Malware can force air-gapped computers in Faraday cages to leak data

Secrets stored on air-gapped computers inside Faraday cages are about as secure as data can be, but they’re not immune to new techniques developed by cyber security researchers at Israel's Ben Gurion University of the Negev.

The researchers today released new papers describing two malware prototypes, Magneto and Odini, which exploit the magnetic field emitted by a CPU to leak secrets.

Faraday cages can prevent electromagnetic waves from escaping an enclosure; however, magnetic radiation generated by CPUs at a low frequency can still pass through metal mesh or plates. That's why, as they note, a compass will still work in a Faraday cage.

The Odini malware is capable of controlling these magnetic fields by regulating the workload of the CPU cores, which in turn makes it possible to control the CPU’s power consumption and the magnetic field it generates. Overloading the CPU with calculations will, for example, cause it to consume more power and generate a stronger magnetic field.

“Arbitrary data can be modulated and transmitted on top of the magnetic emission and received by a magnetic receiver (‘bug’) placed nearby,” they write.

“We developed a fine-grained approach, in which we control the workload of each of the CPU core independently from the other cores,” they explain later. “Regulating the workload of each core separately enables greater control of the magnetic field generated.”

The malware doesn’t need special privileges to work and can do its work successfully from within an isolated VM on the target machine. 

Odini, the more powerful of the two, relies on magnetic receivers and can extract data at a rate of 40 bits per second from a distance of 100 to 150cm.

Magneto, which uses a different technique, could be launched from an infected smartphone and extracts data at 2 bits per second but needs to be within 12 centimeters of the target.

Defending against these attacks is tricky. Antivirus, intrusion detection systems, and intrusion prevention systems would likely suffer from a high rate of false alarms, the researchers note.

Alternatively, a well-resourced organization could build a room constructed of ferromagnetic plates, but this is expensive and bulky. 

One approach that would work and is cost effective is the magnetic equivalent of signal jamming, which relies on commercially available magnetic field generators that can generate a magnetic field far more powerful than that of a CPU, allowing it to override the CPU’s magnetic signals.

 
