SoylentNews is people
posted by janrinok on Tuesday July 28 2015, @08:05PM
from the make-that-rule-"NO-phones" dept.

The most sensitive work environments, like nuclear power plants, demand the strictest security. Usually this is achieved by air-gapping computers from the Internet and preventing workers from inserting USB sticks into computers. When the work is classified or involves sensitive trade secrets, companies often also institute strict rules against bringing smartphones into the workspace, as these could easily be turned into unwitting listening devices.

But researchers in Israel have devised a new method for stealing data that bypasses all of these protections, using a basic low-end mobile phone as a receiver for electromagnetic emissions at frequencies in the GSM bands (the cellular network itself carries nothing). The researchers are calling the finding a "breakthrough" in extracting data from air-gapped systems and say it serves as a warning to defense companies and others that they need to immediately "change their security guidelines and prohibit employees and visitors from bringing devices capable of intercepting RF signals," says Yuval Elovici, director of the Cyber Security Research Center at Ben-Gurion University of the Negev, where the research was done.

The attack requires both the targeted computer and the mobile phone to have malware installed on them, but once this is done the attack exploits the natural capabilities of each device to exfiltrate data. Computers, for example, naturally emit electromagnetic radiation during their normal operation, and cell phones by their nature are "agile receivers" of such signals. These two factors combined create an "invitation for attackers seeking to exfiltrate data over a covert channel," the researchers write in a paper about their findings.
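The exfiltration principle described in the summary, as an added example that is not code from the GSMem paper or the researchers: the host-side malware switches a normal activity that radiates (memory bus traffic in the real attack) on and off for each bit, and the phone-side receiver sees only a noisy amplitude trace, locks on to a preamble, calibrates a decision threshold from it and slices bits. The preamble, the frame layout and the Gaussian noise model are assumptions of this simulation ("snr" here is signal amplitude over noise sigma), and the paper's own modulation parameters are not reproduced. The demo at the end also shows the receiver-quality trade-off raised in the comments: at the same symbol rate a weak receiver fails, while slowing the channel down (averaging more samples per bit) brings the same link back.

```python
"""Simulation of a binary amplitude-shift-keyed (B-ASK) covert channel.

Added example, not code from the GSMem paper. The transmitter stands in for
malware on the air-gapped host, the receiver for the phone. Preamble, framing
and noise model are assumptions of this example.
"""
import random

# Balanced sync word (four 1s, four 0s) so the correlation in receive() ignores DC offset.
PREAMBLE = [1, 0, 1, 0, 1, 1, 0, 0]


def bytes_to_bits(data):
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def bits_to_bytes(bits):
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def transmit(payload, samples_per_bit):
    """Host side: 1.0 = emission on (e.g. saturate the memory bus), 0.0 = idle."""
    frame = PREAMBLE + bytes_to_bits(payload)
    return [float(bit) for bit in frame for _ in range(samples_per_bit)]


def channel(samples, snr, rng):
    """Additive Gaussian noise; snr is signal amplitude over noise sigma (assumed model)."""
    sigma = 1.0 / snr
    return [s + rng.gauss(0.0, sigma) for s in samples]


def _level(stream, start, samples_per_bit):
    # Integrate over one bit period: averaging is what lets a weak or slow link still decode.
    return sum(stream[start:start + samples_per_bit]) / samples_per_bit


def receive(stream, samples_per_bit, n_bytes, offset=None):
    """Phone side: find the preamble (if offset unknown), calibrate the threshold, slice bits."""
    n_bits = len(PREAMBLE) + 8 * n_bytes
    frame_len = n_bits * samples_per_bit
    if len(stream) < frame_len:
        return None
    if offset is None:
        # Correlate the integrated preamble window against the +1/-1 sync word; best match wins.
        best_score, offset = None, 0
        for cand in range(len(stream) - frame_len + 1):
            score = 0.0
            for i, p in enumerate(PREAMBLE):
                score += _level(stream, cand + i * samples_per_bit, samples_per_bit) * (1 if p else -1)
            if best_score is None or score > best_score:
                best_score, offset = score, cand
    levels = [_level(stream, offset + i * samples_per_bit, samples_per_bit) for i in range(n_bits)]
    # The receiver does not know absolute signal levels, so it learns them from the preamble.
    ones = [lvl for lvl, p in zip(levels, PREAMBLE) if p]
    zeros = [lvl for lvl, p in zip(levels, PREAMBLE) if not p]
    threshold = (sum(ones) / len(ones) + sum(zeros) / len(zeros)) / 2
    bits = [1 if lvl > threshold else 0 for lvl in levels[len(PREAMBLE):]]
    return bits_to_bytes(bits)


def bit_error_rate(snr, samples_per_bit, n_bytes=64, seed=1):
    """Send a fixed pseudo-random payload over an aligned link; return the fraction of bits wrong."""
    rng = random.Random(seed)
    payload = bytes(rng.getrandbits(8) for _ in range(n_bytes))
    stream = channel(transmit(payload, samples_per_bit), snr, rng)
    got = receive(stream, samples_per_bit, n_bytes, offset=0)
    sent_bits, got_bits = bytes_to_bits(payload), bytes_to_bits(got)
    return sum(a != b for a, b in zip(sent_bits, got_bits)) / len(sent_bits)


def demo():
    rng = random.Random(7)
    payload = b"Hi"
    idle = [rng.gauss(0.0, 0.1) for _ in range(37)]           # receiver starts listening early
    stream = idle + channel(transmit(payload, 8), 10.0, rng)  # good link: 8 samples per bit
    recovered = receive(stream, 8, len(payload))
    # Weak receiver at one sample per bit fails; 256 samples per bit recovers the same link.
    return recovered, bit_error_rate(0.5, 1), bit_error_rate(0.5, 256)


if __name__ == "__main__":
    print(demo())
```

`demo()` returns the recovered bytes plus two bit error rates for the weak receiver: well above zero at one sample per bit, essentially zero at 256 samples per bit. That is the whole argument for a better receiver: more signal per bit period means either fewer errors at the same rate or the same errors at a higher rate.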


  • (Score: 0) by Anonymous Coward on Tuesday July 28 2015, @08:10PM (#215022)

    old news

    • (Score: 1, Informative) by Anonymous Coward on Tuesday July 28 2015, @08:22PM (#215029)

      TEMPEST is about stopping passive spying like reading a monitor based on em emissions. TEMPEST might help with active exfil attacks like this, or it might not given they start with different sets of assumptions that overlap but are not identical.

  • (Score: 3, Funny) by Anonymous Coward on Tuesday July 28 2015, @08:27PM (#215031)

    Reminds me a lot of Van Eck phreaking. When I was in a hotel in the Philippines as part of a business venture, a couple of my friends demonstrated how to do it. I later went on to include it in a chapter of Cryptonomicon, which I was ghost-writing for Stephenson. Nice guy, but can't really write too well. I originally met him at a party thrown for JFK, who I met through my secret service days.

    I actually did the hard parts of the setup for the phreak for them, but had the courtesy to write myself out of the book. I'm a humble guy after all.

    -MichaelDavidCrawford

  • (Score: 0) by Anonymous Coward on Tuesday July 28 2015, @08:36PM (#215035)

    Both devices have to have the software. Let's see, vnc for android and vnc server on any flavor PC would be enough to screw someone up. Easy enough.

    • (Score: 2) by dyingtolive (952) on Tuesday July 28 2015, @08:38PM (#215037)

      Yeah, totally. Gotta love that "TCP over magic pixie dust to access AIRGAPPED servers" option that's been in VNC for the last 10 years, after all.

      --
      Don't blame me, I voted for moose wang!
    • (Score: 0) by Anonymous Coward on Tuesday July 28 2015, @10:58PM (#215096)

      You must not know what "airgap" means.

      Perhaps http://slashdot.com/ would be more your speed for a while.

  • (Score: 3, Interesting) by slinches (5049) on Tuesday July 28 2015, @08:39PM (#215039)

    If you already have malware on the target computer, why do you need the cell phone? It was probably infected by using a compromised flash drive, so you can just use that to get the data out.

    The only way I can think of where this sort of thing would be useful is if it's common practice to not allow use of any writable media on air gapped systems. Is that actually the case? It would make it rather difficult to get any work done.

    • (Score: 1) by mechanicjay on Tuesday July 28 2015, @09:04PM

      Exactly what my reaction was. You already have access to the machine, WTF? The only way this makes sense is if you use the infected machine/phone pair as a keylogger, I guess.

      Regardless, much like the last bit of "I can't believe this actually works" research that came out of Israel https://soylentnews.org/article.pl?sid=14/08/21/2051216/, Yes, it works in a lab, so it's theoretically possible, but the Real World application of such? I don't know.

      --
      My VMS box beat up your Windows box.
      • (Score: 1) by mechanicjay on Tuesday July 28 2015, @09:12PM

        On second thought, perhaps the skepticism about the real-world application of security cracking coming out of Israel isn't the point.

        Conspiracy Theorist Mode: on

        Perhaps the point is that they're really going for it....these are the artifacts of research that are getting published -- what's just getting funneled right to the Intelligence Agencies? Is Israel a stealth player in the Global Cyberwar? Is this their method of public dick waggling, telling the world, "All your base are belong to us?"

        CTM: off

        Regardless of how much fun the above is, there's some interesting security stuff going on there which we should probably all be keeping tabs on.

        --
        My VMS box beat up your Windows box.
      • (Score: 3, Insightful) by LoRdTAW (3755) on Tuesday July 28 2015, @09:17PM (#215062)

        Great, you infected the PC via a USB stick? Now how do you get data out of it?

        You missed the part about the infected system being air gapped. Meaning no connection to the outside world whatsoever. Imagine a PC without any connectivity save for a power cable. No wifi, no modem, no serial, no ethernet, no nothing.

        • (Score: 2) by jcross (4009) on Tuesday July 28 2015, @09:54PM (#215073)

          What if the required malware were compact enough to memorize or write down and type in on the target machine? I mean, that was the only way to get software onto a hobbyist computer back in the day.

        • (Score: 2) by slinches (5049) on Tuesday July 28 2015, @10:07PM (#215077)

          How about by writing the data to the USB stick and waiting until someone plugs it into a computer with internet access? If you can get a file one way across the air gap, the same method should work on the way out.

          • (Score: 2) by Ezber Bozmak (764) on Tuesday July 28 2015, @10:16PM (#215080)

            > How about by writing the data to the USB stick and waiting

            Because waiting is unreliable and takes time if it even works at all. For example, with classified systems r/w media becomes classified as soon as it is connected to a classified system, regardless of whether you deliberately wrote any data to it or not. When people need to get unclassified material off a classified system they typically just burn a DVD from a fresh blank because that is a much more controlled process.

          • (Score: 2) by dyingtolive (952) on Tuesday July 28 2015, @10:20PM (#215081)

            That also means someone has to screw up a second time. This could also be audited through various different ways, and unless you did something sneaky, increases the odds of being noticed (what's this pwn3d.txt on my usb stick with 1 other file?!)

            This is wizardry enough that it's likely it wouldn't be noticed if you got away with the initial infection. Even the person with the phone might be an unwitting dupe, and then the data is off through the internet. Otherwise to have no one intentionally in on the hack onsite, you'd still need to get it off the USB without direct access.

            --
            Don't blame me, I voted for moose wang!
        • (Score: 0) by Anonymous Coward on Wednesday July 29 2015, @08:35AM (#215339)

          Ok, a use case for you: Insider employee walks into airgapped room, installs malware which, for instance, is a key logger and maybe reads off other log files over time and transmits them continually. Then a few weeks later the nefarious cleaning company walks past the airgapped room and puts in a cell phone type device implanted into the extension cable for the wall lamp by the pot-plant in the waiting room nearby. Said device then discovers whatever secrets are in the airgapped computer. Cleaning company cleans pot-plant and replaces cable with new device with lots of fresh memory to fill up with log files, keylogs and whatever else.

    • (Score: 3, Informative) by LoRdTAW (3755) on Tuesday July 28 2015, @09:11PM (#215059)

      > If you already have malware on the target computer, why do you need the cell phone?

      This isn't about a one-way attack like stuxnet where the objective was to damage a system without receiving anything (more akin to a heat seeking missile). This is a quasi two way attack wherein the malware transmitted by a USB stick will allow the infected system to emit data like a beacon. The air-gapped part is the challenge. If you want to get data out of the system, you need a receiver. In this case, the cell phone is the receiver. The reason this is significant is some companies ban smartphones but may allow dumb phones. This hack demonstrates that even dumb phones can act as receivers. They also mention that a more powerful receiver (meaning one using a high gain antenna and advanced signal processing) allows for higher bit rates and could allow the attacker to park a vehicle with said receiver outside of a building.

      • (Score: 0) by Anonymous Coward on Wednesday July 29 2015, @09:31AM (#215346)

        Of course, all of those attacks could be mitigated by covering the computer in a Faraday cage.

        • (Score: 2) by LoRdTAW (3755) on Wednesday July 29 2015, @12:18PM (#215391)

          True. But how many sensitive systems are CURRENTLY in a faraday cage?

          • (Score: 2) by maxwell demon (1608) on Wednesday July 29 2015, @07:07PM (#215580)

            I'm pretty sure I've heard about the possibility of turning internal computer wires into sending antennas by software years ago. Therefore I'd expect anything really security critical to be in Faraday cages, provided whoever is responsible for security is worth the money he earns.

            --
            The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 2) by acid andy (1683) on Tuesday July 28 2015, @08:49PM (#215043)

    > The attack requires both the targeted computer and the mobile phone to have malware installed on them

    This makes me wonder how feasible it would be for someone to hand craft an executable file without any development environment on the machine. I don't think it's possible to enter every binary value via Windows Notepad for example by using ASCII or Unicode equivalents. Maybe someone would have more luck creating the code in a paint program.

    --
    If a cat has kittens, does a rat have rittens, a bat bittens and a mat mittens?
    • (Score: 0) by Anonymous Coward on Tuesday July 28 2015, @09:58PM (#215074)

      I once saw an x86 .com written for dos that used only 80 columns of ANSI characters.
      It generated pretty colors on screen but I can't find it anymore.

    • (Score: 2) by Ezber Bozmak (764) on Tuesday July 28 2015, @10:22PM (#215083)

      > how feasible it would be for someone to hand craft an executable file without any development environment on the machine. I don't think it's possible to enter every binary value via Windows Notepad for example by using ASCII or Unicode equivalents.

      That is a solved problem from the early days of PCs.

      Back then, when a 300bps modem was bleeding edge, lots of hobbyist magazines published ascii-encoded binaries you could type into your computer. The trick was that they used a loader, a trivial program that was written in machine code that was all ascii. The loader was just smart enough to parse the rest of the file and decode it into raw machine code and then jump to the right address in memory.
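The type-in loader idea in the reply above (and the "small enough to type in" question raised earlier in the thread), as an added example that is not any magazine's actual listing format or loader: a binary is encoded as a printable listing with an address and a checksum per line, and a small decoder rebuilds the bytes and rejects a mistyped line before anything is run. The line format, the position-weighted checksum and the sample "program" bytes are all constructed for this example.

```python
"""Type-in listing encoder and loader.

Added example, not a historical magazine format. Each line carries a 16-bit
address, up to 16 hex bytes and a checksum over address and bytes, so the
person keying it in learns exactly which line they mistyped.
"""
import re

# Example line:  0010: 1C 1D 1E ... *A1B2   (address, bytes, checksum)
LINE_RE = re.compile(r"^([0-9A-F]{4}):((?: [0-9A-F]{2}){1,16}) \*([0-9A-F]{4})$")


def checksum(addr, chunk):
    """Position-weighted sum: catches a mistyped digit and a swapped pair of bytes,
    which a plain byte sum would miss."""
    total = addr
    for position, byte in enumerate(chunk, start=1):
        total += position * byte
    return total & 0xFFFF


def encode_listing(data, line_bytes=16):
    """Produce the printable text a person would type in."""
    lines = []
    for addr in range(0, len(data), line_bytes):
        chunk = data[addr:addr + line_bytes]
        hexbytes = " ".join(f"{b:02X}" for b in chunk)
        lines.append(f"{addr:04X}: {hexbytes} *{checksum(addr, chunk):04X}")
    return "\n".join(lines) + "\n"


def decode_listing(text):
    """The loader: parse, verify every line, rebuild the bytes. Raises ValueError
    naming the first bad line so it can be retyped."""
    out = bytearray()
    expected_addr = 0
    for n, line in enumerate(text.splitlines(), start=1):
        line = line.strip().upper()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: not a listing line")
        addr = int(m.group(1), 16)
        chunk = bytes.fromhex(m.group(2).replace(" ", ""))
        if addr != expected_addr:
            raise ValueError(f"line {n}: expected address {expected_addr:04X}, got {addr:04X}")
        if checksum(addr, chunk) != int(m.group(3), 16):
            raise ValueError(f"line {n}: checksum mismatch, retype this line")
        out += chunk
        expected_addr += len(chunk)
    return bytes(out)


def first_bad_line(text):
    """Return the number of the first rejected line, or None if the listing is clean."""
    try:
        decode_listing(text)
    except ValueError as exc:
        return int(exc.args[0].split()[1].rstrip(":"))
    return None


def demo():
    # Constructed stand-in for a tiny binary: an ELF magic plus filler, not a real program.
    program = bytes.fromhex("7F454C46") + bytes(range(0x10, 0x3A))
    listing = encode_listing(program)
    round_trip_ok = decode_listing(listing) == program
    # Simulate a typing slip: two adjacent bytes on the second line keyed in the wrong order.
    lines = listing.splitlines()
    parts = lines[1].split(" ")
    parts[2], parts[3] = parts[3], parts[2]
    bad_listing = "\n".join(lines[:1] + [" ".join(parts)] + lines[2:])
    return round_trip_ok, first_bad_line(bad_listing)


if __name__ == "__main__":
    print(demo())
```

The same split applies on any platform: the only thing that must already exist on the target is something that can turn the checked text back into bytes, and that decoder is the part small enough to carry in one's head.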

  • (Score: 2) by gidds (589) on Thursday July 30 2015, @12:47PM (#215851)

    ...(or at least, the one that I have second-hand experience of), not just smartphones but all mobile phones are banned.  As are music players of all kinds (flash, CD, cassette), CDRs, and other storage devices.  And there are guys with machine guns to ensure compliance.  Even employees' hard drives must be removed and locked away whenever they leave their desks.

    Compared to that, the environment described in this story doesn't sound very secure to start with.

    --
    [sig redacted]