An Israeli researcher has demonstrated that LAN cables' radio frequency emissions can be read by using a $30 off-the-shelf setup, potentially opening the door to fully developed cable-sniffing attacks.
Mordechai Guri of Israel's Ben Gurion University of the Negev described the disarmingly simple technique to The Register, which consists of putting an ordinary radio antenna up to four metres from a category 6A Ethernet cable and using an off-the-shelf software defined radio (SDR) to listen around 250MHz.
"From an engineering perspective, these cables can be used as antennas and used for RF transmission to attack the air-gap," said Guri.
His experimental technique consisted of slowing UDP packet transmissions over the target cable to a very low speed and then transmitting single letters of the alphabet. The cable's RF emissions could then be picked up by the SDR (in Guri's case, both an R820T2-based tuner and a HackRF unit) and, via a simple algorithm, be turned back into human-readable characters.
Nicknamed LANtenna, Guri's technique is an academic proof of concept and not a fully fledged attack that could be deployed today. Nonetheless, the research shows that poorly shielded cables have the potential to leak information which sysadmins may have believed was secure or otherwise air-gapped from the outside world.
He added that his setup's $1 antenna was a big limiting factor and that specialised antennas could well reach "tens of metres" of range.
"We could transmit both text and binary, and also achieve faster bit-rates," acknowledged Guri when El Reg asked about the obvious limitations described in his paper [PDF]. "However, due to environmental noises (e.g. from other cables) higher bit-rates are rather theoretical and not practical in all scenarios."
One obvious avenue for further research would be sniffing information from network cables running at their full operational speeds; Guri acknowledged that slowing live network traffic down to the levels used in his experiment would be impractical. His full paper, however, noted: "Transmitting UDP packets doesn't require higher privileges or interfering with the OS routing table. In addition, it is possible to evade detection at the network level by sending the raw UDP traffic within other legitimate UDP traffic."
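Because the paper notes the emitter is plain UDP traffic hidden among legitimate UDP flows, a network-side defender has little to key on except its shape: packets throttled to a slow, steady cadence. The following is an added illustration, not code from the article or from Guri's paper, of a triage heuristic over constructed packet records that flags UDP flows which are both slow and metronomic; the flow addresses, thresholds and the assumption that a throttled emitter keeps a regular cadence are all the author's.

```python
# Added example (not from the article or the LANtenna paper): flag UDP flows
# whose packets arrive at an artificially slow and very regular cadence, the
# wire-side shape a throttled, letter-at-a-time UDP emitter would produce.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: (timestamp_s, src, dst, dst_port).
# 10.0.0.5 imitates ordinary DNS lookups with irregular spacing;
# 10.0.0.9 sends one packet every 2.0 s, the throttled cadence described above.
SAMPLE_PACKETS = [
    (0.00, "10.0.0.5", "10.0.0.53", 53), (0.31, "10.0.0.5", "10.0.0.53", 53),
    (1.90, "10.0.0.5", "10.0.0.53", 53), (2.05, "10.0.0.5", "10.0.0.53", 53),
    (4.70, "10.0.0.5", "10.0.0.53", 53), (4.72, "10.0.0.5", "10.0.0.53", 53),
    (5.50, "10.0.0.5", "10.0.0.53", 53), (9.10, "10.0.0.5", "10.0.0.53", 53),
] + [(2.0 * i, "10.0.0.9", "10.0.0.77", 5000) for i in range(8)]


def flow_cadence(packets):
    """Group packets by (src, dst, dport) and compute inter-arrival statistics."""
    flows = defaultdict(list)
    for ts, src, dst, dport in sorted(packets):
        flows[(src, dst, dport)].append(ts)
    stats = {}
    for key, times in flows.items():
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if len(gaps) < 2:          # too few packets to judge regularity
            continue
        m = mean(gaps)
        cv = pstdev(gaps) / m if m > 0 else float("inf")  # 0.0 == perfectly regular
        stats[key] = {"packets": len(times), "mean_gap": m, "cv": cv}
    return stats


def suspicious_flows(packets, min_packets=6, min_gap=0.5, max_cv=0.1):
    """Flows that are slow (mean gap >= min_gap) and metronomic (cv <= max_cv).
    NTP polling and application keepalives also look like this, so treat a hit
    as a triage lead to correlate with the host, not as proof of a covert channel."""
    return sorted(key for key, s in flow_cadence(packets).items()
                  if s["packets"] >= min_packets
                  and s["mean_gap"] >= min_gap
                  and s["cv"] <= max_cv)


if __name__ == "__main__":
    for flow in suspicious_flows(SAMPLE_PACKETS):
        print("slow, regular UDP flow:", flow)
```

On the constructed sample only the 10.0.0.9 flow is reported; the DNS-like flow has a coefficient of variation near 1 and is ignored.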
The academic's previous research included a technique for turning DRAM into a form of wireless transmitter, as part of his work looking at ways of pwning air-gapped networks.
Professor Alan Woodward of the University of Surrey observed: "What this shows is that even an unplugged Ethernet cable can radiate energy which is detectable."
He added: "The paper is a nice piece of work and reminds us that whilst you might think something is air-gapped, it might be chattering away over the airwaves. People used to laugh at the great clunky terminals used in secure environments but they arose for a reason: TEMPEST."
TEMPEST, as we reported 20 years ago, was originally a US government scheme for reducing the amount of RF emissions generated by computer equipment. Today it's been adopted as a NATO standard, with the UK's National Cyber Security Centre having a public webpage about it.
"Often," observed Woodward, "modern security systems look for data leaving the network to know that they have an intruder. But if it's leaving on some unmonitored channel (over the air) then it has a low probability of intercept by the security measures."
We look forward to the infosec industry's next exciting product launch: a full spectrum RF analysis suite plumbed into your SIEM for a low, low subscription rate. ®