Bridging Air-Gapped Networks
Primary author: Mordechai Guri
Presenter, co-author: Yisroel Mirsky
Supervisor: Prof. Yuval Elovici
What is an Air-Gapped Network?
The Typical Approach to Securing a Network
The Air-Gap Approach
Definition: an air-gap is a cyber security measure for securing a computer network by physically isolating it from other networks, such as the public Internet or another unsecured local area network.
(Figure: an air-gapped network on one side, the Internet on the other, separated by the air gap.)
Examples of networks or systems that may be air-gapped:
  Military defense systems
  Financial systems (stock exchange)
  Industrial control (SCADA)
  Critical infrastructure: power plants, refineries, traffic control, airports
  Command and control centers
  Computerized medical equipment
  etc.
Air-Gapped Networks: not a perfect solution
The Adversarial Attack Model
  1. Initial infection
  2. Perform action
Initial infection:
  Malicious or deceived insider
  Infected media
  Supply chain attack
Perform action:
  Steal sensitive data
  Manipulate control systems
  Delete records
  Deactivate a subsystem
  DDoS
  Self-destruct
What to do about the air-gap after the initial infection?
(Figure: air-gapped network and the Internet, with an outbound channel and an inbound channel crossing the air gap.)
Usage of the inbound/outbound channels
Inbound:
  Send commands; flexibility in controlling the attack (when to act)
  Update malware: new modules, fixes, change encryption key
Outbound:
  Exfiltration; receive recorded information
  Reports: acks on commands, progress of lateral movement
Methods of Bridging Air-Gapped Networks: thermal channels, radio channels, acoustic channels, optical channels
Thermal Channels
Introduction to HVACKer
  Modern PCs have embedded thermal sensors.
  These sensors can be used to detect temperature changes in the environment.
  By manipulating the room temperature around the isolated network, we can communicate with the PC.
Q: How do you remotely change the room temperature?
A: Hack the HVAC!
  Insecure networks may share the same physical space as an air-gapped network.
  One such network is the HVAC (heating, ventilation and air conditioning) system.
  Many HVAC systems provide an Internet portal for remote management, e.g. the Tridium Niagara AX platform.
  There are 36,287 Niagara web portals exposed; only 269 of them are protected with HTTPS.
The Attack Model
(Figure: inbound channel from the Internet, through the HVAC, into receiver(s) on the isolated network across the air gap.)
Communication Protocol L1/L2
Example High level Protocol
Experimental Results
  Small office scenario: 40 bits/hour
What about internal interference?
HVACKer - Countermeasures
  Disable or secure HVAC web portals
  Monitor environmental temperature
  Malware signatures
Introduction to BitWhisper
  Computers emit heat into their environment.
  Computers can detect changes in the environment's temperature.
  Let's make a bidirectional channel between neighboring computers!
But why?
  In some cases, air-gapped machines are placed in close proximity to connected ones (example: leased computing space).
  A thermal channel between two end-points gives the attacker the ability both to send commands and to receive information.
  Can be achieved from within a VM.
The Attack Model
(Figure: isolated network and Internet-connected machine side by side; inbound and outbound channels cross the air gap thermally.)
The Heat Transfer Process
The Possible Setups We Examined
The Thermal Line Encodings Tested
BitWhisper - Countermeasures
  Physically distance air-gapped computers from other networks
  Strong air conditioning
  Malware signatures (API calls)
  Environment sensing
Video Demo
Methods of Bridging Air-Gapped Networks: thermal channels, radio channels, acoustic channels, optical channels
Acoustic Channels
Overview: Covert Acoustic Mesh Networks
  Transmitter: speaker (ultrasonic)
  Receiver: microphone (laptop, smartphone)
Attack Model
(Figure: inbound and outbound channels across the air gap.)
Acoustic Mesh - Countermeasures
  Ultrasonic noise emitters
  Strict zoning policies
Acoustic Channels
Overview: Fansmitter: Acoustic Data Exfiltration from (Speakerless) Air-Gapped Computers
  Transmitter: PC cooling fan (power supply, CPU, chassis, ...)
  Receiver: microphone (laptop, smartphone)
Why is Fansmitter interesting? Speakerless machines can now be exploited as acoustic transmitters!
Attack Model
(Figure: outbound channel across the air gap.)
Modulation
  Capability: 15 bits per minute at a distance of 8 meters
  Carrier frequency is dependent on two factors: fan speed (rpm) and blade pass frequency (BPF)
  RPM-BPF relationship for a standard 7-blade fan
Programmatically Speaking
  BIOS-level rootkit
  Driver / OS API (more plausible), e.g. WMI (Windows Management Instrumentation)
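The slide gives the two factors behind the acoustic carrier, fan speed and blade pass frequency, but not how bits map onto them or what a defender could watch for. The block below is an added example, not the Fansmitter authors' code: it computes BPF from rpm and blade count, treats the channel as binary FSK between two assumed fan speeds (1000 and 1600 rpm, my choice), decodes observed tones back to bits, and runs a small detector over a constructed fan-telemetry log that flags rpm alternating between two levels while CPU load stays flat (the ordinary thermal controller follows load; a modulating fan does not). Actually setting a fan speed needs a vendor driver or WMI interface, which this example does not touch.

```python
"""Fan-speed acoustic channel: carrier math, assumed B-FSK mapping, and a
telemetry detector. Added example; not the Fansmitter authors' code."""


def blade_pass_hz(rpm, blades=7):
    """Blade pass frequency: rotations per second times blade count.
    This is the tone a microphone picks up from the fan."""
    return rpm / 60.0 * blades


def bits_to_rpm_schedule(bits, rpm0=1000, rpm1=1600, symbol_s=4.0):
    """Assumed binary FSK: hold the fan at rpm0 for a 0 bit and rpm1 for a
    1 bit, each for symbol_s seconds. Returns (rpm, seconds) per symbol."""
    return [(rpm1 if b else rpm0, symbol_s) for b in bits]


def tones_to_bits(observed_hz, rpm0=1000, rpm1=1600, blades=7):
    """Receiver side: classify each observed BPF tone by the nearer of the
    two expected carriers."""
    f0 = blade_pass_hz(rpm0, blades)
    f1 = blade_pass_hz(rpm1, blades)
    return [1 if abs(f - f1) < abs(f - f0) else 0 for f in observed_hz]


def suspicious_fan_toggling(rows, min_toggles=6, cpu_tolerance=5.0):
    """Defender side: rows are (seconds, rpm, cpu_percent) samples.
    Collapse repeated rpm readings into a level sequence; report True when
    the fan alternates between exactly two levels at least min_toggles times
    while CPU load moves less than cpu_tolerance percentage points."""
    rpms = [r for _, r, _ in rows]
    cpu = [c for _, _, c in rows]
    levels = [rpms[0]] + [r for prev, r in zip(rpms, rpms[1:]) if r != prev]
    if len(set(levels)) != 2 or len(levels) - 1 < min_toggles:
        return False
    return (max(cpu) - min(cpu)) <= cpu_tolerance


# Constructed telemetry, not real measurements:
# fan flips between 1000 and 1600 rpm every 4 s while CPU sits near 12 %.
MODULATED_LOG = [
    (t, 1600 if (t // 4) % 2 else 1000, 12.0 + (t % 3) * 0.5)
    for t in range(0, 40, 2)
]
# Benign: fan speed simply tracks a rising and falling CPU load.
BENIGN_LOG = [
    (t, 900 + 10 * load, float(load))
    for t, load in enumerate([10, 20, 35, 50, 70, 85, 90, 75, 50, 30])
]


if __name__ == "__main__":
    print("BPF at 1200 rpm, 7 blades:", blade_pass_hz(1200), "Hz")
    print("schedule for 1,0,1:", bits_to_rpm_schedule([1, 0, 1]))
    print("decoded:", tones_to_bits([118.0, 185.0, 116.5]))
    print("modulated log flagged:", suspicious_fan_toggling(MODULATED_LOG))
    print("benign log flagged:", suspicious_fan_toggling(BENIGN_LOG))
```

The detector is deliberately simple: it needs both a two-level rpm pattern and a flat load curve, so a fan ramping with a batch job is not flagged, while the 15 bits/minute channel on the slide would be.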
Fansmitter - Countermeasures
Acoustic Channels
Overview: Data Exfiltration from Speakerless Air-Gapped Computers via Covert Hard Drive Noise
  Transmitter: hard drive
  Receiver: microphone (laptop, smartphone, etc.)
Attack Model
(Figure: outbound channel across the air gap.)
How is it done? Acoustic sources: motor, actuator
Spectrograms: the write and seek operations generate the best signal
Modulation
  Rate: 180 bits/min
  Distance: 2 meters
Diskfiltrator - Countermeasures
Acoustic Channels
Methods of Bridging Air-Gapped Networks: thermal channels, radio channels, acoustic channels, optical channels
Optical Channels
Overview: indicator lights leak information!
  Transmitter: device LED
  Receiver: camera, sensor, ...
  Prior work: "Information Leakage from Optical Emanations", Joe Loughry and David A. Umphress
  What if these LEDs were used to actively exfiltrate data?
Attack Model
(Figure: outbound channel across the air gap.)
OpenCV for image tracking
Tempest - Countermeasures
  Zoning policies
  Malware signature (if via OS API)
  A piece of tape!
Optical Channels
Overview: bridging the air-gap with a scanner
  Office scanners can receive and transmit light; how can we exploit that?
Attack Model
(Figure: channel across the air gap via the scanner.)
Optical Channels
Overview: An Optical Covert-Channel to Leak Data through an Air-Gap
  Transmitter: LCD/LED screen
  Receiver: video recorder (phone, Google Glass)
Attack Scenarios
(Figure: alternative receiver devices, each an outbound channel across the air gap.)
Experimental Results
  40 volunteers found the invisibility threshold
  Video devices: simple DSLR, pro DSLR, GoPro, webcam, smartphone, Google Glass
VisiSploit - Countermeasures
  Zoning policies (who and what devices can go where)
  Malware signatures (detect that DLL!)
Methods of Bridging Air-Gapped Networks: thermal channels, radio channels, acoustic channels, optical channels
Radio Channels
AirHopper - Introduction
  Many workplaces have a BYOD policy.
  Smartphones can be used to receive radio signals.
  If we can get ordinary PCs to emit radio signals, then we have an outbound channel.
The Attack Model
(Figure: outbound channel across the air gap.)
The Big Question: how do antennas work?
  Antennas emit radio waves (electromagnetic radiation) when an oscillating current is driven through their terminals.
  Radio waves are characterized by their frequency (oscillation rate in Hz) and amplitude (strength in dBm).
  One way to emit EMR is to get the display adapter to send specific signals over the display cable.
The Modulation of Binary Data over Analog FM
Experimental Results
AirHopper - Countermeasures
  Strict zoning: no smartphones within 20 meters of an air-gapped computer with a screen.
  Insulation: shield the display cables better.
  Jamming: emit noise in the 87.5-108 MHz band.
  Signature: scan for related graphics manipulations.
GSMem - Introduction
  Feature phones (mobiles with no Wi-Fi or Bluetooth) are allowed into restricted zones.
  Feature phones can be used to receive other transmissions broadcast over cellular frequencies.
  The CPU-memory bus of an ordinary computer can be exploited to transmit signals over cellular frequencies.
How GSMem WorksTransmitterReceiver
Emitting a Signal
  Observation 1: a large CPU-RAM transfer builds up oscillating current on the bus. The transfer must bypass the cache.
  Observation 2: the bus transfers bits at the FSB speed, emitting energy around that frequency (e.g. 800 MHz).
Sending a Bit (modulation)
  We use a variant of B-ASK:
    Send(0): do nothing for T seconds
    Send(1): raise amplitude for T seconds
  We then place all the bits into frames.
Transmitter Properties
  Only a 4 KB memory footprint
  No root/admin required
  No APIs are used
  Affects Intel and AMD architectures
  Works on Windows/Linux
Receiving the Signal
  To read the raw signals (our modulation), one must modify the firmware of the baseband chip.
  This will not deter highly motivated and resourceful threats, as we've seen in the past.
  In our tests we used open source baseband software (OsmocomBB) and a compatible Motorola C123 GSM phone.
  We also used a Universal Software Radio Peripheral (USRP B210) for a higher quality analysis.
Receiving a Bit, and Some More
  A very simplistic approach:
    Listen on the best frequency
    Search for the 1010 preamble (each bit T seconds long)
    Threshold based (dynamically changed)
    Extract the 12-bit payload if the preamble is found
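The slides specify the GSMem framing precisely (B-ASK, a 1010 preamble, a 12-bit payload, a dynamically chosen threshold) but not how a receiver recovers bit timing or sets the threshold. The block below is an added example, not the GSMem authors' code, and it works on a constructed amplitude series rather than on a baseband capture: the transmitter side emits silence for 0 and a raised level for 1, and the receiver tries every bit-phase, averages each T-sample window into one symbol value, picks a threshold halfway between the observed low and high levels, keeps the phase whose symbols sit most clearly on one side or the other, and then extracts the 12 bits that follow the first 1010. T is expressed in samples; the noise model and signal levels are this example's own assumptions.

```python
"""B-ASK receiver with 1010 preamble search and dynamic threshold.
Added example; not the GSMem authors' code. Signals are constructed."""
import random

PREAMBLE = [1, 0, 1, 0]
PAYLOAD_BITS = 12
T = 8  # samples per bit, standing in for "T seconds"


def frame_bits(payload):
    """Frame = preamble followed by the 12-bit payload."""
    assert len(payload) == PAYLOAD_BITS
    return PREAMBLE + list(payload)


def modulate(bits, high=1.0, low=0.0, noise=0.05, seed=1):
    """Send(0): hold the low level for T samples; Send(1): raise the level
    for T samples. Uniform noise (assumed) is added to each sample."""
    rng = random.Random(seed)
    samples = []
    for b in bits:
        level = high if b else low
        samples.extend(level + rng.uniform(-noise, noise) for _ in range(T))
    return samples


def transmit(payload, idle_symbols=3, offset=0, seed=1):
    """Constructed over-the-air series: idle silence, one frame, idle
    silence, then `offset` leading samples dropped so the receiver has to
    recover the bit phase itself."""
    bits = [0] * idle_symbols + frame_bits(payload) + [0] * idle_symbols
    return modulate(bits, seed=seed)[offset:]


def symbol_values(samples):
    """Average every T consecutive samples into one symbol value."""
    return [sum(samples[i:i + T]) / T
            for i in range(0, len(samples) - T + 1, T)]


def demodulate(samples, min_contrast=0.2):
    """Try each bit phase; at each, set the threshold halfway between the
    observed min and max, slice into bits, and look for the preamble.
    Keep the phase whose symbols are farthest from the threshold on
    average (misaligned windows mix high and low and land near it)."""
    best_score, best_payload = -1.0, None
    for phase in range(T):
        syms = symbol_values(samples[phase:])
        if len(syms) < len(PREAMBLE) + PAYLOAD_BITS:
            continue
        lo, hi = min(syms), max(syms)
        if hi - lo < min_contrast:
            continue  # nothing but noise at this phase
        thresh = (lo + hi) / 2  # dynamic threshold from observed levels
        bits = [1 if s > thresh else 0 for s in syms]
        score = sum(abs(s - thresh) for s in syms) / len(syms)
        for i in range(len(bits) - len(PREAMBLE) - PAYLOAD_BITS + 1):
            if bits[i:i + len(PREAMBLE)] == PREAMBLE:
                start = i + len(PREAMBLE)
                if score > best_score:
                    best_score = score
                    best_payload = bits[start:start + PAYLOAD_BITS]
                break
    return best_payload


def payload_to_int(bits):
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


if __name__ == "__main__":
    payload = [1, 0, 1, 1, 0, 0, 1, 1, 1, 0, 0, 0]
    rx = demodulate(transmit(payload, offset=5))
    print("recovered:", rx, "=", payload_to_int(rx))
```

A real receiver listens on the strongest of several candidate frequencies first (the "listen on best frequency" step); everything after that point, phase recovery, thresholding and framing, is what the block shows.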
Experimental Results
  More channels = more power!
  Orientation affects results
GSMem - Countermeasures
  Interference
  Shielding
  Stricter zoning
  Signatures
Overview: Air-Gap Covert-Channel via Electromagnetic Emissions from USB
  2014: Edward Snowden leaks the NSA's COTTONMOUTH
  USBee: covert USB transmissions without additional hardware
The Attack Model
(Figure: outbound channel across the air gap.)
  A sequence of 0 bits written to a USB device generates a detectable emission between 240 MHz and 480 MHz (the USB 2.0 clock rate).
  USBee uses B-FSK encoding to modulate data: bit patterns chosen with respect to the NRZI line encoding are written to the USB device accordingly.
  The malware on the host does not require any special permissions to write to the USB device!
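Why a run of 0 bits in particular radiates in the 240-480 MHz band follows from the USB line code, which the slide names but does not spell out. In USB NRZI a 0 bit toggles the line level and a 1 bit leaves it unchanged, and after six consecutive 1s the transmitter inserts a stuffed 0, i.e. a forced toggle. So all-zero payload bytes toggle the line on every bit, which at the 480 Mbit/s high-speed rate is a 240 MHz square wave; all-one bytes toggle only at the stuffed bits. The block below is an added example, not the USBee authors' code: it models the line level per transmitted bit, counts transitions, and derives the dominant frequency a payload would produce. Using 0x00 bursts for one FSK symbol and 0xFF bursts for the other is this example's own assumption about how the two frequencies might be chosen.

```python
"""USB 2.0 NRZI transition density and the emission frequency it implies.
Added example; not the USBee authors' code."""

HS_BIT_RATE = 480_000_000  # USB 2.0 high-speed, bits per second
IDLE_LEVEL = 1             # line level before the first data bit


def bits_lsb_first(data: bytes):
    """USB sends each byte least-significant bit first."""
    for byte in data:
        for i in range(8):
            yield (byte >> i) & 1


def nrzi_levels(data: bytes, stuff: bool = True):
    """Line level for every bit time, including stuffed bits.
    0 -> toggle, 1 -> hold; after six 1s a stuffed 0 forces a toggle."""
    levels, level, ones = [], IDLE_LEVEL, 0
    for bit in bits_lsb_first(data):
        if bit == 0:
            level ^= 1
            ones = 0
        else:
            ones += 1
        levels.append(level)
        if stuff and ones == 6:
            level ^= 1           # stuffed 0 bit
            ones = 0
            levels.append(level)
    return levels


def transition_count(levels):
    """Number of level changes, counting the change from idle into bit 0."""
    return sum(1 for a, b in zip([IDLE_LEVEL] + levels, levels) if a != b)


def fundamental_hz(data: bytes):
    """If transitions were evenly spaced, each is a half cycle, so
    f = transitions / (2 * duration); duration counts stuffed bit times."""
    levels = nrzi_levels(data)
    t = transition_count(levels)
    if t == 0:
        return 0.0
    duration = len(levels) / HS_BIT_RATE
    return t / (2 * duration)


def bfsk_symbol(bit: int, n: int = 64) -> bytes:
    """Assumed B-FSK mapping: a burst of 0x00 (toggle every bit) for 1 and
    a burst of 0xFF (toggle only at stuffed bits) for 0."""
    return (b"\x00" if bit else b"\xff") * n


if __name__ == "__main__":
    for bit in (1, 0):
        sym = bfsk_symbol(bit)
        print(f"bit {bit}: {len(sym)} bytes, ~{fundamental_hz(sym)/1e6:.1f} MHz")
```

The host only needs ordinary write access to a USB device (a mass-storage file write is enough), which is why the slide notes that no special permissions are required; the radiated frequency is set entirely by the data pattern.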
Experimental Results
  Distance: 9 m with cable, 4 m without cable
  Data rate: 80 bytes/second
USBee - Countermeasures
  EMR shielding
  Distancing policies
  Jamming
  Malware detection: difficult
Methods of Bridging Air-Gapped Networks: thermal channels, radio channels, acoustic channels, optical channels
Who should be worried about these CREATIVE attacks?
  Desperate times call for desperate measures.
  If your air-gapped network is:
    A plausible target for an APT
    Limited with regards to insider activity
    Part of a restricted zone that allows visitors
The Most Plausible Attacks
  Exfiltration by EMR: GSMem, AirHopper, USBee
  Stealthy, while being easy and practical for an attacker to implement and execute.
Conclusion
Summary:
  We reviewed the 4 types of channels that can bridge air-gaps.
  Reminder: the assumption is that the target network has been infected beforehand!
Take-aways:
  Air-gapping a network does not provide a guaranteed disconnect.
  Not everybody is a target!
  If you are a target, consider precautions (e.g. zoning) depending on the sensitivity of your network.
Thank you for listening!Questions?