Article

MAGNETO: Covert Channel between Air-Gapped Systems and Nearby Smartphones via CPU-Generated Magnetic Fields


Abstract

In this paper, we show that attackers can leak data from isolated, air-gapped computers to nearby smartphones via covert magnetic signals. The proposed covert channel works even if a smartphone is kept inside a Faraday shielding case, which aims to block any type of inbound and outbound wireless communication (Wi-Fi, cellular, Bluetooth, etc.). The channel also works if the smartphone is set in airplane mode in order to block any communication with the device. We implement a malware that controls the magnetic fields emanating from the computer by regulating workloads on the CPU cores. Sensitive data such as encryption keys, passwords, or keylogging data is encoded and transmitted over the magnetic signals. A smartphone located near the computer receives the covert signals with its magnetic sensor. We present technical background, and discuss signal generation, data encoding, and signal reception. We show that the proposed covert channel works from a user-level process, without requiring special privileges, and can successfully operate from within an isolated virtual machine (VM).


... However, recent research has discovered that many physical side effects of computation on air-gapped computers can be exploited to construct so-called physical covert channels to re-enable data exfiltration. The physical side effects that can be exploited are various, including thermal [2], optical [3][4][5][6], magnetic [7][8][9], acoustic [10][11][12][13], or electromagnetic (EM) [14][15][16][17]. The communication distance of such covert channels is usually very short, ranging from several centimeters to several meters, due to the high attenuation of the exploited physical effects in the distance. ...
... As the magnetic field around a computer can be affected by manipulating components like hard disk drives [9] and CPUs [7,8], magnetic covert channels have also been constructed. The magnetic field can be measured by either specialized equipment like a digital magnetometer or any hardware equipped with magnetic sensors like mobile phones. ...
... Similar to the previous work [2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][34], in this paper, we explore how to construct a covert communication channel between a pair of air-gapped sender and receiver. We assume that the sender has been placed on the victim computer that stores or processes the secret data of interest, and the sender can acquire the secret through techniques like microarchitectural side-channels [39]. ...
Article
Full-text available
An air-gapped computer is physically isolated from unsecured networks to guarantee effective protection against data exfiltration. Due to air gaps, unauthorized data transfer seems impossible over legitimate communication channels, but in reality many so-called physical covert channels can be constructed to allow data exfiltration across the air gaps. Most of such covert channels are very slow and often require certain strict conditions to work (e.g., no physical obstacles between the sender and the receiver). In this paper, we introduce a new through-wall physical covert channel named BitJabber that is extremely fast and has a long attacking distance. We show that this covert channel can be easily created by an unprivileged sender running on a victim’s computer. Specifically, the sender constructs the channel by using only memory accesses to modulate the electromagnetic (EM) signals generated by the DRAM clock. While possessing a very high bandwidth (up to 300,000 bps), this new covert channel is also very reliable (less than 1% error rate). More importantly, this covert channel can enable data exfiltration from an air-gapped computer enclosed in a room with thick walls up to 15 cm and the maximum attacking distance is more than 6 m.
... In essential infrastructures and other corporate environments with highly sensitive information, it is common to have air-gapped systems, that is, computing devices with no network connection. As a result, a great amount of networkless covert channels have been proposed (e.g., [3], [4]). ...
... Their use in network protocols was one common application [7] and they have been specially applied in air-gapped computers, that is, devices isolated from public or insecure networks. In this vein, a wide array of approaches has been proposed: [8] presents a malware to exfiltrate data through cellular GSM frequencies; [9] through the blinking pattern of keyboard LEDs; [3] through electric emissions on power lines; [4] through the magnetic fields of computers, using a smartphone to receive the covert signals with its magnetic sensor; [10] through the speakers of a computer considering acoustic signals emitted from its hard drive; [11] through the LED of a computer hard drive; [12] through blinking infrared LEDs of computer devices; [13] through LEDs located in network equipment such as switches or routers; [6] through vibrations by controlling the fan speed of a computer; and [14] through turning power supplies into speakers by manipulating their internal switching frequency. With the same purpose but not focusing on air-gapped devices, [15] proposes the use of electromagnetic signals as a covert channel between a laptop and a smartphone. ...
Conference Paper
The widespread adoption of smartphones makes them essential in daily routines. Thus, they can be used to create a covert channel without raising suspicions. To avoid detection, networkless communications are preferred. In this paper, we propose SmartLED, a mechanism to build covert channels leveraging a widely available smartphone feature: its notification LED. The secret is encoded through LED blinks using Manhattan encoding. SmartLED is assessed in real-world indoor and outdoor scenarios, considering different distances up to 5 meters. Our results show that the best performance is achieved in dark settings: 34.8 s are needed to exfiltrate a 7-byte password to a distance of 1 m. Remarkably, distance does not cause a great impact on effective transmission time and shorter blinks do not lead to substantially greater transmission errors.
... As it has been discovered in prior work [30,38], the magnetometer on mobile devices is susceptible to the electromagnetic radiation emanated from electronic devices located nearby. In particular, high CPU workload on a device typically requires more power, which results in a higher produced electromagnetic field. ...
... The reaction of magnetometers to electromagnetic activity emitted by computer components has been used to establish inter-device covert channels. Researchers used magnetometers to receive covert signals from a nearby computer encoded into hard drive activity [19], CPU activity [30], and combined I/O activity [38]. Matyunin et al. [37] proposed a magnetometer-based intra-device covert channel on smartphones. ...
... Second, in principle, magnetometer sensors are susceptible to external electromagnetic noise. However, as shown in other works [30,38], magnetometers are affected by the noise from nearby computers only at short distances (≤15 cm). We performed all experiments in a typical office environment with a natural arrangement of multiple electronic devices, such as laptops, WiFi access points, and other smartphones. ...
Preprint
Full-text available
Recent studies have shown that aggregate CPU usage and power consumption traces on smartphones can leak information about applications running on the system or websites visited. In response, access to such data has been blocked for mobile applications starting from Android 7. In this work, we explore a new source of side-channel leakage for this class of attacks. Our method is based on the fact that electromagnetic activity caused by mobile processors leads to noticeable disturbances in magnetic sensor measurements on mobile devices, with the amplitude being proportional to the CPU workload. Therefore, recorded sensor data can be analyzed to reveal information about ongoing activities. The attack works on a number of devices: We evaluated 59 models of modern smartphones and tablets and observed the reaction of the magnetometer to CPU activity on 39 of them. On selected devices, we were able to successfully identify which application has been opened (with up to 90% accuracy) or which web page has been loaded (up to 91% accuracy). We believe that the presented side channel poses a significant risk to end users' privacy, as the sensor data can be recorded from native apps and even from web pages without user permissions. Finally, we discuss possible countermeasures to prevent the presented information leakage.
Conference Paper
Recent studies have shown that aggregate CPU usage and power consumption traces on smartphones can leak information about applications running on the system or websites visited. In response, access to such data has been blocked for mobile applications starting from Android 8. In this work, we explore a new source of side-channel leakage for this class of attacks. Our method is based on the fact that electromagnetic activity caused by mobile processors leads to noticeable disturbances in magnetic sensor measurements on mobile devices, with the amplitude being proportional to the CPU workload. Therefore, recorded sensor data can be analyzed to reveal information about ongoing activities. The attack works on a number of devices: we evaluated 80 models of modern smartphones and tablets and observed the reaction of the magnetometer to the CPU activity on 56 of them. On selected devices we were able to successfully identify which application has been opened (with up to 90% accuracy) or which web page has been loaded (up to 91% accuracy). The presented side channel poses a significant risk to end users' privacy, as the sensor data can be recorded from native apps or even from web pages without user permissions. Finally, we discuss possible countermeasures to prevent the presented information leakage.
... In this type of communication, a malware modulates binary information over the electromagnetic waves radiating from computer components (LCD screens, communication cables, computer buses, and hardware peripherals [12], [13], [14], [15], [16]). Other types of air-gap covert channels based on magnetic [17], [18], acoustic [19], [20] optical, [21] and thermal [22] emissions have also been investigated. In this paper, we present a new type of electric (current flow) covert channel. ...
... They showed that the low-frequency magnetic fields bypass Faraday cages and metal shields. Guri et al. also demonstrated MAGNETO [18], a malware which is capable of leaking data from air-gapped computers to nearby smartphones via magnetic signals. They used the magnetometer sensor integrated in smartphones to measure the change in magnetic fields. ...
Article
In this paper we provide an implementation, evaluation, and analysis of PowerHammer, a malware (bridgeware [1]) that uses power lines to exfiltrate data from air-gapped computers. In this case, a malicious code running on a compromised computer can control the power consumption of the system by intentionally regulating the CPU utilization. Data is modulated, encoded, and transmitted on top of the current flow fluctuations, and then it is conducted and propagated through the power lines. This phenomenon is known as a 'conducted emission'. We present two versions of the attack. Line level power-hammering: In this attack, the attacker taps the in-home power lines that are directly attached to the electrical outlet. Phase level power-hammering: In this attack, the attacker taps the power lines at the phase level, in the main electrical service panel. In both versions of the attack, the attacker measures the emission conducted and then decodes the exfiltrated data. We describe the adversarial attack model and present modulations and encoding schemes along with a transmission protocol. We evaluate the covert channel in different scenarios and discuss signal-to-noise ratio (SNR), signal processing, and forms of interference. We also present a set of defensive countermeasures. Our results show that binary data can be covertly exfiltrated from air-gapped computers through the power lines at bit rates of 1000 bit/sec for the line level power-hammering attack and 10 bit/sec for the phase level power-hammering attack.
... In light of Maxwell's equations, how can one justify the notion that Eve is unable to observe secret electromagnetic actions by Alice and Bob? Alice and Bob can try to use a Faraday cage to block their signal, but a Faraday cage does not create a truly isolated environment (see, e.g., [3] and [12]); it merely applies some scrambling to the signals emitted from that environment. One could hypothesize that Eve is not observing the actions by Alice and Bob (perhaps Eve is underfunded, or simply lazy), but this is obviously not "absolute security, guaranteed by the fundamental laws of physics". ...
Article
It is often claimed that the security of quantum key distribution (QKD) is guaranteed by the laws of physics. However, this claim is content-free if the underlying theoretical definition of QKD is not actually compatible with the laws of physics. This paper observes that (1) the laws of physics pose serious obstacles to the security of QKD and (2) the same laws are ignored in all QKD "security proofs".
... The same researchers also introduced USBee [9], a malware that used the USB data bus to generate electromagnetic signals to transmit data over the air. In 2018 Guri et al. presented ODINI [10] and MAGNETO [11], two attacks that enable the exfiltration of data via magnetic signals generated by the computer CPU cores. The receiver may be a magnetic sensor or a smartphone located near the computer. ...
Preprint
Using the keyboard LEDs to send data optically was proposed in 2002 by Loughry and Umphress [1] (Appendix A). In this paper we extensively explore this threat in the context of a modern cyber-attack with current hardware and optical equipment. In this type of attack, an advanced persistent threat (APT) uses the keyboard LEDs (Caps-Lock, Num-Lock and Scroll-Lock) to encode information and exfiltrate data from airgapped computers optically. Notably, this exfiltration channel is not monitored by existing data leakage prevention (DLP) systems. We examine this attack and its boundaries for today's keyboards with USB controllers and sensitive optical sensors. We also introduce smartphone and smartwatch cameras as components of malicious insider and 'evil maid' attacks. We provide the necessary scientific background on optical communication and the characteristics of modern USB keyboards at the hardware and software level, and present a transmission protocol and modulation schemes. We implement the exfiltration malware, discuss its design and implementation issues, and evaluate it with different types of keyboards. We also test various receivers, including light sensors, remote cameras, 'extreme' cameras, security cameras, and smartphone cameras. Our experiment shows that data can be leaked from air-gapped computers via the keyboard LEDs at a maximum bit rate of 3000 bit/sec per LED given a light sensor as a receiver, and more than 120 bit/sec if smartphones are used. The attack doesn't require any modification of the keyboard at hardware or firmware levels.
... Next, two of the accepted papers consider aspects of steganography in distributed systems. Guri proposes MAGNETO, a covert channel that exploits CPU-generated magnetic fields to enable a communication between air-gapped systems [6]. Another covert channel for VoIP communications is presented by Saenger, Mazurczyk, Keller and Caviglione [7]. ...
Article
This special issue was designed to foster progress in research on the development of novel defense methods in information security, especially for sophisticated and networked/hyper-connected systems, including those within IoT and CPS scenarios.
... 1) ODINI and MAGNETO: The ODINI [55] and MAGNETO [56] attacks enable the exfiltration of data via magnetic signals generated by the computer processors. Magnetic signals can also be generated from the reading/writing heads of hard disk drives [57]. ...
Article
Cryptocurrency wallets store the wallet's private key(s), and hence, are a lucrative target for attackers. With possession of the private key, an attacker virtually owns all of the currency in the compromised wallet. Managing cryptocurrency wallets offline, in isolated ('air-gapped') computers, has been suggested in order to secure the private keys from theft. Such air-gapped wallets are often referred to as 'cold wallets.' In this paper, we show how private keys can be exfiltrated from air-gapped wallets. In the adversarial attack model, the attacker infiltrates the offline wallet, infecting it with malicious code. The malware can be preinstalled or pushed in during the initial installation of the wallet, or it can infect the system when removable media (e.g., a USB flash drive) is inserted into the wallet's computer in order to sign a transaction. These attack vectors have repeatedly been proven feasible in the last decade (e.g., [1],[2],[3],[4],[5],[6],[7],[8],[9],[10]). Having obtained a foothold in the wallet, an attacker can utilize various air-gap covert channel techniques (bridgeware [11]) to jump the air gap and exfiltrate the wallet's private keys. We evaluate various exfiltration techniques, including physical, electromagnetic, electric, magnetic, acoustic, optical, and thermal techniques. This research shows that although cold wallets provide a high degree of isolation, it is not beyond the capability of motivated attackers to compromise such wallets and steal private keys from them. We demonstrate how a 256-bit private key (e.g., bitcoin's private keys) can be exfiltrated from an offline, air-gapped wallet of a fictional character named Satoshi within a matter of seconds.
... Finally, induced optical emanations [28]- [35] and [8, Appendix A] are properly considered out-of-band covert channels [36]- [38], despite being compromising optical emanations in the time domain, because they are purposely induced by a nefarious software or hardware agent, or by activity that is controllable by a third party, introduced into the target system by the attacker. Control and remote sensing of magnetic fields, or instantaneous electrical power demand, similarly are a covert channel, not TEMPEST [39], [40]. ...
Preprint
Full-text available
Research on optical TEMPEST has moved forward since 2002 when the first pair of papers on the subject emerged independently and from widely separated locations in the world within a week of each other. Since that time, vulnerabilities have evolved along with systems, and several new threat vectors have consequently appeared. Although the supply chain ecosystem of Ethernet has reduced the vulnerability of billions of devices through use of standardised PHY solutions, other recent trends including the Internet of Things (IoT) in both industrial settings and the general population, High Frequency Trading (HFT) in the financial sector, the European General Data Protection Regulation (GDPR), and inexpensive drones have made it relevant again for consideration in the design of new products for privacy. One of the general principles of security is that vulnerabilities, once fixed, sometimes do not stay that way.
... The signals are received by the FM radio chip in a standard smartphone. Electromagnetic covert channels are discussed in [4]-[9] and newer magnetic covert channels are discussed in [10], [11]. Hanspach and Goetz [12] present a method for near-ultrasonic covert networking using speakers and microphones. ...
Preprint
Air-gapped computers are systems that are kept isolated from the Internet since they store or process sensitive information. In this paper, we introduce an optical covert channel in which an attacker can leak (or, exfiltrate) sensitive information from air-gapped computers through manipulations of the screen brightness. This covert channel is invisible and it works even while the user is working on the computer. Malware on a compromised computer can obtain sensitive data (e.g., files, images, encryption keys and passwords), and modulate it within the screen brightness, invisible to users. The small changes in the brightness are invisible to humans but can be recovered from video streams taken by cameras such as a local security camera, smartphone camera or a webcam. We present related work and discuss the technical and scientific background of this covert channel. We examined the channel's boundaries under various parameters, with different types of computer and TV screens, and at several distances. We also tested different types of camera receivers to demonstrate the covert channel. Lastly, we present relevant countermeasures to this type of attack.
Preprint
Full-text available
It is possible to attack a computer remotely through the front panel LEDs. Following on previous results that showed information leakage at optical wavelengths, now it seems practicable to inject information into a system as well. It is shown to be definitely feasible under realistic conditions (by infosec standards) of target system compromise; experimental results suggest it further may be possible, through a slightly different mechanism, even under high security conditions that put extremely difficult constraints on the attacker. The problem is of recent origin; it could not have occurred before a confluence of unrelated technological developments made it possible. Arduino-type microcontrollers are involved; this is an Internet of Things (IoT) vulnerability. Unlike some previous findings, the vulnerability here is moderate---at present---because it takes the infosec form of a classical covert channel. However, the architecture of several popular families of microcontrollers suggests that a Rowhammer-like directed energy optical attack that requires no malware might be possible. Phase I experiments yielded surprising and encouraging results; a covert channel is definitely practicable without exotic hardware, bandwidth approaching a Mbit/s, and the majority of discrete LEDs tested were found to be reversible on GPIO pins. Phase II experiments, not yet funded, will try to open the door remotely.
Article
Full-text available
The article presents a new concept—steganography in thermography. Steganography is a technique of hiding information in a non-obvious way and belongs to sciences related to information security. The proposed method, called ThermoSteg, uses a modification of one of the parameters of the thermal imaging camera—integration time—to embed the signal containing hidden information. Integration time changing makes the microbolometer array heat up while reading the sensors. The covert information can be extracted from the stream of thermograms recorded by another thermal camera that observes the first one. The covert channel created with the ThermoSteg method allows the transmission of covert data using a thermal sensor as a wireless data transmitter. This article describes a physical phenomenon that is exploited by the ThermoSteg method and two proposed methods of covert data extraction, and presents the results of experiments.
Article
Full-text available
The proposed StegoFrameOrder (SFO) method enables the transmission of covert data in wireless computer networks exploiting non-deterministic algorithms of medium access (such as the distributed coordination function), especially in IEEE 802.11 networks. Such a covert channel enables the possibility of leaking crucial information outside a secured network in a manner that is difficult to detect. The SFO method embeds hidden bits of information in the relative order of frames transmitted by wireless terminals operating on the same radio channel. The paper presents the idea of this covert channel, its implementation, and possible variants. The paper also discusses implementing the SFO method in a real environment and the experiments performed in the real-world scenario.
Article
Computers that contain sensitive information are often maintained in air-gapped isolation. In this defensive measure, a computer is disconnected from the Internet, logically and physically, preventing accidental or intentional leakage of sensitive information outward. In recent years it has been shown that malware can leak data over an air gap by transmitting sonic and ultrasonic signals from a computer speaker. In order to eliminate such acoustic covert channels, current best practice recommends the elimination of speakers in secured computers, thereby creating a so-called 'audio-gapped' system. In this paper, we present 'Fansmitter,' a malware that can acoustically exfiltrate data from air-gapped computers, even when audio hardware and speakers are not present. Our method utilizes the noise emitted from the CPU, GPU, and chassis fans. We show that software can regulate the internal fans' rotation speed in order to control their acoustic signal, known as blade pass frequency (BPF). Binary data can be modulated and transmitted over these audio signals to a remote microphone (e.g., a nearby smartphone). We present design considerations, including acoustic waveform analysis, data modulation and demodulation, and data transmission and reception. We evaluate the acoustic covert channel with various fans at different distances and present the results. We also discuss issues such as stealth, interference, and countermeasures. Using our method we successfully transmitted data from audio-less, air-gapped computers to a mobile phone in the same room. We demonstrated an effective transmission at distances of 1–8 m, with a maximum bit rate of 60 bit/min per fan.
Article
Full-text available
The increase in computing capabilities of mobile devices has, in the last few years, made possible a plethora of complex operations performed by end users from smartphones and tablets, for instance, from a bank transfer to the full management of home automation. Clearly, in this context, the detection of malicious applications is a critical and challenging task, especially considering that the user is often totally unaware of the behavior of the applications installed on their device. In this paper, we propose a method to detect inter-app communication, i.e., a colluding communication between different applications with data support to silently exfiltrate sensitive and private information. We based the proposed method on model checking, by representing Android applications in terms of automata and by proposing a set of logic properties to reduce the number of comparisons and a set of logic properties automatically generated for detecting colluding applications. We evaluated the proposed method on a set of 1092 Android applications, including different colluding attacks, obtaining an accuracy of 1, showing the effectiveness of the proposed method.
Article
With new cryptocurrencies being frequently introduced to the market, the demand for cryptomining - a fundamental operation associated with most of the cryptocurrencies - has initiated a new stream of earning financial gains. The cost associated with the lucrative cryptomining has driven general masses to unethically mine cryptocurrencies using plundered resources in the public organizations (e.g., universities) as well as in the corporate sector that follows Bring Your Own Device (BYOD) culture. Such exploitation of the resources causes financial detriment to the affected organizations, which often discover the abuse when the damage has already been done. In this paper, we present a novel approach that leverages magnetic side-channel to detect covert cryptomining. Our proposed approach works even when the examiner does not have login-access or root-privileges on the suspect device. It merely requires the physical proximity of the examiner and a magnetic sensor, which is often available on smartphones. The fundamental idea of our approach is to profile the magnetic field emission of a processor for the set of available mining algorithms. We built a complete implementation of our system using advanced machine learning techniques. In our experiments, we included all the cryptocurrencies supported by the top-10 mining pools, which collectively comprise the largest share of the cryptomining market. Moreover, we tested our methodology primarily on two different laptops. By using the data recorded from the magnetometer of an ordinary smartphone, our classifier achieved an average precision of over 88% and an average F1 score of 87%. Apart from our primary goal - which is to identify covert cryptomining - we also performed four additional experiments to further evaluate our approach. We found that due to its underlying design, our system is future-ready and can readily adapt even to zero-day cryptocurrencies.
Conference Paper
Full-text available
Information leakage through covert channels is a growing and persistent threat, even for physical perimeters considered as highly secure. We study a new approach for data exfiltration using a malicious storage device which subtly transmits data through blinking infrared LEDs. This approach could be used by an attacker trying to leak sensitive data stored in the device, such as credentials, cryptographic keys or a small classified document. An ideal application for this approach is when an attacker is capable of sneaking a malicious device inside a protected perimeter and has remote control over a camera inside such perimeter. The device can then collect information and transmit directly to the attacker, without the need of recovering the device to obtain the captured information, erase evidence or prevent a forensic investigation. We discuss techniques for improving communication efficiency up to 15 bits per second per LED, and possible countermeasures for mitigation.
Conference Paper
Full-text available
Experimental analysis of computer systems' power consumption has become an integral part of system performance evaluation, efficiency management, and model-based analysis. As with all measurements, repeatability and reproducibility of power measurements are a major challenge. Nominally identical systems can have different power consumption running the same workload under otherwise identical conditions. This behavior can also be observed for individual system components. Specifically, CPU power consumption can vary amongst different samples of nominally identical CPUs. This in turn has a significant impact on the overall system power, considering that a system's processor is the largest and most dynamic power consumer of the overall system. The concrete impact of CPU sample power variations is unknown, as comprehensive studies about differences in power consumption for nominally identical systems are currently missing. We address this lack of studies by conducting measurements on four different processor types from two different architectures. For each of these types, we compare up to 30 physical processor samples with a total sum of 90 samples over all processor types. We analyze the variations in power consumption for the different samples using six different workloads over five load levels. Additionally, we analyze how these variations change for different processor core counts and architectures. The results of this paper show that selection of a processor sample can have a statistically significant impact on power consumption. With no correlation to performance, power consumption for nominally identical processors can differ as much as 29.6% in idle and 19.5% at full load. We also show that these variations change over different architectures and processor types.
Article
Information is the most critical asset of modern organizations, and accordingly coveted by adversaries. When highly sensitive data is involved, an organization may resort to air-gap isolation, in which there is no networking connection between the inner network and the external world. While infiltrating an air-gapped network has been proven feasible in recent years (e.g., Stuxnet), data exfiltration from an air-gapped network is still considered to be one of the most challenging phases of an advanced cyber-attack. In this paper we present "AirHopper", a bifurcated malware that bridges the air-gap between an isolated network and nearby infected mobile phones using FM signals. While it is known that software can intentionally create radio emissions from a video display unit, this is the first time that mobile phones are considered in an attack model as the intended receivers of maliciously crafted radio signals. We examine the attack model and its limitations, and discuss implementation considerations such as stealth and modulation methods. Finally, we evaluate AirHopper and demonstrate how textual and binary data can be exfiltrated from a physically isolated computer to mobile phones at a distance of 1-7 meters, with an effective bandwidth of 13-60 Bps (Bytes per second).
Article
Covert channels can be used to circumvent system and network policies by establishing communications that have not been considered in the design of the computing system. We construct a covert channel between different computing systems that utilizes audio modulation/demodulation to exchange data between the computing systems over the air medium. The underlying network stack is based on a communication system that was originally designed for robust underwater communication. We adapt the communication system to implement covert and stealthy communications by utilizing the ultrasonic frequency range. We further demonstrate how the scenario of covert acoustical communication over the air medium can be extended to multi-hop communications and even to wireless mesh networks. A covert acoustical mesh network can be conceived as a meshed botnet or malnet that is accessible via inaudible audio transmissions. Different applications of covert acoustical mesh networks are presented, including the use for remote keylogging over multiple hops. It is shown that the concept of a covert acoustical mesh network renders many conventional security concepts useless, as acoustical communications are usually not considered. Finally, countermeasures against covert acoustical mesh networks are discussed, including the use of lowpass filtering in computing systems and a host-based intrusion detection system for analyzing audio input and output in order to detect any irregularities.
Article
An active compensation technique is presented for improving the performance of a mu-metal magnetically shielded room. Active compensation is established by measuring the magnetic field inside the room by a SQUID magnetometer. The output of this sensor is amplified and connected to a coil surrounding the room. The magnetic field generated in this way compensates the measured field inside the room. Active compensation was tested for magnetic fields in the vertical direction in a shielded room with one mu-metal shield. At low frequencies a shielding improvement of typically 40 dB was obtained. Measurements performed on a room with two mu-metal shields indicated that the attainable improvement is not limited by the amount of mu-metal applied in the room. The active compensation set-up is described in detail and experiments performed on the two magnetically shielded rooms are presented and discussed.
Article
Magnetic sensors can be classified according to whether they measure the total magnetic field or the vector components of the magnetic field. The techniques used to produce both types of magnetic sensors encompass many aspects of physics and electronics. Here, we describe and compare most of the common technologies used for magnetic field sensing. These include search coil, fluxgate, optically pumped, nuclear precession, SQUID, Hall-effect, anisotropic magnetoresistance, giant magnetoresistance, magnetic tunnel junctions, giant magnetoimpedance, magnetostrictive/piezoelectric composites, magnetodiode, magnetotransistor, fiber optic, magnetooptic, and microelectromechanical systems-based magnetic sensors. The usage of these sensors in relation to working with or around Earth's magnetic field is also presented.
Article
A previously unknown form of compromising emanations has been discovered. LED status indicators on data communication equipment, under certain conditions, are shown to carry a modulated optical signal that is significantly correlated with information being processed by the device. Physical access is not required; the attacker gains access to all data going through the device, including plaintext in the case of data encryption systems. Experiments show that it is possible to intercept data under realistic conditions at a considerable distance. Many different sorts of devices, including modems and Internet Protocol routers, were found to be vulnerable. A taxonomy of compromising optical emanations is developed, and design changes are described that will successfully block this kind of "Optical TEMPEST" attack.
Article
Air-gapped computers are computers which are kept isolated from the Internet, because they store and process sensitive information. When highly sensitive data is involved, an air-gapped computer might also be kept secluded in a Faraday cage. The Faraday cage prevents the leakage of electromagnetic signals emanating from various computer parts, which may be picked up by an eavesdropping adversary remotely. The air-gap separation, coupled with the Faraday shield, provides a high level of isolation, preventing the potential leakage of sensitive data from the system. In this paper, we show how attackers can bypass Faraday cages and air-gaps in order to leak data from highly secure computers. Our method is based on an exploitation of the magnetic field generated by the computer CPU. Unlike electromagnetic radiation (EMR), low frequency magnetic radiation propagates through the air, penetrating metal shielding such as Faraday cages (e.g., a compass still works inside Faraday cages). We introduce a malware code-named ODINI that can control the low frequency magnetic fields emitted from the infected computer by regulating the load of the CPU cores. Arbitrary data can be modulated and transmitted on top of the magnetic emission and received by a magnetic receiver (bug) placed nearby. We provide technical background and examine the characteristics of the magnetic fields. We implement a malware prototype and discuss the design considerations along with the implementation details. We also show that the malicious code does not require special privileges (e.g., root) and can successfully operate from within isolated virtual machines (VMs) as well.
Article
Infrared (IR) light is invisible to humans, but cameras are optically sensitive to this type of light. In this paper, we show how attackers can use surveillance cameras and infrared light to establish bi-directional covert communication between the internal networks of organizations and remote attackers. We present two scenarios: exfiltration (leaking data out of the network) and infiltration (sending data into the network). Exfiltration. Surveillance and security cameras are equipped with IR LEDs, which are used for night vision. In the exfiltration scenario, malware within the organization accesses the surveillance cameras across the local network and controls the IR illumination. Sensitive data such as PIN codes, passwords, and encryption keys are then modulated, encoded, and transmitted over the IR signals. Infiltration. In an infiltration scenario, an attacker standing in a public area (e.g., in the street) uses IR LEDs to transmit hidden signals to the surveillance camera(s). Binary data such as command and control (C&C) and beacon messages are encoded on top of the IR signals. The exfiltration and infiltration can be combined to establish bidirectional, 'air-gap' communication between the compromised network and the attacker. We discuss related work and provide scientific background about this optical channel. We implement a malware prototype and present data modulation schemas and a basic transmission protocol. Our evaluation of the covert channel shows that data can be covertly exfiltrated from an organization at a rate of 20 bit/sec per surveillance camera to a distance of tens of meters away. Data can be covertly infiltrated into an organization at a rate of over 100 bit/sec per surveillance camera from a distance of hundreds of meters to kilometers away.
Conference Paper
In the past, it has been shown that malware can exfiltrate data from air-gapped (isolated) networks by transmitting ultrasonic signals via the computer’s speakers. However, such a communication relies on the availability of speakers on a computer. In this paper, we present ‘DiskFiltration’, a method to leak data from speakerless computers via covert acoustic signals emitted from its hard disk drive (HDD) (Video: https://www.youtube.com/watch?v=H7lQXmSLiP8 or http://cyber.bgu.ac.il/advanced-cyber/airgap). Although it is known that HDDs generate acoustical noise, it has never been studied in the context of a malicious covert-channel. Notably, magnetic HDDs dominate the storage wars, and most PCs, servers, and laptops today are installed with HDD drive(s). A malware installed on a compromised machine can generate acoustic emissions at specific audio frequencies by controlling the movements of the HDD’s actuator arm. Binary information can be modulated over the acoustic signals and then be picked up by a nearby receiver (e.g., microphone, smartphone, laptop, etc.). We examine the HDD anatomy and analyze its acoustical characteristics. We also present signal generation and detection, and data modulation and demodulation algorithms. Based on our proposed method, we developed a transmitter and a receiver for PCs and smartphones, and provide the design and implementation details. We examine the channel capacity and evaluate it on various types of internal and external HDDs in different computer chassis and at various distances. With DiskFiltration we were able to covertly transmit data (e.g., passwords, encryption keys, and keylogging data) from air-gapped computers to a nearby receiver at an effective bit rate of 180 bits/min (10,800 bits/h).
Conference Paper
In this paper we present a method that allows attackers to covertly leak data from isolated, air-gapped computers. Our method utilizes the hard disk drive (HDD) activity LED which exists in most of today’s desktop PCs, laptops, and servers. We show that a malware can indirectly control the HDD LED, turning it on and off rapidly (up to 5800 blinks per second) – a rate that exceeds the visual perception capabilities of humans. Sensitive information can be encoded and leaked over the LED signals, which can then be received remotely by different kinds of cameras and light sensors (Demonstration video: https://www.youtube.com/watch?v=4vIu8ld68fc). Compared to other LED methods, our method is unique, because it is also covert; the HDD activity LED routinely flickers frequently, and therefore the user may not be suspicious of changes in its activity. We discuss attack scenarios and present the necessary technical background regarding the HDD LED and its hardware control. We also present various data modulation methods and describe the implementation of a user-level malware that doesn’t require a kernel component. During the evaluation, we examined the physical characteristics of different colored HDD LEDs (red, blue, and white) and tested different types of receivers: remote cameras, ‘extreme’ cameras, security cameras, smartphone cameras, drone cameras, and optical sensors. Finally, we discuss hardware and software countermeasures for such a threat. Our experiment shows that sensitive data can successfully be leaked from air-gapped computers via the HDD LED at a maximum bit rate of 120 bit/s (bits per second) when a video camera is used as a receiver, and 4000 bit/s when a light sensor is used for the reception. Notably, the maximal speed is 10 times faster than the existing optical covert channels for air-gapped computers. These rates allow rapid exfiltration of encryption keys, keystroke logging, and text and binary files.
Article
In this paper we show how attackers can covertly leak data (e.g., encryption keys, passwords and files) from highly secure or air-gapped networks via the row of status LEDs that exists in networking equipment such as LAN switches and routers. Although it is known that some network equipment emanates optical signals correlated with the information being processed by the device ('side-channel'), intentionally controlling the status LEDs to carry any type of data ('covert-channel') has never been studied before. A malicious code is executed on the LAN switch or router, allowing full control of the status LEDs. Sensitive data can be encoded and modulated over the blinking of the LEDs. The generated signals can then be recorded by various types of remote cameras and optical sensors. We provide the technical background on the internal architecture of switches and routers (at both the hardware and software level) which enables this type of attack. We also present amplitude and frequency based modulation and encoding schemas, along with a simple transmission protocol. We implement a prototype of an exfiltration malware and discuss its design and implementation. We evaluate this method with a few routers and different types of LEDs. In addition, we tested various receivers including remote cameras, security cameras, smartphone cameras, and optical sensors, and also discuss different detection and prevention countermeasures. Our experiment shows that sensitive data can be covertly leaked via the status LEDs of switches and routers at bit rates of 10 bit/sec to more than 1 Kbit/sec per LED.
Article
Information is the most critical asset of modern organizations, and accordingly it is one of the resources most coveted by adversaries. When highly sensitive data is involved, an organization may resort to air gap isolation in which there is no networking connection between the inner network and the external world. While infiltrating an air-gapped network has been proven feasible in recent years, data exfiltration from an air-gapped network is still considered one of the most challenging phases of an advanced cyber-attack. In this article, we present “AirHopper,” a bifurcated malware that bridges the air gap between an isolated network and nearby infected mobile phones using FM signals. While it is known that software can intentionally create radio emissions from a video card, this is the first time that mobile phones serve as the intended receivers of the maliciously crafted electromagnetic signals. We examine the attack model and its limitations and discuss implementation considerations such as modulation methods, signal collision, and signal reconstruction. We test AirHopper in an existing workplace at a typical office building and demonstrate how valuable data such as keylogging and files can be exfiltrated from physically isolated computers to mobile phones at a distance of 1-7 meters, with an effective bandwidth of 13-60 bytes per second.
Article
Because computers may contain or interact with sensitive information, they are often air-gapped and in this way kept isolated and disconnected from the Internet. In recent years the ability of malware to communicate over an air-gap by transmitting sonic and ultrasonic signals from a computer speaker to a nearby receiver has been shown. In order to eliminate such acoustic channels, current best practice recommends the elimination of speakers (internal or external) in secure computers, thereby creating a so-called 'audio-gap'. In this paper, we present Fansmitter, a malware that can acoustically exfiltrate data from air-gapped computers, even when audio hardware and speakers are not present. Our method utilizes the noise emitted from the CPU and chassis fans which are present in virtually every computer today. We show that software can regulate the internal fans' speed in order to control the acoustic waveform emitted from a computer. Binary data can be modulated and transmitted over these audio signals to a remote microphone (e.g., on a nearby mobile phone). We present Fansmitter's design considerations, including acoustic signature analysis, data modulation, and data transmission. We also evaluate the acoustic channel, present our results, and discuss countermeasures. Using our method we successfully transmitted data from an air-gapped computer without audio hardware to a smartphone receiver in the same room. We demonstrated the effective transmission of encryption keys and passwords from a distance of zero to eight meters, with a bit rate of up to 900 bits/hour. We show that our method can also be used to leak data from different types of IT equipment, embedded systems, and IoT devices that have no audio hardware, but contain fans of various types and sizes.
Article
Use of magnetic sensors is rapidly expanding, driven by user demands in automotive, industrial, military/aerospace and consumer applications. Initially, magnetic sensors were developed and used almost exclusively for navigation and tracking purposes, mostly in the military/aerospace and industrial arenas. A key factor in selecting the right type of sensor is cost. Some manufacturers foresee costs for their chips at less than a dollar for consumer electronic items like mobile phones. Another crucial parameter is sensitivity. Designing a magnetometer with a wider bandwidth can alleviate noise sensitivity levels. The GMR effect discovered in the late 1980s is actually a quantum effect. GMR sensors utilize the quantum nature of electrons that have two spin states, up and down. Conducting electrons with spin direction parallel to the sensor film's magnetic orientation move easily and thus produce low electrical resistance.
Conference Paper
Air-gapped networks are isolated, separated both logically and physically from public networks. Although the feasibility of invading such systems has been demonstrated in recent years, exfiltration of data from air-gapped networks is still a challenging task. In this paper we present GSMem, a malware that can exfiltrate data through an air-gap over cellular frequencies. Rogue software on an infected target computer modulates and transmits electromagnetic signals at cellular frequencies by invoking specific memory-related instructions and utilizing the multichannel memory architecture to amplify the transmission. Furthermore, we show that the transmitted signals can be received and demodulated by a rootkit placed in the baseband firmware of a nearby cellular phone. We present crucial design issues such as signal generation and reception, data modulation, and transmission detection. We implement a prototype of GSMem consisting of a transmitter and a receiver and evaluate its performance and limitations. Our current results demonstrate its efficacy and feasibility, achieving an effective transmission distance of 1-5.5 meters with a standard mobile phone. When using a dedicated, yet affordable hardware receiver, the effective distance reached over 30 meters.
Article
Smartphones and tablets have become prime targets for malware, due to the valuable private and corporate information they hold. While Anti-Virus (AV) programs may successfully detect malicious applications (apps), they remain ineffective against low-level rootkits that evade detection mechanisms by masking their own presence. Furthermore, any detection mechanism run on the same physical device as the monitored OS can be compromised via application, kernel or boot-loader vulnerabilities. Consequently, trusted detection of kernel rootkits in mobile devices is a challenging task in practice. In this paper we present JoKER - a system which aims at detecting rootkits in the Android kernel by utilizing the hardware's Joint Test Action Group (JTAG) interface for trusted memory forensics. Our framework consists of components that extract areas of a kernel's memory and reconstruct it for further analysis. We present the overall architecture along with its implementation, and demonstrate that the system can successfully detect the presence of stealthy rootkits in the kernel. The results show that although JTAG's main purpose is system testing, it can also be used for malware detection where traditional methods fail.
Article
It has been assumed that the physical separation (air-gap) of computers provides a reliable level of security, such that should two adjacent computers become compromised, the covert exchange of data between them would be impossible. In this paper, we demonstrate BitWhisper, a method of bridging the air-gap between adjacent compromised computers by using their heat emissions and built-in thermal sensors to create a covert communication channel. Our method is unique in two respects: it supports bidirectional communication, and it requires no additional dedicated peripheral hardware. We provide experimental results based on an implementation of a BitWhisper prototype, and examine the channel properties and limitations. Our experiments included different layouts, with computers positioned at varying distances from one another, and several sensor types and CPU configurations (e.g., Virtual Machines). We also discuss signal modulation and communication protocols, showing how BitWhisper can be used for the exchange of data between two computers in close proximity (at a distance of 0-40 cm) at an effective rate of 1-8 bits per hour, a rate which makes it possible to infiltrate brief commands and exfiltrate small amounts of data (e.g., passwords) over the covert channel.
Conference Paper
Secret communication via networks has always been an area of interest for many. It has not only attracted trusted parties wishing to communicate with each other secretly but has also attracted hackers/attackers looking for ways to discover and leak information and to use the network in a manner that violates security policies. Steganography and covert channels are the most widely used approaches for secret communication. A number of detection techniques have been proposed for steganography and covert channel detection. This paper covers detection techniques for covert channels only, as the covert channel is a modern way of leaking information and it is difficult to detect such channels. Covert channels fall into two categories: storage covert channels and timing covert channels. A storage covert channel is created by manipulating the header fields of packets, whereas a timing covert channel is created by the timing of events, i.e. the arrival pattern of packets. In this paper, different techniques for detecting storage and timing covert channels are surveyed and analyzed.
Article
Social engineering continues to be an increasing attack vector for the propagation of malicious programs. For this article, we collected data on malware incidents and highlighted the prevalence and longevity of social engineering malware. We developed a framework that shows the steps social engineering malware executes to be successful. To explain its pervasiveness and persistence, we discuss some common avenues through which such attacks occur. The attack vector is a combination of psychological and technical ploys, which includes luring a computer user to execute the malware, and combating any existing technical countermeasures. We describe some of the prevalent psychological ploys and technical countermeasures used by social engineering malware. We show how the techniques used by purveyors of such malware have evolved to circumvent existing countermeasures. The implications of our analyses lead us to emphasize (1) the importance for organizations to plan a comprehensive information security program, and (2) the shared social responsibility required to combat social engineering malware.
Article
Even as cell phones have shrunk in size while boasting an ever-increasing array of features, two things about them haven't changed much: they still sprout a stubby antenna and, if you want a headset, you have to put up with an unwieldy wire connecting the headset and the phone. Thanks to a patented technology called near-field magnetic communication (NFMC), from Aura Communications, one can also cut the cord between the phone and the headset. While the concepts behind magnetic induction communication have been around for decades, Aura's engineers are the first to develop and implement practical solutions capturing the benefits of this technology. NFMC communicates wirelessly by coupling a very-low-power quasistatic magnetic field at 13.56 MHz. This paper discusses further the benefits of this technology.
Conference Paper
It is well known that eavesdroppers can reconstruct video screen content from radio frequency emanations. We discuss techniques that enable the software on a computer to control the electromagnetic radiation it transmits. This can be used for both attack and defence. To attack a system, malicious code can encode stolen information in the machine’s RF emissions and optimise them for some combination of reception range, receiver cost and covertness. To defend a system, a trusted screen driver can display sensitive information using fonts which minimise the energy of these emissions. There is also an interesting potential application to software copyright protection.
Article
Electronic equipment can emit unintentional signals from which eavesdroppers may reconstruct processed data at some distance. This has been a concern for military hardware for over half a century. The civilian computer-security community became aware of the risk through the work of van Eck in 1985. Military "Tempest" shielding test standards remain secret and no civilian equivalents are available at present. The topic is still largely neglected in security textbooks due to a lack of published experimental data. This report documents eavesdropping experiments on contemporary computer displays. It discusses the nature and properties of compromising emanations for both cathode-ray tube and liquid-crystal monitors. The detection equipment used matches the capabilities to be expected from well-funded professional eavesdroppers. All experiments were carried out in a normal unshielded office environment. They therefore focus on emanations from display refresh signals, where periodic averaging can be used to obtain reproducible results in spite of varying environmental noise. Additional experiments described in this report demonstrate how to make information emitted via the video signal more easily receivable, how to recover plaintext from emanations via radio-character recognition, how to estimate remotely precise video-timing parameters, and how to protect displayed text from radio-frequency eavesdroppers by using specialized screen drivers with a carefully selected video card. Furthermore, a proposal for a civilian radio-frequency emission-security standard is outlined, based on path-loss estimates and published data about radio noise levels. Finally, a new optical eavesdropping technique is demonstrated that reads CRT displays at a distance. It observes high-frequency variations of the light emitted, even after diffuse reflection. Experiments with a typical monitor show that enough video signal remains in the light to permit the reconstruction of readable text from signals detected with a fast photosensor. Shot-noise calculations provide an upper bound for this risk.