
Fri Aug 12, 2016, 11:01 AM

New air-gap jumper covertly transmits data in hard-drive sounds

Source: Arstechnica

Researchers have devised a new way to siphon data out of an infected computer even when it has been physically disconnected from the Internet to prevent the leakage of sensitive information it stores.

The method has been dubbed "DiskFiltration" by its creators because it uses acoustic signals emitted from the hard drive of the air-gapped computer being targeted. It works by manipulating the movements of the hard drive's actuator, which is the mechanical arm that accesses specific parts of a disk platter so heads attached to the actuator can read or write data. By using so-called seek operations that move the actuator in very specific ways, it can generate sounds that transfer passwords, cryptographic keys, and other sensitive data stored on the computer to a nearby microphone. The technique has a range of six feet and a speed of 180 bits per minute, fast enough to steal a 4,096-bit key in about 25 minutes.

"An air-gap isolation is considered to be a hermetic security measure which can prevent data leakage," Mordechai Guri, a security researcher and the head of research and development in the cyber security labs at Israel's Ben-Gurion University, told Ars. "Confidential data, personal information, financial records and other type of sensitive information is stored within isolated networks. We show that despite the degree of isolation, the data can be exfiltrated (for example, to a nearby smart phone)."

Besides working against air-gapped computers, the covert channel can also be used to steal data from Internet-connected machines whose network traffic is intensively monitored by intrusion prevention devices, data loss prevention systems, and similar security measures. The technique is documented in a technical paper titled DiskFiltration: Data Exfiltration from Speakerless Air-Gapped Computers via Covert Hard Drive Noise, which was published Thursday night. Guri and the other Ben-Gurion University researchers who devised the covert channel created the video demonstration below.

Read more: http://arstechnica.com/security/2016/08/new-air-gap-jumper-covertly-transmits-data-in-hard-drive-sounds/




20 replies, 2611 views

Replies to this discussion thread
Author Time Post
New air-gap jumper covertly transmits data in hard-drive sounds (Original post)
NWCorona Aug 2016 OP
Scalded Nun Aug 2016 #1
Mika Aug 2016 #3
William Seger Aug 2016 #9
William Seger Aug 2016 #10
Mika Aug 2016 #2
NWCorona Aug 2016 #4
neohippie Aug 2016 #5
NWCorona Aug 2016 #6
Statistical Aug 2016 #16
PersonNumber503602 Aug 2016 #20
jmowreader Aug 2016 #7
NWCorona Aug 2016 #8
jmowreader Aug 2016 #11
NWCorona Aug 2016 #12
Cicada Aug 2016 #13
csziggy Aug 2016 #18
Xithras Aug 2016 #14
recentevents Aug 2016 #15
Little Tich Aug 2016 #17
eppur_se_muova Aug 2016 #19

Response to NWCorona (Original post)

Fri Aug 12, 2016, 11:11 AM

1. Very interesting

I wonder if SSDs are vulnerable to the same threat.



Response to Scalded Nun (Reply #1)

Fri Aug 12, 2016, 11:18 AM

3. Video I posted touches on e/m & IR systems for reading chips, circuits, & monitors.

 

e/m - electro/magnetic.
IR- infrared



Response to Mika (Reply #3)

Fri Aug 12, 2016, 12:03 PM

9. (deleted misplaced reply)



Response to Scalded Nun (Reply #1)

Fri Aug 12, 2016, 12:05 PM

10. No, but they're vulnerable to any number of similar techniques

Many years ago, Russian hackers hacked Canon point-and-shoot cameras by injecting a small piece of code that could read the firmware binary from memory and blink the camera's status light to reflect the 1s and 0s, one at a time, which could then be read by a photo sensor. (They used that information to reverse-engineer the firmware to create a very cool version of it, called CHDK, which can run user scripts to extend the functionality of the camera.) DiskFiltration, AirHopper, and Fansmitter are just a variation on the same idea but using different ways to indicate 1s and 0s, and there are lots of similar techniques. For such techniques to work, of course, the challenge is to first inject that reader code and then to get some kind of monitor in the vicinity, which is presumably very hard (but not impossible) for an air-gapped computer in a secure location.



Response to NWCorona (Original post)

Fri Aug 12, 2016, 11:15 AM

2. @ 20 bits per minute it's pretty useless.

 

It's not about hacking nor reading disc data.







Response to Mika (Reply #2)

Fri Aug 12, 2016, 11:20 AM

4. I remember that story too! Interesting stuff.



Response to NWCorona (Original post)

Fri Aug 12, 2016, 11:31 AM

5. I'm guessing that most places that employ air gap as security don't allow phones in that environment

Interesting theoretical demonstration, but my guess is that in ultra secure environments that require air gapped systems such as say Department of Defense or similar places, employees are most likely also not able to bring a smart phone into the environment either, so while this sounds scary and is interesting, it's probably not likely to be used to steal anything super sensitive.



Response to neohippie (Reply #5)

Fri Aug 12, 2016, 11:40 AM

6. Absolutely! There's a reason for phone checks before entering secure facilities.

I



Response to neohippie (Reply #5)

Fri Aug 12, 2016, 08:39 PM

16. The phone isn't a requirement, just part of the demo.

Any microphone could be used to receive the acoustic signal from the drive. Spy agencies routinely use laser microphones to record conversations from a km away by measuring the movement (vibration) of windows caused by the sound waves inside.



Response to neohippie (Reply #5)

Mon Aug 15, 2016, 12:11 PM

20. It's still an additional tool that can be used, even if it is in a very specific situation

I'm sure there is or will be some situation where someone will find this to be a valid method of doing whatever it is they are doing.



Response to NWCorona (Original post)

Fri Aug 12, 2016, 11:45 AM

7. Let's see if I have this right

If I were an Evil Secret Agent I could break into a secure office building, infect a computer with some specialized malware, install a microphone within six feet of it and pick off sensitive data at 4800 baud by listening to the Morse Code this malware makes the hard drive heads tap out (assuming, naturally, that the computer I'm trying to attack doesn't have solid state drives, which are immune to this exploit because they have no heads)...or I could pay a maintenance crew to attach an antenna to the outside of the building and pick off, from 200 to 300 meters distance and at the full speed of your computer, the signals flowing through the plastic case on your computer and emanating from those cheap-ass USB and Ethernet cables you bought from OfficeMax four or five years ago.



Response to jmowreader (Reply #7)

Fri Aug 12, 2016, 11:59 AM

8. I see this being used in the private sector if anything to steal intellectual property.



Response to NWCorona (Reply #8)

Fri Aug 12, 2016, 12:15 PM

11. I don't see it being used at all

Your computer throws off electromagnetic energy all the time it's running, and those "compromising emanations" are detectable from a long ways off. It's far more trouble to try exploiting hard drive acoustics than to intercept the trash coming off your cables.

Oh...the biggest security risk is your monitor - they can't be shielded from the front, and they CAN be intercepted.



Response to jmowreader (Reply #11)

Fri Aug 12, 2016, 12:29 PM

12. I should have said "If used"

Just like the tech that reads the vibrations of the potato chip bag to hear what's being said in the vicinity. I find it interesting but not sure of the real world use.

Excellent point about the monitor!



Response to NWCorona (Original post)

Fri Aug 12, 2016, 01:13 PM

13. I guess that's why I hear that Cars song in so many govt offices

I thought it was odd that so many Fed govt offices have the Cars song "You Might Think I'm Crazy" playing lately. I guess they play it to block air-gap hacking.



Response to Cicada (Reply #13)

Sat Aug 13, 2016, 01:43 PM

18. Heh, heh, heh!



Response to NWCorona (Original post)

Fri Aug 12, 2016, 06:43 PM

14. This is actually NOT new

There was a virus back in the 1980s that hijacked the PC speaker to do the same thing. Once the virus was installed (inside job), a tape recorder was hidden underneath a nearby floor panel to record the transmissions from the computer. As I recall, the hack was used to gain access to thousands of bank accounts in one incident (a smallish hack by today's standards, but huge back then).

According to lore, a similar concept was once used by Soviet agents to get data from another air gapped computer system. After an insider installed the virus, the computer would "pulse" power to various internal devices. The pulsing would cause a measurable difference in the electrical load the computer was pulling. The Soviet spies were able to measure the building's electrical load from outside (trivial to do) and detect the pulses. The result was a very low rate data transmission via the building's own power grid.

While it's an interesting trick nowadays, it's not particularly useful. 180 bits per minute works out to just under four days per megabyte. A moderately sized 1Gb dataset, downloadable in minutes on any computer with modern broadband, would take 10.5 YEARS to download via hard drive acoustics.

I'm not terribly worried.



Response to NWCorona (Original post)

Fri Aug 12, 2016, 07:16 PM

15. Safest computer

 

As I was told in one of my first computer security classes, the only way to make absolutely sure your computer isn't hacked is to turn it off, never use it, and lock it in a safe.



Response to NWCorona (Original post)

Fri Aug 12, 2016, 09:26 PM

17. I'm not going to lose any sleep over this one - it's slow and difficult to use.

It's an interesting approach, though.



Response to NWCorona (Original post)

Mon Aug 15, 2016, 11:02 AM

19. Just as SSDs are taking over ...

no actuator, no noise, no problem.
