Data Theft From Air-Gapped Computers Possible via Cellular Frequencies

A piece of malware and a basic cell phone are all you need in order to steal data from an air-gapped computer, according to researchers.

Air-gap security is often used by organizations to protect their most valuable assets. The technique involves isolating computers that store sensitive information from the Internet and even from the organization’s internal network.

While it’s less likely for isolated computers to become infected with malware, it’s not impossible, as demonstrated by the case of the notorious Stuxnet worm which made its way onto air-gapped systems controlling the centrifuges at an Iranian nuclear facility via USB flash drives.

Researchers at ESET reported last year that the cyber espionage group Pawn Storm (also known as APT28, Tsar Team, Sednit and Fancy Bear) also used USB malware to steal data from air-gapped computers. Due to such threats, many organizations have banned workers from inserting USB sticks into computers.

A team of researchers from the Ben-Gurion University in Israel led by Mordechai Guri will demonstrate at the upcoming USENIX Security Symposium that there is a far more sophisticated method of exfiltrating data from air-gapped systems.

The experts have developed GSMem, a proof-of-concept (PoC) malware capable of sending data from an infected computer to a nearby mobile phone over GSM frequencies. The data is emitted through electromagnetic signals by a piece of malware installed on the computer, and it’s received and demodulated by a rootkit placed in the baseband firmware of a basic cell phone.

In their experiments, the researchers installed the malware on a Motorola C123. The phone doesn’t have a camera, Wi-Fi, Bluetooth or other connectivity capabilities, and during the tests it didn’t even have a SIM card.

This makes the attack method potentially dangerous because basic phones are allowed even by security-aware organizations that prohibit the use of phones with a camera and Wi-Fi on their premises.

Air-gap malware experiment

The experts have pointed out that only the malware is needed to transmit the data from the air-gapped computer. The attack doesn’t require the installation of any additional components on the targeted workstation because the malware can modulate and transmit electromagnetic signals by using memory-related instructions. The transmission is then amplified by using the multi-channel memory architecture.

Researchers managed to transmit data from the infected computer to the cell phone over a distance of 1–1.5 meters (roughly 3–5 feet). However, if the phone is replaced with a dedicated hardware receiver, the distance can increase to 30 meters (100 feet).

The signals transmitted by the malware can also be intercepted by an application running on an unmodified Android smartphone, but the distance is reduced to 10 centimeters (4 inches), which makes the attack less practical.

Three different workstations were used to transmit data over cellular frequencies, and the researchers determined that the most efficient device was the one with quad-channel RAM because it employs wider data paths.

While transfer rates are low, experts say it’s enough to exfiltrate sensitive information such as passwords and encryption keys within several minutes.

Researchers have proposed a series of countermeasures to prevent potential attacks. The measures include defining zones where mobile phones (even basic devices) are prohibited, and the insulation of walls for mitigating attacks that might use more efficient hardware receivers.

This is not the first time Ben-Gurion University researchers have defeated air-gap security. In October 2014, they presented a piece of malware (AirHopper) capable of stealing data from isolated computers using the electromagnetic signals emitted by the device’s graphics card.

More recently, experts unveiled BitWhisper, an attack method that relies on the fact that computers in close proximity to each other can communicate using heat emissions and built-in thermal sensors.

The complete research paper on GSMem is currently only available to USENIX attendees. The paper will be made generally available after the event.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
