A group of scientists based at the Cyber Security Research Center at the Ben-Gurion University of the Negev in Israel have just released papers detailing how they managed to hack devices protected by a Faraday cage. The team has developed a reputation for extraordinary, often spectacular hacks that seem impossible when first announced.
A Faraday cage, sometimes referred to as a Faraday shield, is a metallic enclosure meant to block electromagnetic fields coming in or going out. Named after Michael Faraday, who invented them, such enclosures exploit the fact that an external electric field causes the charges within the cage's conducting material to redistribute so that they cancel the field's effect in the cage's interior. The phenomenon is used to protect sensitive electronic equipment from external radio frequency interference (RFI). Faraday cages are also used to enclose devices that produce RFI, such as radio transmitters, to prevent their radio waves from interfering with other nearby equipment. These protective enclosures have found a lot of commercial use, with companies placing sensitive networking equipment, servers, or workstations inside data centers or rooms protected by a Faraday cage. Banks regularly use Faraday-shielded rooms to protect servers.
MAGNETO and ODINI
The group of scientists based in Israel has shown that such protections can be rendered inadequate. The team's findings have been published in two separate papers, each detailing a different method of stealing information from devices inside such protective cages. The two techniques have been named MAGNETO and ODINI. Although they differ, both operate on the same premise: malware installed on air-gapped devices inside the Faraday cage regulates the workload on the CPU cores in order to control the magnetic fields emanating from the computer.
Binary data from the computer is then encoded in the frequency of the magnetic field, which is strong enough to penetrate the Faraday cages in question. The team describes the process thus:
“Moving charges in a wire generate a magnetic field. The magnetic field changes according to the acceleration of the charges in the wire. In a standard computer, the wires that supply electricity from the main power supply to the motherboard are the primary source of the magnetic emanation. The CPU is one of the largest consumers of power in the motherboard. Since modern CPUs are energy efficient, the momentary workload of the CPU directly affects the dynamic changes in its power consumption. By regulating the workload of the CPU, it is possible to govern its power consumption, and hence to control the magnetic field generated. In the most basic case, overloading the CPU with calculations will consume more current and generate a stronger magnetic field. By intentionally starting and stopping the CPU workload, we can generate a magnetic field at the required frequency and modulate binary data over it.”
In order for the attack to be successful, the attacker must plant a "receiver" outside the Faraday cage to record the incoming magnetic field and decode the data. As the attack requires both the installation of malware on the target device and the placing of a "receiver" near the Faraday cage, such a hack is incredibly unlikely to be employed en masse by cybercriminals. As a proof of concept, though, the hack is incredibly interesting and will hopefully help develop more secure means of protecting sensitive data.
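The quoted mechanism depends on the CPU load being switched on and off at a fixed rate, which is also the pattern a host-side monitor can look for. The following is an added example, written for this article and not taken from the papers: it assumes a CPU-utilisation time series polled at 20 Hz (for instance from /proc/stat), removes the average load and checks whether a single tone dominates the spectrum. Both sample series are constructed.

```python
import math
import random

SAMPLE_RATE_HZ = 20  # assumed polling rate of the CPU-utilisation monitor


def dft_magnitude(samples, freq_hz, rate_hz):
    """Normalised magnitude of one DFT bin of a real-valued sample list."""
    n = len(samples)
    re = sum(x * math.cos(2 * math.pi * freq_hz * i / rate_hz) for i, x in enumerate(samples))
    im = sum(x * math.sin(2 * math.pi * freq_hz * i / rate_hz) for i, x in enumerate(samples))
    return math.hypot(re, im) / n


def periodicity_score(samples, rate_hz, min_hz=0.5, step_hz=0.1):
    """Scan min_hz..Nyquist and return (peak frequency, peak/median magnitude ratio).

    The DC component (average load) is removed first, so a merely busy machine
    does not score high; only a load pattern that repeats at a fixed rate does.
    """
    mean = sum(samples) / len(samples)
    centred = [x - mean for x in samples]
    bins = round((rate_hz / 2 - min_hz) / step_hz) + 1
    spectrum = {round(min_hz + k * step_hz, 3): dft_magnitude(centred, min_hz + k * step_hz, rate_hz)
                for k in range(bins)}
    peak_hz = max(spectrum, key=spectrum.get)
    mags = sorted(spectrum.values())
    median = mags[len(mags) // 2]
    return peak_hz, spectrum[peak_hz] / max(median, 1e-9)


def looks_like_covert_clock(samples, rate_hz=SAMPLE_RATE_HZ, threshold=8.0):
    """True when one tone exceeds the median spectral magnitude by `threshold` times."""
    return periodicity_score(samples, rate_hz)[1] >= threshold


# Constructed sample 1: a core toggled between busy (95 %) and idle (5 %) five samples
# at a time, i.e. a 2 Hz square wave as described in the quote, plus measurement jitter.
rng = random.Random(7)
COVERT_LOAD = [(95 if (i // 5) % 2 == 0 else 5) + rng.uniform(-2, 2) for i in range(200)]
# Constructed sample 2: ordinary fluctuating background load with no periodic structure.
BENIGN_LOAD = [rng.uniform(10, 60) for _ in range(200)]

if __name__ == "__main__":
    for name, load in (("covert", COVERT_LOAD), ("benign", BENIGN_LOAD)):
        freq, ratio = periodicity_score(load, SAMPLE_RATE_HZ)
        print(f"{name}: peak {freq:.1f} Hz, ratio {ratio:.1f}, flagged={looks_like_covert_clock(load)}")
```

The threshold and window length are tuning choices; a real deployment would watch per-core counters over a sliding window so that a short burst of legitimate work does not trip the check.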
The Difference between MAGNETO and ODINI
Although MAGNETO and ODINI achieve the same result, data exfiltration, from the same premise, there are differences between the two. According to the published findings, ODINI can transmit data over greater distances and at higher speeds but needs a dedicated magnetic sensor to receive the data. This could potentially blow the operation, as such a sensor could be detected. MAGNETO, however, works with the help of an Android app installed on a regular smartphone. Smartphones are now commonplace and tend to have low-cost magnetometers embedded within them. These would make detection of the operation far harder, given that most users carry a smartphone on their person nearly continually.
These attacks are considered novel because they can break out of shielded devices, something previous attacks could not do. Previous attempts at the same goal inevitably failed because they were electromagnetic rather than purely magnetic attacks, and an electromagnetic signal cannot pass through a Faraday cage. The MAGNETO and ODINI transmission channel is a pure magnetic field, which means it will pass through walls, humans, other objects and, importantly, Faraday cages.
One of the major drawbacks of both attacks is that they are initially dependent on being able to infect the target device within the cage with malware. This makes it easy to thwart an attack at this stage: with proper network hygiene and good security practices, it would be a struggle to get the attack off the ground by successfully installing the required malware.
The List of Impressive Hacks Grows
The scientists based at the above-mentioned cybersecurity research facility have a long history of weird hacks and ingenious attacks. These include:
- LED-it-Go - exfiltrate data from air-gapped systems via an HDD's activity LED
- SPEAKE(a)R - use headphones to record audio and spy on nearby users
- 9-1-1 DDoS - launch DDoS attacks that can cripple a US state's 911 emergency systems
- USBee - make a USB connector's data bus give out electromagnetic emissions that can be used to exfiltrate data
- AirHopper - use the local GPU card to emit electromagnetic signals to a nearby mobile phone, also used to steal data
- Fansmitter - steal data from air-gapped PCs using sounds emanated by a computer's GPU fan
- DiskFiltration - use controlled read/write HDD operations to steal data via sound waves
- BitWhisper - exfiltrate data from non-networked computers using heat emanations
- Unnamed attack - uses flatbed scanners to relay commands to malware-infested PCs or to exfiltrate data from compromised systems
- xLED - use router or switch LEDs to exfiltrate data
- Shattered Trust - using backdoored replacement parts to take over smartphones
- aIR-Jumper - use security camera infrared capabilities to steal data from air-gapped networks
- HVACKer - use HVAC systems to control malware on air-gapped systems