At one point during Black Hat USA 2015, researcher Ang Cui introduced malware into a relatively inexpensive laser printer so that it would sing its boot code to the audience. The eerie electronic warbling demonstrated the strange potential of amplified radio-frequency vibrations from I/O chips found in most electronics. While the Pantum P2502W laser printer won't make it onto American Idol any time soon, acoustic emissions from other devices may someday pose a real threat to enterprises as yet another channel for bad actors to exfiltrate sensitive data despite air gaps and other precautions.
Cui, a recent Columbia University graduate, began his research years ago when he compromised VoIP phones found within the office and leveraged that to eavesdrop on conversations within the enterprise. On the phones he changed the firmware to enable the built-in speakerphone mic to listen to conversations within the room while the phone was not in use and still in its cradle.
Sending the captured data over the existing computer network seemed risky, so Cui looked back on some of the espionage methods employed in the Cold War. In particular, he was thinking about ways to get data out of a secure bunker, one with thick walls and air-gapped systems. He showed a slide of a building at Eglin Air Force Base designed with two-foot thick concrete walls.
Cui found that many data broadcast models used in the 1960s and 1970s depended on a faint transmitter coupled with a very large receiver. This evoked images of white panel trucks parked outside various embassies. For an attacker today this type of exfiltration isn't very practical.
Instead, Cui wondered whether you could have a "loud, intentionally generated compromising emanation" from the device. He looked through the more recent literature and found one project called the "Bit Whisperer." It could broadcast data but only at a rate of 1 to 4 bits an hour – not very useful.
Cui wanted to achieve better results without using any special equipment, and he wanted the attack to work on almost any device. By injecting just seven lines of code, he turned the Pantum P2502W laser printer into an effective radio transmitter. He did so by rapidly flipping the power state of existing input and output pins, using several different techniques, each with its own pros and cons.
By flipping the power state using Pulse Width Modulation (PWM) he could achieve 10 kHz – 4 MHz; using General Purpose Input/Output (GPIO) pins, 10 kHz – 5 MHz; and on the Universal Asynchronous Receiver/Transmitter (UART), 10 kHz – 4 MHz. The initial results were all weak, so Cui set to work amplifying those signals, attempting to reach the 120 MHz – 205 MHz range, or just above the ultrasonic range that would "piss off dogs."
The relatively short wires of the GPIO connections wouldn't generate strong enough signals, despite flipping every available output pin. The UART output was better. And with an additional 10-foot cable attached, Cui said, the UART generated a signal strong enough to be picked up outside the building, even through the two-foot concrete wall.
Once the signals were strong enough, he still needed a way to make sense of them. He turned to amplitude-shift keying (ASK) and eventually settled on on-off keying (OOK), perhaps the simplest form of ASK. In OOK, a binary 1 is represented by the presence of a fixed-amplitude carrier wave at a fixed frequency, and a binary 0 by its absence. So your printer could be humming 1s and 0s and you would have no idea.
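To make the on-off keying concrete, here is an added Python simulation (not Cui's code and not part of the original article) that encodes bytes as carrier-present and carrier-absent symbol windows and recovers them with a non-coherent energy detector, the simplest OOK receiver. The sample rate, carrier frequency, symbol rate and noise level are constructed values chosen so the simulation runs in pure Python; they are not the frequencies from the talk, and nothing here touches hardware.

```python
import math
import random

# Constructed simulation parameters (not the frequencies from Cui's talk).
SAMPLE_RATE = 100_000          # samples per second
CARRIER_HZ = 5_000             # carrier frequency; 20 samples per cycle
SYMBOL_RATE = 500              # bits per second
SAMPLES_PER_BIT = SAMPLE_RATE // SYMBOL_RATE   # 200 samples (10 full carrier cycles)


def bytes_to_bits(data):
    """MSB-first bit list for a byte string."""
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def bits_to_bytes(bits):
    """Pack an MSB-first bit list back into bytes; trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def ook_modulate(bits, amplitude=1.0):
    """OOK: a 1 bit is one symbol window of carrier, a 0 bit is one window of silence."""
    samples = []
    n = 0                       # running sample index keeps the carrier phase continuous
    for bit in bits:
        for _ in range(SAMPLES_PER_BIT):
            t = n / SAMPLE_RATE
            samples.append(amplitude * math.sin(2 * math.pi * CARRIER_HZ * t) if bit else 0.0)
            n += 1
    return samples


def add_noise(samples, sigma, seed=1):
    """Additive Gaussian noise with a fixed seed so the run is reproducible."""
    rng = random.Random(seed)
    return [s + rng.gauss(0.0, sigma) for s in samples]


def symbol_energies(samples):
    """Mean power in each symbol window; this is the envelope detector's observable."""
    usable = len(samples) - len(samples) % SAMPLES_PER_BIT
    return [
        sum(x * x for x in samples[i:i + SAMPLES_PER_BIT]) / SAMPLES_PER_BIT
        for i in range(0, usable, SAMPLES_PER_BIT)
    ]


def ook_demodulate(samples, threshold=None):
    """Non-coherent OOK receiver: window energy above threshold -> 1, otherwise 0.

    With no threshold given, the midpoint between the quietest and loudest
    window is used, which works whenever the stream contains both symbols.
    """
    energies = symbol_energies(samples)
    if threshold is None:
        threshold = (max(energies) + min(energies)) / 2
    return [1 if e > threshold else 0 for e in energies]


def roundtrip(data, sigma=0.3):
    """Encode, add channel noise, decode; returns the recovered bytes."""
    tx = ook_modulate(bytes_to_bits(data))
    rx = add_noise(tx, sigma)
    return bits_to_bytes(ook_demodulate(rx))


if __name__ == "__main__":
    msg = b"Hi"
    print("sent:", msg, "recovered:", roundtrip(msg))
```

A carrier of amplitude 1 has a mean power of 0.5 per window, while a silent window carries only the noise power (about 0.09 at sigma 0.3), so the two symbol classes sit far apart and the midpoint threshold separates them cleanly. The same per-window energy statistic is what a spectrum monitor would compute when looking for a keyed carrier, which is why the article's point about host-based defense matters: the receiver side is cheap and simple, so the place to stop this is on the device that would be doing the keying.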
What's scary is that this type of data exfiltration could occur with almost any "Internet of Things" device.
"A network [intrusion detection system] is no substitute for host-based defense," Cui told the Black Hat audience. "You could monitor every known spectrum, but it would be very expensive and may not work. The best way is to have host-based defense baked into every embedded device."
Cui's full presentation can be found here.
Robert Vamosi is a CISSP and award-winning journalist. He is also the author of When Gadgets Betray Us: The Dark Side of Our Infatuation With New Technologies (Basic Books).