AirHopper: Bridging the Air-Gap between Isolated Networks and Mobile Phones using Radio Frequencies (1411.0237v1)

Abstract: Information is the most critical asset of modern organizations, and accordingly coveted by adversaries. When highly sensitive data is involved, an organization may resort to air-gap isolation, in which there is no networking connection between the inner network and the external world. While infiltrating an air-gapped network has been proven feasible in recent years (e.g., Stuxnet), data exfiltration from an air-gapped network is still considered to be one of the most challenging phases of an advanced cyber-attack. In this paper we present "AirHopper", a bifurcated malware that bridges the air-gap between an isolated network and nearby infected mobile phones using FM signals. While it is known that software can intentionally create radio emissions from a video display unit, this is the first time that mobile phones are considered in an attack model as the intended receivers of maliciously crafted radio signals. We examine the attack model and its limitations, and discuss implementation considerations such as stealth and modulation methods. Finally, we evaluate AirHopper and demonstrate how textual and binary data can be exfiltrated from physically isolated computer to mobile phones at a distance of 1-7 meters, with effective bandwidth of 13-60 Bps (Bytes per second).

• The paper introduces a novel method for exfiltrating data from isolated networks by transforming a computer’s VDU emissions into controllable FM signals.
• It details modulation techniques like A-FSK and DTMF, achieving effective transmission rates of 13-60 Bps over distances up to 20 meters.
• The study also examines stealth and countermeasure strategies, including display shielding and mobile device restrictions, to mitigate such covert data breaches.

This paper, "AirHopper: Bridging the Air-Gap between Isolated Networks and Mobile Phones using Radio Frequencies" (Guri et al., 2014 ), presents a novel method for exfiltrating data from air-gapped computer networks using electromagnetic emanations from video display units (VDUs) and receiving these signals with nearby mobile phones equipped with FM radio receivers. The core idea is to turn a computer's video display adapter into a controllable FM radio transmitter and a mobile phone into a covert receiver.

The attack model involves four main steps:

1. Infecting the Target System: Hostile code is introduced into the air-gapped network, similar to vectors used by APTs like Stuxnet (e.g., via removable media, outsourced components).
2. Infecting the Mobile Phone: Malware infects mobile phones likely to be in the vicinity of targeted computers (e.g., via phishing, malicious apps, physical access).
3. Establishing a C&C Channel: The attacker sets up a command and control channel with the infected mobile phone (e.g., via Internet, SMS) to issue commands and receive exfiltrated data.
4. Radio Monitoring and Data Exfiltration: The malware on the air-gapped computer modulates sensitive data onto radio signals emitted by the VDU cable. The malware on the mobile phone tunes its FM receiver to the specific frequency, records the audio, decodes it, and transmits the exfiltrated data back to the attacker via the C&C channel.

The technical implementation leverages the fact that VDU cables emit electromagnetic radiation. The timing of pixel signals sent to the display, governed by the pixel clock ($PC$), can be manipulated to generate specific radio frequencies. The pixel clock is determined by the display resolution, refresh rate, and synchronization parameters:

$$PC = (H_{pixel} + H_{sync})(V_{pixel} + V_{sync}) R_r$$

where $H_{pixel}, V_{pixel}$ are horizontal and vertical resolution, $H_{sync}, V_{sync}$ are horizontal and vertical synchronization lengths, and $R_r$ is the refresh rate.

By constructing specific image patterns of alternating black and white pixels, the malware can generate a carrier wave at a frequency related to the pixel clock and the pattern structure. To transmit digital data, the malware modulates this carrier wave with audio tones that represent the data. Since mobile phone FM receivers output audio, the data must be encoded in the audio signal. This forms a multi-layer modulation process: Data -> Audio Tones -> FM Carrier Signal -> Electromagnetic Emanation.

The paper describes an algorithm (Algorithm 1) to generate the pixel map for modulating a specific audio tone ($F_a$) over the carrier frequency ($F_c$). The algorithm essentially draws horizontal stripes whose pattern emulates the carrier frequency and whose vertical periodicity modulates the audio tone.

Algorithm 1: Pixel map for signal tone modulation 01 k <= 2 * Fa / PC 02 all pixels - BLACK 03 For i = 0 to Vp: // Iterate through vertical pixels 04 IF floor (t*k) is odd: 05 For j = 0 to Hp: // Iterate through horizontal pixels 06 IF floor (t*k) is odd: 07 pixel[j][i] = WHITE 08 t = t + 1 09 Else: 10 t = t + Hp

Note: This pseudocode is adapted from the paper's presentation and clarifies the logic.

Two data modulation methods over audio tones were implemented and evaluated:

1. Audio Frequency-Shift Keying (A-FSK): Each character or byte is represented by a unique audio frequency. This is simpler for textual data (e.g., using < 40 frequencies) but less effective for binary data (using 256 frequencies) due to DSP processing in FM receivers that affects adjacent frequencies. It was found to be more resilient to interference and offered a greater reception range.
2. Dual-Tone Multiple-Frequency (DTMF): Similar to telecommunication DTMF, each byte is represented by a combination of two simultaneous audio tones chosen from a 16x16 matrix (e.g., one frequency from 600-5000Hz and another from 6000-10400Hz). This requires splitting the screen logically to transmit two different image patterns simultaneously. While it had slightly lower range and reception quality compared to A-FSK, it was much more efficient for binary data transmission. The operational audio frequency range was limited to 600Hz - 11kHz due to interference at lower frequencies and reception diminishing at higher frequencies.

On the mobile phone receiver side, the malicious code needs to access and process the FM audio output. On Android devices prior to API 18, this capability was undocumented but found to be possible by using the AudioRecord object with a specific audio source value (8) and a standard sampling rate (44.1 kHz).

Signal processing involves:

1. Audio Sampling: Recording the FM audio output into a buffer, typically using Pulse-Code Modulation (PCM) at 16 bits per sample.
2. Signal Processing: Applying a Fast Fourier Transform (FFT) to the audio buffer to convert the signal from the time domain to the frequency domain. This allows identifying the dominant audio tones. The frequency resolution depends on the sampling rate and buffer size (e.g., 44100 Hz / 1024 samples $\approx$ 43 Hz per frequency bin).
3. Data Demodulation: Based on the modulation method (A-FSK or DTMF), identifying the peak frequencies in the spectrum (one for A-FSK, two for DTMF) and mapping them back to the original data byte using the predefined frequency mapping table.

A practical implementation hurdle was that some phones require headphones to be connected (as they act as an antenna). The paper describes bypassing this software-level check by modifying system files (framework2.odx on a Samsung Galaxy S3) using tools like smali to force the headphone status to true.

Data transmission protocols were also developed:

• Raw Transmission: Data bytes are transmitted sequentially. Simple and efficient but susceptible to errors and losses without detection. Suitable for continuous streams like keylogging where some loss is acceptable.
• Structured Transmission: Data is sent in packets with headers including a synchronization pulse, sequence number, packet size, data payload, and checksum. This allows the receiver to detect errors, identify missing packets, and reconstruct the data reliably. Necessary for transmitting binary files or sensitive data where integrity is critical.

Hiding the transmission is crucial for stealth. The paper discusses both visual and signal hiding techniques:

• Visual Hiding:
  • Transmitting when the monitor is off (leveraging power-saving states).
  • Programmatically turning the monitor off using Display Data Channel Command Interface (DDC/CI).
  • Detecting KVM switch state via DDC/CI and transmitting only when the target machine's display is switched away.
  • Using a secondary, disconnected display output on multi-output graphics cards or transmitting over cables connected to projectors that are often off.
• Signal Hiding:
  • Transmitting on non-standard FM frequencies (below 87.5 MHz) which are not used for broadcasting in most regions and are often software-disabled on mobile phones. The paper describes modifying phone firmware (FMRadioService) to enable this extended frequency range and to use finer frequency scanning steps (50 KHz instead of default 200 KHz) to allow the receiver to tune into frequencies inaccessible to standard FM apps.

The evaluation demonstrated the feasibility and characterized the performance:

• Effective Distance: With a standard headphone cable acting as an antenna, effective transmission distances of 8-20 meters were achieved, depending on the VDU cable type. Unshielded cables (like an extension VGA) resulted in significantly larger distances compared to shielded ones (standard VGA, HDMI, DVI). Without an antenna, the distance was much shorter (centimeters).
• Signal Strength: RSSI and dBm measurements confirmed the signal strength drops with distance, with acceptable reception typically corresponding to RSSI values above 10.
• Transmission Quality & Speed: Using DTMF with a 70ms delay per byte (found to be optimal), transmission quality was consistently high (>97%) within the effective range. The data transfer rate is slow compared to network methods but sufficient for exfiltrating small amounts of sensitive data:
  • 10 bytes (e.g., IP/MAC) took <1 sec (raw) or 1 sec (structured).
  • 100 bytes (e.g., password file) took 8 sec (raw) or 10 sec (structured).
  • 8 KB (e.g., 1 day keylogging) took 10.25 min (raw) or 14.1 min (structured).
  • 0.5 MB (e.g., document) took 10.9 hours (raw) or 15 hours (structured).
  • The effective bandwidth reported in the abstract is 13-60 Bytes per second (Bps).

Countermeasures discussed include both technical and procedural approaches. Technical measures align with general Tempest (emission security) principles: physical insulation, software methods to reduce compromising emissions (though the paper focuses on generating them), and potentially encrypting data before it is prepared for transmission (though this doesn't prevent the signal itself). Procedural measures include establishing 'zones' where mobile devices are prohibited and ensuring the use of properly shielded display cables.

In summary, AirHopper demonstrates a practical, albeit low-bandwidth, method to bridge the air-gap using standard computer hardware and readily available mobile phone capabilities. The implementation involves precise control over display signals, sophisticated audio modulation techniques decoded on the mobile phone, and stealth measures to evade detection. While the data rate is slow, it is sufficient for exfiltrating sensitive information like passwords, keys, or small documents covertly. The research highlights a previously overlooked covert channel and underscores the importance of considering electromagnetic emanations in air-gap security.