USBee makes USB devices transmit data from air-gapped computers
After devising ways of exfiltrating data from air-gapped computers via mobile phones, radio frequencies, heat, rogue software that transmits electromagnetic signals at cellular frequencies, hard drive noise and fan noise, Mordechai Guri, along with other researchers from the Ben-Gurion University of the Negev’s Cyber Security Research Center, has now demonstrated that USB devices can be turned into short-range RF transmitters via their USBee malware.
Unlike COTTONMOUTH, NSA’s USB hardware implant that allows attackers to infiltrate air-gapped systems, load exploit software on and exfiltrate data from them, USBee uses generic, otherwise unmodified USB devices, and equips them with software that intentionally generates controlled electromagnetic emissions from the data bus of a USB connector.
The team created a receiver (a $30 RTL-SDR software-defined radio connected to a laptop) and demodulator to see how effective this data exfiltration approach is, and they established that USBee can transmit data at a rate of 80 bytes per second. This is enough to quickly exfiltrate things like passwords or encryption keys.
The receiver can be positioned up to nine feet away from the transmitting USBee, and still successfully receive the sent data. The gap can be even wider if the USB transmitter is equipped with a cable that can function as an antenna.
Of course, for this attack to work, this specific malware has to already be present on the targeted computer, which means the computer has already been compromised, most likely by an insider, since an air-gapped computer is not connected to the Internet or to any other network.
Average users do not have to worry about run-of-the-mill cyber crooks wielding USBee, but intelligence agencies and government-backed hacking teams involved in cyber espionage could definitely find this approach useful in some cases.
The researchers pointed out a few countermeasures that could help defend air-gapped computers from this type of attack, including physical isolation (shielding the USB components or otherwise preventing their electromagnetic radiation from escaping) and placing the air-gapped computer in a restricted area, far away from other electronic equipment.