If you’re a Naked Security Podcast listener (and if you aren’t, please give it a try and subscribe if you like it!), you may remember a humorous remark about ‘sideband’ attacks and sneaky data exfiltration tricks that Sophos expert Chester Wisniewski made in a recent episode.
We were talking about how to stop cybercriminals from stealing cryptocurrency wallets, and I noted that the modest size of wallet files made them not only easier to identify but also quicker to sneak out of a network once they’d been located.
Chester’s quip at this point was:
As soon as you said that, my mind went to those researchers at Ben Gurion University who are always doing some sort of sideband attack… [for example,] they vary the frequency of the light bulbs to leak 11 bytes of data from the computer. I’m just waiting for them to leak a Bitcoin wallet by playing music through the speakers, or something like that!
Well, Chester’s wait might be over. (In theory, at least.)OTHERS STOP AT NOTIFICATION. WE TAKE ACTIONGet 24/7 managed threat hunting, detection, and response delivered by Sophos expertsLearn more
BGU on the case
Mordechai Guri from the abovementioned Ben Gurion University of the Negev (BGU) in Israel has recently published a new ‘data exfiltration’ paper detailing an unexpectedly effective way of sneaking very small amounts of data out of a cabled network without using any obvious sort of interconnection.
This one is entitled LANTENNA: Exfiltrating Data from Air-Gapped Networks via Ethernet Cables, and it’s the latest of many BGU publications in recent years dealing with a tricky problem in cybersecurity, namely…
…how to split a network into two parts, running at different security levels, that can nevertheless co-operate and even exchange data when needed, but only in strictly controlled and well-monitored ways.
Cut the cords!
Physically disconnecting the two networks so that human intervention is needed to move data between them seems like an obvious solution, creating the proverbial “airgap” mentioned in the title of Guri’s paper.
Typically, this also means disallowing “free air” communications protocols such as Bluetooth and Wi-Fi, at least on the more secure side of the network, so that any interconnection points genuinely require some sort of physical interaction.
You might, however, allow (possibly limited) wireless technologies on the less secure side of the network, as long as no emanations from the insecure side can be received, whether by accident or design, on the secure side, and as long as there aren’t any detectable emanations at all from the secure side that could be picked up on the insecure side.
At one time, physical airgaps such as plugging a network cable into a special socket, or using a carefully vetted USB device in a specific USB port, were considered a good solution to this problem, although even USB-based airgaps can sometimes be breached, as anyone who has studied the infamous Stuxnet virus will know.
USB considered harmful
Stuxnet was programmed to damage a specific piece of industrial control equipment if ever it found itself running on a computer that was hooked up in the right way to the right sort of device.
For the longest time, no one could work out what the “right” (or wrong) sort of equipment was, because the virus didn’t identify the hardware by name but merely by some arbitrary characteristics that needed to match.
The puzzle was a bit like trying to find a single person on earth based only on a partial fingerprint and their approximate age.
Eventually, a device was tracked down that matched the “does it look like the one we want?” rule coded into Stuxnet, and it turned out to be a type of industrial centrifuge (used for separating tricky substances with nearly-but-not-quite-identical characteristics, such as different isotopes of uranium) known to be used in Iran.
You can probably extrapolate the rest of the Stuxnet saga for yourself if you aren’t familiar with it already.
Airgaps in a post-Stuxnet world
But what about data exfiltration across an airgap in a post-Stuxnet world, where the operators of airgapped networks have become much stricter about the “border controls” between the two sides of the network?
What covert channels could be used, even if they offered only the most modest data rates?
How could you detect and prevent the abuse of these channels if they were indeed exploitable by corrupt insiders (perhaps with the innocent help of unknowingly co-opted colleagues), if the tricks used were abstruse enough not to arouse suspicion in the first place?
BGU’s previous research has warned of low-bandwith data leakage tricks that can be orchestrated using techniques as varied as:
- Turning PC capacitors into ultrasonic “loudspeakers”, creating apparently innocent sound waves that a co-operating computer can detect but the human ear cannot hear.
- Coding hidden messages via the miniature LED light in the Caps Lock key, or other programmable lights on the keyboard that humans don’t expect to be used to convey more than a single bit of somewhat unimportant data at ay time.
- Tweaking the speed of the CPU cooling fan, which in many computers can be done programmatically, or by deliberately increasing the processing load.
- Using a steganographic trick involving the amount of red tint in the screen. Steganography is the “art” of hidden data: apparently, a digital camera can reliably detect a 3% change in screen “redness” that the human eye will simply filter out and ignore.
LANtenna in plain English
LANtenna is more of the same, this time abusing the staple of any so-called secure network: the LAN cables themselves.
With Wi-Fi off the menu for the simple reason that you can’t see (or easily control) where it’s going, because it is an electromagnetic broadcast medium using an invisible part of the radio spectrum, most secure networks rely on visible runs of traditional network cabling and switches.
In cabled networks, which mostly use so-called shielded twisted pair cables such as CAT5e, CAT6 and higher specifications, a suspicious connector can be physically traced to its source or destination (assuming it’s noticed, of course).
Making each conductor in the cable from a pair of wires twisted around each other along their length reduces electromagnetic leakage, and thus interference, a property first discovered and exploited in the earliest days of the telephone industry. Additional shielding around each conductor pair and around the entire cable, plus tighter twists using more wire, improve performance and reduce stray emissions even further.
Additionally, any device or segment of a cabled network can be quickly, reliably and visibly disconnected by unplugging either end of a cable.
But just how shielded are those twisted-pair cables?
More importantly, if their shielding isn’t perfect, just how big and expensive and obvious would the equipment be that you’d need to detect it?
In other words, if a collaborator on the secure side of the network could arrange for innocent-looking data with a hidden meaning to be sent on the network…
…how surreptitously and uncontroversially could you (and you might be your own collaborator, of course) pick up the steganographically encoded data with an innocent-looking device on the insecure side?
If you’d need a two-metre long Uda-Yagi antenna to pick up the stray emissions, and specialised detection hardware in a case the size of one of Spinal Tap’s sound cabinets, you’d be unlikely to get away with it.
LANtenna in practice
Guri found that he was able to emit encoded data, via the LANtenna attack, using two different techniques:
- Send innocent data while toggling the network speed of the sending LAN card. If the network is under light load, then flipping the LAN speed between (say) 100Mbit/sec and 1Gbit/sec probably won’t attract attention by causing network jobs to slow down noticeably. But the spectrum of electromagnetic emissions varies with the encoding speed of the LAN card, and these emission changes themselves can be used to encode data for detection by someone who knows what to look out for.
- Send innocent data packets of a fixed format in timed bursts. Guri used predetermined UDP packets, which can be broadcast harmlessly if no other device on the network is listening out for them, because unwanted UDP packets are, by design, generally ignored. Again, the electromagnetic emissions from a nearby network cable varied in a detectable way depending on whether the known “throwaway” UDP packets were part of the overall network signal or not. This technique is a bit like listening out for a specific motorcycle with a distinctive exhaust note going past at specific times in the midst of the noise of an an otherwise busy freeway.
Guri discovered that he could detect these stray emissions reliably from up to three metres away using commodity “software radio” hardware that is available in the form of cheap and modestly-sized USB dongles that are easy to conceal, or to disguise as more innocent-looking hardware devices.
The first technique was much more reliable and gave faster exfiltration rates, but generally requires root (sysadmin) access on the computer used to leak the data.
Speed toggling is also likely to get spotted and routinely logged by network monitoring hardware, not least because network cards that keep switching speed suggest hardware problems as well as being suspicious from a security perspective.
This trick is also unlikely to work in a virtual machine environment, because the guest operating system generally works with a virtual network card that simply pretends to switch its speed, while the physical interaction with the network itself is handled by the host computer, which combines all the virtual machine traffic and sends it at a constant speed.
So, the second method was easier to exploit, even in virtual computers…
…but the data rates that Guri was able to achieve were modest to say the very least.
We’re talking about just one bit per second (that’s about 400 bytes an hour, or about one movie per millennium) using the “innocent data packets” technique, with a reliable range of 2m using a PC, from which emissions were stronger, or just 1m using a laptop.
But that’s still enough to leak numerous typical symmetric cryptographic keys, or several cryptocurrency private keys, within a single working day, so Chester’s remark in S3 Ep46 of the podcast may have come true after all.
What to do?
Guri has several recommendations for countermeasures, of which the most obvious and easiest to implement are:
- Treat the insecure side of the network more securely. Don’t allow anyone to bring wireless devices of any sort, including mobile phones, headsets, keyboards or or unverified “hardware dongles” into the shared security area at all.
- Improve your cable shielding. Upgrading older network cabling to newer specifications, even if the more expensive cabling is not strictly necessary, can help. CAT8 cables, for example, are rated up to 40GBit/sec and are built to much higher shielding standards than CAT5e or CAT6.
- Monitor network interfaces for unexpected and unwanted speed changes. A modern network card that shuttles speed frequently should be a cause for suspicion, even if only on reliability grounds.
Guri also suggests that you could consider emitting your own counter-surveillance jamming signals in the bandwidth ranges he monitored with his software radio dongles (typically 125MHz and above), and emitting randomised, background UDP traffic of your own to confuse anyone using the “innocent data packet” signalling technique.
These last two countermeasures are, of course, specific to the LANtenna attack as described in the paper, so a variation on Guri’s theme might bypass them.
(If you’re a secure area Blue Teamer, it’s a great excuse for budget to purchase some Software Defined Radio gear!)