Ready to Start Your Career?

Defeating the Air Gap - Exploring the USBee Attack Scenario

deleriumendless 's profile image

By: deleriumendless

January 6, 2017

james-bond-1015612_1920USBee - Q [aka Quartermaster] must have come up with this ...It really does sound like something from a James Bond scenario - A standard USB device can become a transmitter without ever having to be removed from the system. By modulating the communication stream between the system and the USB device, electromagnetic activity can be created and controlled. These EM signals can then be picked up by an appropriately equipped receiving system, allowing for data to be transmitted between the two systems. Unlike attacks such as Cottonmouth and Turnipschool, USBee can use any USB device attached to the system because the transmission is performed via the interaction of the bus and the device and isn't dependent on a particular function of the attached device.A formal paper has been released and can be found in PDF form here: doesn't sound like much of a threat, but it's one of a number of threats that have been designed to overcome the security provided by air-gapping computer systems. The security of such systems has always been a little more fragile than we would like to believe in any event. Van Eck 'freaking'  was explored in the mid-80's, for instance, and there have been attacks designed to cause computers to transmit data using fan speed modulation. Part of the problem, of course, is that binary is so darn simple. You only have to have two different signal types, for example, a high fan speed vs a low fan speed, to transmit data, and then design something that can differentiate between the two signals and read the binary. Most of these types of transmissions would be tediously slow, but EM transmission using the USBee attack is theorized to be able to reach 80 bytes per second.Typically, air-gap protected computers are those found in high-security facilities, such as military systems, government databanks, or critical resource control systems (think power plants and water distribution control systems). What this means is the potential threat impact could be very, very high, even though the actual likelihood of a successful data exfiltration attack is pretty low, which I'll talk about here also. In terms of risk-assessment, this means that some form of mitigation or detection should probably be considered for systems holding critical data.The attack itself is, however, difficult to perform successfully. The system must perforce be already compromised, as the control software performing the USB signal modulation has to be in place. It's a bit catch-22; you can only perform this compromise on a system that has already been compromised. The system you want to exfiltrate the data from must have the exploit software already running on it, and controlling the exploit software would be impossible as the compromised system doesn't provide a facility for sending signals back (remember, this is just a transmission of EM from a system with no ability to receive). You would need to already know exactly what was on the system that you wanted, where it was, etc., and program all that into the compromise before figuring out how to get it onto the computer in the first place.Then there's the problem of receiving the signal ... the receiving computer must be very close to the transmitter. Then there's the issue of getting such a receiver into the secure facility to pick up the transmission. Perhaps if you were a super-suave diplomatic spy, you could arrange a tour of the facility.
"Mr. Bond, is that a smartwatch with a software-defined radio receiver built in? How ingenious!"
Schedule Demo