A group of Israeli researchers have improved on a way to steal data from air-gapped computers, thought to be safer from attack due to their isolation from the Internet.
They’ve figured out how to turn the computer into a cellular transmitter, leaking bits of data that can be picked up by a nearby low-end mobile phone.
While other research has shown it possible to steal data this way, some of those methods required some hardware modifications to the computer. This attack uses ordinary computer hardware to send out the cellular signals.
Their research, which will be featured next week at the 24th USENIX Security Symposium in Washington, D.C., is the first to show it’s possible to steal data using just specialized malware on the computer and the mobile phone.
“If somebody wanted to get access to somebody’s computer at home—let’s say the computer at home wasn’t per se connected to the Internet—you could possibly receive the signal from outside the person’s house,” said Yisroel Mirsky, a doctoral student at Ben-Gurion University and study co-author.
Air-gapped computer needs to have malware installed
The air-gapped computer that is targeted does need to have a malware program developed by the researchers installed. That could be accomplished by creating a type of worm that infects a machine when a removable drive is connected. It’s believed this method was used to deliver Stuxnet, the malware that sabotaged Iran’s uranium centrifuges.
The malware, called GSMem, acts as a transmitter on an infected computer. It creates specific, memory-related instructions that are transmitted between a computer’s CPU and memory, generating radio waves at GSM, UMTS and LTE frequencies that can be picked up by a nearby mobile device.
The GSMem component that runs on a computer is tiny. “Because our malware has such a small footprint in the memory, it would be very difficult and can easily evade detection,” said Mordechai Guri, also a doctoral student at Ben-Gurion.
Their receiver was a nine-year-old Motorola C123 so-called “feature” phone, which looks downright ancient compared to mobile phones today. But there are a couple of reasons why they chose it.
Most embassies and many companies ban smartphones from being taken inside their premises, to prevent signals intelligence collection. But some companies, including Intel and defense contractor Lockheed Martin, still allow devices that are not smartphones into sensitive areas, Guri said.
The Motorola C123 was also picked because it uses a digital baseband chip that runs the open-source software OsmocomBB (Open Source Mobile Communications — Baseband). Most of the firmware that runs on baseband chips is closed-source and difficult to modify, and the researchers needed to be able to tamper with it.
The GSMem malware component that runs on the Motorola phone samples the amplitude of the frequency coming off the targeted computer, Mirsky said.
Just a few bits of data are enough
Once both malware components are in place, the data harvesting can begin. The Motorola phone, which can be up to five meters away from the computer, can collect one or two bits per second. That’s just a tiny amount, but enough to pilfer data such as passwords or encryption keys.
Using a smartphone with a more powerful antenna and processor could tick up the data transfer speeds and increase the distance from which the attack could be conducted.
Building an even more powerful kind of receiver, such as a software-defined radio, could increase the transfer speeds to as much as 1,000 bits per second and increase the range up to 30 meters. But that kind of device would negate the stealthy benefit of using an older feature phone, particularly when infiltrating an organization, Mirsky said.
Some of the defenses are easy: ban all phones, smartphones or not, from sensitive areas. Other options would be to jam cellular signals or use Faraday cages—which are enclosures that use metal to dissipate electronic signals—in certain areas, Mirsky said.
The research paper was also co-authored by Assaf Kachlon, Ofer Hasson, Gabi Kedma, and the project was overseen by Yuval Elovici, head of the cyber labs at Ben-Gurion.