AirHopper Program Decodes Radio Signals to Steal from Air-Gapped Computers

Researchers have developed malware called AirHopper that decodes radio frequencies emitted from a computer monitor, video card or cable, in order to steal data from an air-gapped machine.

Air-gapped computers are generally the home of sacrosanct data. The lack of a connection between these machines and others on a network, or the Internet, means in theory that data stored on those devices is kept away from the harm of web-based threats and hackers moving laterally on a network.

Researchers, black hats and white hats alike, still chase the Holy Grail that is cracking an air-gapped machine.

The latest effort comes from researchers at Israel’s Ben-Gurion University of the Negev, who presented a talk at the recent MALCON 2014 event in Puerto Rico, demonstrating a way to leak data from an air-gapped machine to a mobile phone without using Wi-Fi or Bluetooth.

Instead, researchers Mordechai Guri, Gabi Kedma, Assaf Kachlon and Yuval Elovici, said they have developed a malicious program called AirHopper that lifts data from an air-gapped machine using the FM radio receivers built into many mobile devices to decode a radio signal sent from a computer’s video card.

“Mobile phones usually come equipped with FM radio receivers and it is already known that software can intentionally create radio emissions from a video display unit. Yes, from the computer screen,” the researchers wrote in summarizing their paper: “AirHopper: Bridging the Air-Gap Between Isolated Networks and Mobile Phones Using Radio Frequencies.” “Still, this is the first time that a mobile phone is considered in an attack model as the intended receiver of maliciously crafted radio signals emitted from the screen of the isolated computer.”

The researchers said an attacker would have to be in fairly close proximity to the target computer—between one and seven meters—and that AirHopper transmits slowly at about 60 bytes per second. That’s enough to steal a password, they said.

A successful attack requires that the target system and a mobile phone be compromised with the malicious code. The hacked phone then acts as a command and control channel that detects and transmits signals coming from the target system’s video cable to the attacker.

Stuxnet is likely the most infamous case of an air-gapped system breach; that was accomplished with malicious code on a USB stick. The researchers posit that same scenario could be applied here to infect the target system. Attacking the mobile phone used as a C&C channel might be a bit simpler given a broader attack surface than an air-gapped machine.

“Similar to the early stage of an Advanced Persistent threat (APT), this step may utilize data mining, social networks, phishing and similar social engineering methods,” the researchers wrote. Once the phone is infected, an attacker can stealthily have access to the device without the user’s knowledge and send data back to the attacker. It can then begin monitoring the radio channel, decoding the broadcast.

Previous work includes Tempest for Eliza, a program that uses a computer monitor to send out AM radio signals that can be heard through a standard radio. Using the same principle and available materials, AirHopper does the same thing: decodes signals coming off a video card or cable. The researchers admit that the attack is complicated but not beyond the capabilities of the groups behind most of today’s APT-style attacks.

“AirHopper adds to an understanding of electromagnetic emission threats, coupled with APT techniques,” the researchers wrote. “This research area is not sufficiently covered in recent academic literature. We believe that a careful, professional and academic discussion of the threat ultimately serves the interest of the cyberdefense community.”

Suggested articles