In a previous blog I talked about malware-based exfiltration of data from ordinary devices in the workplace, such as a printer or a VoIP phone. Briefly, malware could cause the I/O pins on common chips to broadcast data over low-frequency radio waves – a long carrier wave would be a binary 1, and none would be a binary 0.
This begs the question: Could this low frequency signal be used to defeat air gapped CPU systems as well?
There's a security model where an air gapped computer is not connected to the Internet nor to any computer that is connected to the Internet. That computer can't share data with the outside world unless someone physically copies the data to a removable media and then pastes that data on a second system with access to the Internet. A typical countermeasure is to disable the CD and USB ports; often they are physically sealed. But new research suggests that data from an air gapped computer could still be broadcast to an inexpensive mobile phone. How?
A normal working computer emits radio frequencies that can be vulnerable to differential power analysis side-channel attacks. For example, when data moves from the CPU to the RAM it generates a fixed-amplitude carrier wave and a fixed frequency. This can be measured externally with a sensitive receiver. Thus a binary code of 1s and 0s could be exfiltrated if someone were to listen for it.
Mobile phones, even inexpensive ones, can become very sensitive receivers of low-frequency broadcasts. In a paper published last month for this year's Usenix Security Symposium in Washington, DC, a team from the Cyber Security Research Center at Ben-Gurion University of the Negev found a way to make a low-end feature phone become a radio receiver. In the study the researchers were looking at the normal emissions from an infected computer, but it seems possible that such a system could also listen for broadcasts from a compromised office machine such as a printer or a VoIP phone. Malware on the air gapped computer could be installed through physical access, or even somewhere along the supply chain as the unit is shipped to the location.
In this attack, a proof-of-concept program called GSMem was used to force the computer’s memory bus to act as a simple broadcast antenna. The bus could then transmit data to a nearby cellular-enabled mobile phone. This new research builds on the team's previous research exfiltrating data via Wi-Fi networks alone.
In a secure environment, where smartphones are not allowed, sometimes companies allow feature phones. Often the companies that do allow feature phones into sensitive areas provide company-owned phones, but COPE (corporate-owned, personally-enabled) phones can still be infected with malware. Even phones without cameras, video capabilities or Wi-Fi can be useful to an attacker, the researchers point out.
To infect the mobile phone, the research team created ReceiverHandler, a rootkit which becomes embedded into the baseband firmware of the phone. This could be installed through direct physical access to the phone or via a malicious app. The exfiltrated information is stored on the phone and later transmitted via GSM mobile-data or SMS. If a smartphone is used, then the proof-of-concept malware can also take advantage of local Wi-Fi. Smartphones, the researchers note, have better radio frequency reception and therefore offer a higher exfiltration rate.
That said only a little bit of data can be broadcast or received this way. However, the data exfiltrated is enough to capture usernames and passwords. This could allow a remote attack to gain direct access to these sensitive systems or services at a later date.
Robert Vamosi is a CISSP and award-winning journalist. He is also the author of When Gadgets Betray Us: The Dark Side of Our Infatuation With New Technologies (Basic Books).
Data Protection Security Audit Checklist
Are you ready for your next security audit? Our checklist has 12 questions to help you prepare.
Related ArticlesFriday Five: 1/11 Edition
Google can limit 'right to be forgotten,' selling real-time phone location data, and more - catch up with the week's infosec news with this roundup!Irish Data Protection Commission Disappointed With 2020 Budget
The data protection commission, one of the world's most vigilant, is disappointed in the government for its smaller-than-expected budget next year.Almost 60,000 Post-GDPR Data Breaches Reported in Europe
Research published this week suggests there have been over 59,000 data breaches reported to data protection authorities in Europe since GDPR went into effect last year.