Study: Your Internet Cable Can be Spy Hacked with a $30 setup

An Israeli researcher has demonstrated that LAN cables’ radio frequency emissions can be read by using a $30 off-the-shelf setup, potentially opening the door to fully developed cable-sniffing attacks.

Mordechai Guri of Israel’s Ben Gurion University of the Negev described the disarmingly simple technique to The Register, which consists of putting an ordinary radio antenna up to four metres from a category 6A Ethernet cable and using an off-the-shelf software defined radio (SDR) to listen around 250MHz.

“From an engineering perspective, these cables can be used as antennas and used for RF transmission to attack the air-gap,” said Guri.

His experimental technique consisted of slowing UDP packet transmissions over the target cable to a very low speed and then transmitting single letters of the alphabet. The cable’s radiations could then be picked up by the SDR (in Guri’s case, both an R820T2-based tuner and a HackRF unit) and, via a simple algorithm, be turned back into human-readable characters.

Nicknamed LANtenna, Guri’s technique is an academic proof of concept and not a fully fledged attack that could be deployed today. Nonetheless, the research shows that poorly shielded cables have the potential to leak information which sysadmins may have believed was secure or otherwise air-gapped from the outside world.

He added that his setup’s $1 antenna was a big limiting factor and that specialised antennas could well reach “tens of metres” of range.

“We could transmit both text and binary, and also achieve faster bit-rates,” acknowledged Guri when El Reg asked about the obvious limitations described in his paper [PDF]. “However, due to environmental noises (e.g. from other cables) higher bit-rate are rather theoretical and not practical in all scenarios.”

One obvious further research technique would be to look at sniffing information over network cables at their full operational speeds, Guri having acknowledged that slowing live network traffic down to levels used in his experiment would be impractical. His full paper, however, noted: “Transmitting UDP packets doesn’t require higher privileges or interfering with the OS routing table. In addition, it is possible to evade detection at the network level by sending the raw UDP traffic within other legitimate UDP traffic.”

The academic’s previous research included a technique for turning DRAM into a form of wireless transmitter, as part of his work looking at ways of pwning air-gapped networks.

Professor Alan Woodward of the University of Surrey observed: “What this shows is that even an unplugged Ethernet cable can radiate energy which is detectable.”

He added: “The paper is a nice piece of work and reminds us that whilst you might think something is air-gapped, it might be chattering away over the airwaves. People used to laugh at the great clunky terminals used in secure environments but they arose for a reason: TEMPEST.”

TEMPEST, as we reported 20 years ago, was originally a US government scheme for reducing the amount of RF emissions generated by computer equipment. Today it’s been adopted as a NATO standard, with the UK’s National Cyber Security Centre having a public webpage about it.

โ€œOften,โ€ observed Woodward, โ€œmodern security systems look for data leaving the network to know that they have an intruder. But if itโ€™s leaving on some unmonitored channel (over the air) then it has a low probability of intercept by the security measures.โ€

We look forward to the infosec industry’s next exciting product launch: a full spectrum RF analysis suite plumbed into your SIEM for a low, low subscription rate.
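A host-side check for the slowed UDP signalling described above, as an added example that is not from the article or from Guri's paper. It assumes the signalling is on-off keyed (a burst of packets for a 1, idle for a 0), which the article does not state, and looks at one host's per-interval UDP packet counts for that two-level, slot-aligned shape; the function names, thresholds and sample data are constructed for illustration.

```python
from itertools import groupby

def constructed_keyed(bits="10110010101101", slot=3):
    """Constructed sample: UDP packets per 100 ms from a host that sends a
    burst for each 1 bit and stays idle for each 0 bit (assumed keying)."""
    out = []
    for i, b in enumerate(bits):
        for k in range(slot):
            out.append(400 + (i * 7 + k * 3) % 11 if b == "1" else (i + k) % 2)
    return out

# Constructed sample: ordinary, irregular UDP activity from a workstation.
NORMAL = [12, 3, 0, 45, 7, 120, 33, 0, 2, 61, 18, 5, 90, 14, 0,
          27, 8, 150, 40, 3, 11, 0, 72, 6, 19, 2, 55, 9, 0, 31]

def keying_report(counts, min_runs=8, level_tol=0.15):
    """Flag a per-interval packet-count series that looks on-off keyed."""
    lo, hi = min(counts), max(counts)
    span = hi - lo
    if span == 0:                       # perfectly flat: nothing is keyed
        return {"two_level": False, "slot": None, "suspicious": False}
    # Share of samples sitting close to either the idle or the burst level.
    near = sum(1 for c in counts if min(c - lo, hi - c) <= level_tol * span)
    two_level = near / len(counts) >= 0.95
    bits = [c - lo > span / 2 for c in counts]
    # Run lengths of identical states; edge runs may be cut off, so drop them.
    runs = [len(list(g)) for _, g in groupby(bits)][1:-1]
    slot = min(runs) if runs else None
    # Slow keying: each run is a whole number of slots and a slot spans
    # several sampling intervals (slot >= 2).
    regular = bool(runs) and slot >= 2 and all(r % slot == 0 for r in runs)
    return {"two_level": two_level, "slot": slot,
            "suspicious": two_level and regular and len(runs) >= min_runs}

if __name__ == "__main__":
    print("keyed :", keying_report(constructed_keyed()))
    print("normal:", keying_report(NORMAL))
```

Signalling blended into other legitimate UDP traffic, as the paper quote above describes, flattens the two-level shape, so a hit here is one signal to correlate rather than a complete detector.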

See more here: theregister.com

Header image: CSO Online


Comments (3)

  • Howdy

    Electromagnetic radiation from current-carrying cables is nothing new, and the title is incorrect. LAN is not internet cable.

    “His experimental technique consisted of slowing UDP packet transmissions over the target cable to a very low speed”
    So not applicable in the real world then.

    “specialised antennas could well reach “tens of metres” of range. “However, due to environmental noises (e.g. from other cables) higher bit-rate are rather theoretical and not practical in all scenarios.””
    There’s always something…

    “it is possible to evade detection at the network level by sending the raw UDP traffic within other legitimate UDP traffic.””
    I’d like to see how that fits in with other signals already passing through the cable. Wouldn’t the “hacking” device need its own IP? Spoofing would be detected in most environments. I guess that would give the game away, and the radiated interference to other signals within the cable would cause visible slowdowns of a full speed flow still raising the alarm. Except the experiment can’t do that.

    “But if it’s leaving on some unmonitored channel (over the air) then it has a low probability of intercept by the security measures.””
    You can certainly grab it, but it’s UDP traffic, as stated. How much use is it as a fully fledged attack, even if you can make it work in any useful speed?

    “What this shows is that even an unplugged Ethernet cable can radiate energy which is detectable.”
    People can radiate detectable energy if it impinges the body, as an extension! Even wet string can give secrets away.
    Ever picked up, or even gone near a portable radio and the signal improves/reduces? You become part of the receiving antenna (aerial) to boost the reception, or impinge on it by causing interference. This is school boy stuff.

    Much ado about nothing.

  • Howdy

    “This is school boy stuff.”
    My apologies. It was basic grounding at one time, before indoctrination took over.

  • Daniel Staggers

    10’s of meter range? Seriously, so you’re saying you can hack a CAT 5 cable further than the range of a Wi-Fi antenna? But even 10’s of meter range is only 30 feet. Bluetooth range and easily spotted.
