A TEMPEST in a Dongle

If a couple of generations of spy movies have taught us anything, it’s that secret agents get the best toys. And although it may not be as cool as a radar-equipped Aston Martin or a wire-flying rig for impossible vault heists, this DIY TEMPEST system lets you snoop on computers using secondary RF emissions.

If the term TEMPEST sounds familiar, it’s because we’ve covered it before. [Elliot Williams] gave an introduction to the many modalities that fall under the TEMPEST umbrella, the US National Security Agency’s catch-all codename for bridging air gaps by monitoring the unintended RF, light, or even audio emissions of computers. And more recently, [Brian Benchoff] discussed a TEMPEST hack that avoided the need for thousands of dollars of RF gear, reducing the rig down to an SDR dongle and a simple antenna. There’s even an app for that now: TempestSDR, a multiplatform Java app that lets you screen scrape a monitor based on its RF signature. Trouble is, getting the app running on Windows machines has been a challenge, but RTL-SDR.com reader [flatfishfly] solved some of the major problems and kindly shared the magic. The video below shows TempestSDR results; it’s clear that high-contrast images at easiest to snoop on, but it shows that a $20 dongle and some open-source software can bridge an air gap. Makes you wonder what’s possible with deeper pockets.

RF sniffing is only one of many ways to exfiltrate data from an air-gapped system. From power cords to security cameras, there seems to be no end to the ways to breach systems.

Continue reading “A TEMPEST in a Dongle”

Another Day, Another Air Gap Breached

What high-tech, ultra-secure data center would be complete without dozens of video cameras directed both inward and outward? After all, the best informatic security means nothing without physical security. But those eyes in the sky can actually serve as a vector for attack, if this air-gap bridging exploit using networked security cameras is any indication.

It seems like the Cyber Security Lab at Ben-Gurion University is the place where air gaps go to die. They’ve knocked off an impressive array of air gap bridging hacks, like modulating power supply fans and hard drive activity indicators. The current work centers on the IR LED arrays commonly seen encircling the lenses of security cameras for night vision illumination. When a networked camera is compromised with their “aIR-Jumper” malware package, data can be exfiltrated from an otherwise secure facility. Using the camera’s API, aIR-Jumper modulates the IR array for low bit-rate data transfer. The receiver can be as simple as a smartphone, which can see the IR light that remains invisible to the naked eye. A compromised camera can even be used to infiltrate data into an air-gapped network, using cameras to watch for modulated signals. They also demonstrated how arrays of cameras can be federated to provide higher data rates and multiple covert channels with ranges of up to several kilometers.

True, the exploit requires physical access to the cameras to install the malware, but given the abysmal state of web camera security, a little social engineering may be the only thing standing between a secure system and a compromised one.

Continue reading “Another Day, Another Air Gap Breached”

Getting Data Out Of Air-Gapped Networks Through The Power Cable

If you are an organisation that is custodian of sensitive information or infrastructure, it would be foolhardy of you to place it directly on the public Internet. No matter how good your security might be, there is always the risk that a miscreant could circumvent it, and perform all sorts of mischief. The solution employed therefore is to physically isolate such sensitive equipment from the rest of the world, creating an air gap. Nothing can come in and nothing can go out, or so goes the theory.

Well, that’s the theory, anyway. [Davidl] sends us some work that punches a hole in some air-gapped networks, allowing low-speed data to escape the air gap even if it doesn’t allow the reverse.

So how is this seemingly impossible task performed? The answer comes through the mains electrical infrastructure, if the air gap is bridged by a mains cable then the load on that mains cable can be modulated by altering the work undertaken by a computer connected to it. This modulation can then be detected with a current transformer, or even by compromising a UPS or electricity meter outside the air gap.

Of course, the Hackaday readership are all upstanding and law-abiding citizens of good standing, to whom such matters are of purely academic interest. Notwithstanding that, the article goes into the subject in great detail, and makes for a fascinating read.

We’ve touched on this subject before with such various techniques as broadcast radio interference and the noise from a fan,  as well as with an in-depth feature.

Do you trust your hard drive indication light?

Researchers in the past have exfiltrated information through air gaps by blinking all sorts of lights from LEDs in keyboards to the main display itself. However, all of these methods all have one problem in common: they are extremely noticeable. If you worked in a high-security lab and your computer screen started to blink at a rapid pace, you might be a little concerned. But fret not, a group of researchers has found a new light to blink (PDF warning). Conveniently, this light blinks “randomly” even without the help of a virus: it’s the hard drive activity indication light.

All jokes aside, this is a massive improvement over previous methods in more ways than one. Since the hard drive light can be activated without kernel access, this exploit can be enacted without root access. Moreover, the group’s experiments show that “sensitive data can be successfully leaked from air-gapped computers via the HDD LED at a maximum bit rate of 4000 bit/s (bits per second), depending on the type of receiver and its distance from the transmitter.” Notably, this speed is “10 times faster than the existing optical covert channels for air-gapped computers.”

We weren’t born last night, and this is not the first time we’ve seen information transmission over air gaps. From cooling fans to practical uses, we’ve seen air gaps overcome. However, there are also plenty of “air gaps” that contain more copper than air, and require correspondingly less effort.

Continue reading “Do you trust your hard drive indication light?”

Hacking the Aether: How Data Crosses the Air-Gap

It is incredibly interesting how many parts of a computer system are capable of leaking data in ways that is hard to imagine. Part of securing highly sensitive locations involves securing the computers and networks used in those facilities in order to prevent this. These IT security policies and practices have been evolving and tightening through the years, as malicious actors increasingly target vital infrastructure.

Sometimes, when implementing strong security measures on a vital computer system, a technique called air-gapping is used. Air-gapping is a measure or set of measures to ensure a secure computer is physically isolated from unsecured networks, such as the public Internet or an unsecured local area network. Sometimes it’s just ensuring the computer is off the Internet. But it may mean completely isolating for the computer: removing WiFi cards, cameras, microphones, speakers, CD-ROM drives, USB ports, or whatever can be used to exchange data. In this article I will dive into air-gapped computers, air-gap covert channels, and how attackers might be able to exfiltrate information from such isolated systems.

Continue reading “Hacking the Aether: How Data Crosses the Air-Gap”

Bridging the Air Gap; Data Transfer via Fan Noise

When you want to protect a computer connected to the Internet against attackers, you usually put it behind a firewall. The firewall controls access to the protected computer. However, you can defeat any lock and there are ways a dedicated attacker can compromise a firewall. Really critical data is often placed on a computer that is “air gapped.” That is, the computer isn’t connected at all to an insecure network.

An air gap turns a network security problem into a physical security problem. Even if you can infect the target system and collect data, you don’t have an easy way to get the data out of the secure facility unless you are physically present and doing something obvious (like reading from the screen into a phone). Right? Maybe not.

Researchers in Isreal have been devising various ways to transmit data from air walled computers. Their latest approach? Transmit data via changing the speed of cooling fans in the target computer. Software running on a cellphone (or other computer, obviously) can decode the data and exfiltrate it. You can see a video on the process below.

Continue reading “Bridging the Air Gap; Data Transfer via Fan Noise”

Simple Devices Protecting Our Water System

We are all used to turning on the faucet and having clean, drinkable water on demand. But think about what happens afterwards in your home: that water is used to wash dishes or water lawns and many other uses that render it undrinkable. What stops this nasty water from flowing back into your pipes and out of your kitchen faucet? A backflow preventer. This simple, but vital, part of your plumbing turns your water pipes into one-way systems that give out clean, drinkable water. This isn’t just about making your water taste nice: backflow preventers protect your water supply from things like brain-eating amoeba and E Coli that could kill.

Continue reading “Simple Devices Protecting Our Water System”