Problems? See this thread at archive.org.
Hackers Can Now Steal Data Even From Faraday Cage Air-Gapped Computers
Thursday, February 08, 2018 Swati Khandelwal
![[IMG]](images/storyImages/airgap-computer-hacking.png)
A team of security researchers—which majorly focuses on finding clever ways to get into air-gapped computers by exploiting little-noticed emissions of a computer's components like light, sound and heat—have published another research showcasing that they can steal data not only from an air gap computer but also from a computer inside a Faraday cage.
Air-gapped computers are those that are isolated from the Internet and local networks and so, are believed to be the most secure devices that are difficult to infiltrate.
Whereas, Faraday cages are metallic enclosures that even blocks all electromagnetic signals, such as Wi-Fi, Bluetooth, cellular and other wireless communications, making any device kept inside the cage, even more, isolate from outside networks.
However, Cybersecurity Research Center at Israel's Ben Gurion University, directed by 38-year-old Mordechai Guri, has developed two techniques that helped them exfiltrate data from computers placed inside a Faraday cage.
Dubbed MAGNETO [ pdf] and ODINI [ pdf], both the techniques make use of proof-of-concept (PoC) malware installed on an air-gapped computer inside the Faraday cage to control the "magnetic fields emanating from the computer by regulating workloads on the CPU cores" and use it to transmit data stealthily.
"Everyone was talking about breaking the air gap to get in, but no one was talking about getting the information out," Guri says. "That opened the gate to all this research, to break the paradigm that there's a hermetic seal around air-gapped networks."According to the researcher, once a computer (no matter if it is air-gapped or inside a Faraday cage) has been infected, hackers can exfiltrate stolen data without needing to wait for another traditional connection to the infected machine.
How MAGNETO & ODINI Attacks Work:
Once a motivated attacker somehow succeeded in planting malware on an air-gapped computer, the malware then collects small pieces of information, like keylogging data, encryption keys, credential tokens, and passwords.
Also Read: CIA developed Malware for Hacking Air-Gapped Networks.
The PoC malware developed by the team then electrically generates a pattern of magnetic field frequencies by regulating CPU's workload, which can be achieved by overloading the CPU with calculations that increase power consumption and generate a stronger magnetic field.
These electromagnetic (acoustic, optical and thermal) emissions from the infected computer are powerful enough to carry a small stream of stolen data to a nearby device, a receiver planted by the hacker.
The process involves translating data first into binary, i.e. 0 and 1, and the transmitting it into morse-code-like patterns in accordance with electromagnetic emission.
"The transmitting program leaves only a small footprint in the memory, making its presence easier to hide from AVs. At the OS level, the transmitting program requires no special or elevated privileges (e.g., root or admin), and hence can be initiated from an ordinary userspace process," the paper reads."The transmitting code mainly consists of basic CPU operations such as busy loops, which do not expose malicious behaviors, making it highly evasive from automated analysis tools."Also Read: Stealing Data from Air-Gapped Computers Using CCTV Cameras
While both MAGNETO and ODINI attacks are designed to exfiltrate data from a secured computer using electromagnetic emissions, the only difference between the two is:
- MAGNETO is a short-distance attack where an Android app installed on the attacker's smartphone can receive stolen data with the help of phone's magnetometer— a magnetic sensor that can transmit data even if the smartphone is placed inside a Faraday bag or is set to airplane mode.
- ODINI attack enables attackers to capture electromagnetic signals from a slightly longer range using a dedicated magnetic sensor.
In case of MAGNETO, the team managed to achieve only up to 5 bits/sec over a distance of up to 12.5 cm (5 inches), while ODINI is quite more efficient with a maximum transfer rate of 40 bits/sec over a range of 100 to 150 cm (3-5 feet).
![[IMG]](images/storyImages/airgap-computer-hack.png)
Both ODINI and MAGNETO also work if the targeted air-gapped device is inside a Faraday cage, which is designed to block electromagnetic fields, including Bluetooth, Wi-Fi, cellular, and other wireless communications.
Researchers suggest three different approaches that can be used to prevent attackers from establishing a covert magnetic channel, i.e., shielding, jamming, and zoning.
Video Demonstration of MAGNETO And ODINI Attacks
The team published proof-of-concept video demonstrations for both MAGNETO and ODINI attacks, which shows both the attacks in action.
It's not the first time Ben-Gurion researchers came up with a covert technique to target air-gapped computers. Their previous research of hacking air-gap computers include:
- aIR-Jumper attack that steals sensitive information from air-gapped computers with the help of infrared-equipped CCTV cameras that are used for night vision.
- USBee attack that can be used steal data from air-gapped computers using radio frequency transmissions from USB connectors.
- DiskFiltration attack that can steal data using sound signals emitted from the hard disk drive (HDD) of the targeted air-gapped computer;
- BitWhisper that relies on heat exchange between two computer systems to stealthily siphon passwords or security keys;
- AirHopper that turns a computer's video card into an FM transmitter to capture keystrokes;
- Fansmitter technique that uses noise emitted by a computer fan to transmit data; and
- GSMem attack that relies on cellular frequencies.
-
How to Steal Bitcoin Wallet Keys (Cold Storage) from Air-Gapped PCs
Monday, April 23, 2018 Wang Wei
![[IMG]](images/storyImages/steal-bitcoin-keys.png)
Dr. Mordechai Guri, the head of R&D team at Israel's Ben Gurion University, who previously demonstrated various methods to steal data from an air-gapped computer, has now published new research named "BeatCoin."
BeatCoin is not a new hacking technique; instead, it's an experiment wherein the researcher demonstrates how all previously discovered out-of-band communication methods can be used to steal private keys for a cryptocurrency wallet installed on cold storage, preferably an air-gapped computer or Raspberry Pi.
For those unaware, keeping your cryptocurrency protected in a wallet on a device which is entirely offline is called cold storage. Since online digital wallets carry different security risks, some people prefer keeping their private keys offline.
Air-gapped computers are those that are isolated from the Internet, local networks, Bluetooth and therefore, are believed to be the most secure devices and are difficult to infiltrate or exfiltrate.
If you are new to this topic, we recommend reading our previous articles, detailing how highly-motivated attackers can use specially designed malware to exfiltrate data from an air-gapped computer via light, sound, heat, electromagnetic, magnetic, infrared, and ultrasonic waves.
![[IMG]](images/storyImages/air-gapped-computer-hacking.png)
For BeatCoin experiment, Dr. Guri deployed malware on an air-gapped computer that runs a Bitcoin wallet application and then performed each attack vector one-by-one to transmit the wallet keys to a nearby device over covert channels.
"In the adversarial attack model, the attacker infiltrates the offline wallet, infecting it with malicious code," the paper [ PDF] reads. "The malware can be pre-installed or pushed in during the initial installation of the wallet, or it can infect the system when removable media (e.g., USB flash drive) is inserted into the wallet’s computer in order to sign a transaction. These attack vectors have repeatedly been proven feasible in the last decade."Results shown in the above chart suggests AirHopper, MOSQUITO, and Ultrasonic techniques are the fastest way to transmit a 256-bit private key to a remote receiver, whereas, Diskfiltration and Fansmitter methods take minutes.
Guri has also shared two videos. The first one demonstrates exfiltration of private keys from an air-gapped computer, which hardly took a few seconds to transmit data to a nearby smartphone using ultrasonic waves.
In the second video, the researcher transmitted private keys stored on a Raspberry Pi device to the nearby smartphone using the RadIoT attack—a technique to exfiltrate data from air-gapped internet-of-things (IoT) and embedded devices via radio signals.
"The radio signals - generated from various buses and general-purpose input/output (GPIO) pins of the embedded devices - can be modulated with binary data. In this case, the transmissions can be received by an AM or FM receiver located nearby the device."In the last research published earlier this month, Guri’s team also demonstrated how hackers could use power fluctuations in the current flow "propagated through the power lines" to covertly exfiltrate highly sensitive data out of an air gapped-computer.Maleko48 likes this.
Hackers Can Now Steal Data Even From Faraday Cage Air-Gapped Computers
Discussion in 'Security and Anti-Virus Software' started by Dr. AMK, Feb 9, 2018.
![[IMG]](https://1.bp.blogspot.com/-bkF71Lg1-0c/WnxOWwHCtXI/AAAAAAAAvvo/_XUcDaXccMcdHjk64iReUZCW7yFH9bwnQCLcBGAs/s1600-e20/airgap-computer-hacking.png)
![[IMG]](https://1.bp.blogspot.com/-rq6whrffLog/WnxOWWV6XPI/AAAAAAAAvvk/n1vDsS9PjrMoLJ8cWO_H0r0_qo_3HMBNwCLcBGAs/s1600-e20/airgap-computer-hack.png)
![[IMG]](https://1.bp.blogspot.com/-d5VoBEnyx3U/Wt5ez6W6xdI/AAAAAAAAwZY/fprLzp3pxK8Nsgg0BhhPxdjB9fPOZM_GQCLcBGAs/s1600-e20/steal-bitcoin-keys.png)
![[IMG]](https://1.bp.blogspot.com/-tQkkvLaYBx0/Wt5bp1EMr1I/AAAAAAAAwZM/EPF5BbDudRM1wRCa19rsWwBMbRwQg5CnQCLcBGAs/s1600-e20/air-gapped-computer-hacking.png)
