Air gap breached by disk drive noise Researchers from Israel's Ben-Gurion University of the Negev Cyber Security Research Center have found a way to exfiltrate information from a PC using the noise created by hard disk drives. In work detailed here (PDF) at ArXiv, the researchers explain how they've created malware that “can generate acoustic emissions at …
I remember a program called "floppy music", that played the William Tell Overture on a 5.25" drive on the Apple ][ Plus.
Very different frequencies, and different drives, but the same principle. New applications for old ideas! Technology and sneaky thinking!
What was that saying about youth & intelligence always falling before old age and treachery? :-p
... I read recently about a 64-disk setup playing the Star Wars Imperial March, but this 8-disk version is pretty good...
"But still, I wouldn't really start worrying until someone found a way to make an airgapped computer exfiltrate data without installing anything in it first, allowing it to work on a pristine or even read-only boot image."
You mean like compromised BIOS firmware with secret partitions on them, or remote HP ILO features with zero day exploits, or hidden instruction sets in Processors....
Just because it doesn't have an o/s installed, doesn't mean it can't be compromised.....
Air gapped doesn't mean that no data goes in. It's normally the case that your interested simply stopping stuff leaking back out. So if one can smuggle some malware like this in through one of the user's regular uploads, or free USB stick given out at a trade show, etc.
I have to say that it's ridiculous how many such things seem to place the low and high side of an air gapped system in the same room, or in the same rack, or even in the same chassis even. Rule 101 - they go in different rooms, one of them preferably RF screened..
"they go in different rooms, one of them preferably RF screened" -- AC
And I think there's probably a good argument for making sure they are on different power supplies. I haven't heard of any malware manipulating the power consumption of a server but I would think that you could probably transmit a low bit rate signal on this channel if you tried hard enough.
The good news is that there are simple countermeasures that can stop this attack. The first is to use solid state disks. Another is to tweak AAM settings. Or you could ban smartphones from getting anywhere near air-gapped PCs, which is standard practice in lots of secure areas.
You could also just add a noise generator - even opening the windows and letting in traffic noise is enough to screw up data collection.
"You could also just add a noise generator - even opening the windows and letting in traffic noise is enough to screw up data collection."
No, because they can record the traffic itself and mix it back in out of phase to filter it out. Meanwhile, you're allowing the very thing you want to avoid: an opening just waiting for a microphone. You can't have any windows whatsoever (besides that scenario, the window's an ideal surface for a shotgun mic); indeed, the walls should be anechoic so they don't vibrate. The power needs to be isolated so that noise from the mains gets filtered before going outside. Doors need to be airlock style with a guard and a metal detector in between so there's visual or aural access (if you have a metal plate, then I think we have a problem). I mean, doesn't TEMPEST cover a lot of these bases?
No, because they can record the traffic itself and mix it back in out of phase to filter it out
That only works if you record dual microphone and assumes you have enough microphone resolution to pick up the weak HDD sounds despite a membrane saturated with far louder signals. To do that right needs a very expensive set of mikes, and they tend to be a tad too big to install covertly.
You can also just push pink noise near the harddisks themselves, or play back hard disk sounds recorded earlier at the same time - it's unlikely you'll be able to separate them out.
That said, I think you're wasting your time being worried about that sort of stuff - that sort of research will be used to foist some stupidly expensive sound proofing on a company that has more money than sense, I can't see this being practical.
If an accelerometer can pick up vibrations from typing, I suspect that in some conditions it could pick up vibrations from a hard drive, fan, etc. Sound and vibrations are funny things; indeed, yelling at an array of hard drives is enough to interfere with operations.
... one of the guys taught the disk drives on a PDP-10 to play music on SA-10 attached IBM Winchesters[0]. Change the input data, and add a non-human listening device and a modem/phone line (or current loop), and presto, same thing as this "new" hack ... from a couple dozen feet away and 1200+ bits per second. In 1979ish.
Is nobody teaching kids the past anymore? That would be sad, in the old meaning of the word.
[0] Then he learned to make the washing machine sized disk drives "walk" across the floor ... I had to fire him when he did it in front of Ken Olsen, who was visiting our lab. Was very hard on the hardware ...
Feh. The problem with our CDC washtub hard drives wasn't to make them walk across the raised floor in the computer room, it was to get the damn things to not walk. If their little feet weren't set just right they'd go walkies. And it was, indeed, very bad for the hardware. We ended up sticking bits of plywood under them to keep them in place. The boys from Harris (the system vendors) and CDC said that they'd never seen anything like it before. Being unique was an honor we'd rather not have had.
Similar problem at SAIL. Got the answer from SLAC: First, ban floor wax[0] from the glass room (that wasn't glass). Pull the floor tiles a few at a time and take them outside. Scuff the Formica with 120 grit on an orbital sander. Dust off tiles with a tack-cloth. Reinstall. No more walkies.
[0] Yes, kiddies, janitorial staff had the keys to the data center. The stories of cleaning staff unplugging servers (and other critical kit) either on purpose or accidentally aren't apocryphal.
You can still infect an air gapped machine. One way is if you managed to compromise a USB device that will be plugged into it - that's how the US/Israwel got malware into Natantz in Iran to break their centrifuges.
Another way would be to compromise software they know will be installed on that machine. If you know the air gapped machine is going to run some particular CAD package, you compromise the CAD vendor's build system to include malware and wait for the air gapped system to get updated. The malware would look for certain things to determine if it is on the right machine so it wouldn't trip malware triggers for the masses but only for your air gapped target.
Obviously this is well beyond the level of a typical hacker, but well within the realm of what a state level actor like the CIA/NSA or China and Russia's equivalents could handle.
Well I didn't want to bother to list them all, as it would also include not only those but North Korea, GCHQ, and probably France, Germany, Australia, South Africa, South Korea, Japan, and I imagine some others who have well developed targeted hacking abilities who stay under the radar.
This isn't "light speed" people. For a minimum password (lets say 8 characters), you will need at least 21 seconds assuming no error correction. Add in a user name (another 8 characters) and you get another 21 seconds. So, you need to have your "object" computer doing its thing for a good portion of a minute (assuming no framing marks) to get a simple username/password pair. This means you need to stand around waiting for it to happen somehow, or have a recording device that can be left behind (undetected I assume) that will be able to pick up the sounds.
Seems highly unlikely to me. Of course I'm not in that kind of business. Sometimes when there is a will, there is a way. Sometimes things can take years to develop, so anything is possible.
Then again, it might already have been done. We'll never know!!
I'm sure lots of things can be achieved in a test environment. If not sound, then blinking lights, or generate RF signals by introducing the appropriate instructions that toggle memory or peripheral signals in a suitable manner.
It is however a far cry from being able to install something that both works and remains undetected in a real-World working system. AFAICS the threat is orders of magnitude less than simply bunging an employee sufficient £££ and getting them to plug in a USB stick, hardware keyboard recorder or install a video bug etc.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
