Air-gapped networks are isolated, separated both logically and physically from public networks; examples include military, industrial, and financial networks. Although the feasibility of breaching such systems has been demonstrated in recent years, communicating data to and from an air-gapped network remains a challenging task for attackers to perpetrate, and an even more difficult threat to defend against.
New methods of communicating with air-gapped networks are currently being exposed, some advanced and difficult to mitigate. These newfound vulnerabilities have wide-reaching implications for what we considered to be a foolproof solution to network security: the placement of a physical air gap.
But it doesn't stop there: new techniques for covertly getting information in and out of air-gapped networks are being exposed. Thus it is important to publicize not only these attack vectors but their countermeasures and feasibility as well.
In this talk, we will outline the steps an attacker must take in order to bridge an air-gapped network. We will review the state-of-the-art techniques over thermal, radio, and acoustic channels, and discuss each one's countermeasures and feasibility. Most of the techniques in this talk were discovered in our labs by researcher Mordechai Guri under the supervision of Prof. Yuval Elovici.
--- Mordechai Guri
Mordechai Guri is an accomplished computer scientist and security expert with over 20 years of practical research experience. He earned his B.Sc. and M.Sc. summa cum laude from the computer science department at the Hebrew University of Jerusalem.
--- Yisroel Mirsky
Yisroel Mirsky is a Ph.D. candidate supervised by Prof. Bracha Shapira and Prof. Yuval Elovici, in the department of Information Systems Engineering in Ben-Gurion University.
--- Yuval Elovici
Yuval Elovici is the director of the Telekom Innovation Laboratories at Ben-Gurion University of the Negev (BGU), head of BGU Cyber Security Research Center, and a Professor in the Department of Information Systems Engineering at BGU.
4. The Air-Gap Approach
Definition
An air-gap is a cyber security measure for securing a computer network by physically isolating it from other networks, such as the public Internet or another unsecured local area network.
6. Examples of networks or systems that may be air-gapped
• Military defense systems
• Financial Systems (stock exchange)
• Industrial control (SCADA…)
• Critical Infrastructure
• Power Plants
• Refineries
• Traffic Control – Airports
• Command and Control Centers
• Computerized medical equipment
• etc.
10. Perform Action
• Steal Sensitive Data
• Manipulate Control Systems
• Delete Records
• Deactivate Subsystem
• DDoS
• Self-Destruct
11. What to do about the air-gap after the initial infection?
[Diagram: the air-gapped network on one side, the Internet on the other, separated by the air gap; an outbound channel and an inbound channel cross it]
12. Usage of the In/Outbound Channels
Inbound
• Send Commands
  • Flexibility in controlling the attack
  • "When" to act
• Update Malware
  • New Modules
  • Fixes…
• Change encryption key
Outbound
• Exfiltration
  • Receive recorded information
• Reports
  • Acks on commands
  • Progress of lateral movement
16. Introduction to HVACKer
• Modern PCs have embedded thermal sensors.
• These sensors can be used to detect temperature changes in the environment.
• By manipulating the room temperature of the isolated network, we can communicate with the PC.
17. Q: How do you remotely change the room temperature?
A: Hack the HVAC!
• Insecure networks may overlap the same space as an air-gapped network.
• One such network is the HVAC (Heating, Ventilation and Air Conditioning) system.
18. Many HVACs provide an internet portal for remote management
E.g. the Tridium Niagara AX platform
There are
• 36,287 Niagara web portals exposed
• Only 269 of them protected with HTTPS
25. HVACKER - Countermeasures
• Disable / Secure HVAC Web portals
• Monitor environmental temperature
• Malware signatures
28. Introduction to BitWhisper
• Computers emit heat into their environment
• Computers can detect changes in the environment's temperature
…let's make a bidirectional channel between neighboring computers!
29. But why?...
• In some cases, air-gapped machines are placed in close proximity to connected ones
  Example: leased computing space
• A thermal channel between two end-points would give the attacker the ability to both send commands and receive information
• Can be achieved from within a VM
57. Overview
Data Exfiltration from Speakerless Air-Gapped Computers via Covert Hard Drive Noise
Transmitter: Hard Drive
Receiver: Microphone (laptop, smartphone, etc.)
68. Overview
Indicator lights leak information!
Transmitter: Device LED
Receiver: Camera, sensor, …
Information Leakage from Optical Emanations, Joe Loughry and David A. Umphress
What if these LEDs were used to actively exfiltrate data?
90. AirHopper - Introduction
• Many workplaces have a BYOD policy
• Smartphones can be used to receive radio signals
• If we can get ordinary PCs to emit radio signals, then we have an outbound channel
93. How do antennas work?
• Antennas emit radio waves (EMR) by oscillating current through their terminals
• Radio waves are characterized by their frequency (oscillation in Hz) and amplitude (strength in dBm)
94. One way to emit EMR…
…is to get the display to send specific signals over the cable
97. AirHopper - Countermeasures
• Strict zoning: No smartphones within a proximity of 20 meters of an air-gapped computer with a screen.
• Insulation: Shield the display cables better.
• Jamming: Emit noise in the 87.5-108 MHz band.
• Signature: Scan for related graphics manipulations.
101. GSMem - Introduction
• Feature phones (mobiles with no Wi-Fi, Bluetooth, …) are allowed into restricted zones.
• Feature phones can be used to receive other transmissions broadcast over cellular frequencies.
• The CPU-memory bus of an ordinary computer can be exploited to transmit signals over cellular frequencies.
104. Emitting a Signal
• Observation 1: A large CPU-RAM transfer builds up an oscillating current in the configuration (the cache is bypassed so the transfer actually reaches the bus).
• Observation 2: The bus transfers bits at the FSB speed, emitting the energy around that frequency (e.g. 800 MHz).
105. Sending a Bit (modulation)
To send a bit, we use a variant of B-ASK:
Send("0"): Do nothing for T seconds
Send("1"): Raise amplitude for T seconds
We then place all the bits into frames…
106. Transmitter Properties
• Only has a 4KB memory footprint
• No root/admin required
• No APIs are used
• Affects Intel and AMD architectures…
• Works on Windows/Linux…
107. Receiving the Signal
To read the raw signals (our modulation), one must modify the firmware of the baseband chip.
This will not deter highly motivated and resourceful threats, as we've seen in the past.
In our tests we used open source baseband software (OsmocomBB) and a compatible Motorola C123 GSM phone.
We also used a Universal Software Radio Peripheral (USRP B210) for a higher quality analysis.
108. Receiving a bit, and some more…
A Very Simplistic Approach:
1. Listen on the "best" frequency
2. Search for the '1010' preamble (each bit T seconds long)
  • Threshold based (dynamically changed)
3. Extract the 12-bit payload if the preamble is found
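As an added illustration, not code from the talk, the receiver procedure of slides 105 and 108 worked through on a constructed amplitude trace: each bit period T is averaged, sliced against a threshold derived from the trace itself (an assumed form of the "dynamically changed" threshold), the '1010' preamble is located, and the 12-bit payload is extracted. The same slicer applies to the sensor readings of the thermal channels (HVACKer, BitWhisper), where the "amplitude" is temperature; the idle-floor check, the synthetic levels and the noise are assumptions made for this example.

```python
# Added example, not code from the talk: decoding the B-ASK frame format of slides 105
# and 108 from a constructed amplitude trace. The 1010 preamble and 12-bit payload are
# the talk's; the threshold rule, idle-floor check and synthetic trace are assumptions.
import random
from statistics import mean

PREAMBLE = [1, 0, 1, 0]
PAYLOAD_BITS = 12


def make_trace(bits, samples_per_bit, high=1.0, low=0.2, noise=0.1, seed=1):
    """Constructed trace: a '1' raises the amplitude for one bit period T, a '0'
    leaves it at the idle level; uniform noise is added to every sample."""
    rng = random.Random(seed)
    trace = []
    for b in bits:
        level = high if b else low
        trace.extend(level + rng.uniform(-noise, noise) for _ in range(samples_per_bit))
    return trace


def slice_bits(trace, samples_per_bit, min_swing=0.3):
    """Average each bit period, then threshold at the midpoint between the lowest and
    highest period level (trace-derived, i.e. dynamic). A swing below min_swing means
    no signal is present and the whole trace is sliced as idle zeros."""
    levels = [mean(trace[i:i + samples_per_bit])
              for i in range(0, len(trace) - samples_per_bit + 1, samples_per_bit)]
    if max(levels) - min(levels) < min_swing:
        return [0] * len(levels)
    threshold = (max(levels) + min(levels)) / 2
    return [1 if level > threshold else 0 for level in levels]


def extract_frames(bits):
    """Scan for the 1010 preamble and return every 12-bit payload that follows one."""
    frames, i, frame_len = [], 0, len(PREAMBLE) + PAYLOAD_BITS
    while i + frame_len <= len(bits):
        if bits[i:i + len(PREAMBLE)] == PREAMBLE:
            frames.append(bits[i + len(PREAMBLE):i + frame_len])
            i += frame_len  # skip the whole frame so payload bits are not re-scanned
        else:
            i += 1
    return frames


def decode_trace(trace, samples_per_bit):
    """Full receiver: slice the trace into bits and return the payloads as integers."""
    bits = slice_bits(trace, samples_per_bit)
    return [int("".join(map(str, f)), 2) for f in extract_frames(bits)]


if __name__ == "__main__":
    payload = [1, 0, 1, 1, 0, 0, 1, 1, 1, 0, 0, 0]  # 0xB38, constructed
    bits = [0, 0, 0] + PREAMBLE + payload + [0, 0]  # idle, frame, idle
    print(decode_trace(make_trace(bits, 8), 8))  # [2872]
```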
119. A sequence of '0' bits to a USB device generates a detectable emission between 240 MHz and 480 MHz (the USB 2.0 clock speed).
USBee uses B-FSK encoding to modulate data: binary data, with respect to the NRZI encoding, is written to the USB device accordingly.
The malware on the host does not require any special permissions to write to the USB!
126. Who should be worried about these "CREATIVE" attacks?
"Desperate times call for desperate measures"
If your air-gapped network is…
• A plausible target for an APT
• Limited with regards to "insider" activity
• Part of a restricted zone that allows visitors
127. The Most Plausible Attacks
Exfiltration by EMR: GSMem, AirHopper, USBee
Stealthy, while being easy and practical for an attacker to implement and execute.
128. Conclusion
Summary:
• We reviewed the 4 types of channels that can bridge air-gaps.
• Reminder: the assumption is that the target network has been infected prior!
Take-aways:
• Air-gapping a network does not provide a guaranteed disconnect.
• Not everybody is a target!
• If you are a target, consider precautions (e.g. zoning) depending on the sensitivity of your network.