Bypassing an Air Gap via Radio

Monday, November 3, 2014 @ 03:11 PM gHale

An attacker can transmit sensitive information from isolated computers to nearby mobile phones by using radio signals, researchers said.

Although true air gaps are rare, and many that appear to exist on the surface turn out not to be the case underneath, there are organizations that attempt to air gap the systems holding their most sensitive information.

If done properly, the measure can be effective because the protected devices are isolated from the Internet, which makes them difficult to compromise.

Malware can reach isolated computers in various ways, including removable drives, as in the case of Stuxnet, and outsourced software or hardware components. However, the more difficult part is getting that malware to remotely transmit sensitive data from the infected computer.

That is exactly the problem taken on by proof-of-concept malware developed by researchers at Ben Gurion University in Israel, who show they are able to steal information from an air gapped device.

Researchers showed data exfiltration from an isolated device is possible via radio signals captured by a mobile device. The proof-of-concept malware they have created, called “AirHopper,” uses the infected computer’s graphics card to emit electromagnetic signals to a nearby mobile phone that’s set up to capture the data.

“With appropriate software, compatible radio signals can be produced by a compromised computer, utilizing the electromagnetic radiation associated with the video display adapter. This combination, of a transmitter with a widely used mobile receiver, creates a potential covert channel that is not being monitored by ordinary security instrumentation,” researchers said in a paper.

The attack has four main steps: getting the piece of malware onto the isolated computer, installing malicious code on one or more mobile phones, setting up a command and control (C&C) channel with the infected mobile device, and transmitting signals emanated by the isolated computer back to the attacker.

“The main idea behind the research is to use radio frequencies in order to transmit the secret data from the computer to the mobile phone,” the researchers said. “Mobile phones usually come equipped with FM radio receivers and it is already known that software can intentionally create radio emissions from a video display unit. Yes, from the computer screen. Still, this is the first time that a mobile phone is considered in an attack model as the intended receiver of maliciously crafted radio signals emitted from the screen of the isolated computer.”

Once the data reaches the phone, it can be forwarded to the attackers via the Internet or SMS messages, the researchers said.

With more and more organizations adopting bring-your-own-device (BYOD), personal mobile devices, which are relatively easy to infect with malware, are often carried in and out of the physical perimeter, making such an attack highly plausible.

Experiments conducted with AirHopper show data can be transmitted from the physically isolated device to a mobile phone up to 23 feet away at 13-60 bytes per second, which researchers say is enough to steal a secret password.

“The chain of attack is rather complicated, but is not beyond the level of skill and effort employed in modern Advanced Persistent Threats (APTs),” the researchers said.
