SafeUM

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
30 Aug 2016

Meet USBee, the malware that uses USB drives to covertly jump airgaps

In 2013, a document leaked by former National Security Agency contractor Edward Snowden illustrated how a specially modified USB device allowed spies to surreptitiously siphon data out of targeted computers, even when they were physically severed from the Internet or other networks.

Now, researchers have developed software that goes a step further by turning unmodified USB devices into covert transmitters that can funnel large amounts of information out of similarly "air-gapped" PCs.

The USBee — so named because it behaves like a bee that flies through the air taking bits from one place to another — is in many respects a significant improvement over the NSA-developed USB exfiltrator known as CottonMouth. That tool had to be outfitted with a hardware implant in advance and then required someone to smuggle it into the facility housing the locked-down computer being targeted. USBee, by contrast, turns USB devices already inside the targeted facility into a transmitter with no hardware modification required at all.

"We introduce a software-only method for short-range data exfiltration using electromagnetic emissions from a USB dongle," researchers from Israel's Ben-Gurion University wrote in a research paper published Monday. "Unlike other methods, our method doesn't require any [radio frequency] transmitting hardware since it uses the USB's internal data bus."

The software works on just about any storage device that's compliant with the USB 2.0 specification. Some USB devices, such as certain types of cameras that don't receive a stream of bits from the infected computer, aren't suitable. USBee transmits data at about 80 bytes per second, fast enough to pilfer a 4096-bit decryption key in less than 10 seconds.

USBee's range runs from about nine feet when data is beamed from a small thumb drive to as much as 26 feet when the USB device has a short cable, which acts as an antenna that extends the signal. USBee transmits data through electromagnetic signals, which are read by a GNU Radio-powered receiver and demodulator. As a result, an already-compromised computer can leak sensitive data even when it has no Internet or network connectivity, no speakers, and when both Wi-Fi and Bluetooth have been disabled.

USBee is the brainchild of a research team led by Mordechai Guri, head of research and development at Ben-Gurion's Cyber Security Center and the chief scientist officer at Morphisec Endpoint Security Solutions. Three weeks ago, they demonstrated a separate technique for bridging so-called computer airgaps that covertly transmits data in hard-drive noise.

Similar airgap-jumping attacks from the same team include AirHopper, which turns a computer's video card into an FM transmitter; BitWhisper, which relies on the exchange of heat-induced "thermal pings"; GSMem, which relies on cellular frequencies; and Fansmitter, which uses noise emitted by a computer fan to transmit data. In 2013, researchers with Germany's Fraunhofer Institute for Communication, Information Processing, and Ergonomics devised a technique that used inaudible audio signals to covertly transmit keystrokes and other sensitive data from air-gapped machines.

As experts have noted in previous coverage, the techniques are theoretically effective, but their utility in real-world situations is limited. That's because the computers they target still must be infected by malware. If the computers aren't connected to the Internet, the compromise is likely to be extremely difficult and would most likely require the help of a malicious insider, who very well may have easier ways to obtain data stored on the machine. Still, in certain cases, the air-gap jumpers could provide a crucial means to bypass otherwise insurmountable defenses when combined with other techniques in a targeted attack.

USBee works by sending USB drives a sequence of "0" bits in a way that causes the devices to generate detectable emissions at frequencies between 240 MHz and 480 MHz. By carefully controlling the sequence, the electromagnetic radiation can be forced to carry modulated data that can be received and demodulated by a nearby receiver. The software requires no special privileges on the USB device. The radio receiver requires about $30 worth of hardware to work.

The growing body of airgap research highlights how important it is to develop special policies that go well beyond physically severing network connections when securing computers deemed highly sensitive. Such computers should, among other things, also be kept in restricted areas free of unauthorized electronic equipment, include antivirus or intrusion prevention systems that detect anomalous behavior, and be shielded from electromagnetic emissions.
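One way to act on the "detect anomalous behavior" recommendation, as an added example that is not from the article or the researchers: because USBee drives its emissions by writing sequences of "0" to the USB device, the code below flags processes whose sustained writes to removable storage have near-zero byte entropy. The event tuple format, the thresholds and the sample events are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Assumed thresholds (not from the article); tune them per environment.
MAX_ENTROPY_BITS = 1.0   # bits per byte; a run of 0x00 bytes scores 0.0
MIN_BYTES = 4096         # ignore small metadata writes
MIN_SECONDS = 5.0        # only sustained streams are of interest

def byte_entropy(hist, total):
    """Shannon entropy, in bits per byte, of a byte-value histogram."""
    return -sum(n / total * math.log2(n / total) for n in hist.values())

def flag_suspicious_writers(events):
    """events: iterable of (timestamp_s, pid, device, payload_bytes) describing
    writes to removable storage (hypothetical telemetry format).
    Returns the sorted (pid, device) pairs whose sustained write stream is
    almost constant, e.g. long runs of zeros."""
    stats = defaultdict(lambda: {"hist": Counter(), "n": 0, "t0": None, "t1": None})
    for ts, pid, dev, payload in events:
        s = stats[(pid, dev)]
        s["hist"].update(payload)          # counts each byte value
        s["n"] += len(payload)
        s["t0"] = ts if s["t0"] is None else min(s["t0"], ts)
        s["t1"] = ts if s["t1"] is None else max(s["t1"], ts)
    flagged = []
    for key, s in stats.items():
        if s["n"] < MIN_BYTES or s["t1"] - s["t0"] < MIN_SECONDS:
            continue                       # too small or too brief to judge
        if byte_entropy(s["hist"], s["n"]) <= MAX_ENTROPY_BITS:
            flagged.append(key)
    return sorted(flagged)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = (
    # pid 4242: ten seconds of all-zero writes
    [(float(t), 4242, "sdb1", bytes(512)) for t in range(10)]
    # pid 1001: ordinary high-entropy data over the same period
    + [(float(t), 1001, "sdb1", bytes(range(256)) * 2) for t in range(10)]
    # pid 2002: a single one-off zero fill, not sustained
    + [(0.0, 2002, "sdb1", bytes(8192))]
)

if __name__ == "__main__":
    print(flag_suspicious_writers(SAMPLE_EVENTS))
```

Legitimate long zero-fills, such as wiping a drive, will also match, so a hit is a lead for an analyst to triage rather than a verdict.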

Again, a tool like USBee is highly specialized and useful only in the rarified world of state-sponsored spies and high-stakes corporate espionage. But as the revelation of CottonMouth three years ago demonstrated, the NSA pursues such attacks. Given the low cost of USBee and its ability to work on most USB-based storage devices, it's a fair bet something like USBee has been available to the intelligence gatherers for a while now.

Tags: USB information leaks
Source: Ars Technica