Modern technology relies on electricity for everything. But a researcher at Black Hat 2015 demonstrated how to turn electronic devices into secret radio transmitters, thanks to physics.
Ang Cui of Red Balloon Security is the first to admit that he doesn’t understand how electricity works. “I didn’t know a lot at first, and I know even less than I did before,” he quipped at the beginning of his presentation. But most people understand that when you run current through a wire, it induces a magnetic field. That magnetic field induces other electric fields and so on and so forth. Cui figured that he could use these principles to induce electronics to emanate radio transmissions by controlling how bits of information move across wires in a piece of technology.
Cui demonstrated a kind of escalation. He started by inducing a small, cheap laser printer to “sing” its bootcode. It was surprisingly upbeat and bouncy, and even more surprisingly audible. Cui then tweaked the emissions from the printer until he eventually boosted them into the radio frequency (RF) range. On stage, he demonstrated how his system could receive and translate text sent from the infected printer in real time. For his text, Cui chose the opening lines of Neuromancer: “The sky above the port was the color of television, tuned to a dead channel.”
Why does this matter? When you have a computer that contains super-secret information, or controls something really important, the best way to secure it is to sequester it. These computers are placed in secured areas with no connection to the Internet, or an “air gap.”
Cui’s goal was to create tiny malware that could use whatever hardware was available on the infected device to jump that air gap. He called his creation Funtenna, and he induced radio transmissions from an infected device that could penetrate 2 feet of steel-reinforced concrete. That, not coincidentally, matches the description of some secure military facilities.
Cui’s approach is unique since it’s able to send information out of a secure device without leaving transmitting hardware on the target device. The Soviet Union, for example, tackled the problem decades ago by placing a retroreflective device in the American embassy. When Soviet agents shone a radar beam on the hidden device, they were able to listen in to anything said within the room.
That was just one piece of the large body of previous research on the subject of emissions detection. One example, Van Eck Phreaking, allows attackers to read screens through walls and will probably sound familiar to fans of Neal Stephenson’s Cryptonomicon. The difference, of course, is that Cui’s software induces emissions, rather than trying to detect accidental ones.
Affecting physical objects with software isn’t new, but it is an exciting part of the security field. Careful readers will recall that the Stuxnet malware was allegedly developed to attack and physically disable Iranian centrifuges. We’re expecting more Black Hat sessions this year that will focus on attacking physical infrastructure with software.
Without a doubt, Cui’s research is impressive—and terrifying. Because it doesn’t rely on networks policed by firewalls, like Bluetooth or Wi-Fi, detecting these transmissions is very hard. After all, there’s plenty of radio spectrum in which to hide. Cui quipped that with a simple AM radio, he defeated billions of dollars in firewall research.
Like all attacks, it has limitations. For example, the malware has to be installed on the target device. For another, Cui struggled to find cabling within the target devices long enough to act as a suitable antenna. In the end, his demonstration required 10 feet of cable connected to the target device.
It’s unlikely that low-level Internet bad guys will pay much attention to Cui’s research, so don’t expect your computer to start singing its bootcode any time soon. But people in three-letter organizations will no doubt be interested. Assuming, of course, that they haven’t figured out the trick already.