
Data Exfiltration from Speakerless Air-Gapped Computers via Hard Drive Noise - sohkamyung
https://arxiv.org/abs/1608.03431
======
JulianMorrison
Simple general extrapolation: if your device contains any software-actuated
part whose emissions of any form can be detected via passive sensing, or whose
operation can be detected via active sensing, then the device cannot be air
gapped.

~~~
nickpsecurity
Clive Robinson on Schneier's blog came up with a thorough notion years ago:
energy leaks plus "energy gapping" systems. He said if any form of energy or
matter could transfer from one system toward another device then it should be
considered a potential leak. So, you have to physically isolate them then
block the whole spectrum practically.

Each new story supports his model. Energy gapping for the win.

~~~
xgbi
Yeah, you could probably modulate some CPU load and emit noise from the
capacitors that are sitting on the power stage of the CPU.

Scary stuff...

~~~
pbsd
[https://www.tau.ac.il/~tromer/acoustic/](https://www.tau.ac.il/~tromer/acoustic/)

------
sandworm101
So this isn't a thing on SSDs?

In all seriousness, this is nothing new. People have been exfiltrating data
from the moving parts of drives for years. Even humble floppy drives can send
messages at a great distance. Here are some vids of them transmitting sound files
to external receivers.

[https://www.youtube.com/watch?v=bGSTYvx5c78](https://www.youtube.com/watch?v=bGSTYvx5c78)

[https://www.youtube.com/watch?v=G081hD0nwWE](https://www.youtube.com/watch?v=G081hD0nwWE)

And this guy does the same with a single HDD.

[https://www.youtube.com/watch?v=_kYlZC7hSV0](https://www.youtube.com/watch?v=_kYlZC7hSV0)

If you have control of any moving part you can tap out messages to either a
microphone or someone watching your power consumption.

------
sfifs
If someone has sufficient physical access to an airgapped computer to both
install malware and place detection devices around it, wouldn't there be far
simpler ways to exfiltrate data?

~~~
kossae
I believe the point here is you don't need to be able to physically touch the
computer. You can be 6 ft away from a server locked from physical access (via
lock or other mechanism), although I'm not sure how containers around the
airgapped computers affect this data transmission.

------
sytse
A few years ago I thought air gapping was foolproof. Now we've seen so many
different attacks:

- HDD noise

- Ultrasound via speakers

- Electric capacitor sounds

- Power supply analysis

- USB file system

- LED blinking

- EM radiation (CPU, monitor)

- Wireless mouse/keyboard

~~~
reitanqild
Anything that is interesting at a bank, health or national security level
should already be fairly well protected:

* underground or otherwise well shielded facilities

* dedicated server rooms, switch rooms, comms rooms etc etc

* manned 2 stage gates for entry into facility + (electronic) access going into any department inside.

* strict regulations on what kind of equipment goes into the facility. (Wireless anything has been taboo since it came I think.)

What this doesn't handle is mostly:

* hostile sysadmins. You can only do so much about hostile insiders. Pair work, swapping peers, only allow updates once they have been vetted by a second crew etc can reduce the risk as can something as simple as being nice.

* hostile contractors that make it through despite your extensive vetting. They must also be cold enough to bring fancy surveillance gear despite the risk of getting caught.

* stuxnet-levels of effort from a resourceful and determined opponent, piercing your firewall carefully from the inside. Still then it would take time to get anything meaningful from electronic noise (and at this point the attacker can likely just read the data from memory, Target Credit Card style).

~~~
treebeard901
All of this equipment needs power so that could be another attack vector. For
example, we already have powerline networking. In theory you could include
something like that in a power supply, after all it does connect to the
motherboard and expansion cards. Of course it would require collusion among
many different companies but it may not be out of the realm of a nation state
attack.

~~~
SEJeff
No it wouldn't, it would just require intercepting the computer / parts en-
route:

[http://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-...](http://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/)

~~~
reitanqild
I remember reading about this.

You are right. But to our defense: at this point we are again beyond the
passive eavesdropping scenario I think we discussed above.

When you own the networking gear it is more or less game over for the victim
anyway, isn't it?

------
showerst
Awesome!

Could this attack be defeated by pumping white noise into a space, or would it
have to be too loud to be practical?

~~~
LinuxBender
Perhaps. I would just put the equipment in the "Band Room". i.e. Sound proof,
you can't even hear the drummer. Power conditioners will stop most signal
leakage. There are no windows in the band room, so LEDs aren't an issue.

Not enough? Have folks play heavy metal with 12 4kw amps. Anyone trying to
monitor will have their ears bleed.

~~~
ktta
Unless the hard drive holds data in the petabyte area, I think it just might
be more cost effective today to use SSD. Although the SSD route might exceed
the cost for the options you mentioned, SSD has other advantages including
being future proof.

------
Practicality
So, this is the practical version of using your hardware to play music?

(Example) :)
[https://www.youtube.com/watch?v=w68qZ8JvBds](https://www.youtube.com/watch?v=w68qZ8JvBds)

------
jakobegger
Yet another reason to move to SSDs...

~~~
williamscales
"Data Exfiltration from Speakerless Air-Gapped Computers with SSDs via CPU Fan
Noise"

~~~
sohkamyung
The inertia of the fan blades rotating probably limits the data rates you can
get with this method, assuming rotation speed correlates with sound frequency
(to distinguish between 1 and 0). I would guess it might be a few bits/minute.

};-)

~~~
Hydraulix989
And the hysteresis of the cooling policy.

~~~
teekert
"Data Exfiltration from Speakerless Air-Gapped fanless Computers with SSDs via
screen brightness variation."

"Data Exfiltration from Speakerless Air-Gapped fanless Computers with SSDs via
subtle screen color-temperature variation."

~~~
ricksplat
I remember reading in a computer magazine, about 15 years ago, about a
technology, or else an area of research, that claimed to do just this: to infer
what is being typed on-screen from subtle variations in radiation emitted from
the monitors. Apparently some degree of success was possible even outside a
building. It probably related more to the CRTs of the day, and the less noisy
UIs.

~~~
shalmanese
Van Eck Phreaking:
[https://en.wikipedia.org/wiki/Van_Eck_phreaking](https://en.wikipedia.org/wiki/Van_Eck_phreaking)

------
w8rbt
Flashing LEDs is a possibility too. Like Morse Code, you could flash a dit and
a dah (1 and 0) to represent bits. More advanced techniques using proper
timing and spacing to form letters and words may allow for more data
extraction. I bet you could get about 60 characters (bytes) per minute. Maybe
more. Would need a smart phone or camera to read it.

~~~
Gracana
LEDs can be pretty darn quick. My friend was able to use a status LED on his
FPGA board as a toslink transmitter.

------
cstross
You know where this is going?

iPads. Kept in a Faraday cage and provisioned with apps over a cable from a
neutered host (read-only drive, maybe? Anyway: locked down and firewalled to
prevent unapproved software updates).

Alternatively: the market for refurbed LSI-11s is booming.

~~~
cpach
I don’t get it… What is it about LSI-11 that makes it useful in this
context?

~~~
cstross
... It pre-dates TCP/IP (not to mention most of the bells and whistles malware
can get its hooks into, not to mention not generally having any audio i/o at
all, or a bunch of other surplus doodads people expect these days that expand
the threat surface of the machine).

~~~
cpach
Ah, I see :)

------
codeddesign
Given that stuxnet was probably delivered through USB, the only way forward is
not going to be prevention but detection by having both automated guards and
"physical" guards.

------
cagey_vet
a white or pink noise generator may overcome this, seems strange to consider,
but then again, the vector even sounds strange.

------
mxuribe
That's just crazy! Such cleverness!

