New From Duo Labs: Finding Leaky Radio-Frequency Side-Channels
Have you ever listened to a photocopier or a car engine to infer what it’s doing? If so, you already have all the fundamentals you need to study emission security. Be it the audible click of a relay, a whine of a capacitor, or the flickering of the lights when the heat comes on, these behaviors all have one thing in common: they leak information about some internal state and reveal what is happening inside to an outside observer. When viewed through the lens of information security, these types of electrical and mechanical side-effects form the field of emission security.
This Duo Labs research article aims to make barely acceptable analogies about how radios work and show that you really don’t need that much in terms of know-how and equipment to find and take advantage of leaky radio signals. Towards the end, we will apply what we have learned to find a signal that can exfiltrate GPU data out of a radio-less and air-gapped desktop workstation through a wall and 50ft away.
The Field of Emission Security
The field was formalized around the end of the second world war when, after being told to put up or shut up, Bell Labs technicians scared the living daylights out of the United States Signal Corps. Over the years, defensive requirements and certifications have been codified under the standards titled, “Telecommunications Electronics Materials Protected from Emanating Spurious Transmissions,” or more simply put, TEMPEST.
These days a lot of attention has been going into speculative execution side-channel attacks such as Meltdown and Spectre that can be used to perform privilege escalation attacks. They function by measuring the timing of side-effects produced by executing specially-crafted instruction sequences to reveal some privileged internal state such as the contents of kernel memory.
Read-focused side-channel attacks generally aim to leak privileged information across a well-defined security barrier. With Spectre and Meltdown that barrier was the memory management unit and the side-channel was timing-based.
Malware in Air-Gapped Networks
However, there are many other physical, cyber, and yes, even CyBeR-pHySiCaL barriers out there. Attackers can, and [do], implant malware into air-gapped networks. If the malware’s purpose isn’t to have some kind of effect within the air-gapped network but instead to get data back out, the options for the attacker are fairly limited. They can either rely on a willing or unknowing party to facilitate the exfiltration, or they have to find a way around the air gap. Finding ways around air gaps involves either exploiting nodes that are not actually air-gapped or, as shown in the latest Duo Labs research article, leveraging some other physical property to transmit a radio-frequency signal to a semi-local receiver or other existing attacker-accessible infrastructure.
The article aims to acquaint you with the core concepts behind side-channel analysis, introduce the world of electromagnetic radiation, and enable you to go hunting for radio-frequency side-channels that can be leveraged for data-exfiltration from air-gapped systems.
In it we will examine a run-of-the-mill desktop workstation that has no built-in radios and show how we can abuse its GPU in a novel way and, with a little shell script, turn it into a tunable radio transmitter that can transmit data through a wall to a receiver 50 feet away.
You can read the full Duo Labs research article here.
https://duo.com/labs/research/finding-radio-sidechannels
Try Duo For Free.
With our free 30-day trial you can see for yourself how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.
