CBG in the News

How to leak sensitive data from an isolated computer (air-gap) to a nearby mobile phone – AirHopper


Security researcher Mordechai Guri, under the guidance of Prof. Yuval Elovici from the cyber security labs at Ben-Gurion University in Israel, presented at the 9th IEEE International Conference on Malicious and Unwanted Software (MALCON 2014) in Puerto Rico a breakthrough method ("AirHopper") for leaking data from an isolated computer to a mobile phone without any network connection. In highly secure facilities the assumption today is that data cannot leak outside an isolated internal network; this is called air-gap security (a full lecture on the topic by Prof. Yuval Elovici is here). The common policy in such organizations is to leave your mobile phone in a locker when you enter the facility and pick it up when you leave. We at the cyber security labs challenged this assumption and found a way to leak data from a computer inside the organization to a nearby mobile phone without using Wi-Fi or Bluetooth. "Such a technique can potentially be used by people and organizations with malicious intentions, and we want to start a discussion on how to mitigate this newly presented risk," said Dudu Mimran, CTO of the cyber security labs.

The following video demonstrates AirHopper:

The main idea behind the research is to use radio frequencies to transmit the secret data from the computer to the mobile phone. Mobile phones usually come equipped with FM radio receivers, and it is already known that software can intentionally create radio emissions from a video display unit by controlling the image it renders. Yes, from the computer screen. Still, this is the first time that a mobile phone is considered in an attack model as the intended receiver of maliciously crafted radio signals emitted from the screen of the isolated computer. AirHopper demonstrates how textual and binary data can be exfiltrated from a physically isolated computer to mobile phones at a distance of 1-7 meters, with an effective bandwidth of 13-60 Bps (bytes per second). That is enough to steal a secret password.
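To make the channel concrete, here is an added simulation, written for this page, of the modulation layer such a covert channel needs. It is not AirHopper's code, and the AirHopper paper's exact signalling scheme may differ from it. It assumes binary frequency-shift keying with two audio tones (1000 Hz and 2000 Hz, assumed values), 10 ms per bit, a one-byte length prefix as framing, and additive Gaussian noise; the radio hop itself (the display emitting a carrier, the phone's FM receiver demodulating it to audio) is not simulated, only the baseband audio a decoder app on the phone would see afterwards. At 10 ms per bit the channel carries 12.5 bytes per second, at the low end of the range quoted above.

```python
"""
Constructed simulation of the modulation layer of a screen-to-FM-receiver covert channel.

Assumptions (not taken from the AirHopper paper or its code): binary FSK with two audio
tones, 10 ms per bit, non-coherent energy detection, a one-byte length prefix as framing,
and additive Gaussian noise.  Only the demodulated audio the phone would process is modelled.
"""
import math
import random

SAMPLE_RATE = 8000                      # samples/s of the simulated demodulated audio
BIT_SECONDS = 0.010                     # 10 ms per bit -> 100 bit/s -> 12.5 bytes/s
TONE0_HZ, TONE1_HZ = 1000, 2000         # assumed tones for bit 0 / bit 1 (whole cycles per bit)
SAMPLES_PER_BIT = int(SAMPLE_RATE * BIT_SECONDS)   # 80 samples per bit


def bytes_to_bits(data: bytes):
    """MSB-first bit stream of a byte string."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def bits_to_bytes(bits):
    """Pack complete groups of 8 bits back into bytes; trailing partial bits are dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for b in bits[i:i + 8]:
            value = (value << 1) | b
        out.append(value)
    return bytes(out)


def modulate(payload: bytes):
    """Sender side: frame = [len][payload]; each bit becomes one tone burst of SAMPLES_PER_BIT samples."""
    if len(payload) > 255:
        raise ValueError("single-byte length prefix: payload must be <= 255 bytes")
    frame = bytes([len(payload)]) + payload
    samples = []
    for bit in bytes_to_bits(frame):
        freq = TONE1_HZ if bit else TONE0_HZ
        for n in range(SAMPLES_PER_BIT):
            samples.append(math.sin(2 * math.pi * freq * n / SAMPLE_RATE))
    return samples


def add_noise(samples, sigma, seed=1):
    """Deterministic Gaussian channel noise (seeded so the example is reproducible)."""
    rng = random.Random(seed)
    return [s + rng.gauss(0.0, sigma) for s in samples]


def tone_energy(chunk, freq):
    """Non-coherent detector: I/Q correlation against the tone, so carrier phase does not matter."""
    i = q = 0.0
    for n, s in enumerate(chunk):
        angle = 2 * math.pi * freq * n / SAMPLE_RATE
        i += s * math.cos(angle)
        q += s * math.sin(angle)
    return i * i + q * q


def demodulate(samples):
    """Receiver side: pick the stronger tone per bit slot, then strip the length prefix."""
    bits = []
    for start in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        chunk = samples[start:start + SAMPLES_PER_BIT]
        bits.append(1 if tone_energy(chunk, TONE1_HZ) > tone_energy(chunk, TONE0_HZ) else 0)
    frame = bits_to_bytes(bits)
    if not frame:
        return b""
    length = frame[0]
    return frame[1:1 + length]


def bytes_per_second(bit_seconds=BIT_SECONDS):
    """Effective payload rate of the channel for a given bit duration."""
    return 1.0 / (8 * bit_seconds)


if __name__ == "__main__":
    secret = b"Pa55w0rd!"                          # constructed secret, not real data
    audio = add_noise(modulate(secret), sigma=0.8)
    print(demodulate(audio))                       # b'Pa55w0rd!'
    print(bytes_per_second())                      # 12.5
```

The detector correlates against both sine and cosine of each tone and sums the squares, because a receiver that has no phase reference (the phone's FM demodulator output) must decide on energy, not on a coherent correlation. The two tone frequencies are chosen so each completes a whole number of cycles per bit slot, which makes them orthogonal over the slot and keeps the wrong tone's energy near zero.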

Slides: AirHopper: Bridging the Air-Gap between Isolated Networks and Mobile Phones using Radio Frequencies (Mordechai Guri)

Follow the story on twitter @cyberlabsbgu #airhopper.

The team of cyber security labs @ Ben-Gurion University of the Negev in Israel.

Mobile Malware Detection through Analysis of Deviations in Application Network Behavior

Recently, exciting research on malware detection based on analysis of mobile networking activity was accepted to the Computers & Security journal. The paper was written as part of a project sponsored by Telekom Innovation Labs that dealt with various Android security solutions.

In simple words (though you'll need to read the full paper to see all the results), we built a technology that detects malware activity based only on analysis of the network traffic generated by an Android handset.

The full paper can be accessed here.

Here’s the abstract:

In this paper we present a new behavior-based anomaly detection system for detecting meaningful deviations in a mobile application's network behavior. The main goal of the proposed system is to protect mobile device users and cellular infrastructure companies from malicious applications by: (1) identification of malicious attacks or masquerading applications installed on a mobile device, and (2) identification of republished popular applications injected with a malicious code (i.e., repackaging). More specifically, we attempt to detect a new type of mobile malware with self-updating capabilities that were recently found on the official Google Android marketplace. Malware of this type cannot be detected using the standard signatures approach or by applying regular static or dynamic analysis methods. The detection is performed based on the application's network traffic patterns only. For each application, a model representing its specific traffic pattern is learned locally (i.e., on the device). Semi-supervised machine-learning methods are used for learning the normal behavioral patterns and for detecting deviations from the application's expected behavior. These methods were implemented and evaluated on Android devices. The evaluation experiments demonstrate that: (1) various applications have specific network traffic patterns and certain application categories can be distinguished by their network patterns; (2) different levels of deviation from normal behavior can be detected accurately; (3) in the case of self-updating malware, original (benign) and infected versions of an application have different and distinguishable network traffic patterns that, in most cases, can be detected within a few minutes after the malware is executed while presenting a very low false alarm rate; and (4) local learning is feasible and has a low performance overhead on mobile devices.
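As an added illustration of the idea in the abstract, written for this page and not the paper's system or its feature set, the block below learns a per-application baseline from traffic windows assumed benign and flags later windows that deviate from it. Assumptions: flows are summarized per 60-second window into four features (bytes out, bytes in, number of flows, number of distinct destination hosts); the model is just the per-feature mean and standard deviation learned from normal windows (semi-supervised in the sense that no malicious examples are needed); a window's score is its largest absolute z-score, and an alert requires two consecutive windows over the threshold so that a single spike does not fire. The flow records, including the hostnames, are constructed for the example and show a benign app that, after a "self-update", starts pulling a large download and then uploading data to a new host.

```python
"""
Constructed per-application network-behavior anomaly detector (simplified, illustrative;
not the system or features of the paper).  All flow records below are made up.
"""
from collections import defaultdict
from statistics import mean, pstdev

WINDOW_SECONDS = 60
FEATURES = ("bytes_out", "bytes_in", "flows", "dests")

# (timestamp_s, app, dst_host, bytes_out, bytes_in): constructed benign traffic of one app
BENIGN_FLOWS = [
    (5,   "weather", "api.weather.example", 900, 18000),
    (40,  "weather", "cdn.weather.example", 300, 12000),
    (70,  "weather", "api.weather.example", 950, 17500),
    (100, "weather", "cdn.weather.example", 320, 11000),
    (130, "weather", "api.weather.example", 880, 19000),
    (190, "weather", "api.weather.example", 910, 18200),
    (220, "weather", "cdn.weather.example", 290, 12500),
    (250, "weather", "api.weather.example", 930, 17800),
    (290, "weather", "cdn.weather.example", 310, 11800),
    (310, "weather", "api.weather.example", 920, 18400),
    (350, "weather", "cdn.weather.example", 300, 12200),
]

# constructed traffic of the same app after a repackaged "self-update" kicks in
OBSERVED_FLOWS = [
    (370, "weather", "api.weather.example",   940, 18100),   # window 6: still normal
    (400, "weather", "cdn.weather.example",   310, 12300),
    (430, "weather", "api.weather.example",   900, 18300),   # window 7: large pull from new host
    (445, "weather", "upd.example.net",       600, 150000),
    (490, "weather", "api.weather.example",   920, 18600),   # window 8: bulk upload starts
    (500, "weather", "collect.example.net", 48000, 500),
    (505, "weather", "collect.example.net", 51000, 500),
    (550, "weather", "api.weather.example",   890, 18000),   # window 9: upload continues
    (560, "weather", "collect.example.net", 47000, 500),
]


def windows_from_flows(flows, window_seconds=WINDOW_SECONDS):
    """Aggregate flow records into per-app lists of per-window feature dicts (sorted by window)."""
    acc = defaultdict(lambda: {"bytes_out": 0, "bytes_in": 0, "flows": 0, "dests": set()})
    for ts, app, dst, b_out, b_in in flows:
        w = acc[(app, ts // window_seconds)]
        w["bytes_out"] += b_out
        w["bytes_in"] += b_in
        w["flows"] += 1
        w["dests"].add(dst)
    result = defaultdict(list)
    for app, widx in sorted(acc):
        w = acc[(app, widx)]
        result[app].append({"window": widx, "bytes_out": w["bytes_out"], "bytes_in": w["bytes_in"],
                            "flows": w["flows"], "dests": len(w["dests"])})
    return result


class AppProfile:
    """Per-app baseline: mean and stddev of each feature over windows assumed benign."""

    def __init__(self, windows):
        self.mean = {f: mean(w[f] for w in windows) for f in FEATURES}
        # floor the stddev at 1 so a near-constant feature cannot turn every change into a huge z-score
        self.std = {f: max(pstdev([w[f] for w in windows]), 1.0) for f in FEATURES}

    def score(self, window):
        """Largest absolute z-score across the features."""
        return max(abs(window[f] - self.mean[f]) / self.std[f] for f in FEATURES)


def detect(profile, windows, threshold=3.0, consecutive=2):
    """Return the window index at which `consecutive` windows in a row exceeded the threshold, else None."""
    run = 0
    for w in windows:
        run = run + 1 if profile.score(w) > threshold else 0
        if run >= consecutive:
            return w["window"]
    return None


if __name__ == "__main__":
    profile = AppProfile(windows_from_flows(BENIGN_FLOWS)["weather"])
    print(detect(profile, windows_from_flows(BENIGN_FLOWS)["weather"]))    # None
    print(detect(profile, windows_from_flows(OBSERVED_FLOWS)["weather"]))  # 8
```

Window 7 already scores far above the threshold on bytes in, window 8 on bytes out, so the alert lands at window 8: two windows after the malicious behaviour starts, which is the "within a few minutes" regime the abstract describes. Note that the distinct-destination count barely moves here; volume features carry the signal, which is why a real detector would use a richer feature set than this one.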

The paper authors are:

  • Dr. Asaf Shabtai
  • Dr. Lena Tenenboim-Chekina
  • Dudu Mimran
  • Prof. Lior Rokach
  • Prof. Bracha Shapira
  • Prof. Yuval Elovici