TY - JOUR
T1 - ODINI
T2 - Escaping Sensitive Data from Faraday-Caged, Air-Gapped Computers via Magnetic Fields
AU - Guri, Mordechai
AU - Zadov, Boris
AU - Elovici, Yuval
N1 - Publisher Copyright:
© 2005-2012 IEEE.
PY - 2020/1/1
Y1 - 2020/1/1
N2 - Air-gapped computers are devices that are kept isolated from the Internet, because they store and process sensitive information. When highly sensitive data is involved, an air-gapped computer might also be kept secluded in a Faraday cage. The Faraday cage prevents the leakage of electromagnetic signals emanating from various computer parts, which may be picked up remotely by an eavesdropping adversary. The air-gap separation, coupled with the Faraday shield, provides a high level of isolation, preventing the potential leakage of sensitive data from the system. In this paper, we show how attackers can bypass Faraday cages and air-gaps in order to leak data from highly secure computers. Our method is based on exploitation of the magnetic field generated by the computer's CPU. Unlike electromagnetic radiation (EMR), low frequency magnetic fields propagate through the air, penetrating metal shielding such as Faraday cages (e.g., a compass still works inside a Faraday cage). Since the CPU is an essential part of any computer, the magnetic covert channel is relevant to virtually any device with a CPU: desktop PCs, servers, laptops, embedded systems, and Internet of Things (IoT) devices. We introduce a malware codenamed 'ODINI' that can control the low frequency magnetic fields emitted from the infected computer by regulating the load of the CPU cores. Arbitrary data can be modulated and transmitted on top of the magnetic emission and received by a magnetic 'bug' located nearby. We implement a malware prototype and discuss the design considerations along with the implementation details. We also show that the malicious code does not require special privileges (e.g., root) and can successfully operate from within isolated virtual machines (VMs) as well. Finally, we propose different types of defensive countermeasures such as signal detection and signal jamming to cope with this type of threat (demonstration video: https://www.youtube.com/watch?v=h07iXD-aSCA).
AB - Air-gapped computers are devices that are kept isolated from the Internet, because they store and process sensitive information. When highly sensitive data is involved, an air-gapped computer might also be kept secluded in a Faraday cage. The Faraday cage prevents the leakage of electromagnetic signals emanating from various computer parts, which may be picked up remotely by an eavesdropping adversary. The air-gap separation, coupled with the Faraday shield, provides a high level of isolation, preventing the potential leakage of sensitive data from the system. In this paper, we show how attackers can bypass Faraday cages and air-gaps in order to leak data from highly secure computers. Our method is based on exploitation of the magnetic field generated by the computer's CPU. Unlike electromagnetic radiation (EMR), low frequency magnetic fields propagate through the air, penetrating metal shielding such as Faraday cages (e.g., a compass still works inside a Faraday cage). Since the CPU is an essential part of any computer, the magnetic covert channel is relevant to virtually any device with a CPU: desktop PCs, servers, laptops, embedded systems, and Internet of Things (IoT) devices. We introduce a malware codenamed 'ODINI' that can control the low frequency magnetic fields emitted from the infected computer by regulating the load of the CPU cores. Arbitrary data can be modulated and transmitted on top of the magnetic emission and received by a magnetic 'bug' located nearby. We implement a malware prototype and discuss the design considerations along with the implementation details. We also show that the malicious code does not require special privileges (e.g., root) and can successfully operate from within isolated virtual machines (VMs) as well. Finally, we propose different types of defensive countermeasures such as signal detection and signal jamming to cope with this type of threat (demonstration video: https://www.youtube.com/watch?v=h07iXD-aSCA).
KW - Network security
KW - air gaps
KW - computer viruses
UR - http://www.scopus.com/inward/record.url?scp=85071689722&partnerID=8YFLogxK
U2 - 10.1109/TIFS.2019.2938404
DO - 10.1109/TIFS.2019.2938404
M3 - Article
AN - SCOPUS:85071689722
VL - 15
SP - 1190
EP - 1203
JO - IEEE Transactions on Information Forensics and Security
JF - IEEE Transactions on Information Forensics and Security
SN - 1556-6013
M1 - 8820015
ER -