Conference Paper

An optical covert-channel to leak data through an air-gap


... Guri et al. also presented a method for data exfiltration from air-gapped networks via routers and switch LEDs [12]. Data can also be leaked optically through fast blinking images or low contrast bitmaps projected on the LCD screen [24]. In 2017, Guri et al. presented aIR-Jumper, malware that uses the security cameras and their IR LEDs to communicate with air-gapped networks remotely [25]. ...
... Guri et al. also presented DiskFiltration, a method that uses the acoustic signals emitted from the hard disk drive's moving arm to exfiltrate data from air-gapped computers [32].
Acoustic: Fansmitter [36], [31] (computer fan noise); DiskFiltration [32] (hard disk noise); Ultrasonic [28], [37]; MOSQUITO (speaker-to-speaker)
Thermal: BitWhisper [13]
Optical: LED-it-GO [23] (hard drive LED); VisiSploit [24] (invisible pixels); Keyboard LEDs [21], [22]; Router LEDs [12]; aIR-Jumper [25] (security cameras); BRIGHTNESS (LCD brightness) [26]
Vibration (Seismic): AiR-ViBeR, this paper (computer vibrations) ...
Preprint
Air-gap covert channels are special types of covert communication channels that enable attackers to exfiltrate data from isolated, network-less computers. Various types of air-gap covert channels have been demonstrated over the years, including electromagnetic, magnetic, acoustic, optical, and thermal. In this paper, we introduce a new type of vibrational (seismic) covert channel. We observe that computers vibrate at a frequency correlated to the rotation speed of their internal fans. These inaudible vibrations affect the entire structure on which the computer is placed. Our method is based on malware's capability of controlling the vibrations generated by a computer, by regulating its internal fan speeds. We show that the malware-generated covert vibrations can be sensed by nearby smartphones via the integrated, sensitive accelerometers. Notably, the accelerometer sensors in smartphones can be accessed by any app without requiring user permissions, which makes this attack highly evasive. We implemented AiR-ViBeR, malware that encodes binary information and modulates it over a low-frequency vibrational carrier. The data is then decoded by a malicious application on a smartphone placed on the same surface (e.g., on a desk). We discuss the attack model, provide technical background, and present the implementation details and evaluation results. Our results show that using AiR-ViBeR, data can be exfiltrated from an air-gapped computer to a nearby smartphone on the same table, or even an adjacent table, via vibrations. Finally, we propose a set of countermeasures for this new type of attack.
Magnetic: MAGNETO (CPU-generated magnetic fields) [27]; ODINI (Faraday shield bypass) [46]
Electric: PowerHammer (power lines) [42]
Acoustic: Fansmitter (computer fan noise) [40]; DiskFiltration (hard disk noise) [37]; Ultrasound [47]; MOSQUITO (speaker-to-speaker) [38], [39]; POWER-SUPPLaY (play sound from power supply) [26]; CD-LEAK (sound from CD/DVD drives) [25]
Thermal: BitWhisper (CPU-generated heat) [36]; HOTSPOT (CPU-generated heat received by a smartphone) [23]
Optical: LED-it-GO (hard drive LED) [44]; VisiSploit (invisible pixels) [30]; Keyboard LEDs [55], [41]; Router LEDs [43]; aIR-Jumper (security cameras and infrared) [28]
Vibrations ...
... Guri used the hard drive indicator LED [44], USB keyboard LEDs [41], router and switch LEDs [43], and security cameras and their IR LEDs [28] in order to exfiltrate data from air-gapped computers. Data can also be leaked optically through fast blinking images or low contrast bitmaps projected on the LCD screen [30]. ...
Preprint
In this paper, we show that attackers can exfiltrate data from air-gapped computers via Wi-Fi signals. Malware in a compromised air-gapped computer can generate signals in the Wi-Fi frequency bands. The signals are generated through the memory buses; no special hardware is required. Sensitive data can be modulated and secretly exfiltrated on top of the signals. We show that nearby Wi-Fi capable devices (e.g., smartphones, laptops, IoT devices) can intercept these signals, decode them, and send them to the attacker over the Internet. To extract the signals, we utilize the physical layer information exposed by the Wi-Fi chips. We implement the transmitter and receiver and discuss design considerations and implementation details. We evaluate this covert channel in terms of bandwidth and distance and present a set of countermeasures. Our evaluation shows that data can be exfiltrated from air-gapped computers to nearby Wi-Fi receivers located at a distance of several meters.
... These networks are separated from the Internet, based on the assumption that adversaries cannot infect a system if they cannot connect to it. As a response to these enhanced countermeasures, attackers have moved to more sophisticated covert-channel attacks (e.g., [4]- [6]) where they exfiltrate data over non-conventional channels that are not meant for communication, such as the radio frequency signals emanating from USB drives [7]. The authors in [8] develop malware to exfiltrate data through hard drive activity LEDs using a photodiode and an oscilloscope. ...
... Our proposed system can achieve higher data rates, and can be executed at much farther distances. The authors of [4] present an undetectable optical covert channel that uses LCD screens by embedding data within images. A thermal covert channel called BitWhisper is proposed in [16], which allows data to be exfiltrated from one computer to another; this channel has a data rate of only 1-8 bits per hour and both computers must be positioned close together. ...
Conference Paper
Full-text available
As the Internet of Things (IoT) continues to expand into every facet of our daily lives, security researchers have warned of its myriad security risks. While denial-of-service attacks and privacy violations have been at the forefront of research, covert channel communications remain an important concern. Utilizing a Bluetooth controlled light bulb, we demonstrate three separate covert channels, consisting of current utilization, luminosity and hue. To study the effectiveness of these channels, we implement exfiltration attacks using standard off-the-shelf smart bulbs and RGB LEDs at ranges of up to 160 feet. We analyze the identified channels for throughput, generality and stealthiness, and report transmission speeds of up to 832 bps.
... Many experiments of this type have been performed by Mordechai Guri [16][17][18] and other researchers [19][20][21]. For example, it is possible to use very low contrast or fast flickering images, which are invisible to human subjects, to transmit data using a computer display [22]. Another way is to use relatively cheap hardware to detect electromagnetic emissions from a USB [23]. ...
... Because some samples in the signals F and F may be lost, the algorithm is able to synchronize to the binary string. The decoding algorithm is presented in Algorithm 1. if correction = 1 and i < length(data) and data[i] = recvBit then offset ← correction ...
Article
Full-text available
The article presents a new concept—steganography in thermography. Steganography is a technique of hiding information in a non-obvious way and belongs to sciences related to information security. The proposed method, called ThermoSteg, uses a modification of one of the parameters of the thermal imaging camera—integration time—to embed the signal containing hidden information. Changing the integration time makes the microbolometer array heat up while reading the sensors. The covert information can be extracted from the stream of thermograms recorded by another thermal camera that observes the first one. The covert channel created with the ThermoSteg method allows the transmission of covert data using a thermal sensor as a wireless data transmitter. This article describes the physical phenomenon that is exploited by the ThermoSteg method and two proposed methods of covert data extraction, and presents the results of experiments.
... Many experiments confirming this possibility have been carried out. For example, it is possible to use images with very low contrast or fast flicker, invisible to humans, to transmit data using a computer display [9]. Another way is to use relatively cheap hardware to detect electromagnetic emission from USB [10]. ...
Article
Full-text available
The article presents a new concept of using thermography – steganography in thermography. Steganography is a technique of hiding information in a non-obvious way and belongs to the field of science related to information security. This article examines three examples of steganographic channels – covert communication channels that use thermal imaging devices in three different ways. The first proposed method uses the possibility of alternating the scene observed by the infrared camera in a way that additional information is included in the thermogram. The second method, called ThermoSteg, uses modification of one of the parameters of the thermal imaging camera (integration time) to embed the signal containing hidden information. The third method is based on digital thermograms and the methods of replacing dead pixels in them by creating the so-called zombie pixels carrying secretive information. Three methods have been implemented under real conditions and proven to work in practice.
... proved that the exfiltration of potentially sensitive data from air-gapped systems is possible by creating a covert channel through the fast flickering of the light bulb, whereas Zhou et al. (2018) managed to create a covert channel of an air-gapped system by exploiting the infrared interface. In Guri and Bykhovsky (2019), researchers achieved similar results by exploiting security cameras with infrared modules, whereas Guri, Hasson, Kedma, and Elovici (2016) managed to exfiltrate data via low-contrast and/or fast-flickering images invisible to the human eye. Similarly, in Costin (2016), researchers managed to abuse the functionality of normal/infrared LEDs in order to create hard-to-identify optical covert channels and/or even disturb the normal operation of nearby visual equipment via Denial-of-Service (DoS) and jamming attacks. ...
Chapter
The rapid evolution of the Internet-of-Things (IoT) introduces innovative services that span across various application domains. As a result, smart automation systems primarily designed for non-critical environments may also be installed in premises of critical sectors, without proper risk assessment. In this paper we focus on IoT-enabled attacks that utilize components of the smart lighting ecosystem in popular installation domains. In particular, we present a holistic security evaluation of a popular smart lighting device (the specific model is not referred to in this paper, since we are currently in the process of a responsible disclosure procedure with the vendor) that is focused on vulnerabilities and misconfigurations found in hardware, embedded software, cloud services and mobile applications. In addition, we construct a Common Vulnerability Scoring System (CVSS)-like vector for each attack scenario, in order to define the required capabilities and potential impact of these attack scenarios and examine their potential exploitability and impact.
Keywords: Internet of Things; Smart lights; Vulnerability analysis; Reverse engineering; IoT-enabled attacks
... [44] uses a monitor status LED with a data rate of 20 bit/s. Another method of using slow human visual perception was developed, in which data are leaked through hidden images displayed on a computer screen [45]. With this method, a nearly visible QR code (Quick Response code) is embedded on the computer screen. ...
Article
Full-text available
While operating, information processing devices or communication systems may emit unwanted signals (or alter existing ones) through electromagnetic waves, light, sound or power drain. These side-channels can be intercepted by anyone with scientific or technical knowledge and appropriate equipment, leading to a potentially high risk of security breaches. This survey focuses on these emanation side-channels and provides an extensive literature review. To provide an in-depth analysis despite the variety of attacks, we propose to classify the side-channels based on their intentionality, the type of attackers and the physical medium. Illustrative use-cases are presented and serve as a basis to infer individual threats. Particular attention is paid to electromagnetic side-channels which exhibit the highest criticality and have therefore been used in the most recent attacks. The main characteristics of the side-channels revealed by state-of-the-art papers are summarized, and recommendations on countermeasures are provided to protect any sensitive equipment.
... In 2018, Guri et al. presented PowerHammer [16], a method to exfiltrate data from air-gapped computers through power lines. Other types of air-gap covert channels based on acoustic [17]-[20], optical [21]-[28] and thermal [29] emissions have also been investigated. ...
Preprint
Air-gapped computers are systems that are kept isolated from the Internet since they store or process sensitive information. In this paper, we introduce an optical covert channel in which an attacker can leak (or, exfiltrate) sensitive information from air-gapped computers through manipulations of the screen brightness. This covert channel is invisible and it works even while the user is working on the computer. Malware on a compromised computer can obtain sensitive data (e.g., files, images, encryption keys and passwords) and modulate it within the screen brightness, invisible to users. The small changes in the brightness are invisible to humans but can be recovered from video streams taken by cameras such as a local security camera, smartphone camera or a webcam. We present related work and discuss the technical and scientific background of this covert channel. We examined the channel's boundaries under various parameters, with different types of computer and TV screens, and at several distances. We also tested different types of camera receivers to demonstrate the covert channel. Lastly, we present relevant countermeasures to this type of attack.
... Alternatively, covert optical channels have been researched, with Loughry et al. providing the first call of attention to possible information exfiltration attacks on air-gapped systems by using LED light indicators [91]. Similar data-exfiltration attacks have been demonstrated using LCD displays [88], infrared [87], security camera infrared lights [89], air-gapped systems [90], and smart lights [92]. ...
Article
As technology becomes more widely available, millions of users worldwide have installed some form of smart device in their homes or workplaces. These devices are often off-the-shelf commodity systems, such as Google Home or Samsung SmartThings, that are installed by end-users looking to automate a small deployment. In contrast to these “plug-and-play” systems, purpose-built Enterprise Internet-of-Things (E-IoT) systems such as Crestron, Control4, RTI, Savant offer a smart solution for more sophisticated applications (e.g., complete lighting control, A/V management, security). In contrast to commodity systems, E-IoT systems are usually closed source, costly, require certified installers, and are overall more robust for their use cases. Due to this, E-IoT systems are often found in expensive smart homes, government and academic conference rooms, yachts, and smart private offices. However, while there has been plenty of research on the topic of commodity systems, no current study exists that provides a complete picture of E-IoT systems, their components, and relevant threats. As such, lack of knowledge of E-IoT system threats, coupled with the cost of E-IoT systems has led many to assume that E-IoT systems are secure. To address this research gap, raise awareness on E-IoT security, and motivate further research, this work emphasizes E-IoT system components, E-IoT vulnerabilities, solutions, and their security implications. In order to systematically analyze the security of E-IoT systems, we divide E-IoT systems into four layers: E-IoT Devices Layer, Communications Layer, Monitoring and Applications Layer, and Business Layer. We survey attacks and defense mechanisms, considering the E-IoT components at each layer and the associated threats. In addition, we present key observations in state-of-the-art E-IoT security and provide a list of open research problems that need further research.
... The hard disk drive (HDD) LEDs [45], router and switch LEDs [44], and security cameras and their IR LEDs [27] were also proposed as methods for exfiltrating data from air-gapped networks. Researchers also showed how to exfiltrate data from air-gapped computers via screen brightness [28] and hidden images projected on the screen [31]. BitWhisper is a unique covert channel based on the thermal medium [37]. ...
Conference Paper
It is known that malware can leak data from isolated, air-gapped computers to nearby smartphones using ultrasonic waves. However, this covert channel requires access to the smartphone's microphone, which is highly protected in Android OS and iOS, and might be non-accessible, disabled, or blocked. In this paper we present 'GAIROSCOPE,' an ultrasonic covert channel that doesn't require a microphone on the receiving side. Our malware generates ultrasonic tones in the resonance frequencies of the MEMS gyroscope. These inaudible frequencies produce tiny mechanical oscillations within the smartphone's gyroscope, which can be demodulated into binary information. Notably, the gyroscope in smartphones is considered to be a 'safe' sensor that can be used legitimately from mobile apps and JavaScript. We introduce the adversarial attack model and present related work. We provide the relevant technical background and show the design and implementation of GAIROSCOPE. We present the evaluation results and discuss a set of countermeasures to this threat. Our experiments show that attackers can exfiltrate sensitive information from air-gapped computers to smartphones located a few meters away via a Speakers-to-Gyroscope covert channel.
... In [59], a covert data channel utilizing a compressive sensing technique has been devised in wireless sensor networks. A variety of covert channels for air-gapped computers have been proposed using optical effusion [21], hard disk noise [22], magnetic signals [36], electromagnetic emission [20], and thermal maneuver [19]. Heard et al. [25] utilized intents to set up an inter-application covert channel in the Android system. ...
Article
Full-text available
Owing to their hidden nature, covert channels can be utilized such that trojan applications can communicate stealthily with each other or exchange stolen private information without being revealed. To prevent damage incurred by covert channels, researchers have preemptively scrutinized diverse covert channels that can be devised by an attacker. Although covert channels based on sensor data may interest an attacker because sensing is a key task in the Internet of Things (IoT), we do not find any covert channel studies that adapted the Sequential Probability Ratio Test (SPRT) to sensor data except our prior study HoCCS, where the SPRT is applied to sensor data in Android systems before an attacker's conception; however, our previous study showed limitations owing to the static nature of the SPRT parameter settings and the method of mapping sensor data to sample types for covert channel creation. To demonstrate that these limitations can be pacified, we propose a covert channel that dynamically applies the SPRT to sensor data in IoT. In our proposed covert channel, stealthy information bit 1 (resp. 0) is encoded to and decoded from a sequence of sensor data when the SPRT with dynamic parameter settings accepts the alternate (resp. null) hypothesis. We implement our proposed covert channel on Raspberry Pi 3 Model B devices and evaluate it in terms of various metrics. Evaluation results indicate that every encoded stealthy information byte is successfully decoded in our covert channel. Furthermore, at most 3.513 samples and 28.105 SPRT executions are required on average for encoding/decoding a stealthy information byte in our devised covert channel, thus resulting in fast encoding/decoding. Finally, our developed covert channel yields a throughput ranging from 4097.5 to 9061.67 bits/sec.
... They have been studied for different purposes, such as operating systems [13], multicore chips [1,14], and cloud systems [15]. Covert channels can be set up using a large number of communication media that span from inaudible sound [16], inter-arrival timing of packets [17,18], magnetic field [19,20], inter-light [21,22] to voltage [23]. ...
Article
Full-text available
With increasing interest in multi-core systems, such as any communication systems, infrastructures can become targets for information leakage via covert channel communication. Covert channel attacks lead to leaking secret information and data. To design countermeasures against these threats, we need to have good knowledge about classes of covert channel attacks along with their properties. A temperature-based covert communication channel, known as a Thermal Covert Channel (TCC), can pose a threat to the security of critical information and data. In this paper, we present a novel scheme against such TCC attacks. The scheme adds selective noise to the thermal signal so that any possible TCC attack can be wiped out. The noise addition only happens at instances when there are chances of correct information exchange, to increase the bit error rate (BER) and keep the power consumption low. Our experiments have illustrated that the BER of a TCC attack can increase to 94% while having similar power consumption as that of state-of-the-art
... proved that the exfiltration of potentially sensitive data from air-gapped systems is possible by creating a covert channel through the fast flickering of the light bulb, whereas Zhou et al. (2018) managed to create a covert channel of an air-gapped system by exploiting the infrared interface. In Guri and Bykhovsky (2019), researchers achieved similar results by exploiting security cameras with infrared modules, whereas Guri et al. (2016) managed to exfiltrate data via low-contrast and/or fast-flickering images invisible to the human eye. Similarly, in Costin (2016), researchers managed to abuse the functionality of normal/infrared LEDs to create hard-to-identify optical covert channels and/or even disturb the normal operation of nearby visual equipment via Denial-of-Service (DoS) and jamming attacks. ...
Article
Full-text available
Internet-of-Things (IoT) extends the provision of remotely managed services across different domains. At the same time, IoT devices primarily designed for home environments may also be installed within the premises of critical urban environments, such as government, banking and corporate domains, without proper risk evaluation. In this paper, we examine the effect of cascading attacks triggered by the integration of vulnerable smart lighting systems in critical domains. In particular, we utilise known vulnerabilities of smart lighting systems to demonstrate the potential risk propagation on popular installation domains found in smart cities and urban infrastructures and services. Based on validated vulnerabilities on popular off-the-shelf smart lighting systems, we set up realistic proof-of-concept connectivity scenarios for various urban infrastructures and domains. Using these scenarios, we evaluate the risk of cascading attacks, by applying a targeted risk assessment methodology for identifying and assessing IoT-enabled attacks.
... Nassi et al. used lasers and scanners to infiltrate air-gapped networks in the organization [42]. The LEDs in network devices, cameras, and screens [15] were also used for data leakage purposes [25]. Other works such as [19], [37] discuss a thermal covert communication between different computers and cores via the control of heat emission and sensing. ...
Preprint
This paper introduces a new type of attack on isolated, air-gapped workstations. Although air-gap computers have no wireless connectivity, we show that attackers can use the SATA cable as a wireless antenna to transfer radio signals at the 6 GHz frequency band. The Serial ATA (SATA) is a bus interface widely used in modern computers and connects the host bus to mass storage devices such as hard disk drives, optical drives, and solid-state drives. The prevalence of the SATA interface makes this attack highly available to attackers in a wide range of computer systems and IT environments. We discuss related work on this topic and provide technical background. We show the design of the transmitter and receiver and present the implementation of these components. We also demonstrate the attack on different computers and provide the evaluation. The results show that attackers can use the SATA cable to transfer a brief amount of sensitive information from highly secured, air-gap computers wirelessly to a nearby receiver. Furthermore, we show that the attack can operate from user mode, is effective even from inside a Virtual Machine (VM), and can successfully work with other running workloads in the background. Finally, we discuss defense and mitigation techniques for this new air-gap attack.
... Most LED-based optical covert channels use OOK modulation, and Zhou et al. showed that the efficiency could be improved by replacing OOK modulation with B-FSK modulation [30]. Another kind of optical covert channel manipulates the monitor screen [31,32]. By modifying a small amount of content displayed on the screen, information may be transmitted without being noticed by humans. ...
Article
Full-text available
An air-gapped computer is physically isolated from unsecured networks to guarantee effective protection against data exfiltration. Due to air gaps, unauthorized data transfer seems impossible over legitimate communication channels, but in reality many so-called physical covert channels can be constructed to allow data exfiltration across the air gaps. Most of such covert channels are very slow and often require certain strict conditions to work (e.g., no physical obstacles between the sender and the receiver). In this paper, we introduce a new through-wall physical covert channel named BitJabber that is extremely fast and has a long attacking distance. We show that this covert channel can be easily created by an unprivileged sender running on a victim’s computer. Specifically, the sender constructs the channel by using only memory accesses to modulate the electromagnetic (EM) signals generated by the DRAM clock. While possessing a very high bandwidth (up to 300,000 bps), this new covert channel is also very reliable (less than 1% error rate). More importantly, this covert channel can enable data exfiltration from an air-gapped computer enclosed in a room with thick walls up to 15 cm and the maximum attacking distance is more than 6 m.
... Guri et al. also presented covert channels that use the hard drive indicator LED [16], the router LEDs [41], and security camera IR LEDs [42] to leak data from air-gapped networks. VisiSploit [43] is another optical covert channel in which data is leaked through a hidden image projected on an LCD screen. Guri also showed how to exfiltrate data from air-gapped computers via fast blinking images [44]. ...
Preprint
It is known that attackers can exfiltrate data from air-gapped computers through their speakers via sonic and ultrasonic waves. To eliminate the threat of such acoustic covert channels in sensitive systems, audio hardware can be disabled and the use of loudspeakers can be strictly forbidden. Such audio-less systems are considered to be audio-gapped, and hence immune to acoustic covert channels. In this paper, we introduce a technique that enables attackers to leak data acoustically from air-gapped and audio-gapped systems. Our developed malware can exploit the computer power supply unit (PSU) to play sounds and use it as an out-of-band, secondary speaker with limited capabilities. The malicious code manipulates the internal switching frequency of the power supply and hence controls the sound waveforms generated from its capacitors and transformers. Our technique enables producing audio tones in a frequency band of 0-24 kHz and playing audio streams (e.g., WAV) from a computer power supply without the need for audio hardware or speakers. Binary data (files, keylogging, encryption keys, etc.) can be modulated over the acoustic signals and sent to a nearby receiver (e.g., smartphone). We show that our technique works with various types of systems: PC workstations and servers, as well as embedded systems and IoT devices that have no audio hardware at all. We provide technical background and discuss implementation details such as signal generation and data modulation. We show that the POWER-SUPPLaY code can operate from an ordinary user-mode process and doesn't need any hardware access or special privileges. Our evaluation shows that using POWER-SUPPLaY, sensitive data can be exfiltrated from air-gapped and audio-gapped systems from a distance of five meters away at a maximal bit rate of 50 bit/sec.
... VisiSploit [20] is another optical covert channel in which data is leaked through a hidden image projected on an LCD screen. With this method, the 'invisible' QR code that is embedded on the computer screen is obtained by a remote camera and is then reconstructed using basic image processing operations. ...
Preprint
Using the keyboard LEDs to send data optically was proposed in 2002 by Loughry and Umphress [1] (Appendix A). In this paper we extensively explore this threat in the context of a modern cyber-attack with current hardware and optical equipment. In this type of attack, an advanced persistent threat (APT) uses the keyboard LEDs (Caps-Lock, Num-Lock and Scroll-Lock) to encode information and exfiltrate data from air-gapped computers optically. Notably, this exfiltration channel is not monitored by existing data leakage prevention (DLP) systems. We examine this attack and its boundaries for today's keyboards with USB controllers and sensitive optical sensors. We also introduce smartphone and smartwatch cameras as components of malicious insider and 'evil maid' attacks. We provide the necessary scientific background on optical communication and the characteristics of modern USB keyboards at the hardware and software level, and present a transmission protocol and modulation schemes. We implement the exfiltration malware, discuss its design and implementation issues, and evaluate it with different types of keyboards. We also test various receivers, including light sensors, remote cameras, 'extreme' cameras, security cameras, and smartphone cameras. Our experiment shows that data can be leaked from air-gapped computers via the keyboard LEDs at a maximum bit rate of 3000 bit/sec per LED given a light sensor as a receiver, and more than 120 bit/sec if smartphones are used. The attack doesn't require any modification of the keyboard at the hardware or firmware level.
Article
Modern Internet-enabled smart lights promise energy efficiency and many additional capabilities over traditional lamps. However, these connected lights also create a new attack surface, which can be maliciously used to violate users' privacy and security. In this paper, we design and evaluate novel attacks that take advantage of light emitted by modern smart bulbs, in order to infer users' private data and preferences. The first two attacks are designed to infer users' audio and video playback by a systematic observation and analysis of the multimedia-visualization functionality of smart light bulbs. The third attack utilizes the infrared capabilities of such smart light bulbs to create a covert-channel, which can be used as a gateway to exfiltrate user's private data out of their secured home or office network. A comprehensive evaluation of these attacks in various real-life settings confirms their feasibility and affirms the need for new privacy protection mechanisms.
Preprint
Full-text available
It is possible to attack a computer remotely through the front panel LEDs. Following on previous results that showed information leakage at optical wavelengths, now it seems practicable to inject information into a system as well. It is shown to be definitely feasible under realistic conditions (by infosec standards) of target system compromise; experimental results suggest it further may be possible, through a slightly different mechanism, even under high security conditions that put extremely difficult constraints on the attacker. The problem is of recent origin; it could not have occurred before a confluence of unrelated technological developments made it possible. Arduino-type microcontrollers are involved; this is an Internet of Things (IoT) vulnerability. Unlike some previous findings, the vulnerability here is moderate, at present, because it takes the infosec form of a classical covert channel. However, the architecture of several popular families of microcontrollers suggests that a Rowhammer-like directed energy optical attack that requires no malware might be possible. Phase I experiments yielded surprising and encouraging results; a covert channel is definitely practicable without exotic hardware, bandwidth approaching a Mbit/s, and the majority of discrete LEDs tested were found to be reversible on GPIO pins. Phase II experiments, not yet funded, will try to open the door remotely.
Chapter
Air-gap is an efficient technique for improving computer security. The proposed technique uses backlight modulation of the monitor screen for data transmission from an infected computer. An optimization algorithm for the segmentation of the video stream is proposed to improve data transmission robustness. This algorithm is tested using a Monte Carlo approach with full-frame analysis for different values of the standard deviation of additive Gaussian noise. The achieved results show improvements of about ten times for the proposed selective image processing at low values of the standard deviation.
Chapter
A novel technique for data transmission from an air-gap secured computer is considered in this paper. Backlight modulation of the screen using BFSK allows data transmission that is not visible to humans. The application of a digital camera equipped with a telescope allows data recovery during the lack of user activity. A demodulation scheme with automatic selection of demodulation filters is presented. Different configurations of data transmission parameters and acquisition hardware were tested.
Article
Computers that contain sensitive information are often maintained in air-gapped isolation. In this defensive measure, a computer is disconnected from the Internet - logically and physically - preventing accidental or intentional leakage of sensitive information outward. In recent years it has been shown that malware can leak data over an air-gap by transmitting sonic and ultrasonic signals from a computer speaker. In order to eliminate such acoustic covert channels, current best practice recommends the elimination of speakers in secured computers, thereby creating a so-called ‘audio-gapped’ system. In this paper, we present ‘Fansmitter,’ a malware that can acoustically exfiltrate data from air-gapped computers, even when audio hardware and speakers are not present. Our method utilizes the noise emitted from the CPU, GPU, and chassis fans. We show that software can regulate the internal fans’ rotation speed in order to control their acoustic signal, known as blade pass frequency (BPF). Binary data can be modulated and transmitted over these audio signals to a remote microphone (e.g., a nearby smartphone). We present design considerations, including acoustic waveform analysis, data modulation and demodulation, and data transmission and reception. We evaluate the acoustic covert channel with various fans at different distances and present the results. We also discuss issues such as stealth, interference, and countermeasures. Using our method we successfully transmitted data from audio-less, air-gapped computers to a mobile phone in the same room. We demonstrated an effective transmission at distances of 1–8 m, with a maximum bit rate of 60 bit/min per fan.
Article
Air-gap covert channels are special types of covert communication channels that enable attackers to exfiltrate data from isolated, network-less computers. Various types of air-gap covert channels have been demonstrated over the years, including electromagnetic, magnetic, acoustic, optical, and thermal. In this paper, we introduce a new type of vibrational (seismic) covert channel. We observe that computers vibrate at a frequency correlated to the rotation speed of their internal fans. These inaudible vibrations affect the entire structure on which the computer is placed. Our method is based on malware’s capability of controlling the vibrations generated by a computer, by regulating its internal fan speeds. We show that the malware-generated covert vibrations can be sensed by nearby smartphones via the integrated, sensitive accelerometers. Notably, the accelerometer sensors in smartphones can be accessed by any app without requiring the user permissions, which makes this attack highly evasive. We implemented AiR-ViBeR, malware that encodes binary information, and modulates it over a low frequency vibrational carrier. The data is then decoded by a malicious application on a smartphone placed on the same surface as the air-gapped computer (e.g., on a desk). We discuss the attack model, provide technical background, and present the implementation details and evaluation results. Our results show that using AiR-ViBeR, data can be exfiltrated from an air-gapped computer to a nearby smartphone on the same table, or even an adjacent table, via vibrations. Finally, we propose a set of countermeasures for this new type of attack.
Preprint
Full-text available
Exploiting thermal coupling among the cores of a processor to secretly communicate sensitive information is a serious threat in mobile, desktop, and server platforms. Existing works on temperature-based covert communication typically rely on controlling the execution of high-power CPU stressing programs to transmit confidential information. Such covert channels with high-power programs are typically easier to detect as they cause significant rise in temperature. In this work, we demonstrate that by leveraging vertical integration, it is sufficient to execute typical SPLASH-2 benchmark applications to transfer 200 bits per second (bps) of secret data via thermal covert channels. The strong vertical thermal coupling among the cores of a 3D multicore processor increases the rates of covert communication by 3.4X compared to covert communication in conventional 2D ICs. Furthermore, we show that the bandwidth of this thermal communication in 3D ICs is more resilient to thermal interference caused by applications running in other cores. This reduced interference significantly increases the danger posed by such attacks. We also investigate the effect of reducing inter-tier overlap between colluded cores and show that the covert channel bandwidth is reduced by up to 62% with no overlap.
Chapter
A methodological approach that allows automating and systematizing the manifestations of the effect of information security from leaks through technical transmission channels was proposed. The probabilistic model of threat execution has been supplemented. It makes it possible, on the basis of the proposed software (SW), to involve several experts to assess the relevance of threats of information leakage through technical channels for information transfer (TCIT) in the context of dynamic improvement of technical means of intelligence (TMI). The developed software, in combination with software designed to assess the risks of information loss, will allow a comprehensive assessment of the degree of security of TCIT companies. The developed software helps to reduce the cost of conducting highly specialized research in matters related to assessing the relevance of the threats of leakage of information on TCIT in the context of dynamic improvement of the TMI.
Keywords: Information leaks; Threat assessment; Calculations automation; Technical channels of information transfer; Information security
Article
Printers have become ubiquitous in modern office spaces, and their placement in these spaces has been guided more by accessibility than security. Due to the proximity of printers to places with potentially high-stakes information, the possible misuse of these devices is concerning. We present a previously unexplored covert channel that effectively uses the sound generated by printers with inkjet technology to exfiltrate arbitrary sensitive data (unrelated to the apparent content of the document being printed) from an air-gapped network. We also discuss a series of defense techniques that can make these devices invulnerable to covert manipulation. The proposed covert channel works by malware installed on a computer with access to a printer, injecting certain imperceptible patterns into all documents that applications on the computer send to the printer. These patterns can control the printing process without visibly altering the original content of a document, and generate acoustic signals that a nearby acoustic recording device, such as a smartphone, can capture and decode. To prove and analyze the capabilities of this new covert channel, we carried out tests considering different types of document layouts and distances between the printer and recording device. We achieved a bit error ratio less than 5% and an average bit rate of approximately 0.5 bps across all tested printers at distances up to 4 m, which is sufficient to extract tiny bits of information.
Chapter
In this chapter, we analyze cybersecurity weaknesses in three use-cases of real-world cyber-physical systems: transportation (aviation), remote explosives and robotic weapons (fireworks pyrotechnics), and physical security (CCTV). The digitalization, interconnection, and IoT-nature of cyber-physical systems make them attractive targets. It is crucial to ensure that such systems are protected from cyber attacks, and therefore it is equally important to study and understand their major weaknesses.
Preprint
Full-text available
As technology becomes more widely available, millions of users worldwide have installed some form of smart device in their homes or workplaces. These devices are often off-the-shelf commodity systems, such as Google Home or Samsung SmartThings, that are installed by end-users looking to automate a small deployment. In contrast to these "plug-and-play" systems, purpose-built Enterprise Internet-of-Things (E-IoT) systems such as Crestron, Control4, RTI, Savant offer a smart solution for more sophisticated applications (e.g., complete lighting control, A/V management, security). In contrast to commodity systems, E-IoT systems are usually closed source, costly, require certified installers, and are overall more robust for their use cases. Due to this, E-IoT systems are often found in expensive smart homes, government and academic conference rooms, yachts, and smart private offices. However, while there has been plenty of research on the topic of commodity systems, no current study exists that provides a complete picture of E-IoT systems, their components, and relevant threats. As such, lack of knowledge of E-IoT system threats, coupled with the cost of E-IoT systems has led many to assume that E-IoT systems are secure. To address this research gap, raise awareness on E-IoT security, and motivate further research, this work emphasizes E-IoT system components, E-IoT vulnerabilities, solutions, and their security implications. In order to systematically analyze the security of E-IoT systems, we divide E-IoT systems into four layers: E-IoT Devices Layer, Communications Layer, Monitoring and Applications Layer, and Business Layer. We survey attacks and defense mechanisms, considering the E-IoT components at each layer and the associated threats. In addition, we present key observations in state-of-the-art E-IoT security and provide a list of open research problems that need further research.
Article
In this paper we show how two or more air-gapped computers in the same room, equipped with passive speakers, headphones, or earphones can covertly exchange data via ultrasonic waves. Microphones are not required. Our method is based on the capability of a malware to exploit a specific audio chip feature in order to reverse the connected speakers from output devices into input devices - unobtrusively rendering them microphones. We discuss the attack model and provide technical background and implementation details. We show that although the reversed speakers/headphones/earphones were not originally designed to perform as microphones, they still respond well to the near-ultrasonic range (18 kHz to 24 kHz). We evaluate the communication channel with different equipment, and at various distances and transmission speeds, and also discuss some practical considerations. Our results show that the speaker-to-speaker communication can be used to covertly transmit data between two air-gapped computers positioned a maximum of 9 m away from one another. Moreover, we show that two (microphone-less) headphones can exchange data from a distance of 3 m apart. This enables ‘headphones-to-headphones’ covert communication, which is discussed for the first time in this paper.
Article
The thermal covert channels (TCCs) in many-core systems can cause detrimental data breaches. In this paper, we present a three-step scheme to detect and fight against such TCC attacks. Specifically, in the detection step, each core calculates the spectrum of its own CPU workload traces that are collected over a few fixed time intervals, and then it applies a frequency scanning method to detect if there exists any TCC attack. In the next positioning step, the logical cores running the transmitter threads are located. In the last step, the physical CPU cores suspiciously engaging in a TCC attack have to undertake Dynamic Voltage Frequency Scaling (DVFS) such that any possible TCC trace will be essentially wiped out. Our experiments have confirmed that on average 97% of the TCC attacks can be detected, and with the proposed defense, the packet error rate (PER) of a TCC attack can soar to more than 70%, literally shutting down the attack in practical terms. The performance penalty caused by the inclusion of the proposed DVFS countermeasures is found to be only 3% for an 8×8 many-core system.
Article
As a means to thwart thermal covert channel attack in a multi-/many-core system, a strong heat noise whose frequency band coincides with that occupied by the thermal covert channel is injected to jam the channel. However, this undiscriminating channel jamming-based countermeasure will fail if a thermal covert channel is allowed to change its transmission frequency dynamically in response to the jamming. To combat this enhanced thermal covert channel, a more advanced countermeasure is needed and thus proposed that checks the frequency spectrum and tracks any possible covert channel. Only after a channel is detected to be susceptible, a thermal noise with this channel frequency is then emitted to jam the covert channel. The communication protocols and frequency changing scheme pertaining to this enhanced thermal covert channel are described in this article. The experimental results confirm that, when the proposed countermeasure is applied, the enhanced thermal covert channel, much more resilient to jamming, suffers from an extremely high packet error rate (PER), which makes any meaningful data leakage practically impossible. As the proposed countermeasure method is poised to contain dangerous thermal covert channel attacks with an anti-jamming capability, it lends itself well to secure multi-/many-core systems.
Article
Exploiting thermal coupling among the cores of a processor to secretly communicate sensitive information is a serious threat in mobile, desktop, and server platforms. Existing works on temperature-based covert communication typically rely on controlling the execution of high-power CPU stressing programs to transmit confidential information. Such covert channels with high-power programs are typically easier to detect as they cause significant rise in temperature. In this work, we demonstrate that by leveraging vertical integration, it is sufficient to execute typical SPLASH-2 benchmark applications to transfer 200 bits per second (bps) of secret data via thermal covert channels. The strong vertical thermal coupling among the cores of a 3-D multicore processor increases the rates of covert communication by 3.4× compared to covert communication in conventional 2-D integrated circuits (ICs). Furthermore, we show that the bandwidth of this thermal communication in 3-D ICs is more resilient to thermal interference caused by applications running in other cores. This reduced interference significantly increases the danger posed by such attacks. We also investigate the effect of reducing intertier overlap between colluded cores and show that the covert channel bandwidth is reduced by up to 62% with no overlap.
Article
In this paper, we evaluate an optical covert channel in which sensitive information (textual or binary) is exfiltrated from air-gapped computers through the LCD screen. Our experiments show that low contrast and fast blinking images, which are invisible to human subjects, can be recovered from photos taken by a local camera. Consequently, we show that malware on a compromised computer can obtain sensitive data (e.g., files, images, encryption keys, passwords), and project it onto a computer LCD screen, invisible and unbeknownst to users. An attacker can reconstruct the hidden data using a photo taken by a local camera. In order to demonstrate the feasibility of this type of attack and evaluate the channel's stealth, we conducted a battery of tests with 40 users. We also examined the channel’s boundaries under various parameters, with different types of encoded objects, at several distances, and using several kinds of cameras.
Conference Paper
Full-text available
Air gaps are generally considered to be a very efficient information security protection. However, this technique also showed limitations, involving finding covert channels for bridging the air gap. Interestingly, recent publications have pointed out that a smart use of the intentional electromagnetic interferences introduced new threats for information security. In this paper, an innovative way for remotely communicating with a malware installed on a computer by involving the induced perturbations is discussed leading to the design of a new air gap bridging covert channel.
Article
Full-text available
Information is the most critical asset of modern organizations, and accordingly coveted by adversaries. When highly sensitive data is involved, an organization may resort to air-gap isolation, in which there is no networking connection between the inner network and the external world. While infiltrating an air-gapped network has been proven feasible in recent years (e.g., Stuxnet), data exfiltration from an air-gapped network is still considered to be one of the most challenging phases of an advanced cyber-attack. In this paper we present "AirHopper", a bifurcated malware that bridges the air-gap between an isolated network and nearby infected mobile phones using FM signals. While it is known that software can intentionally create radio emissions from a video display unit, this is the first time that mobile phones are considered in an attack model as the intended receivers of maliciously crafted radio signals. We examine the attack model and its limitations, and discuss implementation considerations such as stealth and modulation methods. Finally, we evaluate AirHopper and demonstrate how textual and binary data can be exfiltrated from a physically isolated computer to mobile phones at a distance of 1-7 meters, with an effective bandwidth of 13-60 Bps (Bytes per second).
Article
Full-text available
Covert channels can be used to circumvent system and network policies by establishing communications that have not been considered in the design of the computing system. We construct a covert channel between different computing systems that utilizes audio modulation/demodulation to exchange data between the computing systems over the air medium. The underlying network stack is based on a communication system that was originally designed for robust underwater communication. We adapt the communication system to implement covert and stealthy communications by utilizing the ultrasonic frequency range. We further demonstrate how the scenario of covert acoustical communication over the air medium can be extended to multi-hop communications and even to wireless mesh networks. A covert acoustical mesh network can be conceived as a meshed botnet or malnet that is accessible via inaudible audio transmissions. Different applications of covert acoustical mesh networks are presented, including the use for remote keylogging over multiple hops. It is shown that the concept of a covert acoustical mesh network renders many conventional security concepts useless, as acoustical communications are usually not considered. Finally, countermeasures against covert acoustical mesh networks are discussed, including the use of lowpass filtering in computing systems and a host-based intrusion detection system for analyzing audio input and output in order to detect any irregularities.
Article
Full-text available
Industrial systems consider security only partially, mostly relying on the basis of "isolated" networks and controlled access environments. Monitoring and control systems such as SCADA/DCS that are responsible for managing critical infrastructures operate in these environments, where a false sense of security assumptions is usually made. The Stuxnet worm attack demonstrated widely in mid-2010 that many of the security assumptions made about the operating environment, technological capabilities and potential threat risk analysis are far away from the reality and challenges modern industrial systems face. We investigate in this work the highly sophisticated aspects of Stuxnet, the impact that it may have on existing security considerations and pose some thoughts on the next generation SCADA/DCS systems from a security perspective.
Article
Full-text available
Information and computer security is supported largely by passwords, which are the principal part of the authentication process. The most common computer authentication method is to use an alphanumeric username and password, which has significant drawbacks. To overcome the vulnerabilities of traditional methods, visual or graphical password schemes have been developed as possible alternative solutions to text-based schemes. A potential drawback of graphical password schemes is that they are more vulnerable to shoulder surfing than conventional alphanumeric text passwords. When users input their passwords in a public place, they may be at risk of attackers stealing their password. An attacker can capture a password by direct observation or by recording the individual’s authentication session. This is referred to as shoulder surfing and is a known risk, of special concern when authenticating in public places. In this paper we will present a survey on graphical password schemes from 2005 till 2009 which are proposed to be resistant against shoulder surfing attacks.
Article
Full-text available
A previously unknown form of compromising emanations has been discovered. LED status indicators on data communication equipment, under certain conditions, are shown to carry a modulated optical signal that is significantly correlated with information being processed by the device. Physical access is not required; the attacker gains access to all data going through the device, including plaintext in the case of data encryption systems. Experiments show that it is possible to intercept data under realistic conditions at a considerable distance. Many different sorts of devices, including modems and Internet Protocol routers, were found to be vulnerable. A taxonomy of compromising optical emanations is developed, and design changes are described that will successfully block this kind of "Optical TEMPEST" attack.
Article
Air gaps are generally considered to be a very efficient information security protection. However, this technique also showed limitations, involving finding covert channels for bridging the air gap. Interestingly, recent publications have pointed out that a smart use of the intentional electromagnetic interferences introduced new threats for information security. In this paper, an innovative way for remotely communicating with a malware already installed on a computer by involving the induced perturbations is discussed leading to the design of a new air gap bridging covert channel.
Article
In recent years researchers have demonstrated how attackers could use USB connectors implanted with RF transmitters to exfiltrate data from secure, and even air-gapped, computers (e.g., COTTONMOUTH in the leaked NSA ANT catalog). Such methods require a hardware modification of the USB plug or device, in which a dedicated RF transmitter is embedded. In this paper we present USBee, software that can utilize an unmodified USB device connected to a computer as an RF transmitter. We demonstrate how software can intentionally generate controlled electromagnetic emissions from the data bus of a USB connector. We also show that the emitted RF signals can be controlled and modulated with arbitrary binary data. We implement a prototype of USBee, and discuss its design and implementation details including signal generation and modulation. We evaluate the transmitter by building a receiver and demodulator using GNU Radio. Our evaluation shows that USBee can be used for transmitting binary data to a nearby receiver at a bandwidth of 20 to 80 BPS (bytes per second).
Article
Air-gapped computers are disconnected from the Internet physically and logically. This measure is taken in order to prevent the leakage of sensitive data from secured networks. In the past, it has been shown that malware can exfiltrate data from air-gapped computers by transmitting ultrasonic signals via the computer's speakers. However, such acoustic communication relies on the availability of speakers on a computer. In this paper, we present 'DiskFiltration,' a covert channel which facilitates the leakage of data from an air-gapped computer via acoustic signals emitted from its hard disk drive (HDD). Our method is unique in that, unlike other acoustic covert channels, it doesn't require the presence of speakers or audio hardware in the air-gapped computer. Malware installed on a compromised machine can generate acoustic emissions at specific audio frequencies by controlling the movements of the HDD's actuator arm. Digital information can be modulated over the acoustic signals and then be picked up by a nearby receiver (e.g., smartphone, smartwatch, laptop, etc.). We examine the HDD anatomy and analyze its acoustical characteristics. We also present signal generation and detection, and data modulation and demodulation algorithms. Based on our proposed method, we developed a transmitter on a personal computer and a receiver on a smartphone, and we provide the design and implementation details. We also evaluate our covert channel on various types of internal and external HDDs in different computer chassis and at various distances. With DiskFiltration we were able to covertly transmit data (e.g., passwords, encryption keys, and keylogging data) from air-gapped computers to a smartphone at an effective bit rate of 180 bits/minute (10,800 bits/hour) and a distance of up to two meters (six feet).
Article
Because computers may contain or interact with sensitive information, they are often air-gapped and in this way kept isolated and disconnected from the Internet. In recent years the ability of malware to communicate over an air-gap by transmitting sonic and ultrasonic signals from a computer speaker to a nearby receiver has been shown. In order to eliminate such acoustic channels, current best practice recommends the elimination of speakers (internal or external) in secure computers, thereby creating a so-called 'audio-gap'. In this paper, we present Fansmitter, a malware that can acoustically exfiltrate data from air-gapped computers, even when audio hardware and speakers are not present. Our method utilizes the noise emitted from the CPU and chassis fans which are present in virtually every computer today. We show that software can regulate the internal fans' speed in order to control the acoustic waveform emitted from a computer. Binary data can be modulated and transmitted over these audio signals to a remote microphone (e.g., on a nearby mobile phone). We present Fansmitter's design considerations, including acoustic signature analysis, data modulation, and data transmission. We also evaluate the acoustic channel, present our results, and discuss countermeasures. Using our method we successfully transmitted data from an air-gapped computer without audio hardware to a smartphone receiver in the same room. We demonstrated the effective transmission of encryption keys and passwords from a distance of zero to eight meters, with a bit rate of up to 900 bits/hour. We show that our method can also be used to leak data from different types of IT equipment, embedded systems, and IoT devices that have no audio hardware, but contain fans of various types and sizes.
Conference Paper
Air-gapped networks are isolated, separated both logically and physically from public networks. Although the feasibility of invading such systems has been demonstrated in recent years, exfiltration of data from air-gapped networks is still a challenging task. In this paper we present GSMem, a malware that can exfiltrate data through an air-gap over cellular frequencies. Rogue software on an infected target computer modulates and transmits electromagnetic signals at cellular frequencies by invoking specific memory-related instructions and utilizing the multichannel memory architecture to amplify the transmission. Furthermore, we show that the transmitted signals can be received and demodulated by a rootkit placed in the baseband firmware of a nearby cellular phone. We present crucial design issues such as signal generation and reception, data modulation, and transmission detection. We implement a prototype of GSMem consisting of a transmitter and a receiver and evaluate its performance and limitations. Our current results demonstrate its efficacy and feasibility, achieving an effective transmission distance of 1-5.5 meters with a standard mobile phone. When using a dedicated, yet affordable hardware receiver, the effective distance reached over 30 meters.
Article
The emergence of high frame rate computational displays has created an opportunity for viewing experiences impossible on traditional displays. These displays can create views personalized to multiple users, encode hidden messages, or even decompose and encode a targeted light field to create glasses-free 3D views [Masia et al. 2013].
Article
This paper presents a new metric, which we call Signal Available to Attacker (SAVAT), that measures the side channel signal created by a specific single-instruction difference in program execution, i.e., the amount of signal made available to a potential attacker who wishes to decide whether the program has executed instruction/event A or instruction/event B. We also devise a practical methodology for measuring SAVAT in real systems using only user-level access permissions and common measurement equipment. Finally, we perform a case study where we measure electromagnetic (EM) emanations SAVAT among 11 different instructions for three different laptop systems. Our findings from these experiments confirm key intuitive expectations, e.g., that SAVAT between on-chip instructions and off-chip memory accesses tends to be higher than between two on-chip instructions. However, we find that particular instructions, such as integer divide, have much higher SAVAT than other instructions in the same general category (integer arithmetic), and that last-level-cache hits and misses have similar (high) SAVAT. Overall, we confirm that our new metric and methodology can help discover the most vulnerable aspects of a processor architecture or a program, and thus inform decision-making about how to best manage the overall side channel vulnerability of a processor, a program, or a system.
Conference Paper
We take a closer look at keyboard acoustic emanations specifically for the purpose of eavesdropping over random passwords. In this scenario, dictionary and HMM language models are not applicable; the attacker can only utilize the raw acoustic information which has been recorded. We investigate several existing signal processing techniques for our purpose, and introduce a novel technique -- time-frequency decoding -- that improves the detection accuracy compared to previous techniques. We also carefully examine the effect of typing style -- a crucial variable largely ignored by prior research -- on the detection accuracy. Our results show that using the same typing style (hunt and peck) for both training and decoding the data, the best case success rate for detecting correctly the typed key is 64% per character. The results also show that changing the typing style, to touch typing, during the decoding stage reduces the success rate, but using the time-frequency technique, we can still achieve a success rate of around 40% per character. Our work takes the keyboard acoustic attack one step further, bringing it closer to a full-fledged vulnerability under realistic scenarios (different typing styles and random passwords). Our results suggest that while the performance of these attacks degrades under such conditions, it is still possible, utilizing the time-frequency technique, to considerably reduce the exhaustive search complexity of retrieving a random password.
Conference Paper
We have developed a high-frame-rate LED display. Full-color images with high brightness are refreshed at 480 frames per second. In order to transmit such a high-frame-rate signal via conventional 120-Hz DVI, we have introduced a spatiotemporal mapping for its signal input. Four adjacent pixels in each frame of the DVI signal are converted into four successive fields. This spatiotemporal mapping improves perceived image quality for stereoscopic display and also enables us to implement a kind of steganography. The developed 480-fps LED display was utilized for stereoscopic 3D display without glasses, and image interpolation has been demonstrated. Furthermore, the developed high-frame-rate LED display has been utilized for a new signage technique based on spatiotemporal steganography. A text is hidden in successive frames so that it is unnoticeable, because we cannot distinguish high-frame-rate images. The hidden text can be decoded by viewing through a waving hand.
Article
Steganography is the science that involves communicating secret data in an appropriate multimedia carrier, e.g., image, audio, and video files. It comes under the assumption that if the feature is visible, the point of attack is evident; thus the goal here is always to conceal the very existence of the embedded data. Steganography has various useful applications. However, like any other science, it can be used for ill intentions. It has been propelled to the forefront of current security techniques by the remarkable growth in computational power, the increase in security awareness by, e.g., individuals, groups, agencies, government and through intellectual pursuit. Steganography's ultimate objectives, which are undetectability, robustness (resistance to various image processing methods and compression) and capacity of the hidden data, are the main factors that separate it from related techniques such as watermarking and cryptography. This paper provides a state-of-the-art review and analysis of the different existing methods of steganography along with some common standards and guidelines drawn from the literature. This paper concludes with some recommendations and advocates for the object-oriented embedding mechanism. Steganalysis, which is the science of attacking steganography, is not the focus of this survey but nonetheless will be briefly discussed.
Conference Paper
Shoulder-surfing - using direct observation techniques, such as looking over someone's shoulder, to get passwords, PINs and other sensitive personal information - is a problem that has been difficult to overcome. When a user enters information using a keyboard, mouse, touch screen or any traditional input device, a malicious observer may be able to acquire the user's password credentials. We present EyePassword, a system that mitigates the issues of shoulder surfing via a novel approach to user input. With EyePassword, a user enters sensitive input (password, PIN, etc.) by selecting from an on-screen keyboard using only the orientation of their pupils (i.e. the position of their gaze on screen), making eavesdropping by a malicious observer largely impractical. We present a number of design choices and discuss their effect on usability and security. We conducted user studies to evaluate the speed, accuracy and user acceptance of our approach. Our results demonstrate that gaze-based password entry requires marginal additional time over using a keyboard, error rates are similar to those of using a keyboard and subjects preferred the gaze-based password entry approach over traditional methods.
Article
Computer keyboards are often used to transmit confidential data such as passwords. Since they contain electronic components, keyboards eventually emit electromagnetic waves. These emanations could reveal sensitive information such as keystrokes. The technique generally used to detect compromising emanations is based on a wide-band receiver, tuned on a specific frequency. However, this method may not be optimal since a significant amount of information is lost during the signal acquisition. Our approach is to acquire the raw signal directly from the antenna and to process the entire captured electromagnetic spectrum. Thanks to this method, we detected four different kinds of compromising electromagnetic emanations generated by wired and wireless keyboards. These emissions lead to a full or a partial recovery of the keystrokes. We implemented these side-channel attacks and our best practical attack fully recovered 95% of the keystrokes of a PS/2 keyboard at a distance up to 20 meters, even through walls. We tested 12 different keyboard models bought between 2001 and 2008 (PS/2, USB, wireless and laptop). They are all vulnerable to at least one of the four attacks. We conclude that most of modern computer keyboards generate compromising emanations (mainly because of the manufacturer cost pressures in the design). Hence, they are not safe to transmit confidential information.
Article
Human ability to resolve temporal variation, or flicker, in the luminance (brightness) or chromaticity (color) of an image declines with increasing frequency and is limited, within the central visual field, to a critical flicker frequency of approximately 50 and 25 Hz, respectively. Much remains unknown about the neural filtering that underlies this frequency-dependent attenuation of flicker sensitivity, most notably the number of filtering stages involved and their neural loci. Here we use the process of flicker adaptation, by which an observer's flicker sensitivity is attenuated after prolonged exposure to flickering lights, as a functional landmark. We show that flicker adaptation is more sensitive to high temporal frequencies than is conscious perception and that prolonged exposure to invisible flicker of either luminance or chromaticity, at frequencies above the respective critical flicker frequency, can compromise our visual sensitivity. This suggests that multiple filtering stages, distributed across retinal and cortical loci that straddle the locus for flicker adaptation, are involved in the neural filtering of high temporal frequencies by the human visual system.
Conference Paper
It is well known that eavesdroppers can reconstruct video screen content from radio frequency emanations. We discuss techniques that enable the software on a computer to control the electromagnetic radiation it transmits. This can be used for both attack and defence. To attack a system, malicious code can encode stolen information in the machine’s RF emissions and optimise them for some combination of reception range, receiver cost and covertness. To defend a system, a trusted screen driver can display sensitive information using fonts which minimise the energy of these emissions. There is also an interesting potential application to software copyright protection.
Article
Electronic equipment can emit unintentional signals from which eavesdroppers may reconstruct processed data at some distance. This has been a concern for military hardware for over half a century. The civilian computer-security community became aware of the risk through the work of van Eck in 1985. Military "Tempest" shielding test standards remain secret and no civilian equivalents are available at present. The topic is still largely neglected in security textbooks due to a lack of published experimental data. This report documents eavesdropping experiments on contemporary computer displays. It discusses the nature and properties of compromising emanations for both cathode-ray tube and liquid-crystal monitors. The detection equipment used matches the capabilities to be expected from well-funded professional eavesdroppers. All experiments were carried out in a normal unshielded office environment. They therefore focus on emanations from display refresh signals, where periodic averaging can be used to obtain reproducible results in spite of varying environmental noise. Additional experiments described in this report demonstrate how to make information emitted via the video signal more easily receivable, how to recover plaintext from emanations via radio-character recognition, how to estimate remotely precise video-timing parameters, and how to protect displayed text from radio-frequency eavesdroppers by using specialized screen drivers with a carefully selected video card. Furthermore, a proposal for a civilian radio-frequency emission-security standard is outlined, based on path-loss estimates and published data about radio noise levels. Finally, a new optical eavesdropping technique is demonstrated that reads CRT displays at a distance. It observes high-frequency variations of the light emitted, even after diffuse reflection. Experiments with a typical monitor show that enough video signal remains in the light to permit the reconstruction of readable text from signals detected with a fast photosensor. Shot-noise calculations provide an upper bound for this risk.
How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last
  • D Goodin
  • K E Group
Military Computer Attack Confirmed
  • B Knowlton
The Malicious Insider
  • Trip Wire
  • Irfhan Khimji
Social Engineering, the USB Way
  • S Stasiukonis
How to make a computer screen INVISIBLE
  • S Griffith
Chapter 12: Color Images
  • W Burger
  • M J Burge
Agent.btz: a Source of Inspiration?
  • A Gostev
Meet “badBIOS,” the mysterious Mac and PC malware that jumps airgaps
  • D Goodin
Best Spy Pen Mini Hidden Cameras
  • N Techy
Seven grayscale conversion algorithms
  • T Helland