Hackers no longer need the Internet to invade and control a system, Ben Gurion University researchers say
The hack isnâ€™t new, according to Prof. Yuval Elovici, head of BGUâ€™s Cyber Security Lab. The technique was used to attack Iranian servers in the Stuxnet hack attack. Whatâ€™s new is the use of a cellphone to do it.
The Iranian network targeted by Stuxnet was an air-gapped one, connected only to local computers, with no external connection to the Internet. The virus infected the servers controlling the Iranian nuclear programâ€™s centrifuges, â€œchokingâ€ them until they ground to a halt. It was, many experts believe, physically transferred to the closed network via a USB flash drive. The attack described by Elovici is light-years ahead of Stuxnet, because no physical contact is required to compromise a system.
Even if you donâ€™t think your computer is connected to anything, it sendsÂ electromagnetic or acoustic emanations fromÂ its hardware. The NSAâ€™s (National Security Agency) TEMPEST program usesÂ special devices to pick up data from computers and servers via leaking emanations, including unintentional radio or electrical signals, sounds, and vibrations from hardware such asÂ video monitors, keyboards, network cardsÂ andÂ memory chips.
Each stroke on a keyboard, for example, transmits an electrical signal that runs through a computerâ€™s processor and shows up on the monitor, emitting electromagnetic waves. Since each letter is unique, each key gives offÂ a different frequency wave. If a hacker canÂ capture those waves and reconstruct them, he couldÂ figure out what usernames and passwords were used to log onto the network.
How could a mobile phone be used to hack into an air-gapped network? In a take-off of anÂ email phishing attack, a hacker could send an unsuspecting employee in a sensitive installation a text message that looks legitimate, but contains a link to malware that surreptitiously gets installed on their cellphone.
Once the malware is on the phone, it scans for electromagnetic waves which can be manipulated to build a network connection using FM frequencies to install a virus onto a computer or server. Eloviciâ€™s team has demonstrated how this is done with computer video cards and monitors.Â With the virus installed on the system, the phone connects to it via the FM frequency,Â sucksÂ information out of the server and uses the phoneâ€™s cellphone network connection to transmit the data back to hackers. All thatâ€™s needed is physical proximity to the system. The team said thatÂ one to six meters is enough.
Elovici and his team demonstrated this technique to President Shimon Peres during hisÂ visitÂ toÂ BGUâ€™s Cyber Lab last month.
Right now, Elovici said, thereâ€™s little that can be done to prevent this kind of cyber-attack other than turning off the phone. As that is not a practical solution in this day and age, his team is searching for other solutions. Itâ€™s a major security risk, he said. Until a solution isÂ found, that risk willÂ only increase, as news of the hack spreads in the hacker community.
- Click to share on Facebook (Opens in new window)
- Click to share on Twitter (Opens in new window)
- Click to share on Google+ (Opens in new window)
- Click to share on WhatsApp (Opens in new window)
- Click to share on Tumblr (Opens in new window)
- Click to share on Skype (Opens in new window)
- Click to print (Opens in new window)