
Air-Gap Electromagnetic Covert Channel

Published: 31 July 2023

Abstract

Air-gapped systems are isolated from the Internet because of the sensitive information they handle. This article introduces a covert channel attack that leaks sensitive information over the air from highly isolated systems. The information emanates from the air-gapped computer as radio waves and can be picked up by a nearby insider or spy with a mobile phone or laptop. Malware on an air-gapped computer can generate these radio waves by executing crafted code on the target system. The malicious code exploits the dynamic power consumption of modern computers and manipulates the momentary loads on CPU cores. This technique allows the malware to control the computer's internal utilization and generate low-frequency electromagnetic radiation in the 0–60 kHz band. Sensitive information (e.g., files, encryption keys, biometric data, and keylogging) can be modulated over the emanated signals and received by a nearby mobile phone at a maximum rate of 1,000 bits/sec. We show that a smartphone or laptop with a small $1 antenna carried by a malicious insider or visitor can be used as a covert receiver. Notably, the attack is highly evasive since it executes from an ordinary user-level process, does not require root privileges, and is effective even within a virtual machine (VM). We discuss the attack model and provide technical details. We implement air-gap transmission of texts and files and present signal generation and data modulation. We test the covert channel and show evaluation results. Finally, we present a set of countermeasures to this air-gap attack.



Published In

IEEE Transactions on Dependable and Secure Computing, Volume 21, Issue 4
July-Aug. 2024
2808 pages

Publisher

IEEE Computer Society Press

Washington, DC, United States


Qualifiers

  • Research-article
