USBee: Air-Gap Covert-Channel via Electromagnetic Emission from USB
📝 Abstract
In recent years researchers have demonstrated how attackers could use USB connectors implanted with RF transmitters to exfiltrate data from secure, and even air-gapped, computers (e.g., COTTONMOUTH in the leaked NSA ANT catalog). Such methods require a hardware modification of the USB plug or device, in which a dedicated RF transmitter is embedded. In this paper we present USBee, software that can utilize an unmodified USB device connected to a computer as an RF transmitter. We demonstrate how software can intentionally generate controlled electromagnetic emissions from the data bus of a USB connector. We also show that the emitted RF signals can be controlled and modulated with arbitrary binary data. We implement a prototype of USBee, and discuss its design and implementation details including signal generation and modulation. We evaluate the transmitter by building a receiver and demodulator using GNU Radio. Our evaluation shows that USBee can be used for transmitting binary data to a nearby receiver at a bandwidth of 20 to 80 BPS (bytes per second).
📄 Content
USBee: Air-Gap Covert-Channel via Electromagnetic Emission from USB
Mordechai Guri, Matan Monitz, Yuval Elovici
{gurim,monitzm,elovici}@post.bgu.ac.il
Ben-Gurion University of the Negev, Cyber Security Research Center
Abstract— In recent years researchers have demonstrated how
attackers could use USB connectors implanted with RF
transmitters to exfiltrate data from secure, and even air-gapped,
computers (e.g., COTTONMOUTH in the leaked NSA ANT
catalog). Such methods require a hardware modification of the
USB plug or device, in which a dedicated RF transmitter is
embedded.
In this paper we present ‘USBee,’ software that can utilize an
unmodified USB device connected to a computer as an RF
transmitter. We demonstrate how software can intentionally
generate controlled electromagnetic emissions from the data bus
of a USB connector. We also show that the emitted RF signals can
be controlled and modulated with arbitrary binary data. We
implement a prototype of USBee, and discuss its design and
implementation details including signal generation and
modulation. We evaluate the transmitter by building a receiver
and demodulator using GNU Radio. Our evaluation shows that
USBee can be used for transmitting binary data to a nearby
receiver at a bandwidth of 20 to 80 BPS (bytes per second).
Keywords—air-gap; USB; exfiltration; malware; covert channel
I. INTRODUCTION
Leaking information from a compromised network is one of the
main goals of an advanced persistent threat attack. In many
cases, common security measures such as firewalls, IDS, and
IPS can provide a basic level of protection to secure the internal
network and its data. However, when highly sensitive data is
involved, the organization may resort to air-gap isolation, where
there is no physical connection between the internal network and
the Internet.
Over the years, a wide range of covert channels have been
proposed to demonstrate how malware can leak data from
air-gapped computers without the need for Internet connectivity or
physical access. Such covert channels may use electromagnetic,
acoustic, thermal, and optical emissions [1] as a medium for data
exfiltration from a computer. In 2014, the ANT catalog leaked
by Edward Snowden presented COTTONMOUTH, a tool which
allows air-gap communication with host software over a USB
dongle implanted with an RF transmitter and receiver [2]. Later,
in 2015, hackers inspired by COTTONMOUTH introduced
TURNIPSCHOOL, a $20 hardware implant concealed in a USB
cable which provides short-range RF communication capability
to a computer [3]. Hardware-based USB keyloggers which
include internal radio or Wi-Fi transmitters also exist [4].
However, all of the aforementioned tools require hardware
modification of the USB plugs (embedding an RF transmitter or
receiver within them). In this paper we show how to leak data
from an air-gapped computer over RF signals to a receiver
located a short distance away using an unmodified USB dongle.
We introduce USBee, a malware which utilizes the USB data
bus in order to create electromagnetic emissions from a
connected USB device. USBee can modulate any binary data
over the electromagnetic waves and transmit it to a nearby
receiver. The attack scenario is illustrated in Figure 1.
Figure 1. Illustration of USBee. An ordinary, unmodified USB device (flash drive) (A) is transmitting information to a nearby receiver (B) over an air-gap, via electromagnetic waves emitted from its data bus.
In this scenario, USBee software, installed on a compromised computer, uses a USB thumb drive already connected to the computer (Figure 1, A), and creates a short-range RF transmission modulated with data (e.g., passwords or encryption keys). The transmission can be received by a nearby receiver (Figure 1, B) where it is decoded and sent to an attacker.
The contribution of our paper is as follows. We introduce a software-only method for short-range data exfiltration using electromagnetic emissions from a USB dongle. Unlike other methods, our method doesn’t require any RF transmitting hardware, since it uses the USB’s internal data bus. We also discuss signal generation, transmission, reception, and demodulation algorithms.
This paper is organized as follows. Section II presents related work. Section III provides technical background. Section IV and Section V describe transmission and reception. Section VI discusses countermeasures. We conclude with Section VII.
II. RELATED WORK
Out-of-band covert channels have been discussed since the 1990s. Suggested methods exploit various types of emanation from different computer components in order to modulate and transmit data. There are four covert channel categories: acoustic, optical, thermal, and electromagnetic.
Acoustic methods, discussed in [5] [6] [7] [8], involve transmitting sonic or near-ultrasonic signals from computer speakers. These signal
This content is AI-processed based on ArXiv data.