Security Experts:

Unmodified USB Devices Allow Data Theft From Air-Gapped Systems

USBee malware shows new way to abuse USB devices

Researchers have demonstrated how an unmodified USB device can be turned into a radio frequency (RF) transmitter and leveraged to exfiltrate potentially sensitive data from air-gapped computers.

In the past years, experts from the Cyber Security Research Center at Ben-Gurion University of the Negev in Israel analyzed methods for exfiltrating data using cellular frequencies, noise from fans and hard drives, electromagnetic signals from graphics cards, and heat emitted by the CPU and GPU.

Now they have come up with a new method that involves an unmodified USB device and an experimental piece of malware dubbed “USBee.”

Using USB devices to exfiltrate data from secure systems over RF is not unheard of. NSA documents leaked in 2013 showed that the agency’s toolset included such capabilities. Inspired by the NSA, white hat hackers later created a hardware implant with similar capabilities. However, these tools rely on modified USB connectors, whereas researchers have found a way to exfiltrate data using unmodified devices.

USBee is designed to leverage the USB data bus to create electromagnetic emissions from a connected device. The malware can modulate binary data over the electromagnetic waves and send it to a nearby receiver.

Experts determined that sending a sequence of “0” bits to a USB device, such as a flash drive or an external hard drive, generates electromagnetic radiation. By intentionally sending a certain sequence of “0” bits from the targeted computer to the connected USB device, the malware can generate electromagnetic radiation at specific frequencies, which can represent either a “1” bit or a “0” bit.

The data can then be captured by a nearby receiver. In their experiments, researchers used a $30 RTL-SDR software-defined radio connected to a laptop and managed to transfer data at rates of up to 80 bytes per second. This is a fairly high transfer rate that can allow the malware to transfer strong passwords and encryption keys within seconds.

The data can be transferred over a considerable distance, as shown in this video made by Ben-Gurion University researchers:

Researchers have proposed several countermeasures, such as banning electronic equipment near sensitive computers, using antiviruses and intrusion detection systems, and shielding components to prevent electromagnetic emissions. However, experts noted that these methods might not always be very efficient or feasible. For instance, in the case of intrusion detection systems set up to detect certain patterns, they could result in a high rate of false positives.

Related: Air Gap or Not, Why ICS/SCADA Networks Are at Risk

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.