Air-gap Limitations and Bypass Techniques: “Command and Control” using Smart Electromagnetic Interferences
Abstract
Air gaps are generally considered a very effective information security protection. However, the technique also has known limitations, and a growing body of work has focused on finding covert channels that bridge the air gap. Interestingly, recent publications have pointed out that a smart use of intentional electromagnetic interferences introduces new threats to information security. In this paper, a novel way of remotely communicating with malware already installed on a computer, using the perturbations induced by such interferences, is discussed, leading to the design of a new covert channel that bridges the air gap.
Copyright (c) 2015 Chaouki Kasmi, José Lopes Esteves, Philippe Valembois
This work is licensed under a Creative Commons Attribution 4.0 International License.