Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

How cellphones steal from air-gapped computers

Patrick Nelson | Nov. 12, 2014
Sensitive data can be leaked from isolated, non-networked computers using radio waves, according to new security research.

The general consensus is that isolating a computer protects it, and the data contained within it, from leaking.

The idea is that by removing the external network, no one can attack the computer. This technique is referred to as air-gap security.

However, a couple of security experts from the Ben-Gurion University in Israel say they have developed phone-based decoder software that can read key-strokes from a compromised but air-gapped computer.

The mobile phone they use has no mobile network, Bluetooth or Wi-Fi enabled, and can receive the leaked data from up to seven meters away, they say.

AirHopper
They call their method AirHopper. It works by using the mobile phone's integrated FM radio receiver to pick up radio signals emitted from the screen of the air-gapped, malware-loaded computer.

Many phones have FM radio receivers hidden away in them. They are considered a public safety tool-something goes down and the phone owner can listen to a news broadcast. So, even if you don't use FM receiver, or even know it's there, that receiver isn't likely going away anytime soon. It's there.

Computer screens, along with other computer parts, like keyboards, can emit electro-magnetic signals, or radio waves. Some government agencies use hardened keyboards for this very reason, as is pointed out by Aqua man, in a comment on the university's project webpage. Indeed, the school's website, at Cyber Security Labs at Ben-Gurion University of the Negev, has attracted some interesting comments:

Ben P. says the problem isn't new and calls it a passive EM, or electro-magnetic, attack on a cellphone with FM hardware.

Details
In AirHopper's case, the researchers say that binary and textual data is extracted from a physically isolated computer with "hostile code" on it to phones located between one and seven meters away.

Bandwidth is 13-60 bytes per second. Slow, but enough to steal lines of text, like a password, they say.

Roughly speaking, the hack is dependent on the pixel clock, which is the frequency at which pixels are sent from the video card to the screen.

Solutions
Commenter Ben P. says a solution to this awkward problem is to put all the computers in a "SCIF-like room" with soundproofing, including ultrasound; filters on the cables; and passive and active EMSEC, or emission security, shielding.

SCIF, or Sensitive Compartmentalized Information Facility, is a special, secure enclosed area.

He says users should then use TEMPEST-like clients to connect. TEMPEST is an NSA and NATO certification for this kind of thing, and addresses unintentional radio leaks.

IEEE
Researchers Mordechai Guri and Professor Yuval Elovici, along with Dudu Mimran, CTO of the university's cyber security labs, presented their findings and resulting software at MALCON 2014, the IEEE's International Conference on Malicious and Unwanted Software, in order to start a discussion on how to mitigate the risk for this kind of siphon.

 

1  2  Next Page 

Sign up for Computerworld eNewsletters.