GSMem: Data Exfiltration from Air-Gapped Computers over GSM Frequencies

Air-gapped networks are isolated, separated both logically and physically from public networks. Although the feasibility of invading such systems has been demonstrated in recent years, exfiltration of data from air-gapped networks is still a challenging task. In this paper we present GSMem, a malware that can exfiltrate data through an air-gap over cellular frequencies. Rogue software on an infected target computer modulates and transmits electromagnetic signals at cellular frequencies by invoking specific memory-related instructions and utilizing the multichannel memory architecture to amplify the transmission. Furthermore, we show that the transmitted signals can be received and demodulated by a rootkit placed in the baseband firmware of a nearby cellular phone. We present crucial design issues such as signal generation and reception, data modulation, and transmission detection. We implement a prototype of GSMem consisting of a transmitter and a receiver and evaluate its performance and limitations. Our current results demonstrate its efficacy and feasibility, achieving an effective transmission distance of 1 - 5.5 meters with a standard mobile phone. When using a dedicated, yet affordable hardware receiver, the effective distance reached over 30 meters.

[1]  Wim van Eck,et al.  Electromagnetic radiation from video display units: An eavesdropping risk? , 1985, Comput. Secur..

[2]  R. J. Potts Emission security , 1989 .

[3]  Markus G. Kuhn,et al.  Soft Tempest: Hidden Data Transmission Using Electromagnetic Emanations , 1998, Information Hiding.

[4]  Township Hall,et al.  Important information , 1998 .

[5]  George L Stefanek Anatomy of an attack , 2002 .

[6]  Markus G. Kuhn,et al.  Compromising Emanations , 2002, Encyclopedia of Cryptography and Security.

[7]  Susan Young,et al.  Anatomy of an Attack , 2003 .

[8]  Harald Welte Anatomy of contemporary GSM cellphone hardware , 2010 .

[9]  Nitesh Saxena,et al.  A closer look at keyboard acoustic emanations: random passwords, typing styles and decoding techniques , 2012, ASIACCS '12.

[10]  Ralf-Philipp Weinmann,et al.  Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks , 2012, WOOT.

[11]  Muhammad Shiraz,et al.  A Study on Anatomy of Smartphone , 2013 .

[12]  Quanyan Zhu,et al.  An impact-aware defense against Stuxnet , 2013, 2013 American Control Conference.

[13]  Michael Hanspach,et al.  On Covert Acoustical Mesh Networks in Air , 2014, J. Commun..

[14]  Wenyuan Xu,et al.  WattsUpDoc: Power Side Channels to Nonintrusively Discover Untargeted Malware on Embedded Medical Devices , 2013, HealthTech.

[15]  Wenyuan Xu,et al.  Current Events: Identifying Webpages by Tapping the Electrical Outlet , 2013, ESORICS.

[16]  Aurélien Francillon,et al.  Implementation and implications of a stealth hard-drive backdoor , 2013, ACSAC.

[17]  Jan Sölter,et al.  Efficient Power and Timing Side Channels for Physical Unclonable Functions , 2014, CHES.

[18]  Mordechai Guri,et al.  Trusted Detection of Sensitive Activities on Mobile Phones Using Power Consumption Measurements , 2014, 2014 IEEE Joint Intelligence and Security Informatics Conference.

[19]  Michael Hanspach,et al.  Recent Developments in Covert Acoustical Communications , 2014, Sicherheit.

[20]  Milos Prvulovic,et al.  A Practical Methodology for Measuring the Side-Channel Signal Available to the Attacker for Instruction-Level Events , 2014, 2014 47th Annual IEEE/ACM International Symposium on Microarchitecture.

[21]  Mordechai Guri,et al.  AirHopper: Bridging the air-gap between isolated networks and mobile phones using radio frequencies , 2014, 2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE).

[22]  Mordechai Guri,et al.  BitWhisper: Covert Signaling Channel between Air-Gapped Computers Using Thermal Manipulations , 2015, 2015 IEEE 28th Computer Security Foundations Symposium.