Study: Your Internet Cable Can be Spy Hacked with a $30 setup

An Israeli researcher has demonstrated that LAN cables’ radio frequency emissions can be read by using a $30 off-the-shelf setup, potentially opening the door to fully developed cable-sniffing attacks.

Mordechai Guri of Israel’s Ben Gurion University of the Negev described the disarmingly simple technique to The Register: it consists of putting an ordinary radio antenna up to four metres from a category 6A Ethernet cable and using an off-the-shelf software-defined radio (SDR) to listen around 250MHz.

“From an engineering perspective, these cables can be used as antennas and used for RF transmission to attack the air-gap,” said Guri.

His experimental technique consisted of slowing UDP packet transmissions over the target cable to a very low speed and then transmitting single letters of the alphabet. The cable’s radiations could then be picked up by the SDR (in Guri’s case, both an R820T2-based tuner and a HackRF unit) and, via a simple algorithm, be turned back into human-readable characters.

Nicknamed LANtenna, Guri’s technique is an academic proof of concept and not a fully fledged attack that could be deployed today. Nonetheless, the research shows that poorly shielded cables have the potential to leak information which sysadmins may have believed was secure or otherwise air-gapped from the outside world.

He added that his setup’s $1 antenna was a big limiting factor and that specialised antennas could well reach “tens of metres” of range.

“We could transmit both text and binary, and also achieve faster bit-rates,” acknowledged Guri when El Reg asked about the obvious limitations described in his paper [PDF]. “However, due to environmental noises (e.g. from other cables) higher bit-rate are rather theoretical and not practical in all scenarios.”

One obvious further research technique would be to look at sniffing information over network cables at their full operational speeds, Guri having acknowledged that slowing live network traffic down to levels used in his experiment would be impractical. His full paper, however, noted: “Transmitting UDP packets doesn’t require higher privileges or interfering with the OS routing table. In addition, it is possible to evade detection at the network level by sending the raw UDP traffic within other legitimate UDP traffic.”
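One way a defender might look for the slow UDP signalling described above in per-host packet timestamps: flag a sender whose UDP output alternates between dense bursts and near-silence in fixed time slots, even when light background traffic is mixed in. This is an added example, not code from Guri's paper or from The Register; the on/off burst encoding, the one-second slot, the thresholds and the four sample hosts are assumptions constructed for illustration.

```python
def slot_counts(timestamps, slot, duration):
    """Count packets in each fixed-length time slot over [0, duration)."""
    counts = [0] * int(duration / slot)
    for t in timestamps:
        i = int(t / slot)
        if 0 <= i < len(counts):
            counts[i] += 1
    return counts

def looks_like_onoff_keying(timestamps, slot=1.0, duration=32.0,
                            min_burst=20, min_transitions=8):
    """Heuristic: traffic that flips between two clear levels many times."""
    counts = slot_counts(timestamps, slot, duration)
    high = sorted(counts)[int(0.9 * len(counts))]  # typical busy-slot volume
    if high < min_burst:                           # sparse chatter, no bursts
        return False
    on = [c >= 0.5 * high for c in counts]
    off = [c <= 0.25 * high for c in counts]
    ambiguous = sum(1 for a, b in zip(on, off) if not a and not b)
    transitions = sum(a != b for a, b in zip(on, on[1:]))
    return (ambiguous <= 0.1 * len(counts)         # slots are clearly on or off
            and 0.2 <= sum(off) / len(counts) <= 0.8
            and transitions >= min_transitions)

def packets(per_slot):
    """Build constructed timestamps: per_slot[i] packets spread across slot i."""
    return [i + k / n for i, n in enumerate(per_slot) for k in range(n)]

# Constructed sample data (not captured traffic): a 32-slot on/off pattern.
PATTERN = "10110011100010110100111000101101"
SAMPLES = {
    "host-a": packets([40 * int(b) for b in PATTERN]),      # keyed bursts only
    "host-b": packets([5 + 40 * int(b) for b in PATTERN]),  # bursts + background
    "host-c": packets([40] * 32),                           # steady stream
    "host-d": packets([1 if i % 3 == 0 else 0 for i in range(32)]),  # sparse
}

def flagged_hosts(samples):
    return sorted(h for h, ts in samples.items() if looks_like_onoff_keying(ts))

if __name__ == "__main__":
    print("possible on/off keyed UDP senders:", flagged_hosts(SAMPLES))
```

Legitimate bursty applications can trip a heuristic like this, so its output is a lead for review rather than a verdict.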

The academic’s previous research included a technique for turning DRAM into a form of wireless transmitter, as part of his work looking at ways of pwning air-gapped networks.

Professor Alan Woodward of the University of Surrey observed: “What this shows is that even an unplugged Ethernet cable can radiate energy which is detectable.”

He added: “The paper is a nice piece of work and reminds us that whilst you might think something is air-gapped, it might be chattering away over the airwaves. People used to laugh at the great clunky terminals used in secure environments but they arose for a reason: TEMPEST.”

TEMPEST, as we reported 20 years ago, was originally a US government scheme for reducing the amount of RF emissions generated by computer equipment. Today it’s been adopted as a NATO standard, with the UK’s National Cyber Security Centre having a public webpage about it.

“Often,” observed Woodward, “modern security systems look for data leaving the network to know that they have an intruder. But if it’s leaving on some unmonitored channel (over the air) then it has a low probability of intercept by the security measures.”

We look forward to the infosec industry’s next exciting product launch: a full spectrum RF analysis suite plumbed into your SIEM for a low, low subscription rate.

See more here: theregister.com


PRINCIPIA SCIENTIFIC INTERNATIONAL, legally registered in the UK as a company incorporated for charitable purposes. Head Office: 27 Old Gloucester Street, London WC1N 3AX. 


Comments (3)

  • Howdy

    Electromagnetic radiation from current carrying cables is nothing new, and the title is incorrect. LAN is not internet cable.

    “His experimental technique consisted of slowing UDP packet transmissions over the target cable to a very low speed”
    So not applicable in the real world then.

    “specialised antennas could well reach “tens of metres” of range. “However, due to environmental noises (e.g. from other cables) higher bit-rate are rather theoretical and not practical in all scenarios.””
    There’s always something…

    “it is possible to evade detection at the network level by sending the raw UDP traffic within other legitimate UDP traffic.””
    I’d like to see how that fits in with other signals already passing through the cable. Wouldn’t the “hacking” device need its own IP? Spoofing would be detected in most environments. I guess that would give the game away, and the radiated interference to other signals within the cable would cause visible slowdowns of a full speed flow still raising the alarm. Except the experiment can’t do that.

    “But if it’s leaving on some unmonitored channel (over the air) then it has a low probability of intercept by the security measures.””
    You can certainly grab it, but it’s UDP traffic, as stated. How much use is it as a fully fledged attack, even if you can make it work in any useful speed?

    “What this shows is that even an unplugged Ethernet cable can radiate energy which is detectable.”
    People can radiate detectable energy if it impinges the body, as an extension! Even wet string can give secrets away.
    Ever picked up, or even gone near a portable radio and the signal improves/reduces? You become part of the receiving antenna (aerial) to boost the reception, or impinge on it by causing interference. This is school boy stuff.

    Much ado about nothing.

  • Howdy

    “This is school boy stuff.”
    My apologies. It was basic grounding at one time, before indoctrination took over.

  • Daniel Staggers

    10’s of meter range? Seriously, so you’re saying you can hack a CAT 5 cable further than the range of a Wi-Fi antenna? But even 10’s of meter range is only 30 feet. Bluetooth range and easily spotted.
