USBee stings air-gapped PCs: Wirelessly leak secrets with a file write

Mordechai Guri, the Israeli researcher who has something of a knack for extracting information from air-gapped PCs, has done it again – this time using radio frequency transmissions from USB 2 connections. Dubbed USBee, the technique turns a computer's USB ports into mini RF transmitters by modulating the data fed at high …

  1. JeffyPoooh
    Pint

    There's another way...

    Use the screen. Write it down.

    Far more practical than this nonsense.

    1. cuthbertj

      Re: There's another way...

      Were you planning on standing over the shoulder of the person you were spying on? There's no way they could possibly notice you. "Excuse me while I watch you type in your password, no? well could I just borrow your laptop for a sec while I extract your crypto keys."

      1. Doctor Syntax Silver badge

        Re: There's another way...

        ""Excuse me while I watch you type in your password, no? well could I just borrow your laptop for a sec while I extract your crypto keys.""

        "Could I borrow your laptop to install this code which will enable me to extract data when you have a USB storage device plugged in."

        1. Will Godfrey Silver badge
          Unhappy

          Re: There's another way...

          I would like to laugh, but actually know people daft enough to agree to that.

    2. Anonymous Coward

      Re: There's another way...

      Yeah, yeah, why not swap high and low system loads and thus send Morse code via the power lead?

      I hate stories like this because it makes people afraid of their own bloody shadow whereas there are more real things to worry about. I guess someone wants to sell a new range of Tempest kit.

      What happened to mentioning the actual likelihood of this happening (you know, that other part of risk)?

      1. Lord Elpuss Silver badge

        Re: There's another way...

        "What happened to mentioning the actual likelihood of this happening (you know, that other part of risk)?"

        If you're in the kind of business where you work with intentionally air-gapped PCs, this kind of article is likely of very great interest to you. If not, you probably don't care (and techniques such as this won't affect your risk analysis in any meaningful fashion) - so don't worry.

  2. Nuno trancoso
    Coat

    Missing piece...

    So, you have an air-gapped pc, let's assume for either security, confidentiality, or both. But it has exposed USB ports. Seriously?

    Ok, so let's assume you will be allowed and/or forced to use some USB storage, for say, backup storage, in case internal storage goes titsup, or because internal storage is read only and nobody wanted to put a secondary r/w medium in it. Whatever. Now you have transmission capabilities.

    And all those security/confidentiality issues that led to an air-gapped pc, didn't lead to a (modestly) secured space. So much so, a fellow bad person can be just in range to pick up said transmission.

    And of course, you need someone else to plant the code for the tool that you'll use. Someone that has unchecked access and permissions to the box so he can just drop in a tool that will be allowed to run.

    Interesting from an academic point of view, but if this gives you any loss of sleep, you are already doing it so wrong it will be the least of your problems.

    Think I'll write a paper about using a large mallet and leaking data by bit banging it (literally) on the wall while someone else picks it up with a seismograph. Devs are known to be weirdos so pretty sure no one will question the odd behavior. Coat. Mallet. Door.

    1. MacroRodent
      Black Helicopters

      Re: Missing piece...

      But it has exposed USB ports. Seriously?

      I wonder if the attack could be extended to work with other attached devices, like a mouse: you can send configuration and status request commands to it. Or if the PC or laptop has earphones, you could send very high-pitched modulated sound, which would turn into very low-frequency radio. Sound cards can often output up to 20 kHz, it does not matter if the earphone does not reproduce it, and most adults cannot hear it anyway, so the hidden carrier would be undetectable.

    2. Justin S.

      Re: Missing piece...

      But it has exposed USB ports. Seriously?

      Even air-gapped systems need software updates, as well as data-in/data-out. Different amounts and types of security are used for different systems/classification levels/etc.

      This is just another chink in the proverbial armor: those who thought they were sufficiently secure will again (as though they ever [or should have] stopped) reconsider their arrangements and make the necessary adjustments. Or they won't, in which case there's another opportunity for ex-filtration.

      Also, it should be noted that while a system may be secure against this particular attack-- perhaps because they have disabled or epoxied closed their USB ports-- another researcher or villain may use it as a starting point for another attack vector, or adapt it to work with other USB devices (keyboards, perhaps).

      Security is not a static thing: the white and black hats both work to reveal the weaknesses of existing (and sometimes future) systems, spurring changes in the relevant industries.

  3. Steve Knox
    Paris Hilton

    Air-gapped...

    and USB-enabled?

    Someone doesn't know how to security.

    1. Charles 9

      Re: Air-gapped...

      Oh? How do you transmit information back and forth that's not well-suited for a brain, then, like a large data table?

      1. Version 1.0 Silver badge

        Re: Air-gapped...

        Oh? How do you transmit information back and forth that's not well-suited for a brain, then, like a large data table?

        Floppy disk, mag tape, paper tape, CDROM, punch cards ...

        But that's not the point - the point here is that ANY device can be compromised given enough effort by an individual or group with the desire (need) to do so. For most of us the chances of this happening are infinitesimal - but, in some instances, this is a real concern.

    2. Voland's right hand Silver badge

      Re: Air-gapped...

      SCADA - airgapped for security and USB enabled because the moron manufacturer requires a USB license "plug" for the software to work.

    3. MrDamage Silver badge

      Re: Air-gapped...

      Apart from the obvious question raised above about data transfer, what is your answer to the question of "how to control the air gapped system"?

      I'm sure all of these "incompetent" sysadmins leave old PS2 keyboards and mice permanently connected to the machines in question.

      In case you weren't aware, unplugging and replugging PS2 devices whilst the machine is operational has a decent chance of blowing out the PS2 port.

      So it's either leave old hardware permanently connected, or use USB.

      1. Anonymous Coward

        Re: Air-gapped...

        Apart from the obvious question raised above about data transfer, what is your answer to the question of "how to control the air gapped system"?

        Laptop. Also prevents keyboard recording. If you use a MacBook it's even all soldered down, add FileVault and a boot password and there's nothing you can do with it until it's properly booted up (but they won't wipe after X tries AFAIK, which is IMHO an omission).

        1. Stoneshop
          FAIL

          Re: Air-gapped...

          Laptop.

          Known for being well-suited for sticking industrial interface cards in (SCADA).

          Also prevents keyboard recording.

          They do not.

  4. Oengus

    Kickstarter idea

    I am seeing more and more of a market for a portable Faraday cage(™)... maybe with an inbuilt noise (audible and ultrasonic) cancellation circuit...

    Most of these hacks seem to require an actor to install the hack onto the air-gapped device so more education of the users may be the simple answer.

    1. Anonymous Coward

      Re: Kickstarter idea

      I am seeing more and more of a market for a portable Faraday cage(™)... maybe with an inbuilt noise (audible and ultrasonic) cancellation circuit...

      AFAIK, tin foil hats are noisy enough for that purpose..

    2. W4YBO

      Re: Kickstarter idea

      "portable Faraday cage(™)..."

      Michael's trademark has lapsed by now, so you're home free!

  5. quxinot

    I'd wonder if you could just use a small white noise generator of a sort that broadcasts low RF energy to block all of these (faintly ridiculously involved) "attacks".

    1. Jon 37

      That's a radio jammer, which is illegal (unless you're the government)

      1. Doctor Syntax Silver badge

        "That's a radio jammer, which is illegal"

        No, it's a hair dryer. Also blocks attempts to get information out via sound waves.

        1. allthecoolshortnamesweretaken

          So putting the data centre in a hairdresser's basement should do the trick...

  6. Charles 9

    Call us when someone can jump an air gap or escape a TEMPEST room without installing anything first.

    1. Ed_UK

      "Call us when someone can jump an air gap or escape a TEMPEST room without installing anything first."

      So, you never saw the film Scanners?

      1. Charles 9

        I don't recall Scanners posting the legally-required tagline: "This is a true story."

  7. Fruit and Nutcase Silver badge
    Alert

    Infra-sound?

    Depending upon the hardware capabilities, what about a modulated infra-sound signal? The malware could monitor the use of the sound system and transmit at "quiet" periods. The listening device could even be a laser microphone picking up vibrations from a nearby window. Do some signal processing to extract the data. Probably been done already.

    1. Mage Silver badge

      Re: Infra-sound?

      Been done already.

      One version modulates fan noise.

      Another version can to an extent monitor variations in system noise without any malware pre-loaded.

  8. Ralph the Wonder Llama
    Meh

    Not a bee

    That is not a picture of a bee. Pfft.

    1. John 110

      Re: Not a bee

      Oh I think it is, what kind of IT expert are you...

  9. Starace

    Not even news 30 years ago

    Seriously. This is hardly some great revelation that a machine can leak noise of whatever sort that may include information.

    It's also not much of a challenge when you have physical access, can install and run arbitrary code and maybe even plug something in, and the installation environment allows you to get some sort of detector close and then let that in turn get information outside.

    A five year old could probably achieve the same 'research' and maybe get someone to write about it.

    Proper air gapped systems - as opposed to something that doesn't just have Internet access unplugged - are slightly harder to crack and the ways of protecting them have been much the same for decades and would have prevented this sort of amateur nonsense right from the start.

    In further news I can get information off an air gapped system by pointing a camera at the screen through your office window. This is a new and exciting technique as I use an IP camera so I can 'hack an air gapped system remotely'...

  10. Michael Kean

    HDD LED?

    Hmmm.

    I guess you could flash the hard drive LED and watch for that, but that'd take longer.

    Or throttle up the CPU fan and listen to the speed changes.

    Or play modulated audio over 18 kHz and hope there are no teenagers working there.

    Or embed a hub inside the mouse and hide a doohickey in there...
