By Josep Albors
In recent years we’ve seen increasing numbers of
attacks designed to affect systems which are isolated from the network and
cannot be attacked using conventional methods. Almost all research into this
has been carried out by experts in Israel – that comes as no great
surprise since this is a country at the forefront of cybersecurity. The latest
– USBee – is no exception.
Techniques for attacking isolated computers
If a system is isolated from the network, not
directly connected, or “air gapped”, the chances of it being affected by an IT
attack are fairly limited. There’s no real threat from remote attacks (at least
not from any executed from more than a few meters away) and in most cases the
attacker has to get physically close enough to capture the information.
“Transmission speeds are
not fast, but can be sufficient to obtain passwords within a few seconds.”
In recent years we’ve seen the development of data
exfiltration techniques using some unconventional methods. A number of
researchers have demonstrated how to obtain data from computers that
are isolated from the network by using the sound output from the hard
drive, processor or fan, for example. USBee, which was developed by
researchers in Israel, joins a new variety of these exfiltration techniques,
known as “air gap attacks”.
Using USB devices as data transmitters
The way USBee works is relatively simple, but it
requires certain conditions in order for it to be effective. The first and most
important condition is that it manages to infect the target computer with malware
specially designed for such an attack. Bearing in mind that the
computer in question will be in an isolated environment, this can be difficult
to achieve. That said, there’s always the possibility of getting someone to
connect an infected USB device – if we’ve learned anything from Mr.
Robot and a certain
university study it’s that if someone finds a USB device, they
tend to plug it in…
If the attacker achieves the goal of infecting the
computer, there’s another important factor which can determine the attack’s
success or failure: the cable connecting the device to the computer. Just as
some devices use a cable as an antenna for receiving information, USBee uses one to transmit it. That doesn’t mean that
using a cable is critical, but it does ensure that the stolen information can
be sent over a wider range.
“LIKE A LOT OF ISOLATED
SYSTEM ATTACKS, ITS EFFECTIVENESS IS LIMITED TO SPECIFIC SITUATIONS.”
Not all USB devices can be used to carry out this
attack: some camera models, for instance, are useless as they do not receive
any data flow from the computer. But these exceptions aside, USBee can work
with any USB device that meets the specifications of USB 2.0.
When the malware successfully executes itself on
the target computer and detects that there’s a USB device which can be used to
transmit the information the attacker wants to steal, it starts sending the
device a sequence of zeros. This causes the device to transmit sound at
detectable frequencies between 240 and 480 Mhz.
These transmissions can be captured by a nearby
receiver which – while it cannot be far away – can be positioned
in an adjacent room so the attacker can avoid arousing suspicion. While the
transmission speed isn’t very fast (approximately 80 bytes per second), it can
be sufficient to obtain confidential information like
passwords within a few seconds.
Furthermore, one of the benefits of the USBee
attack is that there’s no need to modify the hardware used. Neither the USB
device acting as the transmitter, nor the receiver antenna need to be modified,
making this kind of attack very cheap to carry out.
As you might expect, the name “USBee” was inspired
by bees. Why? Because they fly through the air carrying pollen from one place
to another. In this case, though, the package being delivered is information.
A good countermeasure against this and other
attacks based on USB drives are security solutions,
which allow users to block USB drives and only accept those that the system
administrators previously authorized.
Conclusion: USBee is an attack that can be
effective in very specific situations
Like the vast majority of attacks designed with
isolated systems in their sights, USBee’s effectiveness is limited to very
specific environments and situations. It would be difficult for an attack such
as this to be carried out on a mass scale. However, for certain operations
carried out by some governments and security agencies, or indeed any form of
espionage, it could be a valuable technique.
And for that reason, we should see USBee for what
it really is: yet another demonstration of how a system doesn’t need to
be connected to a network to become the target of an attack. Other
techniques that have been around for some time have proved their effectiveness,
but in many cases they are nothing more than experiments to get IT security
devotees excited.