Schneier on Security

Clive Robinson • April 29, 2017 7:42 AM

@ Ben Nassi,

I suggest to understand the entire topic better before criticizing a work.

Hmm… Some of us here have not only discovered air gap jumping methods over thirty years ago, we also worked out ways to not require malware on the gapped machine (look for “EM Fault Injection” attacks). Oh and also gave information to those that went on to write the very very few books to cover the subject. Some of us discussed air gap crossing techniques here –long befor stuxnet used exactly the same idea–, when discussing how to attack voting machines.

I’ve frequently complained just how far behind and how little academic research has been carried out in the subject, despite dropping fairly big hints to people how to inject faults impressed on energy signals. Oddly perhaps it appears that the western IC and SigInt agencies are also behind the times as well from the little information we have. Which is odd because for most of these things you only need a K12 knowledge of physics to understand why they work.

It would be nice if occasionaly the academic community actually looked out the window of their ivory tower and at the very least acknowledge those who have actually broken the trail for them to follow. I know from experience just as Duncan Campbell does the IC and SigInt agencies will just steal the ideas, and give them to others to profit by, but then they are reputed to have no honour along with no sense of justice or morals.

Oh by the way remember your basic rules of physics about the transmission of energy by radiation, convection and transmission. When it comes to the mechanical vibration that is often called sound, many forget it travells way better in so many mediums than air and usually way way further (it’s why in the movies people put their ear to the rail to hear a train comming). Further remember that all inductors due to magnetic fields generate very small amounts of electrical energy when subjected to a mechanical wave. It’s especially bad in radio frequency oscillators where design and other engineers call it “microphonics”. In fact it’s important to note that many –but not all– transducers are bidirectional in their energy convertions. Thus a speaker can be a microphone and a dc motor can and is a generator, a usefull fact when you are designing electronic speed controlers.

Any way that should give you a few more ideas for setting up other covert channels, especially ones that do not require the infiltration of malware either directly or in the supply chain.

But something else for you to consider most systems with both inputs and outputs are “transparent” in that you can send signals through them without the system being aware of it. The obvious one is a lowish bandwidth forward channel from a keyboard to a network as Mat Blaze and his students demonstrated a decade or so ago. But less obvious is the back channel from the output to the input caused by generating error conditions at the output. This sort of thing can work back upstream through quite a few things including a number of data diodes.

Have fun investigating further.

Clive Robinson • April 30, 2017 10:16 AM

@ Fellow Bunny Rabbit,

Apparently I missed the memo defining what an “airgap” is or why it is significant to computer security.

If you are under fifty, then yeh you probably missed the memo.

Back then the only way to get data into a computer was by magnetic tape or over a serial data line, that had outgrown from the old telex machines.

Thus the way to make the computer secure from intrusion was to issolate it electricaly, and if you had the appropriate security clearance the attachment to the memo that talked about TEMPEST.

In the mid 1970’s there was a BBC television program called “Tomorrow’s World” that showed some equipment reproducing the image on a VDU screen from a considerable distance away, which caused quite a bit of a curfuffle in some circles, especially the insurance/banking sector. Then a decade later another memo issued from outside the Govetnment Security cleaque, that gave rise to Van Ekk Phreaking.

Around this time the PC was getting quite widespread, and information whilst still going down serial lines was mainly transported by floppy disk via what became known as “Sneeker net”. It was only entering the 1990’s that local area networks started making their way down the corporate culture.

But the “air-gap” name had stuck and we still call it that (just like “Robin Red Breast” even though it’s orange).

During the 80’s I independently discovered some interesting tricks with low power CPUs and their susceptability to not just EM fields, but modulated EM fields, where you could cause the execution of a CPU to change in predictable ways. Which is great if you can do it to an electronic wallet in a tamper proof/evident case… With hindsight I can see why certain managment types in the company that made the wallets did not want to know. Similarly why those attached to a SigInt agency feigned lack of further interest after seeing it being demonstrated.

Any way as any K12 should be able to think through from their physics lessons is that any energy source can have information impressed on it and by conduction, radiation snd even convection carry the information into or out of a communications, processing or storage system.

Thus I started calling a higher type of issolation such as those various government agencies try to achive as “energy gapping” hence “energy-gap”. The question now becomes will technical correctness overcome historical short hand 😉

@ Albert,

There are different ways to drive LEDs, most are probably driven by ‘driver chips’. It would be trivial for manufacturers to use bicolor LEDS (better IR/color). Once those traces disappear into the chip, GOK what happens to the signals. If they are software controlled, then Al Betzerov.

Read on to my reply to @Wael next 😉

@ Wael,

I doubt that’s doable at a large scale. This definitely has hardware configuration dependencies… …that piece of malware may need a pre-designed piece of HW ready for software malware updates

Think about PC keyboards and those three LEDs, there is sure one heck of a lot of them and like audio chips in PCs things tend to be oh so standard…

To do it however you need to be able to do two things,

1, Control the diode bias point.
2, Read in the small changes caused by the photovoltaic effect.

There are many ways you can do each of these with discrete components but there would be quite a few and it would be fairly obvious at a glance.

How ever as with power supplies you can strip out a lot of components and get greater precision by Pulse Width Modulation. With just the LED, a resistor and a capacitor and switching the driver line from the microcontroler not just as a pulse wave form but turning it into an input to measure the integration slope. Thus in a similar way to DC motor controlers measure speed of rotation by the EMC, the circuit can measure the light level by the change caused by the photovoltaic effect.

The chances are most people would ignore it if told the PWM is just a way to drivr the LED.

Clive Robinson • April 30, 2017 10:27 PM

@ Wael,

If we don’t have a pre-designed piece of HW ready for software malware updates, then the ‘attack’ becomes not interesting.

The fun of using the keyboard microcontroler in this way is that the circuit with the resistor LED and capacitor is what you would end up with if you took the normal resistance LED driver circuit and added a small capacitor for EMC noise reduction. And as it happens I’ve seen LED circuits with an approropirate circuit in electronic toys and other places including IoT devices. So pre-designed does happen by accident.

As for,

The attacks we care about are one’s that can be mounted remotely without physical access to HW.

Yes and no, with interdiction and supply chain poisoning, we need to know and care about all potential channels so we can assess items correctly. But it might not be “interesting” which is more the perspective of a scientist than an engineer.

The engineering point is to ensure that the discrete component arrangement is one where small changes are made such that making a covert channel at this level becomes to difficult.

Which brings us to your point of,

because if the attacker has that level of access to the hardware, then surely they can mount much more efficient attacks.

We have to go back to the SigInt Agency data collection models of bulk collection and targeted attack.

In the case of bulk collection supply chain poisoning is likely to be an attack vector as other vectors become less effective. The point to note is that if they are going to put one piece of modified code in then they will put in others at the same time to protect the investment of having such an asset in place.

With targeted attacks that might use the last stages of the supply chain putting software in a peripheral chip has many advantages. That is the user will not be able to wipe it, nor find it with the advantage in the case of a keyboard that if another device such as a keylogger is used it will point the finger of suspicion towards an “insider or traitor”.

We’ve seen with the TAO “radar bugs” in Video Cables that this periphery attack by either an “evil maid” or “blackbag job” has been and was presumably still used for a while after it became public knowledge. However they would have started looking for other peripheral attack vectors to replace the radar bugs.

Clive Robinson • May 2, 2017 10:19 PM

@ Wael, Sancho_P,

Me? I believe it’s doable, but I wouldn’t worry about it. There are much more efficient ways of accomplishing the task.

If you add the word “currently” after “task” you would be correct.

Humans even of the Spook variety are inherently lazy, thus the “low hanging fruit” metaphor. That is they tend to do the minimum that gets the job done.

Which means as defenders up their game the spooks have to look for new attack vectors.

In general for an attack type to remain viable the more novel it is the less likely people are to see it deliberately or accidently.

We have seen this happen before with BadBIOS. Somebody started chasing down effects they could not account for. They suggested that a channel might be via sound using the PC microphone and speaker. Now we never did find out if that was the cause of the effect he was seeing or not because he was lept on by a whole variety of people that thought he should be making cuckoo clocks or some such. However some of us had not just thought up using sound for PC-PC communications some years before hand, we had also experemented and known it was viable if problematic. We actually said it was possible but gave reasons as to why. Still people went on saying “no” this time not “no not possible” but “no to complex” then a couple of Uni academic types demonstrated a couple of laptops talking down a corridor, and the next thing you know every malware “gun for hire” is adding it to his skill base.

Now I know this trick with LEDs as Photodiodes works, for the same reason I knew the sound channel worked. Because back in the 80s/90s I had experimented as had others in cheap handheld to handheld communications with what were called “Personal Organisers” at the time.

The real problem Personal Organisers had was “communications” it made them limited in capability and was the main reason they never realy gained market traction unlike todays Smart Phones and Pads / Tablets. Which do have good communications via GSM or WiFi, and arguably are successful to the point they are killing the old desktop and newer laptop PC as the user device of choice.

Us old now grizzeld engineers knew back then that communications was the king maker not fancy icons, applications or displays the limited thinking marketing types were pushing. Thus we looked at how we could get to devices to communicate cheaply and easily with minimum effort for users.

The big problem was one I’ve told Nick P in the past, was the limited lifetime of connectors. Back then the best sort of gaurentee you would get was as little as “50 operations” for the connectivity quality to send data. Worse such connectors brought other problems such as potential fire hazard shorting out in peoples pockets, or connector holes getting filled with dirt. Triping hazard from leads, leading to physical damage to not just the lead but the organiser and computer it was connected to.

Thus we looked into both sound and light as communications channels and got them working, as others did. You may remember that the likes of “Cherry Keyboards” brought out IR diode keyboard and mouse sets. Which had a few problems because although they worked fine on a table or desk they did not work so well when people tilted their chairs back and put the keyboard on their lap. Now with Bluetooth and WiFi we don’t have those communications channel problems, instead we have security problems from the RF communications instead.

But the work us now grizzled engineers did with sound and light still lives on, we broke the trail and made it easily navigable. The outcome of BadBIOS was it brought the idea of sound channels back into the general conciousness. What makes you think the Spooks have not started looking at light as a replacment or are now doing so now peoples defences have been upped a notch by BadBIOS?

Because as I say from time to time “If the laws of nature alow…”.