'GSMem' malware designed to infiltrate air-gapped computers, steal data
Israeli researchers detailed a new attack that can steal data from air-gapped computers, which are often seen as relatively safe.
Newly designed malware could, if properly replicated, allow an attacker to pick up the data of air-gapped computers, which are typically thought of as relatively secure.
GSMem, as the researchers call it, exploits electromagnetic radiation (EMR) emissions and forces a computer's memory bus to function similarly to an antenna in order to wirelessly transmit data to a phone over cellular frequencies. The Israeli researchers will open their paper, “GSMem: Data Exfiltration from Air-Gapped Computers over GSM Frequencies” to the public once they present it at the USENIX Security Symposium in August.
The malware runs in conjunction with a mobile rootkit embedded in the baseband firmware of a cell phone. It can be installed through social engineering, physical access or a malicious app. Baseband chips manage the low-level Radio Frequency (RF) connection with the cell phone network.
The malware, on the target computer, is slightly more difficult to install as it can only be put on through physical access or interdiction methods, such as poisoning the supply chain.
But once both the rootkit and the malware are successfully implemented, data transmissions can be received from 3 to 18 feet away. With a hardware receiver, the data can be sent from a distance of more than 98 feet.
The components “exploited by the proposed [attack] model are present on virtually all computers and cellular devices,” the researchers write. And even lower-end cell phones have this capability.
The researchers note that the attack preys on a perfect combination of conditions.
“Modern computers are electronic devices and are bound to emit some electromagnetic radiation (EMR) at various wavelengths and strengths,” they write. “Furthermore, cellular phones are agile receivers of EMR signals. Combined, these two factors create an invitation for attackers seeking to exfiltrate data over a covert channel.”
They also acknowledge that many organizations air-gap their computers and sometimes go as far as preventing USB insertion. Other companies, such as Intel Security, also prevent smartphones with Wi-Fi capability, cameras and Bluetooth, to enter classified areas.
As a result, the researchers recommend multiple countermeasures, including “meticulous forensic analysis” of a device and “behavioral (dynamic) analysis and anomaly detection,” or “trying to detect GSMem activities at runtime on the process level.”