Israeli researcher Mordechai Guri has detailed two novel techniques that allow to steal data from highly secured air-gapped systems and MEMS gyroscopes.
The first method, dubbed “ETHERLED,” can be used for exfiltrating data from air-gapped networked devices like computers, printers, network cameras, embedded controllers, and servers, using the LED indicators on network interface controllers (NIC).
The attack method works like this: an intruder infects the device with a specially crafted malware and replaces the card driver with a version, which can control the LEDs color and blinking mechanism to transmit information encoded using simple encoding such as Morse code. The attacker with the line of sight to the status LEDs can intercept and decode these signals using a remote drone or local surveillance camera.
The second attack method, dubbed “GAIROSCOPE,” involves using the speakers on an air-gapped system to generate resonance frequencies captured by microelectromechanical system (MEMS) gyroscopes from the distance of up to 6 meters.
“Our malware generates ultrasonic tones in the resonance frequencies of the MEMS gyroscope. These inaudible frequencies produce tiny mechanical oscillations within the smartphone’s gyroscope, which can be demodulated into binary information,” the paper reads.
The first stage of the attack involves infecting a target smartphone with malware via various attack vectors such as phishing, social engineering techniques, via malicious email attachments, compromised websites, Wi-Fi, or malicious advertisements. Upon getting access to the smartphone the attacker could obtain sensitive data like credentials or encryption keys, encode the data and transmit it by covertly sending out acoustic sound waves through the device’s loudspeaker.
“In the exfiltration phase, the malware encodes the data and broadcast it to the environment, using covert acoustic sound waves in the resonance frequency generated from the computer’s loudspeakers. A nearby infected smartphone ‘listens’ through the gyroscope, detects the transmission, demodulates and decodes the data, and transfers it to the attacker via the Internet (e.g., over Wi-Fi),” the paper explains.
Previously, Mordechai Guri detailed another data exfiltration attack named “SATAn,” which makes use of the Serial ATA (SATA) cables as a wireless antenna to transmit data from a breached system to a nearby receiver.