Pedro Umbelino, a researcher on the Checkmarx Security Research Team, presented recently at Hack.lu. The focus was on covert channels for air-gapped systems, data exfiltration, NFC research and BLE Smart Bulb research.

1. Mind the (Air)Gap
Data Exfiltration via NFC and Smart Bulbs

2. Email – pedro@char49.com
IRC – kripthor irc.overthewire.org
Twitter - @kripthor
http://pgp.mit.edu:11371/pks/lookup?search=0x64490c55
Pedro Umbelino
Senior Security Researcher
@Checkmarx Research Team
Mind the (Air)Gap | 2
~$ whoami

3. ~$ ls -la
What is this talk about?
Airgap Covert Channels
Data Exfiltration
NFC Research and Demo
BLE Smart Bulb Research and Demo
Mind the Air(Gap)| 3

4. ~$ ls -la
Why Research Airgaps?
High security environments are
increasing, new data exfiltration
methods needed
Low fingerprint or stealthy requirements
Low permissions bypass
Extra challenging, it’s fun and
Hollywood has nothing on us
Mind the Air(Gap)| 4

5. ~$ cat what_is_an_airgap.txt
Mind the (Air)Gap | 5
Airgap
Definition
Air-gapping is a measure or set of measures to ensure a secure computer is physically isolated from unsecured
networks, such as the public Internet or an unsecured local area network.
The name arises from the technique of creating a network that is physically separated (with a conceptual air gap)
from all other networks.
The concept represents nearly the maximum protection one network can have from another (save turning the device
off).
Applications where air-gapping are seen most often:
Military/governmental computer networks/systems
Financial computer systems
Industrial control systems nuclear power plants, aviation, medical equipment

6. ~$ cat what_is_an_airgap.txt
Mind the (Air)Gap | 6
Airgap covert channel
Definition
An air-gap covert channel could be defined as any unintentional channel that is used to transmit and/or receive data
between systems in which air-gapping measures were taken at the emitter, receiver or both.
Unintentional means that the channel was not originally designed to be used as a data communications channel in the
way that it is being used. In this sense, it could also be called out-of-band.
Although there might be some additional software (malware) needed at the target system to make a particular covert
channel viable, there is no additional hardware installed on such systems.

7. ~$ cat what_is_an_airgap.txt
Mind the (Air)Gap | 7
Airgap covert channel supports
Physical Media
Acoustic
Light
Seismic
Magnetic
Thermal
Electromagnetic

8. Real World Examples
From the 80s to Today

9. ~$ cat examples.txt
Mind the (Air)Gap | 9
Examples
Electromagnetic emissions
Van Eck Phreaking (1985)
Markus Kuhn (2004)

10. ~$ cat examples.txt
Mind the (Air)Gap | 10
Examples
Electromagnetic emissions
Barisani and Bianco (2009, PS/2 ground)
Vuagnoux and Pasini (2009, EMF leak, all keyboards)
Light emissions
Loughry and Umphress (2002, CapsLock)

11. ~$ cat examples.txt
Mind the (Air)Gap | 11
Examples
Sound emissions
Asonov and Agrawal (2004, Neural Network for keyboards)
Hanspach and Goetz (2013, Acoustic mesh)

12. ~$ cat state_of_the_art.txt
Mind the (Air)Gap | 12
Latest research
Electromagnetic
Ben-Gurion University (2014, AirHopper, FM transmitter)
Ben-Gurion University (2015, GSMem)
Ben-Gurion University (2016, USBee)
Magnetic
Ben-Gurion University (2018, ODINI)
Acoustic
Tromer, Shamer and Genkin (2014, Acoustic Crypto)

13. ~$ cat state_of_the_art.txt
Mind the (Air)Gap | 13
Latest research
Thermal
Ben-Gurion University (2015, BitWhisper)
Light
Ben-Gurion University (2014, Scanner / Laser Drone)
Seismic
Deshotels (2014, smartphone ultrashort vibrations)

14. Data Exfiltration Research
#1 - Light bulbs Are Getting Smart

15. ~$ cat lightbulb_tale.txt
Mind the (Air)Gap | 15
A BLE tale, from failed root to data exfiltration via a lightbulb
How it began
I like to research stuff. Random stuff. Sometimes even security related stuff.
Turns out I’m not alone. David Sopas shares the same illness.
David nowadays is researching a lot in IoT, when he is not overseeing a bunch of crazy researchers.
Some months ago, he told me about a light bulb he was hacking into and so the story begins…

16. ~$ cat lightbulb_tale.txt
Mind the (Air)Gap | 16
A BLE light bulb, from China with love
Plan A failed
The main idea was, well, to get root on the light bulb.
It wasn’t feasible with the research but there was still something that was possible to control, the light itself.
We were very surprised to see that there were no authentication when it comes to use the lamp. /s
Basic BLE security fails.

17. ~$ cat lightbulb_tale.txt
Mind the (Air)Gap | 17
Enumeration and reversing
BLEAH
BLEAH enumeration
One writable characteristic
Reversing the Android app
Profit, RGB color set

18. ~$ cat lightbulb_tale.txt
Mind the (Air)Gap | 18
Implementation and Testing
The blue channel
Preamble TrailerByte 1
The transmitter was implemented using a simple scheme, by changing the blue light intensity, weaker for binary 1,
stronger for binary 0.
The blue channel was chosen because the human eye has more difficulties in distinguish shades of blue.
The demonstration protocol is simple, for each byte, a preamble and trailer. There is lots of room for improvement.
The low speed of change in light allows for a regular smartphone camera to be able to detect and process the data
(low FPS). A low cost, off the shelf solution.

19. ~$ cat lightbulb_tale.txt
Mind the (Air)Gap | 19
BLEExfil – Data exfiltration from a compromised device via a BLE
light bulb
Attack scenario example
A BLE enabled device has been compromised by malware that steals users credentials
The malware wants to leak the information to an attacker and must be completely stealthy or there is an air-gap in effect
disabling “normal” transmissions (Wifi, Ethernet, GSM/GPRS, etc…), so it uses a nearby BLE lightbulb for exfiltration.
The attacker receives the credentials across the street using a normal smartphone, maybe using a telescope if the light
bulb is far away.

20. BLEExfil - Live Demo
Let the Sacrifice of a Small Penguin Appease the Demo Gods

21. Data Exfiltration Research
#2 - Android and NFC

22. ~$ cat android_tale.txt
Mind the (Air)Gap | 22
An Android tale, from OS audit to NFC data exfiltration
How it began
I like to research stuff. Random stuff. Sometimes even security related stuff.
My overlords are awesome! :)
An Android device audit turned into full Android 6.0 OS audit
Previous experience on Android (CVE-2013-6271 Remove locks, CVE-2013-6272 + Kolme)
Permissions and opportunity
android.nfc.NfcAdapter -> enableReaderMode(…);

23. ~$ cat android_tale.txt
Mind the (Air)Gap | 23
--- Near Field Communications ---
NFC 101
Near-field communication (NFC) is a set of communication protocols that enable two electronic devices, one of which
can be a portable device such as a smartphone, to establish communication by bringing them within 4 cm of each
other.
NFC always involves an initiator and a target; the initiator actively generates an RF field that can power a passive
target, by means of electromagnetic induction between two loop antennas located within each other's near field.
It operates in the radio frequency band of 13.56 MHz.
A device can be a reader and/or a writer. A device (or cards) can be configured as Type A, Type B and others. The
main differences between types concern modulation methods, coding schemes and protocol initialization procedures.

24. ~$ cat android_tale.txt
Mind the (Air)Gap | 24
An Android tale, from OS audit to NFC data exfiltration
Being creative
android.nfc.NfcAdapter -> enableReaderMode(…);
No permissions needed, despite NFC permission blocks everything else
But what does it do exactly?

25. ~$ cat android_tale.txt
Mind the (Air)Gap | 25
An android tale, from OS audit to NFC data exfiltration
Normal Type-A pooling:
RTL-SDR to the rescue

26. ~$ cat android_tale.txt
Mind the (Air)Gap | 26
An Android tale, from OS audit to NFC data exfiltration
Different modes for NFC operation were tested and visualized with the SDR.
If the device is configured as FLAG_READER_NFC_F (among others), the device immediately starts to pool for
nearby tags.
If the device is configured as FLAG_READER_SKIP_NDEF_CHECK, the device immediately is in radio silence (for
our purposes).
What if:
Abusing

27. ~$ cat android_tale.txt
Mind the (Air)Gap | 27
An Android tale, from OS audit to NFC data exfiltration
Are you OOK?
NFC controllable bursts:
Timing not completely controllable
Data exfiltration via bursts
On-Off Keying is the immediate idea

28. ~$ cat android_tale.txt
Mind the (Air)Gap | 28
An Android tale, from OS audit to NFC data exfiltration
Implementation and Testing
We can control the NFC radio (without any permissions); let’s implement a data exfiltration method!
Using radio bursts for binary 1 and silence for binary 0, the simplest ASK implementation = OOK.
Transmission protocol includes Hamming(7,4) correction codes for each nibble, to compensate for interference.
Preamble
Nibble 1 EC1 Nibble 2 EC2
TrailerByte 1 Byte N. . .

29. ~$ cat android_tale.txt
Mind the (Air)Gap | 29
An Android tale, from OS audit to NFC data exfiltration
Implementation and Testing
How can we receive the signal? Custom hardware? SDR decoding?
Remember 13.56Mhz? AKA High Frequency waves, aka Short waves.
A high end receiver is probably nice, a cheap one works as well :).
The receiver is an Android app that collects data from the mic jack.
Practical, low cost receiver with off the shelf components.

30. ~$ cat android_tale.txt
Mind the (Air)Gap | 30
An Android tale, from OS audit to NFC data exfiltration
Ultra low cost long range NFC data exfiltration
Nice. Wait, what do you mean long range? N.F.C. - the N is for near, right?
Turns out that no. Remember the pooling process? It’s sort of a strong signal…
Data exfiltration, one way.
Ok so more than 4cm. How much more then? 40cm? 400cm?
Over forty meters – 40m.

31. ~$ cat android_tale.txt
Mind the (Air)Gap | 31
NFCDrip – Data exfiltration from a compromised device via NFC
Attack scenario example
A NFC enabled device has been compromised by malware that steals users credentials
The malware wants to leak the information to an attacker and must be completely stealthy or there is an air-gap in effect
disabling “normal” transmissions (Wi-Fi, Ethernet, Bluetooth, GSM/GPRS, etc…), so it uses NFC for exfiltration.
The attacker receives the credentials across the street using a normal inconspicuous AM radio connected to his
smartphone.

32. NFCDrip - Live Demo
As he stands in the room, he looks around.
- ”Murphy… are you there?...”

33. ~$ cat conclusion.txt
Mind the (Air)Gap | 33
Research conclusions
“To him that will, ways are not wanting”
Imagination knows no boundaries. As long as a device is on, people will find a way
to exfiltrate data out of it.
The IoT brings extra challenges to security that come into effect with air
gapping processes and policies.
Even a BLE light bulb can be used to exfiltrate data from kilometers away.
NFC should no longer be considered a short range channel. It is demonstrated
that it can be abused effectively on long range, using low cost equipment.

34. ~$ apropos wtf?
Mind the (Air)Gap | 34
Q / A