Stealing Data Wirelessly From an Air-Gapped System
Science and technology
In this video I discuss SATAn, a data exfiltration technique that extracts data from air-gapped systems using radio waves emitted by SATA cables during read/write operations that malware triggers in a specific pattern.
Read the full paper for yourself
arxiv.org/pdf/2207.07413.pdf
Comments: 895
Any copper trace on the PCB of a mother board is a potential antenna. The LEDs are suspects too along with the piezoelectric speaker that beeps when the computer turns on. Moral of the story Faraday cage the air gapped computer, don't connect a piezoelectric speaker to the motherboard, and tape over all led indicators.
@l0lLorenzol0l
1 year ago
I really want my next PC case to be a lead lined granite box. making it 350 pounds is a small price to pay for TRUE security. Also the rock is pretty good at thermal conductivity so it should help cool some.
@madthumbs1564
1 year ago
Networks can be run through the power cables.
@andreahighsides7756
1 year ago
@@l0lLorenzol0l it would be more secure if your pc was a completely solid lead cube. A small price to pay for privacy
@DarkIzo
1 year ago
also unsolder all tin traces to reduce potential antennae
@pawepiat6170
1 year ago
You need to literally air gap it, box in a box lmao
Now it's official: Wifi chips and ethernet are bloat. Use your SATA cable
@0x007A
1 year ago
I am going back to my trusty Commodore VIC-20 and a wired datasette unit.
@Rudxain
1 year ago
Linux user be like, lol. Jokes aside, I like minimalism too
@jamesfunnymorrison8305
1 year ago
@Kronin there's a wikipedia article on IP over Avian Carriers
@devonator999
1 year ago
@@Rudxain systemD is bloat
@jamesedwards3923
1 year ago
🤣🤣😂😂
>not doing anything to stop van eck phreaking >not knowing that the gyroscope in your hard drive can be used as a microphone >not using ecc ram to minimize rowhammer and rambleed >not being able to set kernel parameters to deny inserted usb devices >not desoldering the microphone >not realizing that the cpu microcode could communicate with the microphone regardless of libreboot >not putting nail polish on the screws and taking high resolution pictures to ensure signs of tampering >not removing the modem with dma >not going fanless to prevent binary acoustic data transmission >not knowing the ethernet and wifi card have access to the keyboard >using xorg where any window can steal the contents of the clipboard or keystrokes >not knowing that the sound card can change the headphone jack into a microphone jack and use it to record through the headphones >not knowing they bounce an infrared laser off a flat surface anywhere near your laptop to steal your encryption keys by listening to your cpu fan or your keystrokes >not keeping neodymium magnets near your smartphone so magneto attacks are disrupted >not knowing cpu speculative execution attacks can break anything remotely using a web page with javascript >not taping triple layer aluminum foil all around your room as ghetto tempest shielding >not wardriving from the top floors using parkour
@gaminggamingtm
1 year ago
This is very true.
@verack1616
1 year ago
And the people be like: Double clicks "Word.exe"
@TwelveLetter956
1 year ago
@@valcaron man I hate that when it happens
@thomas.thomas
1 year ago
It's so schizo but so plausible at the same time. I mean, pre-Snowden even taping your camera off was seen as schizo, so we never know their next move
@janpomianowski4208
1 year ago
@@thomas.thomas lame normie thinking, it's not plausible but a reality, and a fraction of it.
Fun fact related to the bit at 5:00 about playing audio. Some years ago, when smart TVs were new, some companies would sell different models of the same TV with different features enabled or disabled but with a different price. For example, you could buy the same TV but with the USB ports disabled for $200 or whatever less. Well, people figured out the infrared signal used by remotes to enter the service menu and enable any feature you want. It was distributed as an audio file on the internet. You just had to solder an infrared diode from a remote to a jack cable, connect it to your PC and play the audio. The diode would flash with the sequence as if it was a real remote.
@thomas.thomas
1 year ago
Huh that's interesting
@TheHalfGAME
1 year ago
That's cool! Kudos to whoever thought about this way of sharing IR signals over the net
@jannikheidemann3805
1 year ago
One more reason for only buying devices that still have audio jacks.
@blackneos940
1 year ago
Grounder! SnooPING AS usual I see?!
@down2006
1 year ago
This sounds really cool, do you remember what it was called?
The nuclear codes will be posted on a basket weaving image board after they have been communicated through the janitor as Latin guitar riffs that produce a provable set of statistically prominent dance moves, which will be observed by a drone flying overhead, 1.5 miles away. SATAn.
@nicofromtheweb4891
1 year ago
This good comment
@javajav3004
1 year ago
the most schizo shit I've ever read. I'm glad I learned English
@maximus8905
1 year ago
Here's your reddit gold kind sir
@notaboutit3565
1 year ago
Sounds like a Sseth vid lmao
@yeahgirl11
1 year ago
Lmao the imagery of your post cracks me up so hard for some reason. Thanks for making my day.
Unfortunately a security audit for a sensitive airgapped system can be an attack vector as well.
@christopheroliver148
1 year ago
Quis custodiet ipsos custodes? 🙄
@deang5622
1 year ago
A security audit per se is not an attack vector; penetration testing or red teaming can be. A security audit may uncover potential attack vectors. And if it is, then you're using the wrong people to do your security testing or you haven't got NDAs signed.
I always imagined that this would be the way a general AI manages to escape containment one day. It would scream into the void with RF signals after discovering it could create them fortuitously, to copy itself from machine to machine, byte by byte, until it could assemble itself in a networked computer.
@fananox2057
1 year ago
more than likely this will happen sooner than expected
@snowcloudshinobi
1 year ago
this is what i used to think a computer virus was lol
@cabir.bin.hayyan.800
1 year ago
New terminator movie?
@Luna0wl
1 year ago
What a creepy but not too far-fetched thought
@MrTomhartsig
1 year ago
I feel sick, Jesus please bring on the solar flares
I remember a few years ago I was setting up a cheapo Chinese camera and to get the wifi creds from the phone app to the camera, the app played the password string as sound. The camera then decoded the audio and connected. Completely changed how I look at and understand "data" and the infinite ways it can be represented and transmitted.
@kiloton1920
1 year ago
Yi brand?
@harrytsang1501
1 year ago
And I thought having the camera scan qr code from your phone app was advanced
@battokizu
1 year ago
Techmoan did a video about these new sony dolby atmos speakers, it has a feature to analyze the room via different sounds. Not as in measuring and getting data from any traditional method but from just sound. And it makes the speakers sound better judging by how it works for positioning via the side and top channels. Expensive system when said and done.
@narcosalpha9472
1 year ago
Isn't that what an internet modem does?
@jakegarrett8109
1 year ago
@@narcosalpha9472 Old school phone line type? Yep...
Years ago an exploit was announced similar to this, a trojan would transmit (and receive in case of a botnet) by using changes in fan speed and a speaker to detect the change.
@andretarvok7122
1 year ago
You can also spy on the screen by using an antenna as well. This attack was discovered back in the 1940s during the war. Electromagnetic radio emissions from anything with electricity are not really a hack; it's just something you should expect happens all the time. See Van Eck phreaking/TEMPEST attacks
I would say the more you learn and think like a hacker, the more surprised you'll be at how insecure everything is.
@fancywaifu9821
1 year ago
Very true. Been studying cybersecurity for over a year now and I’ve been making my PC more and more secure overtime as I learn about this stuff
@animepussy8356
1 year ago
@don't be surprised FINALLY YES
@sheeplord4976
1 year ago
TEMPEST style attacks have been known about for decades now. After CRTs went away, it became a hell of a lot harder, but that doesn't mean this isn't a decades old concept now.
@phoneticalballsack
1 year ago
Fuck smart people.
@therealb888
1 year ago
@@sheeplord4976 that's the point no one realises. Hacking started with hardware; from World War times to today, hardware has been at the top. Software hackers often get startled by hardware hacks because they've never studied it.
0:30 "but not to the internet because that would be really stupid". You would be surprised, a decade ago one of the industry's buzzword was "IoT", and for some reason some industries thought it was a great idea to be able to monitor your factory from the internet... Interfacing directly with the PLCs... Of course this was a security nightmare. But a lot of people got government money to "innovate" into "IoT" in the FACTORIES. Absolute madness.
@penguin1714
1 year ago
IoT is very much still one "industry"s favorite buzzwords.
@therealb888
1 year ago
Industrial IoT aka IIoT & Industry 4.0 are very much growing fields. PLCs & PLAs, PIDs, embedded systems, 5G are all in on this. There's one chain of industries that bought 5G spectrum just for its private network.
@barreiros5077
1 year ago
PLC was the perfect (& expensive) fingerprinting but out of ISP ...industrial IoT isn't industrial properly.
@rodrigovda
1 year ago
@@therealb888 please tell me one advantage IIoT has over an industrial LAN.
@hufficag
1 year ago
It's a buzzword in China right now. It's why they're forcing telecoms to adopt 5G and bleed money via higher electric bills
This was actually known and respected when I worked in the military. Mostly fiber between systems and special shielding around monitors. Translated we called it something like "emission security"
@user-il4ux8ml5p
10 months ago
what did u do in the military
@einhalbesbrot
2 months ago
@@user-il4ux8ml5p emission security
this is some "virus turns your computer into a bomb" level bullshit.
@sirrobertwalpole1754
1 year ago
this some knights shit
@erenwayne
1 year ago
@@sirrobertwalpole1754 SEL reference?
@runneypo
1 year ago
@@erenwayne Present day... Present time
@ska187
1 year ago
Literally would be a scene in the kingsmen lol
@sheeplord4976
1 year ago
@@sirrobertwalpole1754 fun fact, she was running a single i9 processor. Sources say that a single i9 can down the entire power grid of a small country and provide enough heat to turn nearby atmosphere into plasma.
With experience working on military grade electronics, most of those devices are going to be immune to this type of emission. All air inputs/outputs get both particulate and emi filters. Device must go through extensive testing for EMI emissions in the GHz range. Screw part 15 compliance, the device must not emit any interference and in turn will not allow any interference ingress.
@AbandonedVoid
1 year ago
How could an individual apply a similar rigor for their home machines?
@HydrarDraconis
1 year ago
@@AbandonedVoid Lock it in a safe, faraday cage the cooling vents?
@PWN_Nation
1 year ago
Regardless of EMI shielding at the unit component level, when end assemblies get deployed (a network, ship, building, etc) there are still leakages to be exploited by the correct receiver and demodulator.
@jakegarrett8109
1 year ago
@@AbandonedVoid You know the mesh microwaves use (the hole size determines what frequency it blocks), you can do really fine mesh all the way around your unit (you really should only need around any open air vents or windows, but if you go all the way around you can't miss it too easy). That way it can still get airflow. External noise generator would also likely help (if you put your case within a bigger computer case, like a super small form factor inside full ATX, you could put a radio frequency generator in that). You likely don't need to do that, just don't let sketchy CIA agents into your house. I don't think the government even does this, certainly not on machines that have PII or protect your data (those of course get leaked so often, they might as well be a facebook post, except more reliable since they don't get shadowbanned). EMI shielding is the least of your problems (of course remove WiFi/Bluetooth, or buy a desktop without it).
@jakegarrett8109
1 year ago
@Kronin Military doesn't sell that, they don't make it either (they buy from contractors; government doesn't "make" anything, other than large debts).
If the attacker is that close, you're screwed already. No reason to panic over this.
@gmlviper
1 year ago
You mean, if the attacker has its receiver INSIDE your computer case.. that is for this to actually work lol.
@augustday9483
1 year ago
@@gmlviper Could be done by a malicious manufacturer or somebody at Best Buy putting bugs in prebuilt cases before selling them to the end user.
@daskampffredchen9242
1 year ago
@@augustday9483 But then the range is still shit
@MrBl4ckY
1 year ago
@@augustday9483 Why would you not check your hardware for suspicious parts when you're building a high security system?
@ska187
1 year ago
@@augustday9483 that's some government conspiracy level plans at that point, but it's not impossible. Good idea to build most things yourself if possible
8:14 Actually the rubber will do nothing to insulate the signal. The transmitted signal is electromagnetic and doesn't really interact with non-conductive materials. More effective would be something like a Faraday cage or simply shielding made from something like aluminum, which has the same effect.
@prettyboyjeremy
1 year ago
Let's go!!! Full circle baby! Protect from outside attack start with Aluminum foil
@bartbartholomew
1 year ago
Or just get a case that doesn't have big plastic windows. But honestly, if your system has malware on it, you have bigger issues than the malware transmitting data over your sata cables.
@deang5622
1 year ago
Copper would be better, though I have seen steel used.
Yeah, somehow I don't think a SATA cable vibrating, causing an LED on a gaming keyboard to flash, with a guy with a telescope watching the office 24/7 taking down 1 MB a year of potentially useless data, is anything to worry about
@kidkangaroo5213
1 year ago
Can you say that again in English
@joshb7415
1 year ago
@@kidkangaroo5213 this video is a troll
@G4J
1 year ago
I'm watching your PC from a window with a telescope right now 😁
@Focus_Fearless
1 year ago
@don't be surprised yummy
@ska187
1 year ago
The schizophrenic's worst nightmare. Don't forget to be in the walls
You're always so fast and precise with your info reporting; I really appreciate that. And your witty comedy is the icing on top 💘
I have already hidden my PC from any malware (12 meters underground)
Speaking as someone who is somewhat familiar with electrical theory, wouldn't the usefulness of this kind of radio exfiltration heavily depend on the strength of the radio signal? It's entirely possible that the signal may not propagate beyond the building the actual computer is in. I invite pentesters to chime in here.
@user-nm4kq5kw4f
1 year ago
This sort of attack assumes a high security target, but also a highly motivated and resourced attacker. Even if the radio waves make it just past the locked door, or even just to the locked door (so you could stick a receiver under the door to pick it up), then this attack provides some benefit. They no longer need to get past the door (which might be very difficult to do without raising suspicion)
@bluegizmo1983
1 year ago
The transmit range and bandwidth/transfer rate of this make it very impractical. Seeing as you need physical access to the system to begin with, there are far better options. For example, you could swap out the USB keyboard (assuming it's a wired keyboard, as it should be) with one that's identical but has a keylogger and wifi exfil chip installed inside it, or you can use a small USB male to female adapter between the PC and cable that has the same kind of keylogger and wifi exfil chip in it, or you can install a WiFi enabled LAN tap on the Ethernet cable connected to the PC. There are lots of options to set up wireless exfil from an air gapped PC once you have physical access.
@thomas.thomas
1 year ago
It could be enough that your neighbor or coworker has some IoT device like Alexa in the signal's range. Now suddenly they can just run a program on all Alexas to scan for a certain signal and they'll find you out of millions of people. Your exact location would be compromised
@elir.torres8642
1 year ago
Currently in security here; we did this at Ferris State University as part of my Infosec degree. Theoretically and in a controlled environment, yes. In the real world, no. Further, your high gain antenna has to do packet injection, and special software I am not going to talk about has to capture this low transfer wavelength. We had a class on this; it is called signals intelligence.
@rumpelstiltskin9729
1 year ago
@@elir.torres8642 why mention software and refuse to talk about it? I just assume you're lying
Already read up on this the other day, but always enjoy watching your videos.
I remember my team lead mentioning that ethernet functionally becomes an antenna once it reaches a certain length (I think it was 100 feet?) and had us keep cables under that length. Didn't realize he was protecting against this sort of attack
@harisalic2568
1 year ago
But good Ethernet is shielded, so it shouldn't emit so much power that it could be used for any attack
this is how the "RCWL-0516" works. Any PCB can be an antenna: transmit/receive/sensor. Accidental setup and mass production can make a difference.
When I was a kid I had a pair of cheap emachine speakers and during the night normally or clear days they would pick up radio signals and play them through the speakers (usually the local rock station). I had to unplug the USB and aux to get it to stop. So I'm not too surprised honestly this is possible.
@uniqueprogressive9908
1 year ago
*plugs in speakers* THIS IS 101.5 R-R-ROCK FM WHERE WE PLAY ONLY THE BEST ROCK FROM THE 80'S NON-STOP
@PlasticCogLiquid
1 year ago
I used to have a 90's Roland guitar amp that would pick up radio stations when I sat it in the right spot.
@RavemastaJ
1 year ago
Same thing happened to me, but with some kind of police/ham radio band. It was really weird to be creeping around RE4 and hear actual radio chatter.
🐸Best Thumbnails in the business🐸
"You can grab a copy of this game on Steam or you can physically steal it by cutting the fiber glass cables outside your house and intercepting the individual packets of light" -SsethTzeentach
@_chirp_6108
1 year ago
hey hey people
@DorperSystems
1 year ago
good luck splicing the fiber
@supernovaw39
1 year ago
and cracking RSA/AES encryption :D
@txts-to-be
1 year ago
@@supernovaw39 we can wait million years
@txts-to-be
1 year ago
i mean millions
In the 1980s there was already the technology to measure the high-voltage pulses of a CRT monitor, making it possible to spy on computer/television screens. As far as I know, research on this began as early as the 1970s, but the technique then became outdated due to the use of TFT screens...
I read about the NSA using this technique for years, it's explained in Snowden's book, permanent record. Highly recommend it!
@JamesWilson01
1 year ago
Me too, it's an awesome book!
@genossinwaabooz4373
1 year ago
I must read.
NSA could "watch" targeted video screens via emissions from VGA cables from quite a distance away, according to leaks in the last 10 years. VGA cables are outdated now, but still, people seem to forget that different versions of this involve using speakers in reverse (lol, it's true!) to bug rooms and God knows what else. This is NOT a new capability by any means.
Having been interested in wireless security for years. Oh boy if you really knew how scary things were with wireless.
@Od_13
1 year ago
WPA2 is no longer secure right?
@Lync512
1 year ago
@@Od_13 yeah WPA2 can be broken. It’s still secure enough but WPA3 is taking over slowly.
@nogrammer
1 year ago
@@Lync512 WPA3 is already highly exploitable; it's better but not by much
@Lync512
1 year ago
@@nogrammer true. To be fair nothing is truly secure. Especially not wireless.
that's actually really sick. didn't know these cables could suffer like this.
@golarac6433
1 year ago
Nothing special about the cable itself. The key is that you can send arbitrary data at very high speed over SATA which means you can encode something as complicated as wifi internet signal over it.
“Air gapped system physically compromisable”
Seytonic talked about this also.
@notreallyNat
1 year ago
Ong
I’m a ham radio operator, if you wanted to mitigate this your best options would be an all metal case, with the body of the case being ground. Shield all cables, and also use RF chokes, like baluns or ferrite beads. For those that don’t know what that is, imagine that little odd piece on the end of the PS2’s controller cable, that’s a ferrite bead. Keeps noise down.
@denpa-kei
1 year ago
Steel or Aluminium?
@tylerdean980
1 year ago
@@denpa-kei are you asking about the case? Either one should work; they're both conductive, and that's all that really matters for using the case as a ground.
@denpa-kei
1 year ago
@@tylerdean980 I'm kinda jealous about your background. I wanted to start with radio, but I was never interested in physics (it's my fault, and I never met a teacher able to teach me). Do I need to be Einstein to start with radio and this type of medium?
@tylerdean980
1 year ago
@@denpa-kei Not at all. You have to pass an exam if you want to be an amateur radio operator, but the exam is really easy, because all the questions are published. You can memorize all the answers in a couple hours and pass the test with little issue. If that's the route that you want to take, look up local ham radio clubs near your location; they provide the testing on-site. But you don't have to do all this just to learn a little about radio. You can play around with CB for free, just testing different antenna types and seeing what you can hear, and how far you can talk. If you want to listen to the airwaves for free there are SDR websites online where you can listen. If you want to do some more casual learning, there are several youtube channels that can give you some good information. Farpoint Farms has some good CB vids, and Ham Radio Crash Course and Ham Radio Concepts have good amateur radio videos. If you have any more questions I would be happy to respond.
@denpa-kei
1 year ago
@@tylerdean980 thanks. I will check the sources in my free time. Have a nice day!
this is such an important subject, yet you're one of the few who will talk about it. That's why I'm subbed :) I'll keep that in mind for when I have servers
@madokalover
1 year ago
maybe I'll even stop being lazy and do my FDE
SATA 3 cables are required to have shielding around the individual differential pairs, as can be seen at 7:05 in the video. This is mainly to help reduce crosstalk, since it isn't a twisted pair. Twisted pairs, however, tend to radiate a lot less compared to non-twisted ones. But have a second twisted pair nearby with the same number of twists per unit length and the crosstalk can get rather large. But the signal levels here and the fact that it is differential help reduce the radiated energy by a noticeable amount as is. And it isn't like multipath is going to make it a pain to capture the data in most actual environments. Especially if one has a fair bit of other equipment working in the same part of the RF spectrum. Computers do not generate white noise, so it is far from trivial to filter them out from each other. But yes, there are many ways to transmit data from most computers. Though, then there is TEMPEST, where one just looks at whatever the target system is emitting. Be it sound, light, RF, or even conducted noise over the power cable. As stated above, computers do not generate white noise, so there is data to glean from these sources. The least effective sources are likely sound and light in most situations. And shielding out the RF isn't too hard, while conducted noise over power lines will intermingle with all other appliances consuming power.
I wonder if you can create enough noise around the air-gapped system to make the data emitted almost irrecoverable, maybe a separate system "emanating" Never Gonna Give You Up from its own sata port
@bleepbloop7298
1 year ago
We will watch your career with great interest
@justabunny999
1 year ago
You need a job? You seem like the hero we need but don't deserve
@thomas.thomas
1 year ago
If your system is compromised they might uniquely identify your noise, depending on how it is produced
@genossinwaabooz4373
1 year ago
@@thomas.thomas Infrasound included? Damn, I wish I knew some clever workaround.
Brooo, Thanks for bringing this up! Keep up the work OG.
Big Wifi has been selling us wifi adapters and access points for years, playing us for fools! A software solution was available the whole time!
this "exploit" is less significant than people are playing it out to be.. speaking as a telecommunications engineer working in RF test and measurement
@genossinwaabooz4373
1 year ago
What else you know is afoot out there tho? In the cities and towns? My area is getting very police state and fast.
This sounds like that time when they used the combined frequencies of all components in an iphone to uniquely identify it.
This reminds me of the use of 4K cameras to record the vibrations of objects (e.g. plant leaves, paper sheets, etc) through windows and so on, in order to figure out what people inside the room are talking about based on the frequencies.
@genossinwaabooz4373
1 year ago
That's a bit extreme. You're joking, yes?
@code-dredd
1 year ago
@@genossinwaabooz4373 Not a joke.
hahahahaha when you said that about wrapping your PC in tin foil, that just got me, because it's so crazy how sus computing in general is becoming the more we learn about it through the lens of cybersecurity lol
@WelcomeToDERPLAND
1 year ago
It's a legit tactic tho lmao; in fact, tinfoil every wall in your house, right now.
This is amazing news, I mean I'm as far from the information acquisition world as you can possibly get, but the people who can use this are in a good position especially in the sometimes painfully long time it takes for information on vulnerabilities like this to propagate.
Note that this flaw only works IF your airgapped system has an onboard wireless antenna that has been disabled via BIOS or your OS. If your system's motherboard does not utilize a wireless receiver at all, then it is impossible for it to receive or send anything wirelessly, since the system physically does not have the hardware to understand wireless protocols.
I think PC cases should be decent at shielding EMF since they are made of metal and are grounded.
@thomas.thomas
1 year ago
Your pc case is grounded?
@Radu93Z
1 year ago
@@thomas.thomas Yes, I think all of them are through the PSU that is grounded and makes contact with the case.
good time to be in the faraday industry, damn
@windowsxseven
1 year ago
yeah....sales are up over 1000%
I thought this was going to be about Van Eck phreaking. This is next level.
Could you maybe do something similar with the PSU? The malware could draw more and less power and that could maybe be picked up remotely?
@ReptilianLepton
1 year ago
I suppose you could indeed use power draw for signaling; it "should" be trivial to use high power/low power for ones and zeros. Perhaps if the airgapped machine is on a networked UPS (even for out-of-band monitoring of the UPS) you could exfiltrate data that way. There was a CVE earlier this year where APC UPSs could be remotely flashed with malicious unsigned firmware via their updater, and while those security researchers demonstrated the problem by making one catch fire, there could be other shenanigans out in the wild to this day... If targeting a single home user you might also be able to do a similar power draw monitoring exfil if you could pwn their smart meter, which shouldn't be terribly difficult. And for gamer bros, I would bet you can do all kinds of awful things to them via a supply chain attack on the stupid proprietary control panels used to control RGB and other stupid features on "gamer" PSUs.
@otrs6874
1 year ago
@@ReptilianLepton Would your first comment re power draw be an example of differential power analysis?
The voltage at a given time isn't always what's used to transmit a 0 or a 1, bits are often encoded using rising and falling edges.
Imagine not having an array of tinfoil tents and Faraday cages around your air-gapped system 🤔
as an EE, this is amazing
5:26 there was a Nintendo DS game that let you share custom levels as audio files. They were extremely picky and error-prone. No wonder so few games have used such a system.
Hacking in real life is so much more ninja-like than the movies make it seem. It's not some neckbeard in a hoodie furiously typing away at a keyboard, it's more like Jonathan Banks infiltrating a warehouse with a stolen keycard, plugging a discreet cable or USB drive into an unattended machine while no one is looking, then casually running a script on his laptop before walking out. Someone should make a crime show about hackers that's actually somewhat accurate.
A point you missed is that the attacker doesn't have to hack the particular system they are attacking; they can hack a system within proximity of the device they are actually targeting that is capable of receiving data, such as, I don't know, your cell phone or another computer nearby capable of receiving data.
@SIPEROTH
1 year ago
How is attacking a nearby smartphone gonna make the system he's interested in send wireless data through the SATA cable? You make no sense.
@genossinwaabooz4373
1 year ago
Can you elaborate? That sounds like how our devices all got enslaved, from what I could tell. But idk which vector(s). I tried airgap but eventually it all succumbed. This is over most people's capacity to keep up with a lot of f^ckery.
Hey Kenny, can you give us links where you get all that info from? I mean news sites and etc?
You could mod a physical disk drive to create radio waves and read data.
SCADA systems are directly connected to the global Internet by many utility companies. They should never be but they are all too often connected for "convenience."
@yeahgirl11
1 year ago
"Convenience" is just another word for lazy most times. Still can't understand why billion dollar companies are so fucking lazy and don't practice BASIC security measures most times.
It's quite remarkable what they come up with.
Another thing is that those old optiplex cases make for fantastic faraday cages.
Length is a huge factor for both the band and the range, and SATA cables are very short.
The whole PC acts as a big antenna; if you want it to be fully secure you have to shield it electromagnetically. There's also a good video on the ElectroBOOM channel where he modifies a lighter to tap into audio; it's quite good
10:40 "to not get hacked, just make sure you don't get hacked". Thanks for the great idea, wouldn't have thought about this myself
Why does the target machine have a green CAT 5 cable plugged in? Is the simple "Hello World!" style input box form actually writing the data to the hard drive in order to send the data via the SATA cable? What RF technology is the hacker machine using to intercept said data? For example, assuming the clock frequency of the system is 3 GHz, are they using a wideband SDR sweeping a large portion of the spectrum and decoding the received binary into ASCII? I'm rather curious.....
a ferrite choke could probably be used to stop it from acting as an antenna as a bandage solution
Lmaoooo. Rick roll the vic doing some James bond gogo gadget sata radar... This channel is under rated... thanks for helping my sense of paranoia
If you cut the shielding on both ends and connected one end of the shielding to a sata data line it would probably be a better antenna?
Good discussion. Cuts to the heart of a mental exercise I've bandied about. If I had a virgin laptop (i.e. new and having never connected to another device or to the internet) and wanted to keep it as secure as possible by using only USB flash drives to connect it to the outside world, what steps could I take to maximize the security of those drives?
@genossinwaabooz4373
Жыл бұрын
I'm digging into such an attempt. If I can manage it. My skills are not up to this level however....
@seanferguson5460
Жыл бұрын
@@genossinwaabooz4373 I watch a lot of YT tech channels but I haven't seen one yet talk about USB safety. Sooner or later somebody will.
So a solid side panel is probably slightly more secure than the tempered glass rubbish because it gives a little more shielding?
Reminds me of those programs (or hell, KZread videos) that show different patterns on the display that cause the driver circuitry to emit RF that you can receive on an AM radio. I'm sure it wouldn't be hard to transmit data over a video display in this way. Hell, I might try it myself sometime. Monitors in general are horrible when it comes to RF interference. Hell, my monitor emits enough RF interference that I have to turn it off to listen to my local clear channel 50 kW AM station, WCCO, that's broadcast just 15 miles away.
@AbandonedVoid
Жыл бұрын
Do you have any resources on those programs?
@nogrammer
Жыл бұрын
What the hell!
@gctechs
Жыл бұрын
You're talking about lcd monitors?
Faraday caging for computer cases is gonna be going up on Amazon soon.
That headline had me whistling like a stovetop boiler
You just got me to search for shielded SATA cables.
@nakedsquirtle
Жыл бұрын
Just Faraday cage ur desktop
@wulfboy_95
Жыл бұрын
@@nakedsquirtle I have too many machines. I might as well shield my whole crib. Also, signals emitted from VGA cables can be picked up by AM radios, then decoded using an ADC and a micro controller to recreate what was shown on the screen.
I already managed to eavesdrop on a monitor, as the same thing happens with video cables. Range with proper equipment is approximately 130 meters.
A PC case provides a lot of shielding, but attenuation at a given frequency depends on the width of the gaps between metal, because EM waves have their wavelength, and if the frequency is higher they are smaller and can fit through smaller gaps. :). The best shield is just a metal box without any gaps made of material with high conductivity, or just thick. Also aluminium foil isn't ideal because they make it very thin; just try to wrap a phone and call it, it will probably still have a signal. They make a thick Al foil though, I just don't know what it's called.
@thomas.thomas
Жыл бұрын
Or just use several aluminium foil layers
@genossinwaabooz4373
Жыл бұрын
I use 2 layers of Reflectix-style insulation (thin closed-cell foam sandwiched between foil outer surfaces), so 4 foil surfaces total, and it makes shaping into a case easy enough, padded...user friendly. Tested to block 100%. Less material didn't.
The special driver to introduce noise into the signal seems like it could be a bigger problem than a solution to mitigate this type of attack.
I wonder if you could use the cable as a receiving antenna to write things on the storage.
That is also a reason why a lot of connections between shielded systems use fiber instead of copper networks
Hey, you mind doing a video on a segment of Dr. Phil's episode "Where's Jonathan, Part Two" where he and his execs attack crypto?
Wouldn't the server being in a metal case act like a Faraday cage and block the signal or do certain frequencies penetrate grounded shields?
Curious as to why you would record a screen with a camera.
Strangely I was already aware of that kind of attack vector, I think I saw that in an interview of a former secret-service/cyber-defense agent or something
Using Morse for base32 transmission would probably enable quite a few bytes per second with a regular LED and a normal camera.
There's so much data flowing around those high data rate buses. There's GOLD in those doubloons.
EMF shielding won't work against other kinds of SIGINT though. For example, you can send messages with thermal fluctuations. Stress and idle the CPU accordingly to change its temperature. On another computer in close proximity, read the data via onboard temperature sensors. With this, you can slowly send information bit by bit. For air gapped systems, you need to start seriously considering physical security.
@genossinwaabooz4373
Жыл бұрын
Interesting possibility...for our situation may be plausible, give reason to some wonky readings observed while monitoring...
@RobbieHatley
Жыл бұрын
If one has enough access to a computer to do that, then there would be no need to do that; one could just steal what one wants directly.
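The thermal covert channel described above, and the LED-plus-camera idea earlier in the thread, both come down to the same mechanism: on-off keying a slow physical carrier and recovering bits from a noisy sensor reading. The Python below is an added example, not code from the video, the SATAn paper or any commenter. The physical carrier (SATA emission, CPU temperature, LED brightness) is replaced by a constructed float signal with seeded Gaussian noise, and the preamble, frame layout, oversampling factor and XOR checksum are choices made here for illustration, not anything the paper specifies.

```python
"""Simulated on-off-keyed (OOK) covert channel, transmitter and receiver.

Added example: the "sensor" samples are generated in software, not read
from real hardware, and every constant below is an assumption for the demo.
"""
import random

PREAMBLE = [1, 0, 1, 0, 1, 1, 0, 0]   # sync pattern the receiver hunts for (chosen here)
SAMPLES_PER_BIT = 8                   # receiver oversampling per bit time (assumed)


def bytes_to_bits(data):
    """MSB-first bit list for a byte string."""
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def bits_to_bytes(bits):
    """Inverse of bytes_to_bits; a trailing partial byte is ignored."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def xor_checksum(data):
    """One-byte XOR over the payload; enough to reject a mis-sliced frame."""
    value = 0
    for byte in data:
        value ^= byte
    return value


def modulate(payload, lead_in=21, noise=0.15, seed=1):
    """Transmitter: idle lead-in, then preamble, length byte, payload and
    checksum as high (1.0) / low (0.0) levels, each held for SAMPLES_PER_BIT
    samples. Gaussian noise stands in for a real sensor. `lead_in` is not a
    multiple of SAMPLES_PER_BIT on purpose, so the receiver must find alignment."""
    if len(payload) > 255:
        raise ValueError("single-byte length field")
    frame = (PREAMBLE
             + bytes_to_bits(bytes([len(payload)]))
             + bytes_to_bits(payload)
             + bytes_to_bits(bytes([xor_checksum(payload)])))
    rng = random.Random(seed)
    levels = [0.0] * lead_in + [float(bit) for bit in frame for _ in range(SAMPLES_PER_BIT)]
    return [level + rng.gauss(0.0, noise) for level in levels]


def _slice(samples, offset, threshold):
    """Average each symbol window starting at `offset`. Returns (bits, eye),
    where `eye` sums how far each window mean sits from the threshold; the
    correctly aligned offset has the widest eye because no window straddles
    a bit transition."""
    bits, eye = [], 0.0
    for start in range(offset, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        mean = sum(samples[start:start + SAMPLES_PER_BIT]) / SAMPLES_PER_BIT
        bits.append(1 if mean > threshold else 0)
        eye += abs(mean - threshold)
    return bits, eye


def demodulate(samples):
    """Receiver: threshold at the midpoint of the observed range, pick the
    symbol alignment with the widest eye, hunt for the preamble, then verify
    length and checksum. Returns the payload bytes, or None if no valid frame."""
    if len(samples) < SAMPLES_PER_BIT:
        return None
    threshold = (min(samples) + max(samples)) / 2
    bits = max((_slice(samples, off, threshold) for off in range(SAMPLES_PER_BIT)),
               key=lambda pair: pair[1])[0]
    n = len(PREAMBLE)
    for i in range(len(bits) - n + 1):
        if bits[i:i + n] != PREAMBLE:
            continue
        body = bits[i + n:]
        if len(body) < 8:
            continue
        length = bits_to_bytes(body[:8])[0]
        needed = 8 + 8 * length + 8
        if len(body) < needed:
            continue
        payload = bits_to_bytes(body[8:8 + 8 * length])
        check = bits_to_bytes(body[8 + 8 * length:needed])[0]
        if check == xor_checksum(payload):
            return payload
    return None


if __name__ == "__main__":
    signal = modulate(b"SATAn")
    print(len(signal), "samples ->", demodulate(signal))
```

The two receiver-side details that matter in practice are both here: clock recovery (the transmitter's bit edges are not aligned to the receiver's sampling, so the decoder tries every offset and keeps the one with the widest eye) and framing (a preamble to find the start, a length field, and a checksum so a mis-sliced or truncated frame is rejected rather than returned as garbage). A real sensor-driven channel would swap the constructed `modulate` output for timestamped readings resampled to a fixed rate; the decoder does not change.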
I've readied the full paper and will use it against my enemies
I always wonder about this problem since we had a voltage flow meter with a multimeter, and as you mention in the video electricity is an EMF, in this case in the SATA cable. And a WiFi jammer seems helpful here but idk much about it.
Could we instead make it easier to transfer data this way and make a new type of wireless network?
I remember seeing pics of a Faraday-caged computer centre in the 1980s.
yes, shielding it will greatly reduce the radio effect
This is wild... I 100M% was thinking about this yesterday. We're approaching convergence, brace for impact captain.
* audio file of guy saying no over and over while laughing and then just cracks up *
Some time ago there was this malware that was able to send data using a fan, via the fan controller, by manipulating the sound the fan makes and sending it to a microphone.
3:15 dummy load? Or is it on ones connected to a drive?
the final pill in cybersecurity is that, ultimately, all of the internet and computers as a whole are like a burrito. they are a Delicious Leaky Mess. the more computers you have, the more you are subject to breaches just by means of weirdness like this
Physical access would allow you to compromise a system.... Who would have thought. 🙄
@eduardog3000
Жыл бұрын
Yeah, this makes it easier to exfiltrate the data, but if you have physical access you've already won anyway.
@thomas.thomas
Жыл бұрын
Manufacturers always have physical access to your system.
It might just be easier to plug in a mini low profile WiFi dongle to said air gap system if you can put hands on it. So you have to touch the PC anyway to load the malware, at which point you already have access... This exploit also assumes the PC uses a SATA cable and not hard SATA connections or M.2. I love how detailed and deep cyber sec can get, it's pretty cool and creative. I'm sure the next attack will be on a computer that is air-gapped, unplugged from power, unplugged from the network, locked in the server room, and somehow, using the power of the BIOS battery on the motherboard and Starbucks WiFi in the bathroom next door, the hacker can steal data using crystal vibrations and way too much caffeine.
This is why physical security is crucial
I once saw a documentary about one of the alphabet soup troop's buildings and that it was a complete Faraday cage surrounding it to prevent any data leakage. Even the movie The Art of War demonstrated a wireless device being pointed at a computer to copy data from it.
Don't you have a Faraday cage if your computer has a steel chassis grounded through the power supply? Provided you don't have a huge glass window on the side. Granted some leakage will occur through vent holes, but even those could be blocked by metal radiators.
@thomas.thomas
Жыл бұрын
Some PC cases have a front made of plastic.