New Air-Gap Jumper Covertly Transmits Data in Hard-Drive Sounds (arstechnica.com)

← Back to Stories (view on slashdot.org)

New Air-Gap Jumper Covertly Transmits Data in Hard-Drive Sounds (arstechnica.com)

Posted by msmash on Friday August 12, 2016 @02:00AM from the no-escape dept.

Security researchers have found a new way to siphon data out of an infected computer even when it has been physically disconnected from the Internet -- otherwise known as "air-gap" computers -- to prevent the leakage of sensitive information it stores, reports ArsTechnica. From the article: The method has been dubbed "DiskFiltration" by its creators because it uses acoustic signals emitted from the hard drive of the air-gapped computer being targeted. It works by manipulating the movements of the hard drive's actuator, which is the mechanical arm that accesses specific parts of a disk platter so heads attached to the actuator can read or write data. By using so-called seek operations that move the actuator in very specific ways, it can generate sounds that transfer passwords, cryptographic keys, and other sensitive data stored on the computer to a nearby microphone. The technique has a range of six feet and a speed of 180 bits per minute, fast enough to steal a 4,096-bit key in about 25 minutes.

52 of 83 comments (clear)

Min score:

Reason:

Sort:

Considering that people play music by Z00L00K · 2016-08-12 02:02 · Score: 3, Interesting

Considering that people play music with floppy drives then the ability to transfer information acoustically with hard drives isn't really different.

--
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
1. Re:Considering that people play music by Anonymous Coward · 2016-08-12 02:28 · Score: 3, Insightful
  
  Considering that people play music with floppy drives then the ability to transfer information acoustically with hard drives isn't really different.
  I wasn't aware of that, thank you for the link. I find things like that fascinating even if they aren't particularly useful.
  A much bigger issue with this: if you can get this program onto the air-gapped machine in the first place, haven't you already compromised it? If I could load say, a flash drive, into the air-gapped system to run this program, why can't I just copy whatever data I was after?
  Unrelated side issue: you know what's really broken about Slashdot? An AC post containing GNAA or the N-word or something like that gets downmodded in seconds (which is desirable), but lots of sincere and really informative AC posts never get modded up (which is a loss for everyone). Why the double standard? Editors have infinite mod points, so why not use them constructively? After all, I can see how someone using a work computer really wouldn't want to browse at -1. An easily offended coworker walking by and seeing a GNAA post would be really hard to explain to HR. It's a classic "guilty unless proven innocent, and even then probably still guilty" situation.
2. Re:Considering that people play music by jeffmflanagan · 2016-08-12 02:45 · Score: 1
  
  A much bigger issue with this: if you can get this program onto the air-gapped machine in the first place, haven't you already compromised it? If I could load say, a flash drive, into the air-gapped system to run this program, why can't I just copy whatever data I was after?
  This does make these air-gapped hacks much less useful, but it could be used to exfiltrate data on an ongoing basis without having to touch the hacked air-gapped machine again after it's been compromised.
3. Re:Considering that people play music by Anonymous Coward · 2016-08-12 04:38 · Score: 1
  
  Isn't it amazing what math can do?
4. Re:Considering that people play music by Qzukk · 2016-08-12 05:39 · Score: 1
  
  if you can get this program onto the air-gapped machine in the first place, haven't you already compromised it?
  Yes, but now your compromise is stuck on a computer with no way off. You drop a handful of flash drives around the target's parking lot, someone plugs it in and gets the internal network pwned... then what? Put the data back on the flash drive and hope they put it back in the parking lot? But say you're a TLA and can track/activate cellphones on demand. Sure, people aren't supposed to carry their cellphone into the secure area, but they figure if they keep it in their pocket and don't whip it out and start taking pictures, they'll be fine. They might even turn it "off" so it's OK, right? Drop some flash drives there, and turn on the guy's cellphone and listen for the k-tka-tk-tk sound. Could be a failing drive, could be the secret weapon plans.
  
  --
  If I have been able to see further than others, it is because I bought a pair of binoculars.
5. Re:Considering that people play music by blindseer · 2016-08-12 10:40 · Score: 1
  
  A much bigger issue with this: if you can get this program onto the air-gapped machine in the first place, haven't you already compromised it?
  The rules on taking data into or out of a secured location is a bit like a roach motel, you can bring things in but taking anything out is difficult. For example, I set up an air gapped system and as I recall there was little I had to do to bring in the software and source code. All I had to do was run any media through a virus check. Taking anything out meant I had to log what was taken, when, and for what reason. It came down to me just making a mental note that I would take nothing off the system, I'd leave that to my superiors as I just did not want to bother.
  This was a logical way to handle the data, as well as a near necessity. We'd have to bring in a lot of data to do our work from source code, to test data, and so forth. If we had to take as much care as what went in as much as we did to the care on taking things out we'd be spending a lot of time writing logs and not getting our work done. Also, if nothing left the system then we can be quite certain no sensitive data had left. We'd spend months or years on a project where nothing left except at the very end where the finished project was written to a disk or tape, the project shut down, and the system re-tasked to some other project.
  
  --
  I am armed because I am free. I am free because I am armed.
Unusable by Anonymous Coward · 2016-08-12 02:03 · Score: 1

Nice theoretical attack, but in practise a HD that makes sounds like this is easy to spot. Just listen.
I remember fondly the drives for the C64 that made music, though.
1. Re:Unusable by Opportunist · 2016-08-12 02:22 · Score: 2
  
  Just pretend you're defragging and people won't question it.
  Most people don't even understand or know half of what's going on in their computer. If the HD suddenly starts to act up, most would probably just assume that Windows is "doing its thing".
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
April fools / bullshit? by BKDotCom · 2016-08-12 02:04 · Score: 1

This is some serious "Jason Bourne" hoop-jumping technology.
1. Re:April fools / bullshit? by Mr+D+from+63 · 2016-08-12 02:37 · Score: 1
  
  They should include an 'effort to success' ratio to rate these hypothetical attack vectors. In general, how hard is it vs. how likely you are to successfully apply it in a real world situation. I'd say the ES ratio here is quite high.
It's fucking air gapped. by Anonymous Coward · 2016-08-12 02:06 · Score: 1

Exactly how are you planning on getting the malware onto the machine genius? This shit is getting ridiculous.
1. Re:It's fucking air gapped. by Opportunist · 2016-08-12 02:24 · Score: 2
  
  USB Sticks"?
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
2. Re:It's fucking air gapped. by mSparks43 · 2016-08-12 02:38 · Score: 2
  
  Network booted usb reader that mounts the stick as an nfs share.
  problem solved.
3. Re:It's fucking air gapped. by Yvan256 · 2016-08-12 02:44 · Score: 1
  
  USB? You mean a connector that could be used for keyboards, mice, printers, scanners, hard drives?
  That sounds like science-fiction to me.
  Posted from 1986.
pointless stupidity by iggymanz · 2016-08-12 02:09 · Score: 3, Insightful

Of course, if I am allowed to install software on an "air-gapped" computer, I can make it transfer information by anything on it that makes noise or can be lit or even via power supply. Speakers, various fans, hard drive heads, retractable optical drive tray, locator blue LED, LCD display, even the power draw....I can manipulate all of those.
There is no point to these studies, they only belabor the obvious.
Any manager that makes some security policy based on such studies should be beaten.
1. Re:pointless stupidity by fustakrakich · 2016-08-12 02:15 · Score: 2
  
  Any manager that makes some security policy based on such studies should be beaten.
  What's wrong with building a windowless soundproof Faraday cage 500 feet underground? I'd like to see the seismographer that can read through that.
  
  --
  “He’s not deformed, he’s just drunk!”
2. Re:pointless stupidity by Opportunist · 2016-08-12 02:26 · Score: 1
  
  While true, it highlights a problem: Air-gaping a system is no silver bullet against spying. Managers who think it is should be beaten, too.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
3. Re:pointless stupidity by The-Ixian · 2016-08-12 02:33 · Score: 1
  
  Haven't you ever done something for the "cool" factor? How about because you wanted to know how something was done?
  To only read about other people doing stuff and choosing not to do it because it has already been done seems like a pretty boring way to live life...
  
  --
  My eyes reflect the stars and a smile lights up my face.
4. Re:pointless stupidity by Oswald+McWeany · 2016-08-12 02:47 · Score: 2
  
  No system is foolproof. The idea is to make it harder to crack than is worthwhile for most people to bother with.
  If you put a security system on your home, it's not because you think there aren't criminals out there who can disable them, it's because you're going to make yourself a difficult enough target that people are less likely to bother.
  Digital security is much the same. There is no system that can't be compromised, not even an air-gapped system; however you can make it ridiculously difficult that few people would bother putting in the resources to crack you.
  
  --
  "That's the way to do it" - Punch
5. Re:pointless stupidity by iggymanz · 2016-08-12 02:53 · Score: 1
  
  problem is this things are too trivial to code to even be "cool"
6. Re:pointless stupidity by iggymanz · 2016-08-12 02:55 · Score: 1
  
  you're confused, the problem here is allowing installation of malicious code. If that happens of course there is no security and all bets are off. Report for your beating.
7. Re:pointless stupidity by iggymanz · 2016-08-12 03:00 · Score: 1
  
  but the prerequisite for this particular waste of time exercise was allowing the installation of malicious code. You can secure all you want, and then if you allow someone to do that final step of putting in bad code, well guess what..
8. Re:pointless stupidity by iggymanz · 2016-08-12 03:08 · Score: 1
  
  it would need to have its own power supply, if malicious code installed beforehand the power draw can be used to communicate.
  By the way, what function does this isolated computer perform? how do people use it?
9. Re:pointless stupidity by Kjella · 2016-08-12 03:19 · Score: 1
  
  Of course, if I am allowed to install software on an "air-gapped" computer, I can make it transfer information by anything on it that makes noise or can be lit or even via power supply. Speakers, various fans, hard drive heads, retractable optical drive tray, locator blue LED, LCD display, even the power draw....I can manipulate all of those. There is no point to these studies, they only belabor the obvious.
  Where does the border between obvious and sci-fantasy (enhance, enhance, enhance) go? If my "airgap" server is next to my normal server in the same rack, can they communicate using power draw? Heat cycles, one server heating up the other? Vibration causing HDD read errors? Can I run the cables down the same canal or can you use crosstalk to steal information? Maybe I have an alarm system with motion detection and a microphone to detect movement/noise in my "top secret" room, despite the machine having no speakers could the keys be stolen from HDD noises out that way?
  How many people really need to be this paranoid? I'm not sure, it has to be serious military secrets/industrial espionage/core infrastructure to get this level of attention. But I think you need to have researchers working on whether this is actually feasible and how feasible it is, not just hand-waving it. Unless you want to say if they manage to install software we're screwed anyway but defense in depth and many layers of tripwires is better than one thick wall and free roaming on the inside.
  
  --
  Live today, because you never know what tomorrow brings
10. Re:pointless stupidity by fustakrakich · 2016-08-12 03:21 · Score: 1
  
  it would need to have its own power supply
  You're right, I forgot. Use geothermal from even deeper underground. TNX!
  By the way, what function does this isolated computer perform?
  Solitaire. What else is there?
  
  --
  “He’s not deformed, he’s just drunk!”
11. Re:pointless stupidity by iggymanz · 2016-08-12 03:32 · Score: 1
  
  as long as it plays solitaire with itself that's fine, if there's a human down there needing supplies from the surface that's a possible security hole
12. Re:pointless stupidity by MrVictor · 2016-08-12 03:53 · Score: 1
  
  Think about what we've all learned from the Snowden leaks. We now know the federal government will stoop to utterly insane levels of paranoia to spread their reach. I would not put it past them to do something like send Microsoft an NSL which forces them to include a DiskFiltration feature in all OS disk drivers just in case they ever encounter a difficult air-gapped target.
13. Re:pointless stupidity by The-Ixian · 2016-08-12 05:50 · Score: 1
  
  Glad you don't work in security.
  Joke's on you. He works in IoT security...
  
  --
  My eyes reflect the stars and a smile lights up my face.
14. Re:pointless stupidity by The-Ixian · 2016-08-12 05:58 · Score: 1
  
  How about, being able to figure out what is going on in another VM guest or on the host by paying close attention to how much guest resources are throttled/scheduled in the VM?
  
  --
  My eyes reflect the stars and a smile lights up my face.
15. Re:pointless stupidity by radarskiy · 2016-08-13 14:07 · Score: 1
  
  By that measure there is no such thing as an air gap, since it is impossible to construct a computer that contains no programming from some other source.
Step G: Whig is outraged by News-Paper Headline by Pseudonymous+Powers · 2016-08-12 02:11 · Score: 1

Speaking as someone who performs even the most simple everyday tasks by way of giant machines that invariably incorporate a bowling ball, a funnel, a teakettle, a feather duster, my uncle sleeping in an armchair, and a live hen, this attack vector seems very relevant and concerning to me.
Clicky-clacky white noise by Oswald+McWeany · 2016-08-12 02:22 · Score: 1

Play clicky-clacky-white noise in your server room to confuse any microphone.

--
"That's the way to do it" - Punch
Trivial to thwart. by Lumpy · 2016-08-12 02:23 · Score: 2

Wont work with my SSD. and honestly will not work at all on SAS drives. most places that are serious about their computing and security uses thin clients running SSD boot drives and the rack of servers are all the workstations. good luck recording the drive noises with all those fans and the libert unit running.
It may work if a target's cheap laptop is set on top of the microphone.

--
Do not look at laser with remaining good eye.
1. Re:Trivial to thwart. by Anne+Thwacks · 2016-08-12 09:41 · Score: 1
  
  libert
  Ah, yes - we have a Liebert in the bedroom to drown out our deaf neighbour watching QVC!
  
  --
  Sent from my ASR33 using ASCII
Much more stupid than that.. by thesupraman · 2016-08-12 02:24 · Score: 2

'Honest boss, I was sure the computer was secure! How was I to know the high sensitivity microphone pointed at it a few feet away, with a wire running out to the van outside and the stranger asking us to all be very VERY quiet for the next hour was a problem?'
Yes, this 'research' is pure stupidity because the methods are obvious as well as being easily mitigated if you really NEED security.
Although its not quite as stupid as the actually false and incorrect claim of using pixels to an infiltrated monitor was, which was basically all just a scam (there are NOT several x86 cpus in a monitor, the cpu that is sometimes there CANNOT read individual pixels, and you CANNOT infect them without a usb connection to the monitor).
Not to mention the obvious workaround, USE A SSD. sigh.
1. Re:Much more stupid than that.. by fustakrakich · 2016-08-12 02:34 · Score: 1
  
  Not to mention the obvious workaround, USE A SSD. sigh.
  :-) Oh no, don't do that. The RF emissions from that will have Jill Stein up in arms
  
  --
  “He’s not deformed, he’s just drunk!”
2. Re:Much more stupid than that.. by sconeu · 2016-08-12 04:38 · Score: 1
  
  'Honest boss, I was sure the computer was secure! How was I to know the high sensitivity microphone pointed at it a few feet away, with a wire running out to the van outside and the stranger asking us to all be very VERY quiet for the next hour was a problem?'
  And this goes back to rule 1 of computer security. If you don't have physical security on sensitive machines, you're screwed.
  
  --
  General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
Very interesting by turbidostato · 2016-08-12 02:29 · Score: 1

Well, very interesting were it not for the prevalence of solid-state disks with, oh, the horror, neither plates nor mechanical arms to produce sound with.
Score another point by liquid_schwartz · 2016-08-12 02:29 · Score: 1

for solid state drives. They are completely quiet.
1. Re:Score another point by EvilSS · 2016-08-12 03:09 · Score: 1
  
  for solid state drives. They are completely quiet.
  All SSDs whine to some extent. The one I have in my laptop sounds like a regular HDD in a quiet room, and it definitely varies as data is written.
  
  --
  I browse on +1 so AC's need not respond, I won't see it.
Re: faraday cage, SSD and blasting gwar soundtrack by slazzy · 2016-08-12 02:33 · Score: 1

You had me at gwar.

--
Website Just Down For Me? Find out
The Floppotron 2.0 by Yvan256 · 2016-08-12 02:38 · Score: 2

https://www.youtube.com/watch?...
Meh by JustAnotherOldGuy · 2016-08-12 02:42 · Score: 1

Interesting proof-of-concept, but ridiculously impractical in the real world.

--
Just cruising through this digital world at 33 1/3 rpm...
Is it that hard? by 140Mandak262Jamuna · 2016-08-12 02:43 · Score: 1

Penetrating networks airgapped from the internet is difficult, and this novel technique is interesting. But, in the real world, dropping a few thumb drives with malware in the parking lots or getting people to listen/watch music CD/movie DVDs with a malware payload seems to have been very effective. Bribing a janitor to plug in a thumbdrive in an exposed usb port of a computer is a lot easier.

--
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
1. Re:Is it that hard? by Anonymous Coward · 2016-08-12 03:07 · Score: 1
  
  Yes, that's how you get the initial infection. Now assuming you want data from the airgapped system, you need a way to extract that data. Maybe improvise an open-air modem with some form of sound generation on the airgapped system and a microphone on a nearby internet accessible system that you have already compromised?
Re:Sounds overcomplicated by Oswald+McWeany · 2016-08-12 02:44 · Score: 1

I would suspect the vast majority of computers that would be targeted would not have speakers. They're not going to be playing music or youtube videos on an air-gapped computer. Playing on a speaker is pointless.
This method of listening to hard drive reminds me of old spy techniques I've read about such as:
a) recording the sound a printer makes and using it to determine what was printed.
b) by pointing a laser at a window you can "listen" to what is going on inside by tracking how much the window flexes with vibrations.

--
"That's the way to do it" - Punch
What about RAID? What about server room noise? by PeeAitchPee · 2016-08-12 03:19 · Score: 1

We have dozens of 3.5" drives running in multiple arrays at various RAID levels, in a noisy server room with fans continually blasting over 70 db in the background. This trick might work in a lab, but call me when they've got the same attack vector working in a real data center environment. And, oh yeah, and against near-silent SSDs.
Limited usability? by ScienceofSpock · 2016-08-12 04:25 · Score: 1

What if the target computer only has an SSD? What if it has multiple hard drives?
Ya but... by AndyKron · 2016-08-12 05:32 · Score: 1

Ya, but can it play Bohemian Rhapsody?
Not news by davidwr · 2016-08-12 05:50 · Score: 1

If you are air-gapped for security reasons, you are also aware of other ways to exfiltrate information through the environment and through personnel and are taking precautions appropriate for your situation.
If you aren't, you are doing it wrong.

--
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Important Question... by avandesande · 2016-08-12 06:46 · Score: 1

If the computer has a RAID array will this work and will the throughput be faster ? ;-)

--
love is just extroverted narcissism
Re:What about RAID? What about server room noise? by im_thatoneguy · 2016-08-12 08:58 · Score: 1

Interestingly enough... we have one overloaded UPS so when we RDPed into it the UPS sounded its alarm. It would be really slow but you could definitely hear the UPS alarm over the 20 servers. Just increase the power draw on 10 servers you don't mind shortening the life of to overload a UPS. I bet people don't think to secure their UPS and leave it on "Default" to sound an audio alarm. One more attack vector.
That being said the best advice I ever read was that there are two kinds of attackers "Mossad and Not-Mossad" "If it's mossad, you're screwed no matter what they'll find a way in." All security is really to stop Not-Mossad. That's true of physical security, digital security, information security whatever... if Mossad wants you dead you'll die. If the CIA wants into your database they'll get in. All you can really hope to stop is a guy in Bulgaria acting alone.