Hacking Air Gap Computer Project

The Air-Gap Jumpers

Ben-Gurion University of the Negev

Mordechai Guri, PhD, Head of R&D, Cyber-Security Research Center

Ben-Gurion University of the Negev, Israel

‹#› Ben-Gurion University of the Negev

About Me

• Computer scientist (PhD)

• Head of R&D, Cyber-Security Research Center, BGU

• Co-founder of Morphisec Endpoint Security

• Research focus:
  - Advanced Persistent Threats (APTs), rootkits
  - Security of embedded systems
  - Low-level attacks/defense
  - Mobile security
  - Air-gap security

• A profile on my research at WIRED by Andy Greenberg: https://www.wired.com/story/air-gap-researcher-mordechai-guri/

https://cyber.bgu.ac.il/advanced-cyber/airgap

• Papers and videos for this presentation can be found on my air-gap research page [1]

Agenda

• Background

• Threats, attack vectors

• Air-gap jumping techniques (‘covert channels’)

• Demo videos

• Evaluation

• Countermeasures

Air Gap

Definition: A cyber-security measure that secures a computer network by physically isolating it from unsecured networks, such as the Internet or other unsecured local area networks.

Examples of the types of networks or systems that may be air-gapped:
  - Military defense systems
  - Critical infrastructure command and control centers
  - Computerized medical equipment and healthcare
  - Banking and finance sectors
  - Cryptocurrency air-gapped (‘cold’) wallets, blockchain

Threats – Chain of Attack

Phase        | Research Question
-------------|-------------------------------------------------------------------------
Infiltration | How attackers can place malware in the air-gapped network
C&C          | How attackers can send commands to the malware in the air-gapped network
Exfiltration | How attackers can leak data from the air-gapped network

Infiltration

• Despite the level of isolation, air-gapped networks are not immune to breaches:
  - Supply chain attacks
  - Malicious insiders
  - Deceived insiders

Infiltration (1)

07.2018:

Infiltration (2)

• US military base in the Middle East

• A USB flash drive infected with a worm (Agent.BTZ) was left in the parking lot

• It was inserted into a laptop attached to the United States Central Command network

• From there it spread undetected to other classified and unclassified networks

• The Pentagon spent nearly a year cleaning the worm from military networks

Air-Gap Jumping Research

• So, attackers can infect air-gapped networks

• We assume that an attacker already has a foothold (APT) in the air-gapped network

• The attacker wants to exfiltrate data from the network
  - No Internet

Air-Gap Covert Channels

• Acoustic
• Electromagnetic
• Magnetic
• Electric
• Optical
• Thermal
• Physical Media

Physical Media

• Many developed APTs are able to jump over air gaps via USB [2]:
  - Turla
  - MiniDuke
  - RedOctober
  - Fanny
  - Remsec
  - …

• Use USB flash drives to jump into air-gapped networks

• Use USB flash drives to exfiltrate data from air-gapped networks

Physical Media – Countermeasures

• Physical media is forbidden (policy)

• USB I/O activities are monitored

• USB port blocks (hardware/software)

• Write-protected USB

Acoustic


Ultrasonic

Ultrasonic

BeatCoin demo: https://cyber.bgu.ac.il/advanced-cyber/airgap

Ultrasonic

Hearing range

Humans    20 Hz to ~18 kHz
Cats      55 Hz up to 79 kHz (a range of 10.5 octaves)
Dogs      40 Hz to 60 kHz
Bats      1 kHz to 200 kHz
Mice      1 kHz to 70 kHz
Dolphins  110 kHz

Ultrasonic

[Figure: frequency scale marking the audible band up to ~18 kHz and the near-ultrasonic band up to 24 kHz]

Near ultrasonic

• An ordinary computer can produce sound in the 0–24 kHz band; the part above the ~18 kHz human hearing limit is near-ultrasonic

Ultrasonic

Audio-Gap

• The solution to ultrasonic covert channels: maintaining an ‘audio gap’

• Common practices and security policies may prohibit the use of speakers [16]

• Disable the audio hardware

• Is this a ‘hermetic’ solution?

Fansmitter

• Computer fans:
  - CPU cooling fans
  - Chassis fans
  - Power-supply fan
  - GPU fans

• The Blade Pass Frequency (BPF) depends on:
  - Number of blades
  - Rotation speed

• Malware can control the fan speed (RPM), and therefore the BPF

Fansmitter

Fansmitter demo: https://cyber.bgu.ac.il/advanced-cyber/airgap

Fansmitter

• Move to “water cooling”?

Diskfiltration

• The actuator arm is driven by a motor that moves the hard-drive head arm

• It can be controlled by malware performing I/O between tracks (read/write)

• This works with user-level privileges (e.g., in the temp folder)

DiskFiltration

DiskFiltration demo: https://cyber.bgu.ac.il/advanced-cyber/airgap

MOSQUITO

• An ultrasonic covert channel requires:
  - Speakers (to transmit data)
  - Microphones (to receive data)

• What if microphones are:
  - Banned
  - Disconnected
  - Muted
  - Taped

• A speakers-only environment

MOSQUITO

• Malware that exploits a specific audio-chip feature

• It reverses the connected speakers from output devices into input devices

• Speakers/headphones/earphones are turned into microphones

• Speaker-to-speaker communication

MOSQUITO

MOSQUITO demo: https://cyber.bgu.ac.il/advanced-cyber/airgap

Electromagnetic

Electromagnetic – Basics

• Electric current in a wire produces an electromagnetic field

• The electromagnetic field depends on the current passing through the wire

• If we control the current in a wire, we control the electromagnetic emission:
  - Frequency
  - Amplitude

AirHopper

• Screen cables emanate electromagnetic radiation that depends on the ‘image’ transmitted over the cable

• We can control the electromagnetic radiation by transmitting specially crafted images

• We can adjust the electromagnetic radiation to the FM radio band! (88 MHz–108 MHz)

• Malware uses the video display as an FM transmitter to leak data
  - The screen cable functions as an antenna

AirHopper

AirHopper

AirHopper demo: https://cyber.bgu.ac.il/advanced-cyber/airgap

GSMem

• “Feature phones” might be allowed in some facilities

• No camera, Bluetooth, Wi-Fi, FM, etc.

GSMem

• The CPU–memory bus emits electromagnetic radiation

• We can control the radiation by generating special patterns of memory transfers

• The radiation can be adjusted to the GSM, UMTS and LTE frequency bands (2G, 3G and 4G)

• We use multiple channels to amplify the transmission

GSMem

GSMem

GSMem demo: https://cyber.bgu.ac.il/advanced-cyber/airgap

USBee

• Uses the USB data bus to transmit RF signals

• D+/D- act as small antennas

• Simple I/O operations (read/write)

• No special permission is required

USBee

USBee demo: https://cyber.bgu.ac.il/advanced-cyber/airgap

Magnetic


ODINI

ODINI

• Jumps air gaps and bypasses Faraday cages

• The ODINI method is based on exploiting the low-frequency magnetic fields generated by the computer’s CPU

• Low-frequency magnetic radiation propagates through the air, penetrating metal shielding such as Faraday cages

• E.g., a compass still works inside a Faraday cage

ODINI

ODINI demo: https://cyber.bgu.ac.il/advanced-cyber/airgap

MAGNETO

MAGNETO

MAGNETO demo: https://cyber.bgu.ac.il/advanced-cyber/airgap

Electric


PowerHammer

• Malicious code running on a compromised computer can control the power consumption of the system by intentionally regulating the CPU utilization

• Data is modulated, encoded, and transmitted on top of the current-flow fluctuations

• These are conducted and propagated through the power lines

• This phenomenon is known as ‘conducted emission’

PowerHammer

Optical


Optical

• Computers and peripherals are equipped with LED indicators

• The LEDs are controllable from the software/firmware level

• Malware can encode data in ‘blinks’

• The blinks can be intercepted by local cameras or remotely (e.g., by drones)

LED-it-GO

LED-it-GO demo: https://cyber.bgu.ac.il/advanced-cyber/airgap

xLED

xLED demo: https://cyber.bgu.ac.il/advanced-cyber/airgap

aIR-Jumper

• Security cameras are equipped with IR LEDs

• Security cameras can ‘see’ IR

• IR cannot be seen by humans

aIR-Jumper

aIR-Jumper demo: https://cyber.bgu.ac.il/advanced-cyber/airgap

Thermal


BitWhisper

Motivation

BitWhisper

• Computers emit heat from:
  - CPU
  - GPU
  - HDD
  - Peripherals

• Computers are equipped with built-in thermal sensors:
  - CPU/GPU
  - Motherboard
  - HDDs

• Bi-directional communication based on heat

BitWhisper

• A computer can detect a temperature change created by an adjacent computer

• Data is encoded via temperature changes

BitWhisper

BitWhisper demo: https://cyber.bgu.ac.il/advanced-cyber/airgap

Evaluation

Channel characteristic \ Channel type | Acoustic   | Electromagnetic / magnetic / electric | Thermal                | Optical
--------------------------------------|------------|---------------------------------------|------------------------|--------------------
Stealth                               | High       | High                                  | Medium (sensible)      | Low / High
Channel availability                  | High       | High                                  | Low (overnight attack) | Low (user absence)
Feasibility in virtualization         | Medium     | Medium                                | Medium                 | Medium
Hardware availability                 | Medium-low | High                                  | High                   | High
Quality                               | Medium     | Medium/low                            | Low                    | Medium
Required privileges                   | Regular    | Regular/Root                          | Regular/Root           | Regular

Countermeasures

Method                                              | Type                     | Relevancy to bridgeware types               | Cost
----------------------------------------------------|--------------------------|---------------------------------------------|-----------
Physical insulation / zoning / red/black separation | Physical countermeasures | Acoustic, Electromagnetic, Thermal, Optical | High
Wires and equipment shielding                       | Hardware countermeasures | Electromagnetic (partial)                   | Low-Medium
Signal filtering                                    | Hardware countermeasures | Acoustic, Electromagnetic (partial)         | Medium
Signal jamming                                      | Hardware countermeasures | Electromagnetic                             | Medium
Activity detection                                  | Software countermeasures | Acoustic, Electromagnetic, Thermal, Optical | Low-Medium
Soft tempest                                        | Software countermeasures | Electromagnetic                             | Low
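The ‘Activity detection’ software countermeasure above, together with the Fansmitter slide (fan RPM driven by malware) and the PowerHammer slide (CPU utilization regulated to shape power draw), is illustrated by one added example that is not the presentation's own code: a detector for a polled sensor series that toggles between two levels with a near-constant period, which thermal management does not produce on its own. The step sizes, the minimum transition count, the jitter tolerance and every sample reading are constructed assumptions. It generalizes beyond the two slides to any polled sensor (fan RPM, CPU load, temperature), and the fan check also cross-references temperature so that a legitimate spin-up is not flagged.

```python
"""Detector for software-modulated hardware activity (added example; not the
presentation's own code).

Normal thermal management moves fan speed and CPU load irregularly; a covert
carrier toggles them between two levels with a near-constant period. The
functions below flag that pattern in any polled sensor series. All thresholds
and readings are constructed for illustration.
"""
from statistics import mean, pstdev


def level_transitions(series, step):
    """Indexes where consecutive readings differ by at least `step`."""
    return [i for i in range(1, len(series))
            if abs(series[i] - series[i - 1]) >= step]


def is_modulated(series, step, min_transitions=6, max_jitter=0.25):
    """True when the series has at least `min_transitions` large jumps and the
    gaps between them are regular (coefficient of variation <= max_jitter)."""
    idx = level_transitions(series, step)
    if len(idx) < min_transitions:
        return False
    gaps = [b - a for a, b in zip(idx, idx[1:])]
    return pstdev(gaps) / mean(gaps) <= max_jitter


def unexplained_fan_changes(rpm, temp, rpm_step=300, temp_tolerance=2.0):
    """Indexes where fan RPM jumps by >= rpm_step while the temperature reading
    taken at the same poll moved less than temp_tolerance degrees, i.e. a speed
    change with no thermal reason. `rpm` and `temp` are polled at the same instants."""
    return [i for i in level_transitions(rpm, rpm_step)
            if abs(temp[i] - temp[i - 1]) < temp_tolerance]


def build_constructed_series():
    """Constructed sample readings, one reading per poll interval (assumed 1 s)."""
    return {
        # two RPM levels held for three polls each: a square-wave carrier
        "fan_modulated": ([1000] * 3 + [1600] * 3) * 5,
        # gradual thermal ramp: small steps, no regular toggling
        "fan_normal": [1000 + 20 * i for i in range(30)],
        # CPU temperature that never moves while the fan above toggles
        "temp_flat": [45.0] * 30,
        # CPU load square wave with a two-poll period
        "cpu_modulated": [5, 5, 95, 95] * 6,
        # ordinary bursty load: large jumps with irregular spacing
        "cpu_bursty": [10, 90, 85, 12, 15, 18, 88, 20, 22, 25,
                       27, 90, 30, 28, 26, 24, 22, 92, 20],
    }


def scan_all(data):
    """Verdict per constructed series: True means 'looks software-modulated'."""
    return {
        "fan_modulated": is_modulated(data["fan_modulated"], step=300),
        "fan_normal": is_modulated(data["fan_normal"], step=300),
        "cpu_modulated": is_modulated(data["cpu_modulated"], step=50),
        "cpu_bursty": is_modulated(data["cpu_bursty"], step=50),
    }


if __name__ == "__main__":
    data = build_constructed_series()
    for name, verdict in scan_all(data).items():
        print(f"{name:14s} modulated={verdict}")
    print("fan jumps without thermal cause:",
          unexplained_fan_changes(data["fan_modulated"], data["temp_flat"]))
```

On a real host the series would come from the platform's sensor interface (fan tachometer, CPU load and temperature polled at a fixed interval); the jitter bound is what separates a carrier from ordinary load, so it should be tuned against a baseline captured on the same hardware before alerts are acted on.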

Air-Gap Jumping

• Electromagnetic: AirHopper [3], GSMem [4], USBee [5]

• Magnetic: ODINI [6], MAGNETO [7]

• Electric: PowerHammer [8]

• Acoustic: MOSQUITO [9], Fansmitter [10], DiskFiltration [11]

• Optical: LED-it-GO [12], xLED [13], aIR-Jumper [14]

• Thermal: BitWhisper [15]
