Computers housing the world's most sensitive data are usually "air-gapped" or isolated from the internet. They're also not connected to other systems that are internet-connected, and their Bluetooth feature is disabled, too. Sometimes, workers are not even allowed to bring mobile phones within range of the computers. All of this is done to keep important data out of the hands of remote hackers.
But these security measures may be futile in the face of a new technique researchers in Israel have developed for stealthily extracting sensitive data from isolated machines—using radio frequency signals and a mobile phone.
The attack recalls a method the NSA has been secretly using for at least six years to siphon data in a similar manner. An NSA catalogue of spy tools leaked online last year describes systems that use radio frequency signals to remotely siphon data from air-gapped machines using transceivers—a combination receiver and transmitter—attached to or embedded in the computer instead of a mobile phone. The spy agency has reportedly used the method in China, Russia and even Iran. But the exact technique for doing this has never been revealed.
The researchers in Israel make no claims that theirs is the method used by the NSA, but Dudu Mimran, chief technology officer at the Israeli lab behind the research, acknowledges that if student researchers have discovered a method for using radio signals to extract data from hard-to-reach systems, professionals with more experience and resources likely have discovered it, too.
"We are doing research way behind people [like that]," he told WIRED. "The people who are doing that are getting a lot of money and are doing that [full time]."
Dubbed "AirHopper" by the researchers at Cyber Security Labs at Ben Gurion University , the proof-of-concept technique allows hackers and spies to surreptitiously siphon passwords and other data from an infected computer using radio signals generated and transmitted by the computer and received by a mobile phone. The research was conducted by Mordechai Guri, Gabi Kedma, Assaf Kachlon, and overseen by their advisor Yuval Elovici.
The attack borrows in part from previous research showing how radio signals (.pdf) can be generated by a computer's video card (.pdf). The researchers in Israel have developed malware that exploits this vulnerability by generating radio signals that can transmit modulated data that is then received and decoded by the FM radio receiver built into mobile phones. FM receivers come installed in many mobile phones as an emergency backup, in part, for receiving radio transmissions when the internet and cell networks are down. Using this function, however, attackers can turn a ubiquitous and seemingly innocuous device into an ingenious spy tool. Though a company or agency may think it has protected its air-gapped network by detaching it from the outside world, the mobile phones on employee desktops and in their pockets still provide attackers with a vector to reach classified and other sensitive data.
The researchers tested two methods for transmitting digital data over audio signals but Audio Frequency-Shift Keying (A-FSK) turned out to be the most effective.
"[E]ach letter or character was keyed with different audio frequency," they note in a paper released last week (.pdf) that describes their technique. "Using less than 40 distinct audio frequencies, we were able to encode simple textual data—both alphabetical and numerical. This method is very effective for transmitting short textual massages such as identifiers, key-stroking, keep-alive messages and notifications."
The data can be picked up by a mobile phone up to 23 feet away and then transmitted over Wi-Fi or a cellular network to an attacker's command-and-control server. The victim's own mobile phone can be used to receive and transmit the stolen data, or an attacker lurking outside an office or lab can use his own phone to pick up the transmission.
Nobody’s Cellphone Is Really That Secure
"With appropriate software, compatible radio signals can be produced by a compromised computer, utilizing the electromagnetic radiation associated with the video display adapter," the researchers write. "This combination, of a transmitter with a widely used mobile receiver, creates a potential covert channel that is not being monitored by ordinary security instrumentation."
The researchers note that the chain of attack "is rather complicated," but it's not beyond the skills and abilities already seen in advanced attacks conducted by hackers in China and elsewhere. Or by the NSA.
Generally the most common method for infecting air-gapped machines is a USB flash drive or other removable media. Once one air-gapped machine is infected, the malware can spread to other machines on an air-gapped network. Data can be extracted the same way, though this is more of a challenge. The malware stores stolen data on the machine until a flash drive is inserted, at which point data is copied to the drive. When the flash drive is then inserted into another computer that's connected to the internet, the data gets transmitted back to the attackers' command-and-control center. This method takes time, however, since it requires the attacker to wait until someone inserts a flash drive into the air-gapped machine and carries it to an internet-connected machine.
AirHopper, however, doesn't require repeated action like this once the malware is installed. An attacker only needs to get their malicious transmitter code onto the targeted machine and then either install the malicious receiver component on the victim's mobile phone or use the attacker's own mobile phone in the vicinity of the computer to receive the data and transmit it to the attacker's command-and-control server. The malware can be programmed to store siphoned data on the infected machine for later transmission at specified hours or intervals. The researchers also devised methods for hiding the data transmission on the targeted machine to avoid detection, including transmitting data only when the monitor is turned off or in sleep mode and altering the FM receiver on the phone so that there is no audible tone when data is transmitted to it.
Although the distance for transmitting data from an infected computer to a mobile phone is limited—due to the limitations of the receiver in phones—attackers could use a stronger portable receiver, set up in a parking lot for example or installed on a drone flying overhead, to pick up data from greater distances.
There are other limitations, however. The proof-of-concept test allows for data to be transmitted at only 60 bytes a second—about a line of text per second—which limits the speed and volume at which attackers could siphon data. But Mimran notes that over time, a lot of sensitive data can still be extracted this way.
"We can take out whatever we want," he told WIRED. "That only depends on the malicious software that resides on the computer. If it is a keylogger, then you can take out whatever the user types."
A 100-byte password file takes 8-10 seconds to transmit using their method, and a day's worth of keystrokes takes up to 14 minutes to transmit this way. But a document just .5 megabytes in size can take up to 15 hours to transmit.
Extracting documents "would be very slow and it will take a long time," Mimran acknowledges, "but this [demonstration] is just a proof-of-concept. I guess the bad people can make it more sophisticated."
Indeed, the NSA catalogue of surveillance tools leaked last year , known as the ANT catalogue, describes something called the Cottonmouth-I , a hardware implant that resembles an ordinary USB plug except it has a tiny transceiver, called the HowlerMonkey, embedded in it for extracting data via RF signals. According to the New York Times, which published additional information about the Cottonmouth-I , the transceiver transmits the stolen data to a briefcase-sized NSA field station or relay station, called the Nightstand, which can be positioned up to eight miles away. Once the data is received by the relay station, it's further transmitted to the NSA's Remote Operations Center. Available since 2009, the Cottonmouth-1 is sold in packs of 50 for about $1 million.
This method of data extraction may have been used in Iran to siphon intelligence about the nuclear program there, the Times reports—perhaps in preparation for the Stuxnet attack, which sabotaged computers controlling centrifuges used to enrich uranium gas in Iran.
A USB plug, however, requires physical access to a targeted computer in the field or it requires the victim to unwittingly insert the USB plug into the computer before the transmission can occur. An alternative method to this, the leaked document notes, is embedding tiny circuit boards in the targeted computer to do the transmission. One way to compromise the machine would be to intercept new equipment enroute to a customer so that it arrives to the victim already equipped to transmit stolen data. According to the document published by the Times, the RF transceiver can also be used to implant malware on a targeted system, not just extract data from it.
Radio frequency hacks are difficult to mitigate, short of physically insulating computers and cables to prevent emissions from being picked up by receivers. This may be practical for military and other classified facilities to do, but not for commercial companies that are trying to protect sensitive data from such attacks. Prohibiting mobile phones from work areas will not help, since outside receivers can be used in place of mobile phones to extract data.
"We're disclosing there is this danger," Mimran says, "but the biggest problem that we are really working hard on is finding mitigation for that. From preliminary results, it's not easy."