Study: Your Internet Cable Can be Spy Hacked with a $30 setup
An Israeli researcher has demonstrated that LAN cables’ radio frequency emissions can be read by using a $30 off-the-shelf setup, potentially opening the door to fully developed cable-sniffing attacks.
Mordechai Guri of Israel’s Ben Gurion University of the Negev described the disarmingly simple technique to The Register, which consists of putting an ordinary radio antenna up to four metres from a category 6A Ethernet cable and using an off-the-shelf software defined radio (SDR) to listen around 250MHz.
“From an engineering perspective, these cables can be used as antennas and used for RF transmission to attack the air-gap,” said Guri.
His experimental technique consisted of slowing UDP packet transmissions over the target cable to a very low speed and then transmitting single letters of the alphabet. The cable’s radiations could then be picked up by the SDR (in Guri’s case, both an R820T2-based tuner and a HackRF unit) and, via a simple algorithm, be turned back into human-readable characters.
Nicknamed LANtenna, Guri’s technique is an academic proof of concept and not a fully fledged attack that could be deployed today. Nonetheless, the research shows that poorly shielded cables have the potential to leak information which sysadmins may have believed was secure or otherwise air-gapped from the outside world.
He added that his setup’s $1 antenna was a big limiting factor and that specialised antennas could well reach “tens of metres” of range.
“We could transmit both text and binary, and also achieve faster bit-rates,” acknowledged Guri when El Reg asked about the obvious limitations described in his paper [PDF]. “However, due to environmental noises (e.g. from other cables) higher bit-rate are rather theoretical and not practical in all scenarios.”
One obvious further research technique would be to look at sniffing information over network cables at their full operational speeds, Guri having acknowledged that slowing live network traffic down to levels used in his experiment would be impractical. His full paper, however, noted: “Transmitting UDP packets doesn’t require higher privileges or interfering with the OS routing table. In addition, it is possible to evade detection at the network level by sending the raw UDP traffic within other legitimate UDP traffic.”
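For defenders, the network-level side of this can be sketched as a heuristic over flow timestamps. The code below is an added example, not taken from the paper or the original article: it flags a UDP flow whose packets fall into clean busy and silent time slots. The on/off slot keying, the slot width, the thresholds and all function names are assumptions made for illustration.

```python
# Added example: flag a flow whose UDP packets arrive in clean on/off time slots.
# Assumption: the sender keys data by alternating busy and silent slots of a
# known width; the article itself only says the UDP traffic was slowed down.

def slot_counts(times_ms, slot_ms):
    """Count packets per fixed-width slot, measured from the first packet."""
    ts = sorted(times_ms)
    origin = ts[0]
    counts = [0] * ((ts[-1] - origin) // slot_ms + 1)
    for t in ts:
        counts[(t - origin) // slot_ms] += 1
    return counts

def keyed_pattern(times_ms, slot_ms, min_slots=8, min_transitions=4):
    """Return the on/off slot string if the flow looks keyed, else None."""
    if not times_ms:
        return None
    counts = slot_counts(times_ms, slot_ms)
    if len(counts) < min_slots:
        return None
    peak = max(counts)
    bits = []
    for c in counts:
        if c <= 0.1 * peak:
            bits.append("0")      # silent slot
        elif c >= 0.7 * peak:
            bits.append("1")      # busy slot
        else:
            return None           # in-between load: ordinary variable traffic
    pattern = "".join(bits)
    transitions = sum(a != b for a, b in zip(pattern, pattern[1:]))
    return pattern if transitions >= min_transitions else None

def burst(slot_index, count, slot_ms=1000):
    """Constructed helper: `count` evenly spaced packets inside one slot."""
    step = slot_ms // count
    return [slot_index * slot_ms + j * step for j in range(count)]

# Constructed sample flows (integer millisecond timestamps), not captured data.
KEYED = [t for i, b in enumerate("1011001011") if b == "1" for t in burst(i, 90)]
STEADY = [t for i in range(10) for t in burst(i, 50)]
VARIABLE = [t for i, c in enumerate([50, 20, 35, 50, 10, 45, 25, 50]) for t in burst(i, c)]

if __name__ == "__main__":
    for name, flow in (("keyed", KEYED), ("steady", STEADY), ("variable", VARIABLE)):
        print(name, keyed_pattern(flow, 1000))
```

The heuristic only catches an unmasked sender: interleaving the bursts with legitimate UDP traffic, as the paper quote above describes, fills the silent slots and defeats it.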
The academic’s previous research included a technique for turning DRAM into a form of wireless transmitter, as part of his work looking at ways of pwning air-gapped networks.
Professor Alan Woodward of the University of Surrey observed: “What this shows is that even an unplugged Ethernet cable can radiate energy which is detectable.”
He added: “The paper is a nice piece of work and reminds us that whilst you might think something is air-gapped, it might be chattering away over the airwaves. People used to laugh at the great clunky terminals used in secure environments but they arose for a reason: TEMPEST.”
TEMPEST, as we reported 20 years ago, was originally a US government scheme for reducing the amount of RF emissions generated by computer equipment. Today it’s been adopted as a NATO standard, with the UK’s National Cyber Security Centre having a public webpage about it.
“Often,” observed Woodward, “modern security systems look for data leaving the network to know that they have an intruder. But if it’s leaving on some unmonitored channel (over the air) then it has a low probability of intercept by the security measures.”
We look forward to the infosec industry’s next exciting product launch: a full spectrum RF analysis suite plumbed into your SIEM for a low, low subscription rate.
See more here: theregister.com
Howdy
Electromagnetic radiation from current carrying cables is nothing new, and the title is incorrect. Lan is not internet cable.
“His experimental technique consisted of slowing UDP packet transmissions over the target cable to a very low speed”
So not applicable in the real world then.
“specialised antennas could well reach ‘tens of metres’ of range. ‘However, due to environmental noises (e.g. from other cables) higher bit-rate are rather theoretical and not practical in all scenarios.’”
There’s always something…
“it is possible to evade detection at the network level by sending the raw UDP traffic within other legitimate UDP traffic.”
I’d like to see how that fits in with other signals already passing through the cable. Wouldn’t the “hacking” device need its own IP? Spoofing would be detected in most environments. I guess that would give the game away, and the radiated interference to other signals within the cable would cause visible slow downs of a full speed flow still raising the alarm. Except the experiment can’t do that.
“But if it’s leaving on some unmonitored channel (over the air) then it has a low probability of intercept by the security measures.”
You can certainly grab it, but it’s UDP traffic, as stated. How much use is it as a fully fledged attack, even if you can make it work in any useful speed?
“What this shows is that even an unplugged Ethernet cable can radiate energy which is detectable.”
People can radiate detectable energy if it impinges the body, as an extension! Even wet string can give secrets away.
Ever picked up, or even gone near a portable radio and the signal improves/reduces? You become part of the receiving antenna (aerial) to boost the reception, or impinge on it by causing interference. This is school boy stuff.
Much ado about nothing.
Howdy
“This is school boy stuff.”
My apologies. It was basic grounding at one time, before indoctrination took over.
Daniel Staggers
10’s of meter range? Seriously, so you’re saying you can hack a CAT 5 cable further than the range of a Wi-Fi antenna? But even 10’s of meter range is only 30 feet. Bluetooth range and easily spotted.