Creating a buzz: USBee software causes air-gapped computers to leak data via USB connections

Researchers have devised a software-based method of exfiltrating data from air-gapped computers via a USB connection that does not require any prior hardware modification of a USB device.
Researchers have devised a software-based method of exfiltrating data from air-gapped computers via a USB connection that does not require any prior hardware modification of a USB device.

In an attempt to demonstrate that even air-gapped computers can be rendered vulnerable to data exfiltration, three researchers at Israel's Ben-Gurion University of the Negev created a software program that causes USB-connected devices to emit radio-frequency electromagnetic pulses that leak binary data to nearby listeners.

This is not the first time a researcher or cyberespionage group has exploited a USB device to make air-gapped computers secretly communicate data. But in all previously known examples, the hackers responsible had to introduce a malicious USB device that already contained modified hardware, the researchers claim. In this case, the researchers – Mordechai Guri, Matan Monitz and Yuval Elovici – created software (or malware, if you will) that tricks the infected computer into using an ordinary, clean USB device as a transmitter.

The malware, dubbed USBee, “utilizes the USB data bus in order to create electromagnetic emissions from a connected USB device,” according to the researchers' new academic report, released this week. The malware can then “modulate any binary data over the electromagnetic waves and transmit it to a nearby receiver.”

“Air-gap isolation considered to be a hermetic [solution], and as security researchers, we are trying to challenge this assumption,” said Guri, head of research and development at Ben-Gurion University's Cyber Security Research Center, in an email interview with SCMagazine.com.

Any USB device that supports transmission of data via the USB cable's data bus, including flash drives and external storage devices, is susceptible to USBee. The attack does have its limitations – the computer must first be infected somehow, and to intercept the code, the eavesdropper would need to place a receiver in relative proximity to the targeted machine. Nevertheless, determined cyberspies could use such a technique to steal vital data and intelligence from high-profile individuals, companies, organizations or critical infrastructure facilities.

Upon reaching the receiver, the bursts of electromagnetic pulses, which occur at alternating frequencies, can be translated into a series of digital values, revealing key data. USBee is capable of transmitting textual and binary data in small sizes at a bandwidth ranging from 20 to 80 BPS. A top speed of 80BPS “can be used for a transmission of 4096 encryption keys in a matter of seconds,” said Guri, also chief science officer at Morphisec Endpoint Security Solutions. “An hour of keylogging data can be transmitted in a minute or so. The actual bandwidth depends on the distance from the transmitter, the receiver and other factors as well.”

In a video demonstration, the researchers perform a successful signal transmission at a distance of approximately 30 feet, using a simple antenna. From that distance, “the signals are still strong enough and we can assume that they can be received from higher distances with better antennas,” said Guri.

Guri's research partner Matan Monitz is a computer science and philosophy student at Ben-Gurion University. His other partner, Professor Yuval Elovici, is director of the university's Cyber Security Research Center. Earlier this year, Guri and Elovici along with other researchers published research on Fansmitter, a malware that causes air-gapped computers to covertly communicate data via changes in internal fan speeds, and DiskFiltration, a method of exfiltrating data via hard drive noises.

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS