
Korea University Discloses a Novel Covert Channel Attack

The School of Cyber Security at Korea University in Seoul has developed a novel covert channel attack called CASPER that can leak data from air-gapped computers to a nearby smartphone at a rate of 20 bits per second, using nothing more than the machine's internal speaker.

What is CASPER?

CASPER is the researchers' name for the covert channel itself, not for a piece of malware: code already running on the air-gapped machine encodes stolen data as near-ultrasonic tones and plays them through the computer's internal speaker (the small speaker or buzzer on the motherboard), and a smartphone within earshot records the tones with its microphone and decodes them. An unrelated 'Casper' espionage implant reported in 2015 shares the name only.

Data leak

As with nearly all covert channel attacks against network-isolated systems, the target first has to be infected with the malware, typically by a rogue employee or by an attacker with physical access.

Researchers have built acoustic attacks using external speakers before, but external speakers are unlikely to be attached to air-gapped, network-isolated systems in sensitive settings such as government networks, energy infrastructure and weapon control systems. The internal speaker on the motherboard, by contrast, is almost always present, and that is what CASPER relies on.

The malware can search the target's filesystem on its own, find files or data formats that match a hardcoded list, and attempt to exfiltrate them.

Keylogging is a more realistic option and better suited to such a slow transmission rate. The malware encodes the data to be stolen in binary or Morse code and transmits it through the internal speaker by switching between tones (frequency shift keying) in the 17 kHz to 20 kHz band, a near-ultrasonic range that most adults cannot hear.

The researchers tested the channel with a Samsung Galaxy Z Flip 3 as the receiver and an Ubuntu 20.04 Linux computer as the target. The receiver ran a simple recorder application capable of capturing frequencies up to 20 kHz; by the Nyquist criterion that requires a sampling rate of at least 40 kHz, which the standard 44.1 kHz or 48 kHz audio rates provide.

In the Morse code experiment, the researchers used 18 kHz for dots and 19 kHz for dashes with 100 ms per symbol, and a smartphone 50 cm away correctly decoded the transmitted word 'covert'. In the binary experiment, each bit lasted 50 ms and was sent at 18 kHz for a zero and 19 kHz for a one. Overall, the results show that the symbol length governs the bit error rate, and the highest reliable bit rate, 20 bits/s, is reached at 50 ms per bit.

At this rate the malware could transmit a standard 8-character password (64 bits) in about 3 seconds and a 2048-bit RSA key in roughly 100 seconds. Anything larger, such as a small 10 KB file, would take more than an hour to leave the air-gapped system even under ideal conditions with no interruptions.
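A toy model of the binary CASPER channel as described above, added here as an illustration rather than code from the Korea University researchers: the transmitter maps each bit to a 50 ms tone at 18 kHz or 19 kHz, and the receiver cuts the recording into 50 ms windows and compares the energy at the two tone frequencies with a Goertzel filter (the same per-window tone-energy comparison a receiver applies to any narrowband covert signal captured as audio). The 44.1 kHz sample rate, the additive noise level and the helper names are assumptions of the example; it is pure Python so it runs without audio libraries.

```python
"""Toy model of the CASPER audio channel: binary FSK at 18 kHz (0) and
19 kHz (1), 50 ms per bit, decoded with per-symbol Goertzel filters.
Added example, not the researchers' code; sample rate, noise level and
function names are assumptions."""
import math
import random

SAMPLE_RATE = 44_100             # Hz; must exceed 2 x 19 kHz, so a 20 kHz rate would not do
F_ZERO, F_ONE = 18_000, 19_000   # tone for a 0 bit and a 1 bit, as in the binary experiment
BIT_SECONDS = 0.050              # 50 ms per bit, i.e. 20 bit/s
SAMPLES_PER_BIT = int(SAMPLE_RATE * BIT_SECONDS)   # 2205 samples per symbol window


def to_bits(data):
    """Bytes to a list of bits, most significant bit first."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def from_bits(bits):
    """Inverse of to_bits; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return bytes(out)


def modulate(data):
    """Transmitter side: one constant-frequency tone per bit (frequency shift keying)."""
    samples = []
    for bit in to_bits(data):
        freq = F_ONE if bit else F_ZERO
        for n in range(SAMPLES_PER_BIT):
            samples.append(math.sin(2 * math.pi * freq * n / SAMPLE_RATE))
    return samples


def goertzel_power(block, freq):
    """Energy of `block` at one frequency; cheaper than an FFT when only two tones matter."""
    coeff = 2 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s_prev = s_prev2 = 0.0
    for x in block:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def demodulate(samples):
    """Receiver side: per 50 ms window, pick whichever tone carries more energy."""
    bits = []
    for start in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        block = samples[start:start + SAMPLES_PER_BIT]
        bits.append(1 if goertzel_power(block, F_ONE) > goertzel_power(block, F_ZERO) else 0)
    return bits


def add_noise(samples, amplitude, seed=1):
    """Constructed room noise: seeded Gaussian jitter on every sample."""
    rng = random.Random(seed)
    return [x + rng.gauss(0.0, amplitude) for x in samples]


def transmit_seconds(data):
    """Air time at 20 bit/s: 8 bytes take 3.2 s, a 256-byte (2048-bit) key 102.4 s."""
    return len(data) * 8 * BIT_SECONDS


def roundtrip(data, noise=0.5):
    """Modulate, add constructed noise, demodulate; returns the recovered bytes."""
    return from_bits(demodulate(add_noise(modulate(data), noise)))


if __name__ == "__main__":
    secret = b"covert"
    print("recovered:", roundtrip(secret), "in", transmit_seconds(secret), "s")
```

`roundtrip(b"covert")` returns the bytes unchanged under the assumed noise, and `transmit_seconds()` reproduces the arithmetic above. Shrinking `BIT_SECONDS` to chase a higher rate shortens each Goertzel window, so the tone energy per window falls faster than the noise energy and errors appear; that is the symbol-length versus error-rate trade-off the researchers measured.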

"Because sound can only transmit data at a certain speed, our technology cannot transmit data as quickly as other covert channel technologies using optical or electromagnetic methods." – Korea University.

The attack is limited by the internal speaker itself, which can only produce one tone at a time, so the usual way of raising the data rate, sending several streams at once in different frequency bands, is not available. The simplest defense, as the researchers note, is to disable the internal speaker on mission-critical computers. Another is a low-pass filter on the speaker output that attenuates everything above the audible range, which blocks the ultrasonic band the channel depends on.

This Novel Technique Can Siphon Offline PC Data Through Walls

A novel technique steals data from offline machines by using the electromagnetic waves their power supplies emit.

The researcher cautions that someone with a smartphone or laptop fitted with a suitable receiver could steal data from so-called "air-gapped" PCs, those disconnected from the public internet, at distances of over six feet (about two meters), even through walls.

The method was created by Mordechai Guri, a researcher at Ben-Gurion University of the Negev in Beersheba, Israel. Guri named it COVID-bit, apparently a reference to the two-meter social distancing rule, which matches the channel's range.

This new approach is concerning since air-gapped systems are typically used in organizations that handle highly sensitive data and tasks, such as those related to energy, government, and military weaponry. 

First, purpose-built malware has to be placed on the targeted system, which on an air-gapped machine means physical access, an insider, or another non-network vector such as a removable drive. The malware then regulates CPU load and core frequencies so that the power supply's switching noise carries a signal in the 0 to 48 kHz band.

According to Guri, the switching components in a power supply turn on and off at particular frequencies during AC/DC conversion and in doing so radiate a square-wave electromagnetic signal. A small antenna plugged into the 3.5 mm audio jack of a phone or laptop picks that signal up as an audio input, and a program on the device filters out the noise and decodes the raw data, all at a distance from the machine.

Guri tested the technique on desktops, a laptop and a Raspberry Pi 3. Laptops turned out to be the hardest targets: their power-saving features keep the electromagnetic signal too weak to use.

The desktops, on the other hand, reached 500 bits per second (bps) with an error rate between 0.01% and 0.8%, and 1000 bps with an error rate of up to 1.78%, still low enough for useful data harvesting.

At that rate a 10 KB file takes under 90 seconds to send, and an hour's worth of raw keylogging data can go out in as little as 20 seconds; keystrokes could also be streamed live as they are typed. With the Pi 3, the usable receiver distance was shorter because its small power supply does not radiate a strong enough signal.

Mitigation Tips 

To keep air-gapped computers secure, Guri suggests monitoring CPU loads and core frequencies for suspicious or unusual patterns. Because these values swing widely under normal use, such monitoring is prone to false positives, and it adds processing overhead of its own, costing some performance and energy.

An alternative is to lock the CPU cores to fixed frequencies, so that the electromagnetic radiation tied to specific core frequencies can no longer carry attacker-controlled data. The drawback, as noted above, is that frequency scaling is normal behaviour: a locked CPU is slower under load and wastes energy when idle.
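To make the monitoring suggestion concrete, here is an added example (not Guri's code or tooling) that runs a periodicity check over constructed CPU-load telemetry. Each trace is a list of load readings taken at a fixed interval, which the example assumes is short enough to resolve the modulation; the three traces (idle, a single compile burst, and a covert channel that toggles load with a fixed period), the function names and all thresholds are constructed assumptions. It shows both the detector and the false-positive problem the paragraph above warns about: a naive "high autocorrelation" score fires on the benign burst as well, while requiring a strong alternation (positive correlation one period away, negative half a period away) picks out only the toggling pattern.

```python
"""Periodicity check over constructed CPU-load samples (added example).
A COVID-bit style transmitter toggles load with a fixed period; a normal
workload is bursty but not periodic. Traces and thresholds are constructed
assumptions, not measurements from any real system."""
import random


def autocorr(series, lag):
    """Normalised autocorrelation of `series` at `lag`, mean removed."""
    n = len(series)
    mean = sum(series) / n
    centred = [x - mean for x in series]
    denom = sum(c * c for c in centred)
    if denom == 0.0:
        return 0.0
    return sum(centred[i] * centred[i + lag] for i in range(n - lag)) / denom


def naive_score(series, max_lag=100):
    """Highest autocorrelation at any lag >= 2. Any smooth trace (a long
    build, a video encode) scores high here, so it is a poor detector."""
    return max(autocorr(series, lag) for lag in range(2, max_lag + 1))


def alternation_period(series, max_lag=100, strength=0.5):
    """Period of a two-level toggling pattern, or None.
    Takes the even lag P with the strongest autocorrelation and requires
    r(P) > strength and r(P/2) < -strength: the load must be anti-correlated
    half a period away, which a single burst never is."""
    lags = range(4, max_lag + 1, 2)
    best = max(lags, key=lambda lag: autocorr(series, lag))
    if autocorr(series, best) > strength and autocorr(series, best // 2) < -strength:
        return best
    return None


def constructed_traces(n=1000, seed=7):
    """Three constructed load traces in [0, 1]: idle with jitter, one
    200-sample burst, and a covert toggle with a 20-sample period."""
    rng = random.Random(seed)

    def jitter():           # constructed sensor noise
        return rng.gauss(0.0, 0.05)

    idle = [0.05 + jitter() for _ in range(n)]
    burst = [(0.85 if 300 <= t < 500 else 0.05) + jitter() for t in range(n)]
    covert = [(0.9 if t % 20 < 10 else 0.1) + jitter() for t in range(n)]
    return {"idle": idle, "compile burst": burst, "covert": covert}


def report(traces):
    """Per trace: (naive score fires?, detected toggle period or None)."""
    return {name: (naive_score(s) > 0.5, alternation_period(s))
            for name, s in traces.items()}


if __name__ == "__main__":
    for name, (naive, period) in report(constructed_traces()).items():
        print(f"{name:14s} naive_fires={naive!s:5s} alternation_period={period}")
```

On the constructed traces the naive score fires for both the compile burst and the covert toggle, while `alternation_period()` returns 20 for the covert trace and None for the other two. The alternation test still misses any modulation faster than the sampling interval, and a legitimately periodic workload (a fixed-rate render loop, for instance) would trip it, so in practice the threshold and the sampling rate have to be tuned per fleet.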