Stealing data from airgapped computers by using power fluctuations as a covert channel


#1

Originally published at: https://boingboing.net/2018/04/13/bridgeware-vs-airgaps.html


#2

Obv now that we know it’s feasible, someone else will exploit it… :black_flag:


#3

I have not read the entire paper yet.

But what I’ve read so far seems to presume the computer is plugged directly into the mains.

Am I missing something?

Does anyone still do that?


#4

I think you’d have to have some pretty gigantic capacitors involved if you were going to smooth out the power draw fluctuations to the point that they couldn’t be decoded. It would be interesting to know how different types of UPSes would interfere with the waveforms!


#5

My thoughts exactly :slight_smile:


#6

The main reason for air gapped security is to stop people getting dodgy software onto them in the first place.

So if someone can tell me how to get dodgy software onto an air gapped PC then I'll be impressed.


#7

It’s not enough just to modulate the power to send data, you need a full network stack built around this which needs to be bidirectional, because it’s impractical to just back up the whole computer that way. This would take you approximately 2.2 hours per megabyte. Months for a typical modern computer–even just my minimalist home directory is 2GB, or 4400 hours (6 months!).

I believe you can compromise the computer.

I believe you can send data off the computer with power modulation.

I have a lot harder time believing 1kbps is enough to get anything useful. You’d have to find it first. In order to find it, you need a way to inspect a process that’s running in the compromised space, for example a bash shell so you can explore and poke interesting-looking files. Once you find the exact data you want, sure, give yourself a few days and offload that data.

But before you can even get there you have to be able to run that shell, which implies a bidirectional network stack.
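Added here as a worked check on two points raised above, post #4's suggestion that capacitors or a UPS would smooth the power draw until it can no longer be decoded, and post #7's exfiltration-time arithmetic. This is editor-added example code, not from the thread, the paper, or any product: the power levels, the on-off-keyed load model, the first-order RC low-pass used to stand in for "big capacitors", and the sample rate are all constructed assumptions.

```python
"""Toy model: how much does an energy-storage (RC low-pass) stage attenuate a
load-modulated power signal, and how long does exfiltration take at a given
bitrate?  Constructed example; numbers are assumptions, not measurements."""
import math


def alternating_bits(n):
    """Worst case for a low-pass filter: the fastest possible 0/1 alternation."""
    return [i % 2 for i in range(n)]


def ook_load_signal(bits, symbol_rate_hz, sample_rate_hz, idle_w=40.0, busy_w=90.0):
    """Constructed power-draw waveform: each bit holds the machine at an
    'idle' or 'busy' power level for one symbol period (simple on-off keying).
    idle_w / busy_w are assumed values, not figures from the paper."""
    samples_per_symbol = int(sample_rate_hz / symbol_rate_hz)
    out = []
    for b in bits:
        out.extend([busy_w if b else idle_w] * samples_per_symbol)
    return out


def low_pass(signal, cutoff_hz, sample_rate_hz):
    """First-order RC low-pass as a discrete IIR filter; stands in for the
    smoothing that capacitors / a UPS stage put between load and mains."""
    dt = 1.0 / sample_rate_hz
    rc = 1.0 / (2 * math.pi * cutoff_hz)
    alpha = dt / (rc + dt)
    y = signal[0]
    out = []
    for x in signal:
        y += alpha * (x - y)
        out.append(y)
    return out


def modulation_depth(signal, skip=0):
    """Peak-to-peak swing after discarding the filter's start-up transient."""
    s = signal[skip:]
    return max(s) - min(s)


def attenuation_db(symbol_rate_hz, cutoff_hz, n_bits, sample_rate_hz=10_000):
    """How much the modulation depth shrinks (in dB, negative = attenuated)
    for alternating bits at symbol_rate_hz through a low-pass at cutoff_hz."""
    raw = ook_load_signal(alternating_bits(n_bits), symbol_rate_hz, sample_rate_hz)
    filtered = low_pass(raw, cutoff_hz, sample_rate_hz)
    skip = len(raw) // 2          # second half only: steady state
    return 20 * math.log10(modulation_depth(filtered, skip) / modulation_depth(raw, skip))


def exfil_hours(payload_bytes, bits_per_second):
    """Post #7's arithmetic: wall-clock hours to push payload_bytes over a
    one-way channel of the given bitrate (no framing or error-correction overhead)."""
    return payload_bytes * 8 / bits_per_second / 3600


if __name__ == "__main__":
    print(f"1 MB at 1 kbps: {exfil_hours(1_000_000, 1000):.2f} h")
    print(f"2 GB at 1 kbps: {exfil_hours(2_000_000_000, 1000):.0f} h")
    for rate in (1000, 10):
        print(f"{rate:5d} baud through a 1 Hz low-pass: "
              f"{attenuation_db(rate, 1.0, 4000 if rate == 1000 else 40):.1f} dB")
```

The defender-relevant caveat the model makes visible: a 1 Hz smoothing stage knocks roughly 50 dB off a 1 kbaud signal but only around 10 dB off a 10 baud one, so energy storage forces the channel to slow down rather than closing it, which is consistent with post #16's point that even 10 bits/s is worth treating as a threat on a system sensitive enough to air-gap.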


#8

@Papasan is probably doing it right now. /s


#9

It’s pretty trivial, unfortunately. You just catapult USB sticks with malware on them over the parking lot fence in the night. If you label them “funny cats” in blue sharpie people will find a way to plug them into something no matter how hard you try to stop them.


#10

Epoxy. The only way to be sure.


#11

No kidding, but this raises a broader question. How does an airgapped system receive data? How does it output… whatever it outputs? It could just sit there playing the Game of Life endlessly, but that’s not terribly useful.


#12

has been doing it for years…


#13

Well, that’s not too far from what Infotrol systems do, running nuclear reactors for example. Just a 5 second infinite loop.


#14

But wouldn’t it be easy to build a system to stop this? Have one battery powering your computer and another battery charging?

Off the top of my head, 1kbps is way more than enough to get every keystroke typed into a computer. I’m not saying you can back up an entire hard drive, but you can certainly get something useful.


#15

Sure, I could do that with stuff I have in my basement. :slight_smile: @davide405 and I were just wondering what existing UPSes would do. My music server, which draws only a tiny amount of juice in normal operation, is on a 3000VA UPS (I have four of them, salvaged from corporate dumpsters) which has pretty big capacitors in it.

Human typed data is nearly always exponentially more valuable than stored data. For one thing, it typically contains what you need to get access to the storage.


#16

Fair enough. Not so much a question of whether the attack can be foiled when you know it might happen.

Well normally a key logger is great at grabbing passwords, but those aren’t really of much use if you are trying to get data from an airgapped system.

Still, I wanted to point out that 1kbps is lots of information even if it seems really small by today’s standards (we used to log into BBSs on a 1200 baud modem from a Commodore 64 and we liked it (we loved it)). If systems are sensitive enough to be airgapped then even the 10 bits/s speed is something to consider a threat.


#17

That’s pretty damn sneaky, regardless of how practical it is.


#18

Way back when, I had to test digital phones that were destined for US Congress to make sure you couldn’t extract audio from power fluctuations (the microphones were always powered, even when on-hook, just not connected to the output, IIRC). Test consisted of blasting dangerous levels of audio at the phone and looking at the power with a spectrum analyser. Test was mandated by the FBI. The sets passed, but I think they added a mercury switch that shorted out the microphone when the phone was on-hook.


#19

If you had a 1kb connection, bidirectional, and had a camera that could see the monitor… That would be enough to send keystrokes both ways…


#20

So, they could determine what you’re listening to from monitoring levels on whatever line your amp is on and using some sort of listening tool combined with Kazaa (I meant Shazam)?