Air-Gapped Computer Hacked (Again)

An anonymous reader writes: Researchers from Ben Gurion University managed to extract GSM signals from air gapped computers using only a simple cellphone. According to Yuval Elovici, head of the University’s Cyber Security Research Center, the air gap exploit works because of the fundamental way that computers put out low levels of electromagnetic radiation. The attack requires both the targeted computer and the mobile phone to have malware installed on them. Once the malware has been installed on the targeted computer, the attack exploits the natural capabilities of each device to exfiltrate data using electromagnetic radiation.

Old news is so exciting

[Anonymous Coward]

This just in, TEMPEST is a thing. Again.

Re:Old news is so exciting

[dave1791]

Parent beat me to the comment. TEMPEST has been around since at least the 80's folks.

Re:Old news is so exciting

[fuzzyfuzzyfungus]

It isn't conceptually novel; but doing a practical TEMPEST attack with nothing but a dumbphone, with a fairly unobtrusive software modification, rather than a relatively classy SDR rig or some antenna-covered fed-van is a nice practical refinement.

Really, how many 'tech news' stories are actually conceptually novel, rather than "Thing you could lease from IBM for the GDP of a small country in the 60s and 70s, or buy from Sun or SGI for somewhere between the price of a new house and the price of a new car in the 80s and early 90s, is now available in a battery powered and pocket sized device that shows ads!" Conceptual novelty has a special place, of course; but one ought not to scorn engineering refinement.

Re:Old news is so exciting

[SuiteSisterMary]

Sure, but it still involves physical access to the machine. Headline should have read something like 'novel new way to get data remotely off of compromised non-networked computers'.

Re:

[SuiteSisterMary]

So when the NSA intercepts your hardware before it's delivered?

Just look for the guy in the black suit, sunglasses, and earpiece lurking around the door of your server room with a cell phone plugged into his laptop.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Anonymous Coward]

It isn't conceptually novel; but doing a practical TEMPEST attack with nothing but a dumbphone ...

You obviously did not bother to read the article. Not only does it require malware be installed on the target computer, but it requires malware to be installed on the cellphone as well. Dumb phones (which are not even mentioned in the article) cannot download malware and would require a custom chip installed. While feature phones (also not even mentioned) can download apps, they MAY lack the CPU power necessary to run the decoder malware. It seems like a much ado about nothing to me. The only way to infect

Re:

[fuzzyfuzzyfungus]

The article named the phone as the Motorola C123. Apparently that model has an atypically well-understood baseband, which is probably why it was picked; but that handset is dumb as a rock except by comparison to the utter antiques from the age of analog cellular or something. I don't even think it has one of the teeny little JREs that phones used to have.

Re:

[AHuxley]

The TEMPEST origins are within the CIA going back to the very early 1950's.
The UK stumbled on TEMPEST like results thanks to a leaky embassy cypher machine in 1952 that offered up plain text.
France was the main target going into the 1950's until corrective hardware was added in the early 1960's.
The US and UK also had success with the new methods in Berlin and Vienna against Soviet communications networks.
In theory every advanced cryptographic expert should have been fully aware of the issues into the 19

Re:

[delt0r]

Exactly what i was going to say. I remember how easy it was to read the old CRT monitors remotely that you couldn't see.

"If you install x on both computers...."

[jafiwam]

This is just a new way to make a very slow, very crappy network connection via unexpected hardware.

"Hacking" has SOME meaning ya dummies. It implies that there isn't a willful participant at one end and the data breech happened anyway.

Whatever this is... it isn't 'hacking'.

Re:

[Anonymous Coward]

Agreed. I'm tired of people demonstrating "hacks" that could not occur under any normal circumstances, just for publicity's sake. It's become annoying and really serves to dilute the concern that should be shown when legitimate security holes are found.

Re:

[ComputerGeek01]

Do you actually know what a toolchain is you idiot? Script kiddies are welcome to stay home.

Re:"If you install x on both computers...."

[fuzzyfuzzyfungus]

It isn't a standalone hack, since placing the implant is left as an exercise for the reader; but exfiltration is a necessary ingredient of hacks in situations where a network connection either doesn't exist or can't safely be used.

Re:

[Nerrd]

""Hacking" has SOME meaning ya dummies" Yes - and the meaning of the term "hacking" has little to do with criminal activity or the breaching of a computer network. That meaning, is quite new.

Re:"If you install x on both computers...."

[gstoddart]

But so what? If you can get someone inside the secure area where the super secret machines are, and you can put a small amount of malware on them, you can gain access to them.

Yes, you won't do this with a remote exploit, but if you can subvert one person you can get into stuff.

So, like in Ocean's 11 where the guy dressed as the technician hooks into the system and nobody knows it, this is a way in which the bad guys can get your stuff.

And if you know that air gapped computers likely rely on some form of portable media on some form of regular schedule, and you can target that remotely, you really don't need a willing participant on the other end. The portable media might do the job for you without anybody even knowing about it.

If I can compromise your top secret computers by figuring out the weak link of getting this stuff onto them, then from an espionage sense of the word, I'm inside 'yer stuff and I can has cheeseburger.

It sure as hell is hacking by any meaningful sense of the word.

To many of us, 'hack' absolutely includes a clever new way of gaining access to something by exploiting something something unexpected. Doing it over an air gap is pretty unexpected since traditionally we say computers are secure if they're not connected to a network and inside a locked room. With this, not so much.

Once you have the technique, the social engineering or other cheating to get the access is something pretty much well covered by the rest of the espionage playbook. Hell, it's pretty well covered in books and movies.

Re:

[Rick in China]

As soon as the article got to "The attack requires both the targeted computer and the mobile phone to have malware installed on them"..... I stopped reading.

Re:

[Anonymous Coward]

Recalibrating hardware to perform in a way that it was not intended, but grants a user access to an otherwise closed system is not a hack!

This is exactly the meaning that "hacking" has, you fucking idiot.

Re:

[fuzzyfuzzyfungus]

Unfortunately, as our fine folks in the TAO group have apparently proven on multiple occasions, even people with fancy access control tend to have very little power until the package shows up at their loading dock. What happens earlier in the process is less encouraging.

Re:

[oobayly]

In other news - I can get into any car and drive off with it.

All I need to do is get the owner to leave the key on the front-right wheel.

Hacked Computer with air gap not completely secure

[cnaumann]

That headline would be a little more accurate but far less sexy.

Re:

[The MAZZTer]

"Oh yes, I thought of something," panted Ford.

Arthur looked up expectantly.

"But unfortunately," continued Ford, "it rather involved being on the other side of this airtight hatchway. [google.com]" He kicked the hatch they'd just been through.

Re:

[The MAZZTer]

Bah, screwed up the link. https://www.google.com/search?q=site%3Ablogs.msdn.com%2Fb%2Foldnewthing+%22It+rather+involved+being+on+the+other+side+of+this+airtight+hatchway%22 [google.com]

Re:

[fisted]

You screwed it up yet again. Here you go [msdn.com]

If you have physical access...

[Attila Dimedici]

So, this still requires physical access to the computer. I certainly hope that no one thought that it was possible to prevent someone with physical access to a computer from extracting data from said computer. You can make it difficult for them to do it, but not impossible.

Re:If you have physical access...

[gstoddart]

It requires someone to have access, but not necessarily you.

Say I know every Tuesday you need to transfer data to your air gapped computers. Now, assume the source of that data is somehow less secure and I can target that. Now, the person who is supposed to be in there is the only one who ever is, and unknowingly transfers the appropriate code to get into your systems.

See, the thing about security is that it's only as strong as the weakest link. If there is ever any data transfer in or out of your secure system, that becomes the weak link.

With some cleverness and patience, it is entirely possible this can be done entirely remotely, with all of the physical access being done by trusted people. And then your assertion about needing physical access becomes provably false.

Assuming your air-gapped machine periodically needs new inputs, and assuming you don't have people type that in from paper copy ... then however you get stuff on or off that computer is the thing you target.

Sure, the guys with guns and video cameras won't let me into your secure room. But they do let someone in. And that someone can be made to be unwittingly do your dirty work.

I don't think my scenario is even remotely implausible. If you have enough motivation, patience, and resources, you can accomplish an awful lot when it comes to bypassing security. And most nation states have all of those things, and lots of people actively working on it.

Re:

[Attila Dimedici]

OK, you are right. You only need the ability to insert your malicious code onto something that will be taken to the computer and set up to install. If you have the ability to both get your software installed on the computer and the ability to monitor its electromagnetic output, you can access the data on that computer. Guess what, I would have told you ten years ago that if you have the ability to get your software installed on a computer, you have the ability to access the data on said computer.

Re:

[jimbolauski]

Changing the frequency band the data is transmitted on is not a significant refinement. You still need two compromised devices in close proximity to each other and the bandwidth is severely limited.

Re:

[NatasRevol]

If there is ever any data transfer in or out of your secure system, that becomes the weak link.

If your 'air-gapped system' ever required data transfer in or out, it's NOT AN AIR GAPPED SYSTEM.

Re:

[gstoddart]

Or, conversely, if your machine never has any data which comes in or out, then you somehow have created a perfect closed system which has all the information it ever needs and can never be updated.

In which case it's probably useless.

Air gapped doesn't mean you never periodically put in new data or extract results, it means you don't have it connected to anything.

If you never add new data, and you never extract any, your computer is probably doing a really damned boring task which probably doesn't need to be

Re:

[NatasRevol]

Yes, because hermetically seal an individual computer is the same as air-gapping a set of computers.

Pedants are ... funny.

Re:

[AHuxley]

An embassy site or massive gov building might open to visitors, cleaning contractors, new staff, insiders with faith or cult like foreign loyalties, people offering products for demo or sale, tours, public requests within that magic air gap distance thats not miles on a classic mil base but down to floors or 100's of feet.
The classic secure communications room might be very secure to trusted staff only but the wider network might be very leaky over 10's-100 of feet beyond physical security.
Physical acces

Re:

[Attila Dimedici]

You are missing the part where they had to install their malicious software on the computer in question in order to accomplish this hack.

Re:

[gstoddart]

So what?

Ever hear of Stuxnet? Do you know it was largely spread with infected USB drives?

It's not like there has never been a situation in which someone has gotten malware installed through this kind of thing. And once you know you have the exploit, you can start figuring out how to get it there.

Security tends to fail when humans are involved, because sooner or later someone messes up.

History has told us repeatedly that this is achievable without ever actually needing to have physical access yourself, you

Re:

[bobbied]

You don't seriously think that they haven't thought about protecting their network connections outside of that super secure room do you?

Last time I checked, anything that carried data between these super secure locations was required to be encrypted by approved encryption devices using randomly assigned keys which changed frequently... Plus the infrastructure that carried the wiring had to be secured from tampering and frequently inspected... These networks don't "leak" as you might expect, but are well is

Re:

[account_deleted]

Comment removed based on user account deletion

Meh.

[msauve]

"The attack requires both the targeted computer and the mobile phone to have malware installed on them."

In other news, data can be exfiltrated from air-gapped computers if others can see the screen or hear the speaker. Even worse if they have WiFi installed on them.

Re:

[Sarten-X]

Those vectors are easily noticeable, though. Malware controlling the computer's electrical usage is so subtle as to be easily missed.

Re:

[bobbied]

Malware is ALWAYS detectable... It may take awhile to scan, but if you really want to be 100% sure something is clean, there are ways.

I'd be pretty surprised if there are not processes and procedures in place to catch such things as they happen.....

Re:

[AHuxley]

Thats easy to do with a Tailored Access Operations unit like hardware upgrade to all exported systems to a nation or front company over many years and upgrades.
All computers arrives ready for collection as installed by default. For admin staff or the more secure communications room. Just waiting for an alternative network day, weeks, months later after local install and site testing.

Stop the press

[Big Hairy Ian]

Malware used in Hacking!!! Seriously though if you're taking security that seriously you'll be sitting in a Fariday Cage for most of your professional career. Hmmm Idea for a kickstarter though a "Fariday Cage Iphone case" :D

really bad title

[bloodhawk]

NO, the air gap computer wasn't hacked. If you require them to install malware on it then it wasn't actually hacked, the air gapping is to prevent any malware from getting in. This is like a heap of other sensational articles from security researchers that claim how weak somethings security is as long as they had physical access or admin access, yeah no shit Sherlock, if you can install software on a computer you can do all sorts of nifty shit.

Re:

[Anonymous Coward]

The tittle is bad.... but it is still a "hack." One reason to air gap a network is to prevent the exfiltration of data, which this is able to do through a covert channel. This program circumvents that security, albeit with the high bar of first needing a way to install malware on the machine and leave a phone nearby.

So James Bond breaks into the high security area, installs the malware, and leaves. From then on classified data can be slowly siphoned without anyone else knowing.

Re:

[bloodhawk]

most places that require airgap's also have strict rules around what is allowed through the door let alone near a computer. e.g. one of the places I work at you must check ALL electronic devices into a locker before even getting past the front desk. USB ports on terminals are disabled and they don't have optical drives, all data enters and leaves through a controlled point. The USB in the parking lot trick is really only effective in lower security areas, not places with air gaps, air gaps have a lot higher

Motorola C123 = almost SDR

[citizenr]

Phone shown in the video is a variant of Motorola C123, Calypso Chipset design with leaked firmware source and semi documented dsp
http://bb.osmocom.org/trac/wik... [osmocom.org]

it isnt some dumb phone, its an SDR platform capable of running primitive GSM base station, or sniffing GSM traffic.

how is this a hack?

[Anonymous Coward]

So for this "hack" to work, you need to have access to the target machine to install malware.

Umm, ok, then I just hacked my companies corporate network by using remote desktop to access a server from home.

About the same level of hack, no?

Re:how is this a hack? Could be Skimmers Gen II

[Demonoid-Penguin]

So for this "hack" to work, you need to have access to the target machine to install malware.

Umm, ok, then I just hacked my companies corporate network by using remote desktop to access a server from home.

About the same level of hack, no?

No. Because you're just using an existing network connection. They're creating one. A covert channel.
And not even close to the same level.

Other posters have constructed scenario based on the most secure conditions to demonstrate the hack is worthless - while conveniently overlooking the fact that many companies have an air gapped computer with little tight security. In which case the evil maid scenario would work just fine.

Is it a hack, or a crack? It's both. The hack is used to crack the air gap security.

I

Missing the point here......

[dablow]

...what happens if that "malware" comes installed by default on closed source OS like Windows, OS X, iOS?

It's been documented that the NSA (could have been another agency) intercepting IT hardware (like Cisco switches) and installing their own custom firmware. Also hard disks have some code running on them curtsey of the NSA.

Does nobody else see the inherit danger here?

Re:

[Overzeetop]

Why does the malware need to be closed source. Can you not write and hide malware in open source software? It's not as if an end user is typically going to be able to audit the entire OS codebase even if it is available. And anyone involved in the setup of the machine would have the opportunity to easily slip in the malware, while the OS appeared to be stock.

Re:

[dablow]

You are correct that the average Joe, including myself, does not review 99.99999% of open sourced software. Quite simply I do not have the time to do so. However when it's open sourced, it is much much harder to sneak in malware because most popular releases do get reviewed by whatever community runs/develops it. If the release in question is ignored, it generally means that there is a lack of interest and/or user base at which point the problem becomes moot.

However it is much much harder to review a closed

"I/O gapped" is the new "Air gapped"

[davidwr]

If it's not "I/O gapped" - that is, if state changes aren't completely undetectable outside of the "secure environment" - then for all practical purposes it's not what we used to mean when we said something was "air-gapped."

In today's standards, it needs to be in an EMF-shielded room with an independent power supply (probably batteries), and it needs to be powered down completely when the shielded room's doors are open.

that's not what airgapping is

[ihtoit]

Airgapping the the complete physical isolation of a computer from ANY network. A computer in a closed Faraday cage with its own power generation inside the cage (like say a battery in a laptop) is the ONLY situation in which a system lacking ANY type of wireless or wired network connection including but not limited to Bluetooth, Wifi, Infrared, Serial, Modem or Cat5, can be in any way considered airgapped.