ODINI: Escaping Sensitive Data From Faraday-Caged, Air-Gapped Computers via Magnetic Fields

Air-gapped computers are devices that are kept isolated from the Internet, because they store and process sensitive information. When highly sensitive data is involved, an air-gapped computer might also be kept secluded in a Faraday cage. The Faraday cage prevents the leakage of electromagnetic signals emanating from various computer parts, which may be picked up remotely by an eavesdropping adversary. The air-gap separation, coupled with the Faraday shield, provides a high level of isolation, preventing the potential leakage of sensitive data from the system. In this paper, we show how attackers can bypass Faraday cages and air-gaps in order to leak data from highly secure computers. Our method is based on exploitation of the magnetic field generated by the computer’s CPU. Unlike electromagnetic radiation (EMR), low frequency magnetic fields propagate through the air, penetrating metal shielding such as Faraday cages (e.g., a compass still works inside a Faraday cage). Since the CPU is an essential part of any computer, the magnetic covert channel is relevant to virtually any device with a CPU: desktop PCs, servers, laptops, embedded systems, and Internet of Things (IoT) devices. We introduce a malware codenamed ‘ODINI’ that can control the low frequency magnetic fields emitted from the infected computer by regulating the load of the CPU cores. Arbitrary data can be modulated and transmitted on top of the magnetic emission and received by a magnetic ‘bug’ located nearby. We implement a malware prototype and discuss the design considerations along with the implementation details. We also show that the malicious code does not require special privileges (e.g., root) and can successfully operate from within isolated virtual machines (VMs) as well. Finally, we propose different types of defensive countermeasures such as signal detection and signal jamming to cope with this type of threat (demonstration video: https://www.youtube.com/watch?v=h07iXD-aSCA).

[1]  Brent Carrara,et al.  Air-Gap Covert Channels , 2016 .

[2]  Carlisle M. Adams,et al.  Out-of-Band Covert Channels—A Survey , 2016, ACM Comput. Surv..

[3]  Steven J. Murdoch,et al.  Embedding Covert Channels into TCP/IP , 2005, Information Hiding.

[4]  Vincent H. Berk,et al.  Data exfiltration and covert channels , 2006, SPIE Defense + Commercial Sensing.

[5]  Markus G. Kuhn,et al.  Compromising Emanations , 2002, Encyclopedia of Cryptography and Security.

[6]  Mordechai Guri,et al.  LED-it-GO: Leaking (A Lot of) Data from Air-Gapped Computers via the (Small) Hard Drive LED , 2017, DIMVA.

[7]  Matthew N. O. Sadiku,et al.  Elements of Electromagnetics , 1989 .

[8]  Sebastian Zander,et al.  The New Threats of Information Hiding: The Road Ahead , 2018, IT Professional.

[9]  Stefan Katzenbeisser,et al.  Covert channels using mobile device's magnetic field sensors , 2016, 2016 21st Asia and South Pacific Design Automation Conference (ASP-DAC).

[10]  Sara Matzner,et al.  Analysis and Detection of Malicious Insiders , 2005 .

[11]  Mordechai Guri,et al.  BitWhisper: Covert Signaling Channel between Air-Gapped Computers Using Thermal Manipulations , 2015, 2015 IEEE 28th Computer Security Foundations Symposium.

[12]  Ralph Langner,et al.  Stuxnet: Dissecting a Cyberwarfare Weapon , 2011, IEEE Security & Privacy.

[13]  Markus G. Kuhn,et al.  Soft Tempest: Hidden Data Transmission Using Electromagnetic Emanations , 1998, Information Hiding.

[14]  Diego F. Aranha,et al.  Platform-agnostic Low-intrusion Optical Data Exfiltration , 2017, ICISSP.

[15]  Werner Magnes,et al.  The THEMIS Fluxgate Magnetometer , 2008 .

[16]  Sebastian Zander,et al.  Information Hiding in Communication Networks: Fundamentals, Mechanisms, Applications, and Countermeasures , 2016 .

[17]  David A. Umphress,et al.  Information leakage from optical emanations , 2002, TSEC.

[18]  Carlisle M. Adams,et al.  On Acoustic Covert Channels Between Air-Gapped Systems , 2014, FPS.

[19]  InduShobha N. Chengalur-Smith,et al.  An overview of social engineering malware: Trends, tactics, and implications , 2010 .

[20]  Rajeev Bansal,et al.  Near-field magnetic communication , 2004 .

[21]  Ivan Martinovic,et al.  WiSec 2011 demo: RFReact---a real-time capable and channel-aware jamming platform , 2011, MOCO.

[22]  D. Hill,et al.  Radio wave propagation characteristics in lossy circular waveguides such as tunnels, mine shafts, and boreholes , 2000 .

[23]  H Rogalla,et al.  - Improvement of the performance of a p-metal magnetically shielded room by means of active compensation , 2022 .

[24]  Mordechai Guri,et al.  USBee: Air-gap covert-channel via electromagnetic emission from USB , 2016, 2016 14th Annual Conference on Privacy, Security and Trust (PST).

[25]  Mordechai Guri,et al.  GSMem: Data Exfiltration from Air-Gapped Computers over GSM Frequencies , 2015, USENIX Security Symposium.

[26]  Eric Byres The air gap: SCADA's enduring security myth , 2013, CACM.

[27]  John J. Sojdehei,et al.  Magneto-inductive (MI) communications , 2001, MTS/IEEE Oceans 2001. An Ocean Odyssey. Conference Proceedings (IEEE Cat. No.01CH37295).

[28]  Mark Galeotti,et al.  The cyber menace , 2012 .

[29]  R. Ilmoniemi,et al.  Design, construction, and performance of a large-volume magnetic shield , 1982 .

[30]  Shunji Yanase,et al.  Active magnetic shielding with magneto-impedance sensor , 2002 .

[31]  Mordechai Guri,et al.  Acoustic Data Exfiltration from Speakerless Air-Gapped Computers via Covert Hard-Drive Noise ('DiskFiltration') , 2017, ESORICS.

[32]  J. S. Hofstra,et al.  Measured electromagnetic shielding performance of commonly used cables and connectors , 1988 .

[33]  H.J.M. ter Brake,et al.  Improvement of the performance of a mu -metal magnetically shielded room by means of active compensation (biomagnetic applications) , 1991 .

[34]  D. Marr,et al.  Hyper-Threading Technology Architecture and MIcroarchitecture , 2002 .

[35]  Richard Sharp,et al.  Audio networking: the forgotten wireless technology , 2005, IEEE Pervasive Computing.

[36]  Mordechai Guri,et al.  xLED: Covert Data Exfiltration from Air-Gapped Networks via Router LEDs , 2017, ArXiv.

[37]  Razvan Craciunescu,et al.  Aspects of electromagnetic compatibility as a support for communication security based on TEMPEST evaluation , 2014, 2014 10th International Conference on Communications (COMM).

[38]  Wojciech Mazurczyk,et al.  Information Hiding as a Challenge for Malware Detection , 2015, IEEE Security & Privacy.

[39]  Mordechai Guri,et al.  An optical covert-channel to leak data through an air-gap , 2016, 2016 14th Annual Conference on Privacy, Security and Trust (PST).

[40]  Martin Vuagnoux,et al.  Compromising Electromagnetic Emanations of Wired and Wireless Keyboards , 2009, USENIX Security Symposium.

[41]  R. Stephenson A and V , 1962, The British journal of ophthalmology.

[42]  Nazar Abbas Saqib,et al.  Covert channel detection: A survey based analysis , 2012, High Capacity Optical Networks and Emerging/Enabling Technologies.

[43]  Michael Hanspach,et al.  On Covert Acoustical Mesh Networks in Air , 2014, J. Commun..

[44]  Sebastian Zander,et al.  A survey of covert channels and countermeasures in computer network protocols , 2007, IEEE Communications Surveys & Tutorials.

[45]  V. Prasad Kodali,et al.  Engineering Electromagnetic Compatibility: Principles, Measurements, and Technologies , 1996 .

[46]  Mordechai Guri,et al.  aIR-Jumper: Covert Air-Gap Exfiltration/Infiltration via Security Cameras & Infrared (IR) , 2017, Comput. Secur..

[47]  R. J. Potts Emission security , 1989 .

[48]  Mordechai Guri,et al.  Fansmitter: Acoustic Data Exfiltration from (Speakerless) Air-Gapped Computers , 2016, ArXiv.

[49]  Mordechai Guri,et al.  Bridging the Air Gap between Isolated Networks and Mobile Phones in a Practical Cyber-Attack , 2017, ACM Trans. Intell. Syst. Technol..

[50]  Mordechai Guri,et al.  AirHopper: Bridging the air-gap between isolated networks and mobile phones using radio frequencies , 2014, 2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE).

[51]  Samuel Kounev,et al.  Variations in CPU Power Consumption , 2016, ICPE.

[52]  E. Paperno,et al.  Optical Magnetometry: Magnetic shielding , 2013 .

[53]  David A. Koufaty,et al.  Hyperthreading Technology in the Netburst Microarchitecture , 2003, IEEE Micro.

[54]  Mordechai Guri,et al.  Bridgeware , 2018, Commun. ACM.

[55]  V. Prasad Kodali,et al.  Engineering Electromagnetic Compatibility: Principles, Measurements, Technologies, and Computer Models , 2001 .