back to article Smartphone gyroscopes threaten air-gapped systems, researcher finds

An Israeli security researcher known for foiling air gap security measures has published a reminder of just how vulnerable the approaches are to both visual and ultrasonic threats.  A pair of preprint papers from Mordechai Guri, head of R&D at Ben-Gurion University's Cyber Security Research Labs, detail new methods for …

  1. DS999 Silver badge

    Accessing gyroscope from a browser

    Chrome is the only browser that supports something that stupid. Safari and Firefox have correctly refused to support that spec, and other stupidities like giving the browser direct access to connected USB devices, because they actually care about security a little bit.

    1. JassMan

      Re: Accessing gyroscope from a browser

      Yeah but the airgapped system is not the phone. Ergo it is not going to be running ANY browser otherwise by definition it is not airgapped. Phones which run apps which have access to the gyroscope etc are the exfiltration device and as such are under the control of the baddy and can run any software said baddy desires, it doesn't have to be a browser. The tricky bit for all the exploits discussed in the article is getting software onto the secure computer which subverts network leds or makes the PSU "sing".

      1. DS999 Silver badge

        Re: Accessing gyroscope from a browser

        Read the article. Phones are the RECEIVER for the information from an air gapped device, but if you want to commit corporate espionage you probably can't bring any random phone into an area with an air gapped device. You might however be able to bring a corporate issued phone into that area. You can't install a random app on that phone, but the browser is already there so if it allows access to the MEMS hardware then bingo you have a receiver for the covert channel from the air gapped device.

        The phone doesn't need to be networked at the time (i.e. if the air gapped device is in a Faraday cage) it would run a previously downloaded Javascript program to collect the data, which can be downloaded later.

        1. teknopaul

          Re: Accessing gyroscope from a browser

          All this stuff is very sci-fi but total nonsense no one is ever going to get a remote exec over Lan leds. Exfiltration of data via ll these funky tricks requires code on both devices and, being airgapped, it's pretty hard to get code on, and if it isn't that's the security issue.

          Most computers have a monitor which works fine for this.

          You could invent a new channel every day, IMHO we should stop dedicating column inches to this guys latest. It too easy for dumb folk to misinterpret the risk when reading articles.

          Most users don't even have root on their own device with gyroscopes, they have no idea at all what code is running or if the camera and mic are on and streaming data to Apple or Google.

          1. Jimmy2Cows Silver badge

            Re: Accessing gyroscope from a browser

            Wow, who pee'd on your cornflakes this morning?

        2. JassMan

          Re: Accessing gyroscope from a browser @ds999

          "Read the article. Phones are the RECEIVER for the information"

          I did read the article. The point I was making that no matter who is carrying the "receiver" as you call it, It makes no difference what the baddies are carrying if they haven't had prior access to the air-gapped computer from which they are trying to exfiltrate information. The air-gapped computer will not have any browser and its leds are not going to start spontaneously leaking any information of any description, never mind what software it is running.

          1. Anonymous Coward
            Anonymous Coward

            Re: Accessing gyroscope from a browser @ds999

            > if they haven't had prior access to the air-gapped computer from which they are trying to exfiltrate information

            Remember, of course, that that prior access may have been in the factory - or the supplier's premises - before it went into its air-gapped location. The Ethernet port LEDs just need to blink convincingly to look normal while it is being installed.

            (And yes, I'm well aware that if someone has access to the PC while at the supplier's then there are any number of other bugs that could be installed with far higher data transfer rates, but this story is about misuse of Ethernet port LEDs.)

            1. J.G.Harston Silver badge

              Re: Accessing gyroscope from a browser @ds999

              Read up on "The Thing" in the US embassy in Moscow. An elaborate wooden carving given to the ambassador as a gift from the Soviets which concealed a passive radiator that changed characteristics in line with the ambient sound, and modified a radio carrier transmitted from outside the premises. Once you have infiltrated the system by supplying its components, all you need to to sit passively outside and listen.

  2. anthonyhegedus Silver badge

    Maybe that's how my phone can hear me talk about something and then give me adverts about it.

    1. druck Silver badge

      No, that will be the microphone, its far easier.

      Review your app permissions!

      1. elsergiovolador Silver badge

        Permissions are for the apps...

    2. Hubert Cumberdale Silver badge
      Black Helicopters

      Weirder still: I don't even have a smartphone, and I still seem to get ads on my desktop for things I've talked about in an open park while sitting on a bench inconspicuously feeding the ducks while wearing a trenchcoat, dark glasses, and a trilby. Surely they should know I've already bought the microfilm so I don't need another one.

      1. iron Silver badge

        You see ads on your desktop? What are those like? Do they still do hit the monkey?

        Seriously dude get an ad blocker.

        1. Hubert Cumberdale Silver badge

          (I'm not sure if you noticed, but there was just a hint of humour involved in that post.)

      2. Emir Al Weeq

        Isn't it obvious?

        That spa weekend you did? You were hypnotised and now your secrets are encoded into the rate at which you throw the bread.

        1. EVP

          It’s the ducks

          The ducks, not the throwing rate. They code it into their eating rate, little variances in it. Very efficient.

          Evil informants them ducks are. Haven’t you ever noticed the mean look in their eyes? I think they coming for me soon.

      3. This post has been deleted by its author

  3. Anonymous Coward
    Anonymous Coward

    Let me see.... Android gyro detects some typing less than eight metres away.....

    .....and this is described as "an attack".......

    Please!!! The attackee sees some unknown someone with a smartphone less than twenty five feet away....when the attackee is typing something VERY SENSITIVE...


    Eight bits per second (or in other language, one byte per second) a megabyte in say 2000 hours!!!

    Plausible....I'll let you decide....

    1. druck Silver badge

      Re: Let me see....

      Many attachers infiltrate a system and remain undetected for months, during which significant amount of data can be exfiltrated by slow methods.

      1. Anonymous Coward
        Anonymous Coward

        Re: Let me see....

        Bulk data exfiltration isn't much of a threat with this one, but it is one of many ways to extend a trigger or C&C to a compromised but isolated system.

        Say you used a supply chain attack to install a modified Gas Chromatograph or Mass Spec in your targets lab. It's coded to flag certain traces (something something Hexaflouride perhaps?) and try to exfiltrate it's alert. That is where ultra low bitrate channels come into play. Perhaps that alert then trips another isolated system, say to remove speed limiting safeties, or hard dump power to gear that has a poor reaction to mid-process outages...

        You can do plenty with a few bits even when you can't shift copies of war and peace around.

      2. stiine Silver badge

        Re: Let me see....

        Why would they need to continue using the slow exfiltration method once they had enough information to use one faster?

      3. Dagg Silver badge

        Re: Let me see....

        Morse code used in the 2nd world war was about 10 words per minute but it was the quality of the information NOT the volume that was important.

    2. elsergiovolador Silver badge

      Re: Let me see....

      Sometimes all you need to know is a safe word.

      1. Hubert Cumberdale Silver badge

        Re: Let me see....

        I can tell you from experience that remembering the safeword is very important.

  4. Anonymous Coward
    Anonymous Coward

    > someone needs to test the most improbable of attacks to see if they work before someone less scrupulous figures them out

    From the examples given in the article both parties work for the same side though.

  5. Anonymous Coward
    Anonymous Coward

    Air gaps are all about physical security

    Most of this research(which I love for the lateral thinking involved) is exploiting the idea that the air gapped system isn't well isolated. This is why actual high security air gapped systems end to be behind security checkpoints, in access controled rooms, etc. The Gov had setup guides and rulebooks for physical security for several human generations, and handle much stealthier and higher tech attacks than these. If you didn't perform the physical hardening and isolation, you have an air-gap in name only.

    While these attacks are an entertaining novelty, they aren't getting out of a properly configured SCIF. They do help highlight the multitude of ways generic PC and phone hardware make that process a nightmare. But using the pc speaker is old hat, and people have already done stuff over similar ranges using the ultrasonic whine of the transistors on the logic boards. People did TEMPEST attacks in the pre-cell phone era. They figured out a long time ago that if you wanted to keep a computer secure you should probably start by parking it in a sealed and windowless room, with access controls, behind a security checkpoint.

    1. elsergiovolador Silver badge

      Re: Air gaps are all about physical security

      If the most secure system is accessed by a human, then all you really need is to know by whom and a £5 wrench.

      1. Zarno

        Re: Air gaps are all about physical security

        Other options you could go with:

        ~2m of 16mm heater hose

        A wet beach towel

        A sack of oranges

        Old C-SPAN footage of a filibuster, played at 2X and looped

        A particularly cheesed off cat

        1. Fruit and Nutcase Silver badge

          Re: Air gaps are all about physical security

          What about...

          Wet celery

          A Flying Helmet

          An Egg whisk

          icon --> Michelle gets her coat

      2. Hubert Cumberdale Silver badge

        Re: Air gaps are all about physical security

        (someone's bound to post this, it might as well be me)

        1. Allan George Dyer

          Re: Air gaps are all about physical security

          You beat me to it.

    2. Anonymous Coward
      Anonymous Coward

      Re: Air gaps are all about physical security

      "They figured out a long time ago that if you wanted to keep a computer secure you should probably start by parking it in a sealed and windowless room"....

      Yet you still find ultra top secret docs in leather cases in a Mar a Largo catering supplies closet, under the control of a Russia asset....

      Security is only as good as the tainted people who run it.

      You see how Republicans started out defending "a few momentos, a few press clippings Trump took" and the story changed and changed and got worse and worse. Each time, they simply shifted their position to defend it, digging themselves a little deeper into the Trump butt hole. In a few weeks it will be clear, that he stole the most critical secrets of the US, and was hawking them to American adverseries, and Republicans will be so deep down that hole already, they have to defend even that.

      SCIF, guards, secure, air gap.....

      Becomes Masterlock, secret cubbyhole, basement....

      Why plant a gyroscope based surveillance device, when you can donate a few million and your puppet will simply declassify and hand you the documents you seek?

      1. Cliffwilliams44 Silver badge

        Re: Air gaps are all about physical security

        The also found top secret documents in Sandy Berger's pants and Hillary Clinton's private server yet none of those people went to jail!

        BTW: The President does not pack up his stuff when leaving the white house, that is done by the GSA!

        Nice try though!

      2. SammyB

        Re: Air gaps are all about physical security

        Your TDS is showing.

    3. iron Silver badge

      Re: Air gaps are all about physical security

      I'm pretty sure the exfiltration of data via das blinkenlights (NIC LEDs) has been known for at least two decades despite the author and researcher claiming they "not been studied before, theoretically or technically."

      I knew about that attack vector 2 decades ago so I'd hope security people knew about it at least a decade before that.

      1. Swarthy

        Re: Air gaps are all about physical security

        Blinkenlights exfiltration has been done - a lot. The twist on this is NIC blinkenlights, which haven't been bothered with, because the NIC is usually at the back of the machine, and hard to surreptitiously monitor; also, you have actual network traffic that will pollute the data stream, or the machine is unplugged (actual air-gap, not just an air-gapped network), so no lights to blink.

    4. John Brown (no body) Silver badge

      Re: Air gaps are all about physical security

      Upvoted, but I think the point is the trickle down effect. Previously, esoteric hacking or data exfiltration of highly secured and air-gapped systems was something for government agencies to worry about or apply themselves.

      But it's becoming easier for less sophisticated hackers to use in less suspecting environments so people or organisations that previously weren't valuable enough to invest in that supa-sekrit high level of effort to hack are now starting to become worthwhile targets in terms of time/money investment.

  6. Jason Bloomberg Silver badge

    Gyroscopes can be "used by many types of applications ... and users may approve their access without suspicion"

    So, the scenario is; you need to not only trick the attacked into installing something which covertly emits sound but you also need to trick someone into becoming the attacker to covertly pick up those sounds, and then have them both in the same room.

    I'm not sure how long they can keep flogging this one-trick pony until it is completely dead.

    1. NoneSuch Silver badge

      Think it through.

      "So, the scenario is; you need to not only trick the attacked into installing something which covertly emits sound but you also need to trick someone into becoming the attacker to covertly pick up those sounds, and then have them both in the same room."

      Amazon shopping App on phone

      Amazon Alexa in your living room


      1. Paul Crawford Silver badge

        Re: Think it through.

        If you have Amazon products in or near any secure system you are completely fscked...

        1. TRT Silver badge

          Re: Think it through.

          Delicious thoughts of Amazon eavesdropping on themselves and not realising it; eventually the snake swallows itself whole from the tail upwards.

    2. Graham Cobb Silver badge

      If you want to defend you need to understand the value of what you are defending, the potential attackers and the weaknesses.

      Just because the attacks you need to defend from do not include (or you are unimaginative enough to miss) a friendly person/device in the same room having been corrupted (knowingly or unknowingly) does not make research on that scenario unnecessary.

      In addition, it is vital to understand what are the constraints attackers will suffer - if you need to protect something where the value is a large amount of data then you might choose to ignore attacks with extremely low data rates. But you need to be able to document and explain why you are ignoring them and this sort of research is vital for that. Someone else, where the attack is not in the data itself but in choosing when something happens, say, may need to defend against exactly the attack you have the luxury of ignoring.

  7. Anonymous Coward
    Anonymous Coward

    A while back, an engineer friend was designing some data communications gear for the military. He was showing me the schematics and asking for my opinion on his design. My "day" job is in cybersecurity, but he farms out the occasional side project to me when he gets really busy.

    I looked at the part of the circuit where he had a few LEDs. I asked about them, and he said that the client wanted some LEDs to show data activity. He just connected the LEDs through a buffer, directly to the transmit and receive data signals. I told him "wow, all someone needs to eavesdrop on the communications is a simple phototransistor". I went on "with a telephoto lens, it could even be done from a distance". That's when the oh, sh** moment hit him. I told him to at least put a one-shot device on the LED signal with long on-time. Engineers don't often think like an attacker.

    1. Doctor Syntax Silver badge

      "Engineers don't often think like an attacker."

      Neither do clients: "the client wanted some LEDs to show data activity".

    2. John D'oh!

      I'm pretty sure I read about this very thing on the reg over 20 years ago. I thought it was well known and that is why the LEDs just blink on and off and aren't driven by the actual data signal.

    3. Totally not a Cylon

      That is why when a client requests 'blinking lights' you use flashing LEDs, see BigClive supercomputer projects.....

      The real status LEDs are hidden and only enabled by a keyswitch.

      1. TRT Silver badge
  8. Natalie Gritpants Jr

    Here's how to overwhelm the receiver

    Garage rock from the noughties

    Flashing lights and laser beams

    People dancing like a robot from 1984

    Think I'm in my happy place.

    1. that one in the corner Silver badge

      Re: Here's how to overwhelm the receiver

      When asked why the Intelligence Agencies were unable to locate such a well-known suspect, the spokesman replied, and I quote, "We wuzz all mellow, the joint wuzz jumping, the sounds wuzz pumping" before blowing a whistle loudly in my ear. Later, a Ministry Aide threw shapes during PM's Question Time.

  9. Mike 137 Silver badge

    The elephant in the air gap

    The common factor is that the exfiltration relies on the data source (the 'air gapped' computer) being already compromised. That seems to me to be a rather fundamental issue.

    1. Jimmy2Cows Silver badge

      Re: The elephant in the air gap

      Yes they do raise the question how said computer is exploited in the first place.

      If data can't be exfiltrated by conventional means (e.g. no data ports, no external drives, no CD/DVD drive, no network card, locked computer chassis etc.) then even if the attacker is physically stood in front of the thing, how do they get the exploit onto it?

      1. Graham Cobb Silver badge

        Re: The elephant in the air gap

        Many "air-gapped" systems have some of: data ports, external drives, CD/DVD drive, network card, unlocked computer chassis. All that is meant by "air gapped" is that remote access is not possible, not that the systems can never be connected to anything else by people on site.

        IIRC the Stuxnet intrusion was believed to have happened through service engineers systems being compromised (back at base) and then brought into the secure area and connected to the airgapped control computers for maintenance activity.

        Presumably Stuxnet has led to many improvements in security, but I still think it is unlikely SCADA systems are never connected to other devices for maintenance purposes.

  10. Flyover Country

    This PROBABLY applies (primarily) to corporate and not DoD facilities

    USA-centric, but I've not been in a facility dedicated to intelligence (military) where cell phones were permitted. Things may have changed as I'm old and it's been a couple of years. We had research facilities with access to TS, but typically in their dedicated SCIF(s).

  11. henryd

    Stuxnet. Israel

    Why is the stuxnet virus reported as being US/Israeli as a matter of fact? Nothing has been proved and so far is just a wild guess.

    While I would like to be true that doesn’t make it so.

    Very shoddy writing.

  12. xtam667

    If one cares enough to airgap their systems surely they put those systems in places from which neither sound or light leaks. Who saw airgapped systems in real life against which threats like this were plausible?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like