Computers housing the world’s most sensitive data are usually “air-gapped” or isolated from the internet. They’re also not connected to other systems that are internet-connected, and their Bluetooth feature is disabled.
Sometimes, workers are not even allowed to bring mobile phones within range of the computers. All of this is done to keep important data out of the hands of remote hackers.
But these security measures may be futile in the face of a new technique researchers in Israel have developed for stealthily extracting sensitive data from isolated machines — using radio frequency signals and a mobile phone. The attack recalls a method the NSA has been secretly using for at least six years to siphon data in a similar manner. An NSA catalogue of spy tools leaked online last year describes systems that use radio frequency signals to remotely siphon data from air-gapped machines using transceivers — a combination receiver and transmitter — attached to or embedded in the computer instead of a mobile phone.
The spy agency has reportedly used the method in China, Russia and even Iran. But the exact technique for doing this has never been revealed. The researchers in Israel make no claims that theirs is the method used by the NSA, but Dudu Mimran, chief technology officer at the Israeli lab behind the research, acknowledges that if student researchers have discovered a method for using radio signals to extract data from hard-to-reach systems, professionals with more experience and resources likely have discovered it, too.
Dubbed “AirHopper” by the researchers at Cyber Security Labs at Ben Gurion University, the proof-of-concept technique allows hackers and spies to surreptitiously siphon passwords and other data from an infected computer using radio signals generated and transmitted by the computer and received by a mobile phone. The research was conducted by Mordechai Guri, Gabi Kedma, Assaf Kachlon, and overseen by their advisor Yuval Elovici.
Using this function, however, attackers can turn a ubiquitous and seemingly innocuous device into an ingenious spy tool. Though a company or agency may think it has protected its air-gapped network by detaching it from the outside world, the mobile phones on employee desktops and in their pockets still provide attackers with a vector to reach classified and other sensitive data. The researchers tested two methods for transmitting digital data over audio signals but Audio Frequency-Shift Keying (A-FSK) turned out to be the most effective.
The data can be picked up by a mobile phone up to 23 feet away and then transmitted over Wi-Fi or a cellular network to an attacker’s command-and-control server. The victim’s own mobile phone can be used to receive and transmit the stolen data, or an attacker lurking outside an office or lab can use his own phone to pick up the transmission.
The researchers note that the chain of attack “is rather complicated,” but it’s not beyond the skills and abilities already seen in advanced attacks conducted by hackers in China and elsewhere. Or by the NSA. Generally the most common method for infecting air-gapped machines is a USB flash drive or other removable media.
The malware stores stolen data on the machine until a flash drive is inserted, at which point data is copied to the drive. When the flash drive is then inserted into another computer that’s connected to the internet, the data gets transmitted back to the attackers’ command-and-control center. This method takes time, however, since it requires the attacker to wait until someone inserts a flash drive into the air-gapped machine and carries it to an internet-connected machine.
The malware can be programmed to store siphoned data on the infected machine for later transmission at specified hours or intervals. The researchers also devised methods for hiding the data transmission on the targeted machine to avoid detection, including transmitting data only when the monitor is turned off or in sleep mode and altering the FM receiver on the phone so that there is no audible tone when data is transmitted to it.
There are other limitations, however. The proof-of-concept test allows for data to be transmitted at only 60 bytes a second—about a line of text per second—which limits the speed and volume at which attackers could siphon data. But Mimran notes that over time, a lot of sensitive data can still be extracted this way. “We can take out whatever we want,” he told. “That only depends on the malicious software that resides on the computer. If it is a keylogger, then you can take out whatever the user types.”
A 100-byte password file takes 8-10 seconds to transmit using their method, and a day’s worth of keystrokes takes up to 14 minutes to transmit this way. But a document just .5 megabytes in size can take up to 15 hours to transmit. Extracting documents “would be very slow and it will take a long time,” Mimran acknowledges, “but this [demonstration] is just a proof-of-concept. I guess the bad people can make it more sophisticated.”
Indeed, the NSA catalogue of surveillance tools leaked last year, known as the ANT catalogue, describes something called the Cottonmouth-I, a hardware implant that resembles an ordinary USB plug except it has a tiny transceiver, called the HowlerMonkey, embedded in it for extracting data via RF signals. The transceiver transmits the stolen data to a briefcase-sized NSA field station or relay station, called the Nightstand, which can be positioned up to eight miles away.
A USB plug, however, requires physical access to a targeted computer in the field or it requires the victim to unwittingly insert the USB plug into the computer before the transmission can occur. An alternative method to this, the leaked document notes, is embedding tiny circuit boards in the targeted computer to do the transmission. One way to compromise the machine would be to intercept new equipment enroute to a customer so that it arrives to the victim already equipped to transmit stolen data. According to the document published by the Times, the RF transceiver can also be used to implant malware on a targeted system, not just extract data from it.
Radio frequency hacks are difficult to mitigate, short of physically insulating computers and cables to prevent emissions from being picked up by receivers. This may be practical for military and other classified facilities to do, but not for commercial companies that are trying to protect sensitive data from such attacks.
Prohibiting mobile phones from work areas will not help, since outside receivers can be used in place of mobile phones to extract data. “We’re disclosing there is this danger,” Mimran says, “but the biggest problem that we are really working hard on is finding mitigation for that. From preliminary results, it’s not easy.”