New air-gap jumper covertly transmits data in hard-drive sounds
Source: Ars Technica
Researchers have devised a new way to siphon data out of an infected computer even when it has been physically disconnected from the Internet to prevent the leakage of sensitive information it stores.
The method has been dubbed "DiskFiltration" by its creators because it uses acoustic signals emitted from the hard drive of the air-gapped computer being targeted. It works by manipulating the movements of the hard drive's actuator, which is the mechanical arm that accesses specific parts of a disk platter so heads attached to the actuator can read or write data. By using so-called seek operations that move the actuator in very specific ways, it can generate sounds that transfer passwords, cryptographic keys, and other sensitive data stored on the computer to a nearby microphone. The technique has a range of six feet and a speed of 180 bits per minute, fast enough to steal a 4,096-bit key in about 25 minutes.
"An air-gap isolation is considered to be a hermetic security measure which can prevent data leakage," Mordechai Guri, a security researcher and the head of research and development in the cyber security labs at Israel's Ben-Gurion University, told Ars. "Confidential data, personal information, financial records and other type of sensitive information is stored within isolated networks. We show that despite the degree of isolation, the data can be exfiltrated (for example, to a nearby smart phone)."
Besides working against air-gapped computers, the covert channel can also be used to steal data from Internet-connected machines whose network traffic is intensively monitored by intrusion prevention devices, data loss prevention systems, and similar security measures. The technique is documented in a technical paper titled DiskFiltration: Data Exfiltration from Speakerless Air-Gapped Computers via Covert Hard Drive Noise, which was published Thursday night. Guri and the other Ben-Gurion University researchers who devised the covert channel created the video demonstration below.
Read more: http://arstechnica.com/security/2016/08/new-air-gap-jumper-covertly-transmits-data-in-hard-drive-sounds/
Scalded Nun
(1,236 posts)
I wonder if SSDs are vulnerable to the same threat.
Mika
(17,751 posts)
e/m - electro/magnetic.
IR- infrared
William Seger
(10,778 posts)
Many years ago, Russian hackers hacked Canon point-and-shoot cameras by injecting a small piece of code that could read the firmware binary from memory and blink the camera's status light to reflect the 1s and 0s, one at a time, which could then be read by a photo sensor. (They used that information to reverse-engineer the firmware to create a very cool version of it, called CHDK, which can run user scripts to extend the functionality of the camera.) DiskFiltration, AirHopper, and Fansmitter are just a variation on the same idea but using different ways to indicate 1s and 0s, and there are lots of similar techniques. For such techniques to work, of course, the challenge is to first inject that reader code and then to get some kind of monitor in the vicinity, which is presumably very hard (but not impossible) for an air-gapped computer in a secure location.
Mika
(17,751 posts)
It's not about hacking nor reading disc data.
NWCorona
(8,541 posts)
neohippie
(1,142 posts)
Interesting theoretical demonstration, but my guess is that in ultra secure environments that require air gapped systems, such as, say, the Department of Defense or similar places, employees are most likely also not able to bring a smart phone into the environment either, so while this sounds scary and is interesting, it's probably not likely to be used to steal anything super sensitive.
NWCorona
(8,541 posts)
I
Statistical
(19,264 posts)
Any microphone could be used to receive the acoustic signal from the drive. Spy agencies routinely use laser microphones to record conversations from a km away by measuring the movement (vibration) of windows caused by the sound waves inside.
PersonNumber503602
(1,134 posts)
I'm sure there is or will be some situation where someone will find this to be a valid method of doing whatever it is they are doing.
jmowreader
(50,557 posts)
If I were an Evil Secret Agent I could break into a secure office building, infect a computer with some specialized malware, install a microphone within six feet of it and pick off sensitive data at 4800 baud by listening to the Morse Code this malware makes the hard drive heads tap out (assuming, naturally, that the computer I'm trying to attack doesn't have solid state drives, which are immune to this exploit because they have no heads)...or I could pay a maintenance crew to attach an antenna to the outside of the building and pick off, from 200 to 300 meters distance and at the full speed of your computer, the signals flowing through the plastic case on your computer and emanating from those cheap-ass USB and Ethernet cables you bought from OfficeMax four or five years ago.
NWCorona
(8,541 posts)
jmowreader
(50,557 posts)
Your computer throws off electromagnetic energy all the time it's running, and those "compromising emanations" are detectable from a long ways off. It's far more trouble to try exploiting hard drive acoustics than to intercept the trash coming off your cables.
Oh...the biggest security risk is your monitor - they can't be shielded from the front, and they CAN be intercepted.
NWCorona
(8,541 posts)
Just like the tech that reads the vibrations of the potato chip bag to hear what's being said in the vicinity. I find it interesting but not sure of the real world use.
Excellent point about the monitor!
Cicada
(4,533 posts)
I thought it was odd that so many Fed govt offices have the Cars song "You Might Think I'm Crazy" playing lately. I guess they play it to block air-gap hacking.
csziggy
(34,136 posts)
Xithras
(16,191 posts)
There was a virus back in the 1980s that hijacked the PC speaker to do the same thing. Once the virus was installed (inside job), a tape recorder was hidden underneath a nearby floor panel to record the transmissions from the computer. As I recall, the hack was used to gain access to thousands of bank accounts in one incident (a smallish hack by today's standards, but huge back then).
According to lore, a similar concept was once used by Soviet agents to get data from another air gapped computer system. After an insider installed the virus, the computer would "pulse" power to various internal devices. The pulsing would cause a measurable difference in the electrical load the computer was pulling. The Soviet spies were able to measure the building's electrical load from outside (trivial to do) and detect the pulses. The result was a very low rate data transmission via the building's own power grid.
While it's an interesting trick nowadays, it's not particularly useful. 180 bits per minute works out to just under four days per megabyte. A moderately sized 1Gb dataset, downloadable in minutes on any computer with modern broadband, would take 10.5 YEARS to download via hard drive acoustics.
I'm not terribly worried.
recentevents
(93 posts)
As I was told in one of my first computer security classes, the only way to make absolutely sure your computer isn't hacked is to turn it off, never use it, and lock it in a safe.
Little Tich
(6,171 posts)
It's an interesting approach, though.
eppur_se_muova
(36,261 posts)
no actuator, no noise, no problem.