Smartphone gyroscopes threaten air-gapped systems, researcher finds

An Israeli security researcher known for foiling air gap security measures has published a reminder of just how vulnerable the approaches are to both visual and ultrasonic threats. 

A pair of preprint papers from Mordechai Guri, head of R&D at Ben-Gurion University's Cyber Security Research Labs, detail new methods for transmitting data ultrasonically to smartphone gyroscopes and sending Morse code signals via LEDs on network interface cards (NICs).

Dubbed Gairoscope and EtherLED respectively, the two exploits are the latest in a long line of research from Guri, who has previously developed air gap exfiltration methods, including stealing data by reading the radio frequency of networking cables, using RAM buses to transmit data electromagnetically, and doing the same with power supplies.

From secure system to smartphone gyroscope

The Gairoscope attack involves using the speakers on an air-gapped computer to generate "covert acoustic sound waves" detectable by the microelectromechanical system (MEMS) gyroscopes that are standard in many smartphones. 

Microphones, which Guri used in a previous exploit, are considered high-security sensors that may give snooping malware difficulty with permissions. It's worth following the linked backreading if you're still scratching your head about what phone gyroscopes have to do with sound detection.

The problem with phone gyroscopes is that, unlike microphones that are generally visibly activated, Gyroscopes can be "used by many types of applications to ease the graphical interfaces, and users may approve their access without suspicion," Guri wrote in the paper. 

Additionally, Guri cites a lack of visual indicator in iOS and Android that the gyroscope is being used and the fact that smartphone gyroscopes can be accessed from a browser using JavaScript, meaning – in theory – that no actual malware need be installed on the device to execute the attack.

Using his method, Guri was able to achieve speeds of up to eight bits per second at a max distance of eight meters, which the paper claims is faster than other established covert acoustic methods. Guri demonstrated the attack in a video showing an Android app detecting and decoding a message typed on a computer monitor within a few seconds of it being typed.

Youtube Video

NICing data from LEDs

The second attack Guri reported on was EtherLED, which uses the familiar green-and-amber lights on network interface cards to transmit data in Morse code. As opposed to similar attacks that rely on exploiting lights on keyboards, hard drives and the brightness of monitors, Guri said Ethernet LEDs are "a threat that has not been studied before, theoretically or technically."

• LockBit gang hit by DDoS attack after threatening to leak Entrust ransomware data
• Ex-HP finance manager jailed after going on $5m spending spree using company plastic
• Ransomware attack on UK water company clouded by confusion
• 1,900 Signal users exposed: Twilio attacker 'explicitly' looked for certain numbers

In this case, the lights being used is the novel element. As with other optical exfiltration techniques, EtherLED requires a visual line of sight, and as such is limited by the placement of existing hackable cameras that can spot the infected NIC and whether the lights face an outside window where someone could place a drone or other camera capable of picking up the blinks and decoding them. 

Additionally, mitigations like covering NIC lights with black tape still apply. 

That doesn't mean NIC exfiltration wouldn't work. In the paper, Guri reported being able to steal a 100-bit password in less than a minute with two LED colors, an RSA key in 30-60 minutes, and was able to decode a keystroke in two seconds.

When able to access the NIC driver or firmware as part of the exploit, those times drop drastically, with a password exfiltrated in one second, an RSA key transmittable in 42 seconds, and a 1KB text file able to be transmitted in less than two minutes.

What's the big deal?

It's easy to dismiss attacks against air-gapped systems as rare instances targeted against specific types of targets. While uncommon, attacks against such systems can be devastating. 

Air gapping is used widely in military and defense systems, and Guri describes it as a common security practice in critical infrastructure, government agencies, finance, and industrial systems. Because of their extreme security posture, it's safe to assume information stored on air-gapped systems would be very valuable to the right people.

Guri cites Stuxnet, a joint operation between the US and Israel to destroy Iranian nuclear enrichment systems, as a successful air gap infiltration. In addition, "several attacks on air-gapped facilities such as the power utilities and nuclear power plants have been publicized in recent years," Guri wrote.

In other words, these attacks might seem like fodder for spy novels, but someone needs to test the most improbable of attacks to see if they work before someone less scrupulous figures them out. ®