The post "LANtenna hack spies on your data from across the room! (Sort of)" reports that Mordechai Guri of the Ben Gurion University of the Negev (BGU) in Israel has recently published a new data exfiltration paper detailing an unexpectedly effective way of sneaking very small amounts of data out of a cabled network without any obvious interconnection. The paper is entitled LANTENNA: Exfiltrating Data from Air-Gapped Networks via Ethernet Cables, and it is the latest of many BGU publications in recent years dealing with a tricky problem in cybersecurity: earlier examples include using a loudspeaker, the Caps Lock LED, the CPU fan and the screen color to leak information, and turning DRAM into a form of wireless transmitter.
An Israeli researcher has now demonstrated that the radio-frequency emissions of LAN cables can be read with a $30 off-the-shelf setup. Mordechai Guri of Israel’s Ben Gurion University of the Negev described the disarmingly simple technique to The Register: put an ordinary radio antenna up to four metres from a Category 6A Ethernet cable and use an off-the-shelf software-defined radio (SDR) to listen around 250 MHz.
The research paper says:
“The computers are equipped with 10/100/1000 Mbps Gigabit Ethernet card. We tested three types of widely used Cat 5e and Cat 6A Ethernet cables listed in Table V. We also tested a laptop computer and an embedded device (Raspberry Pi) to evaluate the attack on these types of devices.”
“For the reception we used two types of software-defined radio (SDR) receivers, as specified in Table III. The R820T2 RTL-SDR is capable of sampling up to 16bit at narrow band and has RF coverage from 30 MHz to 1.8 GHz or more. The HackRF device has 1 MHz to 6 GHz operating frequency and 8-bit quadrature samples (8-bit I and 8-bit Q).”
Ethernet cables emit electromagnetic waves in the frequency band of 125 MHz and its harmonics (e.g., 250 MHz and 375 MHz), which is why the receiver listens around those frequencies. “Ethernet cable emits electromagnetic waves in the frequency bands of 125 MHz. Changing the adapter speed or turning it on and off makes it possible to regulate the electromagnetic radiation and its amplitude,” says Guri. This potentially opens the door to fully developed cable-sniffing attacks, because “from an engineering perspective, these cables can be used as antennas and used for RF transmission to attack the air-gap,” said Guri. Sniffing LAN cables in this way can reveal details of the network traffic. In one test, data transmitted from an air-gapped computer through its Ethernet cable was received 200 cm away.
In the experiment, UDP packets containing single letters were sent over the target cable at a very low rate and, via a simple algorithm, the received RF signal was turned back into human-readable characters. Nicknamed LANtenna, Guri’s technique is an academic proof of concept rather than a fully fledged attack that could be deployed today, but it shows that RF noise from unshielded LAN cables can be used to leak information from air-gapped networks. The experts explained that air-gapped networks are often wired with Ethernet cables because wireless connections are strictly prohibited to avoid data leaks; clearly even wired networks can leak information when an attacker can get close to them with SDR hardware.
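The modulation the articles describe (make the cable radiate for a 1, silence it for a 0, one bit per fixed period, then threshold the amplitude the SDR sees back into bits) is easier to reason about in code. The following is an added example written for this page, not code from the LANTENNA paper or from any of the quoted articles; the amplitude samples are constructed with random noise rather than captured from an SDR, the bit period, preamble and the `ip link` toggle mentioned in the comment are assumptions, and the decoder is a deliberately simple integrate-and-threshold receiver.

```python
"""Added example (not from the LANTENNA paper): a simulation of the on-off
keyed covert channel.  The sender makes the Ethernet cable radiate (link up,
traffic flowing) for a '1' and silences it (link down) for a '0', one bit per
BIT_PERIOD_SAMPLES; the receiver averages each bit period of the amplitude it
sampled around 125 MHz and thresholds it back into bits.  A real sender would
toggle the NIC, e.g. with `ip link set eth0 down` / `up`; that command choice is
an assumption for illustration, not something the paper specifies."""
import random
from typing import List, Optional

BIT_PERIOD_SAMPLES = 20               # assumed: amplitude samples per bit
PREAMBLE = [1, 0, 1, 0, 1, 1, 0, 0]   # assumed framing pattern marking the first data bit


def text_to_bits(text: str) -> List[int]:
    """Encode ASCII text MSB-first, 8 bits per character."""
    bits = []
    for byte in text.encode("ascii"):
        bits.extend((byte >> i) & 1 for i in range(7, -1, -1))
    return bits


def bits_to_text(bits: List[int]) -> str:
    """Decode MSB-first 8-bit groups; a trailing partial group is dropped."""
    chars = []
    for i in range(0, len(bits) - 7, 8):
        value = 0
        for b in bits[i:i + 8]:
            value = (value << 1) | b
        chars.append(chr(value))
    return "".join(chars)


def modulate(bits: List[int], noise_std: float = 0.1, seed: int = 1) -> List[float]:
    """Sender side: emit the preamble followed by the data as link-up (~1.0)
    and link-down (~0.0) amplitude levels.  Gaussian noise is added so the
    constructed samples resemble what an SDR would actually capture."""
    rng = random.Random(seed)
    samples = []
    for bit in PREAMBLE + bits:
        level = 1.0 if bit else 0.0
        samples.extend(level + rng.gauss(0.0, noise_std)
                       for _ in range(BIT_PERIOD_SAMPLES))
    return samples


def demodulate(samples: List[float]) -> Optional[str]:
    """Receiver side: integrate each bit period, threshold at the midpoint of
    the observed amplitude range, locate the preamble and decode what follows.
    Returns None when no preamble is found (pure noise, nothing to decode)."""
    if not samples:
        return None
    threshold = (max(samples) + min(samples)) / 2.0
    bits = []
    for i in range(0, len(samples) - BIT_PERIOD_SAMPLES + 1, BIT_PERIOD_SAMPLES):
        window = samples[i:i + BIT_PERIOD_SAMPLES]
        bits.append(1 if sum(window) / len(window) > threshold else 0)
    for start in range(len(bits) - len(PREAMBLE) + 1):
        if bits[start:start + len(PREAMBLE)] == PREAMBLE:
            return bits_to_text(bits[start + len(PREAMBLE):])
    return None


if __name__ == "__main__":
    rf = modulate(text_to_bits("AIR"))
    print(len(rf), "samples ->", demodulate(rf))   # 640 samples -> AIR
```

The averaging over a whole bit period is what makes the channel work at all at low signal levels: the per-sample noise is large relative to the signal, but the mean over 20 samples is not, which is also why the paper's channel is slow. Shorter bit periods raise the bit rate and the error rate together.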
The paper proposes several countermeasures:
- implementing zone separation, banning radio receivers from the area of air-gapped networks;
- monitoring the network interface card link activity at the user and kernel levels; any change of the link state should trigger an alert;
- using RF monitoring hardware to identify anomalies in the LANTENNA frequency bands;
- blocking the covert channel by jamming the LANTENNA frequency bands;
- shielding the cables.
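The second countermeasure, alerting on link-state changes, is the one a defender can implement in software today. The following detector is an added example written for this page, not code from the paper or from any product: it scans kernel-log style lines for interface link transitions and alerts when one interface flaps more often than a sender modulating by toggling the link could avoid. The log lines are constructed for the example (Linux NIC drivers log "Link is Up"/"Link is Down" messages, but the exact wording varies by driver), and the window size and flap threshold are assumed starting points to tune per site.

```python
"""Added example (not from the LANTENNA paper): detect link-state flapping,
the pattern a sender that modulates the cable emissions by turning the
adapter off and on would leave in the kernel log.  Raises one alert per
interface the first time its transitions inside a sliding window exceed
MAX_FLAPS.  Log lines below are constructed for the example."""
import re
from collections import defaultdict, deque
from typing import List, Tuple

WINDOW_S = 10.0   # assumed sliding window in seconds
MAX_FLAPS = 3     # assumed: more than this many transitions in the window -> alert

# dmesg-style prefix "[  seconds]" then "<driver> <pci-id> <iface>: [NIC ]Link is Up|Down ..."
LINE_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\]\s+.*?(?P<iface>\w+):\s+(?:NIC\s+)?Link is (?P<state>Up|Down)\b"
)

# Constructed sample log: eth0 comes up once at boot (benign); eth1 is toggled
# five times in two seconds (the covert-channel pattern); one unrelated line.
SAMPLE_LOG = [
    "[  100.100000] e1000e 0000:00:19.0 eth0: NIC Link is Up 1000 Mbps Full Duplex",
    "[  400.000000] igb 0000:01:00.0 eth1: Link is Down",
    "[  400.500000] igb 0000:01:00.0 eth1: Link is Up 100 Mbps",
    "[  401.000000] igb 0000:01:00.0 eth1: Link is Down",
    "[  401.500000] igb 0000:01:00.0 eth1: Link is Up 100 Mbps",
    "[  402.000000] igb 0000:01:00.0 eth1: Link is Down",
    "[  500.000000] usb 1-1: new high-speed USB device number 3 using xhci_hcd",
]


def parse_link_events(lines: List[str]) -> List[Tuple[float, str, str]]:
    """Return (timestamp, interface, state) for every link transition line."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            events.append((float(m.group("ts")), m.group("iface"), m.group("state")))
    return events


def detect_link_flapping(lines: List[str], window_s: float = WINDOW_S,
                         max_flaps: int = MAX_FLAPS) -> List[str]:
    """Sliding-window count of transitions per interface; alert once per
    interface when the count inside the window exceeds max_flaps."""
    recent = defaultdict(deque)   # iface -> timestamps of transitions still in window
    alerted = set()
    alerts = []
    for ts, iface, _state in parse_link_events(lines):
        q = recent[iface]
        q.append(ts)
        while q and ts - q[0] > window_s:   # drop transitions older than the window
            q.popleft()
        if len(q) > max_flaps and iface not in alerted:
            alerted.add(iface)
            alerts.append(f"{iface}: {len(q)} link transitions within "
                          f"{window_s:.0f}s (last at {ts:.3f})")
    return alerts


if __name__ == "__main__":
    for alert in detect_link_flapping(SAMPLE_LOG):
        print("ALERT", alert)   # ALERT eth1: 4 link transitions within 10s (last at 401.500)
```

Feeding it live data is a matter of piping `dmesg -w` or the journal into `detect_link_flapping`; the threshold should sit above the flap rate seen during legitimate cable swaps and switch reboots, and a sender that changes only the negotiated speed rather than the link state would need the speed-change messages matched as well.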