Researchers find new ways to siphon sensitive data off air-gapped computers

Why it matters: In a world where cyberattacks can cripple critical infrastructure, governments, law enforcement and public institutions rely on so-called air-gapped systems, physically isolated from any network, to stop even the most determined intruders. Even so, a team of Israeli security researchers keeps finding new ways to pull data out of such machines, and each finding points to something organizations can do to tighten their security posture.

For years, Israeli security researchers at Ben-Gurion University have sought ways to exfiltrate sensitive data from physically isolated computers. The team, led by Dr. Mordechai Guri, is well known for finding new and unorthodox methods of breaching so-called air-gapped systems.

Techniques they have demonstrated include using computer RAM as a makeshift Wi-Fi-band transmitter, manipulating screen brightness to send ones and zeros to a security camera, and adjusting the speed of cooling fans to create vibrations that a nearby smartphone can record.

The researchers recently presented a pair of attack methods called Gairoscope and EtherLED. As the two accompanying papers explain, these new exploits are a reminder that inventive attackers can circumvent even stringent security measures using relatively simple physical principles.

As its name suggests, the Gairoscope attack relies on a smartphone's gyroscope, a microelectromechanical (MEMS) sensor that responds to mechanical vibration. Malware planted on the air-gapped computer encodes data as "secret acoustic sound waves" played through the machine's own speakers, at frequencies that set the gyroscope's MEMS structure resonating.

A smartphone gyroscope a few meters away registers these vibrations through the air, though turning them back into data takes some extra work on the phone. The researchers note that many mobile applications use the gyroscope to improve the user experience, so users are far more willing to let an app access the gyroscope than the microphone, a habit attackers can exploit.

Another advantage of this method is that neither iOS nor Android shows an on-screen indicator when the gyroscope is in use, whereas both warn the user when the microphone is active. That opens up other options on the smartphone side, such as injecting malicious JavaScript that reads the gyroscope into a legitimate website or web application, rather than going through the trouble of getting malware to run on the device.

Gairoscope lets an attacker exfiltrate data at up to eight bits per second, faster than most known covert acoustic channels. It may not sound like much, but it is enough to leak short, high-value secrets such as passwords and storage encryption keys.

Guri and his team used an Android app to decode a message typed on the target computer within seconds (video above). An important limitation, however, is that reliable transmission tops out at eight meters (26 feet).

Gairoscope can be countered either by banning loudspeakers on air-gapped machines altogether or by running audio output through a filter that removes the resonant frequencies the attack depends on. Given the eight-meter range, keeping personal smartphones out of rooms that house isolated systems also helps.
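To show what such an audio filter looks like in practice, here is an added Python example (not code from the Gairoscope paper or the article): a Hamming-windowed sinc low-pass FIR that attenuates a high-frequency covert tone while leaving the band legitimate audio uses untouched. The 48 kHz sample rate, the 8 kHz cutoff and the 1 kHz / 19 kHz test tones are assumptions chosen for the example; the actual resonant frequencies come from the paper, not from this code.

```python
"""Added example (not from the Gairoscope paper): a windowed-sinc low-pass FIR
that strips the high-frequency band a covert acoustic channel would occupy
before the signal reaches the speaker. Sample rate, cutoff and test tones are
assumed values for illustration only."""
import math

SAMPLE_RATE = 48_000   # Hz, assumed audio output rate
CUTOFF_HZ = 8_000      # assumed: alerts/speech the machine needs sit well below this
TAPS = 101             # odd tap count gives a symmetric, linear-phase filter


def lowpass_taps(cutoff_hz=CUTOFF_HZ, sample_rate=SAMPLE_RATE, taps=TAPS):
    """Hamming-windowed sinc, normalised so the DC gain is exactly 1."""
    fc = cutoff_hz / sample_rate          # cutoff as a fraction of the sample rate
    mid = (taps - 1) / 2
    h = []
    for n in range(taps):
        x = n - mid
        sinc = 2 * fc if x == 0 else math.sin(2 * math.pi * fc * x) / (math.pi * x)
        window = 0.54 - 0.46 * math.cos(2 * math.pi * n / (taps - 1))
        h.append(sinc * window)
    total = sum(h)
    return [v / total for v in h]


def apply_fir(signal, h):
    """Direct-form convolution: output n depends on inputs n, n-1, ..., n-len(h)+1."""
    out = []
    for n in range(len(signal)):
        acc = 0.0
        for k, coeff in enumerate(h):
            if n - k >= 0:
                acc += coeff * signal[n - k]
        out.append(acc)
    return out


def tone(freq_hz, seconds=0.05, sample_rate=SAMPLE_RATE):
    """Constructed unit-amplitude sine used as a test input."""
    count = int(seconds * sample_rate)
    return [math.sin(2 * math.pi * freq_hz * i / sample_rate) for i in range(count)]


def steady_state_amplitude(signal, h):
    """Peak of the filtered signal once the filter's start-up transient has passed."""
    filtered = apply_fir(signal, h)
    return max(abs(v) for v in filtered[len(h):])


def attenuation_db(freq_hz, h):
    """How much a pure tone at freq_hz is reduced by the filter, in dB (negative = cut)."""
    return 20 * math.log10(steady_state_amplitude(tone(freq_hz), h))


if __name__ == "__main__":
    h = lowpass_taps()
    # A 1 kHz tone (legitimate audio) passes almost unchanged;
    # a 19 kHz tone (where a covert carrier might sit) is cut by tens of dB.
    print("1 kHz:", round(attenuation_db(1_000, h), 2), "dB")
    print("19 kHz:", round(attenuation_db(19_000, h), 2), "dB")
```

The point of the example is the shape of the countermeasure rather than these particular numbers: the cutoff has to sit below the frequencies that excite the gyroscope but above whatever the machine legitimately needs to play, and a filter with too few taps has a wide transition band that may still let part of the carrier through.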

The second method relies on the green and amber status and activity LEDs found on most network adapters. Guri's team has previously built exfiltration channels out of the activity lights on hard drives, switches, Wi-Fi routers and keyboards, at up to 6,000 bits per second.

EtherLED is harder to pull off, because it needs a direct line of sight between the target's network port and a surveillance camera the attacker has managed to compromise. A drone hovering outside could also capture the data, provided the network activity lights face a window.

Using security cameras is far more practical, though. Last year, hackers gained access to 150,000 cameras in schools, hospitals, police stations, prisons and companies such as Tesla and Equinox. With that kind of access, all an attacker would need to do is record the blinking lights of an infected machine's network interface card.

In the accompanying paper, Guri explains that EtherLED can leak a password in about a second and an RSA key in just under a minute. The exact speed depends on the modulation scheme used and on whether the attacker has compromised the network card's driver or firmware. The maximum distance for reliable reception ranges from 10 to 100 meters, depending on the camera.
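Both attacks come down to the same thing: a sender keys a physical carrier on and off (an LED for EtherLED, a tone that excites the gyroscope for Gairoscope) and a receiver that samples that carrier (camera frames or gyroscope readings) recovers the bits. The following is an added Python simulation of that on-off-keyed channel; it is not code from either paper or from the article. The preamble, the frame layout (sync word, one length byte, payload), the sample rates, the noise model and the test payload are all assumptions made for the example.

```python
"""Added example (not the BGU researchers' code): a toy on-off-keying (OOK)
covert channel. The sender holds a carrier on or off for a fixed number of
receiver samples per bit; the receiver averages each bit period, finds a sync
preamble and recovers the bytes. Preamble, framing and rates are assumptions."""
import random
from typing import List, Optional

PREAMBLE = [1, 0, 1, 0, 1, 1, 0, 0]  # assumed 8-bit sync word, not from the papers


def bytes_to_bits(data: bytes) -> List[int]:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits: List[int]) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - len(bits) % 8, 8))


def encode_frame(payload: bytes) -> List[int]:
    """Frame layout (assumed): preamble, one length byte, then the payload bits."""
    if len(payload) > 255:
        raise ValueError("payload too long for the one-byte length field")
    return PREAMBLE + bytes_to_bits(bytes([len(payload)]) + payload)


def modulate(bits: List[int], samples_per_bit: int) -> List[float]:
    """OOK: hold each bit for samples_per_bit receiver samples (on = 1.0, off = 0.0)."""
    return [float(bit) for bit in bits for _ in range(samples_per_bit)]


def add_channel_noise(samples, sigma, rng):
    """Gaussian noise standing in for camera exposure jitter or gyroscope drift."""
    return [s + rng.gauss(0.0, sigma) for s in samples]


def symbol_means(samples, start, n_bits, spb):
    """Average each bit period; None if the capture ends before n_bits are available."""
    if start + n_bits * spb > len(samples):
        return None
    return [sum(samples[start + k * spb:start + (k + 1) * spb]) / spb
            for k in range(n_bits)]


def find_sync(samples, spb) -> Optional[int]:
    """Correlate the averaged symbols with the preamble at every sample offset (the
    receiver does not know when the sender started) and return the best offset."""
    best_start, best_score = None, float("-inf")
    for start in range(len(samples) - len(PREAMBLE) * spb + 1):
        means = symbol_means(samples, start, len(PREAMBLE), spb)
        score = sum((2 * m - 1) * (2 * p - 1) for m, p in zip(means, PREAMBLE))
        if score > best_score:
            best_start, best_score = start, score
    return best_start


def demodulate(samples, spb, threshold=0.5) -> Optional[bytes]:
    """Recover the payload bytes, or None if no complete frame is in the capture."""
    start = find_sync(samples, spb)
    if start is None:
        return None
    header = symbol_means(samples, start + len(PREAMBLE) * spb, 8, spb)
    if header is None:
        return None
    length = bits_to_bytes([int(m > threshold) for m in header])[0]
    body = symbol_means(samples, start + (len(PREAMBLE) + 8) * spb, length * 8, spb)
    if body is None:
        return None
    return bits_to_bytes([int(m > threshold) for m in body])


def bit_rate(sample_rate_hz: float, spb: int) -> float:
    """The channel's bit rate is bounded by how fast the receiver samples the carrier."""
    return sample_rate_hz / spb


def round_trip(payload: bytes, spb: int, sigma: float, seed: int = 1,
               idle: int = 37) -> Optional[bytes]:
    """Leading/trailing idle samples (carrier off) model time before and after the burst."""
    rng = random.Random(seed)
    clean = [0.0] * idle + modulate(encode_frame(payload), spb) + [0.0] * idle
    return demodulate(add_channel_noise(clean, sigma, rng), spb)


if __name__ == "__main__":
    # Assumed receivers: a 30 fps camera with 3 frames per bit, and a 200 Hz
    # gyroscope with 25 samples per bit (the latter lands on the 8 bit/s figure).
    print(bit_rate(30, 3), "bit/s camera;", bit_rate(200, 25), "bit/s gyroscope")
    print(round_trip(b"hunter2", spb=5, sigma=0.1))
```

Two things the simulation makes visible that the article only states: the receiver's sampling rate, not the sender, caps the throughput (a camera delivering 30 frames per second cannot resolve faster blinking, which is why the paper's rates depend on the camera and on who controls the LED), and the receiver needs a known preamble to find the start of a burst, because it has no clock shared with the sender.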

The attack can be mitigated in several ways, from the low-tech option of covering the LEDs with black tape to firmware-level countermeasures that scramble any visual cue an attacker might try to read.

As tempting as it is to dismiss attacks like Gairoscope and EtherLED as unlikely to appear in the wild, this research still matters. Over the past two years, we have seen reports of cyber-espionage groups targeting air-gapped systems in South Korea and Japan.

Header credit: FLYD