Smartphone gyroscopes threaten air-gapped systems, researcher finds

An Israeli security researcher known for foiling air gap security measures has published a reminder of just how vulnerable the approaches are to both visual and ultrasonic threats.  A pair of preprint papers from Mordechai Guri, head of R&D at Ben-Gurion University's Cyber Security Research Labs, detail new methods for …

  1. DS999 Silver badge

    Accessing gyroscope from a browser

    Chrome is the only browser that supports something that stupid. Safari and Firefox have correctly refused to support that spec, and other stupidities like giving the browser direct access to connected USB devices, because they actually care about security a little bit.

    1. JassMan

      Re: Accessing gyroscope from a browser

      Yeah, but the air-gapped system is not the phone. Ergo it is not going to be running ANY browser, otherwise by definition it is not air-gapped. Phones which run apps which have access to the gyroscope etc. are the exfiltration device and as such are under the control of the baddy and can run any software said baddy desires; it doesn't have to be a browser. The tricky bit for all the exploits discussed in the article is getting software onto the secure computer which subverts network LEDs or makes the PSU "sing".

      1. DS999 Silver badge

        Re: Accessing gyroscope from a browser

        Read the article. Phones are the RECEIVER for the information from an air gapped device, but if you want to commit corporate espionage you probably can't bring any random phone into an area with an air gapped device. You might however be able to bring a corporate issued phone into that area. You can't install a random app on that phone, but the browser is already there so if it allows access to the MEMS hardware then bingo you have a receiver for the covert channel from the air gapped device.

        The phone doesn't need to be networked at the time (i.e. if the air-gapped device is in a Faraday cage); it would run a previously downloaded JavaScript program to collect the data, which can be downloaded later.

        1. teknopaul

          Re: Accessing gyroscope from a browser

          All this stuff is very sci-fi but total nonsense; no one is ever going to get a remote exec over LAN LEDs. Exfiltration of data via all these funky tricks requires code on both devices and, being air-gapped, it's pretty hard to get code on, and if it isn't, that's the security issue.

          Most computers have a monitor which works fine for this.

          You could invent a new channel every day. IMHO we should stop dedicating column inches to this guy's latest. It's too easy for dumb folk to misinterpret the risk when reading articles.

          Most users don't even have root on their own device with gyroscopes, they have no idea at all what code is running or if the camera and mic are on and streaming data to Apple or Google.

          1. Jimmy2Cows Silver badge

            Re: Accessing gyroscope from a browser

            Wow, who peed on your cornflakes this morning?

        2. JassMan

          Re: Accessing gyroscope from a browser @ds999

          "Read the article. Phones are the RECEIVER for the information"

          I did read the article. The point I was making is that, no matter who is carrying the "receiver" as you call it, it makes no difference what the baddies are carrying if they haven't had prior access to the air-gapped computer from which they are trying to exfiltrate information. The air-gapped computer will not have any browser and its LEDs are not going to start spontaneously leaking any information of any description, never mind what software it is running.

          1. Anonymous Coward

            Re: Accessing gyroscope from a browser @ds999

            > if they haven't had prior access to the air-gapped computer from which they are trying to exfiltrate information

            Remember, of course, that that prior access may have been in the factory - or the supplier's premises - before it went into its air-gapped location. The Ethernet port LEDs just need to blink convincingly to look normal while it is being installed.

            (And yes, I'm well aware that if someone has access to the PC while at the supplier's then there are any number of other bugs that could be installed with far higher data transfer rates, but this story is about misuse of Ethernet port LEDs.)

            1. J.G.Harston Silver badge

              Re: Accessing gyroscope from a browser @ds999

              Read up on "The Thing" in the US embassy in Moscow. An elaborate wooden carving given to the ambassador as a gift from the Soviets which concealed a passive radiator that changed characteristics in line with the ambient sound, and modified a radio carrier transmitted from outside the premises. Once you have infiltrated the system by supplying its components, all you need to do is sit passively outside and listen.

  2. anthonyhegedus Silver badge

    Maybe that's how my phone can hear me talk about something and then give me adverts about it.

    1. druck Silver badge

      No, that will be the microphone; it's far easier.

      Review your app permissions!

      1. elsergiovolador Silver badge

        Permissions are for the apps...

    2. Hubert Cumberdale Silver badge

      Weirder still: I don't even have a smartphone, and I still seem to get ads on my desktop for things I've talked about in an open park while sitting on a bench inconspicuously feeding the ducks while wearing a trenchcoat, dark glasses, and a trilby. Surely they should know I've already bought the microfilm so I don't need another one.

      1. iron

        You see ads on your desktop? What are those like? Do they still do hit the monkey?

        Seriously dude get an ad blocker.

        1. Hubert Cumberdale Silver badge

          (I'm not sure if you noticed, but there was just a hint of humour involved in that post.)

      2. Emir Al Weeq

        Isn't it obvious?

        That spa weekend you did? You were hypnotised and now your secrets are encoded into the rate at which you throw the bread.

        1. EVP

          It’s the ducks

          The ducks, not the throwing rate. They code it into their eating rate, little variances in it. Very efficient.

          Evil informants them ducks are. Haven’t you ever noticed the mean look in their eyes? I think they’re coming for me soon.


  3. Anonymous Coward

    Let me see....

    .....an Android gyro detects some typing less than eight metres away.....

    .....and this is described as "an attack".......

    Please!!! The attackee sees some unknown someone with a smartphone less than twenty five feet away....when the attackee is typing something VERY SENSITIVE...

    Air-gapped....Yes!

    Eight bits per second (or in other language, one byte per second).....so a megabyte in say 2000 hours!!!

    Plausible....I'll let you decide....

    1. druck Silver badge

      Re: Let me see....

      Many attackers infiltrate a system and remain undetected for months, during which a significant amount of data can be exfiltrated by slow methods.

      1. Anonymous Coward

        Re: Let me see....

        Bulk data exfiltration isn't much of a threat with this one, but it is one of many ways to extend a trigger or C&C to a compromised but isolated system.

        Say you used a supply chain attack to install a modified Gas Chromatograph or Mass Spec in your target's lab. It's coded to flag certain traces (something something hexafluoride perhaps?) and try to exfiltrate its alert. That is where ultra low bitrate channels come into play. Perhaps that alert then trips another isolated system, say to remove speed limiting safeties, or hard dump power to gear that has a poor reaction to mid-process outages...

        You can do plenty with a few bits even when you can't shift copies of War and Peace around.

      2. stiine Silver badge

        Re: Let me see....

        Why would they need to continue using the slow exfiltration method once they had enough information to use one faster?

      3. Dagg Silver badge

        Re: Let me see....

        Morse code used in the 2nd world war was about 10 words per minute but it was the quality of the information NOT the volume that was important.

    2. elsergiovolador Silver badge

      Re: Let me see....

      Sometimes all you need to know is a safe word.

      1. Hubert Cumberdale Silver badge

        Re: Let me see....

        I can tell you from experience that remembering the safeword is very important.

  4. Anonymous Coward

    > someone needs to test the most improbable of attacks to see if they work before someone less scrupulous figures them out

    From the examples given in the article both parties work for the same side though.

  5. Anonymous Coward

    Air gaps are all about physical security

    Most of this research (which I love for the lateral thinking involved) is exploiting the idea that the air-gapped system isn't well isolated. This is why actual high security air-gapped systems tend to be behind security checkpoints, in access-controlled rooms, etc. The Gov has had setup guides and rulebooks for physical security for several human generations, and handles much stealthier and higher tech attacks than these. If you didn't perform the physical hardening and isolation, you have an air-gap in name only.

    While these attacks are an entertaining novelty, they aren't getting out of a properly configured SCIF. They do help highlight the multitude of ways generic PC and phone hardware make that process a nightmare. But using the PC speaker is old hat, and people have already done stuff over similar ranges using the ultrasonic whine of the transistors on the logic boards. People did TEMPEST attacks in the pre-cell phone era. They figured out a long time ago that if you wanted to keep a computer secure you should probably start by parking it in a sealed and windowless room, with access controls, behind a security checkpoint.

    1. elsergiovolador Silver badge

      Re: Air gaps are all about physical security

      If the most secure system is accessed by a human, then all you really need is to know by whom and a £5 wrench.

      1. Zarno

        Re: Air gaps are all about physical security

        Other options you could go with:

        ~2m of 16mm heater hose

        A wet beach towel

        A sack of oranges

        Old C-SPAN footage of a filibuster, played at 2X and looped

        A particularly cheesed off cat

        1. Fruit and Nutcase Silver badge

          Re: Air gaps are all about physical security

          What about...

          Wet celery

          A Flying Helmet

          An Egg whisk

          icon --> Michelle gets her coat

      2. Hubert Cumberdale Silver badge

        Re: Air gaps are all about physical security

        (someone's bound to post this, it might as well be me)

        1. Allan George Dyer

          Re: Air gaps are all about physical security

          You beat me to it.

    2. Anonymous Coward

      Re: Air gaps are all about physical security

      "They figured out a long time ago that if you wanted to keep a computer secure you should probably start by parking it in a sealed and windowless room"....

      Yet you still find ultra top secret docs in leather cases in a Mar-a-Lago catering supplies closet, under the control of a Russian asset....

      Security is only as good as the tainted people who run it.

      You see how Republicans started out defending "a few mementos, a few press clippings Trump took" and the story changed and changed and got worse and worse. Each time, they simply shifted their position to defend it, digging themselves a little deeper into the Trump butt hole. In a few weeks it will be clear that he stole the most critical secrets of the US, and was hawking them to American adversaries, and Republicans will be so deep down that hole already, they have to defend even that.

      SCIF, guards, secure, air gap.....

      Becomes Masterlock, secret cubbyhole, basement....

      Why plant a gyroscope based surveillance device, when you can donate a few million and your puppet will simply declassify and hand you the documents you seek?

      1. Cliffwilliams44 Silver badge

        Re: Air gaps are all about physical security

        They also found top secret documents in Sandy Berger's pants and Hillary Clinton's private server yet none of those people went to jail!

        BTW: The President does not pack up his stuff when leaving the White House, that is done by the GSA!

        Nice try though!

      2. SammyB

        Re: Air gaps are all about physical security

        Your TDS is showing.

    3. iron

      Re: Air gaps are all about physical security

      I'm pretty sure the exfiltration of data via das blinkenlights (NIC LEDs) has been known for at least two decades despite the author and researcher claiming they "not been studied before, theoretically or technically."

      I knew about that attack vector 2 decades ago so I'd hope security people knew about it at least a decade before that.

      1. Swarthy

        Re: Air gaps are all about physical security

        Blinkenlights exfiltration has been done - a lot. The twist on this is NIC blinkenlights, which haven't been bothered with, because the NIC is usually at the back of the machine, and hard to surreptitiously monitor; also, you have actual network traffic that will pollute the data stream, or the machine is unplugged (actual air-gap, not just an air-gapped network), so no lights to blink.

    4. John Brown (no body) Silver badge

      Re: Air gaps are all about physical security

      Upvoted, but I think the point is the trickle down effect. Previously, esoteric hacking or data exfiltration of highly secured and air-gapped systems was something for government agencies to worry about or apply themselves.

      But it's becoming easier for less sophisticated hackers to use in less suspecting environments so people or organisations that previously weren't valuable enough to invest in that supa-sekrit high level of effort to hack are now starting to become worthwhile targets in terms of time/money investment.

  6. Jason Bloomberg Silver badge

    Gyroscopes can be "used by many types of applications ... and users may approve their access without suspicion"

    So, the scenario is: you need to not only trick the attacked into installing something which covertly emits sound but you also need to trick someone into becoming the attacker to covertly pick up those sounds, and then have them both in the same room.

    I'm not sure how long they can keep flogging this one-trick pony until it is completely dead.

    1. NoneSuch Silver badge

      Think it through.

      "So, the scenario is; you need to not only trick the attacked into installing something which covertly emits sound but you also need to trick someone into becoming the attacker to covertly pick up those sounds, and then have them both in the same room."

      Amazon shopping App on phone

      Amazon Alexa in your living room

      Done.

      1. Paul Crawford Silver badge

        Re: Think it through.

        If you have Amazon products in or near any secure system you are completely fscked...

        1. TRT Silver badge

          Re: Think it through.

          Delicious thoughts of Amazon eavesdropping on themselves and not realising it; eventually the snake swallows itself whole from the tail upwards.

    2. Graham Cobb

      If you want to defend you need to understand the value of what you are defending, the potential attackers and the weaknesses.

      Just because the attacks you need to defend from do not include (or you are unimaginative enough to miss) a friendly person/device in the same room having been corrupted (knowingly or unknowingly) does not make research on that scenario unnecessary.

      In addition, it is vital to understand what are the constraints attackers will suffer - if you need to protect something where the value is a large amount of data then you might choose to ignore attacks with extremely low data rates. But you need to be able to document and explain why you are ignoring them and this sort of research is vital for that. Someone else, where the attack is not in the data itself but in choosing when something happens, say, may need to defend against exactly the attack you have the luxury of ignoring.

  7. Anonymous Coward

    A while back, an engineer friend was designing some data communications gear for the military. He was showing me the schematics and asking for my opinion on his design. My "day" job is in cybersecurity, but he farms out the occasional side project to me when he gets really busy.

    I looked at the part of the circuit where he had a few LEDs. I asked about them, and he said that the client wanted some LEDs to show data activity. He just connected the LEDs through a buffer, directly to the transmit and receive data signals. I told him "wow, all someone needs to eavesdrop on the communications is a simple phototransistor". I went on "with a telephoto lens, it could even be done from a distance". That's when the oh, sh** moment hit him. I told him to at least put a one-shot device on the LED signal with long on-time. Engineers don't often think like an attacker.
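The design flaw and the one-shot fix described in the post above, as an added toy model (not code from the commenter or any real product): it assumes UART-style LSB-first serialisation, an observer that samples the LED once per bit period, and a constructed hold time of 32 bit periods; the fixed-rate blink variant models what a later reply in the thread describes.

```python
# Added toy model (not from the original post): an activity LED buffered straight
# off the serial TX line versus one fed through a retriggerable one-shot, or
# blinking at a fixed rate. Serialisation, sampling and timing are assumptions.
from typing import List

HOLD = 32  # constructed one-shot on-time, in bit periods ("long on-time")


def bytes_to_bits(data: bytes) -> List[int]:
    """Serialise bytes LSB-first, the way a UART shifts them onto the line."""
    return [(byte >> i) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits: List[int]) -> bytes:
    """What an observer sampling the LED once per bit period would reassemble."""
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        out.append(sum(bit << j for j, bit in enumerate(bits[i:i + 8])))
    return bytes(out)


def led_direct(bits: List[int]) -> List[int]:
    """Flawed design from the post: LED driven through a buffer by the data
    signal itself, so its state in every bit period equals the data bit."""
    return list(bits)


def led_one_shot(bits: List[int], hold: int) -> List[int]:
    """Suggested fix: a retriggerable monostable between line and LED.
    Each '1' restarts a timer and the LED stays lit for `hold` bit periods,
    so individual bits inside the window are no longer visible."""
    out, remaining = [], 0
    for bit in bits:
        if bit:
            remaining = hold
        out.append(1 if remaining > 0 else 0)
        if remaining > 0:
            remaining -= 1
    return out


def led_fixed_blink(bits: List[int], hold: int, half_period: int) -> List[int]:
    """Variant mentioned further down the thread: while the one-shot reports
    activity, blink at a fixed rate that is unrelated to the data content."""
    active = led_one_shot(bits, hold)
    return [int(a and (t // half_period) % 2 == 0) for t, a in enumerate(active)]


def observe(data: bytes) -> dict:
    """Run one payload through all three LED drivers and return what a
    phototransistor sampling at the bit rate would reconstruct from each."""
    bits = bytes_to_bits(data)
    return {
        "direct": bits_to_bytes(led_direct(bits)),
        "one_shot": bits_to_bytes(led_one_shot(bits, HOLD)),
        "fixed_blink": bits_to_bytes(led_fixed_blink(bits, HOLD, 4)),
    }


if __name__ == "__main__":
    for design, seen in observe(b"HELLO").items():  # constructed sample payload
        print(f"{design:12s} observer reads {seen!r}")
```

A one-shot whose on-time is only one bit period degenerates to the raw line (the test checks this), which is why the post insists on a long on-time.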

    1. Doctor Syntax Silver badge

      "Engineers don't often think like an attacker."

      Neither do clients: "the client wanted some LEDs to show data activity".

    2. John D'oh!

      I'm pretty sure I read about this very thing on the reg over 20 years ago. I thought it was well known and that is why the LEDs just blink on and off and aren't driven by the actual data signal.

    3. Totally not a Cylon

      That is why when a client requests 'blinking lights' you use flashing LEDs, see BigClive supercomputer projects.....

      The real status LEDs are hidden and only enabled by a keyswitch.

  8. Natalie Gritpants Jr

    Here's how to overwhelm the receiver

    Garage rock from the noughties

    Flashing lights and laser beams

    People dancing like a robot from 1984

    Think I'm in my happy place.

    1. that one in the corner Silver badge

      Re: Here's how to overwhelm the receiver

      When asked why the Intelligence Agencies were unable to locate such a well-known suspect, the spokesman replied, and I quote, "We wuzz all mellow, the joint wuzz jumping, the sounds wuzz pumping" before blowing a whistle loudly in my ear. Later, a Ministry Aide threw shapes during PM's Question Time.

  9. Mike 137 Silver badge

    The elephant in the air gap

    The common factor is that the exfiltration relies on the data source (the 'air gapped' computer) being already compromised. That seems to me to be a rather fundamental issue.

    1. Jimmy2Cows Silver badge

      Re: The elephant in the air gap

      Yes, they do raise the question of how said computer is exploited in the first place.

      If data can't be exfiltrated by conventional means (e.g. no data ports, no external drives, no CD/DVD drive, no network card, locked computer chassis etc.) then even if the attacker is physically stood in front of the thing, how do they get the exploit onto it?

      1. Graham Cobb

        Re: The elephant in the air gap

        Many "air-gapped" systems have some of: data ports, external drives, CD/DVD drive, network card, unlocked computer chassis. All that is meant by "air gapped" is that remote access is not possible, not that the systems can never be connected to anything else by people on site.

        IIRC the Stuxnet intrusion was believed to have happened through service engineers' systems being compromised (back at base) and then brought into the secure area and connected to the air-gapped control computers for maintenance activity.

        Presumably Stuxnet has led to many improvements in security, but I still think it is unlikely SCADA systems are never connected to other devices for maintenance purposes.

  10. Flyover Country

    This PROBABLY applies (primarily) to corporate and not DoD facilities

    USA-centric, but I've not been in a facility dedicated to intelligence (military) where cell phones were permitted. Things may have changed as I'm old and it's been a couple of years. We had research facilities with access to TS, but typically in their dedicated SCIF(s).

  11. henryd

    Stuxnet. Israel

    Why is the Stuxnet virus reported as being US/Israeli as a matter of fact? Nothing has been proved and so far it is just a wild guess.

    While I would like it to be true, that doesn’t make it so.

    Very shoddy writing.

  12. xtam667

    If one cares enough to air-gap their systems, surely they put those systems in places from which neither sound nor light leaks. Who has seen air-gapped systems in real life against which threats like this were plausible?
