[HN Gopher] SATAn: Air-Gap Exfiltration Attack via Radio Signals... ___________________________________________________________________ SATAn: Air-Gap Exfiltration Attack via Radio Signals from SATA Cables Author : PaulHoule Score : 232 points Date : 2022-07-18 16:00 UTC (6 hours ago) (HTM) web link (arxiv.org) (TXT) w3m dump (arxiv.org) | system2 wrote: | I wish there was a nice YouTube video of this attack being | explained. | aasasd wrote: | Happy to see that vulnerability names keep going deeper into the | metal space: they seem to be making small steps from dad-heavy- | metal into the territory of black and doom, corresponding to | sometime in the 1970s. | | I, of course, will continue to advocate for full-on grindcore. | "Putrid Air Carries Pestilent Waves of Betrayal and Decay" or | gtfo. | [deleted] | [deleted] | [deleted] | seiferteric wrote: | Whats stopping us from using optical phy more often for | interconnects? Just cost? | advisedwang wrote: | Cost yes, but also inflexible cables, more space required for | transducers, harder to have a bus where multiple devices access | the same transmission medium, can't include power in the same | connector etc. | IshKebab wrote: | You can use optical for ethernet but it's expensive and mostly | for long distances as I understand it. There's no need for that | with SATA. | infogulch wrote: | How do you protect against these kinds of attacks? Layers of | shielding/faraday cages? | detaro wrote: | Don't let an attacker run code on your system in the first | place. (yes, shielding would of course help against this | specific attack, but you have a long list of things to worry | about before this kind of thing even becomes relevant) | ngneer wrote: | Same as with all attacks, you protect against them by making | the return lower than the cost... | tracker1 wrote: | It wouldn't take much shielding at all for this specific one... | you could line a case with a faraday mesh material which would | probably me enough for most similar attacks. | | That said, for most of these kinds of things, you have to get a | malicious payload on such a system. The stuxnet approach is one | way, if you have specific targets. Aside from that, you pretty | much need phyxical access and be able to load a malicious | software. At that point, you may as well stick a small usb | bluetooth/wireless dongle, depending on the situation... | assuming it's a standard desktop, there's a good chance of | unused USB 2 header you could piggy back on. | | At that point, an actual faraday cage or mesh on the room in | question would be the next practical vector. Some secure | buildings are up to 6' thick walls, no communications out | except through known devices on wired ports with software | checking in place (seen this in finance). | zaarn wrote: | Even a faraday cage would be insufficient if I can get a | powermeter into a power outlet on the same circuit. Or if | we're talking about a datacenter, I just need a good | electrical measurement device (Voltage, Amperage, Frequency, | PF) on the cable outside. | | I can, in this example, just have the computer use more power | to signal a 1 and less power to signal a 0. For a DC I just | ramp up the entire DC load. Do that over the span of a week | or so to make it less noticable. | mindcrime wrote: | _At that point, you may as well stick a small usb bluetooth | /wireless dongle, depending on the situation..._ | | Right, but there are places where if you stick an unapproved | USB device into a computer's USB port, a nice person from | security taps you on the shoulder 10 minutes later. In those | cases, you may well have the ability to run code on the | computer, but no ability to attach removable storage. It's at | least plausible (if not exactly probable) that something like | this could come into play for somebody looking to exfiltrate | a small amount of data from a system they have access to. | | I'm thinking something closer to (but perhaps not exactly) | like the Edward Snowden kind of scenario. Something where you | access to the computer, but can't use the other common place | means of getting data off of the machine and out the door. | Yeah, it's a stretch, but it's not beyond the bounds of | imagination. | tracker1 wrote: | How do you get your malware payload on the computer in the | first place? | mindcrime wrote: | Download it from the Internet? Key in the source by hand | and compile it locally? Type in the bytes with a hex | editor? I mean, there's a lot of possible ways. Note | "possible", perhaps even "plausible", but maybe not | "probable". And a lot of it would come down to the | details of the local situation. | | And if you're wondering, I can confirm that I've | definitely worked at places where you were not allowed to | plug in a USB device (I literally saw a co-worker get the | "tap on the shoulder" from Security for doing that), but | yet many (most?) Internet downloads were allowed. Does | that make sense? Arguably not. Does it happen in the real | world? Absolutely yes. | eigenvalue wrote: | This isn't the first security software to be called Satan-- I | remember reading about one back in the 90s for breaking into | networks. I guess it's been long enough that it wouldn't cause | any confusion. | [deleted] | rnd0 wrote: | Ironically, I was thrown off (briefly) because I remember | reading about the original SATAN back in the day. I may be | wrong, but I think it was a precursor to nmap? I haven't looked | it up and this was in the late 90's. | eigenvalue wrote: | Yup, this is it: | | https://en.m.wikipedia.org/wiki/Security_Administrator_Tool_. | .. | rnd0 wrote: | Thanks! I followed through to the home page and the "SATAN | updates" link: | | >http://www.porcupine.org/satan/release-2-plan.html | | >Release 2 is currently in the works - the original plan | was to update SATAN on its first birthday, but that | schedule has slipped. | | sensiblechuckle.jpg | noname120 wrote: | Previously: GSMem, BitWhisper, AirHopper, ODINI, PowerHammer, | LED-it-GO, USBee, Bridgeware, MAGNETO, etc etc. | | See the other [?]50 copycat papers of the author: | https://www.semanticscholar.org/author/Mordechai-Guri/226003... | | At some point the author is going to run out of clever puns... | blobbers wrote: | What do you mean by copycat? As in he takes someone else's | paper and gives it a clever name? Or do you just mean he is | using lots of silly methods of doing data exfil? | bcook wrote: | I think they mean lots of people are copying the mentioned | author. | spullara wrote: | Nope, that same author has tons of papers about | exfiltrating data from air gapped systems using many | different mechanisms. Copycat is the wrong way of thinking | about it. All different but do the same kind of thing. | RF_Savage wrote: | A new day and a "new" air-gap exfiltration from this dude. What | ENI generating buses and peripherals are left now that he's done | sata, dram, cpu, fanspeed and ethernet? | kortex wrote: | Hard drive access LED, optical disk servo, and the | piezoelectric discharge due to thermal rise/fall of the GPU. | | I'm only half joking. | detaro wrote: | > _Hard drive access LED_ | | He's done that one: https://arxiv.org/abs/1702.06715 | klysm wrote: | > the piezoelectric discharge due to thermal rise/fall of the | GPU | | now this is something id like to see! | maicro wrote: | I don't remember which rule of the internet claims that | there's always a relevant XKCD, but - relevant XKCD: | https://xkcd.com/1172/ | badrabbit wrote: | Ben-Gurion seems to generate a lot of papers like this. Makes | me wonder about the secret spy stuff that doesn't get | published. | nibbleshifter wrote: | Its one guys lab there (Mordecai). They basically churn out a | metric fuckload of the same thing, different bus. | | None of it makes for a practical attack. | ivraatiems wrote: | This feels like one of those classic things, though, where | you read this and go "ha ha, that'll never be valuable or | even work in real life", and then in ten years you read an | article that's something like "Hackers Steal Ugandan | President's Credit Card Data by Reading a Single Bit". | | Identifying attack vectors is just building up an arsenal | of tools that can potentially be used depending on the | circumstance. | tbihl wrote: | The standardization of protocols and physical components | on computers, paired with the accessibility of global | wealth from computers, means that the payout is always | there for obscure attacks. They just may have to be | incorporated into large toolsets with significant | automation to know when it's the right tool for the job. | TedDoesntTalk wrote: | Theft of Bitcoin wallet private key from a well-known | Bitcoin billionaire seems applicable. | thrashh wrote: | These are all practical attacks. Most of us are just not | the right customer for them | | For most people, if you are trying to exfiltrate some | customer data to sell on the black market, are you going to | spend a bunch of development time blinking a LED and | setting up a receiver? Nah you'd just move to some other | victim because you are trying to make a profit, not waste | more money | | But someone like a government trying to spy on another | country... the cost of spies is pretty high... but pay some | engineers to spend all day trying to make a LED blink some | data is relatively cheap | | That said, I think a lot of these attacks are kind of | boring even if they were unpublished. If anyone here was | paid 6 figures to do nothing all day but figure out some | obscure variables in your computers to flip to exfiltrate | some data, I'd be disappointed if you couldn't figure | anything out. I think most of these attacks are kind of | obvious. | goodpoint wrote: | They are all very practical, just not often needed. | duskwuff wrote: | > They basically churn out a metric fuckload of the same | thing, different bus. | | Notably, most of the attacks from Mordechai's lab describe | low-bandwidth channels for _deliberate_ data exfiltration. | These attacks would only apply in unusual situations where | an attacker can run arbitrary code on a machine, but the | machine is isolated from the outside world. (Scenarios like | Iranian nuclear facilities come to mind.) | badrabbit wrote: | You say that but I am actively dealing with a chinese | malware(public info) I won't name that does just that but | with USB. It sideloads a dll when a shortcut opens a | legit app on a USB (shortcut is tricky in that it looke | like a folder and opens a folder also when you click on | it) it then collecte all kinds of documents and exfils to | the internet but if there is no internet it archives it | back to the USB so next time it runs with internet access | it will also exfil any docs on the USB from the airgapped | machines, fortunately just a spillover infection for us | but these tricks in the paper would enable to not wait | for a USB or internet access, it would be more realtime. | Like if it is an ICS system for nuclear centrifuges it | will send back what ir found and accept destructive | tasks. | userbinator wrote: | You still need a receiver within range in order to do | this. | rtev wrote: | Someone attacking a nuclear facility can get a receiver | within range | happyopossum wrote: | > accept destructive tasks. | | Not with this - it's a one way channel | woevdbz wrote: | Well but that is exactly the point of air-gapping. It's | meant to give the institution a guarantee that, no matter | how badly the box might be owned, no matter if the user | themselves is compromised, stuff won't get out. If a user | with admin rights on the machine can get it to | communicate with the external world, that's an air gap | failure. | duskwuff wrote: | Right, my point is that this is a class of attacks which | are only relevant to a specific, small class of users. | It's irrelevant to users who have intentionally enabled | any kind of network communications on their computer, and | it's also irrelevant to users who have robust controls on | what code is executing on their system, or who run | untrusted code in an environment which isolates it from | hardware (like a virtual machine). | | So, in short, it only affects ineptly managed secure | environments. | PeterCorless wrote: | Not that there are any of those... | woevdbz wrote: | > this is a class of attacks which are only relevant to a | specific, small class of users | | Yes. | | > It's irrelevant to users who have intentionally enabled | any kind of network communications on their computer | | No, there are lots of use-cases at least for LAN | communications. | | > it's also irrelevant to users who have robust controls | on what code is executing on their system, or who run | untrusted code in an environment which isolates it from | hardware (like a virtual machine). | | No, it's relevant in those cases too, as part of a | defense in depth strategy. | IncRnd wrote: | They are practical, just not widespread. There is no reason | for them to be widespread. One use-case is to obtain data | from air-gapped machines that do not connect to the | Internet. More broadly, these are for targeted attacks not | for dumping JS onto everyone who visits wikipedia. | koshkaqt wrote: | Would this still work if full-disk encryption were enabled on the | victim machine? | infinityio wrote: | To my understanding (haven't yet read the paper, just the | abstract) - most full-disk encryption schemes are implemented | in OS as opposed to in-hardware, so if the attacker has deep | access to the system they could probably find a way to write | unencrypted data to disk? That may not work inside a VM though | LaputanMachine wrote: | It probably does. In the code example on page 5, disk activity | is only generated to send a "1", while a "0" is encoded as a | time with no disk activity. | jwilk wrote: | They write only random data and discard any data they read, so | FDE should not have any effect. | tracker1 wrote: | While incredibly cool... wouldn't you have to have physically | accessed and exploited the system for this type of attack? | | I'm not sure what kind of practical implementation this could | really have. | lallysingh wrote: | You don't need physical access, but you can't do it via | Internet. An intercepted/faked software CD/USB would probably | be a good vector. They have to install software somehow. | [deleted] | detaro wrote: | That's what "exfiltration" generally means, yes | PeterisP wrote: | There are various ways how you can push in malware to isolated | systems (compromised USB drives used to be common, and still | seem to work in some penetration tests; but in general, you | might succeed in getting someone to deliver a malicious | document file to such a system with some zero-day in it. Also, | compromised hardware - e.g. ship them a USB mouse that 12 hours | after plugging in technically becomes also a USB storage device | and a USB keyboard to send commands to install stuff), but then | you have the trouble of what that malware should do once on | those systems - being able to establish a communications | channel is useful in such a scenario. So there's definitely a | role for such tools, only these scenarios are relevant only to | quite expensive targeted attacks, essentially spycraft by state | actors, not for e.g. commercial ransomware operators. | babypuncher wrote: | Gain physical access to a machine, install malware that gathers | data and transmits it using this vulnerability. Only works if | you can set up a listening post within range of the PC. | | Certainly very limited utility, and definitely not something | any of us should actually be worried about. But it probably is | something to be aware of if you run IT for an embassy or any | other entity that could be targeted by a highly motivated state | sponsored actor. | jjeaff wrote: | I love these extreme air gap exploits. Detecting keyboard entry | by analyzing the sound of the typing and reading CRT monitor | radiation to mirror the screen from a distance come to mind. | | But have any of these extreme exploits ever been used in the | wild? They all seem impossible to pull off in anything but lab | controlled conditions. | evan_ wrote: | Not exactly the same thing, because it required modifying the | devices in question, but during the Cold War the Soviets | managed to implant some really fascinating bugs into | typewriters used inside the US Embassy: | | https://www.cryptomuseum.com/covert/bugs/selectric/ | jerf wrote: | Yeah... it's hard to know what exactly they get up to in that | world, but the floor put under their capabilities by what has | been publicly exposed doesn't exactly support the "nah, it's | all too hard and nobody would ever bother" argument at _all_. | Even if we assume without real reason to do so that we 've | heard the most impressive stuff from them, but it's just a | small sampling of the number of times they've used it, if | your adversary is a state-level actor, you should assume the | very, very worst. If you're wrong, it won't be by much. | | Read Google's Project Zero blog, too: | https://googleprojectzero.blogspot.com/ We don't know that | these exploits in particular are used, but consider that | Project Zero is the moral equivalent of a hobby for Google. | What would it look like to have _hundreds_ of people at that | rough skill level, training each other, practicing all the | time, and building software support for each other? | | The capabilities of attackers are not bounded by your | imagination. | dylan604 wrote: | I think Tom Cruise did this once in "Mission:Impossible 32" | AdamJacobMuller wrote: | > But have any of these extreme exploits ever been used in the | wild? | | I suspect you're going to find out in 50 years when government | documents (not inherently US gov) are declassified. | | State level spying is the only thing I can think of where the | value of the information is so high (making the effort of this | kind of attack is worth it) and where there are many scenarios | where the volume of highly valuable information is | comparatively tiny. | | Just as some very off the cuff examples of what I mean by the | latter. We don't need to exfiltrate satellite photos of things | (gigabytes of data), but, it could be very valuable to | exfiltrate the metadata of what they are looking at | (coordinates and time) | | Also, exfiltrating information like names of sources or meeting | points or other methods can be trivial amounts of data but | finding even a single compromised person on our side would be | immensely valuable! | | I'm reminded of "The Thing": | https://en.wikipedia.org/wiki/The_Thing_%28listening_device%... | moltude wrote: | didn't stuxnet jump into an air gaped system? I'm curious if | there is significant difference between egress and ingress | into air gaped systems. | legalcorrection wrote: | I thought a thumbdrive was the attack vector for stuxnet. | TedDoesntTalk wrote: | Correct: | | https://www.theverge.com/2012/4/12/2944329/stuxnet- | computer-... | SketchySeaBeast wrote: | > I'm curious if there is significant difference between | egress and ingress into air gaped systems. | | I would expect so. I'm fairly certain there's a big | difference between pulling fuzzy data out and figuring out | what it means as opposed to trying to electromagnetically | fling fuzzy data into a system that's not supposed to have | information flung at it and having the system accept what | you mean. | Tostino wrote: | We'll eventually find out when the latest iteration of | something like Stuxnet is found in the wild...if it still | leaves enough of a trace to be found. | Schroedingersat wrote: | Don't worry. The latest iteration will be running on the psp | via the private key and will have ring -1 access. | serf wrote: | van eck phreaking has been used successfully against electronic | ballot machines.[0] | | apparently it was demonstrated practically during the Korean | War; but I can't find anything much about that. | | [0]: https://yro.slashdot.org/story/09/11/22/027229/Brazilian- | Bre... | NovemberWhiskey wrote: | This is not exactly that - this is the use of a SATA bus as an | RF radiator to do a (very slow) covert exfiltration channel | from an air-gapped computer. | cogman10 wrote: | Yeah... but I mean, if the computer is in a steel/aluminum | box (likely) then both the distances and locations you can be | to be able to intercept that 6ghz signal are pretty limited. | | It's a neat attack, but to pull it off you pretty much need | both physical access AND the ability to install virused | software on the target. Perhaps something the CIA/NSA pull | off such as stuxnet? Even then, the point of an air-gapped | computer is that installing such software would be pretty | difficult in the first place. | thrashh wrote: | I mean if the stakes were high enough | | If I told you that you could make 500 million dollars | (after taxes) if you figured this out, suddenly you would | be on top of this. | | The stakes of Stuxnet was probably "the safety of the free | world" in the eyes of the people who paid for the work | cogman10 wrote: | I don't mean that the attack isn't possible/wouldn't | necessarily work. I'm saying it's impractical given that | one of the steps to execute it is "have physical access | to the machine, the ability to install software, and time | to sit around and record the outbound data (or to be able | to revisit the site and collect a recording device)." | | With each of those requirements, there are easier and | faster ways to get data off a machine. If you can install | software you can likely download data that software would | access. If you can access the machine twice and install | software that runs in the background between visits, you | can install your keylogger/data collectors and simply | record the data on the device. | | Stuxnet wasn't about getting data out of the machine, it | was about breaking machines. It worked well because it | didn't require physical access to the machines. It spread | as a virus through the regular updates that Iran was | doing for their machines. | | If you had such a stuxnet virus in your back pocket, then | you can likely steal the data and record it back on the | USB device (or any plugged in USB device) on the system. | thrashh wrote: | I was more referring to Stuxnet as an example of someone | who is willing to spend the money on people to figure out | some obscure techniques | | Spy agencies have definitely used obscure data | exfiltration techniques and they can afford spies. | jagger27 wrote: | I'd say it's a solid "no", and the author says as much in the | paper. | | > We transmitted the data with a bit rate of 1 bit/sec, which | is shown to be the minimal time to generate a signal which is | strong enough for modulation. The BER for PC-1 is presented in | Table VI. As can be seen, the BER of 1% - 5% is maintained | between 0 - 90 cm. With a greater distance of 120 cm, the BER | is significantly higher and reaches 15%. With PC-2 and PC-3, | the bit error rates (BER) are less than 5% only in short | proximity up to 30 cm, and hence the attack is relevant only | for short ranges in these computers. | | This particular attack is a weak 6 GHz signal that can exfil | about 1 bit/s from a metre away. It's neat, but impractical. | lallysingh wrote: | Enough for cryptographic key material, but not much else. | | Still, publishing which methods are a risk, and which ones | aren't, is quite useful. | leeter wrote: | Pretty sure a ferrite beads can shut this down anyway. But | this seems like a more practical question of "If they can get | that close do they really need this?" They've already had USB | or software access in some form already. | cogman10 wrote: | Yup, that's the part that makes this attack completely | impractical. You are trying to leak information but first | you have to install a virus on the computer? Neat concept, | wildly impractical. | PeterisP wrote: | I mean, Stuxnet is an illustrative example that has been | seen in the wild (and the rare exception of one that | became public - in general, if you'd be the target of | something like this and found out, the results of that | analysis would be classified and unpublishable), and | there have been almost 20 years to do improvements since | Stuxnet was first developed, so there definitely are real | attacks aiming to do stuff and/or exfiltrate data from | air-gapped computers after "installing a virus on the | computer" - and it's quite clear that Stuxnet did achieve | a significant practical effect. | nonrandomstring wrote: | > But have any of these extreme exploits ever been used in the | wild? They all seem impossible to pull off in anything but lab | controlled conditions. | | Not at all. I've seen clearly with my own eyes the image of one | persons VT100 CRT tube appearing on another across the room | because the ground shielding had disconnected. If you have a | high gain YAGI antenna, digital RF buffers and some fancy | modern DSP lord only knows what you can snoop through the | walls. | | Most of this is solved by having a simple metal (steel) PC case | and grounding the PSU though. Use good quality cables with | FCC/IEC badges not the bargain bucket Chinese ones. | ConstantVigil wrote: | I used to see this happen with our old TV's at an old house | with really bad grounding. I always wondered why it did that. | | We could be playing a video game or movie, and set all the | other tv's to channel 2 or something like that, while we | played on channel 1. You could see the action on each of | them. Almost 1:1 on the reaction times, albeit a little | fuzzy. | fortran77 wrote: | "Yagi" isn't an acronym. | orangepurple wrote: | Soviet agents secretly installed tiny sensing devices in about | a dozen embassy typewriters. The devices picked up the contents | of documents typed by embassy secretaries and transmitted them | by antennas hidden in the embassy walls. The antennas, in turn, | relayed the signals to a listening post outside the embassy. | "Depending on the location of the bugged typewriters, the | Soviets were able to receive copies of everything from routine | administrative memos to highly classified documents. "One | intelligence officer said the potential compromise of sensitive | information should be viewed with 'considerable seriousness.' | "Another intelligence expert said no one knows for sure how | many or what secrets were compromised. A third official called | the entire affair a fiasco. | | https://media.defense.gov/2021/Jul/13/2002761779/-1/-1/0/LEA... | badrabbit wrote: | Yeah, Snowden mentioned in his experience at NSA they did use | tricks like this and this was late 2000's. There is an | interview he gives where he goes under a blanket to type his | password on a laptop to avoid the crt reader thingy. | ekianjo wrote: | there is no crt on a laptop | glenstein wrote: | Is there any source that it was the crt reading thing | specifically? I remember that part of the documentary but I | am still wondering if he had a specific attack in mind when | he did that. | FreakLegion wrote: | Van Eck phreaking works through walls. I haven't seen the | interview but most likely he was just hiding the physical act | of typing, since that too can leak information about a | password. | lallysingh wrote: | Password prompts usually don't show the passwords you're | typing in. | jacquesm wrote: | Your fingers are hitting the keys. | lazide wrote: | What would that have to do with a CRT? | badrabbit wrote: | Sorry, the attack works in laptop monitors not crt. ___________________________________________________________________ (page generated 2022-07-18 23:00 UTC)