Defeating the Air Gap – Exploring the USBee Attack Scenario

January 6, 2017 | Views: 4347


USBee – Q [aka Quartermaster] must have come up with this …

It really does sound like something from a James Bond scenario – A standard USB device can become a transmitter without ever having to be removed from the system. By modulating the communication stream between the system and the USB device, electromagnetic activity can be created and controlled. These EM signals can then be picked up by an appropriately equipped receiving system, allowing for data to be transmitted between the two systems. Unlike attacks such as Cottonmouth and Turnipschool, USBee can use any USB device attached to the system because the transmission is performed via the interaction of the bus and the device and isn’t dependent on a particular function of the attached device.

A formal paper has been released and can be found in PDF form here: http://cyber.bgu.ac.il/t/USBee.pdf

This doesn’t sound like much of a threat, but it’s one of a number of threats designed to overcome the security provided by air-gapping computer systems. The security of such systems has always been a little more fragile than we would like to believe in any event. Van Eck phreaking was explored in the mid-80s, for instance, and there have been attacks designed to make computers transmit data by modulating fan speed. Part of the problem, of course, is that binary is so darn simple. You only need two distinguishable signal types, for example a high fan speed vs a low fan speed, to transmit data, and then something on the receiving end that can differentiate between the two signals and read out the binary. Most of these types of transmissions would be tediously slow, but EM transmission using the USBee attack is theorized to be able to reach 80 bytes per second.

Typically, air-gap protected computers are those found in high-security facilities, such as military systems, government databanks, or critical resource control systems (think power plants and water distribution control systems). What this means is that the potential threat impact could be very, very high, even though the actual likelihood of a successful data exfiltration attack is pretty low, as discussed below. In terms of risk assessment, this means that some form of mitigation or detection should probably be considered for systems holding critical data.

The attack itself is, however, difficult to perform successfully. The system must perforce be already compromised, as the control software performing the USB signal modulation has to be in place. It’s a bit of a catch-22: you can only perform this compromise on a system that has already been compromised. The system you want to exfiltrate the data from must have the exploit software already running on it, and controlling the exploit software remotely would be impossible, as the compromised system provides no channel for receiving commands (remember, this is only a one-way EM transmission from a system with no ability to receive). You would need to already know exactly what was on the system that you wanted, where it was, etc., and program all that into the compromise before figuring out how to get it onto the computer in the first place.

Then there’s the problem of receiving the signal: the receiving computer must be very close to the transmitter, and there’s the further issue of getting such a receiver into the secure facility to pick up the transmission. Perhaps if you were a super-suave diplomatic spy, you could arrange a tour of the facility.

“Mr. Bond, is that a smartwatch with a software-defined radio receiver built in? How ingenious!”
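To make the two points above concrete, namely that a two-level signal is enough to carry binary, and that the receiver’s distance (its signal-to-noise ratio) bounds the channel, here is an added toy model. It is not code from this post or from the USBee paper and touches no USB hardware; the signal levels, threshold and noise model are constructed assumptions, and only the 80 bytes per second figure comes from the text.

```python
"""Toy model of a two-level (on/off) covert channel through a noisy receiver.

Added illustration only: an emitter picks one of two signal levels per bit and a
receiver thresholds noisy samples back into bits. Larger noise stands in for a
receiver that is farther away.
"""
import random
from typing import List

HIGH, LOW = 1.0, 0.0        # the two "signal types" (constructed levels)
THRESHOLD = 0.5             # receiver decides HIGH when a sample exceeds this
BYTES_PER_SECOND = 80       # rate the post quotes for USBee


def encode(data: bytes) -> List[float]:
    """Map each bit (MSB first) of each byte onto one of the two levels."""
    return [HIGH if (byte >> shift) & 1 else LOW
            for byte in data for shift in range(7, -1, -1)]


def channel(levels: List[float], noise_sd: float, rng: random.Random) -> List[float]:
    """Add Gaussian noise; a more distant receiver sees a larger noise_sd."""
    return [lvl + rng.gauss(0.0, noise_sd) for lvl in levels]


def decode(samples: List[float]) -> bytes:
    """Threshold each sample and pack groups of eight bits back into bytes."""
    out = bytearray()
    for i in range(0, len(samples) - len(samples) % 8, 8):
        byte = 0
        for s in samples[i:i + 8]:
            byte = (byte << 1) | (1 if s > THRESHOLD else 0)
        out.append(byte)
    return bytes(out)


def bit_error_rate(sent: bytes, received: bytes) -> float:
    """Fraction of bits that were flipped between sent and received."""
    errors = sum(bin(a ^ b).count("1") for a, b in zip(sent, received))
    return errors / (8 * len(sent))


def seconds_to_exfiltrate(num_bytes: int, rate: int = BYTES_PER_SECOND) -> float:
    """Time a transfer of num_bytes takes at the quoted channel rate."""
    return num_bytes / rate


def simulate(data: bytes, noise_sd: float, seed: int = 1) -> float:
    """End-to-end run with a fixed seed; returns the resulting bit error rate."""
    rng = random.Random(seed)
    return bit_error_rate(data, decode(channel(encode(data), noise_sd, rng)))
```

With little noise (a close receiver) the message comes through intact; at a noise level comparable to the gap between the two levels the error rate climbs toward random guessing, which is why the receiver in the post has to be so close. At 80 bytes per second, a single megabyte would take several hours to transmit.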

2 Comments
  1. Comedic and entertaining. Turned a somewhat dry and technical topic into an interesting read. Thanks!

  2. Good read, thank you for the post!

    I for one tend to forget the enormous lengths people will go to in order to create vulnerability.
