How to leak data from air-gaped computers using a USB device
Researchers at Ben-Gurion University of Negev have found a way to take a run-of-the-mill USB device and use it to leak data from an air-gapped computers via RF signals.
Academics with the school’s Cyber Security Research Labs division claim they’ve come up with software, dubbed USBee, that can modulate binary data over electromagnetic waves, and then transmit that data to a nearby receiver at 20 to 80 bytes per second.
Mordechai Guri, research and development manager of school’s cybersecurity research team, told Threatpost Tuesday that it wouldn’t be too difficult to infect a machine with the USBee software. It could be dropped on a computer by a malicious insider, through social engineering, an infected document or a malicious spam attachment.
Guri, Matan Monitz, and Yuval Elovici’s paper, “USBee: Air-Gap Covert-Channel via Electromagnetic Emission from USB,” (.PDF) was published Monday.
In a video posted by the researchers on Monday, they show how a computer with an antenna can pick up data transmitted to an unmodified USB external hard drive from a computer that’s not even connected to the internet. The researchers stress their attack method is solely based on software and doesn’t require any firmware.
Instead, the attack relies on electromagnetic radiation (EMR) – low level radiation, similar to Wi-Fi and cellular radio waves – generated by wires in a USB device’s data bus. Researchers determined that when sending data to a device, they can generate “controllable” EMR that can serve as a vehicle for modulated data. 6K buffers, when written to files on USB devices, usually as an arbitrary data block, can generate signals that are strong enough to be detected by a receiver.
That means, assuming USBee software has been installed on a compromised computer; an attacker could receive exfiltrated data, and decode it.
Since the attack is meant to steal binary data, an attacker wouldn’t be able to steal any large files, but could make off with keys, passwords, and other small bits of data, Guri said.
“With max speed of 50 to 80 bytes per second, attacker can extract encryption keys at few seconds (e.g., disk encryption keys). passwords, keylogging data, small files (e.g., password files, or personal information records, text files) and so on,” Guri told Threatpost.
Researchers kept the receiver fairly low tech. They used a $30 RTL-SDR software-defined radio they connected to a laptop. They based their reception code on GNU Radio, an open-source software development toolkit that’s used for the construction of radios. It provides signal-processing building blocks and can also extract, down convert and demodulate waveforms, as well.
The data is modulated with a frequency modulation scheme binary, FSK, but demodulated by researchers with an algorithm that converts a signal from its original domain.
The attack vector can have its drawbacks, the researchers say. Oftentimes sensitive computers are kept in restricted areas where electronic equipment, like receivers, are forbidden. Antivirus, or intrusion detection programs can also be used to identify repetitive activities carried out by USBee, such as its pattern of writing data to devices. Physically isolating USB components can limit the effectiveness of EMR as well, Guri claims. Users can add a special shielding cover to the emitting cables and USB components to limit the level of radiation.
It’s not the first time that USB devices have been transformed into air gapped spying devices. When NSA’s Tailored Access Operations (TAO) ANT, or Advanced Network Technology, catalog was leaked in 2013, it described COTTONMOUTH, a tool that permitted air gapped communication over a USB dongle, modded with an RF transmitter and receiver. At ShmooCon 2015, that revelation later spawned TURNIPSCHOOL, a microprocessor with a built-in radio onto a circuit board concealed in a USB cable, that was essentially a portable man-in-the-middle attack.
Researchers with the school, a public research university in Beersheba, Israel, have clearly developed a knack for stealing data from air gapped computers over the last few years.
It was only a few weeks ago that Guri, Elovici, and two other researchers published a paper describing how to exfiltrate data through the movements of a computer’s hard disk drive. In that paper the researchers claim a channel they call DiskFiltration, can be used along with a receiver to pick up acoustic signals. Like the USBee attack, any targeted machine would have to already be infected in order for an attacker to carry out data exfiltration.
Last year Guri, Munitz, and Elovici described a technique, BitWhisper, that uses heat to communicate between air gapped machines. The year before Guri, Elovici, and two other Ben-Gurion students described a way to leak data from an air-gapped machine to a mobile phone without using Wi-Fi or Bluetooth. Similar to how USBee decodes RF signals, that program, AirHopper, utilized the FM radio receivers commonly built into devices to decode radio signals from a computer’s video card.