At the end of March 2016, Tomáš Gardoň, a researcher at ESET, announced the discovery of a new malware family that uses USB as its attack vector. The malware, detected as Win32/PSW.Stealer.NAI, has self-protection features based on volume encryption with AES-128, and it also creates a unique image that is meant to prevent the USB device from being cloned. In addition, the malware has an anti-tampering mechanism that destroys all data if the USB device is removed from the targeted machine.
To gain access to the operating system, PSW.Stealer.NAI is combined with a trojan (Win32/TrojanDropper.Agent.RFT) that uses a three-stage infection method: it encrypts its data and checks for the presence of anti-virus software before delivering the payload.
The researchers who studied this malware agree that it has what is needed to attack devices involved in the operation of critical processes that require isolated computers. This system profile, known as an air gap, has seen its security strongly challenged in recent years.
The first significant event occurred in late 2013, when the researcher Dragos Ruiu reported the activity of the BadBIOS malware, which, according to him, infects a computer's BIOS and establishes connections between infected machines through ultrasound (frequencies normally inaudible to humans) using their speakers and microphones.
The report generated considerable controversy in the specialized media, with many researchers questioning whether Ruiu was telling the truth. Although Ruiu has not shared evidence that would allow the anti-virus industry to catalogue the malware, two German researchers published a paper in the Journal of Communications describing how they adapted mechanisms and protocols from underwater data transmission to the air, proving that the alleged communication method of BadBIOS could, at least, be implemented.
The BadBIOS case recalls Stuxnet and ignited academic interest in finding ways to extract information from isolated computers. Starting in 2014, the Cyber Security Research Center at Ben-Gurion University of the Negev took a central role in the field of air-gap communication. That year they developed AirHopper, an attack in which malware sends data through radio frequencies emitted by the video card, captured by a mobile phone's FM receiver. The portable device could then act as a bridge to a command and control server on the Internet.
In 2015, the same institute published two more attacks. The first, called BitWhisper, exchanges information between two isolated computers through heat emissions and the machines' built-in thermal sensors. The other, named GSMem, was more sophisticated: its goal was to establish a connection between a mobile phone and a computer by exploiting the electromagnetic radiation emitted during communication between the CPU and RAM. These emissions can be manipulated so that data is transmitted in GSM frequency bands to a nearby mobile phone.
For the GSMem attack to work, it uses a rootkit that occupies only 4KB of memory, which makes its presence very hard to detect, together with a cellphone running modified firmware. The mobile device used in the tests was roughly ten years old.
In the tests, data was transmitted over more than seven meters with AirHopper, four centimeters with BitWhisper and more than thirty meters with GSMem.
More recently, a paper by Eyal Ronen and the renowned cryptographer Adi Shamir addresses another angle on attacks against isolated environments: the use of devices classified as Internet of Things (IoT).
In this experiment Ronen and Shamir were able to extract more than 10KB per day from a distance of up to 100 meters using a telescope, a light-to-frequency converter connected to an Arduino-based portable device, and malware that made smart lamps (Philips Hue and LimitlessLED) blink. The blinking occurs at frequencies imperceptible to the human eye but can carry data from one environment to another. The distance over which the attack succeeds is determined by the telescope's ability to focus on the lamp.
All of the attacks described in this article are based on collecting small amounts of information. They also depend on the attacker having had physical access to the environment, and most of them are considered proofs of concept. Nevertheless, they provide empirical evidence that the theoretical attacks are feasible and very likely could be deployed in real-world scenarios.
Although we are seeing leaks of large volumes of data, much of the information that is most critical to an organization is small: encryption keys, hashes and passwords.
Researchers who develop attacks against air-gapped devices aim to draw the attention of organizations that devote much of their effort to building isolated infrastructures, yet still allow mobile devices in critical environments or do not monitor the use of removable media inside the security perimeter.
It is possible that malware such as Win32/PSW.Stealer.NAI and Win32/TrojanDropper.Agent.RFT represents a new threat model that can serve as a carrier for any of the attacks described in this article. Its anti-tampering, uniqueness and concealment features provide additional protection for an attacker, who can not only leak information but also inject commands into the targeted devices.