Security Experts:

Connect with us

Hi, what are you looking for?


Data Protection

Unmodified USB Devices Allow Data Theft From Air-Gapped Systems

USBee malware shows new way to abuse USB devices

USBee malware shows new way to abuse USB devices

Researchers have demonstrated how an unmodified USB device can be turned into a radio frequency (RF) transmitter and leveraged to exfiltrate potentially sensitive data from air-gapped computers.

In the past years, experts from the Cyber Security Research Center at Ben-Gurion University of the Negev in Israel analyzed methods for exfiltrating data using cellular frequencies, noise from fans and hard drives, electromagnetic signals from graphics cards, and heat emitted by the CPU and GPU.

Now they have come up with a new method that involves an unmodified USB device and an experimental piece of malware dubbed “USBee.”

Using USB devices to exfiltrate data from secure systems over RF is not unheard of. NSA documents leaked in 2013 showed that the agency’s toolset included such capabilities. Inspired by the NSA, white hat hackers later created a hardware implant with similar capabilities. However, these tools rely on modified USB connectors, whereas researchers have found a way to exfiltrate data using unmodified devices.

USBee is designed to leverage the USB data bus to create electromagnetic emissions from a connected device. The malware can modulate binary data over the electromagnetic waves and send it to a nearby receiver.

Experts determined that sending a sequence of “0” bits to a USB device, such as a flash drive or an external hard drive, generates electromagnetic radiation. By intentionally sending a certain sequence of “0” bits from the targeted computer to the connected USB device, the malware can generate electromagnetic radiation at specific frequencies, which can represent either a “1” bit or a “0” bit.

The data can then be captured by a nearby receiver. In their experiments, researchers used a $30 RTL-SDR software-defined radio connected to a laptop and managed to transfer data at rates of up to 80 bytes per second. This is a fairly high transfer rate that can allow the malware to transfer strong passwords and encryption keys within seconds.

The data can be transferred over a considerable distance, as shown in this video made by Ben-Gurion University researchers:

Researchers have proposed several countermeasures, such as banning electronic equipment near sensitive computers, using antiviruses and intrusion detection systems, and shielding components to prevent electromagnetic emissions. However, experts noted that these methods might not always be very efficient or feasible. For instance, in the case of intrusion detection systems set up to detect certain patterns, they could result in a high rate of false positives.

Related: Air Gap or Not, Why ICS/SCADA Networks Are at Risk

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Google’s Threat Analysis Group (TAG) has shared technical details on an Internet Explorer zero-day vulnerability exploited in attacks by North Korean hacking group APT37.