
WHY THIS MATTERS IN BRIEF

Faraday cages are supposed to be the ultimate in stopping air-gapped computer systems from being attacked and their data exfiltrated, but hackers in Israel have just proved that’s no longer the case.

 

Two common methods of physical cybersecurity, air gapping and Faraday cages, have been found breachable in two papers released by researchers from Ben Gurion University in Israel, and that’s after other hacks that used electric powerlines, fan noise, heat, infrared cameras, and even LED light and drones, to exfiltrate data from advanced air-gapped networks and systems… Faraday cages are grounded cages made of electrically conductive material that can completely block electromagnetic fields and signals. Air-gapped computers are those completely isolated from outside networks and signals. Air-gap setups commonly include Faraday cages.

 


 

Anyone who has interacted with a Faraday cage can attest to its effectiveness: put a smartphone in a Faraday cage and you can watch the signal drop instantly. What researchers found, however, is that commonly overlooked low-level magnetic fields can still penetrate air gaps and Faraday cages, allowing attackers to intercept and steal data.

Take a basic compass into a Faraday cage, research lead Dr. Mordechai Guri said, and it will still work.

“While Faraday rooms may successfully block electromagnetic signals that emanate from computers, low frequency magnetic radiation disseminates through the air, penetrating metal shields within the rooms,” he said.

It’s that low-level field that allows attackers to covertly access any device with a CPU hidden inside a Faraday cage or air-gapped room. That’s worth reiterating: anything with a CPU can be manipulated using what Guri and his team call the Odini method.

 


 

A device infected with Odini malware can control the low-level magnetic field emitted by a CPU by regulating the load on its cores. Data can then piggyback on the CPU’s magnetic field, transmit outside the Faraday cage or air gap, and be picked up by a receiving device designed to detect magnetic field manipulation.

A second attack, which the team calls Magneto, uses the same method of CPU magnetic field manipulation but allows it to be picked up by a nearby smartphone.

Don’t think sticking the smartphone in a Faraday bag or putting it into airplane mode will stop it from detecting the signal. The signal is magnetic, so it passes right through and is picked up by the device’s magnetic field sensor, a standard feature in most modern smartphones.

It’s impossible to escape magnetic fields. They’re a basic part of nature and a fundamental part of computing, which makes Odini and Magneto seriously threatening. The researchers do propose several methods for blocking the attacks, though their practicality is questioned by the team recommending them.

 


 

First is shielding sensitive computers from magnetic fields, which the researchers point out is impractical in all but the most sensitive military and scientific applications. In order to reliably shield against the low-frequency fields manipulated by Odini and Magneto, multiple layers of ferromagnetic material, which would weigh multiple tons, would need to be built into secure rooms. The paper adds that these ferromagnetic rooms are incredibly expensive.

The second suggestion the team gives is signal jamming using either magnetic field-generating hardware or software. The hardware needed can produce magnetic fields much stronger than CPUs, rendering their emissions unreadable. Software is also available that can run dummy tasks that generate random magnetic signals, but it is processor-intensive and can severely reduce performance.

Third, the team recommends zoning. This would be physical restriction of certain devices, like smartphones, from being anywhere near sensitive machines. It’s no longer enough to just drop the devices into a small Faraday cage; they need to be across the building from vulnerable hardware.

 


 

Guri and his team also recommend monitoring hardware for abnormal processes and magnetic radiation, which can be done with standard antivirus, intrusion detection, and intrusion prevention software.
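As an added illustration of the process-level monitoring described above (this is not code from the researchers' papers or from this article), the sketch below flags a per-core utilisation trace that is almost always idle or saturated and whose level changes all land on a common time grid. It assumes that a sender regulating core load holds each level for a fixed slot; the thresholds, function names and sample traces are constructed for the example.

```python
# Added example: heuristic detector for slot-aligned on/off CPU load.
# Thresholds, names and the sample traces are assumptions / constructed data.
from functools import reduce
from math import gcd

HIGH, LOW = 70.0, 30.0  # assumed "saturated" / "idle" utilisation, percent


def expand(bits, slot, high=96.0, low=4.0):
    """Build a constructed trace: each bit held for `slot` samples."""
    return [high if b == "1" else low for b in bits for _ in range(slot)]


def run_lengths(levels):
    """Collapse a 0/1 sequence into a list of consecutive run lengths."""
    runs = []
    for level in levels:
        if runs and runs[-1][0] == level:
            runs[-1][1] += 1
        else:
            runs.append([level, 1])
    return [length for _, length in runs]


def analyse_core(samples, min_transitions=8, min_slot=2):
    """Flag a fixed-interval utilisation trace that is almost always idle or
    saturated AND whose level changes all fall on a common time grid."""
    n = len(samples)
    high = sum(1 for s in samples if s >= HIGH)
    low = sum(1 for s in samples if s <= LOW)
    bimodal = n > 0 and (high + low) / n >= 0.9 and 0.2 <= high / n <= 0.8
    runs = run_lengths([1 if s >= 50 else 0 for s in samples])
    interior = runs[1:-1]  # first and last runs may be cut off by the window
    slot = reduce(gcd, interior) if interior else 0
    transitions = len(runs) - 1
    return {"bimodal": bimodal, "transitions": transitions, "slot_samples": slot,
            "suspicious": bimodal and transitions >= min_transitions and slot >= min_slot}


# Constructed traces (not measurements): keyed load, bursty batch job, mixed load.
KEYED = expand("1011001110100101", slot=4)
BURSTY = [v for length, v in zip([3, 5, 2, 7, 4, 3, 5, 2, 3, 6], [95, 5] * 5)
          for _ in range(length)]
MIXED = [12, 35, 48, 90, 85, 40, 22, 15, 60, 55, 95, 30, 45, 50, 65, 20, 38, 72, 58, 44]

if __name__ == "__main__":
    for name, trace in (("keyed", KEYED), ("bursty", BURSTY), ("mixed", MIXED)):
        print(name, analyse_core(trace))
```

On real hosts the samples would come from a per-core utilisation counter polled at a fixed interval, and the run-length comparison would need a tolerance for sampling jitter.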

There’s no reason to assume that these attacks exist in the wild, and executing one would require planting malware on the target machines, making it quite difficult, though not impossible, as we saw with Stuxnet. Don’t take chances if you’re responsible for systems secure enough to warrant Faraday cages and air gaps—make plans to enhance your security knowing these kinds of nearly unstoppable attacks are increasingly possible.

About author

Matthew Griffin
