
GSMem: Data Exfiltration from Air-Gapped Computers Over GSM Frequencies [pdf] - tptacek
https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-guri-update.pdf
======
tptacek
This team used patterns of memory access instructions to modulate a memory bus
to generate GSM-band signals that can be read from a hacked baseband. That is
a thing that happened.

~~~
carapace
Van Eck, of course, but still.

------
hyperion2010
Somehow this reminds me of the various "floppy drive plays the Imperial March"
hacks only this time it is "system RAM plays the arbitrary-bits-of-information
fugue in C major on the electromagnetic spectrum." The research needed to get
this to work is stunning.

~~~
peterfirefly
Toccata and fugue in 101010 minor on a DRAM harp.

------
bri3d
Could the SSE2 non-temporal instructions used in this (genius) strategy be
used to exploit RowHammer in DDR2, avoiding the known "dangerous" CLFLUSH?

This seems like an obvious approach but the only reference to it I can find is
in this Google Native Client issue, with no indication of whether or not it's
successful:
[https://code.google.com/p/nativeclient/issues/detail?id=3970](https://code.google.com/p/nativeclient/issues/detail?id=3970)

~~~
pbsd
The recent Rowhammer.js paper showed that you don't even need non-temporal
instructions to achieve faults---regular accesses, with a clever eviction
strategy, will do:
[http://arxiv.org/abs/1507.06955](http://arxiv.org/abs/1507.06955)

~~~
mjevans
This type of news reminds me of that scene from the first (live action)
Transformers movie where the girl hacker is telling the three-letter suit
types that they need to be thinking in a whole other level of technology in
order to understand their adversary.

I suppose though, that this means if you have /critical/ security things it
really just means you need to have the kind of physical security you hear
about in scifi and fictional spy game settings. Not just plain airgaps, but
proper Faraday cages, and even vibration dampening (for servers too, not just
'meeting rooms'). Probably even thermal regulation so that there's always
/consistent/ output.

------
themodelplumber
Just to clarify: They're talking about going into an air-gapped network (i.e.
cut off from the outside world as far as network transmission of data goes)
and using a conveniently-placed (and hacked) cell phone to read signals,
convert them into useful data, and transmit that to the attacker? So the cell
phone works as a sort of spigot that pours that data into outside networks?
Let me know if I'm not reading this right.

~~~
motoboi
You can, by several means, infect computers on the way to the air-gapped
facility.

People will use it to store sensitive information, and now you have access to
it. You just solved half of the problem.

Now, how to get this data? Internet? No, air-gapped. Send someone to retrieve
the machine by force? Too risky and will alert the enemy. Solution: infect the
cell phones of the people working there.

Your machine will be continuously broadcasting the information you want and
when the infected phone comes close to it, communication will occur.

Totally feasible.

~~~
nickpsecurity
Definitely. Most sophisticated hacking involves multiple steps and sometimes
boxes (esp w/ C&C). People should expect the same in EMSEC attacks. And
wireless, reprogrammable devices are _always_ a threat that even NSA et al
haven't mapped all specifics on. It's why any installation allowing them is
insecure to EMSEC by default in my book.

------
mschuster91
Only a bit related: does anyone know a) why it is standard in scientific
papers to be written in 2-col layout and b) how to convert said 2-col layout
to a READABLE 1-col layout?!

Man, this is driving me nuts on desktop and mobile.

~~~
jacobwil
In the case of this specific paper from this specific conference, you're in a
lot of luck. USENIX put out the full proceedings as a giant PDF, an ePub, and
a Mobi ([1]).

If you want to reflow arbitrary pdfs, then you should check out k2pdfopt
([2]). It's how I read academic papers on my Kindle. It does lots of tricks to
slice out a useful format from pdfs of many different formats and make them
pretty solid on a different screen size.

[1]: [https://www.usenix.org/conference/usenixsecurity15/technical...](https://www.usenix.org/conference/usenixsecurity15/technical-sessions)

[2]: [http://willus.com/k2pdfopt/](http://willus.com/k2pdfopt/)

------
ikeboy
Previous discussion (of an article about this)
[https://news.ycombinator.com/item?id=9955180](https://news.ycombinator.com/item?id=9955180)

------
arboroia
Ridiculously impressive and extremely hard to shield against, barring using
your computer in a Faraday cage.

Thinking about it, is there any way to vary the electricity consumption of the
computer as to transmit that way if it was in such a cage?

~~~
9wzYQbTYsAIc
Computer enclosure and server rack manufacturers might have a new market for
built-in Faraday cages.

~~~
brohee
TEMPEST hardened computer certainly isn't a new market, see e.g.
[http://apitech.com/products/sn6730tf-tempest-laptop-notebook...](http://apitech.com/products/sn6730tf-tempest-laptop-notebook-computer)

It is however a very niche market. For server rooms, it's much cheaper to
harden the room, which limits the market to desktop and notebooks...

~~~
nickpsecurity
Old is New Again meme. ;) True: rooms or safes are best route. There's also
more suppliers for that and more willing to work with non-defense customers.
However, you've always been limited on desktop and notebooks in high security
assessment given all the functionality (esp wireless) in them. There's just
way too much risk. So, I recommended hardened thin-
clients/monitor/keyboard/mouse plus key servers in a shielded room, no
wireless anything, shielding of building from external signals where possible,
and of course a lot of distance around the building. Costs quickly become an
issue and most just don't do TEMPEST/EMSEC at all. Open season when the
attacks get democratized. ;)

------
jds375
This is amazing, I don't think I would have ever thought of that. Of course,
its efficacy is a bit mitigated in that if you could manage to get malware
onto such a computer, then there are likely easier ways to exfiltrate the data
than presented in this paper. The POC model is nonetheless impressive.

This would be a great side project to play around with on an Arduino or
something.

~~~
nine_k
I wonder what easier ways to exfiltrate data do you see?

An air-gapped computer is likely devoid of any special radio-frequency
hardware (no wi-fi or BT). Acoustic signals (via speaker or mechanical moving
parts) and visible light signals (via the screen or various LEDs) are easy to
notice.

OTOH a GSM frequency signal is not readily visible and also does not look like
coming from a computer unless you look pretty hard; a signal at this frequency
can be coming from a mobile device of a passer-by across the street.

~~~
jds375
I mean something simple, such as just using the usb itself or through social
engineering to take data. If you can manage to load malware onto the computer,
you can probably steal the data in a much easier way.

It's also much more efficient given the communication rate in the article is
on the order of just bits/s. Of course, if you're looking for a steady stream
of data over time, then this is probably the optimal solution.

~~~
a3n
The supply chain for the computer and the phones of nearby personnel is
hackable, given a sufficiently resourced and unsavory agency. Which gives you
a nice datastream that didn't depend on anyone having done anything obviously
stupid, and doesn't depend on social engineering to get usb sticks out of the
facility.

------
vvanders
Pretty impressive stuff.

Here I thought it was going to be related to the power-spike decryption that's
been shown before (and can be hardened against by balancing bits flipped).

------
nickpsecurity
Ben Gurion is on a win streak in emanation attacks. Neat example with a common
culprit: writings on TEMPEST said cellphones within meters of a STU-III
telephone compromised it immediately with inadvertent, active attack. This is
going in opposite direction with a known attack vector. A nice example of a
"known unknown." That wireless devices, cellphones or SoCs, greatly increase
risk in EMSEC is even more evident with this. Gotta stay banned in high-
security organizations and that presents very tough tradeoffs along with
supply chain issues in terms of SoCs. Identifying the hidden functions of
SoCs (including analog/RF) is a cat-and-mouse game that rivals the brains
that go into software attack and defense from what examples insiders gave me.

Far as EMSEC, I've pushed people in INFOSEC to consider it for a decade. I
argued we should because (a) U.S. used such attacks since 1914 w/ Russia using
them wisely in Cold War, (b) there's a sizeable industry on defense (TEMPEST)
side, (c) most commercial/personal systems were massively vulnerable, and (d)
research in possibly hostile countries continued. Supported even more by
leaked NSA TAO catalog that features emanation attacks, including one
(RAGEMASTER) that looks like my past work. All outside high-security said it
was theoretical (despite use by Russia), no evidence/detection of any attacks
(how would they lol?), or so rare as to be not important (again, measured
how?). Took a while for it to really hit mainstream attention and I'm glad to
see people in recent years are finally worrying about a 101-year old attack
strategy (emanations).

Ben Gurion's results, past and present, support my case: a new cat-and-mouse
game could form on pro side for stealing classified or trade secret
information with emanation attacks. Declassified documents on TEMPEST history
showed defenders had a _hard_ time for first decade even for passive attacks.
The likes of NSA, Russia, Israel, and _maybe_ China are decades ahead of
defenders with Israeli researchers innovating the most on attacks. NSA valued
it so much, even against allies, that it once diluted its capabilities when
sharing with UK and (IIRC) Canada to keep them behind (read: vulnerable).

My recommendation is that research-funding organizations in as many countries
as possible start dropping money on their best E.E.'s to recreate those
decades of research. Reducing the signal, shielding, masking... all of it for
each component that's common in systems. Another easy route, which I used to
recommend, was EMSEC safes or rooms with filters on cabling plus the myriad
other leaks that crop up (even toilets lol). Seemed to be easier, but not
easy, as there were more companies doing it than securing arbitrary equipment
operating in the open. We do a ton of research until even our undergrads and
amateurs can apply given techniques to solve the problems for boxes, safes, or
rooms they own. Maybe. It's quite complicated...

Regardless, these attacks will only get better and for more parties. NSA et al
long figured out it was best attack albeit required specialists and sometimes
physical presence. Demanded they save it for high priority targets. Attacks
with cellphones and interdiction, along with radios in COTS stuff, mean
physical presence might not be an issue in future attacks. The game's heating
up and defenders got a lot of catch-up to do. I suggest they start by studying
the field of electromagnetic compatibility (EMC) [1], books on TEMPEST
shielding [2], commercial sector [3], and declassified military documents on
similar subjects (some in [4], esp Red-Black).

[1]
[https://en.wikipedia.org/wiki/Electromagnetic_compatibility](https://en.wikipedia.org/wiki/Electromagnetic_compatibility)

[2] [http://www.amazon.com/Design-Shielded-Enclosures-Cost-Effect...](http://www.amazon.com/Design-Shielded-Enclosures-Cost-Effective-Methods/dp/0750672706)
(An example. Generally, you want author to be TEMPEST certified or have strong
background in EMC.)

Free book I just accidentally found on architectural shielding:
[http://nashville.dyndns.org:800/YourFreeLibrary/Shielding/Ar...](http://nashville.dyndns.org:800/YourFreeLibrary/Shielding/ArchitecturalEMIshielding.pdf)

[3] [http://www.tempest-inc.com/](http://www.tempest-inc.com/) (Found this in
my bookmarks. Think they were good and helped with self-tests, too. Been too
long time, though, so memory is fuzzy & many firms are gone.)

[4]
[http://www.jammed.com/~jwa/tempest.html](http://www.jammed.com/~jwa/tempest.html)

------
logicallee
Are we that surprised? I remember being blown away to read that a program
could modulate a CPU to play music over an FM radio -- though whenever I
google I'm not able to find that reference.

But are we that surprised that a cell phone has software-defined radio, or is
extremely sensitive in the gigahertz frequency range? Or that a hacked
baseband can listen to the cues from a memory bus in that range, and isolate
some predefined pattern that is extremely distinguishable? Or that a memory
bus can emit noise at those frequencies? Or that this can be controlled via
software?

I mean, this isn't - "this web site can send a text message from any airgapped
computer without a sim card, by modulating its CPU to broadcast to all cell
phone towers. Using pure CSS."

If that were in javascript, if it didn't require a hacked or modified anything
- now _that_ is the realm of science fiction :)

~~~
revelation
Well, of course none of these things are all particularly noteworthy _in
isolation_. But it takes someone to put them all together into a working PoC.

On the Javascript part, they might very well be able to port this. Since any
modern browser now JITs Javascript, it just becomes a matter of sculpting the
JS to get the desired native code from the JIT.

~~~
logicallee
I would be _extremely_ impressed with a javascript solution. The reader part
of it boils down to: "Hacked baseband can discern two special PC memory access
patterns from each other" - which, if you're willing to transmit for long
enough, is all it takes to exfiltrate.
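The channel tptacek summarises at the top of the thread and logicallee boils down here ("discern two memory access patterns from each other") is plain on/off keying. The following C sketch is an added example, not code from the GSMem paper or from anyone in this thread: the transmitter alternates "mark" slots, a burst of cache-bypassing SSE2 streaming stores that keep the memory bus busy, with idle "space" slots, and the receiver thresholds one energy reading per slot back into bits after locking onto a preamble. The slot length, preamble byte, buffer size and the energy values produced by the simulator are assumptions chosen for illustration, not figures from the paper, and nothing here claims to put energy into a specific band; it shows the transmit-side access pattern and the receive-side decision, which is the part the comment above says is "all it takes".

```c
/* Added example, not from the GSMem paper or this thread. OOK covert channel:
 * mark = burst of non-temporal stores (bus busy), space = bus idle.
 * Timing, preamble, buffer size and simulator values are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <time.h>
#if defined(__SSE2__)
#include <emmintrin.h>   /* _mm_stream_si128: 16-byte store that bypasses the cache */
#endif

#define PREAMBLE  0xA5u                /* 1010 0101, receiver sync pattern (assumed) */
#define SLOT_NS   (10L * 1000 * 1000)  /* 10 ms per bit, ~100 bit/s (assumed) */
#define BUF_BYTES (4u << 20)           /* 4 MiB sweep target (assumed) */

/* Frame a message as preamble byte + payload, MSB first; returns bit count. */
size_t frame_bits(const uint8_t *msg, size_t len, uint8_t *bits, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; i <= len; i++) {
        uint8_t b = (i == 0) ? (uint8_t)PREAMBLE : msg[i - 1];
        for (int k = 7; k >= 0 && n < cap; k--)
            bits[n++] = (b >> k) & 1;
    }
    return n;
}

static uint64_t now_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}

/* Mark slot: sweep the buffer with streaming stores until the slot ends.
 * Non-temporal stores go straight to DRAM, so every pass is bus traffic. */
static void bus_burst(uint8_t *buf, uint64_t until_ns) {
    while (now_ns() < until_ns) {
#if defined(__SSE2__)
        __m128i zero = _mm_setzero_si128();
        for (size_t off = 0; off < BUF_BYTES; off += 16)
            _mm_stream_si128((__m128i *)(buf + off), zero);
        _mm_sfence();
#else   /* portable fallback: one plain store per cache line (goes via cache) */
        for (size_t off = 0; off < BUF_BYTES; off += 64)
            ((volatile uint8_t *)buf)[off] = 0;
#endif
    }
}

/* Space slot: sleep so the bus stays quiet until the slot ends. */
static void bus_idle(uint64_t until_ns) {
    uint64_t t = now_ns();
    if (t >= until_ns) return;
    uint64_t d = until_ns - t;
    struct timespec ts = { (time_t)(d / 1000000000ull), (long)(d % 1000000000ull) };
    nanosleep(&ts, NULL);
}

/* Transmitter: one framed message, one slot per bit. */
void ook_transmit(const uint8_t *msg, size_t len) {
    uint8_t bits[8 * 256];
    size_t n = frame_bits(msg, len, bits, sizeof bits);
    uint8_t *raw = malloc(BUF_BYTES + 64);
    if (!raw) return;
    uint8_t *buf = (uint8_t *)(((uintptr_t)raw + 63) & ~(uintptr_t)63); /* 64-aligned */
    uint64_t t = now_ns();
    for (size_t i = 0; i < n; i++) {
        t += SLOT_NS;
        if (bits[i]) bus_burst(buf, t); else bus_idle(t);
    }
    free(raw);
}

/* Receiver: one energy reading per slot in, payload bytes out. Threshold is the
 * midpoint of the observed range; decoding starts after the first 8-slot window
 * matching the preamble. Returns bytes decoded, -1 if no modulation/preamble. */
static unsigned slot_byte(const double *e, double thr) {
    unsigned v = 0;
    for (int k = 0; k < 8; k++) v = (v << 1) | (e[k] > thr ? 1u : 0u);
    return v;
}
int ook_demodulate(const double *energy, size_t n, uint8_t *out, size_t cap) {
    if (n < 16) return -1;
    double lo = energy[0], hi = energy[0];
    for (size_t i = 1; i < n; i++) {
        if (energy[i] < lo) lo = energy[i];
        if (energy[i] > hi) hi = energy[i];
    }
    if (hi - lo < 1e-6) return -1;                 /* flat: nothing transmitted */
    double thr = (lo + hi) / 2.0;
    size_t start = n;
    for (size_t i = 0; i + 8 <= n; i++)
        if (slot_byte(energy + i, thr) == PREAMBLE) { start = i + 8; break; }
    if (start == n) return -1;
    int count = 0;
    for (size_t i = start; i + 8 <= n && (size_t)count < cap; i += 8)
        out[count++] = (uint8_t)slot_byte(energy + i, thr);
    return count;
}

/* Constructed channel model for offline testing (not real readings): `lead`
 * idle slots, then one reading per framed bit, mark ~0.9 / space ~0.1 + jitter. */
size_t simulate_channel(const uint8_t *msg, size_t len, size_t lead,
                        double *energy, size_t cap) {
    uint8_t bits[8 * 256];
    size_t n = frame_bits(msg, len, bits, sizeof bits), m = 0;
    for (size_t i = 0; i < lead + n && m < cap; i++, m++) {
        double jitter = (double)((i * 7) % 5) * 0.02 - 0.04;
        int mark = i >= lead && bits[i - lead];
        energy[m] = (mark ? 0.9 : 0.1) + jitter;
    }
    return m;
}

int main(void) {
    ook_transmit((const uint8_t *)"Hi", 2);   /* 24 slots, about 240 ms of bus activity */
    return 0;
}
```

Two points worth noticing in the design. The receiver never needs to know what the stores were, only whether a slot was busier than its neighbours, which is why the whole receive side is a midpoint threshold plus a preamble search; that is exactly the "two distinguishable patterns" claim. And the `#else` fallback is not equivalent to the SSE2 path: ordinary stores are absorbed by the cache and only reach the bus on eviction, so on a non-x86 build the mark slot would be far weaker, which is the reason the thread is interested in non-temporal instructions in the first place.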

