This team used patterns of memory access instructions to modulate a memory bus to generate GSM-band signals that can be read from a hacked baseband. That is a thing that happened.
Somehow this reminds me of the various "floppy drive plays the Imperial March" hacks only this time it is "system RAM plays the arbitrary-bits-of-information fugue in C major on the electromagnetic spectrum." The research needed to get this to work is stunning.
The recent Rowhammer.js paper showed that you don't even need non-temporal instructions to achieve faults---regular accesses, with a clever eviction strategy, will do: http://arxiv.org/abs/1507.06955
This type of news reminds me of that scene from the first (live action) Transformers movie where the girl hacker is telling the three-letter suit types that they need to be thinking in a whole other level of technology in order to understand their adversary.
I suppose though, that this means if you have /critical/ security things it really just means you need to have the kind of physical security you hear about in scifi and fictional spy game settings. Not just plain airgaps, but proper Faraday cages, and even vibration dampening (for servers too, not just 'meeting rooms'). Probably even thermal regulation so that there's always /consistent/ output.
Just to clarify: They're talking about going into an air-gapped network (i.e. cut off from the outside world as far as network transmission of data goes) and using a conveniently-placed (and hacked) cell phone to read signals, convert them into useful data, and transmit that to the attacker? So the cell phone works as a sort of spigot that pours that data into outside networks? Let me know if I'm not reading this right.
You can, by several means, infect computers on the way to the air-gapped facility.
People will use it to store sensitive information, and now you have access to it. You just solved half of the problem.
Now, how to get this data? Internet? No. air-gapped. Send someone to retrieve the machine by force? Too risk and will alert the enemy. Solution: infect the cell phones of the people working there.
Your machine will be continuously broadcasting the information you want and when the infected phone come close to it, communication will occur.
Definitely. Most sophisticated hacking involves multiple steps and sometimes boxes (esp w/ C&C). People should expect the same in EMSEC attacks. And wireless, reprogrammable devices are always a threat that even NSA et al haven't mapped all specifics on. It's why any installation allowing them is insecure to EMSEC by default in my book.
Air gaped computers, still need software to run, MS Office, AudoCAD, SolidWorks, MATLAB or any other thing, they still get updated MATLAB 2014 -> 2015 and so on.
This is the biggest malware entry point.
On the security engineering side, isolated networks monitor less what comes in, but they are extremely strict about what comes out.
Only a bit related: does anyone know a) why it is standard in scientific papers to be written in 2-col layout and b) how to convert said 2-col layout to a READABLE 1-col layout?!
Man, this is driving me nuts on desktop and mobile.
In the case of this specific paper from this specific conference, you're in a lot of luck. USENIX put out the full proceedings as a giant PDF, an ePub, and a Mobi ([1]).
If you want to reflow arbitrary pdfs, then you should check out k2pdfopt ([2]). It's how I read academic papers on my Kindle. It does lots of tricks to slice out a useful format from pdfs of many different formats and make them pretty solid on a different screen size.
> why it is standard in scientific papers to be written in 2-col layout
For much the same reason as in newspapers: Because it maintains a readable text column width (in terms of words/characters per line) while increasing information density on the page. The other (less common) alternative uses one column with large text and large margins, with only slightly more words/characters per line as each column of the two-column format.
Old is New Again meme. ;) True: rooms or safe's are best route. There's also more suppliers for that and more willing to work with non-defense customers. However, you've always been limited on desktop and notebooks in high security assessment given all the functionality (esp wireless) in them. There's just way too much risk. So, I recommended hardened thin-clients/monitor/keyboard/mouse plus key servers in a shielded room, no wireless anything, shielding of building from external signals where possible, and of course a lot of distance around the building. Costs quickly become an issue and most just don't do TEMPEST/EMSEC at all. Open season when the attacks get democratized. ;)
It should be possible to vary the sleep states of the processor, at least if you are root. That should give you something like 50 W amplitude. No idea how that would look on the other side of the power supply.
It's pretty obvious, but perhaps worth noting that this requires the malware be installed on the computer somehow. That in itself is probably a challenge for an air gapped computer.
Or if you simply do what the REDACTED government did when they released StuxNet which is infect thumb drives and leave them near by the building in the parking lot. People pick up and plug in anything.
This is amazing, I don't think I would have ever thought of that. Of course, it's efficacy is a bit mitigated in that if you could manage to get malware onto such a computer, then there are likely easier ways to exfiltrate the data than presented in this paper. The POC model is nonetheless impressive.
This would be a great side project to play around with on an Arduino or something.
I wonder what easier ways to exfiltrate data do you see?
An air-gapped computer is likely devoid of any special radio-frequency hardware (no wi-fi or BT). Acoustic signals (via speaker or mechanical moving parts) and visible light signals (via the screen or various LEDs) are easy to notice.
OTOH a GSM frequency signal is not readily visible and also does not look like coming from a computer unless you look pretty hard; a signal at this frequency can be coming from a mobile device of a passer-by across the street.
My design many years ago was for "shielded" cables that would stop EM leaks in testing except for frequencies they wouldn't be looking for and especially upon receipt of a signal. Sent it to a bunch of people including in defense to create awareness of the risk. Last forum I posted it on was Schneier's blog during a discussion on hardware subversion. TAO leaked later to reveal RAGEMASTER, a VGA cable modification for leaking monitor signals to emanation attack gear. Independent invention or thieving bastards? (shrugs)
Interesting, though, to see they came up with same solution. Just like old keyboard and pin pad attacks. The user has to enter it (input) or see it (monitor). There are many ways to stop outsiders from getting into that information. So, my idea (and NSA's as well) was to make that raw data come to us in whatever way possible. Simpler methods were available such as cheap bugs at 10Ghz that amateur spectrum tools wouldn't see. However, I found natural emanations to be best risk because (a) they're always there, (b) they often increase for non-suspect reasons, and (c) nobody did detection or defense outside of TEMPEST customers.
It's why I keep advising a damn-near Manhattan project on EMSEC all the way from rooms to COTS components down to automating analysis in synthesis tools for ASIC's. The latter already do it quite a bit for non-malicious interference but the game changes going from designing Murphy's ASIC to designing Satan's. ;) Whatever is produced should bring technical sophistication and cost down dramatically with plenty reusable solutions & reference components.
Are they? If you can switch the LED fast enough (so the keyboard LEDs are out) and you keep the dark periods brief enough you should be able to hide it quite well. If you modulate it right you might be able to pick the data out of the reflections on walls, whiteboards, etc, perhaps even from outside a window.
I mean something simple, such as just using the usb itself or through social engineering to take data. If you can manage to load malware onto the computer, you can probably steal the data in a much easier way.
It's also much more efficient given the communication rate in the article is on the order of just bits/s. Of course, if you're looking for a steady stream of data over time, then this is probably the optimal solution.
The supply chain for the computer and the phones of nearby personnel is hackable, given a sufficiently resourced and un-savory-agency. Which gives you a nice datastream that didn't depend on anyone having done anything obviously stupid, and doesn't depend on social engineering to get usb sticks out of the facility.
> if you could manage to get malware onto such a computer, then there are likely easier ways to exfiltrate the data than presented in this paper.
I'm not so sure. It's much easier to drop an infected thumb drive in a parking lot than to get that thumb drive back after it's been plugged into a facility computer.
Here I thought it was going to be related to the power-spike decryption that's been show before(and can be hardened against by balancing bits flipped).
Ben Gurion is on a win streak in emanation attacks. Neat example with a common culprit: writings on TEMPEST said cellphones within meters of a STU-III telephone compromised it immediately with inadvertant, active attack. This is going in opposite direction with a known attack vector. A nice example of a "known unknown." That wireless devices, cellphones or SOC's, greatly increase risk in EMSEC is even more evident with this. Gotta stay banned in high-security organizations and that presents very tough tradeoffs along with supply chain issues in terms of SOC's. Identifying the hidden functions of SOC's (including analog/RF) is a cat-and-mouse game that rivals the brains that go into software attack and defense from what examples insiders gave me.
Far as EMSEC, I've pushed people in INFOSEC to consider it for a decade. I argued we should because (a) U.S. used such attacks since 1914 w/ Russia using them wisely in Cold War, (b) there's a sizeable industry on defense (TEMPEST) side, (c) most commercial/personal systems were massively vulnerable, and (d) research in possibly hostile countries continued. Supported even more by leaked NSA TAO catalog that features emanation attacks, including one (RAGEMASTER) that looks like my past work. All outside high-security said it was theoretical (despite use by Russia), no evidence/detection of any attacks (how would they lol?), or so rare as to be not important (again, measured how?). Took a while for it to really hit mainstream attention and I'm glad to see people in recent years are finally worrying about a 101-year old attack strategy (emanations).
Ben Gurion's results, past and present, support my case: a new cat-and-mouse game could form on pro side for stealing classified or trade secret information with emanation attacks. Declassified documents on TEMPEST history showed defenders had a hard time for first decade even for passive attacks. The likes of NSA, Russia, Israel, and maybe China are decades ahead of defenders with Israeli researchers innovating the most on attacks. NSA valued it so much, even against allies, that it once diluted its capabilities when sharing with UK and (IIRC) Canada to keep them behind (read: vulnerable).
My recommendation is that research-funding organizations in as many countries as possible start dropping money on their best E.E.'s to recreate those decades of research. Reducing the signal, shielding, masking... all of it for each component that's common in systems. Another easy route, which I used to recommend, was EMSEC safes or rooms with filters on cabling plus the myriad other leaks that crop up (even toilets lol). Seemed to be easier, but not easy, as there were more companies doing it than securing arbitrary equipment operating in the open. We do a ton of research until even our undergrads and amateurs can apply given techniques to solve the problems for boxes, safes, or rooms they own. Maybe. It's quite complicated...
Regardless, these attacks will only get better and for more parties. NSA et al long figured out it was best attack albeit required specialists and sometimes physical presence. Demanded they save it for high priority targets. Attacks with cellphones and interdiction, along with radios in COTS stuff, mean physical presence might not be an issue in future attacks. The game's heating up and defenders got a lot of catch-up to do. I suggest they start by studying the field of electromagnetic compatibility (EMC) [1], books on TEMPEST shielding [2], commercial sector [3], and declassified military documents on similar subjects (some in [4], esp Red-Black).
[3] http://www.tempest-inc.com/
(Found this in my bookmarks. Think they were good and helped with self-tests, too. Been too long time, though, so memory is fuzzy & many firms are gone.)
Are we that surprised? I remember being blown away to read that a program could modulate a CPU to play music over an FM radio -- though whenever I google I'm not able to find that reference.
But are we that surprised that a cell phone has software-defined radio, or is extremely sensitive in the gigahertz frequency range? Or that a hacked baseband can listen to the cues from a memory bus in that range, and isolate some predefined pattern that is extremely distinguishable? Or that a memory bus can emit noise at those frequencies? Or that this can be controlled via software?
I mean, this isn't - "this web site can send a text message from any airgapped computer without a sim card, by modulating its CPU to broadcast to all cell phone towers. Using pure CSS."
If that were in javascript, if it didn't require a hacked or modified anything - now that is the realm of science fiction :)
Well, of course none of these things are all particularly noteworthy in isolation. But it takes someone to put them all together into a working PoC.
On the Javascript part, they might very well be able to port this. Since any modern browser now JITs Javascript, it just becomes a matter of sculpting the JS to get the desired native code from the JIT.
I would be extremely impressed with a javascript solution. The reader part of it boils down to: "Hacked baseband can discern two special PC memory access patterns from each other" - which, if you're willing to transmit for long enough, is all it takes to exfiltrate.
I've never heard of modulating a CPU to play FM radio, but I've heard of using VGA/CRT patterns to modulate music on FM radio. Which is still impressive, but at least a little less surprising what with the cables and mechanical cathode rays and stuff being large, external items..?
