Mind the (Air) Gap
According to new research, air-gapped systems can be defeated by low-frequency signals from the devices themselves and inexpensive mobile phones.
In a previous blog post I discussed malware-based exfiltration of data from ordinary devices in the workplace, such as a printer or a VoIP phone. Briefly, malware could cause the I/O pins on common chips to broadcast data over low-frequency radio waves: a sustained carrier wave would represent a binary 1, and its absence a binary 0.
This raises the question: could this low-frequency signal be used to defeat air-gapped CPU systems as well?
In the air-gap security model, a computer is connected neither to the Internet nor to any computer that is connected to the Internet. That computer cannot share data with the outside world unless someone physically copies the data onto removable media and then transfers it to a second system that has Internet access. A typical countermeasure is to disable the CD drive and USB ports; often they are physically sealed. But new research suggests that data from an air-gapped computer could still be broadcast to an inexpensive mobile phone. How?
A normal working computer emits radio-frequency signals that can be vulnerable to side-channel attacks such as differential power analysis. For example, when data moves from the CPU to the RAM, it generates a carrier wave of fixed amplitude and fixed frequency. This can be measured externally with a sensitive receiver. Thus a binary code of 1s and 0s could be exfiltrated if someone were to listen for it.
Mobile phones, even inexpensive ones, can become very sensitive receivers of low-frequency broadcasts. In a paper published last month for this year's USENIX Security Symposium in Washington, DC, a team from the Cyber Security Research Center at Ben-Gurion University of the Negev found a way to turn a low-end feature phone into a radio receiver. In the study the researchers were looking at the normal emissions from an infected computer, but it seems possible that such a system could also listen for broadcasts from a compromised office machine such as a printer or a VoIP phone. Malware on the air-gapped computer could be installed through physical access, or even somewhere along the supply chain as the unit is shipped to its destination.
In this attack, a proof-of-concept program called GSMem forces the computer's memory bus to act as a simple broadcast antenna. The bus can then transmit data to a nearby cellular-enabled mobile phone. This new research builds on the team's previous research on exfiltrating data via Wi-Fi networks alone.
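To make the channel described above concrete (a sustained carrier for a whole bit period means 1, silence means 0, and a receiver that only has to decide "carrier or no carrier" per window), here is an added simulation; it is not GSMem or the researchers' code, and every parameter (bit period, carrier period, noise level, preamble) is a constructed assumption chosen to show why such links work at all but carry only a few bits per second.

```python
import math
import random

# Constructed parameters for the simulation; none of these are GSMem's real values.
SAMPLES_PER_BIT = 64      # one bit = a long burst of samples: easy to detect, low bit rate
SAMPLES_PER_CYCLE = 8     # carrier period in samples
PREAMBLE = [1, 0, 1, 0, 1, 0, 1, 0]  # known pattern so the receiver can calibrate its threshold

def text_to_bits(text):
    return [(b >> i) & 1 for b in text.encode() for i in range(7, -1, -1)]

def bits_to_text(bits):
    octets = [int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits) - 7, 8)]
    return bytes(octets).decode(errors="replace")

def modulate(bits):
    """On-off keying as in the post: carrier present for the whole bit period = 1, silence = 0."""
    out = []
    for bit in PREAMBLE + bits:
        for n in range(SAMPLES_PER_BIT):
            out.append(math.sin(2 * math.pi * n / SAMPLES_PER_CYCLE) if bit else 0.0)
    return out

def add_noise(samples, sigma, seed=1):
    """Constructed channel model: additive Gaussian noise standing in for other emissions nearby."""
    rng = random.Random(seed)
    return [s + rng.gauss(0.0, sigma) for s in samples]

def demodulate(samples):
    """Energy detector: mean power per bit window, thresholded between the preamble's on/off levels."""
    energies = [sum(x * x for x in samples[i:i + SAMPLES_PER_BIT]) / SAMPLES_PER_BIT
                for i in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT)]
    pre = energies[:len(PREAMBLE)]
    on_level = sum(e for e, b in zip(pre, PREAMBLE) if b) / PREAMBLE.count(1)
    off_level = sum(e for e, b in zip(pre, PREAMBLE) if not b) / PREAMBLE.count(0)
    threshold = (on_level + off_level) / 2
    return [1 if e > threshold else 0 for e in energies[len(PREAMBLE):]]

def run_link(text, noise_sigma, seed=1):
    """Send text over the simulated channel; return (decoded text, bit error rate)."""
    sent = text_to_bits(text)
    received = demodulate(add_noise(modulate(sent), noise_sigma, seed))
    errors = sum(a != b for a, b in zip(sent, received))
    return bits_to_text(received), errors / len(sent)

if __name__ == "__main__":
    for sigma in (0.4, 3.0):   # quiet room vs. noisy room
        decoded, ber = run_link("user:alice pw:hunter2", sigma)
        print(f"noise sigma={sigma}: decoded={decoded!r} BER={ber:.2f}")
```

With 64 samples per bit the bit rate is the receiver's sample rate divided by 64, which is why a link like this leaks credentials rather than files; raising the noise floor (the second run) pushes the bit error rate up until the decoded text is unusable.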
In secure environments where smartphones are not allowed, companies sometimes permit feature phones. Companies that do allow feature phones into sensitive areas often provide company-owned phones, but COPE (corporate-owned, personally-enabled) phones can still be infected with malware. Even phones without cameras, video capabilities or Wi-Fi can be useful to an attacker, the researchers point out.
To infect the mobile phone, the research team created ReceiverHandler, a rootkit that embeds itself in the phone's baseband firmware. It could be installed through direct physical access to the phone or via a malicious app. The exfiltrated information is stored on the phone and later transmitted over GSM mobile data or SMS. If a smartphone is used, the proof-of-concept malware can also take advantage of local Wi-Fi. Smartphones, the researchers note, have better radio-frequency reception and therefore offer a higher exfiltration rate.
That said, only a small amount of data can be broadcast or received this way. However, what can be exfiltrated is enough to capture usernames and passwords, which could allow a remote attacker to gain direct access to these sensitive systems or services at a later date.
Robert Vamosi is a CISSP and award-winning journalist. He is also the author of When Gadgets Betray Us: The Dark Side of Our Infatuation With New Technologies (Basic Books).