
Malware that uses USB drives to covertly jump airgaps - k__
http://arstechnica.com/security/2016/08/meet-usbee-the-malware-that-uses-usb-drives-to-covertly-jump-airgaps/
======
rthille
My use for an air-gapped machine is for a personal CA (certificate authority).
I'm using a RPi2 for this (no wifi). Procedure:

1. Download all the software needed for the CA (possibly getting compromised packages).
2. Disconnect from the network, set up the CA.
3. Set up an intermediate CA on a YubiKey.
4. Turn off RPi2 and store micro-SD card with CA secrets in a safe.
5. If CA needed in the future, only plug in "CA" micro-SD when RPi is not connected to the network.
6. Since the CA is never in a machine connected to a network, even if the RPi2 is compromised (assuming it's not the secret generation) the secrets aren't leaked.

However, with this attack, or a similar one, maybe my laptop is also
compromised and the RPi2 can exfiltrate to the laptop (which is nearby and
connected to the network). Perhaps via toggling the caps-lock LED on the
keyboard (at a high rate with low duty cycle so it's invisible to the eye) or
via the monitor cable. Security is "fun"

------
pjc50
An interesting new variant of what you might call "active TEMPEST": a program
running on the target machine that changes its EM emission spectrum. Of
course, if you can plug a thumbdrive into an airgapped machine and get a radio
receiver within a few feet of it, I really wouldn't call it "airgapped" enough.
You might as well just write to the USB drive.

Maybe it could be made to work with mice and keyboards, which have nice long
cable antennas. They're supposed to be shielded but are often poor.

Play along at home:
http://www.icrobotics.co.uk/wiki/index.php/Turning_the_Raspberry_Pi_Into_an_FM_Transmitter

~~~
AstralStorm
Replace "few feet" with "up to about 100 m" for a properly designed EM signal
and high sensitivity directional antennas.

------
colinbartlett
> As Ars has noted in previous coverage, the techniques are theoretically
> effective, but their utility in real-world situations is limited. That's
> because the computers they target still must be infected by malware. If the
> computers aren't connected to the Internet, the compromise is likely to be
> extremely difficult and would most likely require the help of a malicious
> insider, who very well may have easier ways to obtain data stored on the
> machine.

Nonetheless, an interesting technique. Is it even possible to have a useful
workstation these days without _any_ USB devices?

~~~
kalleboo
> Is it even possible to have a useful workstation these days without any USB
> devices

All my gear is on the network these days. The only USB device I regularly plug
in is a dumb 5V fan from the dollar store... I imagine these days it's more
possible than ever.

Air-gapped computers (which is what this seems to be targeting) on the other
hand are surely going to do all their data transfer over USB.

~~~
tcoppi
You have a networked keyboard/mouse?

~~~
csydas
Well, it's possible they have something like Synergy installed to control
multiple machines, maybe.

Or else, perhaps they're talking about headless machines where it's just a box
with power and ethernet.

~~~
tcoppi
I could see Synergy for a workstation, but eventually one of the turtles on
the way down will most likely have a keyboard/mouse connected to USB. Headless
for servers certainly.

~~~
djrogers
Bluetooth - that's a network. Not to mention, my laptop has no external KB or
mouse.

~~~
shabble
A lot of laptops present the keyboard and touchpad/whatever as internally
connected USB devices.

So, if you want to disable USB by epoxying the externally facing connectors,
that might work, but it means you can't do things like completely disable
support at the BIOS or kernel level if you want those things to still work.

------
anonbanker
9 foot range, 26 feet if you have a hard drive with a USB cable plugged in.

Doesn't work with thumbdrives.

More importantly, the airgapped computer _needs to be already compromised_
before the attack can occur, and you must have write access to the drive.

While they show an Ubuntu machine next to the compromised machine, there are no
signs that the malware works under Ubuntu.

Neat research, but limited utility.

~~~
xigency
Also, the transfer rate is 80 bytes per second.

~~~
AstralStorm
Plenty for sending out a password. For extra ownage, exploit the OHCI DMA to
get memory access to anything.

Heck, it is easier to just connect a prepared radio with hardware exploit.

~~~
xigency
Right, but you won't be pulling down classified PDFs in any reasonable time.
If you have access to the machine to run code, I don't see why you need "a
password" particularly.

I thought the purpose was extracting information.

------
breitling
This isn't any new research. It is believed this (air gap) is one of the ways
Stuxnet spread many years ago [1]

[1] https://www.wired.com/2014/12/hacker-lexicon-air-gap/

~~~
underwater
The article says that Stuxnet spread to target machines by using files on
infected USB drives. This is different, data is transmitted from an off-the-
shelf drive via electromagnetic interference.
