Escaping Data from Faraday-Caged, Air-Gapped Computers via Magnetic Fields - air7
https://arxiv.org/abs/1802.02700
======
myrandomcomment
Did you ever think when stuff like this comes out there is some guy at the NSA
going "Damn it, there goes another one" as they have known about this and been
using it for years :)

~~~
jloughry
I have first-hand experience:

Around 1999, I wrote a paper about information leakage from blinking LEDs on
devices (one DES link encryption box, used by banks, for example, was sending
out plaintext on the LEDs).

I was working for a defense contractor at the time on a classified project,
and so, following procedures, we submitted the paper to NSA for approval to
publish.

It took a year and a half to approve. [1]

Eventually NSA wrote back and said, "No problem! Go ahead and publish." I kind
of wonder what they spent all that time doing.

[1] Actually, it didn't quite happen that way. Our paper was approved for
publication very quickly, in only a few weeks; we submitted it to the USENIX
Security Symposium, where it was immediately accepted. Later, NSA called us
back, and in a panic, demanded we withdraw the paper from the conference. I
had to apologize to the conference committee; it was terribly embarrassing,
and the delay in publishing was two years.

~~~
jey
> one DES link encryption box [...] was sending out plaintext on the LEDs

What? Care to elaborate? Did they just set the LED brightness based on the
current octet being encoded or something? But that seems like it's too high
frequency to work.

~~~
jloughry
In the early 1990s when we did this research, it was mostly RS-232 devices;
the designers did in fact often connect LEDs directly to the serial TXD and
RXD lines, which are relatively high voltage and have plenty of drive
capability. Garden variety LEDs are plenty fast enough to reproduce bit
transitions in the nanosecond range; we measured intelligible signals in the
lab well into megabits per second; on real devices in the field, hundreds of
kilobits per second.

You're right, the trick wouldn't work so well with modern LVDS levels and
speeds, but we examined (at the time) lots of Ethernet NICs with LEDs on them
and found no indication there of useful data in the optical region. (It was a
different story on the _back_ panel of enterprise Cisco routers....)

Ethernet PHY chips invariably, so far as I've seen, implement a pulse
stretcher on the LED output pins for exactly the reason you noted. We found no
intelligible optical emanations from any of the—admittedly low-cost—Ethernet
devices we tested. But since then, two things have happened: USB and HFT.

There are definite opportunities for the same thing to happen again. I've seen
indications of it in a few USB devices.

High Frequency Trading, though, is a whole other can of worms. There, you have
FPGAs and ASICs being used to shave nanoseconds off latency, and I wouldn't be
a bit surprised to see off-the-shelf gigabit Ethernet PHY chips spurned by
fintech specialists designing an extremely specialised piece of hardware to do
one job and do it as fast as physics allows.

There's a window of opportunity there (sorry!) for rival HFT firms with a
telescope and very high speed photodetector to exploit any incautiously wired-
up LEDs connected directly to ASIC signals....

Hint: use a photomultiplier; PIN photodiodes are fast but the transimpedance
amplifiers they need are s-l-o-w.

------
crankylinuxuser
That's neat. It does remind me a few things. They're only related by this
topic.

1. A buddy was experimenting with 3D printers, and was measuring the spin on
a magnet superglued on the back of a NEMA 17 shaft. He had weird interference
going on. We eventually figured out the sensor was sensitive enough to measure
the magnetic field in the stepper itself. Our solution was to take a spinning
rust HD case, and cut/wrap it around the stepper.

Spinning rust cases are made out of MU-Metal. Think of them as magnetic
shielding. And in our case, it worked with nothing more than scrap we had
around.

2. There was a company I ran across a year ago that was selling chips that
could communicate over a personal magnetic area network. They didn't give hard
numbers, but claimed they could transmit audio and video within a 2m bubble.
They also worked through stuff like water (which kills most radio). I asked
for some samples, but it fell on deaf ears. I'd still _love_ to have/purchase
a few chips to experiment with.

~~~
skykooler
Huh. I didn't know mu-metal was a real thing; I always assumed it was
something Guardians of Ga'Hoole made up.

~~~
crankylinuxuser
Yep, sure is legit stuff. There's quite a few things made out of mu-metal, but
spinning rust hard drive cases are the most readily accessible.

[https://en.wikipedia.org/wiki/Mu-metal](https://en.wikipedia.org/wiki/Mu-metal)

------
rdtsc
This is brilliant - magnetic TEMPEST.

Though magnetic field intensity drops off with an inverse cute law, they
mention that in the paper, which restricts the distance. It seems they got up
to 100cm but it's 1bps at that point. For 10bps you need to be only about 10cm
away. Seems hard to exploit, but imagine a server being next to a wall/floor and
someone placing a bug right next to the wall on the other side.

Seems just leaving enough space around the server would be enough. Put it 1m
away from floor and walls and it should mitigate it.

I knew about the light and ultrasound before, but also learned from the paper
there is apparently a thermal TEMPEST attack as well.

~~~
cperciva
I realize it was a typo, but I love the idea of an "inverse cute law".

~~~
schoen
Same here, but I expect it's the wrong law for magnetism. People's magnetism
is roughly proportional to the logarithm of their cuteness, isn't it?

------
arcaster
As obnoxious as randomly pulsating RGB LEDs are, it seems like a great way to
defeat data exfiltration with status LEDs of any kind. I'm also curious why
air-gapped data centers don't blast the air-waves both inside and outside of
the faraday cages with randomized signal noise.

~~~
AndrewKemendo
I can only speak for the DoD/IC but we do blast the air-waves with randomized
noise in the form of white/pink noise or radios in and around our SCIFs. It's
not really cost effective or critical to add further EM radiative sources to
that, as the intention is primarily to reduce risk of voice bugs.

~~~
arcaster
Cool! I can't wait to see data centers that are pulsating with RGB light in a
seizure-inducing "Linus Tech Tips - THE MOST INSANE RGB DATA CENTER EVER" kind
of way. With all the lights there for "security reasons".

------
asterius
The real benefit from this work is not exfiltrating from airgapped computers,
but from code running inside Intel SGX or similar isolated computation modes.

------
stcredzero
If we extrapolate this into the future, we'll eventually have, "Escaping data
from Computers through an Event Horizon."

------
oxymoran
Wow. This is pretty mind blowing to someone that is not an engineer.

My takeaway from this is that if the information is valuable enough and if
someone wants the data enough, there is no way to truly make anything 100%
secure. There will always be something to exploit. Is this accurate? Can we
ever make something that is "invincible"?

------
mchahn
> We introduce a malware

How do you get malware onto one of these things? I guess social-hacking could
be used but if you have that then no technical solution is needed.

------
ridgeguy
It seems this data leakage mode could be dealt with by combining the Faraday
cage material (which blocks EM radiation) with a high magnetic permeability
material (blocks B-fields, as discussed in the paper's ref [50] (paywalled)).

Mu-metal screen is a thing, so maybe copper plating over the mu-metal to
combine both shielding mechanisms?

~~~
foobarian
I did a project once where I needed to block RF interference from a battery-
powered Raspberry Pi board. I thought back to physics classes and Faraday
cages when we learned that no electric fields can come in or out, so I went
and put the board into a metal box thinking it would completely block all RF.
Boy was I wrong. The box was only enough to attenuate about -10 or -15dB of
the WiFi signal! I figured the box had seams so it was behaving as a repeater
from outside to inside. I wonder if a perfect seamless box would have done
better.

~~~
nearbuy
You forgot an important detail from your physics classes: the electric field
inside a Faraday cage is only zero when it's exposed to static electric
fields. Changing electric fields, like radio waves, can pass through, although
they'll be attenuated.

Also, if you place an electric charge inside a Faraday cage, it will cause an
electric field outside the cage, and the electric field inside the cage will
still be zero.

------
jaclaz
As often happens, very nice, but of no practical use whatever. I mean, first
you have to BOTH infect the PC AND place a "magnetic receiver" within
100 cm, but the "magnetic receiver" needs anyway to transmit the data, and
that is IMHO the unresolved problem, as this method of transmission would be
easily detected (if electromagnetic/radio) or impossible to deploy
(cable/wire) in 99.9999% of the "secure sites" where an air-gapped
computer is actually used inside a Faraday cage.

~~~
djtriptych
This sort of exploit is attractive to state actors with virtually unlimited
budgets. For them, it might be quite practical. The CIA has been toying with
insect-sized remote controllable flying vehicles for decades. Stick a USB
stick and magnetic receiver on one of them and you've basically got your
exploit.

You and I wouldn't spend 20 man-years and $50 million to do that, but our
government definitely would if there were a chance to, say, disrupt Iran's
nuclear ambitions for a few months.

~~~
conbandit
Easier to just write Stuxnet.

------
ac2u
40bits/s from 100cm away, cool hack.

~~~
dralley
Why would they say 100cm instead of just... 1 meter...

~~~
funcSoulBrother
The unit indicates the precision at which the scale is represented. So for
this, the distribution is probably not very useful at a resolution of 0m, 1m,
and 2m and is normalized between the 0 and 1XXcm range.

------
nisten
So what, do I just set the BIOS to run my CPU at 100% all the time now?

------
empath75
I guess we need to upgrade our tinfoil hats.