LAN traffic can be wirelessly sniffed from cables with $30 setup, says researcher

An Israeli researcher has demonstrated that LAN cables' radio frequency emissions can be read by using a $30 off-the-shelf setup, potentially opening the door to fully developed cable-sniffing attacks. Mordechai Guri of Israel's Ben Gurion University of the Negev described the disarmingly simple technique to The Register, …

  1. Pascal Monett Silver badge

    I thought LAN cables were shielded

    Okay, I agree that nothing is perfect, but it seems a bit of a stretch to say that you could detect LAN traffic from tens of meters away by "listening" to a shielded cable.

    You might be able to do it from the other side of a wall, but if you want to target a specific cable, good luck.

    I accept this could work if you can set it up in the server room, but then we're back to the Primary Rule : if you have access, security is gone.

    1. cyberdemon Silver badge
      Holmes

      Re: I thought LAN cables were shielded

      If the cable happens to be running through the middle of a completely shielded RF anechoic chamber that also happens to house your SDR (i.e. in RF terms you are in the middle of nowhere - just you and the ethernet cable) then this might be plausible. I bet the software on the SDR didn't cost $30 to develop and I bet it can't cope with more noise than a statically-charged mosquito.

      1. HildyJ Silver badge
        Facepalm

        Re: I thought LAN cables were shielded

        I can picture Lucy Liu doing this in Charlie's Angels.

        In real life, not so much.

      2. Anonymous Coward

        Re: I thought LAN cables were shielded

        The HackRF in general isn't cheap. However, cost is relative with these things.

        If it costs you say $10000 to swipe credentials and keys to access millions of dollars of R&D...is $10k expensive?

    2. Chris G Silver badge

      Re: I thought LAN cables were shielded

      I was also under the impression that shielding was grounded; in this case that would help to eliminate induced current in the shielding, which I guess may be readable with the right gear.

      I was also under the impression that an air gap was no connection to anything that could communicate with external comms, or is this exploit referring to lan on internal networks?

      1. Anonymous Coward

        Re: I thought LAN cables were shielded

        Isn't a local area network by definition internal?

    3. katrinab Silver badge
      Meh

      Re: I thought LAN cables were shielded

      Your server room will have lots of cables, and lots of data traffic going over them. Trying to separate out an individual signal from all the electrical noise is going to be very difficult.

      1. Aitor 1 Silver badge

        Re: I thought LAN cables were shielded

        The evil maid could put a specialized clamp that only reads from a single cable.

        1. Julz Silver badge

          Re: I thought LAN cables were shielded

          The evil Maid might as well just plug in a 'special' cable.

          1. ChrisC Silver badge

            Re: I thought LAN cables were shielded

            That could be detectable as a brief disconnection though, whereas wrapping a pickup antenna around the existing cable isn't likely to trigger any sorts of fault/tamper alerts.

            1. Trigonoceps occipitalis Silver badge

              Re: I thought LAN cables were shielded

              If you want to snoop on an aeroplane - TEMPEST FUGIT!

            2. doublelayer Silver badge

              Re: I thought LAN cables were shielded

              Putting electronics around a cable would be detectable to someone walking in and going "What's that", though. What could work is to take the original cable, add the compromised cable, but only plug in one end and ensure the other is slightly disconnected. When someone notices that the device isn't connected, they connect it themselves or ask you to do it.

              1. Anonymous Coward

                Re: I thought LAN cables were shielded

                What if it looks like one of those plastic tags?

                re: TEMPEST

                A 1988 Compaq desktop, 4 screws in the case....45 screws holding the radiation shield in place. Electric screwdrivers to the rescue.

                1. doublelayer Silver badge

                  Re: I thought LAN cables were shielded

                  If by "one of those plastic tags" you mean a label on the cable, then they've managed some very compact designs. A listener needs not only an antenna of sufficient length to receive the signal, but also a processor to decode the signals, a mechanism to send that data to the attacker, likely wireless if this mechanism is useful, and a power source to run all of those. That's going to make for a very thick tag.

          2. JimboSmith Silver badge

            Re: I thought LAN cables were shielded

            "The evil Maid might as well just plug in a 'special' cable."

            During the cold war, during a war exercise, a facility in the UK was buttoned up tight. A team was sent to infiltrate it and got through various security doors by offering the cleaner cash. They then went from room to room tossing a tennis ball into each one with "grenade" written on it. They'd step into the room and say bang, you're dead.

    4. b0llchit Silver badge
      Boffin

      Re: I thought LAN cables were shielded

      Yes, that would be STP (Shielded Twisted Pair) cabling. However, driven by cost, many installations use UTP (Unshielded Twisted Pair) cabling.

      Most of STP is used in static installations and patches in "expensive" data centers. Proper use of STP is difficult because you must be sure that the shield is actually acting as a shield, not as a re-transmitter of the cable's internals. This is expensive.

      Most cabling, especially home installs and PC stuff, is UTP. You know, like that exceptionally cheapo cable you got with that router. And then, most consumer grade installations have no grounding to connect the shield to. Home installations are a light-fire of EMI from many gadgets and computers. Nobody cares about adding a bit of cable noise to the spectrum when they can save a few cents on each sale.

      1. Anonymous Coward Silver badge
        Boffin

        Re: I thought LAN cables were shielded

        Plus, the twists in each twisted pair help too. Basically anything emitted will have a matching inverse within the adjacent centimetre (and vice versa for picking up interference) which broadly cancels it out.

        It's not perfectly balanced and it's somewhat frequency dependent, but it's pretty effective. Unless the pairs haven't been connected correctly (which happens when electricians dabble in networking).

        1. John Brown (no body) Silver badge

          Re: I thought LAN cables were shielded

          "Unless the pairs haven't been connected correctly (which happens when electricians dabble in networking)."

          Got a call to a site. "Network never seems to reach full speed, can you take a look please?" It took a while, but then we tested the wall points. Seemed a little odd. Pulled the faceplate off and the wires were in the wrong connections. The entire building was wired that way. Clearly it was sparkies who installed it and came up with their own idea of which wire goes where and then stuck to that plan. The cost involved in re-doing it all was a little prohibitive and as far as I know, is still running like that now.

          1. Arbuthnot the Magnificent

            Re: I thought LAN cables were shielded

            I saw this before, elechickens would wire up CAT5 whichever way they thought the colours were pretty. I've had to re-terminate an awful lot of panels and sockets.

            1. Acme Tech Support

              Re: I thought LAN cables were shielded

              Used to work with access control systems. Rather than call in proper security installers, they would call in a sparkie - who would then be on the phone to us.....

              Part of the software (originally for Win3.1x) made use of the tab key. If I told him to press the tab key, there was a stony silence, wait a few seconds, then "it's the big key upper left next to the Q". I would recline the chair, feet up on my desk, and just take it easy for a bit.....

            2. Anonymous Coward

              Re: I thought LAN cables were shielded

              Maybe it's the same sort of user mentality that IT have to deal with.

              If the equipment uses electricity - it's an IT issue (jammed paper shredder, and a fire alarm system comes to mind)

              If it's cables - must be a sparkie thing?

            3. J. Cook Silver badge

              Re: I thought LAN cables were shielded

              Ah, yes. they were using TIA-568-D (for "dumbarse") for termination.

              (I don't mind if it's 568-A or 568-B, or even if something stupid, as long as it's consistent.)

          2. Steve Davies 3 Silver badge
            Facepalm

            Re: Unless the pairs haven't been connected correctly

            Doh! That's what Ethernet Testers are for.

            If the sparkies didn't test the installation then they need taking out and made to suck on 240V.

            1. the spectacularly refined chap

              Re: Unless the pairs haven't been connected correctly

              You can usually expect even the most unenlightened sparky to get a straight through connection, so basic ethernet testers will show all is OK. The problem tends to be split pairs, which need either a visual inspection or a TDR to detect.

            2. SImon Hobson Silver badge

              Re: Unless the pairs haven't been connected correctly

              And it's not at all uncommon to find that zero testing took place.

              One job I went to was to test the network cabling in a couple of offices that had been used by the same tenant but were now to be let separately. The outgoing tenant had got someone in to pull the cabling for one of the rooms back into that room and re-terminate it into a new panel in a new rack.

              It took me a while to figure out exactly what they'd done. Every point tested half-OK - two pairs were connected, two weren't, and the two connected pairs weren't always wired 1-1. Then it twigged - they'd split the pairs because the panel had each socket connected to 4 terminals top, 4 terminals bottom, and they'd wired it 8 wires top for one cable, 8 wires bottom for the next (or it could have been the other way round, sockets wired to 8 terminals top or 8 terminals bottom).

              And for good measure, a few were just in the wrong place because they'd misread the almost hand written numbers that were almost visible on the cables.

          3. Man inna barrel Bronze badge

            Re: I thought LAN cables were shielded

            I read a bit about the earliest days of telephony. The earliest setups just had a single wire, and relied on a return circuit path via the ground, or earth. It pretty soon became evident that this attenuated the signal, and allowed in interference from electrical power wiring, particularly from trams. Twisted pair wiring eliminated both problems.

            My home internet suffered a performance degradation after Openreach fiddled with some wiring outside the flat. I ended up with just one wire of the twisted pair connected. I am amazed I got any internet at all.

        2. John Miles

          Re: I thought LAN cables were shielded

          When you come to commission the link, one of the things you don't want to hear is that the guy wiring it up didn't understand twisted pair, so didn't worry where to put the black wires from each pair. Fortunately the team lead got it sorted quickly. This was a single-circuit site-to-site V11/RS-422 link, so not large, and some time ago.

      2. ChrisC Silver badge

        Re: I thought LAN cables were shielded

        "Nobody cares about adding a bit of cable noise to the spectrum when they can save a few cents on each sale."

        Everybody cares about how *much* RF noise their products generate in use, because that determines whether or not they're legally able to supply them. Far fewer people care about how *little* RF noise their products generate however, because once you've managed to get your product below the all important pass/fail limit line on the emissions plot, you aren't obliged to continue driving it down any further than that.

    5. steelpillow Silver badge
      Boffin

      Re: I thought LAN cables were shielded

      Speaking as a time-served electromagnetic compatibility (EMC) troubleshooter, shielded cables merely reduce the stray field, they do not eliminate it. Moreover, the whole system acts as an integrated antenna network; it obeys basic 19th century physics, not systems designers' diagrams. The signal will in practice be leaking out from half a dozen different places for different reasons.

    6. Wormy

      Re: I thought LAN cables were shielded

      "LAN Cable" is rather ambiguous, but assuming CAT6/CAT6A, most people use UTP - Unshielded Twisted Pair. Dealing with STP (Shielded Twisted Pair) is a pain - you have to then get shielded connectors, deal with the foil when terminating them, and the cable itself is quite a bit more expensive, and probably heavier and larger diameter.

      Generally STP is only used where it's really needed - it's recommended for a lot of outdoor runs, for example, so the shield can be tied to ground and help provide some lightning protection (and even then, a lot of outdoor-rated UTP is available).

    7. arachnoid2 Bronze badge

      Re: I thought LAN cables were shielded

      Maybe a variation on a Hak5 OMG cable https://hak5.org/collections/mischief-gadgets

    8. Matthew 25

      Re: I thought LAN cables were shielded

      Most LAN cables are UTP or Unshielded Twisted Pair

      1. Man inna barrel Bronze badge

        Re: I thought LAN cables were shielded

        Unshielded twisted pairs are very good at preventing interference. The physical principle is that balanced signals over a twisted pair cancel out the external magnetic field, with alternating loops producing opposite far field magnetic effects.

        Professional audio uses twisted pairs. Domestic hi-fi suffers from using unbalanced connections. Cables can make a difference to the sound, because there are unknown routes for signal degradation, when connecting up audio components. Part of your signal return path goes via the safety earth connection, or maybe not, depending on the kit.

    9. Stuart Castle Silver badge

      Re: I thought LAN cables were shielded

      This was my first thought. Take my building. We have, just in this building, over 200 PCs, various MFDs, several Wifi access points, hundreds of IP phones and various other devices (such as cameras, door swipe card readers and network switches) hooked up via ethernet. Most of these devices are left on, or in standby, 24/7.

      The structure of the building itself makes radio transmission/reception difficult (hence we have a need for a lot of Wifi access points). This isn't by design. the building is hundreds of years old, so radio wasn't invented when the building was designed.

      But assuming you can get a strong enough signal to read, you are going to need some processing power to sort out the thousands of signals to get the one you want. Assuming you have enough fast storage, you could dump the data to it, then process it off line, but even that's a hell of a lot of effort (and expense) for something that may not yield any useful data.

      Even under a best case scenario, you would probably need physical access to at least the building, and if you have that, there are a number of far quicker ways you can get access to the data on the network, even if it's just hooking up a single board computer somewhere in a rack with a suitably large SD, using that to sniff the network links and sending the data out wirelessly in bursts to someone elsewhere with a laptop connected to the SBC via Wifi. In most companies, a suitably talented person could just go in and change the SBC's storage device every few days. No one would think to question someone who appears to be a cleaner or security guard checking the room.

  2. Alister

    Good luck trying to sort out a single coherent stream of data from the bundles of cables shown in the rack in the header photo. If they had to artificially slow down UDP packets and transmit a single letter at a time on a single cable, I think it's going to be a while before we need worry about this in the real world.

    1. Trygve Henriksen

      I think this is imagined as being used on an airgapped computer sitting somewhere by itself in an otherwise secure facility. And then it's a means for malware that's already on it to use the patch cable someone was considerate enough to leave hanging on it to transmit the stolen data.

      1. IGotOut Silver badge

        I'd think someone would notice a link running at 1 baud pretty quickly. Heck, even a keep alive is more than that.

        1. Anonymous Coward

          "I'd think someone would notice a link running at 1 baud pretty quickly."

          So, you're familiar with Virgin broadband then?

          1. Anonymous Coward

            Actually, I've found Virgin to be pretty good.

            "So, you're familiar with Virgin broadband then?"

            I can only speak for myself but Virgin broadband is the fastest broadband I've ever had at 350Mbit download. And dealing with customer service was surprisingly straightforward unlike talktalk who lost the contract due to their inflexibility and slowness at fixing a fault.

            1. Anonymous Coward

              Re: Actually, I've found Virgin to be pretty good.

              Wow! You found someone at Vermin who didn't speak with a heavy Indian accent...

              I had them for years but their service got so bad that I gave up on them.

              Then there was the performance. Every man and their dog on my street got sold on the network back in the days of NTL (remember them?). We are still running on the NTL crappiness. At say, 7pm, if you got a 5mB download you were lucky.

              I moved to A&A and have not looked back.

              1. Matthew 25

                Re: Actually, I've found Virgin to be pretty good.

                Mine was Eurobell, then Telewest, before it became Virgin. I just have the slow connection, so that's 100Mbits down, 10Mbits up. It usually exceeds this. I have never had a problem I needed to call them about, so can't comment on customer service. The price is a bit steep though.

              2. Dave314159ggggdffsdds Silver badge

                Re: Actually, I've found Virgin to be pretty good.

                IME the Indian call centre was the one that would help. The sneery Scots apparently take great joy in being deliberately unhelpful and incomprehensible. Never had any trouble with contention ratios, even though I was in a block where most flats had Virgin.

                I mean, they're a consumer ISP, so pretty rubbish. But a lot less rubbish than most consumer ISPs. New place doesn't have Virgin available, so we're paying more for less speed, and the customer service with three different ISPs so far is noticeably worse.

        2. tj0001

          Malware transmitting data doesn't need to take over the entire connection (at 1 baud for instance).

          It can simply send out ethernet traffic (UDP packets in this case) amongst all the other full speed ethernet traffic on the wire. If they do it at a slow pace and with a certain pattern, the receiver can filter out all the other traffic to read what was being sent out.

          Obviously this is still theoretical and difficult to do, but in theory it should work, as stated in the article.

          1. doublelayer Silver badge

            If that wire goes to something else, it probably logs traffic and would notice UDP packets going to a closed port or address that isn't routable. This counts on the receiving machine just dropping the unusual UDP packets, which is what most consumer-level equipment would probably do, but if you're using two airgapped machines with a wire connecting them, you probably want to inspect traffic for an attack and give warnings about unusual packets coming along.

            1. the spectacularly refined chap

              That would generally be easily avoided on ethernet, originally designed as a broadcast medium and where even in fully switched environments misdirected packets are part of normal operation due to e.g. port flooding.

              In normal operation an ethernet NIC will inspect each incoming packet. Not addressed to this node? Throw it away. The host machine never even sees it. You can work around this by putting the NIC into promiscuous mode but that is not normal operation and does incur a performance penalty.
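A defender-side illustration of the point made in the two comments above (an added example, not code from the article or from any commenter): given constructed flow records captured on a point-to-point link, say from a switch monitor port or a NIC in promiscuous mode, it flags UDP sent off-link or to a port nothing listens on, and reports groups whose timing is suspiciously regular. The link range, the open ports and the sample records are all assumptions.

```python
"""Flag unusual UDP traffic seen on a point-to-point link (constructed example)."""
import ipaddress
from collections import defaultdict, namedtuple
from statistics import mean, pstdev

Flow = namedtuple("Flow", "t proto src dst dport")

# Assumptions: the link is a /30 joining two hosts, and the receiver only
# has these (proto, port) pairs open.  Both values are hypothetical.
LINK_NET = ipaddress.ip_network("10.0.0.0/30")
LISTENING = {("tcp", 22), ("udp", 5353)}

# Constructed flow records: "seconds proto src dst dport", one per line.
# The 192.0.2.9 lines model a slow, regular trickle of UDP to an address
# that is not on the link at all; the last line is UDP to a closed port.
SAMPLE_LOG = """\
0.0 tcp 10.0.0.1 10.0.0.2 22
0.4 udp 10.0.0.1 10.0.0.2 5353
1.0 udp 10.0.0.1 192.0.2.9 7001
2.0 udp 10.0.0.1 192.0.2.9 7001
3.0 udp 10.0.0.1 192.0.2.9 7001
3.3 tcp 10.0.0.1 10.0.0.2 22
4.0 udp 10.0.0.1 192.0.2.9 7001
5.0 udp 10.0.0.1 192.0.2.9 7001
6.1 udp 10.0.0.1 10.0.0.2 9000
"""


def parse_log(text):
    """Turn the whitespace-separated records into Flow tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, proto, src, dst, dport = line.split()
        flows.append(Flow(float(t), proto.lower(), src, dst, int(dport)))
    return flows


def unexpected_udp(flows, listening=LISTENING, link_net=LINK_NET):
    """UDP that leaves the link or hits a port the receiver has not opened."""
    out = []
    for f in flows:
        if f.proto != "udp":
            continue
        off_link = ipaddress.ip_address(f.dst) not in link_net
        closed = (f.proto, f.dport) not in listening
        if off_link or closed:
            out.append(f)
    return out


def periodic_groups(flows, min_count=4, max_cv=0.1):
    """Return {(src, dst, dport): interval} for groups with near-constant timing.

    Packets paced "at a slow pace and with a certain pattern" show up as
    inter-arrival gaps with a very low coefficient of variation; ordinary
    service traffic is burstier.
    """
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f.src, f.dst, f.dport)].append(f.t)
    found = {}
    for key, times in by_key.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found[key] = round(avg, 3)
    return found


def detect(log_text, listening=LISTENING):
    """Summarise what a monitor on the link would warn about."""
    suspicious = unexpected_udp(parse_log(log_text), listening)
    return {
        "unexpected_udp": len(suspicious),
        "periodic": periodic_groups(suspicious),
    }


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

On the constructed records this reports six unexpected UDP flows and one regularly timed group; on a real link the open-port set and the cadence threshold would need tuning to the services actually in use.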

    2. DS999 Silver badge

      Worrying in the real world

      I agree we shouldn't worry about a researcher with a $30 SDR kit. How about the NSA or similar state sponsored attackers with unlimited resources? Still think it isn't a practical attack?

      Granted you or I aren't going to have the NSA trying to snoop our home LAN, but if a researcher can do it at uselessly slow data rates I don't think we can assume it is not possible to do at full speed if someone devotes say $300,000,000 to it instead of $30.

      1. hammarbtyp Silver badge

        Re: Worrying in the real world

        "I agree we shouldn't worry about a researcher with a $30 SDR kit. How about the NSA or similar state sponsored attackers with unlimited resources? Still think it isn't a practical attack?

        Granted you or I aren't going to have the NSA trying to snoop our home LAN, but if a researcher can do it at uselessly slow data rates I don't think we can assume it is not possible to do at full speed if someone devotes say $300,000,000 to it instead of $30."

        Practical? Maybe. Useful, probably not.

        The NSA has far better resources to snoop data, from router backdoors to actually tapping the fibre networks. Even if they could capture the data from a reasonable distance and manage to pick out a single message stream, assuming the data was encrypted it would not get you very far. I think even with NSA resources this proof of concept is a long way from being usable in the real world.

        Saying that, I did hear a story of a government department who were told that they were going to be tested by the NSA to see if their systems were TEMPEST secure. They expected cloak and dagger infiltration. Instead the NSA parked a couple of black HGVs outside the building. Yes, the NSA have a lot of resources, but subtle they ain't.

        1. DS999 Silver badge

          Re: Worrying in the real world

          The NSA/CIA want to have a full toolkit to handle all situations. If they can hack in, subvert an insider, pretend to be a delivery guy and plant a bug, etc. they'll do that.

          In a situation where none of that is possible but there are LAN cables running inside an exterior wall maybe they have a "window cleaner" who hides a detector in his bag of cleaning supplies and gets the information that way.

      2. Our Lord and Savior Rahl

        Re: Worrying in the real world

        I can't remember the last time I saw an airgapped network with one machine and a single cable...

        Or one that sent any network traffic in the clear for that matter.

        Or one that wasn't actively monitored.

        Or one that wasn't in a secure site.

        Any of the above would make this challenging. All of the above make it largely irrelevant. Because if you can overcome all the above you don't need to sniff data one character at time. You've already identified the target machine and are within "10s of meters" of it, you've broken the hardware encryption on the data, sidestepped all the monitoring and broken into the secure site. You may as well just put the PC in the back of your helicopter on your way out.

    3. John Brown (no body) Silver badge

      "I think it's going to be a while before we need worry about this in the real world."

      If you have an effectively unlimited budget and the motivation, almost anything is possible for a TLA. If no one is already exploiting this opportunity, you can bet at least some TLAs are at least assessing it and possibly working on developing it.

    4. Anonymous Coward

      It isn't the rack though is it?

      Access to the "rack" means the proposed technique is pointless.

      If you have proxim access to a 100m solitary stretch of cable there is far more value.

    5. veti Silver badge

      "A while" starting from when? If this is hitting the public domain now, how long do you think GCHQ have been working on it?

  3. Binraider Silver badge

    Use fibre-optic. Problem solved? (Apart from RFI coming off the computers themselves of course).

    The reports of users being able to detect the contents of a CRT with some accuracy at very long ranges are not exaggerated.

    1. herman Silver badge

      Hmm, fibres also leak around a bend. So there are ways to non-destructively sniff a fibre.

      1. Kernel

        "Hmm, fibres also leak around a bend. So there are ways to non-destructively sniff a fibre."

        True - standard tools in the fibre trade are splicing machines that inject and extract light either side of a newly made splice to test its quality, 'fibre phones' that bend the fibre to inject/extract an optically carried analogue phone signal so that jointers can communicate between jointing chambers and fibre tracers which inject a visible laser so that a specific fibre can be identified further downstream. These all work by bending the fibre and are effective with single-mode fibres as well as multi-mode.

        That said, modern DWDM systems can also monitor each lambda and alarm for sudden small (< 1dB) level changes that might be caused by the fibre being tapped by bending it.

    2. Disgusted Of Tunbridge Wells Silver badge

      Or STP cable instead of UTP in air-gapped applications.

    3. John Brown (no body) Silver badge

      "The reports of users being able to detect the contents of a CRT with some accuracy at very long ranges are not exaggerated."

      I think I saw that demonstrated on Tomorrow's World many years ago.

      1. Disgusted Of Tunbridge Wells Silver badge
        Holmes

        Did Tomorrow's World cover the invention of the binoculars?

        1. jake Silver badge

          Monoculars ...

          ... or, rather, their big brother, the spotting scope.

          Make mine a Kowa 883.

  4. jake Silver badge

    How did I know from the headline alone ...

    ... where this "researcher" was located?

  5. steelpillow Silver badge
    Boffin

    New? Bwahaha!

    Aww, c'm on, reality check here. This kind of leakage was common knowledge in the 1980s, during my EMC Test Engineer incarnation. I usually fiddled with a twist of wire from my toolbox until it picked up a good enough signal. GCHQ offered TEMPEST courses even back then, but it was all a bit secret and I was not cleared to go on one.

    I can say that TEMPEST is more about the installation than the individual boxen; lining a whole room with turkey foil is not unknown. If you haven't TEMPESTED the whole thing properly, LAN cables included, then you don't have an air gap, you have a WiFi transmitter.

    I should imagine the field has moved on, on both sides, over the last 30-40 years.

    1. batfink Silver badge

      Re: New? Bwahaha!

      Agreed. The line about "having the potential to leak information which sysadmins may have believed were secure" gave me a laugh. What (proper) sysadmins in charge of sensitive data don't know about this kind of RF leakage?

      So this whole report is "if you have RF leakage then someone can pick it up". Yes, we know that.

      1. Anonymous Coward

        Re: New? Bwahaha!

        Yes but this one is from a "security theatre researcher" therefore it must be IMPORTANT.

        1. chuBb. Silver badge

          Re: New? Bwahaha!

          Next headline, "using a cheap clamp multimeter energy consumption can be sniffed from a smart meter (let's ignore that's how smart meters monitor the supply but hey...)"

          Or

          "Security researcher reads and understands a Primer on RF Principles"

          I wonder if his head would literally explode when standing waves and back emf are introduced in a few chapters time, "ZOMG, with 6" of tin foil strategically placed you can blow up a transceiver, think of the power lines!!!!!111!!!!111!!!!!!!"

          In all seriousness, so what? There is no reason at all to ever send anything over a digital network of any description without good enough* encryption.

          Also I bet the kit is much fiddlier to install than to strip an inch or so of outer sheathing and just IDC a tap onto the cable. If you're good, reckon you could install in under a min, and be able to super glue the sheathing back together again to make it pass a glance test when you remove the tap...

          *Even the weakest SSL1 ciphers would frustrate casual observers enough to make the decryption much more onerous than the capture, and for say a stream of data for a hobby weather station would be sufficient as the data is pretty low value

          1. J. Cook Silver badge
            Boffin

            Re: New? Bwahaha!

            THIS, seriously. Easier to find an out of the way place where the line goes, 'accidentally' cut it and 'temporarily repair' it by using termination kits to put ends on it and then putting something like a packet squirrel or some other pass-through data capture device on it. And then when you are done, take the squirrel back and put a more normal coupler on it...

    2. Anonymous Coward

      Re: New? Bwahaha!

      My workplace moved location some years back. Where we moved to was completely refurbished, and that included new dry lining on the walls with metal mesh in the gap for RF shielding. Whenever data cables pass out of this environment, the data must be encrypted.

      The shielding plays hell with mobile phone signals. Originally, mobile phones weren't allowed, but that rule was relaxed some time back. And now some of the (less restricted) data is actually held in the slightly less public parts of the cloud.

      I'm actually very surprised about the reduced security, but the end client who issues their own rules about location physical security are the people driving these changes...

      1. FIA Silver badge

        Re: New? Bwahaha!

        There’s probably a triangle somewhere with ‘Security’ on one point, ‘Convenience’ on another.

        The third is just someone crying.

    3. Julz Silver badge

      Re: New? Bwahaha!

      Having worked in a secret squirrel site, in what feels like a different lifetime ago, our TEMPEST teams were most concerned about the terminating connector as that was where most of the leakage came from. They were only really bothered about individual terminals, as that's where the most coherent data might be leaking into the world, and not the data centres. They considered it nigh on impossible to get any meaningful data over the air from there as there was so much chatter from all of the various pieces of equipment. That and the fact that they were in Faraday shielded bunkers.

      1. Anonymous Coward
        Anonymous Coward

        Re: New? Bwahaha!

        They considered it nigh on impossible to get any meaningful data over the air as the Enigma designer said to Admiral Doenitz.....

        1. doublelayer Silver badge

          Re: New? Bwahaha!

          Oh no, they knew exactly where their risk was, namely the capture of codebooks. They just didn't find out when the allies succeeded in getting some. They didn't know about the computer research either, but without the codebook theft, it would have taken a lot longer.

      2. Anonymous Coward
        Anonymous Coward

        Re: New? Bwahaha!

        Back in the late 80s my dad was in the local equivalent of GCHQ and did some work on this. I clearly remember him coming home excited because he'd been sitting in a van outside his office for the afternoon testing, and had managed to successfully see what was on someone's monitor.

        So it definitely worked - how well it would work in a crowded office we'll never know as within a few years everyone that could started switching to flat-screen monitors.

      3. steelpillow Silver badge

        Re: New? Bwahaha!

        One thing infosec folks tend to forget is that observational physicists are massively capable at screwing significant data out of noise which appears to have totally swamped the signal. It's amazing what you can do with a little bit of mathematical ingenuity and some top-flight number crunching. Think Higgs boson or gravity waves. And if they can do it...

      4. Citizen99

        Re: New? Bwahaha!

        Yet in a large screened room, when mobile phones came in, it was found that they worked inside. Not that they were allowed when operational of course, but it just shows ...

    4. Deanamore

      Re: New? Bwahaha!

      I remember reading about TEMPEST well over a decade ago with regards to detecting key strokes from a distant keyboard allowing the operative to know what was being typed whilst outside the building. Seems like that attack would still be far more useful than this one since it assumes plaintext or Noddy grade encryption for it to be any use.

      1. William1940

        Re: New? Bwahaha!

        I've a friend who "worked" on the original TEMPEST project. He can't say much except that Russian trawlers would follow naval ships and pick up what was being typed on electric typewriters.

        1. Bitsminer Bronze badge

          Re: New? Bwahaha!

          The Soviets compromised a number of IBM Selectric typewriters at the US Embassy in Moscow.

          https://www.cryptomuseum.com/covert/bugs/selectric/

          Modifications were invisible and could not be detected without x-rays. The transmitted data was slightly ambiguous but all of a document could be read or inferred.

          Presumably any IBM Selectric in use by US armed forces or intelligence or diplomatic groups was at risk of compromise.

    5. ChrisC Silver badge
      Coat

      Re: New? Bwahaha!

      "I should imagine the field has moved on"

      If it's moved on, does that mean it's no longer a near field...

      1. steelpillow Silver badge
        Pint

        If it's moved on, does that mean it's no longer a near field...

        Icon.

        No doubt the one they show off to politicians is circularly polarised.

  6. Paul Crawford Silver badge

    I guess it depends on the application as well. Given the use of https/ssh to secure most links even internally a lot of radiated data might well be impractical to decode.

    1. Anonymous Coward
      Anonymous Coward

      I'm a PM implementing applications in the public sector and the use of HTTPS as the default connection to apps is rapidly becoming ubiquitous and is mandatory for any apps handling personally sensitive data.

      1. herman Silver badge

        "HTTPS as the default connection to apps" - HTTPS protects data against casual observation, but not against a serious adversary.

        1. doublelayer Silver badge

          A serious adversary with what access? Because if they control your endpoint or if you're sent to HTTPS through plain HTTP, you're right. A lot of adversaries don't have that on either end though, so HTTPS and HSTS policies are pretty good.

      2. John Brown (no body) Silver badge

        "I'm a PM "

        Is that you Boris? I never realised you were so multi-skilled!

    2. The Basis of everything is...

      "Given the theoretical use of https/ssh to secure most links"

      I have lost count of the number of customers I've dealt with who claim they encrypt everything and yet it comes as a great surprise during pre-migration discovery that they find that although they might have TLS for end-user browsers, none of the GUI or inter-system connections and interfaces are encrypted.

      And given that we don't muck with encryption during migration (unless specifically requested and charged for) the usual result is comms stays unencrypted afterwards 'cos nobody wants to pay for the config changes, interface retesting and downtime, or more likely they don't want to explain to their own management why there's going to be a charge for stuff they've been saying for the last few years has already been taken care of.

  7. Bartholomew Bronze badge

    arxiv.org is currently offline (workaround)

    The website with the paper is down, oh well waybackmachine to the rescue: https://web.archive.org/web/20211012151924/https://arxiv.org/pdf/2110.00104.pdf

  8. Pseudononymous Coward
    Windows

    Network problem

    I am getting a "Secure Connection Failed" message when I try to open the URL to the paper.

    Or is my browser just giving me a summary of the paper's findings?

    1. Bartholomew Bronze badge

      Re: Network problem

      There appears to have been a web hosting change on 2021-10-01 ( https://sitereport.netcraft.com/?url=arxiv.org ). I am going to guess that this website outage is totally unrelated to that.

  9. Wanting more

    HTTPS etc.

    Most traffic will have some sort of encryption applied to it now? Most traffic on my network would be HTTPS web traffic, or SMB 3.0 traffic. I also upload backups to AWS and Azure and both those will be encrypted. I'm sure GCHQ and NSA could snoop on it if they wanted though.

  10. jollyboyspecial

    Well, in most buildings if you're four metres away from one LAN cable you're less than four metres away from lots of other LAN cables too. Good luck listening in to multiple LAN cables at once and managing to pull out the conversations on a single cable.

    Reminds me of the story years ago that you could point a microphone at a window from outside a building and be able to tell what somebody was typing by listening in on their keystrokes. Yes, possible in theory. Yes, possible to achieve under lab conditions. But to achieve a reliable and repeatable degree of success in the real world? I'm not holding my breath.

    1. Anonymous Coward
      Anonymous Coward

      It might with a shotgun mic with an adjustable elliptical curve. A little-known geometric trick is that any ray that passes through one focus of an ellipse and reflects off the arc must pass through the other focus.

    2. Stoneshop Silver badge
      Black Helicopters

      Not with a microphone

      Reminds me of the story years ago that you could point a microphone at a window from outside a building and be able to tell what somebody was typing by listening in on their keystrokes.

      Point a laser at the window and the reflected beam will be modulated with the keystrokes.

  11. Mike 137 Silver badge

    Important point from the abstract

    "Malicious code in airgapped computers gathers sensitive data and then encodes it over radio waves emanating from the Ethernet cables, using them as antennas."

    The first two words say it all. This is not a way to read normal traffic at speed. It requires the 'air gap' to have been compromised already. Consequently, to any electronics engineer, this is not really news.

    1. adam 40 Silver badge

      Re: Important point from the abstract

      With my electronics engineering hat on, maybe it's not great "news", but if you couple this technique with other techniques to reduce interference on RF transmission paths, this is quite significant.

      If the installed malware (for example) uses a correlation code to transmit its bits, then the receiver, which uses the same correlation code, can pull the signal out of the noise generated by all the other cables and/or the receiver front end.

      Of course, the correlation code slows down the transmitted speed by a significant factor, but if all you want to steal is an encryption key or two, this could be acceptable.

  12. Natalie Gritpants Jr Silver badge

    "even an unplugged Ethernet cable can radiate energy which is detectable"

    Highly unlikely that an unplugged Ethernet cable is going to do anything. Even if one end is plugged in to something, it will not do anything until the other end is plugged into another thing and those things negotiate a connection.

    While I'm having a moan, there seems to be a confusion between "airgap" and security. In this situation the transmitting cable is literally airgapped from the receiver, because there is an air-filled gap between them. "airgap" has never meant secure, it just means secure from network based attacks.

    1. Anonymous Coward Silver badge
      Boffin

      Re: "even an unplugged Ethernet cable can radiate energy which is detectable"

      In a normal network yes. But this research is looking at exfiltrating data from an air-gapped computer which has already been compromised.

      That means that there's a possibility that they've installed a custom driver for the network card, which could cause it to transmit even with the other end unplugged.

      Hell, it could even be modulating the negotiation signal that reveals to the NIC when something has been plugged in.

      No, I don't think it's a practical method; I do find it interesting though.

      1. batfink Silver badge

        Re: "even an unplugged Ethernet cable can radiate energy which is detectable"

        They've installed a custom driver for the network card => they've got physical access => you're already fucked.

  13. W.S.Gosset Silver badge

    Slowing the network down externally

    > [not able to] sniffing information over network cables at their full operational speeds

    You could force the speed down.

    If the cable's leaky enough to transmit, it's leaky enough to receive. Point a very narrow focus transmitter and shout noise at it. Interference intra-cable will cause a lot of dropped packets and TCP/IP will automatically step down the speed until the config'd min. quality is reached. Step up the noise till the stepdown reaches a speed you can read. Then you sniff.

    Example application: you spot TargetChap entering the building, you fire up the transmitter until the desired packet rate is reached, TargetChap sits down and logs in, you sniff his credentials. Switch off the transmitter -- the computer won't care about the transient oddity on network speed on one port, and he's not going to notice a subsecond delay on his login (or will chalk it up to common startup/initialisation delays). Job done.

    Or am I missing something obvious?

    1. Paul Crawford Silver badge

      Re: Slowing the network down externally

      Or am I missing something obvious?

      Power. Lots of it.

      I have not seen the paper, but if they are picking up a couple of microvolts at the receiver from a couple of volts of Ethernet signal, to reverse it and inject the same signal you would be at the megavolt level on the transmitter side.

      Someone will notice that! In fact, most folk for miles around trying to use any radio service at all...

    2. IGotOut Silver badge

      Re: Slowing the network down externally

      It's so slow the link would be utterly unusable.

      The tcp chatter trying to work out what's going on would drown this out instantly.

    3. the spectacularly refined chap

      Re: Slowing the network down externally

      Nor does it actually slow down anything in a manner relevant to this kind of intercept. The link on the wire continues to operate at full speed. What TCP will do is reduce the window size, which when combined with network latency has the effect of reducing average speed. However that adopts the form of sending packets less frequently - each one is still full speed and thus no easier to decode, there are just gaps in-between them.

  14. Ian Johnston Silver badge

    Meh. They did this in Ocean's Eleven.

  15. Bogbody

    Black Helicopters

    An ex-coworker was doing this sort of thing 20+ years ago with a shortwave radio. He could sniff RS232 with ease. The same basic technique would work for ethernet (better radio/decoding needed of course).

    I'll bet the Black Helicopters have a much better way of doing it and have been using the method for decades.

    1. Phil O'Sophical Silver badge

      Re: Black Helicopters

      RS232 signalling is unbalanced, and easy to sniff. Properly-terminated twisted pair carries balanced signals and should have minimal leakage from the cable itself; most of the limited leakage will be from connectors or the patch panel.

  16. DwarfPants
    Coat

    I Knew it

    "What this shows is that even an unplugged Ethernet cable can radiate energy which is detectable." When a network cable is unplugged all the packets fall out of the end onto the floor. I have warned people.

    1. b0llchit Silver badge
      Joke

      Re: I Knew it

      The fallen packets have a slow decay-rate because the RTT goes to infinity. That is why you need a gold-plated vacuum cleaner with electronic control circuitry. Additionally, highly compressed and crystalline carbon may also be useful to add along the tube to curb re-emission.

    2. Anonymous Coward
      Anonymous Coward

      Re: I Knew it

      At least the 1s tend to stay put on the floor. The 0s bounce and roll around everywhere.

      1. John Brown (no body) Silver badge

        Re: I Knew it

        That's why there should be a bit bucket by every desk! Unfortunately, due to recycling and waste reduction policies, most facilities managers seem to think there will be less waste if the bins are 30 feet or more from the desk in a central location so most people let the spare bits pile up on the floor.

    3. Fruit and Nutcase Silver badge

      Re: I Knew it WAS Mordechai !!!

      Or had a fair guess this originated from him when I saw the summary on the home page.

    4. Aussie Doc Bronze badge
      Joke

      Re: I Knew it

      That's why I used to tell my customers if the cable becomes unplugged, make sure you hold the end up higher than the desk or all the data falls out.

      You can see the data if you look closely - they come in their own little packets to help stop the spillage.

  17. Ceyarrecks

    Easy Fix,...

    Just drape a few hundred feet/meters of (unshielded) UTP around the walls of the server room with a dummy PC continuously transferring/playing a superfluous file (Never Going to Give You Up?) to another dummy PC, both connected to an isolated switch. Thus one has misdirection, and built-in offense for anyone who would go through the effort. ALL other cables remain [SHIELDED] STP. For extra credit, if in pre-planning for a server room, how about aluminum-dust-imbued paint?

  18. martinusher Silver badge

    It's not just the cables

    From the measurements I've done typical RJ45 connectors are also a weak link.

    I should ask the Israeli researcher whether they've heard of 'TEMPEST'. Information leakage through informal device emissions has been known about for decades and there are numerous products and techniques to help reduce the problem. It's really a matter of trading off how important the information is to you versus how much money and effort you want to spend on preventing its leakage.

  19. FordPrefect

    So an attacker would have to get physical access to your environment, locate the actual cable (and I'm guessing isolate it enough from other cables so there wouldn't be too much interference), then slow your traffic to a crawl, and force you to use unencrypted UDP traffic. Given that pretty much everyone secures their locations these days anyway, and if they hadn't you could easily slip in a network tap, and if you had physical access there is a whole load of other things you could do that would be far more efficient and effective, I won't lose much sleep over this one. It's kinda cool and it's very novel but I can't see it overtaking ransomware as the top threat for CIOs and being added to the CISSP/CISM course material anytime soon.

    Oh and realistically how much traffic these days actually flows over a network unencrypted anyway? Even browsing static web pages has moved over to TLS secured now for the most part.

  20. Drone Pilot

    I've been securing against this for years!

    I practice a security technique called STOCC or Security Through Outstanding Cable Chaos in my server room.

    My boss called my messy server room cabling untidy, but I knew all along it was one of my many security layers.

  21. Marco van Beek

    Not exactly rocket science..

    Not sure why this is news. The MI5 building has special window tinting to prevent electronic snooping and grounded copper piping so that the water cannot be used to rebroadcast signals.

    Point is we should be using transport level encryption everywhere already.

    On a second note, while an Ethernet cable with nothing plugged in to it does make an excellent aerial, any decent switch should have turned the port off, so while you might get some low level noise leaking onto it, there is unlikely to be much readable traffic.

    As far as sticking something around a cable, you do it behind the patch panel, right by where the shielding has been cut short. That way you can wrap it around just the cable you want. I personally would build a device with two inductive loops, one for transmit and one for receive. You also only stick it around one of the cables of the loop as otherwise the signal will be largely cancelled out.

    1. arachnoid2 Bronze badge

      Re: Not exactly rocket science..

      Replace the cable termination with one specially built with internal electronics that sniff the data.

      1. Marco van Beek

        Re: Not exactly rocket science..

        Or make it look like a POE injector box, and then you can get away with powering it as well.

        The key bit is getting the data you want, and not the cable to the coffee pot monitoring device.

        Enough broad spectrum noise and any useful signal is swamped.

        Maybe set up a welding station in the server room just in case…

  22. Auntie Dix

    What's Old is New

    More than 30 years ago (back in the days of 10Mbps networks), a coworker tuned a radio to 10MHz and then used FTP to send audio files (music) across the network. The radio was able to pick up the packets and play the music.

  23. A random security guy Bronze badge

    Shielded ethernet cables are rare except in factories and other similar environments

    I think I have come across only one instance where shielded cables were used. Otherwise it is all twisted pairs. For shielding to work properly, you have to ground it. The plastic RJ-45 connectors are not grounds.

    And yes, I do make my own cables to length and have for more than 20 years. You need special connectors to help ground the shield, if present.

  24. OculusMentis

    Time to switch to fiber…

    Who wants copper anymore.

  25. Lorribot Silver badge

    to all those naysayers.....

    This has been a thing since as long as I can remember and why many MoD establishments had fibre to the desktop even when 10Mb was the norm.

    You only need to attach this to one desktop lead in to a floorbox and get one person's credential, you can then connect to corporate WiFi using a device of your choice if the company does enforce certificates or a desktop if one is lying around and elevate and move laterally through systems.

    Planting this just requires physical access, a cleaner could easily do it on a suitable desktop without raising suspicion.

    This just shows how cheap surveillance has become and how easy it is to hack in to stuff.

    1. Anonymous Coward
      Anonymous Coward

      Re: to all those naysayers.....

      If they can go that far, why not just attack the endpoint, which should be able to work even on fiber?

  26. Clausewitz 4.0
    Devil

    Concrete

    That's why serious organizations are made of thick concrete walls with heavy-guys-grade jammers around it.

  27. Sparkus Bronze badge

    so-called security researcher...

    recycles all too common security and EE knowledge from 40 years ago, claims originality, convinces ill-educated media and press to run his research, gains profit.

    Next week, the re-discovery of the wheel and fire.

  28. heyrick Silver badge

    "His experimental technique consisted of slowing UDP packet transmissions over the target cable to a very low speed and then transmitting single letters of the alphabet."

    Ah, in other words it's demonstrating what every child knows - that electricity through a bit of wire radiates a (small) signal.

    Now let's see how effective it is with a broadband router, one person sending secret messages while his kids watch Netflix on two separate devices all with gigabit Ethernet.

    [bonus points if his daughter is using a tablet, that's already spewing everything at a known frequency]

  29. fredesmite2
    Mushroom

    a wire with energy running through it

    ..

    sounds like an antenna to me !!!

  30. fredesmite2

    If you want a secure computer

    unplug all the network connections ..


Biting the hand that feeds IT © 1998–2021