USBee attack inspired by NSA's COTTONMOUTH cyber-weapon

Sep 3, 2016 11:00 GMT

Researchers from the Ben-Gurion University in Israel have discovered a novel method of using USB connectors to steal data from air-gapped computers without the need for special radio-transmitting hardware mounted on the USB.

Their attack scenario relies on infecting a computer with malware they've created, called USBee.

An NSA cyber-weapon inspired the research

The researchers said their work was inspired by NSA cyber-weapons, specifically the COTTONMOUTH hardware implant listed in the catalog of NSA hacking tools leaked by Edward Snowden and published by the German magazine Der Spiegel.

USBee improves on COTTONMOUTH because it does not require an NSA operative to smuggle a modified USB connector, dongle, or thumb drive into the location from which they want to steal data, nor does it rely on implants in USB firmware or drivers.

The malware created by researchers can be spread like regular computer malware, and once it reaches a high-value target, it will work with any USB connector plugged into the computer, regardless of whether it's a USB dongle, thumb drive, or cable interconnecting the PC with a nearby device.

USBee steals data via electromagnetic emissions

In simple terms, the USBee malware issues a crafted sequence of commands over the USB connector's data bus, and the bus gives off electromagnetic emissions while it processes them.

Researchers have found a series of operations that can make the USB's data bus give off electromagnetic emissions at two very different frequencies, which they use to represent binary "1" and "0."

The malware takes the information it wants to steal, breaks it down into ones and zeros, and then transmits those bits through the USB connector to a nearby radio antenna.
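To make concrete what "two very different frequencies representing 1 and 0" means, and why such a channel degrades with distance, here is an added simulation that is not from the article or the researchers' paper. It models a generic binary frequency-shift-keyed channel in pure Python: bits are encoded as bursts at one of two tones, additive Gaussian noise stands in for the weakening signal at a farther receiver, and a Goertzel detector recovers the bits and reports the bit-error rate. All parameters (sample rate, tone frequencies, bit rate, noise level) are constructed for the illustration and have no relation to USBee's actual emission frequencies; nothing here touches USB hardware.

```python
"""Toy binary-FSK covert-channel model (added illustration, not USBee code)."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class ChannelConfig:
    sample_rate: int = 8000   # constructed: samples per second of the modelled signal
    f0: float = 1000.0        # constructed: tone that represents a binary 0
    f1: float = 2000.0        # constructed: tone that represents a binary 1
    bit_rate: int = 100       # constructed: bits per second

    @property
    def samples_per_bit(self) -> int:
        return self.sample_rate // self.bit_rate


def bytes_to_bits(data: bytes) -> list:
    """Expand bytes into a list of bits, most significant bit first."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits: list) -> bytes:
    """Pack bits (MSB first) back into bytes; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def modulate(bits: list, cfg: ChannelConfig) -> list:
    """Emit one sinusoidal burst per bit at f1 for a 1 and f0 for a 0."""
    samples = []
    for bit in bits:
        freq = cfg.f1 if bit else cfg.f0
        for n in range(cfg.samples_per_bit):
            samples.append(math.sin(2 * math.pi * freq * n / cfg.sample_rate))
    return samples


def add_noise(samples: list, sigma: float, seed: int) -> list:
    """Add zero-mean Gaussian noise; larger sigma mimics a more distant receiver."""
    rng = random.Random(seed)
    return [s + rng.gauss(0.0, sigma) for s in samples]


def goertzel_power(samples: list, target_freq: float, sample_rate: int) -> float:
    """Squared magnitude of the DFT bin nearest target_freq (Goertzel algorithm)."""
    n = len(samples)
    k = int(round(n * target_freq / sample_rate))
    coeff = 2.0 * math.cos(2 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def demodulate(samples: list, cfg: ChannelConfig) -> list:
    """Decide each bit by comparing energy at the two tones within its window."""
    bits = []
    step = cfg.samples_per_bit
    for start in range(0, len(samples) - step + 1, step):
        window = samples[start:start + step]
        p0 = goertzel_power(window, cfg.f0, cfg.sample_rate)
        p1 = goertzel_power(window, cfg.f1, cfg.sample_rate)
        bits.append(1 if p1 > p0 else 0)
    return bits


def bit_error_rate(sent: list, received: list) -> float:
    errors = sum(1 for a, b in zip(sent, received) if a != b)
    return errors / len(sent) if sent else 0.0


def simulate(message: bytes, noise_sigma: float, seed: int = 0,
             cfg: ChannelConfig = ChannelConfig()) -> dict:
    """Send a message through the modelled channel and report what came out."""
    sent_bits = bytes_to_bits(message)
    received_bits = demodulate(add_noise(modulate(sent_bits, cfg), noise_sigma, seed), cfg)
    return {
        "recovered": bits_to_bytes(received_bits),
        "ber": bit_error_rate(sent_bits, received_bits),
        "airtime_seconds": len(sent_bits) / cfg.bit_rate,
    }


if __name__ == "__main__":
    for sigma in (0.5, 5.0, 20.0):
        result = simulate(b"air-gap", noise_sigma=sigma, seed=1)
        print(f"noise sigma={sigma:5.1f}  BER={result['ber']:.3f}  recovered={result['recovered']!r}")
```

Raising `noise_sigma` is the knob that stands in for moving the receiver away from the emitting machine: at low noise the message comes back intact, and as noise grows the detector's decisions collapse toward coin flips, which is why covert channels of this kind trade range against throughput and why reported figures such as 80 bytes per second only hold within some limited distance.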

The first "weird" data-theft attack to be feasible in real life

In the past, the same Ben-Gurion University researchers created attacks that steal data from air-gapped PCs using the sounds emitted by a computer's GPU fan (Fansmitter); using HDD sounds (DiskFiltration); using the heat given off by a computer's internal components (BitWhisper); using radio signals (AirHopper); and using a computer's coil whine noise and overall electromagnetic field.

All of the scenarios above have very low transmission speeds, usually no more than 10 bits per minute, and work only over a very short distance, usually 3-5 meters at most.

USBee can transmit data up to 80 bytes per second, and at larger distances than all previous attacks (researchers did not specify the maximum distance in meters).

This breakthrough makes USBee the second theoretical attack the team developed that can be deployed in real-world scenarios right away and be effective. The first was AirHopper, which exfiltrated 60 bytes of data per second and worked at distances up to seven meters.

Below is a short video of the attack, but more details can be found in the paper USBee: Air-Gap Covert-Channel via Electromagnetic Emission from USB.

Photo gallery: attack rig used in USBee tests; NSA's COTTONMOUTH implant.