
Ethernet Cable Turned Into Antenna To Exploit Air-Gapped Computers

source link: https://hackaday.com/2021/10/27/ethernet-cable-turned-into-antenna-to-exploit-air-gapped-computers/


Good news, everyone! Security researcher [Mordechai Guri] has given us yet another reason to look askance at our computers and wonder who might be sniffing in our private doings.

This time, your suspicious gaze will settle on the lowly Ethernet cable, which he has used to exfiltrate data across an air gap. The exploit requires almost nothing in the way of fancy hardware — he used both an RTL-SDR dongle and a HackRF to receive the exfiltrated data, and didn’t exactly splurge on the receiving antenna, which was just a random chunk of wire. The attack, dubbed “LANtenna”, does require some software running on the target machine, which modulates the desired data and transmits it over the Ethernet cable using one of two methods: by toggling the speed of the network connection, or by sending raw UDP packets. Either way, an RF signal is radiated by the Ethernet cable, which was easily received and decoded over a distance of at least two meters. The bit rate is low — only a few bits per second — but that may be all a malicious actor needs to achieve their goal.
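The post notes that one of LANtenna's two transmit methods works by toggling the link speed of the Ethernet connection. On a Linux host every renegotiation leaves a kernel "NIC Link is Up/Down" message in syslog, so a burst of link transitions on one interface is something a defender can alert on from logs alone. The following detector is an added example written for this page, not code from the Hackaday post or from Guri's paper; the log lines are constructed (patterned on the e1000e driver's messages), and the 60-second window and threshold of four transitions are assumed values for the demo.

```python
"""Flag Ethernet interfaces whose link state flaps in a short window.

Added example for this page (not the original post's or paper's code).
Heuristic: a reboot or cable replug produces one Down/Up pair; a NIC
being speed-toggled as a signalling channel produces many transitions
in a few seconds. The log format and thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Kernel link messages in the e1000e style (an assumption; other drivers
# word these slightly differently), e.g.
#   "e1000e 0000:00:1f.6 eth0: NIC Link is Up 1000 Mbps Full Duplex, ..."
#   "e1000e 0000:00:1f.6 eth0: NIC Link is Down"
LINK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"(?P<iface>[a-z0-9]+): NIC Link is (?P<state>Up|Down)"
    r"(?: (?P<speed>\d+) Mbps)?"
)

# Constructed sample syslog: eth1 sees one ordinary replug, eth0 is being
# toggled between 100 and 1000 Mbps every two seconds.
SAMPLE_LOG = """\
Oct 27 10:00:00 ws-07 kernel: e1000e 0000:00:19.0 eth1: NIC Link is Down
Oct 27 10:00:03 ws-07 kernel: e1000e 0000:00:19.0 eth1: NIC Link is Up 1000 Mbps Full Duplex, Flow Control: Rx/Tx
Oct 27 10:05:00 ws-07 kernel: e1000e 0000:00:1f.6 eth0: NIC Link is Down
Oct 27 10:05:02 ws-07 kernel: e1000e 0000:00:1f.6 eth0: NIC Link is Up 100 Mbps Full Duplex, Flow Control: Rx/Tx
Oct 27 10:05:04 ws-07 kernel: e1000e 0000:00:1f.6 eth0: NIC Link is Down
Oct 27 10:05:06 ws-07 kernel: e1000e 0000:00:1f.6 eth0: NIC Link is Up 1000 Mbps Full Duplex, Flow Control: Rx/Tx
Oct 27 10:05:08 ws-07 kernel: e1000e 0000:00:1f.6 eth0: NIC Link is Down
Oct 27 10:05:10 ws-07 kernel: e1000e 0000:00:1f.6 eth0: NIC Link is Up 100 Mbps Full Duplex, Flow Control: Rx/Tx
Oct 27 10:05:12 ws-07 kernel: e1000e 0000:00:1f.6 eth0: NIC Link is Down
Oct 27 10:05:14 ws-07 kernel: e1000e 0000:00:1f.6 eth0: NIC Link is Up 1000 Mbps Full Duplex, Flow Control: Rx/Tx
Oct 27 10:06:00 ws-07 sshd[1234]: Accepted publickey for ops from 10.0.0.5
"""


def parse_link_events(lines, year=2021):
    """Return (timestamp, iface, state, speed_mbps_or_None) per link message."""
    events = []
    for line in lines:
        m = LINK_RE.match(line)
        if not m:
            continue  # not a link-state message
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        speed = int(m["speed"]) if m["speed"] else None
        events.append((ts, m["iface"], m["state"], speed))
    return events


def detect_link_flapping(lines, window_s=60, max_transitions=4):
    """Return {iface: peak transitions seen inside any window_s span}
    for interfaces that exceeded max_transitions."""
    recent = defaultdict(deque)  # per-interface sliding window of timestamps
    alerts = {}
    for ts, iface, _state, _speed in parse_link_events(lines):
        q = recent[iface]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop transitions older than the window
        if len(q) > max_transitions:
            alerts[iface] = max(alerts.get(iface, 0), len(q))
    return alerts


def link_speeds(lines):
    """Distinct negotiated speeds per interface; alternating values on a
    normally static link are the speed-toggling pattern the post describes."""
    seen = defaultdict(set)
    for _ts, iface, state, speed in parse_link_events(lines):
        if state == "Up" and speed is not None:
            seen[iface].add(speed)
    return {iface: sorted(s) for iface, s in seen.items()}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("flapping:", detect_link_flapping(lines))  # eth0 only
    print("speeds:", link_speeds(lines))
```

The same sliding-window count works just as well over switch-side logs (port up/down syslog from the access switch), which is the vantage point a monitored air-gapped network would normally use, and it is independent of whatever the host software does to hide itself.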

To be sure, this exploit is quite contrived and fairly optimized for demonstration purposes. But it’s a pretty effective demonstration, and along with the previously demonstrated hard drive activity lights, power supply fans, and even networked security cameras, it adds another seemingly innocuous element to the list of potential vectors for side-channel attacks.

[via The Register]

Posted in Security HacksTagged air gap, Cat6, ethernet, exfiltration, exploit, HackRF, RF, RTL-SDR

14 thoughts on “Ethernet Cable Turned Into Antenna To Exploit Air-Gapped Computers”

  1. Gravis says:

    Very cool. Also, I’m pretty sure that if you are air gapping your systems then you are at the very least going to be using shielded LAN cable. I would hope you would use fiber to at least make tapping in difficult, but there’s always cheapskates.

    1. Marcus says:

      I don’t know. Defense folks typically go foremost for certification. So, an airgapped workspace where you can sit close to network infrastructure with unchecked equipment – not gonna happen.

  2. Marcus says:

    OK, I’m going to be the nay-sayer here: can we stop quoting Mordechai Guri? That guy runs a paper mill on the same idea for the last ~7 years.

    There’s nothing novel about “modulating the current in some computer peripheral, causing EMI”. The same “oh we have an airgapped computer, but for some reason we have an attacker that’s allowed to sit behind a plaster wall there and point a directive antenna at an “air-gapped” computer” boilerplate is attached, a photo is taken – and we have another paper. (or, we have an air-gapped computer and an unrestricted smartphone nearby. I’ll let you ponder what exactly “air gapped” might be in that case.)

    Then, because it sounds flashy, we use GSM frequencies (after we already wrote a paper that does exactly the same, but didn’t mention GSM frequencies).

    There’s another variant, where they blink LEDs of switches, monitors, keyboards… guess what:

    When there is an airgapped computer, there will be someone who will check on you when you start pointing a camera at the monitor; your keyboard, or a switch.

    I’m not making this up: https://scholar.google.com/citations?user=F8gvBUkAAAAJ&hl=en

    1. Rotopenguin says:

      No. We’re going to keep on falling for the same junk over and over again.

    2. Greg A says:

      haha i had the same feeling but i didn’t realize one person is behind so many of these stories.

      if you can run whatever software you want on the airgapped computer and freely carry hardware to it, just bring a usb stick

  3. Steven Naslund says:

    You are not really air-gapped if you are connected to a copper cable without filtering or optical isolators. In military computers they even have filters and isolation on the AC power inputs. The facilities themselves are often shielded and they use fiber extensively.

  4. Steven Naslund says:

    I have some concerns about how practical this is:

    1. If you require software on the compromised system, how are you getting that in place across the air gap? I know you could use USB sticks or another insider to get them there but not too practical unless you are a three letter agency.

    2. I would think that most people that air gap their systems would be doing some sort of network surveillance and would have no problem detecting your strange transmissions.

    3. My experience with secure networks tells me that if you mess with your ethernet speed and such very much you are going to get your ethernet port shutdown pretty fast.

    4. How well and at what range are you able to pick up these signals in an electronically rich environment?

    I have experience with a very secure network environment that was tested for exactly this kind of EMI type of transmission. It turned out that the facility was so heavy in various electronic noise (lighting, motors, computers, monitors, radars, motion sensors, etc) that it was decided that the facility was self jamming when monitored from outside the building. They did not worry about threats inside the building very much (armed guards, dogs, biometric entry systems).

    1. abjq says:

      I have pondered this too.

      But if you were an employee who is a bad actor you could install the software and let it sit until it finds something it wants to send, maybe after a time delay (after the employee has moved on).

      For the transmission in amongst a load of noise, you can use correlation techniques where you transmit either 1’s or 0’s with long orthogonal strings per bit. The strings being agreed with the receiver. This would also increase the range of transmission as it helps give a correlation gain over the receiver noise. This trades off against bandwidth obviously but is still useful if the thing being stolen is relatively small, e.g. a private key.

    2. bluecat57 says:

      Hackers and spies don’t care about practical.

  5. Steven Naslund says:

    This is what I am referring to. This is not something new or revolutionary. It has been known and defended against for a long time.

    https://en.wikipedia.org/wiki/Tempest_(codename)

  6. rasz_pl says:

    last year’s CCC:

  7. bluecat57 says:

    Nothing new under the sun. Ecc.1:9
    Security briefing at Northrop B-2 plant covered many bizarre ways to access computers inside the secure plant.
    The question is, how much easier is it to get a Democrat to just give it to you?

  8. nebk says:

    Another related paper that is a small amount more practical (they were able to transmit through a cinder-block wall).
    https://zhenkai-zhang.github.io/papers/bitjabber.pdf
