In the computing world, as in life, the worst threat is the one you can’t prepare for – like the security threat demonstrated by researchers from Ben Gurion University at a major tech security show in Puerto Rico. Based on hacking experiments they performed over the past year, security researchers Mordechai Guri and Yuval Elovici presented the AirHopper, an Android phone app that takes advantage of electromagnetic waves emanating from computer or server hardware to steal data – meaning that even taking a computer off a network entirely won’t keep it safe from hackers.
It’s an example of an APT – an “advanced persistent threat,” loosely defined as an ongoing hack attack that is difficult to detect and almost impossible to beat – at least until someone comes up with an idea to stop it. “There are many ways to define APTs, but one thing they all have in common is that they are very dangerous – and they are a major threat to society, because those who use them can really disrupt business and government if they so desire,” said Shay Zandani, head of the Israeli branch of ISACA, the Information Systems Audit and Control Association, an international organization that provides training and certification for computer security professionals. It held its annual convention in Israel this week.
AirHopper certainly fulfills the definition of an APT – just ask the Iranians, who may have been early victims of what Guri and Elovici call an “air-gap hack attack,” in which a cellphone builds a connection over non-standard channels even though the target system is completely isolated from any external network, including Ethernet, Wi-Fi, Bluetooth, and the rest.
Many researchers believe that the 2010 Stuxnet virus – which infected the servers controlling the Iranian nuclear program’s centrifuges, “choking” them until they ground to a halt – was physically transferred to the closed network via a USB flash drive, and then spread to other computers in that closed network. The air-gap attack demonstrated in Puerto Rico by Guri and Elovici is light-years ahead of Stuxnet, because no physical contact at all is required to compromise a system. But Stuxnet, too, might have been an air-gap attack.
It turns out that even if you don’t think your computer is connected to anything, it really is – via the electromagnetic or acoustic emanations of its hardware. The National Security Agency (NSA), for example, has a program called TEMPEST, in which special devices are able to pick up data from computers and servers via leaking emanations, including unintentional radio or electrical signals, sounds, and vibrations from hardware like video monitors, keyboards, network cards, memory chips, and more.
Each stroke on a keyboard, for example, transmits an electrical signal that runs through a computer’s processor and shows up on the monitor — emitting electromagnetic waves. Since each letter is unique, it stands to reason that each key emits a different frequency wave — and if a hacker is able to capture those waves and reconstruct them, he can figure out exactly what usernames and passwords were used to log onto the network.
How could a mobile phone be used to hack into an air-gapped network? In a take-off of an email phishing attack, a hacker could send an unsuspecting employee in a sensitive installation a text message that looks legitimate, but contains a link to malware that surreptitiously gets installed on their cellphone.
Once the malware is on the phone, it scans for electromagnetic waves. Elovici’s team has demonstrated how this is done with computer video cards and monitors. Those can be manipulated to build a “network connection” using FM frequencies to install a virus onto a computer or server. With the virus installed on the system, the phone connects to it via the FM frequency — sucking information out of the server and using the phone’s cellphone network connection to transmit the data back to hackers. All that’s needed is physical proximity to the system — one to six meters (three to 20 feet) is close enough, the team said.
An attack like that, coming literally out of nowhere, is something few companies would be prepared for, said Zandani. “A recent poll by ISACA showed that only 15% of companies felt they were prepared to deal with APTs of any kind, but at least 20% have already been attacked,” he said. “And that is only based on the APTs we’ve already seen – the major hack attacks against banks and governments that are known. Clearly there is a ‘preparation gap’ that needs to be brought under control.”
Helping cyber-security pros prepare for APTs and other security problems is what ISACA is all about, said Zandani. Over 110,000 people in more than 180 countries have gone through ISACA security preparedness training, receiving certificates in Information Systems Auditing (CISA), Governance of Enterprise IT (CGEIT), Risk and Information Systems Control (CRISC), and others. Certification requires going through a course and correctly answering questions on a test, as well as demonstrated knowledge, where candidates are required to deal with security and hacking emergencies. “We also produce documents and plans to guide IT departments in how to secure their systems and prepare for the worst. We also work directly with companies and governments and develop curricula that will help them with specific problems,” Zandani said.
“The notion of a hacker being a pimply-faced teen sitting in a basement and taking on cyber-defenses is long outmoded,” said Zandani. “Hackers today work in big organizations which sell their products and services on the ‘dark web,’ the back roads of the Internet where anything goes. They get paid a lot of money for the data they steal, and the only way to be prepared is to take any and every countermeasure you can, whether it is installing the latest anti-virus software, avoiding ‘phishing’ attacks by not clicking on suspicious links, or deploying detection systems that can thoroughly search through a system and detect hidden APTs.”
Or even, in the case of AirHopper, requiring employees to leave their cellphones at the door – but even that isn’t a foolproof solution, said Guri and Elovici, because phones could be placed up to six meters away from a computer and still be able to communicate with its electromagnetic waves.
Right now, Elovici said, there’s little that can be done to prevent this kind of a hack attack — other than turning off the phone. But since that’s not a practical solution in this day and age, his team is searching for other solutions. “We have examined this model and thought about the defensive measures needed to prevent an FM attack via a mobile phone,” Elovici said. “This is a major security challenge that must be addressed to ensure the security of data.”