USBee stings air-gapped PCs: Wirelessly leak secrets with a file write
Technique turns connected storage devices into transmitters
Mordechai Guri, the Israeli researcher who has something of a knack for extracting information from air-gapped PCs, has done it again – this time using radio frequency transmissions from USB 2 connections.
Dubbed USBee, the technique turns a computer's USB ports into mini RF transmitters by modulating the data fed at high speed to plugged-in devices. By banging out a string of '0' bits to a USB port, the voltage changes in the interface generate detectable emissions between 240MHz and 480MHz, according to Guri.
Next, by writing sequences of '0' and '1', we're told you can create a carrier wave from the rapid voltage changes on the interface's data pins. You can then use binary frequency shift keying (B-FSK) to encode useful information into the wave.
Guri reckons you can beam 80 bytes per second over the air using this technique, which is fast enough to send a 4,096-bit crypto key to a nearby receiver in less than 10 seconds.
You can create a basic carrier wave using this function:
    #include <stdint.h>

    typedef uint32_t u32;

    /* Fill buf (size bytes, i.e. size/4 32-bit words) with a square wave.
       Bit i is set when floor(i*t) is even, so the wave toggles every 1/t
       bits and one full cycle spans 4800/freq bits. Bits are packed
       MSB-first into 32-bit words; if size*8 is not a multiple of 32 the
       trailing partial word is discarded. */
    inline static void fill_buffer_freq(u32 *buf, int size, double freq)
    {
        int i;
        u32 x = 0;
        double t = freq / 4800 * 2;

        for (i = 0; i < size * 8; i++) {
            x = x << 1;
            if ((int)(i * t) % 2 == 0)
                x++;
            if ((i % 32) == 31) {      /* 32 bits accumulated: emit one word */
                *(buf++) = x;
                x = 0;
            }
        }
    }
You then write the resulting buffer to, say, a mounted removable storage device to generate the signal. You don't need to be root or an administrator to do this; you just need permission to write to a file on the device.
"The actual data transmission is done by writing the byte pattern generated by fill_buffer_freq() to an arbitrary data block or stream in the USB device," Guri and his team said in a research paper that surfaced this week.
"The transmission process doesn't require special privileges (e.g., root or admin). It only requires permission to create a file on the removable device."
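Since the only precondition on the victim host is write access to a mounted removable device, a defender's first check is whether any such device is currently mounted read-write. The audit below is an added example, not code from the article or from Guri's team; it reads a /proc/mounts-style file and the sysfs "removable" attribute, and assumes sdX-style device names. The sample mounts file and sysfs tree are constructed so it runs offline.

```shell
#!/bin/sh
# Added example (not the article's or Guri's code): list removable block
# devices mounted read-write, the precondition USBee needs on the host.
# On a live Linux system call:  writable_removable_mounts /proc/mounts /sys/block

# usage: writable_removable_mounts MOUNTS_FILE SYSFS_BLOCK_DIR
# prints "device mountpoint" for every removable device mounted rw
writable_removable_mounts() {
    mounts="$1"; sysblk="$2"
    while read -r dev mnt fstype opts rest; do
        case "$dev" in /dev/*) ;; *) continue ;; esac   # skip proc, tmpfs, ...
        base=$(basename "$dev")
        disk=${base%%[0-9]*}                             # sdb1 -> sdb (assumes sdX naming)
        [ "$(cat "$sysblk/$disk/removable" 2>/dev/null)" = "1" ] || continue
        case ",$opts," in *,rw,*) echo "$dev $mnt" ;; esac
    done < "$mounts"
}

# constructed sample: fake sysfs block tree plus a /proc/mounts-style file
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/block/sda" "$d/block/sdb" "$d/block/sdc"
    echo 0 > "$d/block/sda/removable"   # internal disk
    echo 1 > "$d/block/sdb/removable"   # USB stick, mounted rw (the risky case)
    echo 1 > "$d/block/sdc/removable"   # USB stick, mounted ro
    cat > "$d/mounts" <<EOF
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sdb1 /media/usb vfat rw,nosuid,nodev 0 0
/dev/sdc1 /media/ro vfat ro,nosuid,nodev 0 0
proc /proc proc rw,nosuid 0 0
EOF
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample)
    writable_removable_mounts "$sample/mounts" "$sample/block"
    rm -rf "$sample"
fi
```

Only /dev/sdb1 is reported for the constructed sample; on a real host, remounting such devices read-only or refusing usb-storage entirely removes the write path the technique depends on.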
In a video the team showed how the data can be picked up by a laptop with a $30 radio antenna from around 15 feet away. That's certainly enough to spy on someone working in the next hotel room, or in a crowded office.
It's an interesting hack, and one that could have some utility. Of course, to pull this off, you first have to get malware onto the air-gapped computer that then writes to a USB device, and you have to be nearby to pick up the signal – and hope no one notices. That's not outside the realms of possibility if you grease the right palms, threaten the right people, or exploit OPSEC screw-ups to get your espionage code onto the target machine. ®