New air-gap jumper covertly transmits data in hard-drive sounds
"DiskFiltration" siphons data even when computers are disconnected from the Internet.
Researchers have devised a new way to siphon data out of an infected
computer even when it has been physically disconnected from the Internet
to prevent the leakage of sensitive information it stores.
The method has been dubbed "DiskFiltration" by its creators because
it uses acoustic signals emitted from the hard drive of the air-gapped
computer being targeted. It works by manipulating the movements of the
hard drive's actuator,
which is the mechanical arm that accesses specific parts of a disk
platter so heads attached to the actuator can read or write data. By
using so-called seek operations that move the actuator in very specific
ways, it can generate sounds that transfer passwords, cryptographic
keys, and other sensitive data stored on the computer to a nearby
microphone. The technique has a range of six feet and a speed of 180
bits per minute, fast enough to steal a 4,096-bit key in about 25
minutes.
"An air-gap isolation is considered to be a hermetic security measure
which can prevent data leakage," Mordechai Guri, a security researcher
and the head of research and development in the cyber security labs at
Israel's Ben-Gurion University, told Ars. "Confidential data, personal
information, financial records and other type of sensitive information
is stored within isolated networks. We show that despite the degree of
isolation, the data can be exfiltrated (for example, to a nearby smart
phone)."
Besides working against air-gapped computers, the covert channel can
also be used to steal data from Internet-connected machines whose
network traffic is intensively monitored by intrusion prevention
devices, data loss prevention systems, and similar security measures.
The technique is documented in a technical paper titled DiskFiltration: Data Exfiltration from Speakerless Air-Gapped Computers via Covert Hard Drive Noise,
which was published Thursday night. Guri and the other Ben-Gurion
University researchers who devised the covert channel created the video
demonstration below.
DiskFiltration is only the latest method devised by Ben-Gurion
University researchers to bridge air gaps. Other techniques include AirHopper,
which turns a computer's video card into an FM transmitter; BitWhisper,
which relies on the exchange of heat-induced "thermal pings"; GSMem,
which relies on cellular frequencies; and Fansmitter, which uses noise
emitted by a computer fan to transmit data. In 2013, researchers with
Germany's Fraunhofer Institute for Communication, Information
Processing, and Ergonomics devised a technique that used inaudible audio signals to covertly transmit keystrokes and other sensitive data from air-gapped machines.
The techniques are effective, but their utility in real-world
situations is limited. That's because the computers they target still
must be infected by malware. If the computers aren't connected to the
Internet, the compromise is likely to be extremely difficult and would
require the help of a malicious insider, who very well may have easier
ways to obtain data stored on the machine. Still, the air-gap jumpers
could provide a crucial means to bypass otherwise insurmountable
defenses when combined with other techniques in a targeted attack.
Receiving data transmitted by sound generated from a hard drive is generally not efficient. DiskFiltration improves the signal-to-noise ratio by focusing on a narrow range of acoustic frequencies, a feature that effectively strips out background noise. DiskFiltration works even when a hard drive's automatic acoustic management, which reduces acoustic noise, is at its default setting. Still, casual noise emissions from other running processes can sometimes interfere or interrupt the DiskFiltration transmissions.
The most effective way to prevent DiskFiltration-style data exfiltration is to replace hard drives with solid-state drives, since the latter aren't mechanical and generate virtually no noise. Using particularly quiet types of hard drives or installing special types of hard drive enclosures that muffle sound can also be an effective countermeasure. It may also be possible to jam hard-drive signals by generating static noise. Intrusion prevention systems may also be programmed to detect suspicious hard-drive seek patterns used to create the transmissions. Yet another solution is to isolate air-gapped computers from smart phones and other devices with a microphone.
Receiving data transmitted by sound generated from a hard drive is generally not efficient. DiskFiltration improves the signal-to-noise ratio by focusing on a narrow range of acoustic frequencies, a feature that effectively strips out background noise. DiskFiltration works even when a hard drive's automatic acoustic management, which reduces acoustic noise, is at its default setting. Still, casual noise emissions from other running processes can sometimes interfere or interrupt the DiskFiltration transmissions.
The most effective way to prevent DiskFiltration-style data exfiltration is to replace hard drives with solid-state drives, since the latter aren't mechanical and generate virtually no noise. Using particularly quiet types of hard drives or installing special types of hard drive enclosures that muffle sound can also be an effective countermeasure. It may also be possible to jam hard-drive signals by generating static noise. Intrusion prevention systems may also be programmed to detect suspicious hard-drive seek patterns used to create the transmissions. Yet another solution is to isolate air-gapped computers from smart phones and other devices with a microphone.
0 comments:
Post a Comment