Bridging Air-Gapped Networks
Primary Author: Mordechai Guri
Presenter (co-author): Yisroel Mirsky
Supervisor: Prof. Yuval Elovici

[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation by Mordechai Guri, Yisroel Mirsky & Yuval Elovici 


What is an Air-Gapped Network?

The Typical Approach to Securing a Network

The Air-Gap Approach
Definition: An air-gap is a cyber security measure for securing a computer network by physically isolating it from other networks, such as the public Internet or another unsecured local area network.

(Diagram: Air-Gapped Network | Air Gap | The Internet)

Examples of networks or systems that may be air-gapped
- Military defense systems
- Financial systems (stock exchange)
- Industrial control (SCADA)
- Critical infrastructure: power plants, refineries, traffic control, airports
- Command and control centers
- Computerized medical equipment
- etc.

Air-Gapped Networks: Not a perfect solution

The Adversarial Attack Model
1. Initial Infection
2. Perform Action

Initial Infection
- Malicious / deceived insider
- Infected media
- Supply chain attack

Perform Action
- Steal sensitive data
- Manipulate control systems
- Delete records
- Deactivate subsystem
- DDoS
- Self-destruct

What to do about the air-gap after the initial infection?
(Diagram: Air-gapped Network | Air Gap | The Internet, with Outbound and Inbound channels crossing the gap)

Usage of the In/Outbound Channels
Inbound:
- Send commands: flexibility in controlling the attack (when to act)
- Update malware: new modules, fixes, change encryption key
Outbound:
- Exfiltration: receive recorded information
- Reports: acks on commands, progress of lateral movement

Methods of Bridging Air-Gapped Networks
- Thermal channels
- Radio channels
- Acoustic channels
- Optical channels

Thermal Channels

Introduction to HVACKer
- Modern PCs have embedded thermal sensors.
- These sensors can be used to detect temperature changes in the environment.
- By manipulating the room temperature of the isolated network, we can communicate with the PC.

Q: How do you remotely change the room temperature?
A: Hack the HVAC!
- Insecure networks may overlap the same space as an air-gapped network.
- One such network is the HVAC (Heating, Ventilation and Air Conditioning) system.

Many HVACs provide an internet portal for remote management
- E.g. Tridium Niagara AX platform
- There are 36,287 Niagara web portals exposed
- Only 269 of them are protected with HTTPS

The Attack Model (Inbound)
(Diagram: Isolated Network | Air Gap | Internet, with receiver(s) on the isolated side)

Communication Protocol L1/L2

Example High level Protocol

Experimental Results
- Small office scenario
- 40 bits/hour
- What about internal interference?

What about internal interference?

HVACKer - Countermeasures
- Disable / secure HVAC web portals
- Monitor environmental temperature
- Malware signatures

Introduction to BitWhisper
- Computers emit heat into their environment
- Computers can detect changes in the environment's temperature
- Let's make a bidirectional channel between neighboring computers!

But why?...
- In some cases, air-gapped machines are placed in close proximity with connected ones. Example: leased computing space
- A thermal channel between two end-points would provide the attacker the ability to both send commands and receive information
- Can be achieved from within a VM

The Attack Model (Inbound and Outbound)
(Diagram: Isolated Network | Air Gap | Internet)

The Heat Transfer Process

The Possible Setups We Examined

The Thermal Line Encodings Tested

BitWhisper - Countermeasures
- Physically distancing air-gapped computers from other networks
- Strong AC
- Malware signature (API calls)
- Environment sensing

Video Demo

Methods of Bridging Air-Gapped Networks
- Thermal channels
- Radio channels
- Acoustic channels
- Optical channels

Acoustic Channels

Overview: Covert Acoustic Mesh Networks
- Transmitter: speaker (ultrasonic)
- Receiver: microphone (laptop, smartphone)

Attack Model (Inbound and Outbound)
(Diagram: Air Gap)

Acoustic Mesh - Countermeasures
- Ultrasonic noise emitters
- Strict zoning policies

Acoustic Channels

Overview: Fansmitter: Acoustic Data Exfiltration from (Speakerless) Air-Gapped Computers
- Transmitter: PC cooling fan (power supply, CPU, chassis, …)
- Receiver: microphone (laptop, smartphone)

Why is Fansmitter Interesting?
Speakerless machines can now be exploited as acoustic transmitters!

Attack Model (Outbound)
(Diagram: Air Gap)

Modulation
Capability: 15 bits per minute at a distance of 8 meters

Carrier frequency is dependent on two factors:
- Fan speed (RPM)
- Blade pass frequency (BPF)

RPM-BPF relationship for a standard 7-blade fan

Programmatically Speaking
- BIOS-level rootkit
- Driver / OS API (more plausible), e.g., WMI (Windows Management Instrumentation)

Fansmitter - Countermeasures

Acoustic Channels

Overview: Data Exfiltration from Speakerless Air-Gapped Computers via Covert Hard Drive Noise
- Transmitter: hard drive
- Receiver: microphone (laptop, smartphone, etc.)

Attack Model (Outbound)
(Diagram: Air Gap)

How is it Done?
Acoustic sources:
- Motor
- Actuator

Spectrograms
The write and seek operations generate the best signal

Modulation
- Rate: 180 bits/min
- Distance: 2 meters

DiskFiltration - Countermeasures

Acoustic Channels

Methods of Bridging Air-Gapped Networks
- Thermal channels
- Radio channels
- Acoustic channels
- Optical channels

Optical Channels

Overview: Indicator lights leak information!
- Transmitter: device LED
- Receiver: camera, sensor
- "Information Leakage from Optical Emanations", Joe Loughry and David A. Umphress
- What if these LEDs were used to actively exfiltrate data?

Attack Model (Outbound)
(Diagram: Air Gap)

OpenCV for image tracking

Tempest - Countermeasures
- Zoning policies
- Malware signature (if via OS API)
- A piece of tape!

Optical Channels

Overview: Bridging the Airgap with a scanner
Office scanners can receive and transmit light; how can we exploit that?

Attack Model
(Diagram: Air Gap)

Optical Channels

Overview: An Optical Covert-Channel to Leak Data through an Air-Gap
- Transmitter: LCD/LED screen
- Receiver: video recorder (phone, Google Glass)

Attack Scenarios (Outbound)
(Diagram: alternative receiver placements across the Air Gap)

Experimental Results
- 40 volunteers found the invisibility threshold
- Video devices: simple DSLR, pro DSLR, GoPro, webcam, smartphone, Google Glass

VisiSploit - Countermeasures
- Zoning policies (who and what devices can go where)
- Malware signatures (detect that DLL!)

Methods of Bridging Air-Gapped Networks
- Thermal channels
- Radio channels
- Acoustic channels
- Optical channels

Radio Channels

AirHopper - Introduction
- Many workplaces have a BYOD policy
- Smartphones can be used to receive radio signals
- If we can get ordinary PCs to emit radio signals, then we have an outbound channel

The Attack Model (Outbound)
(Diagram: Air Gap)

The Big Question

How do antennas work?
- Antennas emit radio waves (EMR) by oscillating current through their terminals
- Radio waves are characterized by their frequency (oscillation in Hz) and amplitude (strength in dBm)

One way to emit EMR is to get the display to send specific signals over the cable

The Modulation of Binary Data over Analog FM

Experimental Results

AirHopper - Countermeasures
- Strict zoning: no smartphones within a proximity of 20 meters of an air-gapped computer with a screen.
- Insulation: shield the display cables better.
- Jamming: emit noise in the 87.5-108 MHz band.
- Signature: scan for related graphics manipulations.

GSMem - Introduction
- Feature phones (mobiles with no WiFi, Bluetooth) are allowed into restricted zones.
- Feature phones can be used to receive other transmissions broadcast over cellular frequencies.
- The CPU-memory bus of an ordinary computer can be exploited to transmit signals over cellular frequencies.

How GSMem Works: Transmitter / Receiver

Emitting a Signal
- Observation 1: A large CPU-RAM transfer builds up oscillating current in the configuration (bypass the cache).
- Observation 2: The bus transfers bits at the FSB speed, emitting the energy around that frequency (e.g. 800 MHz).

Sending a Bit (modulation)
To send a bit, we use a variant of B-ASK:
- Send(0): do nothing for T seconds
- Send(1): raise amplitude for T seconds
We then place all the bits into frames.

Transmitter Properties
- Only has a 4KB memory footprint
- No root/admin required
- No APIs are used
- Affects Intel and AMD architectures
- Works on Windows/Linux

Receiving the Signal
- To read the raw signals (our modulation), one must modify the firmware of the baseband chip.
- This will not deter highly motivated and resourceful threats, as we've seen in the past.
- In our tests we used an open source baseband software (OsmocomBB) and a compatible Motorola C123 GSM phone.
- We also used a Universal Software Radio Peripheral (USRP B210) for a higher quality analysis.

Receiving a bit, and some more
A very simplistic approach:
- Listen on the best frequency
- Search for the 1010 preamble (each bit T seconds long)
- Threshold based (dynamically changed)
- Extract the 12-bit payload if the preamble is found
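The "very simplistic" receive loop above, worked through as an added example (not code from the GSMem paper or from the OsmocomBB firmware). It assumes an amplitude trace already captured at the chosen frequency, one value per sample and a known number of samples per bit period T; the same slicing and preamble search is what an environment-sensing monitor would run to flag B-ASK framing on a bus-frequency carrier.

```python
"""Slice a B-ASK amplitude trace with a dynamic threshold, find the 1010
preamble and pull out each 12-bit payload (added example, not the paper's code)."""
from statistics import mean

PREAMBLE = (1, 0, 1, 0)
PAYLOAD_BITS = 12


def bit_energies(samples, samples_per_bit):
    """Average the raw amplitude over each bit period of T seconds."""
    n = len(samples) // samples_per_bit
    return [mean(samples[i * samples_per_bit:(i + 1) * samples_per_bit]) for i in range(n)]


def threshold_bits(energies, window=8, min_swing=3.0):
    """Dynamic threshold: midpoint of the min/max seen in the last `window`
    bit periods. While the window shows no swing (idle air, or a long run of
    identical bits) the previous threshold is held instead of recomputed."""
    bits, thr = [], None
    for i, e in enumerate(energies):
        win = energies[max(0, i - window + 1):i + 1]
        lo, hi = min(win), max(win)
        if hi - lo >= min_swing:
            thr = (lo + hi) / 2
        bits.append(1 if thr is not None and e > thr else 0)
    return bits


def extract_frames(bits):
    """Scan for the preamble; each match yields the following 12-bit payload."""
    frames, i = [], 0
    while i + len(PREAMBLE) + PAYLOAD_BITS <= len(bits):
        if tuple(bits[i:i + len(PREAMBLE)]) == PREAMBLE:
            payload = bits[i + len(PREAMBLE):i + len(PREAMBLE) + PAYLOAD_BITS]
            frames.append(int("".join(map(str, payload)), 2))
            i += len(PREAMBLE) + PAYLOAD_BITS
        else:
            i += 1
    return frames


def decode(samples, samples_per_bit):
    return extract_frames(threshold_bits(bit_energies(samples, samples_per_bit)))


def synth(bits, samples_per_bit=4, high=10.0, low=1.0):
    """Constructed trace (assumption, not a real capture): `high` while the
    transmitter raises amplitude for T seconds, `low` noise floor otherwise."""
    jitter = [0.3, -0.2, 0.1, -0.4]
    return [(high if b else low) + jitter[k % 4] for b in bits for k in range(samples_per_bit)]
```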

Experimental Results
- More channels = more power!
- Orientation affects results

GSMem - Countermeasures
- Interference
- Shielding
- Stricter zoning
- Signatures

Overview: Air-Gap Covert-Channel via Electromagnetic Emissions from USB
2014: Edward Snowden leaks the NSA's COTTONMOUTH

USBee: Covert USB transmissions without additional hardware

The Attack Model (Outbound)
(Diagram: Air Gap)

- A sequence of 0 bits to a USB device generates a detectable emission between 240MHz and 480MHz (the USB 2.0 clock speed)
- USBee uses B-FSK encoding to modulate data: binary w.r.t. the NRZI encoding is written to the USB device accordingly
- The malware on the host does not require any special permissions to write to the USB!

Experimental Results
- Distance: with cable 9m, without cable 4m
- Data rate: 80 Bytes/second

USBee - Countermeasures
- EMR shielding
- Distancing policies
- Jamming
- Malware detection :/

Methods of Bridging Air-Gapped Networks
- Thermal channels
- Radio channels
- Acoustic channels
- Optical channels

Who should be worried about these CREATIVE attacks?
Desperate times call for desperate measures. If your air-gapped network is:
- A plausible target for an APT
- Limited with regards to insider activity
- Part of a restricted zone that allows visitors

The Most Plausible Attacks
Exfiltration by EMR: GSMem, AirHopper, USBee
Stealthy, while being easy and practical for an attacker to implement and execute.

Conclusion
Summary:
- We reviewed the 4 types of channels that can bridge air-gaps.
- Reminder: the assumption is that the target network has been infected prior!
Take-aways:
- Air-gapping a network does not provide a guaranteed disconnect.
- Not everybody is a target!
- If you are a target, consider precautions (e.g. zoning) depending on the sensitivity of your network.

Thank you for listening!
Questions?