Ethernet Cable Turned Into Antenna To Exploit Air-Gapped Computers

Good news, everyone! Security researcher [Mordechai Guri] has given us yet another reason to look askance at our computers and wonder who might be sniffing in our private doings.

This time, your suspicious gaze will settle on the lowly Ethernet cable, which he has used to exfiltrate data across an air gap. The exploit requires almost nothing in the way of fancy hardware — he used both an RTL-SDR dongle and a HackRF to receive the exfiltrated data, and didn’t exactly splurge on the receiving antenna, which was just a random chunk of wire. The attack, dubbed “LANtenna”, does require some software running on the target machine, which modulates the desired data and transmits it over the Ethernet cable using one of two methods: by toggling the speed of the network connection, or by sending raw UDP packets. Either way, an RF signal is radiated by the Ethernet cable, which was easily received and decoded over a distance of at least two meters. The bit rate is low — only a few bits per second — but that may be all a malicious actor needs to achieve their goal.

To be sure, this exploit is quite contrived, and fairly optimized for demonstration purposes. But it’s a pretty effective demonstration, and along with the previously demonstrated hard drive activity lights, power supply fans, and even networked security cameras, it adds another seemingly innocuous element to the list of potential vectors for side-channel attacks.
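A defender-side check for the link-speed variant, added here as an example (it is not code from the article or from the researcher’s work): it parses Linux kernel link-state messages and flags any interface whose link renegotiates far more often than a healthy one does. The log lines are constructed, and the e1000e message wording, the 60-second window and the six-change threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Linux syslog format (assumed e1000e driver wording):
# eth0 renegotiates every second, as a link whose speed is toggled to modulate
# data would; eth1 shows one ordinary flap half an hour later.
SAMPLE_LOG = [
    f"Oct 05 10:00:{i:02d} host kernel: e1000e 0000:00:19.0 eth0: NIC Link is "
    + ("Down" if i % 2 else f"Up {1000 if i % 4 == 0 else 100} Mbps Full Duplex")
    for i in range(8)
] + [
    "Oct 05 10:00:00 host kernel: e1000e 0000:00:1a.0 eth1: NIC Link is Up 1000 Mbps Full Duplex",
    "Oct 05 10:30:00 host kernel: e1000e 0000:00:1a.0 eth1: NIC Link is Down",
    "Oct 05 10:30:05 host kernel: e1000e 0000:00:1a.0 eth1: NIC Link is Up 1000 Mbps Full Duplex",
]
LINK_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
                     r"(?P<ifc>\w+): NIC Link is (?P<state>Up|Down)(?: (?P<speed>\d+) Mbps)?")

def parse_link_events(lines, year=2021):
    """Return (timestamp, interface, state) tuples; state is 'down' or 'up-<Mbps>'."""
    events = []
    for line in lines:
        m = LINK_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ifc"], "down" if m["state"] == "Down" else f"up-{m['speed']}"))
    return events

def find_toggling(events, window_s=60, min_changes=6):
    """Alert on interfaces whose link state changed >= min_changes times within
    window_s seconds: real links flap rarely, a LANtenna transmitter flaps at its symbol rate."""
    per_ifc = defaultdict(list)
    for ts, ifc, state in events:
        per_ifc[ifc].append((ts, state))
    alerts = []
    for ifc, evs in sorted(per_ifc.items()):
        evs.sort()
        changes = [ts for (ts, cur), (_, prev) in zip(evs[1:], evs) if cur != prev]
        best, start = (0, None, None), 0
        for end, ts in enumerate(changes):  # sliding window over change timestamps
            while (ts - changes[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, changes[start], ts)
        if best[0] >= min_changes:
            alerts.append({"interface": ifc, "changes": best[0],
                           "window_start": best[1], "window_end": best[2]})
    return alerts
```

The same sliding-window count works on switch-side port up/down syslog if you swap the regex, which is where a monitored air-gapped network would normally see it first.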

[via The Register]

28 thoughts on “Ethernet Cable Turned Into Antenna To Exploit Air-Gapped Computers”

  1. Very cool. Also, I’m pretty sure that if you are air gapping your systems then you are at the very least going to be using shielded LAN cable. I would hope you would use fiber to at least make tapping in difficult but there’s always cheapskates.

    1. I don’t know. Defense folks typically go foremost for certification. So, an airgapped workspace where you can sit close to network infrastructure with unchecked equipment – not gonna happen.

    2. Have you ever measured radiated or conducted emissions for a device which has Ethernet? A/B test with a “shielded” vs “unshielded” cable may result in a very similar emissions profile. There are many reasons for this, such as method of termination for the shield at each end of the cable, or root cause of the emission.

      1. Fun fact, actually did, when all you have is a broadband SDR and you need to find the Cat.6 going to your flat…

        To little surprise, Ethernet cable shielding is highly effective at ethernet frequencies (namely, symbol rate and the first 9 multiples of that

      2. Well, having sat around a couple of SCIFs with a Fluke Measuring Receiver, a couple of “Ghost Busters” and the combined experience of several thousand Electronic Warfare specialists back in the 80’s…

        Giggle

        Good luck.

  2. OK, I’m going to be the nay-sayer here: can we stop quoting Mordechai Guri? That guy has been running a paper mill on the same idea for the last ~7 years.

    There’s nothing novel about “modulating the current in some computer peripheral, causing EMI”. The same “oh we have an airgapped computer, but for some reason we have an attacker that’s allowed to sit behind a plaster wall there and point a directive antenna at an “air-gapped” computer” boilerplate is attached, a photo is taken – and we have another paper. (or, we have an air-gapped computer and an unrestricted smartphone nearby. I’ll let you ponder what exactly “air gapped” might be in that case.)

    Then, because it sounds flashy, we use GSM frequencies (after we already wrote a paper that does exactly the same, but didn’t mention GSM frequencies).

    There’s another variant, where they blink LEDs of switches, monitors, keyboards… guess what:

    When there is an airgapped computer, there will be someone who will check on you when you start pointing a camera at the monitor, your keyboard, or a switch.

    I’m not making this up: https://scholar.google.com/citations?user=F8gvBUkAAAAJ&hl=en

    1. haha i had the same feeling but i didn’t realize one person is behind so many of these stories.

      if you can run whatever software you want on the airgapped computer and freely carry hardware to it, just bring a usb stick

  3. You are not really air-gapped if you are connected to a copper cable without filtering or optical isolators. In military computers they even have filters and isolation on the AC power inputs. The facilities themselves are often shielded and they use fiber extensively.

    1. Hmmm… An airgapped network very easily compromised by RF signals on Ethernet cable. Only thing you need to do is install and run an executable on a laptop within the trusted side of the network.
      It seems to me:
      If you can install and run an executable on a laptop or server within the airgapped network, you don’t really have an airgapped network. It has been designed to be compromised. Standard “security 101” is to shut all unused ports, monitor all ports, shut all unauthorized port changes and disable uncontrolled data inputs, USB ETH, out-of-band management, everything.
      Airgapped means everything. Electrical, physical, mechanical, RF, sneakernet, etc. The government VSAT sites don’t even permit windows or cameras in secured network operations centers and IFL cables are conduited, buried and concreted.
      It’s why SolarWinds Orion was so pernicious. It was intentionally installed manually on airgapped systems by IT folks via sneakernet as a software update.

  4. I have some concerns about how practical this is:

    1. If you require software on the compromised system, how are you getting that in place across the air gap? I know you could use USB sticks or another insider to get them there but not too practical unless you are a three letter agency.

    2. I would think that most people that air gap their systems would be doing some sort of network surveillance and would have no problem detecting your strange transmissions.

    3. My experience with secure networks tells me that if you mess with your ethernet speed and such very much you are going to get your ethernet port shutdown pretty fast.

    4. How well and at what range are you able to pick up these signals in an electronically rich environment?

    I have experience with a very secure network environment that was tested for exactly this kind of EMI type of transmission. It turned out that the facility was so heavy in various electronic noise (lighting, motors, computers, monitors, radars, motion sensors, etc) that it was decided that the facility was self jamming when monitored from outside the building. They did not worry about threats inside the building very much (armed guards, dogs, biometric entry systems).

    1. I have pondered this too.

      But if you were an employee who is a bad actor you could install the software and let it sit until it finds something it wants to send, maybe after a time delay (after the employee has moved on).

      For the transmission in amongst a load of noise, you can use correlation techniques where you transmit either 1’s or 0’s with long orthogonal strings per bit. The strings being agreed with the receiver. This would also increase the range of transmission as it helps give a correlation gain over the receiver noise. This trades off against bandwidth obviously but is still useful if the thing being stolen is relatively small, e.g. a private key.

        1. I was implying that if someone really wants the information that you are trying to keep secret they will ignore the practicalities and try anything.

          One of the seemingly impractical methods of obtaining information was “listening” to your keyboard strokes through a window.

          While that sounds pretty farfetched to me, remember all those shredded documents the Iranians reassembled?

          I’m sorry, but you would think all the “best and brightest” would have learned the lesson on how to DESTROY completely sensitive documents in an embassy.

          And I still want to know why the Presidential Palace and American Embassy in Kabul were NOT bombed into oblivion DURING the broadcasts by the Taliban leadership.

          While some of the Taliban are bat-shit crazy, I’m guessing that the obliteration of their leadership might have facilitated an attitude adjustment upon the rank and file.

          Damn. I’ll stop there and take my blood pressure medication.

    2. “not too practical unless you are a three letter agency.”

      This is literally who is going to be targeting an air gapped system.

      Your other points are valid but if your signal is simple enough (“Success!”) then it likely won’t be noticed.

  5. Few bits per second? My first modem was a 300 which is a few hundred bits per second. The dog slow 1541 disk drive generally reaches 400 bytes per second.

    This ethernet hack seems very slow and likely not useful for espionage.

  6. Why would an airgapped network have an ethernet cable hanging out of it?

    And if both ends were plugged into a computer (an air-gapped network) would there be less EF emanating from the cable?
