Exploiting the magnetic field with Odini
Researchers at Israel’s Ben Gurion University (BGU) have demonstrated how attackers can successfully bypass Faraday cages to monitor low-frequency magnetic radiation emitted by air-gapped electronic devices.
“While Faraday rooms may successfully block electromagnetic signals which emanate from computers, low-frequency magnetic radiation disseminates through the air, penetrating metal shields within the rooms,” explains Dr. Mordechai Guri, the director of the Cybersecurity Research Center at BGU.
“That’s why a compass still works inside of a Faraday room. Attackers can use this covert magnetic channel to intercept sensitive data from virtually any desktop PCs, servers, laptops, embedded systems and other devices.”
More specifically, Guri’s Odini method (named after escape artist Harry Houdini) exploits the magnetic field generated by a CPU to circumvent even the most securely equipped room. Put simply, Odini is specially coded malware designed to control the low-frequency magnetic fields emitted from an infected computer by regulating the load on the CPU cores. This means arbitrary data can be modulated and transmitted on top of the magnetic emission – and received by a magnetic receiver (bug) placed nearby.
It should be noted that the malicious code does not require special privileges (e.g., root) and can successfully operate from within isolated virtual machines (VMs).
Magneto malware taps covert channels
In a separate attack, Guri and his team used malware to transfer keystrokes and passwords from an air-gapped computer to a nearby smartphone via its magnetic sensor.
“We implement a malware that controls the magnetic fields emanating from the computer by regulating workloads on the CPU cores,” Guri and his research team explained in a recently published abstract.
“Sensitive data such as encryption keys, passwords, or keylogging data is encoded and transmitted over the magnetic signals, [while] a smartphone located near the computer receives the covert signals with its magnetic sensor.”
The abstract also noted that the proposed covert channel works from a user-level process without requiring special privileges – and can successfully operate from within an isolated virtual machine (VM). Moreover, attackers can intercept the leaked data even when a smartphone is sealed in a Faraday bag or set to airplane mode.
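Both Odini and Magneto rely on the same physical lever: the malware switches CPU-core load on and off in a regular rhythm so that the magnetic emission carries a signal. The flip side for defenders is that a host whose CPU utilisation shows a strong, clean periodic component is behaving unlike normal workloads. The following is an added illustration of that idea, not code from the BGU researchers or from the article: it takes a series of per-core utilisation samples (constructed inline here, not real telemetry) and flags a trace whose spectrum is dominated by a single non-zero frequency. The sampling rate, the symbol period of 16 samples and the detection threshold are assumptions chosen for the example, not values from the paper.

```python
import cmath
import math
import random


def spectral_peak_ratio(samples):
    """Return (peak_bin, ratio) for a utilisation trace.

    ratio is the power of the strongest non-DC DFT bin divided by the
    median non-DC bin power. Normal, bursty workloads spread their energy
    over many bins; a load pattern toggled at a fixed rhythm concentrates
    it in one bin and its odd harmonics, so the ratio becomes very large.
    A naive O(n^2) DFT is used to keep the example dependency-free.
    """
    n = len(samples)
    mean = sum(samples) / n
    x = [s - mean for s in samples]          # remove the DC component
    powers = []
    for k in range(1, n // 2):               # non-DC bins up to Nyquist
        acc = 0j
        for t, v in enumerate(x):
            acc += v * cmath.exp(-2j * math.pi * k * t / n)
        powers.append(abs(acc) ** 2)
    peak = max(powers)
    peak_bin = powers.index(peak) + 1
    median = sorted(powers)[len(powers) // 2]
    return peak_bin, peak / (median + 1e-12)


def looks_modulated(samples, threshold=50.0):
    """Heuristic alert: True when one frequency dominates the trace.

    The threshold is an assumption for this example; in practice it would
    be tuned against baseline traces from the monitored hosts.
    """
    _, ratio = spectral_peak_ratio(samples)
    return ratio > threshold


# Constructed sample telemetry (not real measurements): 512 utilisation
# readings of one core, with load toggled every 8 samples (period 16).
def make_constructed_modulated(n=512, seed=1):
    rng = random.Random(seed)
    out = []
    for t in range(n):
        high = (t // 8) % 2 == 0
        base = 95.0 if high else 5.0
        out.append(base + rng.uniform(-3.0, 3.0))
    return out


# Constructed baseline telemetry: unstructured utilisation between 10-40%.
def make_constructed_noise(n=512, seed=2):
    rng = random.Random(seed)
    return [rng.uniform(10.0, 40.0) for _ in range(n)]


if __name__ == "__main__":
    for name, trace in (("modulated", make_constructed_modulated()),
                        ("baseline", make_constructed_noise())):
        peak_bin, ratio = spectral_peak_ratio(trace)
        print(f"{name}: peak bin {peak_bin}, ratio {ratio:.1f}, "
              f"alert={looks_modulated(trace)}")
```

The detector deliberately keys on the shape of the load pattern rather than on any magnetic measurement, because utilisation counters are something an EDR or a host agent already collects on the air-gapped machine itself; the check says nothing about whether data was actually leaked, only that the core is being driven in a rhythm worth investigating.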
Extracting stolen data
As Wired’s Andy Greenberg reports, Guri’s work aims to demonstrate that once a device is infected, attackers aren’t necessarily going to wait to establish a traditional connection before they exfiltrate stolen data.
“Instead, they can use more insidious means to leak information to nearby computers—often to malware on a nearby smartphone, or another infected computer on the other side of the air gap,” he writes.
According to Guri, challenging the concept of air-gapped devices involves thinking creatively about how computer components can be surreptitiously transformed into clandestine communication devices.
“It goes way beyond typical computer science: electrical engineering, physics, thermodynamics, acoustic science, optics,” he tells Wired. “It requires thinking ‘out of the box,’ literally.”