6 March 2017

MALWARE LETS A DRONE STEAL DATA BY WATCHING A COMPUTER’S LED; NEW THREAT CAPABLE OF BREACHING ‘AIR-GAPPED’ SYSTEMS


Andy Greenberg had an article with the title above on WIRED.com, February 22, 2017. Mr. Greenberg begins: “A few hours after dark earlier this month (Feb.), a small quadcopter drone lifted off from the parking lot of Ben Gurion University in Israel. It soon trained its built-in camera on its target, a desktop computer’s tiny blinking light inside a third-floor office nearby. The pinpoint flickers emitting from the LED hard drive indicator that lights up intermittently on practically every modern Windows machine would hardly arouse the suspicions of anyone working in the office after hours. But, in fact,” Mr. Greenberg wrote, “the LED was silently winking out an optical stream of the computer’s secrets to the camera floating outside.”

“The data-stealing drone,” which is shown in a video included in Mr. Greenberg’s article, “works as a Mr. Robot-style demonstration of a real espionage technique. A group of researchers at Ben Gurion’s cyber security lab has devised a method to defeat the protection known as an ‘air-gap,’ the safeguard of separating highly sensitive computer systems from the Internet — to quarantine them from hackers. If an attacker can plant malware on one of these systems — say, by paying an insider to infect it via a USB or SD card — this approach offers a new way to rapidly pull secrets out of that isolated machine. Every blink of its hard drive LED indicator can spill sensitive information to any spy with a line of sight to the target computer, whether from a drone outside the window or a telescopic lens from the roof next door,” Mr. Greenberg wrote.

“If an attacker has a foothold in your air-gapped system, the malware can send [the highly protected] data out to the attacker,” says Ben Gurion researcher Mordechai Guri, who, Mr. Greenberg wrote, “has spent years on [perfecting] the techniques for ferreting data out of isolated [and thought to be secure] computer systems.” “We found that the small hard drive indicator LED can be controlled at up to 6,000 blinks per second. We can transmit data in a very fast way, [and] at a very long distance,” Mr. Guri told WIRED.

Gap Attack

As Mr. Greenberg notes, “an air-gap, in computer security, is sometimes seen as an impenetrable defense,” though, as you might guess, that is no longer the case, and hasn’t been for at least five years, if not more. You build a better cyber mousetrap, and the cyber thieves and others find a way to overcome the ‘impenetrable’ defense. Remember, there wasn’t a single Medieval castle in Europe that wasn’t eventually breached or fatally compromised. “Malware like Stuxnet and the Agent.btz worm that infected American military systems a decade ago have proven that air-gapped systems can’t entirely keep motivated hackers [or a hostile intelligence organization] out of ultra-secret systems — even isolated systems need code updates and new data, opening them to attackers with physical access. And once an air-gapped system is infected, researchers have demonstrated a grab-bag of methods for extracting information from them despite their lack of an Internet connection, from electromagnetic emanations to acoustic and heat signaling techniques — many developed by the same Ben Gurion researchers behind the new LED spying technique,” Mr. Greenberg wrote.

“But,” Mr. Greenberg warns, “exploiting the computer’s hard drive indicator LED has the potential to be a stealthier, higher-bandwidth, and longer-distance form of air-gap-hopping communications. By transmitting data from a computer’s hard drive LED with a Morse code-like pattern of on and off signals, the researchers found they could move data as fast as 4,000 bits a second, or close to a megabyte every half hour. Fast enough to steal encryption keys in seconds. And the recipient could record those optical messages to decode them later; the malware can even replay its blinks on loop,” Guri says, “to ensure that no part of the [purloined] transmission goes unseen.” “The LED is always blinking as it’s doing searching and indexing, so no one suspects, even in the night,” Mr. Guri added. “It’s very covert actually,” he warned.

Slow And Steady

“The researchers found that when their program read less than 4 kilobytes from the computer’s storage at a time, they could cause the LED indicator to blink for less than a fifth of a millisecond,” Mr. Greenberg wrote. “They then tried using those rapid-fire blinks to send messages to a variety of cameras and light sensors from an ‘infected’ computer, using a binary system of data encoding known as ‘on-off keying,’ or OOK. They found that a typical smartphone camera can, at most, receive around 60 bits per second due to its lower frame rate, while a GoPro camera captured as much as 120 bits per second. A Siemens photodiode sensor was far better suited to their high-frequency light sensing needs, though, and allowed them to hit their 4,000 bits per second maximum transmission rate.”

“The malware could also make the hard drive LED blink so briefly, in fact, that it would be undetectable to human eyes, yet still registered by the light sensor,” Mr. Greenberg noted. “That means an attacker could even send invisible light signals to a faraway spy,” he warns, “albeit at a slower rate to avoid its covert blinks blurring into a visible signal.” “It’s possible for the attacker to do such fast blinking that a human never sees it,” Mr. Guri cautioned.

The good news, Mr. Greenberg wrote, for anyone security-sensitive enough to worry about this kind of attack, and for anyone else who air-gaps their computers, is that the Ben Gurion researchers say there are “clear countermeasures” to block their hard drive LED exfiltration method. They “suggest keeping air-gapped machines in secure rooms and away from windows, or placing film over a building’s glass in order to mask their machines’ LED light flashes. They also note that protective software on a target machine could randomly access the hard drive to create noise and jam any attempt to send a message from a computer’s LED.”

“But the simplest countermeasure by far,” Mr. Greenberg wrote, “is simply to cover the computer’s LED itself. Once a piece of tape over a laptop’s webcam was a sign of paranoia. Soon, a piece of tape obscuring a computer’s hard drive LED may be the real hallmark of someone who imagines a spy drone at every window.”
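The figures quoted above (4,000 bits per second from a photodiode, far less from a camera, and disk-access noise as a jammer) are easier to reason about with a small channel simulation. The following is an added example written for this post, not code from the Ben Gurion researchers or from WIRED, and it makes assumptions the article does not state: one bit per fixed time slot, the LED held on for the whole slot for a 1 and idle for a 0, both ends agreeing on the bit rate in advance, the receiver knowing where slots begin (a real link would need a sync preamble, omitted here), a phone camera at 30 frames per second, and the defender’s “random disk access” modelled as a coin flip per slot. As a sanity check on the article’s arithmetic, 4,000 bits per second for 30 minutes is 7.2 million bits, or about 0.9 megabytes.

```python
"""Simulation of a hard-drive-LED on-off-keying (OOK) exfiltration channel.

Added example for this post; not the researchers' code.  Assumptions (mine):
one bit per fixed slot, LED on for the whole slot = 1, idle = 0, both ends
know the bit rate and slot boundaries, jammer = coin flip per window.
"""
import random
from typing import Dict, List, Optional, Tuple


def bytes_to_bits(data: bytes) -> List[int]:
    """MSB-first expansion of bytes into a list of 0/1 ints."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def bits_to_bytes(bits: List[int]) -> bytes:
    """Inverse of bytes_to_bits; a trailing partial byte is dropped."""
    whole = len(bits) - len(bits) % 8
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2) for i in range(0, whole, 8))


class LedTransmitter:
    """Implant side: read from disk during a slot (LED on) for a 1 bit, stay
    idle (LED off) for a 0 bit.  The payload is replayed on loop, as the
    article describes, so a receiver that misses a pass can catch the next."""

    def __init__(self, payload: bytes, bit_rate: float):
        self.bits = bytes_to_bits(payload)
        self.slot = 1.0 / bit_rate  # seconds per bit; 4,000 bps -> 0.25 ms

    def led_on(self, t: float) -> bool:
        return self.bits[int(t // self.slot) % len(self.bits)] == 1

    def duration(self) -> float:
        return len(self.bits) * self.slot


class DiskJammer:
    """Defender side: protective software issuing random disk reads.  Modelled
    as a coin flip (probability `duty`) redrawn every `granularity` seconds;
    while 'on' the LED lights regardless of what the implant is doing."""

    def __init__(self, duty: float, granularity: float, seed: int = 0):
        self.duty, self.granularity = duty, granularity
        self.rng = random.Random(seed)
        self.windows: Dict[int, bool] = {}

    def led_on(self, t: float) -> bool:
        k = int(t // self.granularity)
        if k not in self.windows:
            self.windows[k] = self.rng.random() < self.duty
        return self.windows[k]


def sample_channel(tx: LedTransmitter, sample_rate: float,
                   jammer: Optional[DiskJammer] = None) -> List[Tuple[float, bool]]:
    """Receiver optics sampling LED brightness at `sample_rate` Hz for one pass
    over the payload.  For a camera the sample rate is its frame rate."""
    n = int(tx.duration() * sample_rate)
    return [(k / sample_rate,
             tx.led_on(k / sample_rate) or (jammer is not None and jammer.led_on(k / sample_rate)))
            for k in range(n)]


def demodulate(samples: List[Tuple[float, bool]], bit_rate: float,
               n_bits: int) -> Optional[List[int]]:
    """Majority vote over the samples that land in each bit slot.  Returns None
    when some slot received no sample at all: the sensor is too slow for this
    bit rate, which is what caps a camera far below a photodiode."""
    slot = 1.0 / bit_rate
    buckets: List[List[bool]] = [[] for _ in range(n_bits)]
    for t, on in samples:
        idx = int(t // slot)
        if idx < n_bits:
            buckets[idx].append(on)
    if any(not b for b in buckets):
        return None
    return [1 if 2 * sum(b) > len(b) else 0 for b in buckets]


def run_link(payload: bytes, bit_rate: float, sample_rate: float,
             jammer: Optional[DiskJammer] = None) -> Optional[bytes]:
    """End to end: implant -> LED -> sensor -> decoder.  None = could not decode."""
    tx = LedTransmitter(payload, bit_rate)
    bits = demodulate(sample_channel(tx, sample_rate, jammer), bit_rate, len(tx.bits))
    return None if bits is None else bits_to_bytes(bits)


if __name__ == "__main__":
    KEY = b"KEY"  # constructed stand-in for an exfiltrated secret
    print(run_link(KEY, 4000, 20_000))   # photodiode at 20 kHz keeps up with 4,000 bps
    print(run_link(KEY, 4000, 30))       # 30 fps camera cannot resolve 0.25 ms slots
    print(run_link(KEY, 15, 30))         # ...but decodes if the implant drops to 15 bps
    print(run_link(KEY, 4000, 20_000, DiskJammer(0.6, 1 / 4000, seed=7)))  # jammed
```

The photodiode case recovers the payload because it takes several samples per 0.25 ms slot; the 30 fps camera returns None at 4,000 bps because whole slots pass between frames, and only decodes once the implant slows to a rate the frame rate can track. With the jammer active, the decoder still produces bytes, but zero bits in slots where the defender’s reads lit the LED come back as ones, so what the spy recovers no longer matches the secret.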

Some Observations/Parting Thoughts

When Willie Sutton was asked why he robbed banks, he famously said, “because that’s where the money is.” Cyber thieves, spy agencies, corporate espionage, and so on have really stepped up their game in the past decade, and put major emphasis on breaching and compromising stand-alone computers and machines, because that’s where the real secrets were kept. And, to a large degree, that’s still the case. The tactics, techniques, and tools being employed to breach stand-alone systems have matured, gotten more sophisticated, elegant, and unfortunately, successful. Industrial-grade stealth malware is no longer just for the ‘big boys.’ From stealing highly classified secrets such as the latest research and development on a weapon system, to getting highly lucrative and confidential mergers-and-acquisitions intelligence and trading on that insider information on the various stock exchanges, cyber thieves have been successful in breaching stand-alone systems, and in some cases making themselves rich on insider information, or stealing highly classified R&D on various weapons systems. The Chinese are the poster child for the latter, often referred to as ‘The Great Steal Ahead.’

But, just as cyber thieves and hostile intelligence agencies have had some success penetrating or compromising stand-alone machines, those charged with defending against a cyber breach have also gotten creative. I suspect there may even be a stand-alone ‘honeypot,’ designed to lure the adversary into thinking they have a stand-alone machine in their sights, only to be led into a fake stand-alone that by all appearances is genuine and looks loaded with material that seems like the mother lode, but is really a Trojan Horse, or worse.

Are we at the stage yet where we can tag our data and follow the digital bread crumbs back to the point of origin? If not, are we on a path to be able to do something like that in the not too distant future? Like the exploding dye contained in money stolen in a robbery, can we yet, or will we at some point in the near future, have exploding digital dye that wreaks havoc on the adversary’s network when they return and download it into their systems? I suppose you could make sure you download to a stand-alone machine in order to prevent any large-scale, cascading damage.

I also wonder if we, or anyone, is at the cyber level where you can clandestinely exfiltrate the purloined data and either leave no trace behind that you were ever there, or leave behind clever digital clues that make it appear someone other than you, or your country or organization, was responsible for the breach.

And, if you can extract or download data from a stand-alone, remote, isolated machine, could you also insert fake or damaging data into the stand-alone network that would be very difficult to discern? Clever, sophisticated, targeted, and deliberate corruption of highly sensitive data could cause a weapon to misfire, or facilitate the adversary into doing something on the policy front that you want them to do. Sort of reminds me of Elliot Carver in the James Bond film, “The World Is Not Enough.”

The bottom line to all of this is: stand-alone computers, machines, and devices are no longer ‘safe’ from breach by outsiders, if they ever really were. But there is no doubt that the number of ways and methods by which a stand-alone machine can be compromised is growing, both in the number of ways and in the damage that can be inflicted. Maybe we are already, or soon will be, at a point where we have ‘armored clouds,’ and ‘armored stand-alone machines,’ as well as camouflage stand-alone machines, honeypot stand-alone machines, infected stand-alone machines, and so on. As Albert Einstein once said, “Imagination is more powerful than knowledge.” V/R, RCP
