Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security IT

Academics Turn RAM Into Wi-Fi Cards To Steal Data From Air-Gapped Systems (zdnet.com) 105

Academics from an Israeli university have published new research today detailing a technique to convert a RAM card into an impromptu wireless emitter and transmit sensitive data from inside a non-networked air-gapped computer that has no Wi-Fi card. From a report: Named AIR-FI, the technique is the work of Mordechai Guri, the head of R&D at the Ben-Gurion University of the Negev, in Israel. Over the last half-decade, Guri has led tens of research projects that investigated stealing data through unconventional methods from air-gapped systems. [...] At the core of the AIR-FI technique is the fact that any electronic component generates electromagnetic waves as electric current passes through. Since Wi-Fi signals are radio waves and radio is basically electromagnetic waves, Guri argues that malicious code planted on an air-gapped system by attackers could manipulate the electrical current inside the RAM card in order to generate electromagnetic waves with the frequency consistent with the normal Wi-Fi signal spectrum (2,400 GHz). In his research paper, titled "AIR-FI: Generating Covert WiFi Signals from Air-Gapped Computers," Guri shows that perfectly timed read-write operations to a computer's RAM card can make the card's memory bus emit electromagnetic waves consistent with a weak Wi-Fi signal. This signal can then be picked up by anything with a Wi-Fi antenna in the proximity of an air-gapped system, such as smartphones, laptops, IoT devices, smartwatches, and more. Guri says he tested the technique with different air-gapped computer rigs where the Wi-Fi card was removed and was able to leak data at speeds of up to 100 b/s to devices up to several meters away.
This discussion has been archived. No new comments can be posted.

Academics Turn RAM Into Wi-Fi Cards To Steal Data From Air-Gapped Systems

Comments Filter:
  • If you can get at the Air gapped system to install the software, what is the point of the exercise? Just copy the data, or even photograph the screen.

    • by JoshuaZ ( 1134087 ) on Tuesday December 15, 2020 @05:14PM (#60835070) Homepage
      You could in this scenario maybe have access only once. And once you have, you can keep getting new data even as it is air gapped. Or consider the situation where one modifies the software even before it is sold, so it activates this if it detects being air gapped and finding specific data on the machine. A major part of the point of being airgapped is that even if the software is compromised in some way, data cannot leak from the machine itself. This shows that is not the case.
      • The best scenario would probably a spy breaking in to plant something. Getting in many times is not sensible. Getting in once is feasible.

      • Stuxnet (Score:5, Insightful)

        by aberglas ( 991072 ) on Tuesday December 15, 2020 @05:43PM (#60835210)

        The Iranian nuclear system was hacked by corrupted USBs used to cross the Air Gap. Air Gaps are never 100%, you need to get some data in and out.

        This would have worked very well in such a situation if the attacked machines contained important secret data.

        Memories are short.

        • Thats why when security at that sort of level is needed you fill the unused ports with epoxy. hard to plug in unapproved hardware when the ports are filled with resin

          • It's been demonstrated that monitoring nearly-imperceptible changes in LED brightness can exfiltrate data from air-gapped machines.

            If there's I/O, there's a way to abuse it.

          • That only forces your adversary to go further up the food chain. If the USB drives hadn't worked against Iran, do you think the attackers would have given up? They would have compromised an operating system vendor if they had to. At some point, you have to take software into the air-gapped system and, when you do, there's an attack vector. Now you might think why not develop all software in the SCIF including operating system. Well because now you have to develop your own operating system and such. Ev
            • ... which is why no country which is in economic competition with the USA can take the risk of using US-designed hardware or software.

              They came for Huawei, and Microsoft died. Good result!

              • That's a fair point and you very well may see that we end up in a situation where mission-critical operating systems become somewhat of a national endeavor and smaller countries that can't build there own adopt whichever is offered by an allied country. I don't think Windows is used in such scenarios, though, is it? It may be used in some SCIFs but only where the risk is acceptable. Probably not in mission-critical control systems, though?
                • I would doubt it too. Which would be why each country is going to need to "clean-room" their own tool-chain and OS. As Stallman has been politicking for at least 3 decades that I've been watching.

                  smaller countries that can't build there own adopt whichever is offered by an allied country.

                  Which will imply a 3-way division of hegemonies in the foreseeable future, until the next major war. Possibly a 4-way division.

      • by Rhipf ( 525263 )

        I think it would become obvious that something is amiss when you are sitting within the "several meters away" from the air gapped computer waiting for the data to download at 100 b/s. 8^)

        • by sjames ( 1099 )

          That's why you don't actually sit there. You use a small inexpensive device as a relay.

          • by Entrope ( 68843 )

            If someone is serious enough to really want an air gap, they should be serious enough to screen or closely monitor people with physical access to the area. The screened people, and the escorts for unscreened-but-monitored people, need to be trained about the risks of allowing random devices in the vicinity of the air-gapped equipment.

            If you let random strangers leave arbitrary devices near your high-assurance equipment, you have a bunch of security risks beyond "attackers might use a cheap device as an exf

            • by sjames ( 1099 )

              If someone is serious enough to really want an air gap, they SHOULD be serious enough to screen or closely monitor people with physical access to the area.

              Emphasis mine. In theory, security can be perfect and nobody screws up...

              • by Entrope ( 68843 )

                That is why serious people usually adopt defense in depth. You don't need each security control to be perfect -- you just need each to be reliable enough that the whole assembly protects against relevant threats. Studies like this one almost universally ignore those other layers, which is fine, but it's not fine for discussions (like on Slashdot) to also ignore layered defenses.

                Risk assessment: It's what's for breakfast.

                • by sjames ( 1099 )

                  It is helpful since it identifies a non-obvious but relevant threat. It can be defended against, but that requires understanding that it and other similar threats exist.

                  What isn't helpful is dismissing this as a real possibility that must be considered when designing secure systems.

                  • by Entrope ( 68843 )

                    Except people who design secure systems already do have rules that defend against this kind of attack: Security zones (including a minimum distance of secure computers and work space from uncontrolled perimeters). Identification and mitigation of other potential EMI paths, up to potentially building a Faraday cage. Wireless devices being banned in secure areas. Passive spectrum surveillance. Third-party or not thoroughly supervised devices being checked before being admitted. Supervision for unscreened

                    • by sjames ( 1099 )

                      The most secure facilities do, but there are many places that assume no network cable = secure air gap.

                      This isn't advice for the NSA, it's advice for things like credit card processing.

          • by Rhipf ( 525263 )

            Then it would be rather obvious when there is a new piece of unknown equipment sitting within "several meters" of the air gapped computer. If you aren't able to control what is within a few meters of your air gapped computer then I don't think having the system air gapped is really securing much.

            • by sjames ( 1099 )

              Keep in mind, the device could be the size of a pack of gum and may not look like an electronic device.

      • Keep the air-gapped system air-gapped and in a Faraday cage? The cage should be as tightly formed around the system.

        Or get a case with a Faraday cage built-in? That would keep tricks like this in check, I would assume.

    • +1 Insightful Just what I was going to say "malicious code planted on an air-gapped system" you have a lot bigger problems here than how data is moved off a system.
      • Sure it lowers it's usefulness, but it's not useless.

      • +1 Insightful Just what I was going to say "malicious code planted on an air-gapped system" you have a lot bigger problems here than how data is moved off a system.

        I am reminded of the story of a pen testing team that pretended to be the fire marshal on a inspection, popped down behind a desk to "check and see if it was far enough from the heat register" an plugged in a usb R.A.T.

    • I can't say it's particularly useful, but still, cool technique.

    • Yeah, the real genius move wouls be a sjaped radio signal that can flip bits in the target system to spread itself.
      I think quantum physics puts a hard limit on that though.

      • Just to clarify.

      • Yeah, if RAM can transmit, it can also receive.

        Every speaker is also a microphone

        • by tkotz ( 3646593 )

          Every speaker is a microphone as a isolated electrical component, but the way the sampling and amplification circuits are connected highly bias the directionality. RAM is designed to read the signal levels of the RAM cells while reducing sensitivity to EM radiation. you really wouldn't want to try to write software that could run out of RAM that was more influenced by EM than its contents.
          On the transmit side the ram is already amplyfing signals in order to set cell levels and is not overly concerned with

    • Backdoor. They're useful.

    • by tlhIngan ( 30335 ) <slashdot&worf,net> on Tuesday December 15, 2020 @06:52PM (#60835498)

      The problem isn't getting stuff ONTO the airgapped network - that is usually embarassingly easy.

      The problem is how to exfiltrate the information on the air-gapped network.

      Remember, it is believed the best defense against getting hacked and your information stolen is to not connect that computer to the Internet. I.e., you put it on an airgapped network with no connection to the main LAN and such. Many networks are set up this way, including the DoD secure network. Other networks are to isolate the control network from the corporate network so a virus or something can't shut down the production machines or violate safety protocols. These latter networks aren't generally the target of exfiltration attacks as they don't have information to exfiltrate.

      Often there is a simple process to get data or other information onto the network but exceedingly hard to get it off.

      And there have been dozens of ways to exfiltrate the information - the basic ones used the monitor which lead to TEMPEST protection (must less needed these days - CRTs had very distinct EM signatures that pretty much gave away the data, while modern LCD displays make it much harder).

      Sure, the extraction speed isn't quick - many methods only push bits per second across the airgap, but they're undetectable and easy.

      Stuxnet was a great example of crossing the airgap and there had to be a lot of information esfiltrated in order to get it to be so well targeted.

    • by znrt ( 2424692 )

      look at it this way: if you can't get in, what's the point in air-gapping a system.

      different problems. this is about sending data out in a stealthy way once you're in.

    • I have to admit that the technique sounds very impressive.

      Install the malware once, go by the compromised computer fairly frequently acting as if you are doing your normal day to day tasks.

      This is useful for employees doing corporate espionage on the down low.

    • Itâ(TM)s often relatively easy to get data onto a system once - social engineering and a usb stick. Doing it reliably, and getting the data back? Much harder.

    • I take it you've never been into a SCIF. You will not be successful bringing in copying, photographing, or recording devices. You *can* bring in read-only media (i.e. pressed, not burned CD). And you will have zero success taking just about anything *out*. The way you would get this into the SCIF is you would compromise a software vendor (either via technical or social means) and have the malware included in the software distribution that the target receives. The hard part of this exploit would be gett
      • Yep. Standard site security staff (gorillas in a uniform, carrying a gun in some countries/ organisations) would get as far as "You beeped on going through the metal detector. Go to the side room and strip." Then they examine whatever devices you were carrying which didn't appear on "the list" next to your name. The report goes up to their supervisors ("Sorry, guv, it's not worth my job. Got to go by the book. Bend over.") who speak to your supervisors to find out why you were trying to take not-permitted e
        • The point of this article is that, by using the RAM chips to generate the signal, there is one less piece of equipment involved. You don't need to bring any equipment into the facility to get data out. You still have other (nearly insurmountable) hurdles. But this could slightly alter counter-measures or it could be decided that existing counter-measures are sufficient. The golden days of "blowing a hole" in security through simple means are over. Progress both offense and defense is now slow and delib
  • by enriquevagu ( 1026480 ) on Tuesday December 15, 2020 @05:09PM (#60835048)

    Repeat with me:
    Wireless is not WiFi
    Wireless is not WiFi
    Wireless is not WiFi
    Wireless is not WiFi
    Wireless is not WiFi
    Wireless is not WiFi ...

    • But, but, but.... WiFi is the Internet! /s

      • No, the WWW is the Internet!

        Says it right here under my wife's new phone's browser icon: Samsung Internet.

        Oh and screens are computers.
        Not just since the iMac.

        • If you can generate digital radio signals, you can generate WiFi signals that comply with the protocol. Not easy, but certainly doable.

          • by enriquevagu ( 1026480 ) on Tuesday December 15, 2020 @05:55PM (#60835282)

            The WiFi protocol requires many many things including a CSMA/CA medium access control, which is impossible to implement with a transmit-only mechanism (thus no carrier-sense) and specific modulation and coding schemes (MCS), all of them resulting into transmisiÃn speeds well above the 100's bps reported in the paper.

            Please, repeat with me:
            Wireless is not WiFi
            Wireless is not WiFi
            Wireless is not WiFi ...

            • The WiFi protocol requires many many things ...

              Many many things you don't grasp and which you only believe that it does.

              The signal that was produced was received on a WiFi receiver and it conformed to parts of the WiFi protocol. It was all that was needed to prove the concept of leaking data over WiFi. It doesn't need to implement the entire protocol or an access point. It can be as simple as the broadcast signal of a WiFi network's name (SID) or even less.

              Perhaps repeat the following:
              WiFi is not WiFi
              WiFi is not WiFi
              WiFi is not WiFi ...

              • by subreality ( 157447 ) on Tuesday December 15, 2020 @07:45PM (#60835634)

                The signal that was produced was received on a WiFi receiver and it conformed to parts of the WiFi protocol.

                It's using low-level WiFi hardware as a spectrum analyzer. The signal does not conform to any WiFi protocol, and no WiFi card will recognize it as data. It's just keying a carrier at very low frequency, far slower and more primitive than any WiFi modulation scheme.

                Many many things you don't grasp and which you only believe that it does.

                Indeed.

                • The signal that was produced was received on a WiFi receiver and it conformed to parts of the WiFi protocol.

                  Who said it's implementing the entire protocol?

                  You keep using the word WiFi as if you knew more about it than others, but say which WiFi protocol are you talking about? Let me guess, you're just using the term WiFi in general, the same way they do in the article. Only difference here is you're too dumb to grasp it.

                  Go ahead, and repeat it:
                  WiFi is not WiFi.
                  WiFi is not WiFi.
                  WiFi is not WiFi. ...

                  • by subreality ( 157447 ) on Wednesday December 16, 2020 @05:18AM (#60836622)

                    Who said it's implementing the entire protocol?

                    Nobody. You're the one who thinks it implements some part of a WiFi protocol:

                    it conformed to parts of the WiFi protocol. [...] It can be as simple as the broadcast signal of a WiFi network's name (SID) or even less.

                    It implements ZERO parts of ANY WiFi protocol.

                    It cannot broadcast an SSID.

                    Let me guess, you're just using the term WiFi in general, the same way they do in the article. Only difference here is you're too dumb to grasp it.

                    I read the paper. I'm guessing you haven't.

                    • No, I didn't say it implemented the protocol either and you even quoted me. I've said or even less.

                      The point is quite intentionally that it doesn't have to. The use of the word WiFi or just calling it a WiFi signal doesn't require for it to conform to any of the existing standards. It is merely the fact that it is a signal within the WiFi frequency band that allows them to describe it as such.

                    • The use of the word WiFi or just calling it a WiFi signal doesn't require for it to conform to any of the existing standards. It is merely the fact that it is a signal within the WiFi frequency band that allows them to describe it as such.

                      By your made-up definition, anything operating in the 2.4G ISM band is WiFi, including microwave ovens and baby monitors.

                      If you want to have a conversation, we have to agree that words have meanings. WiFi actually means something. It's a family of protocols specified by the WiFi Alliance.

                    • By your made-up definition, ...

                      It isn't my definition it is their and nobody has got a problem with grasping it.

                      Why is this so hard to comprehend for you?

                      They did say that they've turned RAM modules into WiFi cards, or, according to you into wireless cards. Well, did they really or are these actually still memory cards? Why did this not upset you, but only their use of the word WiFi? So if you want to have a conversation, let's start there.

    • Re: (Score:1, Informative)

      by Joe2020 ( 6760092 )

      No, thanks. I've chosen to follow the link and it turns out in this case the term wireless does indeed refer to Wi-Fi and whatever you thought they had said isn't the case. They've produced not only electromagnetic signals, not just any wireless signals, they did in fact produce a WiFi signal and caught it with a conventional WiFi USB dongle on another computer. So yes, they are perfectly in their right to call it a wireless emitter or a WiFi emitter.

      • by anarcobra ( 1551067 ) on Tuesday December 15, 2020 @08:35PM (#60835782)
        Maybe actually read the paper and you will find out he is quite correct:

        > As shown in Section V, the electromagnetic emissions generated by the data bus are around the 2.4 GHz frequency range and overlap the Wi-Fi channels. In Wi-Fi transceiver chips, the baseband processor handles the radio, PHY and MAC layers.The Internet, transport, and application layers are processed by the software protocol stack, usually in the kernel drivers. In order to measure the interference generated, the attacker has to access the low-level radio measurement information from the PHY layer. This can be done by compromising the firmware of the Wi-Fi chips and passing the required radio measurements to the software stack

        So no WiFi signals were generated. They are using the PHY to measure interference in the WiFi spectrum, and this interference is then decoded. Using your definition a microwave emits WiFi signals.
        • So no WiFi signals were generated.

          ... the electromagnetic emissions generated by the data bus are around the 2.4 GHz frequency range and overlap the Wi-Fi channels ...

          So they did generate WiFi signals. Nobody said they were implementing a specific IEEE standard nor did anybody say which version of it they're implementing. Just because you don't get this doesn't make others wrong. Only you insisting they were makes you retarded. You yourself use the word WiFi loosely.

          WiFi is not WiFi ...
          WiFi signal is not WiFi signal ...
          WiFi protocol is not WiFi protocol ...

          • by enriquevagu ( 1026480 ) on Wednesday December 16, 2020 @04:37AM (#60836560)

            Joe2020, you are wrong.

            A device receives the WiFi certification from the WiFi Alliance [wikipedia.org] if it passes multiple tests, including conformance to critical aspects of the 802.11 standard. 802.11 IS a specific IEEE standard, and the WiFi logo is applied ONLY to 802.11 devices that have passed a compatibility certification process.

            You are confusing a specific protocol with the frequency bands it is using. For your information, Bluetooth, WiFi (i.e. 802.11), some cordless phones and baby monitors, and even microwaves employ the 2.45 GHz frequency band (note that microwaves transmit power, not signals, but they leak and generate interference). So, while they are different protocols (only 802.11 is WiFi), they interfere to each other, since they employ the same band. You have even claimed that they are using the term WiFi "in general", which is clearly incorrect: the general term is wireless, whereas WiFi is one specific wireless protocol. So, yes, wireless is not WiFi (please, repeat with me), but WiFi is wireless.

            I have explained in other comment that WiFI (i.e. 802.11) requires CSMA/CA [wikipedia.org] medium access control; this is impossible to implement with the transmit-only mechanism they are building leveraging the memory bus. Additionally, WiFi (i.e. 802.11) does not allow any transmission speed, it specifies certain Modulation and Coding Schemes that result in very specific transmission speeds, way higher than the 100 bps reported in the paper [arxiv.org]. You can find the specific MCS values for 802.11ac here [wikipedia.org], for example; they are all in the Mbps range. Finally, other people have explained to you that, while they are employing WiFi hardware to receive the signal, it is not a WiFi signal and according to the paper [arxiv.org] they are using WiFi devices to detect low-level radio measurement information from the PHY layer. You could employ the same hack to try to detect other signals in the same frequency band. There are a ton other details (such as frame format, modulation, error detection mechanism, control frames, acknowledgements, etc.) that make their mechanism NOT WiFi. They misuse the term in the paper, and you are wrong defending it with incorrect arguments.

            Not only you are wrong, but you are insulting other people who are correctly explaining why it is not WiFi. You have labelled me or other people as dumb, retard, nerds and full retard.

            Joe2020, you behave like an asshole.

  • Shielding (Score:3, Informative)

    by Anonymous Coward on Tuesday December 15, 2020 @05:23PM (#60835112)

    I am a HAM and I have sensitive RF instruments in close proximity to PCs I build. When I build machines I struggle to find all-metal, RF tight cases. The low power of transmitting RAM devices will not get through a decent steel case with proper RF fingers. Sadly you can write off 99% of all cases you might otherwise use; the low end is lots of plastic, the high end is lots of glass and RF fingers or metal filter screens are almost nonexistent.

    Good, prebuild systems from major manufactures do still make some effort to manage RF, but the homebrew case manufactures are utterly oblivious.

    • As a radio noob: What are RF fingers?
      I only know fish fingers. The ones you can get at the harbor from one of the ladies..

      Also, would a layer aluminimum ('lumnum in AE) foil foil it or foil foiling foiling it?

      • rf fingers are contacts that create electrical continuity with the goal of making a sealed farrady cage.

        back when you'd find real workstations (sun, sgi, etc) the top slide-off metal sheet would have fingers that would press against adjacent metal walls.

        doing it right and passing fcc was a bit of effort. they don't even bother for home systems anymore.

  • Or is that just the picture we are getting here?

    (The other half is obviously hummus... or Hamas, depending on your pronounciation. [Tasty! Try it with pork!] ;)

  • Where i work, we don't have access to install or even copy software onto the machines. So you need to find a corrupt technician. Then you need to find a corrupt employee with access to bring an authorized device/receiver into these highly restricted areas. Neither is impossible, but a lot of holes in the Swiss cheese have to line up to make all these novel attacks work.
    • Where i work, we don't have access to install or even copy software onto the machines. So you need to find a corrupt technician. Then you need to find a corrupt employee with access to bring an authorized device/receiver into these highly restricted areas. Neither is impossible, but a lot of holes in the Swiss cheese have to line up to make all these novel attacks work.

      This is the issue that sometimes happens with these security flaw "exposes" Yes, possible, but it's a hella lot easier to find that corrupt employee than go through all of that as in step one or two.

      No doubt at some point, the esearchers will figure out how to reconstruct data via brainwaves, and suggest anyone with access to a computer has to wear a faraday cage around their heads.

    • You could replace "corrupt" with a) disgruntled or b) horny

  • Ingenious (Score:5, Interesting)

    by xlsior ( 524145 ) on Tuesday December 15, 2020 @05:34PM (#60835168)
    ...But not the first method to escape from air gapped systems -- for example, there's this article from 2013 about using high-frequency audio, inautible to humans but detectable by any microphone in close proximity:

    https://arstechnica.com/inform... [arstechnica.com]
  • What they actually did was use ram to create intentional EMI in the 2.4Ghz spectrum. It happens to be shared with WiFi but in no way does it share anything with the Wifi standard. The article title is grossly wrong and highly misrepresentative but I guess thats the kind of trash that passes for tech journalism nowadays.

  • ref (Score:5, Interesting)

    by fulldecent ( 598482 ) on Tuesday December 15, 2020 @06:09PM (#60835362) Homepage

    Related project previously posted on Slashdot:

    https://github.com/fulldecent/... [github.com]

    This allows to transmit radio from your computer by opening a web page or running a program.

    I haven't tested it yet with the M1 Macs and they may have a different physical characteristic so it might not work there.

    • This has two implementations, the first being specific to sse on x86 based processors, the other being high precession pointer increments. The x86 version specifically uses a call that prevents caching while the pointer increment is just writing to the stack and hoping for the best. It's that later one that could only work on the new M1.

  • To use this exploit, you need to be near the computer in question. If you are able to get physical access, why bother with this technique?

    Solution waiting for a problem.

    • When you have physical access, the attack surface is every component and subsystem in the machine. With an attack surface that large, plugging a vulnerability is a losing proposition. Have better physical security and none of these nifty tricks work.
    • "If you are able to get physical access, why bother with this technique?"

      a) The physical access may separated in time from the data you wish to exfiltrate.
      b) While I supposed somebody has an entire supply chain starting from silicon ingots, in the overwhelming majority of cases every computer was once in the phyical possession of someone else, e.g. before purchase.

      • a) That doesn't change anything. There are better, proven methods to overcome this problem, all of which are better than the offered method
        b) Is this is support, or contrary to my point? I can't tell.

        My point stands. This is an interesting application of a new exploit, that has no practical purpose and is also harder to implement than other methods.

  • Just stop using non RF shielded cases, especially in situations where air-gaping is required. There's a reason cases used to be made out of metal, had covers for all expansion slots and RF shielding over the MB connector panel.
    • by DigitAl56K ( 805623 ) on Tuesday December 15, 2020 @07:22PM (#60835576)

      Even easier, just install ROM instead.

    • We had lots of plastic computers back when, but they did have the RF shielding. But [practically] nobody was doing it for security reasons. They just didn't want to cause or experience interference.

      • by bjwest ( 14070 )

        We had lots of plastic computers back when, but they did have the RF shielding. But [practically] nobody was doing it for security reasons. They just didn't want to cause or experience interference.

        That was the purpose back then. RF interference was a big deal, and could wreck havoc on nearby systems. I really don't know when it started being a non-issue, but still I make sure my systems are shielded if for no other reason than this type of shit right here.

  • This trend started when Bobby Brady's braces started receiving radio signals.

    Actually, I thought the plot was silly until we moved into a house roughly a mile from an AM radio station. Almost anything with wires acted like a radio if you listened close enough. It gummed up reception on real radios and phones, though.

  • We've been able to do this for some time using different emission techniques though this is still interesting. Both FM an AM frequency bands can also be used as well as EMF.

    Remember, it is sometimes useful to simply egress the data in a compromised system.

  • slot machine seem like an good place to plant this.

    Just need to know when the random seed will give an big payoff so Know when to push the button and small range is not an issue.

  • Drop the politics dudes, this is really a neat piece of programming. Go back to getting audio by bouncing a laser off a window, reading a CRT by reading the amplitude of itd scan, this is cool. Easy to shield so this info means it's now easy to defeat.
    • When you have physical access, anything is possible. This is just resorting to first principles. It's not rocket science unless you skipped the electromagnetism classes in Physics.
      • Nice troll.
        FLAME>
        Is that your name on the POC?? Any POC? Gosh no. Of course I'm just resorting to first principles... Sorry about your failures in applied "anything".
        Oh, I missed the A+ in "Applied Trolling". My apologies sir.
        \FLAME
      • These hacks seem reasonably practical to do from afar, if you're deep enough into someone's systems, and they don't air gap.

        • Sigh, I mean, if they don't fully air gap. Failed to preview again.

          I still don't think we need editing.

          The premise is false anyway, though. You can have physical access, but it can be limited, and you can therefore not be able to do "anything".

  • Seriously, the idea of TEMPEST shielding is decades old. It is quite well known that you can use a lot of things in a PC to beam out RF or light. You can even modulate power consumption.

    • Mod up. Graphics cards contain lots of memory, lots of cpus, a better solution. Also the drivers have secret DMA access that is poorly secured, as well as secret GPU diagnostic instructions. In a VM environment, you can run hard loops to morse code a message to another VM. Intels Management engine has its own cpu, own memory, own bus - what could possibly go wrong. Many printers have wifi cards and insecure drivers. So nice to co-op a printer or photocopier to push data out. I think a Diablo daisywheel pri
  • Apple polishing (Score:5, Informative)

    by Orrin Bloquy ( 898571 ) on Wednesday December 16, 2020 @02:43AM (#60836406) Journal

    Giant Nerd Repeats Same Experiment Endlessly for Academic Points

    I had a chem prof in college who used to publish entire spreadsheets of tabular data about benzoic acid to scientific journals until they finally told him "We know you're seventy, already tenured and we don't care about this any more, we aren't satisfying your ego on meaningless research." Mordo here is functionally stating "Consumer electronics give off readable RF energy" over and over as though tomorrow he'll be invited for his Nobel Prize and lifetime Mossad award, and everything will switch overnight to fiber optics.

    This was cutting edge info a decade ago. Now he's just fluffing himself because seriously most national security agencies must have extrapolated the implications on their own long since.

  • They probably only made it work with a specific very simple model of ram and it is probably non-replicable with other model or at least would take a lot of effort for each specific model? I doubt for example they can make this work if itâ(TM)s the only ram module in the system, as the system would be using it.
  • Umm, sans me go search .. some IDS can look at code doing odd stuff, then take action?
    I recall some such something or other ..
  • by drolli ( 522659 ) on Wednesday December 16, 2020 @07:06AM (#60836796) Journal

    If you read the original paper:

    * This kind of attack (using peripherals/system components as antennas) is not new
    * What is funny is that they use a the receiver unit of a wifi card to receive it (this, in itself is also not so new)
    * What should be clearly stated is that they do not convert it into a "Wi-Fi" Card. They turn it into a "Transmitter in the ISM Band with bandwidths compatible with wifi cards input filters"
    * As such, it is not sufficient to have access to a nearby device with a wifi card, but actually it needs to be a device where you manipulate the DSP frontend of the receiver card in a low-level way.

    So the while the attack is cool in the hacking sense it's practical worth not much, as their figures show:

    * Virtualize, and it's getting less effective
    * Have RAM with another timing: does not work
    * Run anything else on the other CPU cores: strongly reduces effectiveness
    * Maximum distance: 800cm, more likely 100cm
    * (Probably: live in a polluted 2.4GHz region, e.g. city: probably does not work)
    * Every Receiver HW must be individually manupilated
    * Receiver Fronted most likely looks like it's failing to the normal user.
    * Unclear: Material impact of case (since no power unit is indicated)
    * Unclear: Impact of not being in Line of Sight.

  • One day some engineers are going to load up a super intelligent AI on an air-gapped machine and it'll use the same concept to connect to the outside world.

  • If the air-gapped system is TEMPEST compliant, it would not matter if the RAM card is transmitting anything.

    TEMPEST [wikipedia.org]

"Pok pok pok, P'kok!" -- Superchicken

Working...