Hacking your data without touching your network
It's an IT manager's nightmare. A hacker -- perhaps an employee, a service provider or custodial staff -- plants a sensor near a critical server to capture the flow of data without ever having to crack a password or break through a firewall.
And the problem isn't only the data breach. Since the hacker didn't access the network, there's no audit trail -- you may never know what data has been stolen or by whom.
No, it's not a scene from Mission Impossible. Researchers at MWR Security, a cybersecurity company headquartered in England, have shown how they could "sniff" data being transferred internally within a device by analyzing electromagnetic radiation leaking from the device.
It's called "near-field analysis," and the MWR Security researchers say they have successfully grabbed data by analyzing variations in the electromagnetic field leaking from a storage device and then applying an algorithm to decode the traffic.
According to MWR researcher Piotr Osuch, near-field detection tools don't have to necessarily be right next to the device being monitored. "Near-field might not be that 'near,'" Osuch said. "If a subsystem of a device is operating at 1 MHz, for example a keyboard, then near-field can be up to 150 meters away." He added that many electronic components operate at 32 MHz, which means their electromagnetic fields could be detected from a distance of 4 meters.
What's more, Osuch said, the equipment needed to gather the data is getting less expensive, costing from a few thousand to tens of thousands of dollars, depending on the sophistication of the attack. If the data moving through the monitored device is not encrypted -- and data is rarely encrypted while it is transiting inside an organization's network -- it is susceptible to being picked up. While tempest shielding -- usually a simple metal enclosure around a device -- might prevent a data leak, there is little assurance without testing.
How big is the threat? That, said Osuch, depends on the scenario. "Suppose that the attack path is to sniff keyboard strokes in an institution -- that has been done at distances of roughly 20 meters, across walls," said Osuch. "This would be a high threat. A solution would be using electromagnetic-safe keyboards."
Tapping into a 4G wireless transmission, he says, would be more problematic but not impossible, particularly if the attacker were to setup a baseband station and "fuzz the device until a crash occurs," then analyze the crash and determine how to gain system-level code execution.
The key point is that near-field analysis of electromagnetic fields can allow a hacker to gather transmissions that can -- with varying amounts of further work and decoding -- result in data leakage without actually entering the network.
How to protect against this? "There is no general answer," Osuch said, "as this is very application-specific." At the same time, Osuch noted that using near-field analysis as a hacking tool, for now at least, is likely to be used only against high-value targets.
"In most cases the attacks would have to be quite sophisticated," he said. "Probably targeting equipment that is expensive to design from the get go and so would deserve a comprehensive and formal EM evaluation by an RF engineer."
Posted by Patrick Marshall on Sep 27, 2016 at 9:37 AM