Researchers submit PoC for AirHopper malware to steal data from a computer without internet connection
Researchers at Ben Gurion University in Israel have developed a proof of concept that allows an attacker to send and receive data from a machine kept completely isolated from the internet. The technique transmits information from the machine to a mobile device that has been specially set up for the purpose; the mobile device later forwards that data to the outside world using ordinary channels such as the internet or SMS.
Getting such malware onto the machine can be done in multiple ways, as the spread of the Stuxnet malware demonstrated. If data has to be stored on such a machine, it has to be transferred onto the device somehow, and an attacker can take advantage of this to get malware onto the system, for example via hard drives or third-party software. The hard part is getting the data out of the system, since the system is ‘offline’.
Ben Gurion researchers demonstrated sending this data using radio signals.
The proof-of-concept malware they have created, dubbed “AirHopper,” uses the infected computer’s graphics card to emit electromagnetic signals to a nearby mobile phone that’s set up to capture the data.
“With appropriate software, compatible radio signals can be produced by a compromised computer, utilizing the electromagnetic radiation associated with the video display adapter. This combination, of a transmitter with a widely used mobile receiver, creates a potential covert channel that is not being monitored by ordinary security instrumentation,” the experts wrote in a paper published on Wednesday.
How does it work?
The entire process can be broken down as follows:
- Get the malware onto the target machine
- Get malware onto one or more mobile devices (which will be used as the medium for sending the data)
- Set up a channel of communication with the infected mobile device(s)
- Relay the signals received from the target machine to the attacker
Once the devices are infected, the attacker utilises the mobile device’s FM radio to receive the radio signals being sent out by the targeted machine. Once the data reaches the mobile, it can be transmitted to the outside world normally via internet or an SMS text message.
What makes this technique dangerous is the tendency of companies to adopt bring-your-own-device (BYOD) policies. This exposes a huge number of devices to infection by such malware and to being used as a potential channel for an attack.
The research shows that this technique can be used effectively over a distance of up to 7 meters (23 feet), which means the attacker does not necessarily have to be in the same room as the isolated machine; being in the corridor outside the room is enough. It may sound like a difficult threat to carry out in reality, but it is not beyond the reach of modern attackers.
At the recently concluded Black Hat security conference in Amsterdam, Adi Shamir, professor of Applied Mathematics at the Weizmann Institute of Science and one of the inventors of the RSA algorithm, presented a different technique that can be used to bypass air gap security. His technique used light as a medium.
His technique involves flashing a laser at the lid of a scanner connected to a computer, and this attack can be used over much longer distances, up to approximately a kilometer. This technique has also proved very effective in transmitting data from an isolated computer.
The potential target needs no internet connection to leak the data it holds; however, the bigger problem remains getting AirHopper onto such a target in the first place.
Resource: PoC of AirHopper (downloadable PDF)