Hacking Air Gap Computer Project
The Air-Gap Jumpers
Ben-Gurion University of the Negev
Mordechai Guri, PhD, Head of R&D, Cyber-Security Research Center
Ben-Gurion University of the Negev, Israel
‹#› Ben-Gurion University of the Negev
About Me
Computer scientist (PhD)
Head of R&D Cyber-Security Research Center, BGU
Co-founder of Morphisec Endpoint Security
Research focus: Advanced Persistent Threats (APTs), rootkits, security of embedded systems, low-level attacks/defense, mobile security, air-gap security
A profile on my research at WIRED by Andy Greenberg: https://www.wired.com/story/air-gap-researcher-mordechai-guri/
https://cyber.bgu.ac.il/advanced-cyber/airgap
Papers and videos of this presentation can be found in my air-gap research page [1]
Agenda
Background
Threats, attack-vectors
Air-gap jumping techniques (‘covert channels’)
Demo videos
Evaluation
Countermeasures
Air Gap
Definition: a cyber-security measure that secures a computer network by physically isolating it from unsecured networks, such as the Internet or other unsecured local area networks
Examples of the types of networks or systems that may be air-gapped: military defense systems; critical-infrastructure command and control centers; computerized medical equipment and healthcare; banking and finance sectors; cryptocurrency air-gapped ('cold') wallets, blockchain
Threats – Chain of Attack

Phase        | Research question
Infiltration | How can attackers place malware in the air-gapped network?
C&C          | How can attackers send commands to the malware in the air-gapped network?
Exfiltration | How can attackers leak data from the air-gapped network?
Infiltration
Despite the level of isolation, air-gapped networks are not immune to breaches
Supply Chain Attacks
Malicious Insiders
Deceived Insiders
Infiltration (1)
07.2018:
Infiltration (2)
US military base in the Middle East (2008)
A USB flash drive infected with a worm (Agent.BTZ) was left in the parking lot
Inserted into a laptop that attached to the United States Central Command network
From there it spread undetected to other classified and unclassified networks
The Pentagon spent nearly a year cleaning the worm from military networks
Air-Gap Jumping Research
So, attackers can infect air-gapped networks
We assume that an attacker already has a foothold (APT) in the air-gapped network
The attacker wants to exfiltrate data from the network, but there is no Internet connection
Air-Gap Covert Channels
Acoustic
Electromagnetic
Magnetic
Electric
Optical
Thermal
Physical media
Physical Media
Many advanced APTs are able to jump over air gaps via USB [2]: Turla, MiniDuke, RedOctober, Fanny, Remsec, …
Use USB flash drives to jump into air-gapped networks
Use USB flash drives to exfiltrate data from air-gapped networks
Physical Media – Countermeasures
Physical media is forbidden (policy)
USB I/O activities are monitored
USB port blocks (hardware/software)
Write protected USB
Acoustic
Ultrasonic
BeatCoin demo: https://cyber.bgu.ac.il/advanced-cyber/airgap
Ultrasonic
Hearing range by species
Humans    20 Hz to ~18 kHz
Cats      55 Hz to 79 kHz (a range of 10.5 octaves)
Dogs      40 Hz to 60 kHz
Bats      1 kHz to 200 kHz
Mice      1 kHz to 70 kHz
Dolphins  up to 110 kHz
Ultrasonic
Near ultrasonic: the band between ~18 kHz (the upper hearing limit of most adults) and 24 kHz
An ordinary computer can produce sound in the 0-24 kHz band: a sound card running at the common 48 kHz sample rate can output anything up to its Nyquist frequency of 24 kHz, so the 18-24 kHz slice is reproducible by ordinary speakers yet inaudible to most people
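As an added illustration (not code from the BGU papers or from the BeatCoin/MOSQUITO tools), the following pure-Python binary FSK modem puts a byte string into the near-ultrasonic band described above and recovers it with a per-bit Goertzel detector. The tone frequencies (18.5 kHz for 0, 19.5 kHz for 1), the 48 kHz sample rate and the 100 baud symbol rate are assumptions chosen so that both tones sit above the ~18 kHz hearing limit but below the 24 kHz Nyquist limit; the noise added on the receive side is constructed. write_wav lets you play the waveform through a real sound card to confirm that it is inaudible.

```python
import math
import random
import struct
import wave

# Assumed parameters for this demo (not from the original papers).
SAMPLE_RATE = 48_000           # Hz: a common sound-card rate, so Nyquist = 24 kHz
F_SPACE = 18_500               # Hz, carries bit 0: above the ~18 kHz hearing limit
F_MARK = 19_500                # Hz, carries bit 1
BAUD = 100                     # bits/s -> 480 samples per bit -> 100 Hz Goertzel bins
SAMPLES_PER_BIT = SAMPLE_RATE // BAUD   # both tones fall exactly on a bin


def to_bits(data: bytes):
    """MSB-first bit list of a byte string."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def from_bits(bits):
    """Inverse of to_bits; a trailing partial byte is dropped."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - len(bits) % 8, 8))


def modulate(data: bytes, amplitude=0.5):
    """Binary FSK: one phase-continuous tone per bit, sampled at SAMPLE_RATE."""
    samples, phase = [], 0.0
    for bit in to_bits(data):
        step = 2 * math.pi * (F_MARK if bit else F_SPACE) / SAMPLE_RATE
        for _ in range(SAMPLES_PER_BIT):
            samples.append(amplitude * math.sin(phase))
            phase += step
    return samples


def goertzel_power(block, freq):
    """Energy at one frequency (Goertzel algorithm); the tone's phase is irrelevant."""
    coeff = 2 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in block:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def demodulate(samples):
    """Receiver: decide each bit by which tone carries more energy in its slot."""
    bits = []
    for i in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        block = samples[i:i + SAMPLES_PER_BIT]
        mark, space = goertzel_power(block, F_MARK), goertzel_power(block, F_SPACE)
        bits.append(1 if mark > space else 0)
    return from_bits(bits)


def add_noise(samples, sigma=0.2, seed=7):
    """Constructed white noise standing in for room and microphone noise."""
    rng = random.Random(seed)
    return [s + rng.gauss(0.0, sigma) for s in samples]


def write_wav(path, samples):
    """16-bit mono PCM so the waveform can be played through a real speaker."""
    with wave.open(path, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(SAMPLE_RATE)
        w.writeframes(b"".join(struct.pack("<h", int(max(-1.0, min(1.0, s)) * 32767))
                               for s in samples))


if __name__ == "__main__":
    wav = add_noise(modulate(b"air-gap"))
    write_wav("near_ultrasonic.wav", wav)
    print(demodulate(wav))           # b'air-gap'
```

With 480 samples per bit the Goertzel bins are 100 Hz apart and both tones land exactly on a bin, so the two energies barely leak into each other even with the constructed noise. The same block also shows why the "signal filtering" countermeasure in the table at the end works: a low-pass filter with a cut-off anywhere below 18 kHz, in the audio stack or in the speaker amplifier, removes both tones entirely.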
Audio-Gap
The solution to the ultrasonic covert channels: maintain an 'audio gap'
Common practice and security policies may prohibit the use of speakers [16]
Disable the audio hardware
Is this a 'hermetic' solution?
Fansmitter
Computer fans: CPU cooling fans, chassis fans, power-supply fan, GPU fans
A fan's acoustic tone is its Blade Pass Frequency (BPF), set by the number of blades and the rotation speed: BPF = blades × RPM / 60
Malware can control the fan speed (RPM), and therefore the BPF
Fansmitter
Fansmitter demo: https://cyber.bgu.ac.il/advanced-cyber/airgap
Fansmitter
Move to a “water cooling”?
Diskfiltration
The hard drive's read/write heads sit on an actuator arm moved by a motor; seeks between tracks produce audible noise
Malware can control those seeks by performing I/O (reads/writes) on data located on different tracks
Works with user-level privileges (e.g., files in a temp folder)
DiskFiltration
DiskFiltration demo: https://cyber.bgu.ac.il/advanced-cyber/airgap
MOSQUITO
An ultrasonic covert channel requires speakers (to transmit data) and microphones (to receive data)
What if microphones are banned, disconnected, muted or taped over?
Speakers-only environment
MOSQUITO
Malware that exploits a specific audio-chip feature (jack retasking)
Reverses the connected speakers from output devices into input devices
Turns speakers/headphones/earphones into microphones
Speaker-to-speaker communication
MOSQUITO
MOSQUITO demo: https://cyber.bgu.ac.il/advanced-cyber/airgap
Electromagnetic
Electromagnetic – Basics
Electric current in a wire produces an electromagnetic field
The field depends on the current passing through the wire
If we control the current in the wire, we control the frequency and amplitude of the electromagnetic emission
AirHopper
Screen cables emanate electromagnetic radiation that depends on the 'image' being transmitted over the cable
We can control the radiation by displaying specially crafted images
We can tune the radiation into the FM radio band (88 MHz-108 MHz)!
Malware uses the video display as an FM transmitter to leak data; the screen cable functions as the antenna
AirHopper
AirHopper demo: https://cyber.bgu.ac.il/advanced-cyber/airgap
GSMem
'Feature phones' might be allowed in some facilities
No camera, Bluetooth, Wi-Fi, FM, etc., but they still contain a cellular (GSM) receiver
GSMem
The CPU-memory bus emits electromagnetic radiation
We can control the radiation by generating special patterns of memory transfers
The radiation can be tuned to the GSM, UMTS and LTE frequency bands (2G, 3G and 4G)
Multi-channel memory (driving several memory channels at once) is used to amplify the transmission
GSMem
GSMem demo: https://cyber.bgu.ac.il/advanced-cyber/airgap
USBee
Uses the USB data bus to transmit RF signals
The D+/D- data lines act as small antennas
Only simple I/O operations (reads/writes) to the USB device are needed
No special permissions are required
USBee
USBee demo: https://cyber.bgu.ac.il/advanced-cyber/airgap
Magnetic
ODINI
Jumps air gaps and bypasses Faraday cages
ODINI exploits the low-frequency magnetic fields generated by the computer's CPU
Low-frequency magnetic fields propagate through the air and penetrate metal shielding such as Faraday cages
E.g., a compass still works inside a Faraday cage
ODINI
ODINI demo: https://cyber.bgu.ac.il/advanced-cyber/airgap
MAGNETO
MAGNETO demo: https://cyber.bgu.ac.il/advanced-cyber/airgap
Electric
PowerHammer
Malicious code running on a compromised computer can control the system's power consumption by intentionally regulating CPU utilization
Data is modulated, encoded and transmitted on top of the resulting fluctuations in current flow
The fluctuations are conducted and propagate through the power lines
This phenomenon is known as 'conducted emission'
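As an added example (not the PowerHammer implementation), the block below models both sides of this channel and the "activity detection" countermeasure listed at the end of the talk: bits are sent by switching a core between busy and idle (on-off keying), a constructed utilization trace stands in for what a current probe on the power line or a host monitor would record, and a host-side detector flags the tell-tale property of such traffic, namely that every high/low run is a whole multiple of one bit time. The bit time (1 s), sampling interval (100 ms), 0xAA preamble and the benign trace are assumptions made for the demonstration.

```python
import random
import time

# Assumed channel parameters (not from the paper): one bit per second of
# CPU load, observed by a monitor that samples utilization every 100 ms.
BIT_TIME_S = 1.0
SAMPLE_S = 0.1
SAMPLES_PER_BIT = int(BIT_TIME_S / SAMPLE_S)
PREAMBLE = b"\xaa"            # 10101010 gives the receiver a clock reference


def to_bits(data: bytes):
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def from_bits(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - len(bits) % 8, 8))


def transmit(data: bytes):
    """Real transmitter: bit 1 = saturate this core, bit 0 = sleep.
    The load change appears as a current change on the power line."""
    for bit in to_bits(PREAMBLE + data):
        end = time.monotonic() + BIT_TIME_S
        if bit:
            while time.monotonic() < end:
                pass                       # busy loop: high power draw
        else:
            time.sleep(BIT_TIME_S)         # idle: low power draw


def simulate_trace(data: bytes, seed=1):
    """Constructed stand-in for what a probe/monitor would record while
    transmit(data) runs: ~95% load for a 1 bit, ~5% for a 0 bit."""
    rng = random.Random(seed)
    trace = []
    for bit in to_bits(PREAMBLE + data):
        level = 95.0 if bit else 5.0
        trace += [level + rng.gauss(0.0, 2.0) for _ in range(SAMPLES_PER_BIT)]
    return trace


def decode_ook(trace, samples_per_bit=SAMPLES_PER_BIT, threshold=50.0):
    """Receiver: sample the middle of every bit period, strip the preamble."""
    mids = range(samples_per_bit // 2, len(trace), samples_per_bit)
    bits = [1 if trace[i] >= threshold else 0 for i in mids]
    return from_bits(bits)[len(PREAMBLE):]


def run_lengths(trace, threshold=50.0):
    """Lengths of consecutive high/low samples in a utilization trace."""
    runs, state, length = [], trace[0] >= threshold, 0
    for u in trace:
        if (u >= threshold) == state:
            length += 1
        else:
            runs.append(length)
            state, length = not state, 1
    runs.append(length)
    return runs


def looks_modulated(trace, min_runs=8, max_jitter=0.1):
    """Host-side detector: an OOK transmitter switches load in whole
    multiples of one (unknown) bit time, so every run length is close to
    k * base for some base of at least 2 samples. Benign bursts share no
    such common quantum, so their best-fit jitter stays high."""
    runs = run_lengths(trace)
    if len(runs) < min_runs:
        return False
    best = 1.0
    for base in range(2, max(runs) // 2 + 1):
        jitter = sum(abs(r - round(r / base) * base) for r in runs) / (len(runs) * base)
        best = min(best, jitter)
    return best <= max_jitter


# Constructed benign trace: irregular busy bursts with no common time quantum.
BENIGN_RUNS = [7, 3, 23, 11, 5, 19, 13, 2, 29]
BENIGN_TRACE = [lvl for i, n in enumerate(BENIGN_RUNS)
                for lvl in [5.0 if i % 2 == 0 else 95.0] * n]


if __name__ == "__main__":
    covert = simulate_trace(b"K")
    print(decode_ook(covert), looks_modulated(covert), looks_modulated(BENIGN_TRACE))
```

The detector only sees CPU utilization, which is exactly what the "activity detection" row of the countermeasures table relies on; it needs no knowledge of the bit time because it searches for the quantum itself. A transmitter that randomizes its bit time or hides under genuine load defeats this particular heuristic, which is why the table pairs software detection with filtering and physical separation rather than offering it as a complete answer.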
Optical
Optical
Computers and peripherals are equipped with LED indicators
The LEDs are controllable from the software/firmware level
Malware can encode data in 'blinks'
The blinks can be intercepted by local cameras or remotely (e.g., by drones)
LED-it-GO
LED-it-GO demo: https://cyber.bgu.ac.il/advanced-cyber/airgap
xLED
xLED demo: https://cyber.bgu.ac.il/advanced-cyber/airgap
aIR-Jumper
Security cameras are equipped with IR LEDs (for night vision)
Security cameras can 'see' IR
IR cannot be seen by humans
aIR-Jumper
aIR-Jumper demo: https://cyber.bgu.ac.il/advanced-cyber/airgap
Thermal
BitWhisper
Computers emit heat from the CPU, GPU, HDD and peripherals
Computers are equipped with built-in thermal sensors: CPU/GPU, motherboard, HDDs
Bi-directional communication based on heat
BitWhisper
• A computer can detect temperature changes created by an adjacent computer
• Data is encoded via temperature changes
BitWhisper
BitWhisper demo: https://cyber.bgu.ac.il/advanced-cyber/airgap
Evaluation

Channel characteristic        | Acoustic   | Electromagnetic / magnetic / electric | Thermal                | Optical
Stealth                       | High       | High                                  | Medium (perceptible)   | Low / High
Channel availability          | High       | High                                  | Low (overnight attack) | Low (user absence)
Feasibility in virtualization | Medium     | Medium                                | Medium                 | Medium
Hardware availability         | Medium-low | High                                  | High                   | High
Quality                       | Medium     | Medium/low                            | Low                    | Medium
Required privileges           | Regular    | Regular/Root                          | Regular/Root           | Regular
Countermeasures

Method                                              | Type                   | Relevant to bridgeware types                | Cost
Physical insulation / zoning / Red/Black separation | Physical countermeasure | Acoustic, electromagnetic, thermal, optical | High
Wires and equipment shielding                       | Hardware countermeasure | Electromagnetic (partial)                   | Low-Medium
Signal filtering                                    | Hardware countermeasure | Acoustic, electromagnetic (partial)         | Medium
Signal jamming                                      | Hardware countermeasure | Electromagnetic                             | Medium
Activity detection                                  | Software countermeasure | Acoustic, electromagnetic, thermal, optical | Low-Medium
Soft tempest                                        | Software countermeasure | Electromagnetic                             | Low
Air-Gap Jumping
Electromagnetic: AirHopper [3], GSMem [4], USBee [5]
Magnetic: ODINI [6], MAGNETO [7]
Electric: PowerHammer [8]
Acoustic: MOSQUITO [9], Fansmitter [10], DiskFiltration [11]
Optical: LED-it-GO [12], xLED [13], aIR-Jumper [14]
Thermal: BitWhisper [15]