Many years ago, I remember our DEC field service engineer carried a medium wave radio with him. Placed next to the PDP-11 UNIBUS wiring he could diagnose some failures just by listening to the noise (or lack of it).
How to leak data via Wi-Fi when there's no Wi-Fi chip: Boffin turns memory bus into covert data transmitter
Mordechai Guri, an Israeli cyber security researcher who focuses on covert side channel attacks, has devised yet another way to undermine air gapping – the practice of keeping computers disconnected from any external network for the sake of security. In a newly released working paper [PDF], "AIR-FI: Generating Covert Wi-Fi …
COMMENTS
-
Wednesday 16th December 2020 13:35 GMT Version 1.0
Early WiFi ? (LOL)
I wrote an EKG simulator for the company I was working for in the late 70's, written in Z80 assembler. It only had a 7-char display to tell the user the waveform type that it was generating, so I added code to wiggle the RAM bus and transmit its status via 1300MHz to an AM radio so that I could monitor it.
It worked great!
-
Wednesday 16th December 2020 14:13 GMT bombastic bob
Re: Early WiFi ? (LOL)
1300 MHz? Do you mean 1.3 MHz or 1300 kHz? (1300 MHz = 1.3 GHz, a bit fast for 1970's and Z80.)
And of course 1300 kHz would be audible on a standard U.S. AM band receiver.
This does bring up the point that it's not "wifi" per se that you'd communicate with by flipping RAM bus bits in the 2.4 GHz range. Modulation methods for wifi are far more complicated than amplitude or frequency modulation (think spread spectrum and QAM for two examples). So you'd definitely need a specialized receiver, although I expect any kind of "software radio" device would be capable of demodulating it.
That being said, there is a simple defense against this: Faraday cage. Old-style computers were metal boxen with the case relatively well grounded. Do this with a desktop computer [instead of cheapo plastic cases with metal frames] and you'll significantly impede RF transmission from the computer's motherboard. Additionally you could put metal tape and/or RF absorbing material on the inside of the case, for similar purposes. In any case, a properly designed enclosure would block RF transmissions of this nature, especially in the GHz frequency range.
-
Wednesday 16th December 2020 14:33 GMT Electronics'R'Us
Re: Early WiFi ? (LOL)
Although I agree that it is not really 'WiFi' for the reasons you cite and more, a Faraday cage is actually not what you need (there is often a misunderstanding of just what a Faraday cage actually is - it is often a mesh with the mesh size chosen to be too small for the energy to pass through).
Faraday cages are really good at containing the E (electric) field and in really old kit (think vacuum tubes) where high impedances abounded this was a good solution. In the cases where something is labelled a Faraday shield that has no openings it is really a magnetic shield.
The higher the impedance of a circuit, the more dominant the E field becomes the lower the impedance the more dominant the H (magnetic) field becomes.
Modern memory interfaces (and high speed serial links for that matter) are very low impedance (DDRx runs between 30 and 60 ohms single ended, comms interfaces are usually around 100 ohm differential with around 65 ohms on each one in the pair - the reason it is not 50 each usually is due to differential pair coupling).
In these interfaces, the H field is dominant and to contain it requires a magnetic shield; far harder to do than a Faraday cage (I know, I have had to do it to pass EMC on a few occasions).
A magnetic shield has to completely enclose the energy source and even then there will be some radiation due to imperfections in the housing.
-
Wednesday 16th December 2020 15:55 GMT Man inna barrel
Re: Early WiFi ? (LOL)
A Faraday shield (conductive enclosure) confines high frequency magnetic as well as electric fields. Look up "skin effect", which shows how far an EM field can penetrate into a conductor. The higher the frequency, the thinner the skin. The magnetic shielding effect is due to alternating currents induced in the shield, which oppose the incident field. Actual magnetic shielding (high permeability sheet) is sometimes needed to screen low frequencies, such as audio, but I have not seen anything like that for many years.
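As an added illustration of the skin-effect argument in the comment above (this is not code from anyone's post or from the AIR-FI paper): skin depth and the resulting absorption loss of a thin metal panel, compared at audio frequency and in the 2.4 GHz band. The copper and aluminium constants are textbook values; the mu-metal resistivity and permeability are an assumption, since they vary widely by grade and field strength.

```python
import math

MU0 = 4 * math.pi * 1e-7  # permeability of free space, H/m

# Rough material constants: resistivity in ohm-metres, relative permeability.
# Copper and aluminium are textbook values. The mu-metal figures are an
# assumption for low-field, low-frequency use; its permeability collapses
# well below 1 MHz, so it is only evaluated at audio frequency here.
COPPER = {"rho": 1.68e-8, "mu_r": 1.0}
ALUMINIUM = {"rho": 2.65e-8, "mu_r": 1.0}
MU_METAL = {"rho": 6.0e-7, "mu_r": 20000.0}


def skin_depth(freq_hz, material):
    """Skin depth delta = sqrt(rho / (pi * f * mu0 * mu_r)), in metres."""
    return math.sqrt(
        material["rho"] / (math.pi * freq_hz * MU0 * material["mu_r"])
    )


def absorption_loss_db(thickness_m, freq_hz, material):
    """Absorption loss of a solid sheet, A = 8.686 * t / delta, in dB.

    This is only the attenuation the field suffers passing through the
    metal itself. Reflection loss at the surfaces is ignored, and so is
    leakage through seams, vents and cable ports, which in practice sets
    the real-world limit (as the comment about imperfections in the housing
    points out).
    """
    return 8.686 * thickness_m / skin_depth(freq_hz, material)


def shield_report(thickness_m=0.5e-3):
    """Compare a 0.5 mm sheet at 1 kHz (audio) and 2.4 GHz (Wi-Fi band).

    Returns (material, frequency_hz, skin_depth_m, absorption_db) tuples.
    """
    cases = [
        ("copper", 1e3, COPPER),
        ("copper", 2.4e9, COPPER),
        ("aluminium", 1e3, ALUMINIUM),
        ("aluminium", 2.4e9, ALUMINIUM),
        ("mu-metal", 1e3, MU_METAL),  # audio only, see note above
    ]
    return [
        (label, f, skin_depth(f, mat), absorption_loss_db(thickness_m, f, mat))
        for label, f, mat in cases
    ]


if __name__ == "__main__":
    for label, f, d, a in shield_report():
        print(f"{label:10s} {f:>12.0f} Hz  skin depth {d * 1e6:10.2f} um"
              f"  absorption {a:8.1f} dB")
```

A 0.5 mm aluminium panel gives thousands of dB of absorption at 2.4 GHz but under 2 dB at 1 kHz, which is why ordinary metal cases work against GHz bus emissions while audio-frequency magnetic fields call for mu-metal.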
-
Wednesday 16th December 2020 22:47 GMT Martin an gof
Re: Early WiFi ? (LOL)
The Sonifex broadcast "cart" machines I have languishing in the garage have mu-metal cans over their motors, and one of the sets of loudspeakers I have (probably the Wharfedales) has the driver magnets shielded in the same way to allow their use close to CRT televisions or monitors.
I seem to remember it was quite expensive stuff though, so not really suited to manufacturing a whole computer case :-)
M.
-
Saturday 19th December 2020 01:54 GMT MachDiamond
Re: Early WiFi ? (LOL)
"A magnetic shield has to completely enclose the energy source and even then there will be some radiation due to imperfections in the housing."
Great explanation. It still points up the two major hurdles in the attack. One is getting the malware loaded and the second is getting a receiver close enough for good Signal/noise and bandwidth. The malware will need to be rather sophisticated too if the purpose is to exfiltrate data. Lots goes on behind the scenes of most computers that isn't of any interest. Not a problem if you have lots of bandwidth and can sift later, but a big issue if you don't.
-
Saturday 19th December 2020 01:09 GMT jake
Proper form is on the top right corner, with the speaker facing into the room. Top left corner if you're a southpaw.
I was at a meeting of the Homebrew Computer Club in 1977ish when someone (Steve Dompier?) demonstrated that trick with an Altair 8800. It took him about 30 minutes of toggling switches to get it to play "Fool on the Hill" or "Bicycle Built for Two". Someone watching (Roger Melen? There were several CROMEMCO folks there that day, if I remember correctly ...) was overheard to say that it was the most useful thing he'd ever seen a personal computer do. Kind of sad commentary on what was going on with computers in Silly Con Valley back in the day ... Still, onwards & upwards!
-
Wednesday 16th December 2020 15:52 GMT Eclectic Man
Re: Shirley ...
I have often wondered how the super-villains manage to employ so many men (and sometimes women, but mostly men) prepared to die fighting overwhelming national army style forces while their 'boss' jumps ship / plane / oil rig / satellite / whatever. They must inspire such loyalty.
-
Thursday 17th December 2020 07:43 GMT Anonymous Coward
Re: pedant says...
That it was technically Flavor-Aid if you're being pedantic, and part of the rise of the phrase "drank the Kool-Aid" can also be tied in part back to the Merry Pranksters.
Kool-Aid may have had stronger branding by the time Guyana happened, and the Pranksters had already caused Kool-Aid to have "extra" associations in the counter culture. So the phrases and events seem to have gotten mixed together, as the two ideas collided in the popular consciousness and media. Without those mixed associations the phrase might have been a bit too grim to catch on the way it did, but since it has been fully co-opted it no longer carries the strong associations its origins once carried.
Language changes. "Ring around the Rosies" directly addresses the symptoms of dying of the Black Plague. Since we can treat that with antibiotics now, it became a harmless and largely meaningless nursery rhyme. Once something becomes idiomatic, it can detach any cultural anchoring to its origin.
-
Thursday 17th December 2020 08:32 GMT jake
Re: pedant says...
Yes, the Jonestown folks used Flavor Aid. But the vernacular term has nonetheless been Kool-Aid ever since, much to the chagrin of Kraft Foods. (Hormel has similar issues with Spam and SPAM, both of which are the spiced ham product ... junk email (and other text messages) should be referred to as spam, no caps.)
The Pranksters weren't into Kool-Aid, they did Jello-shots. And it was an amusing diversion, nothing else. Not a lot of control issues with that crowd (unless you were playing poker with them in La Honda ... but those stories will have to wait for the book).
" "Ring around the Rosies" directly addresses the symptoms of dying of the Black Plague."
No. Mid-20th century myth.
-
Thursday 17th December 2020 14:14 GMT Eclectic Man
Re: Shirley ...
I confess to having forgotten about Mr Cohen. However, he does seem to have changed his opinion of Mr Trump:
https://www.bbc.co.uk/news/world-us-canada-54060687
"Donald Trump behaves like a mobster and has "a low opinion of all black people", according to the US president's former lawyer Michael Cohen."
-
Wednesday 16th December 2020 09:24 GMT Anonymous Coward
Re: Better computer cases?
The case attenuates it down to a permissible level. A tuned receiver in close proximity could still pick up a deliberately modulated signal. You must also consider all the cables connecting to the PC can act as antennas through secondary emission. They pick up the modulated signal from inside the case and re-radiate it outside.
Sensitive networks are quite often optical fibre, airgapped and housed in a building shaped Faraday cage. And the power feeds are filtered. And the people are filtered for any sort of non-volatile storage media. :-) That gets you quite far along the way to mitigating this sort of thing.
-
Wednesday 16th December 2020 12:55 GMT My other car WAS an IAV Stryker
Re: Better computer cases?
"[A]ll the cables connecting to the PC can act as antennas through secondary emission."
Proper opto-isolation of all in/out contacts yields only a very short antenna trace at the ports themselves. The cables should only be carrying the intended traffic and not extra noise/data.
Plus, a shielded cable with proper contact at the connector shell going to chassis ground should also act as a Faraday cage in both directions: don't broadcast anything, don't allow noise to mess with the data flow inside.
With everyone using laptops for WFH rather than proper metallic-boxed towers, I think arguing about cases (and cables) may be moot. Not sure what's underneath the plastic shell, if anything.
-
Wednesday 16th December 2020 15:02 GMT doublelayer
Re: Better computer cases?
"With everyone using laptops for WFH rather than proper metallic-boxed towers, I think arguing about cases (and cables) may be moot. Not sure what's underneath the plastic shell, if anything."
Doesn't really matter. Anyone using a laptop to work from home isn't trying to airgap said laptop, nor would they be taking any of the other security precautions that this is intended to get around. An attacker can attack that laptop as they use it to read emails or participate in meetings or just walk in and take it. Airgapping is useful for devices that need a lot more security than that, and usually the place that wants it airgapped will decide not to put it in an employee's house unless they very much trust that employee to keep it secure.
It's useful to keep in mind that this exploit only works if you meet three conditions: a) you can get to the airgapped machine in the first place to install malware on it, b) you can put another device near it to pick up the transmissions and relay them on, and c) you can't just steal what you want when you're installing the malware. If a machine is easier than that to attack, the attacker doesn't need something this complex to do it.
-
Wednesday 16th December 2020 16:03 GMT Eclectic Man
Re: Better computer cases?
The physical security requirements for highly secure offices generally include locking away all mobile phones, electronic devices and non-secure laptops in secure storage before entering the office. In some cases the entire building is built from the ground up as a Faraday cage, has no windows, and a filtered mains electricity supply.
I don't know about the new* smart watches, though. They certainly communicate wirelessly, and can contain a reasonable amount of RAM (my Garmin sports watch that I got last year is still not 'full', although that may be due to me not running as much as I should). It would be interesting if the attack could be demonstrated using an Apple Watch or Samsung equivalent.
*I'm an old fogey, I know they've been around for years really.
-
Wednesday 16th December 2020 17:34 GMT doublelayer
Re: Better computer cases?
That would work rather well as a listener. Even low-end devices can have enough storage to cache data sent to them over a workday. The open-source PineTime watch has 4.5 MB of flash, and the proof of concept can only transmit at 12.5 bytes/sec. That allows for four straight days of collection on a watch which can easily sync back as the attacker goes home. If you wanted to execute a plan like that, your idea is a good one.
However, it doesn't change the requirements. If you consistently work in the secure building and were able to install malware on the target computer, you can probably also go to the secure computer and make it do things. Especially so as you need to be very close to it for the transmission to be received by your sneaky watch. If you do have access, it might be easier just to make the computer disclose information a faster way, whether that's copying to media, converting to QR codes displayed on screen, or just bringing it up for you to peruse.
-
Wednesday 16th December 2020 22:59 GMT John Brown (no body)
Re: Better computer cases?
"However, it doesn't change the requirements. If you consistently work in the secure building and were able to install malware on the target computer, you can probably also go to the secure computer and make it do things."
Assuming the "attacker" needs to be a person working there so the smartwatch can act as the receiver. Just how secure and locked down are smartwatches? Maybe you just need to get within Bluetooth/WiFi range of a "target" who works there and compromise it remotely? (presuming you also found a way to compromise the airgapped device too)
-
Wednesday 16th December 2020 23:13 GMT doublelayer
Re: Better computer cases?
That sounds nearly untenable. For one thing, a smartwatch that can be used for the attack needs to be thoroughly reprogrammed. The controlling firmware needs to control the wireless receiver, Bluetooth or WiFi, with sufficiently granular control to make it use a completely different protocol. That's much easier to do with a watch you control rather than someone else's. It's also not easy to replace firmware on a device you can't compromise yourself; firmware updates for nearly every brand of smartwatch are signed binaries uploaded through an encrypted BLE connection. While not inconceivable, actually finding someone, identifying their device, writing firmware which can use the hardware and leave the device functional enough to fool its user, and uploading it without controlling the device itself or the phone talking to it are rather difficult tasks.
The real problem though is that, if you succeeded in doing this, it might not help very much. Watches are really small, so their antennas are short and their batteries can't withstand much use. This means that the range to receive or transmit from a watch is quite low. Also, frequent use is going to kill that battery. An attacker who knows that the watch is supposed to listen to a machine can place it close to the machine and remember to charge it frequently. Someone who doesn't know that is likely to be out of range a lot of the time and become very annoyed when their fitness tracker's battery life suddenly drops (it would be very noticeable). Even if they do succeed in receiving the data, the attacker needs to get it back from the watch. Their only hope is to keep meeting the person with the compromised watch so they can get a daily download, but because of the range limitation, they will have to be physically close to the person with the watch quite frequently. That makes getting the data out hard if there's any information to get after the user unexpectedly went out of range for most of the day.
-
Wednesday 16th December 2020 09:29 GMT jake
Ever notice ...
... that most (all?) of the so-called "exploits" demonstrated by these folks require that first the attacker has unsupervised access to the machine(s) and/or network in question?
I don't know where they went to security school, but back in my day such a scenario was considered game-over.
-
Wednesday 16th December 2020 09:38 GMT Anonymous Coward
Re: Ever notice ...
Have you ever encountered any form of computer that is completely unmolested by a potential adversary?
You must treat everything as already compromised by the time you receive it - manufacture, supply chain, or predecessor. So add defence-in-depth.
Ideally the hardware would be 100% pristine and bug-free, the OS would then be installed from scratch from a known-uncompromised source (yeah, good luck!), and the whole thing replaced anytime anybody else touches it (despite whatever clearances they possess). In reality you mitigate what you can and develop a strong sense of paranoia.
-
Wednesday 16th December 2020 10:06 GMT jake
Re: Ever notice ...
"Have you ever encountered any form of computer that is completely unmolested by a potential adversary?"
Sure. My Heath H11 in the corner, the DEC kit downstairs, the IBM 1401 next to it ... But even those are trivially exploitable if the adversary has unsupervised access to them. Which was my point.
-
Wednesday 16th December 2020 11:12 GMT Charlie Clark
Re: Ever notice ...
When it comes to espionage getting access to the hardware is considered sine qua non and in most situations it will be possible at some point. There was a point where the spooks were worried about mobile phones because the hardware is harder to compromise and thus subvert but they seem to have found since.
While attacks like this are impressive and make for great films, low-fi tech is often the weapon of choice because it's so reliable. And when it's not possible, bribery is usually a good alternative.
-
Wednesday 16th December 2020 09:44 GMT Annihilator
Re: Ever notice ...
True - but what they appear to be demonstrating is a method to ex-filtrate (if that's even a word) data from a machine that to the operator appears unable to do such a thing.
Is pretty cool, suspect such a thing could also be achieved by blinking a status light or something.
-
Wednesday 16th December 2020 10:31 GMT Cuddles
Re: Ever notice ...
"Is pretty cool, suspect such a thing could also be achieved by blinking a status light or something."
Yep. Hard drive light - https://www.theregister.com/2017/02/23/hard_drive_light_used_to_exfiltrate_data/
Router light - https://www.theregister.com/2017/06/06/data_exfiltration_with_routers_leds/
Also monitor pixels, LCD brightness, drive noise, power cables, case temperature, and basically any property of a computer that can be in any way controlled or monitored. Every time you see a headline about getting data out of a computer in some seemingly insane way, you can pretty much guarantee Ben-Gurion University is involved.
As for the inevitable whining about these attacks not being practical because it requires access to the machine, that remains just as stupid as ever. Just because an attack requires physical access doesn't mean it's irrelevant because then an attacker could just do anything they want. We even have a variety of names to describe some of the circumstances where physical access is very relevant. It usually involves either compromise of something you trust, as in supply chain attacks, or access for a short time, as in evil maid attacks. In both cases, physical access provides the initial compromise, but the attacker still needs some way to actually do anything afterwards.
That's the entire point of this sort of research. The traditional approach to guarding against attacks like that is to air-gap machines - don't connect to the internet, block off the USB ports, and so on. Even if your supply chain is compromised, it doesn't matter because you never connect to the outside world anyway. What Ben-Gurion keep showing is that there are all kinds of ways to get data out that aren't normally protected against. It doesn't matter that the proof-of-concepts aren't usually especially practical or that most of them are fairly trivial to block once you know about them. If you're paranoid enough to worry about evil maids and supply chains, you also need to be paranoid enough to do more than assume that just because you haven't plugged an internet cable in everything must be secure.
-
Wednesday 16th December 2020 12:49 GMT Jason Bloomberg
Re: Ever notice ...
"Every time you see a headline about getting data out of a computer in some seemingly insane way, you can pretty much guarantee Ben-Gurion University is involved."
I knew it would be them before I even read the article. Pretty much one-trick ponies but it gets them a regular supply of free publicity.
-
Wednesday 16th December 2020 17:12 GMT Anonymous Coward
Re: Ever notice ...
Bit more than 3-4 sorry. 18 years ago I was involved with a dc build that had 47U cabs specified with solid front doors to stop the jabber light on switches exfiltration method and lots of other hoops because the end user had good cause to *REALLY* care about these things.
https://en.wikipedia.org/wiki/Van_Eck_phreaking
-
Wednesday 16th December 2020 10:45 GMT Randolf McKinley
How cool
It never ceases to amaze me the ways people come up with to compromise stuff. And more so that, once they've been pointed out by someone else, most of them become pretty obvious and are simple in concept.
It must be a right fun job, thinking up these exploits and implementing them. I just don't have the imagination.
And certainly, as others have pointed out, the immediate practicality doesn't matter. It's the awareness of the possibilities that matters, because being aware of the possibility means you and others can mitigate against it. And to remember people who come up with these things don't all work for the good guys. If any of them can be called good guys.
-
Wednesday 16th December 2020 11:07 GMT Stuart Castle
I do find stuff like this fascinating, and I daresay it could be dangerous.
However, I question how useful it is. I have no problem believing that the various security services would be able to put it in place. After all, as one of the CIA analysts in the Zero Days documentary (excellent doc on Stuxnet) said they have decades of experience getting equipment into and out of places that are not supposed to be accessible.
The problem is that Wifi, even with dedicated hardware, has a very limited range. It's likely to be considerably more limited when using hardware not designed for the purpose. This isn't necessarily a problem, as depending on what you are doing, it may be feasible to leave an SBC (such as a Raspberry Pi or Arduino) in the vicinity controlling the device, logging data etc. If you need live access to the device being hacked, it's potentially a different story though. You would need some way of connecting to the SBC, which may or may not be feasible.
-
Wednesday 16th December 2020 15:09 GMT doublelayer
Re: Maybe Typewriters should make a comeback
This exploit already requires that you can get access to the computer. While you can theoretically do that in the supply chain, it also requires that you can put a listener next to the computer, which requires you to be in the same place where that's used. If you have that level of access, you can also copy papers stored under similar levels of security. Theoretically, this is potentially useful if you can only get access once (but your listening device continues to work unnoticed while you're not there and get information out to you somehow), but it's not markedly different from stealing papers; you have to have physical and unsupervised access either way.
-
Wednesday 23rd December 2020 02:44 GMT Blackjack
Re: Maybe Typewriters should make a comeback
First, that's very hard to believe because the things had no memory storage. Second, 98% of people had the mechanical ones anyway, and electric typewriters were expensive and not portable at all, so it is unlikely that journalists and/or spies used them at all.
-
Wednesday 23rd December 2020 05:20 GMT jake
Re: Maybe Typewriters should make a comeback
"the things had no memory storage."
You obviously never took a look at a used ribbon, or the platen after someone absentmindedly started typing without a sheet of paper properly inserted.
In the days when early computer terminals shared desk space with typewriters it was quite common for someone to accidentally type their computer login/password pair into the typewriter instead of the computer keyboard, thus leaving them neatly on the platen, available for anyone with half a clue to read.
With that said, here's an example of the KGB bugging IBM Selectrics ... There were others.
-
Thursday 24th December 2020 17:24 GMT jake
Re: Maybe Typewriters should make a comeback
"Electric typewriters were not computers, they just let you edit one or two lines of text before pressing a key and typing them on paper, that's it."
Editing has nothing to do with clandestinely getting information from a device. If you fail to see how the ribbon and/or platen can act as machine writable, human readable device storage (to say nothing of the office trashcan full of used typewriter paper), I have an IBM Selectric with 25Kbytes of read/write tape for memory.
"My mother had two of them and they were really freaking big."
So I assume that you think an IBM S/360 was unhackable, because they were even bigger than really freaking big? Besides, my Smith Corona "Coronamatic" Portable electric typewriter is hardly what I would call massive.
-
Wednesday 16th December 2020 19:09 GMT Mike 16
RFI, Typewriters, Loyal Henchpersons
Even a 90kHz clock can be useful:
https://www.youtube.com/watch?v=EPk8MVEmiTI
Now I have to modify the Radio Music program from that clip to send Bell 103 (or maybe baudot at 850Hz shift) AFSK data.
Yes, the side panel of that machine is missing, but I can attest that it works with the panel in place.
-----
Typewriters are themselves apparently less likely than the things typed on them to be securely stored when not in use:
https://www.schneier.com/blog/archives/2015/10/soviet_spying_o.html
-----
A friend who was a radio technician in USAF told me of a coworker who claimed they could "read" the text being received by a Teletype(tm) machine by ear. A test was designed (and presumably bets were laid), and it was indeed true. (Note, IIRC, a Model 28, so _not_ distinguishing the sounds of individual type-bars.)
-
Thursday 17th December 2020 13:35 GMT Anonymous Coward
Re: RFI, Typewriters, Loyal Henchpersons
"Typewriters are themselves apparently less likely than the things typed on them to be securely stored when not in use:"
Discarded typewriter ribbons were a good source of information - especially the daisy wheel printer "plastic" ones that could only be used once.
Apparently the latter could not be used to print legal documents. It is possible to lift printed characters off the paper and replace them with an amendment.
-
Wednesday 16th December 2020 19:33 GMT a_yank_lurker
Academic Exercise (sort of)
These types of exploits always strike me as requiring many steps to go right for them to be used. Also, I wonder exactly how close you have to be to receive the signal. This distance always seems to be not stated, which makes me suspect it may be 100 meters under ideal conditions and under more realistic conditions may be 10 meters or so. Distances that tend to make someone trying to snoop a bit obvious in many situations.
-
Thursday 17th December 2020 07:57 GMT Jakester
Back in the day (late 1970's) I worked at a military installation. Our new DEC VAX 11/780 was installed in a grounded Faraday cage with the incoming power lines filtered to keep RF from escaping. And yes, it was cold in there; in the middle of summer we wore hats, ear-muffs, winter coats. We also wore gloves most of the time, except when having to type.
-
Thursday 17th December 2020 17:28 GMT Mike 16
Bundled up in the computer room
Oddly, one of the first uses of "AM Radio receiving RFI from computer" I ever encountered involved hanging out in the (not arctic) room next door to the "you could hang meat in here" computer room. The distinctive tone of the "Idle, waiting for next job" loop cued us to suit up and attend to the needs of the Frozen one. Other (thankfully less common) tones included "blocked on I/O", e.g. card jam.
-
Thursday 17th December 2020 14:18 GMT Canary64
Many devices have an ethernet cable - can transmit by varying line speed ...
REF: Etherify 1 "soft tempest" demo.
Distance is about 10m, through a concrete wall, located in an area with a lot of electromagnetic interference. Receiver is an rtl-sdr with a simple 1/4 wavelength wire antenna, fldigi used for decoding.
https://www.youtube.com/watch?v=ueC4SLPrtNg