
Air-Gapped Computers Can Be Compromised Using EM Side-Channel Attacks - infosecbuzz
http://www.tripwire.com/state-of-security/latest-security-news/air-gapped-computers-can-be-compromised-using-em-side-channel-attacks-says-researchers/
======
schoen
I found this summary of the paper disappointing. The paper that this is
reporting on is at

[http://users.ece.gatech.edu/~az30/Downloads/Micro14.pdf](http://users.ece.gatech.edu/~az30/Downloads/Micro14.pdf)

and describes a framework for measuring _how bad_ side channel risks are
(using custom software that tries to create a worst-case scenario by
intentionally signaling to the outside world). They then turn out to be pretty
bad, in the intentional case, but a big part of the researchers' contribution
is that perhaps this is quantifiable, for each particular kind of side channel
that one wants to examine.

This paper did not introduce any new kind of side channel, and extensively
cites literature in which other people introduced (and often demonstrated) the
side channel and emanations risks. These risks are often very bad, governments
have studied them intensively since at least the 1960s, and it's a great thing
that academic researchers are now helping make the public familiar with them.
Hopefully that will lead to some techniques for mitigating them in practice
other than living and working in a SCIF.

Indeed, for timing-channel attacks there are lots of important mitigations
that software developers are now learning about (having to do with performing
operations in constant-time). Maybe this research can point to ways of making
some operations (approximately) constant-power, so power and RF-related
information leakages will be attenuated.

~~~
tptacek
Power side channels are extensively studied. See, for instance, most smart
card research.

~~~
schoen
You're right. Maybe I should just say that this research provides a possible
way to measure how effective mitigations have been, if we believe that their
metric is meaningful.

------
rdl
Most of these attacks can be mitigated through physical separation; the
official standards specify allowable signal strengths at perimeter for
spurious emanations. (Obviously attackers can use directional/high gain
antennas, but there are RF limitations.) The stuff Cryptography Research does
vs. Android phones to extract keys from tens of feet is pretty terrifying.
[http://www.cryptography.com/technology/dpa/dpa-qa.html](http://www.cryptography.com/technology/dpa/dpa-qa.html)

One interesting extension beyond the classical 1960s TEMPEST/Van Eck stuff is:
If you can run malware on the target computer, you can obviously increase the
effective gain through a variety of techniques.

What I'd be super interested in would be active RF attacks -- similar to the
NSA toolkit with the passive external-RF-powered transmitter for implants, but
ideally without modifications. Either causing specific errors or something
else. Forcing resets might be enough. It'd be sort of a crossover between EMP
and TEMPEST. Knowing, for instance, that the target security system controller
is the only device connected to an 18.2m long wire within a facility might
make it profitable to do a targeted attack on a certain frequency.

~~~
schoen
Cf. [https://spqr.eecs.umich.edu/emi/](https://spqr.eecs.umich.edu/emi/)

It would be very important to know if a digital equivalent is possible.

------
SEJeff
This type of attack is often mitigated by making the entire room a faraday
cage. I know that many SCIF[1] facilities where top secret information is kept
have more or less faraday cages as part of the walls to conform with the
TEMPEST standards.

[1]
[http://en.wikipedia.org/wiki/Sensitive_Compartmented_Informa...](http://en.wikipedia.org/wiki/Sensitive_Compartmented_Information_Facility)

[2]
[http://en.wikipedia.org/wiki/Tempest_%28codename%29](http://en.wikipedia.org/wiki/Tempest_%28codename%29)

~~~
eridius
Would it be practical to turn a computer case into a faraday cage, or are
there issues with the keyboard and screen as well?

~~~
Animats
Yes, and there was once a Tempest-qualified DEC VT100 terminal. Fine wire mesh
over the CRT face, an RF-tight metal case, and fiber optic I/O. It looked much
like a regular VT100.

The US military tests their gear for this. Their test facility:
([http://www.epg.army.mil/e3tf.aspx](http://www.epg.army.mil/e3tf.aspx)) has
RF anechoic chambers big enough for a tank. They're interested in both "can it
be eavesdropped upon" and "can it be interfered with".

Modern electronics is much RF-quieter than older stuff. This is because so
much of it has radios inside. If your device generates much RF hash, the WiFi,
Bluetooth, and cellular radios will all have much-reduced range. In the early
days of personal computing, some devices were very noisy. A Radio Shack TRS-80
and a Milton Bradley Big Trak toy would both crash if operated near each other.
We're way beyond that now.

The FCC's requirements on RF noise from electronics helped a lot. There was
much grumbling at the time from hobbyists about RFI compliance requirements
interfering with their freedom to tinker. The FCC was right, though. Today,
almost no consumer electronics interferes with other consumer electronics. You
can use a cell phone inside a data center and receive clear calls. Cell phones
themselves have several radios, all going at once.

This is a remarkable achievement in RF compatibility. For a sense of how bad
it once was, see the Marine Radio Society,
([http://www.radiomarine.org/](http://www.radiomarine.org/)), which has
restored an abandoned ship-to-shore radio station in Marin County, CA. All the
receivers are in one building. The transmitters are in another building,
several miles away, to keep them from interfering with the receivers.

~~~
noir_lord
> A Radio Shack TRS-80 and a Milton Bradley Big Trak toy would both crash if
> operated near each other. We're way beyond that now.

You just reminded me of something, back in the 80's I had a ZX Spectrum (I'm
in the UK) which the TRS-80 was similar to.

The HAM operator down the road eventually figured out it was me with the
computer, when I was using it, the RF bled across _everything_.

------
otakucode
A year or so ago there was a security researcher who claimed that he had
machines which were being compromised through some sort of side-channel attack
like this. It was reported on a couple times on Ars Technica I know, and there
was debate in the security community whether he was on to something or whether
he had simply snapped and was being paranoid. As I understood it he was a
well-respected guy in the field. What ever happened to him? After reading a
couple reports, and that he was going to be sending hard drives to some
colleagues to get a second opinion, I never saw any followup. Anybody know?

~~~
marssaxman
I would guess that you are thinking of Dragos Ruiu and the "BadBIOS" malware.

------
Animats
You have to have a program running on the computer under attack for this to
work, because it has to execute specific instruction patterns. It can only
send blind; it can't receive. The main situation in which this would be useful
is when attack software has been placed on a laptop, then used by the target.

RF attacks on serial connections (which includes not just serial ports but USB
and Ethernet) are much easier. All the bits you want are right there.
Historically, Teletypes generated RF which was easy to monitor, and the Friden
Flexowriter could be monitored from half a mile away.
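Added example, not code from the paper or from any commenter: the "send blind" situation described above, simulated end to end. The cooperating program on the air-gapped host alternates between an emitting instruction pattern and an idle one, one slot per half-bit, Manchester-encoded so the receiver stays in sync; the receiver watches an amplitude trace, locates a preamble by matched-filter correlation and recovers the bits. The preamble, slot length, signal amplitude and noise level are assumed values, and the trace is a constructed stand-in for an SDR capture; nothing here touches hardware.

```python
"""Simulated intentional EM covert channel (added example, no real hardware)."""
import random

SAMPLES_PER_SLOT = 8          # receiver samples per half-bit slot (assumed)
PREAMBLE_BITS = [1, 1, 1, 1, 0, 0, 0, 0, 1, 0, 1, 0]   # hypothetical sync word


def bytes_to_bits(data):
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def bits_to_bytes(bits):
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(str(b) for b in bits[i:i + 8]), 2))
    return bytes(out)


def manchester(bits):
    """1 -> emit-then-idle, 0 -> idle-then-emit. Every bit carries one
    transition, so the receiver compares halves of a bit, not a global DC."""
    slots = []
    for b in bits:
        slots += [1, 0] if b else [0, 1]
    return slots


def tx_schedule(payload):
    """Half-bit slot schedule the transmitter program would execute:
    1 = run the emitting instruction pattern for a slot, 0 = sit idle."""
    return manchester(PREAMBLE_BITS + bytes_to_bits(payload))


def simulate_trace(schedule, rng, amplitude=1.0, noise=0.25, lead=13):
    """Constructed stand-in for an SDR amplitude capture: random lead-in
    samples, each slot held for SAMPLES_PER_SLOT samples, Gaussian noise.
    The lead-in is deliberately not a multiple of the slot length."""
    trace = [rng.gauss(0.0, noise) for _ in range(lead)]
    for slot in schedule:
        trace += [slot * amplitude + rng.gauss(0.0, noise)
                  for _ in range(SAMPLES_PER_SLOT)]
    trace += [rng.gauss(0.0, noise) for _ in range(lead)]
    return trace


def rx_decode(trace, nbits):
    """Find the preamble by correlating a bipolar template against the
    trace, then decode nbits Manchester symbols from the two half-bit means."""
    template = []
    for slot in manchester(PREAMBLE_BITS):
        template += [1.0 if slot else -1.0] * SAMPLES_PER_SLOT
    best_off, best_score = 0, float("-inf")
    for off in range(len(trace) - len(template) + 1):
        window = trace[off:off + len(template)]
        score = sum(t * x for t, x in zip(template, window))
        if score > best_score:
            best_off, best_score = off, score
    start = best_off + len(template)
    bits = []
    for i in range(nbits):
        sym = trace[start + 2 * i * SAMPLES_PER_SLOT:
                    start + 2 * (i + 1) * SAMPLES_PER_SLOT]
        if len(sym) < 2 * SAMPLES_PER_SLOT:
            break                      # ran off the end of the capture
        first = sum(sym[:SAMPLES_PER_SLOT]) / SAMPLES_PER_SLOT
        second = sum(sym[SAMPLES_PER_SLOT:]) / SAMPLES_PER_SLOT
        bits.append(1 if first > second else 0)
    return bits


def demo(payload=b"HI", seed=1):
    """Round trip: slot schedule -> simulated capture -> decoded bytes."""
    rng = random.Random(seed)
    trace = simulate_trace(tx_schedule(payload), rng)
    return bits_to_bytes(rx_decode(trace, 8 * len(payload)))


if __name__ == "__main__":
    print(demo())
```

The only thing the host-side program controls is the schedule; everything about amplitude, slot length and noise is a receiver-side calibration question, which is exactly what a framework for measuring how strong a given device's emanations are would feed into. At real-world SNRs the per-slot integration would be far longer and the preamble correlation is what keeps the channel usable at all.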

------
miander
This sure seems like a problem for servers that are hosted in a Colocation
facility where all of the hardware belongs to datacenter customers. You could
easily outfit your server with equipment to pick up signals from nearby
servers. Makes me wonder if any spy agencies have used this technique.

~~~
isman
That's why you put your servers in cages.

~~~
Florin_Andrei
It depends on the size of the gaps in the wire mesh around the cage.

------
caseysoftware
This is also called Van Eck phreaking and is a long-understood concept:
[http://en.wikipedia.org/wiki/Van_Eck_phreaking](http://en.wikipedia.org/wiki/Van_Eck_phreaking)

------
mark-r
This explains how malware might get information out of an air-gapped computer,
but how do you infect the machine in the first place? That would seem to be
the harder problem.

~~~
infogulch
If it communicates electronically, you could extract encryption keys and
hijack communications.

------
thesz
Self-synchronous logic does not have this kind of RF pattern. Or, at least,
has it in a much smoother way.

Self-synchronous logic does not have global clock and operations have
different timings.

As an example, in a synchronous logic one has to use carry-ahead variant of
adder to get _worst case time_ to O(logN). In a self-synchronous logic regular
ripple-carry adder will suffice and produce the result in O(logN) time in the average
case (yes, O(N) in the worst case, which will be met with probability p=1/2^N). Even
more, adding small integers of K bits will result in O(logK) operations.

This means that each operation will have different completion time in self-
synchronous logic. This is due to variance in inputs and/or temperature
variance.

This, in turn, means that radio emission from operation completion in self-
synchronous CPU will be much more smooth than for regular CPU.
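Added example, not from the commenter or the paper, putting numbers on the claim above. In a self-timed ripple-carry adder, bit i's carry-out is known immediately when the inputs generate or kill a carry, and only has to wait when they "propagate" it (a_i xor b_i = 1); completion time is therefore the longest run of consecutive propagate bits. The simulation below samples random operands and compares the average completion time with log2(N), and counts how often the O(N) worst case actually shows up. Operand widths and trial counts are assumed values.

```python
"""Completion-time distribution of a self-timed ripple-carry adder (added example)."""
import math
import random


def propagate_runs(a, b, nbits):
    """Lengths of the maximal runs of propagate positions (a_i xor b_i == 1),
    scanned from the least significant bit upward."""
    p = a ^ b
    runs, cur = [], 0
    for i in range(nbits):
        if (p >> i) & 1:
            cur += 1
        else:
            if cur:
                runs.append(cur)
            cur = 0
    if cur:
        runs.append(cur)
    return runs


def completion_time(a, b, nbits):
    """Number of ripple stages the self-timed adder must wait for: the
    longest carry chain. 0 means every carry was decided locally."""
    runs = propagate_runs(a, b, nbits)
    return max(runs) if runs else 0


def average_completion(nbits, trials, seed=0):
    """Mean completion time over random operands (constructed inputs)."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        total += completion_time(rng.getrandbits(nbits),
                                 rng.getrandbits(nbits), nbits)
    return total / trials


def worst_case_fraction(nbits, trials, seed=0):
    """Fraction of random additions that hit the full O(N) chain; the
    comment's claim is that this happens with probability 1/2^N."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        if completion_time(rng.getrandbits(nbits),
                           rng.getrandbits(nbits), nbits) == nbits:
            hits += 1
    return hits / trials


def completion_histogram(nbits, trials, seed=0):
    """Completion time -> count; this spread is the timing variance the
    comment says smooths the emission pattern of a self-timed CPU."""
    rng = random.Random(seed)
    hist = {}
    for _ in range(trials):
        t = completion_time(rng.getrandbits(nbits), rng.getrandbits(nbits), nbits)
        hist[t] = hist.get(t, 0) + 1
    return hist


if __name__ == "__main__":
    for n in (8, 16, 32, 64):
        print(n, "avg", round(average_completion(n, 5000), 2),
              "log2(N)", round(math.log2(n), 2),
              "worst-case fraction", worst_case_fraction(n, 5000))
    print(completion_histogram(64, 5000))
```

The average sits a little under log2(N) (the expected longest run of heads in N fair coin flips is about log2(N) minus a constant), and the full-length chain is essentially never seen once N is past a couple of dozen bits. Note that this only smooths the *timing* of completion events; it does not by itself make the amount of switching activity data-independent, which is what a power or EM side channel keys on.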

------
Intermernet
I prefer this one: "RSA Key Extraction via Low-Bandwidth Acoustic
Cryptanalysis"

"The attack can extract full 4096-bit RSA decryption keys from laptop
computers (of various models), within an hour, using the sound generated by
the computer during the decryption of some chosen ciphertexts. We
experimentally demonstrate that such attacks can be carried out, using either
a plain mobile phone placed next to the computer, or a more sensitive
microphone placed 4 meters away."

[http://www.tau.ac.il/~tromer/acoustic/](http://www.tau.ac.il/~tromer/acoustic/)

Video: [http://youtu.be/DU-HruI7Q30](http://youtu.be/DU-HruI7Q30)

I'm pretty sure there's a better video of the attack being performed
somewhere, but I can't find it right now.

------
dguido
Welcome to (at least) 2004?

[http://eckbox.sourceforge.net/](http://eckbox.sourceforge.net/)

EDIT: Should have just linked to the paper instead. It looks like their
primary contribution was an ability to measure the susceptibility of a device
to these kinds of attacks.

------
sauere
Semi-related: [http://fileperms.org/high-frequency-malware-communication.html](http://fileperms.org/high-frequency-malware-communication.html)

------
chrischen
Can this be mitigated by shielding the CPU? And are aluminum macbooks already
shielded from this?

~~~
emeraldd
There are all kinds of exposed wires on a computer system that extend beyond
the case. Even shielded, you could still get RF/EM off of something. To
protect a system from this kind of an attack vector requires deliberate design
choices and testing. You're not going to get it "by accident"

------
ChuckMcM
Makes me want to put an Ettus Research SDR board and a steerable Yagi antenna
in my datacenter 😄

