Cybersecurity experts have demonstrated a cutting-edge cyberattack technique that could let malicious hackers steal data from some of the computers with the best security.
Because of the type of information they handle, air-gapped systems are cut off from the internet. The theory behind this is that by being totally cut off from both the rest of the network and the internet, any data that is processed and stored within them stays safe from unauthorized access by outsiders.
Air-gapped systems are typically found in sensitive or high-risk environments, which are likely to be alluring targets for malicious hackers. Examples of these environments include critical infrastructure, satellite, and military networks.
However, new research from the Department of Software and Information Systems Engineering at Ben-Gurion University of the Negev demonstrates that it is possible for attackers to breach air-gapped systems by taking advantage of low-frequency electromagnetic radiation produced by the targeted computer.
According to Mordechai Guri, director of research and development at the Cyber Security Research Center at Ben Gurion University, the attack is highly evasive since it executes from an ordinary user-level process, does not require root privileges, and is effective even within a Virtual Machine.
The COVID-bit covert channel attack first depends on the attacker being able to physically access the targeted system in order to use a USB drive to infect it with malware. The air-gapped machine may be in a secure facility where a covert agent has gained access. Alternatively, a malicious insider may have been duped, blackmailed, or persuaded into installing the malware.
According to numerous reports, USB flash drives were used to plant the Stuxnet malware worm, which was used to severely disrupt Iranian nuclear and uranium enrichment facilities in 2010. Physical access is thus challenging to obtain but not impossible.
The malicious code manipulates the brief loads placed on CPU cores and takes advantage of computers’ dynamic power consumption. By using this technique, the malware is able to influence how the computer is used internally and produce low-frequency electromagnetic radiation in the 0–60 kHz band.
Researchers claim that it is possible to use this technique to steal private bitcoin wallet keys as well as other sensitive data from the compromised machine, including files, encryption keys, biometric data, and keylogging data, which can include usernames and passwords.
An attacker only needs a smartphone or laptop with a small antenna, which can be purchased for $1, and to be within two meters of the compromised device to accomplish this. The electromagnetic radiation being generated can pass through walls, so the attacker wouldn’t necessarily need to be in the same room as the targeted system.
A large amount of data, such as keylogging data for the previous hour, may take up to 10 minutes to transfer over this frequency, according to researchers. Data transmitted over this frequency does not transfer as quickly as data transmitted via standard methods. However, the information will be covertly transmitted as long as the attacker isn’t physically ejected from the perimeter.
Even though this doesn’t address the problem of a compromised insider with the appropriate authorization, the best defense against a COVID-bit attack would be to make sure that only authorized personnel is allowed anywhere near systems.
The study suggests using antivirus software that can recognize unusual CPU patterns in addition to frequency restrictions for specific CPUs as additional defenses against this kind of attack on air-gapped systems.
Malware protection and detection applications, for example, can monitor how running threads use CPU cores to detect suspicious patterns. Threads that persistently change CPU utilization in the case of COVID-bit would be reported for further forensic investigation, Guri stated.
Guri has discovered ways to get around air-gapped systems before, as evidenced by earlier research showcasing other strategies, including Powerhammer, Power-SuppLaY, and Air-Fi, among others. COVID-bit is just one of these methods.
