Israel develops wireless-malware-injection-by-smartmobe tool

It's not the next Daniel Suarez plot; Israeli academics have developed software they say can use your mobile phone to detect electrical impulses, and foist malware to computers physically disconnected from any internet facing network. Ben Gurion University professor Yuval Elovici told The Times of Israel that his team …

COMMENTS

This topic is closed for new posts.
  1. Paul Crawford Silver badge

    I see no feasible way of pushing malware on to an air-gapped computer. The sort of RF power needed to flip bits is simply going to crash it. Unless it has something like wi-fi or bluetooth operating of course!

    Getting data off an already infected but now air-gapped computer is within the bounds of belief, but unless you are looking at very special hardware (i.e. not a mobile phone) then the data rate would be very low as it is not so easy to get most hardware to generate a wanted modulated signal that won't be drowned by the usual chatter of data and address bus activity of both the PC and the phone (along with the usual spread-spectrum clock typically used to help meet EMC requirements).

    1. RobHib

      Agreed -- @ Paul Crawford

      Agreed, if you have a detector sniffing the RF leakage from keyboards, screens etc. then you can sniff that. Years ago, PGP had a secure view (video) mode to overcome that problem.

      Infecting a machine that doesn't have 'sensors' [receivers] to detect a RF data stream is another matter altogether. Even if theoretically possible, doing so from a low powered cell phone that already has a severely limited range of transmitter frequencies (~1GHz or so plus the usual wireless and Bluetooth stuff) is highly unlikely (and you'd have to know a reasonable amount about the internal electronics etc. to have a sporting chance). Even with a reasonably high powered transmitter with a theoretical DC-to-daylight frequency output range then you'd still have a problem.

      Seems to me Stuxnet could only get onto the centrifuge via existing hardware ports: wireless, LAN, USB, floppy disk etc. Lots of stray RF near computers usually crashes them.

      1. RobHib

        Re: Agreed -- @ Paul Crawford

        BTW, whilst eliminating mobile phones from workers today might be nigh on impossible, a secure environment could easily ensure the cell phones were only ones without an internet connection (and that was the condition of entry/employment etc. I'd not think this unreasonable in a nuclear research establishment and such).

        Such phones do still exist. My own cell phone is an LG (model A-190) which has no internet connection (only phone and text). This is deliberate; I prefer to use a laptop or netbook.

        1. Anonymous Coward

          Re: Agreed -- @ Paul Crawford

          You can manage without mobile phones in a secure military environment, I have had to!

          Banning mobiles and having detectors to sniff the airwaves looking for the presence of people flouting the ban is a definite possibility.

          One place I worked at, anyone caught with a bluetooth phone was immediately kicked off site, and they used to go round with bluetooth sniffers to catch people.

      2. Charles Manning

        Re: Agreed -- @ Paul Crawford

        Stuxnet did not get onto the centrifuge PLC. It infected the computer that programmed the PLCs.

        The PLC programming tools on the PC use various DLLs in the back-end compiler that generates & manipulates the PLC code that is downloaded into the PLC.

        Stuxnet switched the DLLs for malicious DLLs that generated bad code.

        Regardless, crossing airgaps in anything but a contrived lab environment is quite likely close to impossible. Basically you'd need to use some EM interference to flip specific bits to specific values. Not going to be easy at all.

      3. RobHib

        @ RobHib -- Boot Note -- Re: Agreed -- @ Paul Crawford [Two weeks on]

        BOOT NOTE -- TWO WEEKS ON

        ---------------------------------------------

        Just read an article in New Scientist, 21 June 2014, No. 2974, p20 about this matter titled: Opening a can of bugs -- NSA spy gadgets built using info leaked by Edward Snowden.

        It says radio hackers have reverse engineered NSA gadgets on info supplied by Snowden (based on the NSA's Advanced Network Technology). The article is brief and non-technical and refers to software-defined radio (RF generated presumably by developing Fourier/DSP transients etc. (equivalent filters) to generate RF frequencies without coils and inductors). Can be mounted in USB etc.

        There's essentially two types: sniffers that collect the 'coherent' noise from keyboards, video cables etc. and ones that inject signals.

        The vagueness and non-technical nature of the article doesn't help. But on the info supplied, this tech doesn't seem to violate RF engineering: RF leakage from non-message-producing devices (in the RF sense, as opposed to leakage from a computer, which is 'partially coherent').

        Essentially, the key issues remain the same: there are RF sniffers that detect switching 'noise' and send it off for further processing, and systems that generate RF which can be implanted, thus allowing info to escape by RF. The 'breakthrough'--if you can call it that--is the SDR, software defined radio, which allows transmissions on a very large band of frequencies (not being limited by tuned oscillators etc.) [heaven help the harmonics/interference to other RF devices!]

        The SDR in this schema is somewhat functionally equivalent to the hypothetical DC-to-Daylight transmitter that I proposed in my earlier post. Basically, SDR allows any old TX frequency to be dialled up in software (over a large but not definitively announced band of frequencies). It states that these frequencies can cover AM, FM, GSM and Bluetooth, which implies a range from about 0.5 MHz to 2 GHz or more, which is very wide (as it covers all wireless technology old and new, domestic and industrial/commercial, and perhaps up to the 5 GHz band or even higher). (Very handy, I'd like several to distribute FM/AM/TV broadcasts to small portable devices around my house, methinks.)

        In summary, watch out for spider like things attached to or hanging off your keyboard and video cables with 2cm of wire (antenna) attached; araldite your PC closed and bootstrap it with anti-tamper seals; and don't let USB devices, stray monitors, keyboards etc. that don't have a proper security 'lineage' (guaranteed free from tampering) anywhere near your PC.

        Nothing much has changed, but the ante has been considerably upped (and it'll be surprisingly sophisticated in its delivery and miniaturised packing and such), as the money thrown at it by the NSA et al will essentially be limitless.

        The good news is that the article also points out that hackers are working all-out to reverse engineer this stuff and to provide suitable antidotes.

    2. knarf

      DisAgree --

      Have your PC speakers never chattered with mobile phone interference? This is the phone interfering with a subsystem within the PC (TV or radio), most likely the sound card. Now if you could develop this so it developed a buffer overrun on the sound system you might be able to inject data or code into the computer itself.

      You also have to remember that mobile phones are computers with a very broad RF broadcast range; so if you can find a common subsystem or range of common subsystems that can be targeted, the chances are that they use the same chipsets such as USB, Bluetooth, Wifi, Ethernet. Just because there is no configuration of a subsystem (eg network, wifi, IR) does not mean it is not powered, working and, more importantly, serviced by the OS.

      Also think of other attack vectors such as a picture on a web site that can inject code into the client OS (very common).

      1. Paul Crawford Silver badge

        @knarf

        Do you know anything about what you are talking about?

        Buffer overruns and similar attacks (e.g. mal-formed pictures) require you to actually have the PC do something with the data that is subject to a lack of validation. That is simply not possible with a sound system bar, perhaps, voice-to-text-to-command conversion, which is hardly likely.

        Same for other routes, to actually inject data to a system that is not expecting it (wired network, USB cable, etc) needs a LOT of energy, not something that is going to go unnoticed and not something you will get from a mobile phone meters away.

        First time I got an ESD test gun I did the obvious - ignored the instructions, wound it up to maximum (above 18kV) and tried it on my PC. It was fine, but I crashed an old (pre-EMC regulations) PC in the adjacent office.

        To do so took a lot of peak power, and it is virtually impossible to induce such a crash in a controlled manner to exploit it. It is not like a buffer overrun where you can inject code in a specific place, you induce data/address corruption in a GHz clocked PC and you have no idea of just where it is going to bork at.

      2. Anonymous Coward

        >"This is the phone interfering with a subsystem within the PC [...] most likely the sound card"

        No it isn't. That interference is being picked up by the (antenna-like) cable between the sound card and the speakers, or perhaps in the final output transistors of the audio amp. It's entirely on the analog side of the hardware. There are no buffers to overrun, no executable code, no memory and no CPU where that's going on. I don't think your speculation is based on any actual knowledge of hardware design, is it?

      3. TkH11

        The physics around it

        There are only two ways to get a program (a virus, malware or anything else) into a system:

        1) You have a program running which reads input data from somewhere, and you inject into that input data stream the malicious software. You rely on vulnerabilities such as buffer overruns to get the malicious software into the ROM, RAM, disk storage where it is held and then subsequently executed.

        2) You force data bits into the RAM, ROM, onto the disk using either a magnetic coupling technique - magnetic induction - or capacitive coupling using an electric field.

        Those data bits represent the malware. That's how you get the malware in, but then how does it get executed by the processor. That's another question. A program, malware, firmware does nothing unless it can be executed by the processor.

        To get the malware data bits in via these means, you will need either a strong enough magnetic field to induce a high enough current or a strong enough electric field to induce a voltage, of sufficient strength to write data bits directly into the storage medium. If it's a RAM chip, possibly 3V; ROM, probably higher.

        Physical separation matters here, the further the injecting device is from the storage medium the greater the electric or magnetic field needs to be.

        You would need strong fields (of either electric or magnetic) to be able to change the bits in the storage medium, which probably can't be induced by a mobile phone.

        The interference people hear when a mobile phone interferes with microphones or with the speakers of a computer is caused by those aforementioned techniques, but the signal levels in use by the microphone and speakers are very low, and current levels are also low (active speakers use amplifiers).

        Let's suppose you could generate a high enough magnetic or electric field to change bits in the storage medium, how the flipping heck could you control which bits you flip and where your malware actually goes, bit by bit, byte after byte in sequence! A near impossibility!

  2. Buzzword

    Sowing confusion

    In WWII, the Brits had radar and the Germans didn't. Allegedly the Brits told the Germans that they had better eyesight because they ate lots of carrots.

    This story is similar smoke & mirrors. It draws your attention away from the real vector of infection, which as other commenters state was most likely plain old USB sticks and a brown envelope stuffed with banknotes to gain access.

    1. Tony W

      Re: Sowing confusion

      yes, but ... If smoke and mirrors, who is it aimed at? The people who are trying to protect systems against Israeli attack would presumably know enough to realise that attacking a system without a radio receiver via a mobile phone isn't feasible. A system with a radio receiver might be vulnerable to attack via a mobile phone, but that wouldn't be astonishing, even though it might be "air-gapped" in the most literal sense.

      I always wonder what it's about when I see technical terms that are actually meaningless in the context. In this case "FM frequencies". Does this mean the frequencies that are used for FM domestic radio transmissions (around 100 MHz), which would need a large aerial to radiate with useful efficiency? Seems unlikely but if not, what? This phrase is really just words devoid of any useful information.

      1. Matt Bryant Silver badge

        Re: Tony W Re: Sowing confusion

        ".....If smoke and mirrors, who is it aimed at?...." Friend and foe. The Israelis have a history of duping their Arab enemies into thinking they have almost superhuman powers. And it never hurts to make your own populace believe you have a massive technological edge over enemies that outnumber you. As long as you're not caught out lying (as Iran has been numerous times with their claims of rocket and science 'break-throughs') you can even avoid conflict by making the enemy (in this case Iran) waste their time and resources looking for (probably) non-existent security threats. I'll bet you, even though they may not actually believe the Israeli story, that the Iranians will be banning all mobes from top secret facilities.

        In Cairo in 1996, I was told by otherwise quite clever and technically-literate Egyptians that the Israelis had perfected X-Ray specs, allowing their spies to see right into Egyptian buildings and read documents locked in safes. The story was even repeated as fact in Egyptian newspapers. I have no idea if the Israelis started the rumour but there was no doubting the effect - people were being stopped in the street so the local police could examine their sunglasses, just in case. Attempts to discuss the physical impossibilities of such kit were often disregarded with the line 'it's the Israelis, who knows what those devils can do?'

        1. Matt Bryant Silver badge

          Re: Tony W Sowing confusion

          ".....the Iranians will be banning all mobes from top secret facilities....." If you think about it, this could actually be used by the Israelis to spot which buildings hide top secrets. If they are following the movements of an Iranian scientist or general, and every time he goes into building A he now switches off his mobe, it points to building A being worthy of more attention.

    2. emmanuel goldstein

      Re: Sowing confusion

      well said. another example, closer to the source of this story, is the web of lies built around uri geller. lies that certain powers found quite useful, and certainly encouraged.

    3. CAPS LOCK

      Re: Sowing confusion

      Err, no, radar was invented by a German, Hulsmeyer, based on the work of Hertz of Hertz fame.

    4. Matt Bryant Silver badge

      Re: Buzzword Re: Sowing confusion

      "In WWII, the Brits had radar and the Germans didn't....." Not quite. The Imperial German Navy was experimenting with ranging radar in 1918 and the British and Germans were in a race to get radar in use in an effective manner long before WW2 kicked off. The difference was the Brits in 1940 were the first to build radar into an effective air defence system, the first to employ a system using different types of radar to guide nightfighters into a point where they could pick up a target bomber on their own radar sets, and the first to make effective sets small enough to be carried in nightfighters. In some ways the Germans were ahead in radar tech, especially long-range radar, but lagged in effective employment of the technology.

      ".....Allegedly, the Brits told the Germans that they had better eyesight because they ate lots of carrots." Needing to keep their success with radar a secret, the Government told the British population and foreign (especially American) journalists the story that their night fighter pilots were on a special diet, including lots of carrots, to boost their night vision. As expected, the story got back to the Germans, who therefore didn't realise the advances the Brits had made for another two years.

      The Brits were masters of the art of deception throughout the War. Amusing examples include the German belief that the Brits had the ability to pipe petrol in quantity into the sea at any point on the Channel coast, allowing them to 'set the Channel ablaze'. This particular wheeze was courtesy of the inventive Petroleum Warfare Department, set up by Churchill to prey on the psychological horror soldiers have of being burnt to death. In reality, due to the immense cost in steel and oil, only a tiny section of the Margate cliffs had such kit installed, though it was demonstrated to foreign press with the claim of being 'all along the coast'. Other examples include the mythical 7th Division (Cyprus), where British Military Intelligence faked radio traffic, postal mail, supply and transfer requests, disciplinary hearing records and even medical records for a whole imaginary division (about 10,000 men) in Cyprus for three years, to hide the truth that the island was virtually undefended.

  3. Richard Boyce

    Vulnerability in Bluetooth?

    I agree that it seems unlikely that a computer is vulnerable if it has no active hardware designed to listen to radio signals. A computer communicating with others on a LAN via wireless networking may not be connected to the Internet, and thus be "air-gapped" as far as the author is concerned. Plus, this all could just be a professional windup aimed at certain people.

    However, the short range mentioned is indicative of an attack using Bluetooth, which is often enabled by default in laptops and other devices. If you don't need it, turn it off and prevent it being turned on behind your back. The same applies to other sensors such as those using infrared.

  4. Pierson

    EMI on a LAN connection?

    The linked article in the Times of Israel is so vague as to be nonsensical, and references the installation of malware on both the phone and the target computer, which then cooperate to form a covert channel over the air-gap - so far so conventional.

    The article then suggests that the malware on the PC jumps the air gap during installation by some kind of EMI magic, also, but is painfully vague on the mechanism used.

    One possibility, if the phone malware can access the baseband features of the phone's radio, is the injection of packets onto a wired LAN by inducing a current in the network cable. Phone radios can certainly operate in the high MHz / low GHz bands required, are quite powerful within the 6m range stipulated, and are well known as sources of induced EMI.

    Whether this is feasible is extremely debatable, but it approximately fits the hand-waving in the original article.

    1. Anonymous Coward

      >"inducing a current in the network cable"

      Excuse me, but don't ethernet cables use balanced lines?

  5. Version 1.0 Silver badge

    This is quite credible

    I can see a couple of ways of doing this - at least ways to approach the problem of bridging the air-gap. I suspect the real vulnerability here is an EMI attack on peripheral support chips in the PC which would provide an easy access to system memory and resources.

    1. Bloakey1

      Re: This is quite credible

      Exactly.

      EMI would be the way to do it, as a computer is effectively a giant receiver / transmitter in its own right, as are quite a lot of complex electronic devices (that were not specifically designed as such). They are prone to picking up all sorts of RF such as mobile phone chatter etc. I have quite often seen a computer picking up RF in the FM range; the last time it was an FM music channel. I have also seen other devices doing the same and I am told that hearing aids etc. suffer from the same peculiarities.

      A simple radio receiver can be built as follows:

      Low impedance headphones.

      Variable capacitor.

      Thermionic diode.

      A few wires.

      I built one like that 40 years ago.

      The time of Tempest and the Faraday cage are back.

      1. Paul Crawford Silver badge

        Re: This is quite credible

        Er, no. A typical PC is pretty immune to mobile phone signals, otherwise it simply crashes. What you are thinking of is interference to the audio systems, but that counts for nothing really (bar spoiling your YouTube videos, etc).

        As already stated, it is easy with lots of power to crash a PC but much harder, to the point of being virtually impossible, to crash selective sections. And the PC is already in a Faraday cage, called its box.

        An attack based on bluetooth/wifi is much, much more likely as a large number of PCs have those enabled by default and mobile phones can communicate with them. Even if logically "off" it is quite likely that the protocol stack has vulnerabilities that can be exploited to access the PC.

        Hell, I once managed to wipe the boot sector of an XP PC when developing a USB peripheral while using MS' own stack and drivers. So if it can be done there, I have no doubt it is at least theoretically possible with wifi/bluetooth if the hardware is on and listening, even if not supposedly used.

        1. Bloakey1

          Re: This is quite credible

          "Er, no. A typical PC is pretty immune to mobile phone signals, otherwise it simply crashes. What you are thinking of is interference to the audio systems, but that counts for nothing really (bar spoiling your YouTube videos, etc)."

          <snip>

          I would class the audio system as part of the computer. I also know how one can induce patterns into power input, the step-down part of a transformer etc.

          In the past I have run slow scan over non-standard means such as power lines, infrared comms networks etc. I strongly suspect that a sequenced power pulse could spoof a computer into doing all sorts, and it could be induced in many ways from direct input, induction e.g. into the step-down coil in the transformer etc.

      2. TkH11

        Re: This is quite credible

        It's high impedance earphones which are used - to draw as little current as possible from the radio receiver. In that way, the radio doesn't even need a power supply; the energy in the received radio signal is enough to make the whole thing work. The earphones were called 'Crystal Earphones' if memory serves me right. Your parts list is almost complete..but missing the ferrite rod aerial which, in conjunction with the variable tuning capacitor, acted as a frequency selective bandpass filter to 'tune in' the required radio station.

        I built one too, not quite 40 years ago..but must be close-ish to that!

        1. Bloakey1

          Re: This is quite credible

          "It's high impedance earphones which are used"

          <snip>

          Ooops you are right it is high impedance headphones. I found that an earpiece from an old phone was great, they also made good microphones.

          Ferrite rod good, but I did not have access to such luxuries; wire wound around a bog roll was good enough.

          1. Martin-73 Silver badge

            Re: This is quite credible

            Hmm, most phone earpieces are quite low impedance, circa 60 Ohm DC resistance and an impedance at voice frequencies of a few hundred ohms, max (at least back in the days when phones were real phones, men were real men, women were real women, and small furry creatures from Alpha Centauri were real small furry creatures from Alpha Centauri).

  6. DrGoon

    Occam's Round

    This article was probably not intended as disinformation, and is simply the product of technologically illiterate journos who are unable to comprehend what is being 'researched'. Since Professor Elovici recently published "Exploiting simultaneous usage of different wireless interfaces for security and mobility" it seems likely that a cellular network was used to compromise the mobile phone which then executed code that used a WiFi or Bluetooth network to compromise a computer that was not connected to the Internet. The hungover hack dreamed up some crazy nonsense and asked a few questions, got a few nerd-speak replies that they didn't understand and made up a load of tosh that they thought that the boffins had confirmed. The copy was emailed to the editor and our content farmer was down at the pub in time for opening.

  7. Robin Bradshaw

    Not sure about infection

    Dunno about getting malware onto the machine, but slurping data off an infected machine by FM radio seems like it would be doable, since there is basically a proof of concept for the Raspberry Pi already:

    http://makezine.com/projects/make-38-cameras-and-av/raspberry-pirate-radio/

    1. YetAnotherLocksmith Silver badge

      Re: Not sure about infection

      Damn, you beat me to it!

      There's a lot of ill-informed "this isn't possible" comment on this thread, considering there is a home brew FM transmitter for an actual computer already, which you can do with a few lines of code and a few inches of wire - and the wire is optional!

  8. Anonymous Coward

    >"BadBIOS which saw malware apparently flung over air gaps "

    No it didn't. It could communicate across air gaps to exfiltrate data from non-networked computers, but that required the malware to already be running on the far side of the air gap, having previously crossed it by some other means.

    I also note that since the initial claims about its discovery, there have been no follow-ups, no samples, no evidence or proof of any kind.

    Finally, to address this current report: the Times of Israel story is garbled and unclear, having been written by a tech-illiterate journalist, but my bet is that what it's describing is malware that - once already installed on the far side of an air-gap - can create a covert channel by modulating RF emissions that can be received by TEMPEST-alike scanning done by software on a mobile. I don't expect when the details come out that there will be any means of installing the initial malware through this channel.

    1. TkH11

      Re: >"BadBIOS which saw malware apparently flung over air gaps "

      This is the best explanation I have seen on this site. Let me add to it.

      A key element of this approach is that as the malware (already installed on the target computer) reads the data to be lifted from the system and transmitted off the system, there will be changes in the extraneous RF emissions from the PC. To a human being listening in via an FM radio (on the 88-108MHz broadcast band), the noise heard will sound like garbage; there won't be any apparent pattern, and it would seem incredible that individual byte values being accessed could be discerned from those RF emissions. But I recall reading an article some time ago where it has been done, where those small changes in the RF signal can be decoded into actual byte values!

      Decades ago, one technique used by the security services to spy on embassies, where they couldn't tap the data communication lines going in and out of the building, sometimes they could hook up microphones placed into small holes in the wall, and listen to the sound of the keys being typed on a teleprinter or other such communications device. From the sound alone they could determine what the message text was that was being typed! It turns out each key sounded slightly different.

      1. Bloakey1

        Re: >"BadBIOS which saw malware apparently flung over air gaps "

        <snip>

        "Decades ago, one technique used by the security services to spy on embassies, where they couldn't tap the data communication lines going in and out of the building, sometimes they could hook up microphones placed into small holes in the wall, and listen to the sound of the keys being typed on a teleprinter or other such communications device. From the sound alone they could determine what the message text was that was being typed! It turns out each key sounded slightly different."

        Not only key input but also the sound of the print heads striking the paper. In one instance they compromised a telephone that was sat beside a teletype machine and they could listen away during the Suez crisis, so it was even possible then.

        The US embassy in Moscow was compromised for 8 years by the Russians who slurped the sounds and data, compressed it and then sent it out via burst transmissions.
