CBG in the News
Cybersecurity researchers at Ben-Gurion University say they are developing AI-driven solutions to foil hacks, by making sure medic...Read More ...
The team of security researchers who last month demonstrated how attackers could steal data from air-gapped computers protected inside a Faraday cage is back with new research showing how two (or more) air-gapped PCs placed in the same room can covertly exchange data via ultrasonic waves.
Air-gapped computers are considered the most secure setup: the systems are isolated from the Internet and from local networks, so moving data in or out requires physical access, via a USB flash drive or other removable media.
Dubbed MOSQUITO, the new technique, discovered by researchers at Israel’s Ben-Gurion University, works by turning connected speakers (passive speakers, headphones, or earphones) into microphones by exploiting a specific audio chip feature, jack retasking.
Two years ago, the same team demonstrated how attackers could covertly listen to private conversations in a room by using malware to turn headphones connected to an infected computer into a microphone, much like a bug. Now, with its latest research [PDF], the team has taken that work a step further and found a way to convert speakers, headphones and earphones that were never designed to act as microphones into listening devices, even when the standard microphone is absent, muted, taped over, or turned off.
Because some speakers, headphones and earphones respond well in the near-ultrasonic range (18 kHz to 24 kHz), the researchers found that such hardware can be reversed to act as a microphone at those frequencies.
Moreover, for covert communication, two computers obviously cannot exchange data via audible sounds without being noticed, so inaudible ultrasonic waves offer the best acoustic covert channel for speaker-to-speaker communication.
Video Demonstrations of MOSQUITO Attack
Ben Gurion’s Cybersecurity Research Center, directed by 38-year-old Mordechai Guri, used ultrasonic transmissions to make two air-gapped computers talk to each other despite the high degree of isolation.
The attack scenarios demonstrated in the proof-of-concept videos involve two air-gapped computers in the same room that have been infected with malware (for example via removable media) but otherwise have no way to exchange data to accomplish the attacker’s mission.
The attack scenarios include speaker-to-speaker communication, speaker-to-headphones communication, and headphones-to-headphones communication.
“Our results show that the speaker-to-speaker communication can be used to covertly transmit data between two air-gapped computers positioned a maximum of nine meters away from one another,” the researchers say.
“Moreover, we show that two (microphone-less) headphones can exchange data from a distance of three meters apart.”
Using loudspeakers, the researchers also found that data can be exchanged between air-gapped computers up to eight meters apart at an effective bit rate of 10 to 166 bits per second.
It’s not the first time Ben-Gurion researchers have come up with a covert technique to target air-gapped computers. Their previous research on hacking air-gapped computers includes:
- aIR-Jumper attack steals sensitive data from air-gapped PCs with the help of infrared-equipped CCTV cameras that are used for night vision.
- USBee can be used to steal data from air-gapped computers using radio frequency transmissions from USB connectors.
- DiskFiltration can steal data using sound signals emitted from the hard disk drive (HDD) of air-gapped computers.
- BitWhisper relies on heat exchange between two computers to stealthily siphon passwords and security keys.
- AirHopper turns a computer’s video card into an FM transmitter to capture keystrokes.
- Fansmitter technique uses noise emitted by a computer fan to transmit data.
- GSMem attack relies on cellular frequencies.
Source: The Hacker News
Boffins show that sound output devices can secretly capture audio
Computer speakers and headphones make passable microphones and can be used to receive data via ultrasound and send signals back, making the practice of air gapping sensitive computer systems less secure.
In an academic paper published on Friday through preprint service ArXiv, researchers from Israel’s Ben-Gurion University of the Negev describe a novel data exfiltration technique that allows the transmission and reception of data – in the form of inaudible ultrasonic sound waves – between two computers in the same room without microphones.
The paper, titled “MOSQUITO: Covert Ultrasonic Transmissions between Two Air-Gapped Computers using Speaker-to-Speaker Communication,” was written by Mordechai Guri, Yosef Solwicz, Andrey Daidakulov and Yuval Elovici, who have developed a number of other notable side-channel attack techniques.
These include: ODINI, a way to pass data out of Faraday-caged computers using magnetic fields; MAGNETO, a technique for passing data between air-gapped computers and smartphones via magnetic fields; and FANSMITTER, a way to send acoustic data from air-gapped computers using fans.
Secret data transmissions of this sort expand on prior work done by the National Security Agency on TEMPEST attacks, which utilize electromagnetic, magnetic, acoustic, optical and thermal emanations from electronic devices to collect and transmit data.
MOSQUITO, the researchers explain, demonstrates that speakers can covertly transmit data between unconnected machines at a distance of up to nine meters. What’s more, the technique works between mic-less headphones – the researchers say their work is the first to explore headphone-to-headphone covert communication.
Speakers, the paper explains, can be thought of as microphones working in reverse: Speakers turn electrical signals into acoustic signals while microphones turn acoustic signals into electrical ones. And each includes a diaphragm to assist with the conversion, which can help reverse the process.
Modern audio chipsets, such as those from Realtek, include an option to alter the function of the audio port via software, the paper explains. This capability is referred to as “jack retasking.”
“The fact that loudspeakers, headphones, earphones, and earbuds are physically built like microphones, coupled with the fact that an audio port’s role in the PC can be altered programmatically, changing it from output to input, creates a vulnerability which can be abused by attackers,” the paper explains.
Malware, thus, may be able to reconfigure a speaker or headphone to act as a microphone, provided the device is passive and unpowered.
That’s a significant caveat since most modern PCs have active, powered speakers; headphones and earbuds generally have passive speakers, as do some older PCs.
In an email to The Register, Mordechai Guri, one of the paper’s authors, head of R&D at Ben-Gurion University of the Negev’s Cyber-Security Research Center, and chief scientific officer at Morphisec, said, “The main problem involves headphones, earphones and earbuds since they are reversible and can become a good pair of microphones (even when they don’t have an integrated mic at all).”
Using frequencies ranging from 18kHz to 24kHz, the researchers were able to achieve a data transmission rate of 166 bit/sec with a 1 per cent error rate when transmitting a 1Kb binary file over a distance of three meters. At distances ranging from 4 to 9 meters, that same error rate could only be achieved with a 10 bit/sec transmission rate, largely as a consequence of interference from environmental noise.
The paper discusses several mitigation techniques, all of which have limitations, including designing headphones and speakers with on-board amplifiers (which prevents use as a mic), using an ultrasonic jammer, scanning for ultrasonic transmissions, preventing jack retasking via software, and completely disabling audio hardware via the UEFI/BIOS.
Disconnecting speakers, headphones and the like represents the most practical solution, Guri said, “but this is not always feasible.”
Monitoring the ultrasonic band is a good theoretical and academic solution, he added, but has potential problems. “In practice, it will raise many false alarms,” he said.
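As an added example (not code from the MOSQUITO paper or its authors), here is the signal-level core of such a channel in Python: two near-ultrasonic tones carry 0 and 1 bits at roughly the 166 bit/s quoted above, a Goertzel filter on the receiving side decides each symbol, and a crude band-energy monitor of the kind Guri describes shows why monitoring the ultrasonic band is easy to prototype but hard to keep quiet. The sample rate, the two tone frequencies, the noise model and the bit-clock alignment are assumptions; the paper’s real modulation, framing and error correction are not described on this page.

```python
"""Near-ultrasonic FSK covert channel plus a band-energy detector.

Added example, not code from the MOSQUITO paper or its authors: the paper's
exact modulation, framing and error correction are not described on this
page, so this uses plain two-tone FSK with a known bit clock and no preamble
(assumption: the receiver already knows where the first bit starts).
Standard library only, so it runs without an audio device.
"""
import math
import random

SAMPLE_RATE = 48_000     # Hz; assumption: ordinary 48 kHz codec rate
FREQ_0 = 18_000          # Hz, tone for a 0 bit (assumed; inside the 18-24 kHz band quoted above)
FREQ_1 = 20_000          # Hz, tone for a 1 bit (assumed)
SAMPLES_PER_BIT = 288    # 48000/288 = 166.7 bit/s, the best rate reported above;
                         # 288 samples hold exactly 108 cycles of 18 kHz and 120 of 20 kHz,
                         # so symbols join with no phase jump and no audible click


def bytes_to_bits(data: bytes) -> list:
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def bits_to_bytes(bits: list) -> bytes:
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def pure_tone(freq: float, n_samples: int, amplitude: float = 0.5) -> list:
    """Constructed audible test signal (a single sine) for the detector."""
    return [amplitude * math.sin(2 * math.pi * freq * n / SAMPLE_RATE) for n in range(n_samples)]


def modulate(data: bytes, amplitude: float = 0.5) -> list:
    """Transmitter: each bit becomes SAMPLES_PER_BIT samples of FREQ_0 or FREQ_1."""
    samples = []
    n = 0
    for bit in bytes_to_bits(data):
        freq = FREQ_1 if bit else FREQ_0
        for _ in range(SAMPLES_PER_BIT):
            samples.append(amplitude * math.sin(2 * math.pi * freq * n / SAMPLE_RATE))
            n += 1
    return samples


def goertzel_power(frame: list, freq: float) -> float:
    """Power at one frequency (Goertzel algorithm): all a receiver needs to
    tell two FSK tones apart, with no FFT."""
    coeff = 2 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def demodulate(samples: list) -> bytes:
    """Receiver: decide each symbol by which tone carries more power."""
    bits = []
    for start in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        frame = samples[start:start + SAMPLES_PER_BIT]
        bits.append(1 if goertzel_power(frame, FREQ_1) > goertzel_power(frame, FREQ_0) else 0)
    return bits_to_bytes(bits)


def add_room_noise(samples: list, sigma: float = 0.3, seed: int = 1) -> list:
    """Constructed stand-in for environmental noise: seeded white Gaussian noise."""
    rng = random.Random(seed)
    return [x + rng.gauss(0.0, sigma) for x in samples]


def band_power(frame: list, lo: int, hi: int, step: int = 250) -> float:
    """Summed Goertzel power on a grid of frequencies from lo to hi Hz."""
    return sum(goertzel_power(frame, f) for f in range(lo, hi + 1, step))


def ultrasonic_ratio(samples: list, frame_len: int = 4096) -> float:
    """Sketch of the 'monitor the ultrasonic band' mitigation: fraction of frames
    whose 18-24 kHz power exceeds their 250 Hz-17 kHz power. A fixed threshold
    this crude is exactly what makes real deployments prone to false alarms."""
    frames = [samples[i:i + frame_len] for i in range(0, len(samples) - frame_len + 1, frame_len)]
    if not frames:
        return 0.0
    hits = sum(1 for fr in frames if band_power(fr, 18_000, 24_000) > band_power(fr, 250, 17_000))
    return hits / len(frames)


if __name__ == "__main__":
    tx = add_room_noise(modulate(b"air-gap"))
    print("decoded:", demodulate(tx), "in", round(len(tx) / SAMPLE_RATE, 3), "s")
    print("ultrasonic frames (covert signal):", ultrasonic_ratio(tx))
    print("ultrasonic frames (1 kHz tone):   ", ultrasonic_ratio(add_room_noise(pure_tone(1000, len(tx)))))
```

The monitor flags every frame of the covert transmission and none of the audible tone, but it is only a power ratio: anything else emitting in that band, such as another machine’s audio hardware or the ultrasonic marketing beacons mentioned below, trips it just the same, which is the false-alarm problem Guri points to. A real receiver would also need a preamble to find the bit clock; the example assumes the first sample is the start of the first bit.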
Guri said ultrasonic malware does not appear to be very common. “A few years ago, a security researcher claimed that he found ultrasonic malware in the wild. It was dubbed BadBios. But in any case, it was claimed to be able to communicate between two laptops with both speakers and microphones.”
Inaudible audio is more likely to be used for marketing, and has prompted the development of defensive code called Silverdog. It’s an ultrasonic firewall for the Google Chrome browser that’s designed to block ultrasonic beacons (uBeacons) employed for cross-device tracking.
‘Assume every camera on a network can be hacked,’ cautioned the police cybercrimes unit.
A viral Peeping Tom who hacked into the closed-circuit TV surveillance camera at a women’s bathing suit shop has led to a warning from the Israel Police Cybercrimes Unit that similar systems may be compromised and violate the privacy of unsuspecting persons.
According to police, an unidentified 41-year-old man was arrested on Wednesday after he allegedly used his computer to hack into the CCTV system at a high-end boutique in northern Tel Aviv and recorded customers as they undressed and tried on bathing suits.
While details of the incident remain unclear due to a gag order, police said the suspect subsequently posted the videos to a social media page.
“When the footage became public earlier this week, the national Cybercrimes Unit opened an investigation and arrested the suspect on Wednesday,” said police spokesman Micky Rosenfeld, adding that a Tel Aviv Magistrate’s Court judge ordered the suspect be remanded through Sunday.
Following the hacking, the Cybercrimes Unit recommended a number of preventive measures that should be taken by the public and by store owners to protect their privacy in similar situations.
“Take into account and assume that every camera that is on a network system can be hacked,” the unit warned in a statement. “Therefore, clothing store owners should ensure no cameras are placed in changing rooms or other sensitive locations.”
Additionally, the unit recommended that those who implement CCTV systems use complex passwords for accessing surveillance footage to make it difficult to hack into such video, and not connect the network systems used by the cameras to a public computer.
According to cyber-researchers at Ben-Gurion University of the Negev in Beersheba, security cameras infected with malicious software can use infrared light to receive covert signals and leak sensitive information.
The technique, called “aIR-Jumper,” also enables the creation of bidirectional covert optical communication between air-gapped internal networks that are isolated and disconnected from the Internet without remote access to the organization.
Source: The Jerusalem Post
Prof. Elovici is Head of the Cyber Security Research Center at Ben Gurion University. Think of your typical day: you wake up, do your morning routine, open the fridge, maybe turn on the heat or the boiler for the shower, then get in the car and drive to work. We hear the term Internet of Things thrown around a lot, and it seems that as a society we are developing some sort of phobia of ‘smart’ devices.
On the TEDxBGU stage Prof. Elovici will take us through a typical day just a few years from now and make us realize the power of connectivity, for good or – for bad. This talk was given at a TEDx event using the TED conference format but independently organized by a local community.
Source: TEDx Talks YouTube
If you ever find a lost charger, don’t use it. If you need power and are tempted to plug into a public USB port, don’t do it.
It’s long been known that you should never insert an unknown USB drive into your computer because it could be loaded with malware. New research from Ben-Gurion University, however, has catalogued 29 types of USB attacks, and the risk extends to your smartphone: you should never use a USB charger you find lying around or plug into a public USB port, since both can be compromised by attackers, as we discussed with one of the researchers on the project, Ran Yahalom.
Yahalom is the co-author of a journal article on the research with Dr. Nir Nissim, head of the Malware Lab of the Cyber Security Research Center at Ben-Gurion University, and Yuval Elovici, head of BGU’s Cyber Security Research Center (CSRC).
Yahalom said, “There are many non-trivial USB-based attacks. Some are carried out by the host, the computer connecting the USB peripheral. The most common ones are infected, or malicious. Once connected, they have access and take control of your computer.
“Microcontrollers are another attack category. Microcontrollers can impersonate a USB peripheral. For example, you can program a Teensy microcontroller or an Arduino [board] to act like a keyboard or a mouse. Once you program a keyboard and connect, it actually starts injecting key presses. It’s actually like having someone working on your computer.”
Yahalom added, “A more complicated category to implement doesn’t require any implantation. Someone can use an off-the-shelf product to find a way to reprogram firmware, update firmware, a legitimate process, supported by our protocol. It does bidding.
“A client bought the product benign but once reprogrammed by firmware update, it’s malicious and it’s owned and operated by someone else who has control.
“We surveyed 29 attacks, updated last year. New methods of likely developed and published attacks increase that number. The microcontroller, a reprogrammable microcontroller used to impersonate peripherals as well as an actually the firmware update. Academic circles call this ‘bad USB.’ It’s a family of attacks based on reprogramming the firmware.”
He continued, “The other are electrical attacks. In 2015, showed how to generate or build an electrical component enclosed in a flash drive casing. It looks like a flash drive, but it’s not a flash drive, it conducts a power surge attack once connected, and, fry the entire computer. New developments in this area of attack are also likely.
“If you go into a coffee shop and use charger there, or an airport or a train station, any charger that is not your own, you don’t know what that piece of hardware really does,” Yahalom stresses. “It may not be a charger, but a microcontroller hidden inside a charger casing. It could be something else. You don’t know. Once put into your phone, anything could happen.
I demonstrated how to connect a keyboard to a phone. But it doesn’t look like a keyboard, it looks like a charger, but it’s actually a microcontroller I reprogrammed. I programmed it to act as a keyboard, so it impersonates a keyboard and it looks like a charger. It’s connected to the socket, but without an electrical part of that charger, it’s just a microcontroller. I showed how to connect it to and lock the phone, a sort of ‘ransomware.'”
And Yahalom means “ransom” as in, “‘If you want the pin number, then to pay me,’ which can really happen. There are other types of attacks, where someone reprograms your phone and you wouldn’t even know. You’re carrying spyware, without knowledge of it, just because you injected something you weren’t aware of.
“The general rule of thumb is: treat technology as something you don’t naturally trust. As users, we have a tendency to trust technology, to trust peripherals, i.e., you trust your flash drive, you trust your keyboard, but you trust it because you’re not aware. Treat it as a syringe: You wouldn’t find a syringe in the parking lot, pick it up, and inject it into yourself. Because you’re aware you could be infected. You have no knowledge of what could happen, but are afraid because it could be dangerous. This is exactly the same thing.”
“Now that we’re moving from the cyber world to the physical world, it becomes increasingly clearer and we must get the word out,” he said.
“Bring your own charger.
“Use your own hardware.
“Don’t trust Wi-Fi networks.
“Educate yourself about different levels of security. For example, 3G is commonly believed to be more secure than Wi-Fi, since Wi-Fi’s easier to hack.”
In conclusion, Yahalom said, “These are important rules that will keep you safe. Anything like that, that you can do. Again, you don’t stop using technology because, obviously, that’s not the idea. Until manufacturers secure hardware and regulators enforce laws to keep us safe, we need to be extra aware and follow the simple rules.
Just be careful. Don’t trust anything.”
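The keyboard-impersonation attack Yahalom describes leaves a trace where it matters: the operating system enumerates the “charger” or “flash drive” as a new keyboard. As an added example (not code from the BGU research or any tool it names), the following Python script parses Linux kernel USB enumeration messages and raises findings for a keyboard that is not on an allowlist, for a keyboard whose vendor ID belongs to a reprogrammable hobbyist board such as a Teensy or Arduino, and for a device that presents both mass storage and a keyboard interface. The log lines, the allowlist and the vendor-ID watchlist are constructed assumptions for the example.

```python
"""Flag keystroke-injection-style USB devices from Linux kernel log lines.

Added example, not from the BGU research or any tool it names. It is the
defensive counterpart of the 'microcontroller pretending to be a keyboard'
attack described above: parse the kernel's USB enumeration messages and alert
on any new keyboard that is not on an allowlist, on a keyboard whose vendor ID
belongs to a hobbyist dev board, and on a device that presents both mass
storage and a keyboard interface. The log lines, the allowlist and the
vendor-ID watchlist below are constructed assumptions for the example.
"""
import re
from dataclasses import dataclass, field

# Constructed sample of `dmesg` output for three devices on one hub.
SAMPLE_LOG = """\
usb 1-1.2: New USB device found, idVendor=16c0, idProduct=0487, bcdDevice= 1.06
usb 1-1.2: Product: Teensyduino Keyboard
hid-generic 0003:16C0:0487.0003: input,hidraw0: USB HID v1.11 Keyboard [Teensyduino Keyboard] on usb-0000:00:14.0-1.2/input0
usb 1-1.3: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
usb 1-1.3: Product: Ultra Fit
usb-storage 1-1.3:1.0: USB Mass Storage device detected
hid-generic 0003:0781:5583.0004: input,hidraw1: USB HID v1.11 Keyboard [Ultra Fit] on usb-0000:00:14.0-1.3/input1
usb 1-1.4: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
usb 1-1.4: Product: USB Keyboard
hid-generic 0003:046D:C31C.0005: input,hidraw2: USB HID v1.10 Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-1.4/input0
"""

# Assumption: vendor IDs used by common reprogrammable dev boards (Teensy/VOTI, Arduino).
MICROCONTROLLER_VIDS = {"16c0", "2341"}
# Assumption: the organisation's approved keyboards, as lowercase vid:pid.
KEYBOARD_ALLOWLIST = {"046d:c31c"}

FOUND_RE = re.compile(r"^usb (?P<port>[\d.-]+): New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
PRODUCT_RE = re.compile(r"^usb (?P<port>[\d.-]+): Product: (?P<name>.+)$")
STORAGE_RE = re.compile(r"^usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")
HID_RE = re.compile(r"^hid-generic 0003:(?P<vid>[0-9A-F]{4}):(?P<pid>[0-9A-F]{4})\.\d+: .*USB HID v[\d.]+ (?P<kind>\w+) \[")


@dataclass
class UsbDevice:
    port: str
    vid: str
    pid: str
    product: str = "?"
    hid_kinds: set = field(default_factory=set)   # e.g. {"Keyboard", "Mouse"}
    mass_storage: bool = False

    @property
    def ident(self) -> str:
        return f"{self.vid}:{self.pid}"


def parse_usb_log(lines):
    """Build one UsbDevice per port from the enumeration, product, storage and HID lines."""
    devices, by_id = {}, {}
    for line in lines:
        if m := FOUND_RE.match(line):
            dev = UsbDevice(m["port"], m["vid"], m["pid"])
            devices[dev.port] = dev
            by_id[dev.ident] = dev
        elif (m := PRODUCT_RE.match(line)) and m["port"] in devices:
            devices[m["port"]].product = m["name"]
        elif (m := STORAGE_RE.match(line)) and m["port"] in devices:
            devices[m["port"]].mass_storage = True
        elif m := HID_RE.match(line):
            # hid-generic names the device by VID:PID, so map it back through that.
            dev = by_id.get(f"{m['vid'].lower()}:{m['pid'].lower()}")
            if dev:
                dev.hid_kinds.add(m["kind"])
    return devices


def audit(devices, allowlist=KEYBOARD_ALLOWLIST, mcu_vids=MICROCONTROLLER_VIDS):
    """Return (port, vid:pid, product, reasons) for every suspicious keyboard."""
    findings = []
    for dev in devices.values():
        if "Keyboard" not in dev.hid_kinds:
            continue
        reasons = []
        if dev.ident not in allowlist:
            reasons.append("keyboard not on allowlist")
        if dev.vid in mcu_vids:
            reasons.append("keyboard from microcontroller vendor ID")
        if dev.mass_storage:
            reasons.append("composite storage + keyboard (BadUSB pattern)")
        if reasons:
            findings.append((dev.port, dev.ident, dev.product, reasons))
    return findings


if __name__ == "__main__":
    for port, ident, product, reasons in audit(parse_usb_log(SAMPLE_LOG.splitlines())):
        print(f"{port} {ident} '{product}': " + "; ".join(reasons))
```

On the sample log the Teensy on port 1-1.2 and the “flash drive” on 1-1.3 that also registers a keyboard are both reported, while the allowlisted Logitech keyboard is not. The same rules map directly onto a USBGuard or udev policy; the point of the log-parsing form is that it also works after the fact, on collected `dmesg` or journald output, when an incident responder wants to know whether such a device was ever plugged in.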
A team of Israeli researchers have discovered that the average IoT devices you buy on store shelves can be compromised within 30 minutes and added to a botnet.
As Internet of Things devices multiply exponentially, it looks like security still isn’t improving. A team of Ben-Gurion University researchers recently went out and bought a bunch of off-the-shelf devices to see how easily they could compromise them—and then use that information to attack other devices like them over the internet. In an interview with TechRepublic, BGU senior lecturer Yossi Oren explained what they found.
You can watch the video interview above or read the transcript below.
Oren said, “So together with my team, we tried to find out how difficult it is to buy an IoT camera and get into its secrets—find out passwords, connections, all sorts of information. What we discovered is that you need about 30 minutes after you unbox the camera, until you can find its default password, and also the services it’s running. And then use this information to add this camera and all the cameras of the same make and model into a botnet, which you control. And it’s very, very concerning.”
“We investigated 16 different devices—baby monitors, doorbells, cameras, temperature sensors, [etc.] And out of these 16 devices, we were able to find the password for 14 of them. So, that’s a good percentage. What we did is we took these cameras apart in our lab and we looked for what is called a debug port. This is a connector, which developers and engineers use when they are building this camera to make sure it’s built properly. And because it’s very expensive to print out a new circuit board once you’re finished developing, all of these cameras actually had these debug ports still in the hardware. Once you connect to there, you have backstage access to the camera. Sometimes, there is a password you need to crack, so we had to do that.”
Oren said, “One device is the later generation version of a very popular thermostat. [It] actually didn’t have this diagnostic port because it’s a very well-selling device. They actually had the engineering time to create a new version without this port, and another two devices had a port, but [were] protected by passwords which [we] were unable to crack in one hour. It could be that if we would spend a week on it, we would be able to crack it.
“Right now, devices you are buying today are very, very easy to attack and the problem is that once you attack it once, all of these devices can be attacked remotely. So you only need to do this one time—this process of taking them apart. And one problem, a big problem, with IoT devices when you compare them to computers and phones is that these devices are mostly going to be installed in some corner, in some alley, in some doorway, and not touched for 10 or 20 years. Think of street lights or traffic lights. And this means that you might be still using these devices after their manufacturer has gone out of business and nobody will ever issue firmware updates. You compare this to phones, where you find a vulnerability and a week later, your phone restarts and voila, it’s patched. So, these devices are going to be here to stay and this means that probably consumers or network providers or something are going to be responsible for keeping these devices secure. This is very concerning based on what consumers have been able to demonstrate so far.”
Oren concluded, “You only need physical access once. Once you buy one copy of a make and model of a camera and you attack it in your lab, you get information which will allow you to attack this make and model anywhere remotely. So out of the devices we surveyed, nine of them were able to be accessed over the network. The access was protected by a password, this password we discovered using our methods. So once you get this password, anywhere in the world, you can access [the device].”
Israel is among the countries whose every step in security matters is watched closely. There is no debate that the country is a leader in criminology and in everything weapons-related. But its current move to use artificial intelligence as a tool to fight crime is a serious step that requires deep thinking, especially given the current fears associated with the technology.
Since the release of the report revealing how AI can be misused against human security, experts have argued fiercely over whether the technology should be outlawed or abandoned altogether, but that seems too late now.
AI is Getting into the Fabrics of Governments
About a month ago, the government of Spain made it official that it will employ AI to help stop corruption by predicting where it is most likely to occur. Now Israel is going further, betting that artificial intelligence can effectively help fight crime.
The Israel Police has engaged Ben-Gurion University of the Negev, and the two are building cutting-edge cyber, big-data and AI-powered tools intended to prevent crime by predicting when and where it may happen.
The initiative led to the launch of a new Center for Computational Criminology at BGU’s Advanced Technologies Park, inaugurated by BGU president Prof. Rivka Carmi together with Police Commissioner Roni Alsheikh.
The System Might Snoop On People Online
Citing its recent research, the university stated that cybercrime has been on the rise because criminals exploit the anonymity of cyberspace, while at the same time more and more of their activity is exposed by the information shared online.
The researchers will work with the police’s cyber investigators to develop the new machine-learning and AI tools for law enforcement. This may well trigger public concern, and it is possible that some people will go to court to have it decide whether it is acceptable for the authorities to monitor people’s online trails.
For law-abiding citizens, this might significantly reduce online insecurity, because the truth is that both cybercrime and conventional crime are planned online these days. “But, this can help turn threats into opportunities,” said Alsheikh.
Training AI-Powered Security Systems
This is the trickiest part, judging by the recent war of words between experts. Elon Musk, the billionaire founder of Tesla, is on record saying that he has access to the most advanced AI, and warns that if these systems are wrongly trained they can wreak havoc.
Musk gave the example of an AI that concluded everyone standing near a stove was a woman, which raised concerns about the credibility of the data used to build that system. In other words, if these platforms consume bad data, the whole thing can become more of a threat than a benefit.
To ensure accuracy in investigations, those training these systems must take responsibility for any cases in which citizens who had nothing to do with a crime are victimized. That may be the best way to ensure data credibility, which is the major factor in developing an AI whose conclusions can be trusted.
Testing the System Before Implementation
No matter how many times artificial intelligence beats humans at complex tasks, these models still need to be tested. Here we are talking about controlling crime with machine learning, and nothing should be left to chance.
In every respect the system must itself remain intact. We don’t want a case where hackers break into a police investigative tool and use it to send officers to a location where they can be ambushed.
In other words, it must be ensured that the authorities themselves are in full control of online investigations. Fortunately, companies like Accenture and others have taken on the job of testing AI platforms to ensure they live up to their foundational promise.
If this application of AI succeeds and the Israel Police confirms that artificial intelligence is a reliable tool for handling crime, we will see more governments turn to the technology for help.
“Today, we are on the threshold of the next big breakthrough: analyzing big data to discover hidden patterns to predict and prevent crime.”
Ben-Gurion University of the Negev and the Israel Police aim to develop advanced cyber, big-data and artificial intelligence tools that may eventually be able to predict and prevent crime.
In a joint initiative with the police, the university launched the Center for Computational Criminology this week at BGU’s Advanced Technologies Park in the presence of Police Commissioner Insp.-Gen. Roni Alsheikh and BGU president Prof. Rivka Carmi.
“The last, most significant scientific breakthrough to change law enforcement was DNA testing,” said Prof. Lior Rokach, head of the new center, chairman of the Department of Software and Information Systems Engineering, and a leading expert on artificial intelligence.
“Today, we are on the threshold of the next big breakthrough: analyzing big data to discover hidden patterns to predict and prevent crime,” he said. “The AI revolution of the past few years will prove to be even more significant than DNA testing for law enforcement, providing them with unprecedented investigative tools and new sources of evidence.”
According to the university, cybercrime has risen precipitously in recent years as criminals and even rogue governments have capitalized on the anonymity of cyberspace to cloak their activities while reaping sizable profits.
Additionally, the use of social media-based evidence has also been on the uptick in recent years as more and more information is shared online.
As part of the initiative, BGU researchers will work side by side with the Israel Police’s cyber investigators to develop new artificial-intelligence and machine-learning tools for law enforcement.
Alsheikh said that the police’s Cyber Unit, which was created to lead the national effort to combat cybercrime, would collaborate with the university’s cybersecurity experts to improve police enforcement and prevention capabilities.
“The cooperation will enable the police to bring technology to bear more effectively in enforcing the law and fighting crime – whether [committed by] cybercriminals or traditional criminals – by turning a threat into an opportunity,” Alsheikh said.
Ben-Gurion has in recent years become a recognized international leader in cybersecurity and big data research with a national initiative to promote Beersheba as the “Cyber Capital of Israel.”
The Center joins Cyber@BGU (CBG), a shared research platform for the most innovative and technologically challenging cyber-related projects run in collaboration with multi-national companies and government organizations.
Among others, the CBG includes the Cyber Security Research Center, a joint initiative with the Israel National Cyber Bureau and Telekom Innovation Laboratories, in partnership with Deutsche Telekom.
Carmi said that “putting that expertise to work for the State of Israel is a privilege,” which comes on the heels of the government’s decision to place the national Computer Emergency Response Team at the Advanced Technologies Park.
Source: The Jerusalem Post
Enhancing offensive capacity by creating attack toolboxes | Yuval Elovici
Reinforcing defences against intelligent aggression | Bracha Shapira
Designing adaptive attacks to identify and target defensive vulnerabilities | Lior Rokach
Source: World Economic Forum YouTube
The epicenter of Cybertech Tel Aviv 2018 was Beer Sheva’s pavilion which has turned into a magnet for executives from abroad, researchers from around the world and promising youngsters with a spark in their eyes coming to see the magic.
Cyber @ Ben-Gurion University led a powerful display of advanced research, alongside multinational companies such as EMC and IBM and the young generation of cyber companies nurtured by Jerusalem Venture Partners’ Cyber Labs incubator.
In addition to showcasing their latest research, Cyber@BGU launched a newly redesigned and rebranded website, which features the latest news on partnerships and collaborations, media articles, presentations, information about publications, and proof of concept videos. The site can be found at: https://cyber.bgu.ac.il/.
The field of cybersecurity is obsessed with preventing and detecting breaches, finding every possible strategy to keep hackers from infiltrating your digital inner sanctum. But Mordechai Guri has spent the last four years fixated instead on exfiltration: how spies pull information out once they’ve gotten in. Specifically, he focuses on stealing secrets sensitive enough to be stored on an air-gapped computer, one that’s disconnected from all networks and sometimes even shielded from radio waves. Which makes Guri something like an information escape artist.
More, perhaps, than any single researcher outside of a three-letter agency, Guri has uniquely fixated his career on defeating air gaps by using so-called “covert channels,” stealthy methods of transmitting data in ways that most security models don’t account for. As the director of the Cybersecurity Research Center at Israel’s Ben Gurion University, 38-year-old Guri’s team has invented one devious hack after another that takes advantage of the accidental and little-noticed emissions of a computer’s components—everything from light to sound to heat.
Guri and his fellow Ben-Gurion researchers have shown, for instance, that it’s possible to trick a fully offline computer into leaking data to another nearby device via the noise its internal fan generates, by changing air temperatures in patterns that the receiving computer can detect with thermal sensors, or even by blinking out a stream of information from a computer hard drive LED to the camera on a quadcopter drone hovering outside a nearby window. In new research published today, the Ben-Gurion team has even shown that they can pull data off a computer protected by not only an air gap, but also a Faraday cage designed to block all radio signals.
An Exfiltration Game
“Everyone was talking about breaking the air gap to get in, but no one was talking about getting the information out,” Guri says of his initial covert channel work, which he started at Ben-Gurion in 2014 as a PhD student. “That opened the gate to all this research, to break the paradigm that there’s a hermetic seal around air-gapped networks.”
Guri’s research, in fact, has focused almost exclusively on siphoning data out of those supposedly sealed environments. His work also typically makes the unorthodox assumption that an air-gapped target has already been infected with malware by, say, a USB drive or other temporary connection used to occasionally update software on the air-gapped computer or feed it new data. That isn’t necessarily too far a leap to make; it is, after all, how highly targeted malware like the NSA’s Stuxnet and Flame penetrated air-gapped Iranian computers a decade ago, and how Russia’s “agent.btz” malware infected classified Pentagon networks around the same time.
Guri’s work aims to show that once that infection has happened, hackers don’t necessarily need to wait for another traditional connection to exfiltrate stolen data. Instead, they can use more insidious means to leak information to nearby computers—often to malware on a nearby smartphone, or another infected computer on the other side of the air gap.
Guri’s team has “made a tour de force of demonstrating the myriad ways that malicious code deployed in a computer can manipulate physical environments to exfiltrate secrets,” says Eran Tromer, a research scientist at Columbia. Tromer notes, however, that the team often tests their techniques on consumer hardware that’s more vulnerable than stripped-down machines built for high security purposes. Still, they get impressive results. “Within this game, answering this question of whether you can form an effective air gap to prevent intentional exfiltration, they’ve made a resounding case for the negative.”
A Magnetic Houdini
On Wednesday, Guri’s Ben-Gurion team revealed a new technique they call MAGNETO, which Guri describes as the most dangerous yet of the dozen covert channels they’ve developed over the last four years. By carefully coordinating operations on a computer’s processor cores to create certain frequencies of electrical signals, their malware can electrically generate a pattern of magnetic forces powerful enough to carry a small stream of information to nearby devices.
The team went so far as to build an Android app they call ODINI, named for the escape artist Harry Houdini, to catch those signals using a phone’s magnetometer, the magnetic sensor that enables its compass and remains active even when the phone is in airplane mode. Depending on how close that smartphone “bug” is to the target air-gapped computer, the team could exfiltrate stolen data at between one and 40 bits a second—even at the slowest rate, fast enough to steal a password in a minute, or a 4096-bit encryption key in a little over an hour, as shown in the video below:
Plenty of other electromagnetic covert channel techniques have in the past used the radio signals generated by computers’ electromagnetism to spy on their operations—the NSA’s decades-old implementation of the technique, which the agency called Tempest, has even been declassified. But in theory, the radio signals on which those techniques depend would be blocked by the metal shielding of Faraday cages around computers, or even entire Faraday rooms used in some secure environments.
Guri’s technique, by contrast, communicates not via electromagnetically induced radio waves but with strong magnetic forces that can penetrate even those Faraday barriers, like metal-lined walls or a smartphone kept in a Faraday bag. “The simple solution to other techniques was simply to put the computer in a Faraday cage and all the signals are jailed,” Guri says. “We’ve shown it doesn’t work like that.”
Secret Messages, Drones, and Blinking Lights
For Guri, that Faraday-busting technique caps off an epic series of data heist tricks, some of which he describes as far more “exotic” than his latest. The Ben-Gurion team started, for instance, with a technique called AirHopper, which used a computer’s electromagnetism to transmit FM radio signals to a smartphone, a kind of modern update to the NSA’s Tempest technique. Next, they proved with a tool called BitWhisper that the heat generated by a piece of malware manipulating a computer’s processor can directly—if slowly—communicate data to adjacent, disconnected computers.
In 2016, his team switched to acoustic attacks, showing that they could use the noise generated by a hard drive’s spinning or a computer’s internal fan to send 15 to 20 bits a minute to a nearby smartphone. The fan attack, they show in the video below, works even when music is playing nearby:
More recently, Guri’s team began playing with light-based exfiltration. Last year, they published papers on using the LEDs of computers and routers to blink out Morse-code-like messages, and even used the infrared LEDs on surveillance cameras to transmit messages that would be invisible to humans. In the video below, they show that LED-blinked message being captured by a drone outside a facility’s window. And compared to previous methods, that light-based transmission is relatively high bandwidth, sending a megabyte of data in half an hour. If the exfiltrator is willing to blink the LED at a slightly slower rate, the malware can even send its signals with flashes so fast they’re undetectable to human eyes.
Guri says he remains so fixated on the specific challenge of air gap escapes in part because it involves thinking creatively about how the mechanics of every component of a computer can be turned into a secret beacon of communication. “It goes way beyond typical computer science: electrical engineering, physics, thermodynamics, acoustic science, optics,” he says. “It requires thinking ‘out of the box,’ literally.”
And the solution to the exfiltration techniques he and his team have demonstrated from so many angles? Some of his techniques can be blocked with simple measures, from more shielding to greater amounts of space between sensitive devices to mirrored windows that block peeping drones or other cameras from capturing LED signals. The same sensors in phones that can receive those sneaky data transmissions can also be used to detect them. And any radio-enabled device like a smartphone, Guri warns, should be kept as far as possible from air-gapped devices, even if those phones are carefully stored in a Faraday bag.
But Guri notes that some even more “exotic” and science fictional exfiltration methods may not be so easy to prevent in the future, particularly as the internet of things becomes more intertwined with our daily lives. What if, he speculates, it’s possible to squirrel away data in the memory of a pacemaker or insulin pump, using the radio connections those medical devices use for communications and updates? “You can’t tell someone with a pacemaker not to go to work,” Guri says.
An air gap, in other words, may be the best protection that the cybersecurity world can offer. But thanks to the work of hackers like Guri—some with less academic intentions—that space between our devices may never be entirely impermeable again.
Cybersecurity researchers at Ben-Gurion University say they are developing AI-driven solutions to foil hacks, by making sure medical instructions match a patient’s profile
Cybersecurity researchers at Ben-Gurion University of the Negev say that medical imaging devices, such as CT scans, are vulnerable to cyber-threats, and manufacturers and healthcare providers must therefore be more diligent in protecting them.
During the years it takes to get medical imaging devices (MIDs) from development to market, cyber-threats can change significantly, leaving the devices exposed, the researchers said.
In their paper, “Know Your Enemy: Characteristics of Cyber-Attacks on Medical Imaging Devices,” the researchers show how easy it is to exploit unprotected medical devices, such as computed tomography (CT) and magnetic resonance imaging (MRI) machines, many of which don’t get ongoing security updates.
As MIDs become more connected to hospital networks, they also become more vulnerable to sophisticated cyber-attacks. Attackers can easily penetrate the computers that control CT devices, causing the CT to emit high rates of radiation, which can harm the patient. Hackers can also block access to MIDs or disable them altogether as part of a ransom attack, something that has already happened worldwide, the researchers said.
The research was released ahead of the Cybertech Conference, which runs Monday through Wednesday in Tel Aviv. BGU is the academic partner of the event. The conference, said to be one of the biggest and most important cyber events in the world, draws thousands of guests including delegations from 80 countries.
The BGU cybersecurity experts predicted that attacks on MIDs will increase, as attackers develop more sophisticated skills directed at these devices, the mechanics and software of which are often installed on outdated PCs.
“CTs and MRI systems are not well-designed to thwart attacks,” said lead author Dr Nir Nissim, the head of the Malware Lab at BGU’s Cyber Security Research Center. “The MID development process, from concept to market, takes three to seven years. Cyber-threats can change significantly over that period, which leaves medical imaging devices highly vulnerable.”
Researchers focused on a range of vulnerabilities and potential attacks aimed at MIDs, medical and imaging information systems and medical protocols and standards. While they discovered vulnerabilities in many of the systems, they found that CT devices face the greatest risk of cyber-attacks due to their key role in acute care imaging.
The simulated cyber-attacks conducted by the teams showed four dangerous outcomes: attackers were able to install malware that controls the entire CT operation and puts a patient at risk by manipulating the scan configuration files. They were also able to insert malware to infect the host computer, enabling them to attack the mechanical motors of the MIDs, including the bed, scanner and rotation motors, that get instructions from a control unit.
In addition, hackers could potentially disrupt the imaging results; because a CT sends scanned results connected to a patient’s medical record via a host computer, an attack on that computer could disrupt the results, requiring a second exam. And a more sophisticated attack may also be able to alter results or mix up a transmission and connect images to the wrong patient.
Hackers could also use malware to encrypt a victim’s files and demand a ransom to decrypt them. The WannaCry attack, which affected more than 200,000 devices in more than 150 nations in May 2017, directly infected tens of thousands of UK and US hospital devices, including MRIs.
“In cases where even a small delay can be fatal, or where a dangerous tumor is removed or erroneously added to an image, a cyber-attack can be fatal,” said Tom Mahler, who worked with Nissim on the project. “However, strict regulations make it difficult to conduct basic updates on medical PCs, and merely installing anti-virus protection is insufficient for preventing cyber-attacks.”
BGU cyber researchers said they were working on new solutions to secure CT devices based on machine learning. Their approach assumes a host PC is already infected with malware. So the machine learning algorithm developed by the team first looks at the profile of the patient who is being scanned, and then studies the outgoing commands before they reach the CT itself.
“The algorithms are able to ask the question: do these instructions match the requirements of the patient based on his profile; have I ever before seen such instructions given to this kind of patient?” Mahler said in a phone interview. If the instructions do not match those previously seen for such patient profiles, that indicates they have been compromised, he explained.
“We haven’t yet published a paper on this approach,” Mahler said. “It is still a work in progress.”
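The approach described above, checking outgoing CT commands against what has previously been seen for a given kind of patient, is unpublished, so the following is an added illustration of the idea and not the BGU team’s algorithm. It learns, for each constructed patient-profile category, the mean and spread of each scan parameter from a small constructed history of legitimate commands, then flags a new command whose parameters fall outside that band (or whose profile has no history at all, which fails closed). The profile names, parameter names (kvp, mas, rotations) and all values are constructed for the example.

```python
"""Profile-conditioned anomaly check for CT scan commands (added illustration).

Mirrors the question "have I ever seen such instructions given to this kind
of patient?": a per-profile statistical model of past legitimate commands is
used to screen each new command before it reaches the scanner.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class ScanCommand:
    profile: str      # constructed patient category, e.g. "adult_head"
    kvp: float        # tube voltage parameter (constructed values)
    mas: float        # tube current-time product (constructed values)
    rotations: int    # number of gantry rotations (constructed values)


PARAMS = ("kvp", "mas", "rotations")

# Constructed history of legitimate commands; not real clinical protocols.
HISTORY = [
    ScanCommand("adult_head", 120, 300, 20),
    ScanCommand("adult_head", 120, 320, 22),
    ScanCommand("adult_head", 120, 280, 18),
    ScanCommand("adult_head", 120, 310, 21),
    ScanCommand("pediatric_abdomen", 80, 60, 10),
    ScanCommand("pediatric_abdomen", 80, 70, 12),
    ScanCommand("pediatric_abdomen", 100, 65, 11),
    ScanCommand("pediatric_abdomen", 80, 55, 10),
]


class ProfileModel:
    """Per-profile mean/std-dev band for each scan parameter."""

    def __init__(self, k: float = 3.0):
        self.k = k              # band half-width in standard deviations
        self.stats = {}         # profile -> {param: (mean, std)}

    def fit(self, history):
        by_profile = defaultdict(list)
        for cmd in history:
            by_profile[cmd.profile].append(cmd)
        for profile, cmds in by_profile.items():
            self.stats[profile] = {}
            for param in PARAMS:
                values = [getattr(c, param) for c in cmds]
                self.stats[profile][param] = (mean(values), pstdev(values))
        return self

    def check(self, cmd: ScanCommand):
        """Return the list of reasons a command looks anomalous (empty = normal)."""
        if cmd.profile not in self.stats:
            # Unknown patient category: refuse rather than guess.
            return [f"no history for profile {cmd.profile!r}"]
        reasons = []
        for param, (mu, sigma) in self.stats[cmd.profile].items():
            value = getattr(cmd, param)
            # Tolerance is k standard deviations, with a 5% floor so that a
            # parameter that never varied in the history is not flagged by
            # a trivial difference.
            tol = max(self.k * sigma, 0.05 * abs(mu))
            if abs(value - mu) > tol:
                reasons.append(
                    f"{param}={value} outside {mu:.1f}±{tol:.1f} for {cmd.profile}"
                )
        return reasons


def build_model() -> ProfileModel:
    """Fit the model on the constructed history."""
    return ProfileModel().fit(HISTORY)


def screen(model: ProfileModel, cmd: ScanCommand) -> bool:
    """True if the command may be forwarded to the scanner, False if blocked."""
    return not model.check(cmd)


if __name__ == "__main__":
    model = build_model()
    # A command that quietly reuses an adult protocol on a pediatric patient
    # is caught because its dose parameters have never been seen for that profile.
    suspicious = ScanCommand("pediatric_abdomen", 120, 300, 11)
    for reason in model.check(suspicious):
        print("BLOCKED:", reason)
```

The screen runs on the host-side path between the control software and the device, which is where the article says the host is assumed to be compromised already; the model itself should be trained and stored somewhere the host cannot rewrite, otherwise the malware can simply relearn its own commands as normal.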
In future research, Nissim and his team are planning to hold nearly two dozen attacks to further uncover vulnerabilities and propose solutions to address them. They said they are keen to work with imaging manufacturers or hospital systems to evaluate issues on site.
The study was held in collaboration with Clalit Health Services, Israel’s largest health service organization.
Source: Times of Israel