How Attackers Can Use Radio Signals and Mobile Phones to Steal Protected Data

Radio Signals Waves

Computers housing the world’s most sensitive data are usually “air-gapped” or isolated from the internet. They’re also not connected to other systems that are internet-connected, and their Bluetooth feature is disabled, too. Sometimes, workers are not even allowed to bring mobile phones within range of the computers. All of this is done to keep important data out of the hands of remote hackers.

But these security measures may be futile in the face of a new technique researchers in Israel have developed for stealthily extracting sensitive data from isolated machines—using radio frequency signals and a mobile phone.

The attack recalls a method the NSA has been secretly using for at least six years to siphon data in a similar manner. An NSA catalogue of spy tools leaked online last year describes systems that use radio frequency signals to remotely siphon data from air-gapped machines using transceivers—a combination receiver and transmitter—attached to or embedded in the computer instead of a mobile phone. The spy agency has reportedly used the method in China, Russia and even Iran. But the exact technique for doing this has never been revealed.

The researchers in Israel make no claims that theirs is the method used by the NSA, but Dudu Mimran, chief technology officer at the Israeli lab behind the research, acknowledges that if student researchers have discovered a method for using radio signals to extract data from hard-to-reach systems, professionals with more experience and resources likely have discovered it, too.

“We are doing research way behind people [like that],” he told WIRED. “The people who are doing that are getting a lot of money and are doing that [full time].”

Dubbed “AirHopper” by the researchers at Cyber Security Labs at Ben Gurion University, the proof-of-concept technique allows hackers and spies to surreptitiously siphon passwords and other data from an infected computer using radio signals generated and transmitted by the computer and received by a mobile phone. The research was conducted by Mordechai Guri, Gabi Kedma, Assaf Kachlon, and overseen by their advisor Yuval Elovici.

The attack borrows in part from previous research showing how radio signals(.pdf) can be generated by a computer’s video card (.pdf). The researchers in Israel have developed malware that exploits this vulnerability by generating radio signals that can transmit modulated data that is then received and decoded by the FM radio receiver built into mobile phones. FM receivers come installed in many mobile phones as an emergency backup, in part, for receiving radio transmissions when the internet and cell networks are down. Using this function, however, attackers can turn a ubiquitous and seemingly innocuous device into an ingenious spy tool. Though a company or agency may think it has protected its air-gapped network by detaching it from the outside world, the mobile phones on employee desktops and in their pockets still provide attackers with a vector to reach classified and other sensitive data.

The researchers tested two methods for transmitting digital data over audio signals but Audio Frequency-Shift Keying (A-FSK) turned out to be the most effective.

“[E]ach letter or character was keyed with different audio frequency,” they note ina paper released last week (.pdf) that describes their technique. “Using less than 40 distinct audio frequencies, we were able to encode simple textual data—both alphabetical and numerical. This method is very effective for transmitting short textual massages such as identifiers, key-stroking, keep-alive messages and notifications.”

The data can be picked up by a mobile phone up to 23 feet away and then transmitted over Wi-Fi or a cellular network to an attacker’s command-and-control server. The victim’s own mobile phone can be used to receive and transmit the stolen data, or an attacker lurking outside an office or lab can use his own phone to pick up the transmission.

“With appropriate software, compatible radio signals can be produced by a compromised computer, utilizing the electromagnetic radiation associated with the video display adapter,” the researchers write. “This combination, of a transmitter with a widely used mobile receiver, creates a potential covert channel that is not being monitored by ordinary security instrumentation.”

The researchers note that the chain of attack “is rather complicated,” but it’s not beyond the skills and abilities already seen in advanced attacks conducted by hackers in China and elsewhere. Or by the NSA.

Generally the most common method for infecting air-gapped machines is a USB flash drive or other removable media. Once one air-gapped machine is infected, the malware can spread to other machines on an air-gapped network. Data can be extracted the same way, though this is more of a challenge. The malware stores stolen data on the machine until a flash drive is inserted, at which point data is copied to the drive. When the flash drive is then inserted into another computer that’s connected to the internet, the data gets transmitted back to the attackers’ command-and-control center. This method takes time, however, since it requires the attacker to wait until someone inserts a flash drive into the air-gapped machine and carries it to an internet-connected machine.

AirHopper, however, doesn’t require repeated action like this once the malware is installed. An attacker only needs to get their malicious transmitter code onto the targeted machine and then either install the malicious receiver component on the victim’s mobile phone or use the attacker’s own mobile phone in the vicinity of the computer to receive the data and transmit it to the attacker’s command-and-control server. The malware can be programmed to store siphoned data on the infected machine for later transmission at specified hours or intervals. The researchers also devised methods for hiding the data transmission on the targeted machine to avoid detection, including transmitting data only when the monitor is turned off or in sleep mode and altering the FM receiver on the phone so that there is no audible tone when data is transmitted to it.

Although the distance for transmitting data from an infected computer to a mobile phone is limited—due to the limitations of the receiver in phones—attackers could use a stronger portable receiver, set up in a parking lot for example or installed on a drone flying overhead, to pick up data from greater distances.

There are other limitations, however. The proof-of-concept test allows for data to be transmitted at only 60 bytes a second—about a line of text per second—which limits the speed and volume at which attackers could siphon data. But Mimran notes that over time, a lot of sensitive data can still be extracted this way.

Table showing transmission time for various kinds of data. Courtesy of Cyber Security Labs.

“We can take out whatever we want,” he told WIRED. “That only depends on the malicious software that resides on the computer. If it is a keylogger, then you can take out whatever the user types.”

A 100-byte password file takes 8-10 seconds to transmit using their method, and a day’s worth of keystrokes takes up to 14 minutes to transmit this way. But a document just .5 megabytes in size can take up to 15 hours to transmit.

Extracting documents “would be very slow and it will take a long time,” Mimran acknowledges, “but this [demonstration] is just a proof-of-concept. I guess the bad people can make it more sophisticated.”

Indeed, the NSA catalogue of surveillance tools leaked last year, known as the ANT catalogue, describes something called the Cottonmouth-I, a hardware implant that resembles an ordinary USB plug except it has a tiny transceiver, called the HowlerMonkey, embedded in it for extracting data via RF signals. According to theNew York Times, which published additional information about the Cottonmouth-I, the transceiver transmits the stolen data to a briefcase-sized NSA field station or relay station, called the Nightstand, which can be positioned up to eight miles away. Once the data is received by the relay station, it’s further transmitted to the NSA’s Remote Operations Center. Available since 2009, the Cottonmouth-1 is sold in packs of 50 for about $1 million.

This method of data extraction may have been used in Iran to siphon intelligence about the nuclear program there, the Times reports—perhaps in preparation for the Stuxnet attack, which sabotaged computers controlling centrifuges used to enrich uranium gas in Iran.

A USB plug, however, requires physical access to a targeted computer in the field or it requires the victim to unwittingly insert the USB plug into the computer before the transmission can occur. An alternative method to this, the leaked document notes, is embedding tiny circuit boards in the targeted computer to do the transmission. One way to compromise the machine would be to intercept new equipment enroute to a customer so that it arrives to the victim already equipped to transmit stolen data. According to the document published by the Times, the RF transceiver can also be used to implant malware on a targeted system, not just extract data from it.

Radio frequency hacks are difficult to mitigate, short of physically insulating computers and cables to prevent emissions from being picked up by receivers. This may be practical for military and other classified facilities to do, but not for commercial companies that are trying to protect sensitive data from such attacks. Prohibiting mobile phones from work areas will not help, since outside receivers can be used in place of mobile phones to extract data.

“We’re disclosing there is this danger,” Mimran says, “but the biggest problem that we are really working hard on is finding mitigation for that. From preliminary results, it’s not easy.”

Source: www.wired.com

Check Whole Article...

Why Asia's Glaciers Are Mysteriously Expanding, Not Melting

Glacier-Wired Hub

Glaciers around the world are melting, retreating and even vanishing altogether. But in the mountainous Karakoram region of Asia — home to K2, the second-highest peak on Earth — the glaciers aren't melting. If anything, some are expanding.

Now, scientists have found an explanation for this mysterious glacial stability. While precipitation is increasing across the Himalayas, most of this moisture drops in the summer — except in Karakoram, where snow dominat"It's been a source of controversy that these glaciers haven't been changing while other glaciers in the world have," said study researcher Sarah Kapnick, a postdoctoral researcher in atmospheric and ocean sciences at Princeton University. [Ice World: A Gallery of Awe-Inspiring Glaciers]

"This gives a reasoning for why you can have increased snowfall in a region and have increased glaciers or stable glaciers in a warming world," Kapnick told Live Science.

Unusual ice

The Karakoram is a picturesque chain of snowy peaks along the border of India, Pakistan and China. It's part of the larger Himalaya mountain chain, which is losing its glaciers as the climate warms.

Yet observations in the Karakoram region reveal that the glaciers there are stable, and snowfall is increasing instead of decreasing.

"I really wanted to dive deeply into why that is," Kapnick said.

She and her colleagues collected data on recent precipitation and temperatures from the Pakistan Meteorological Department and other sources, including satellite data. They combined this information with climate models to track changes in three regions of the Himalayas between 1861 and 2100: the Karakoram; the central Himalayas; and the southeast Himalayas which included part of the Tibetan Plateau. 

The researchers found that a new model that simulates climate down to an area of 965 square miles (2,500 square kilometers) was able to match the observed temperature and precipitation cycles seen in the Karakoram. A model used by the Intergovernmental Panel on Climate Change (IPCC) to simulate what will happen if the world continues to emit greenhouse gases at current rates was unable to capture these seasonal cycles, Kapnick said.

The reason, she said, is that the IPCC and other climate models are lower-resolution, capturing climate change over areas no finer than about 17,027 square miles (44,100 square km). The coarser resolution "smoothes out" variations in elevation, which works fine for the central Himalayas and southeast Himalayas. However, the Karakoram region has more elevation variability than the other two regions. Ultimately, the result is that the IPCC and other models overestimate the amount of warmth in this region, Kapnick said.

Winter weather

Because previous models overestimated the temperature of the Karakoram, they also underestimated the amount of snow in the region. This is the crux of the mysterious Karakoram anomaly, the researchers report today (Oct. 12) in the journal Nature Geoscience.

As the globe warms, precipitation increases across the Himalayas. Because of the Karakoram region's geography, it gets most of this extra moisture in the winter, when westerly winds bring snow to the mountains.

In contrast, the central and southeast Himalayan regions get most of their moisture from monsoons in the summer. Because summer is warmer, most of this precipitation falls as rain.

"The total amount of water that is falling from the sky is increasing during the summer months," Kapnick said. "But since the temperatures are rising above freezing, they're not translating to increased snowfall; they're actually translating to decreased snowfall in those two regions."

In Karakoram, snowfall is decreasing in the summer but increasing in the winter, she said. Though the researchers didn't test the idea, this snow presumably feeds Karakoram's glaciers, keeping them from retreating.

Kapnick and her team found that the snow in Karakoram is likely to persist through at least 2100. If the climate continues to warm after that point, temperatures could eventually get high enough to wipe out the region's wintertime snow advantage, Kapnick said. For now, however, it's not clear when that might happen.

Understanding the snowfall in the Karakoram and the rest of the Himalayas is important for teasing out regional variations in climate change, but the findings have a more immediate use as well. Snow acts as a water reservoir for the people in the Himalayan region, so seasonal precipitation predictions are important for understanding water availability. If snow and ice melt too quickly, Kapnick said, it can cause devastating floods.

"Understanding how that changes into the future is important from a climate perspective, but it's also important from a societal perspective," 

Check Whole Article...

5 Discoveries Made By the Large Hadron Collider (So Far)

Sometimes the machine charged with facilitating head-spinning discoveries needs a little downtime. Here, a maintenance worker inspects the LHC tunnel on Nov. 19, 2013-Wired Hub

At times, it's the little things that drive you crazy. By the early 20th century, physicists seemed to have the universe pretty well sewn up, between Newtonian gravity and Maxwell's electromagnetic equations. There was just one nagging problem: how to explain radioactivity. Addressing it sparked a scientific revolution that revealed the amazing truth about little things: Sometimes they contain universes.

Particle physics and quantum mechanics, the sciences of the truly tiny, brought physics two more fundamental forces and a menagerie of strange elementary particles, but after the 1970s little remained but to test and refine the dominant theory, the standard model. Another 30 years' worth of subatomic specks churned out by accelerators and colliders filled key blanks, yet many questions remained: Why did some particles have mass while others didn't? Could we unify the four fundamental forces or make general relativity and quantum mechanics get along?

Would one of these dangling threads spark another revolution? Finding out would take a bigger, more powerful particle collider than ever before, a 16.8-mile (27-kilometer) ring of superconducting magnets colder than outer space, capable of slamming particles together at near light speed in an ultrahigh vacuum. On Sept. 10, 2008, this $10 billion Large Hadron Collider (LHC), the collaborative effort of hundreds of scientists and engineers globally, joined the European Organization for Nuclear Research (CERN) campus of accelerators and soon broke particle collision records.

Let's look back at what we've learned so far, starting with the most famous discovery of all.

Check Whole Article...

Message Queue Telemetry Transport - Communication

Have you heard about MQTT?

MQTT, which stands for Message Queue Telemetry Transport, is a publish or subscribe, lightweight messaging protocol designed for low-bandwidth communications with high latency. It is intended to be primarily used by machine to machine (M2M) or the Internet of Things (IoT) and telemetry data communications.

MQTT

The protocol was invented by Dr. Andy Stanford-Clark, an IBM Distinguished Engineer and Master Inventor, and Arlen Nipper of Arcom (now Eurotech) in 1999. You can see them talking about the protocol here.

Although the protocol is considered simple and lightweight, it can ensure reliability and some degree of assurance of delivery. You can find the MQ Telemetry Transport V3.1 Protocol Specification at the IBM developerWorks site.

For more information, there is an interesting IBM Redbooks publication Building Smarter Planet Solutions with MQTT and IBM WebSphere MQ Telemetry.

The MQTT FAQ is also a good resource for beginners.

Mobile applications and MQTT

With all these features, MQTT is becoming the de facto standard and the ideal protocol for all M2M and IoT applications, where we have many devices and sensors sending high volumes of messages continuously. However, MQTT is also being used by a growing number of mobile applications nowadays, mainly because MQTT seems to be a very smart choice for a protocol, as it demands fewer resources compared to many other protocols currently available for mobile application development.

One big example of a well-known application that uses MQTT is the Facebook Messenger client, and you can find out about its usage of the MQTT protocol here.

Also, there are many Android applications and Arduino applications starting to use MQTT as the main protocol.

MQTT and Eclipse tools

The website eclipse.org also supports MQTT, and it hosts and supports the Paho project.

The Eclipse Paho open source messaging project was proposed in late 2011 and is currently an incubator Eclipse project.

The initial contributions came from IBM as well as Eurotech in the form of Java and C clients. A Lua MQTT client was also contributed shortly after the project went live, and an MQTT JavaScript client is coming soon.

Other messaging protocols

While there are other messaging protocols, and while MQTT has been around for years now, it seems it is gaining traction as the de facto standard for M2M and IoT, as a recently created OASIS MQTT Technical Committee is now working on a common, standardized version of MQTT supported not only by IBM and Eurotech but also by Red Hat, Cisco and other companies.

So as it seems that MQTT is really becoming the definitive protocol for a Smarter Planet, would you use MQTT on your next mobile application? Do you see any advantages of using MQTT in more common mobile applications beyond M2M and IoT ones?

Let me know your opinion. Please provide feedback in the comments section or connect with me on Twitter.

Check Whole Article...