USBee exfiltrates data from air-Gapped networks via electromagnetic emission from USB

A group of Israeli researchers has devised a new technique dubbed USBee to hack air-gapped networks and exfiltrate information.

Mordechai Guri, head of  R&D at Ben-Gurion’s Cyber Security Center and the chief scientist officer at Morphisec Endpoint Security, and his team have devised a new technique dubbed USBee to hack air-gapped networks and exfiltrate information.

This time, the Israel researchers exploited covert-channel via electromagnetic emission from USB. The USBee technique leverages USB connectors implanted with RF transmitters to steal sensitive data.

In this scenario, the USBee application is installed on a compromised computer. The attacker exploits a USB thumb drive already connected to the computer and establish a short-range RF transmission modulated with data. On the other end of the communication, the data transmitted are received by a nearby receiver and decoded.

“In recent years researchers have demonstrated how attackers could use USB connectors implanted with RF transmitters to exfiltrate data from secure, and even air-gapped, computers (e.g., COTTONMOUTH in the leaked NSA ANT catalog). Such methods require a hardware modification of the USB plug or device, in which a dedicated RF transmitter is embedded.” reads the introduction to the paper published by the experts. “In this paper we present USBee, a software that can utilize an unmodified USB device connected to a computer as a RF transmitter. We demonstrate how a software can intentionally generate controlled electromagnetic emissions from the data bus of a USB connector. We also show that the emitted RF signals can be controlled and modulated with arbitrary binary data. We implement a prototype of USBee, and discuss its design and implementation details including signal generation and modulation. We evaluate the transmitter by building a receiver and demodulator using GNU Radio. Our evaluation shows that USBee can be used for transmitting binary data to a nearby receiver at a bandwidth of 20 to 80 BPS (bytes per second).”

The researchers discovered that the transmission of a sequence of ‘0’ bits to a USB port generates a detectable emission between 240ℎ and 480ℎ. The researchers exploited this mechanism by sending data from the compromised computer to a USB device in order to generate controllable EMR that can carry modulated data. The researcher used a nearby RF receiver to receive the EMR and decode the information.

Guri and his team were able to exfiltrate 80 bytes per second using this technique, a transmission speed that could an attacker to send out a 4,096-bit crypto key in less than 10 seconds, very interesting when hacking air-gapped networks if compared with other hacking techniques.

The experts explained that it is possible to create a basic carrier wave using this algorithm:

inline static void fill_buffer_freq
(u32 *buf, int size, double freq)
{
  int i = 0;
  u32 x = 0;
  double t = freq / 4800 * 2;
  for (i = 0, x = 0x00000000; i<size*8; i++)
  {
    x = x<<1;
    if ((int)(i*t)%2==0)
      x++;
    if((i%32)==31)
    {
      *(buf++) = x;
      x=0x00000000;
    }
  }
}

The transmission starts when the application writes the fill_buffer_freq to an arbitrary data block in the USB device, the application just requires the permission to create a file on the device.

“The actual data transmission is done by writing the byte pattern generated by fill_buffer_freq to an arbitrary data block or stream in the USB device. For our purposes, we used a temporary file within the USB thumb drive’s file system. The transmission process doesn’t require special privileges (e.g., root or admin). It only requires permission to create a file on the removable device.” reads the paper.

The researchers also published a video PoC of the attack that shows how the data is exfiltrated by a laptop with a $30 radio antenna from around 15 feet away.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Air-Gapped network, USBee)

[adrotate banner=”5″]

[adrotate banner=”13″]