped Computers using Thermal Manipulations
Authors:
Mordechai Guri,
Matan Monitz,
Yisroel Mirski,
Yuval Elovici
Abstract:
It has been assumed that the physical separation (air-gap) of computers provides a reliable level of security, such that should two adjacent computers become compromised, the covert exchange of data between them would be impossible. In this paper, we demonstrate BitWhisper, a method of bridging the air-gap between adjacent compromised computers by using their heat emissions and built-in thermal sensors to create a covert communication channel. Our method is unique in two respects: it supports bidirectional communication, and it requires no additional dedicated peripheral hardware. We provide experimental results based on an implementation of a BitWhisper prototype, and examine the channel properties and limitations. Our experiments included different layouts, with computers positioned at varying distances from one another, and several sensor types and CPU configurations (e.g., Virtual Machines). We also discuss signal modulation and communication protocols, showing how BitWhisper can be used for the exchange of data between two computers in close proximity (at a distance of 0-40cm) at an effective rate of 1-8 bits per hour, a rate which makes it possible to infiltrate brief commands and exfiltrate small amounts of data (e.g., passwords) over the covert channel.
Submitted 26 March, 2015;
originally announced March 2015.
-
AirHopper: Bridging the Air-Gap between Isolated Networks and Mobile Phones using Radio Frequencies
Authors:
Mordechai Guri,
Gabi Kedma,
Assaf Kachlon,
Yuval Elovici
Abstract:
Information is the most critical asset of modern organizations, and accordingly coveted by adversaries. When highly sensitive data is involved, an organization may resort to air-gap isolation, in which there is no networking connection between the inner network and the external world. While infiltrating an air-gapped network has been proven feasible in recent years (e.g., Stuxnet), data exfiltration from an air-gapped network is still considered to be one of the most challenging phases of an advanced cyber-attack. In this paper we present "AirHopper", a bifurcated malware that bridges the air-gap between an isolated network and nearby infected mobile phones using FM signals. While it is known that software can intentionally create radio emissions from a video display unit, this is the first time that mobile phones are considered in an attack model as the intended receivers of maliciously crafted radio signals. We examine the attack model and its limitations, and discuss implementation considerations such as stealth and modulation methods. Finally, we evaluate AirHopper and demonstrate how textual and binary data can be exfiltrated from a physically isolated computer to mobile phones at a distance of 1-7 meters, with an effective bandwidth of 13-60 Bps (Bytes per second).
Submitted 2 November, 2014;
originally announced November 2014.