create your own exercise
Alexander Güssow and François Blondel
AIRHOPPER: BRIDGING THE AIR-GAP

Motivation
• Awareness: Data leaks from isolated systems
  – Using non-conventional methods
  – NSA uses it, other organizations might
  – Risks and possibilities: Learn how to detect and possibly protect

Lecture Overview
• Use radio frequencies and simple hardware
  – EM radio: FM/AM, light, etc.
  – Sound waves
  – Passive listening
• Using common software and hardware tools (GNU Radio, microphone/speakers)

Basics: Electromagnetic (EM)
• There is free space path loss ("attenuation")
• Will go through walls, follow conductors for reasonably "low" frequencies (up to 300 GHz)
• Higher frequencies: light
• Described by Maxwell's equations
• No medium needed (vacuum is fine)

[Figure: The electromagnetic spectrum]

[Figure: EM: attenuation]

Basics: Sound
• Medium required (air, water, …)
• Pressure wave, velocity depends on the medium (air: about 343 m/s)
• Different scales: dB(SPL), dB(A)
• Will decrease with distance

Going Ultrasonic
• Standard equipment will allow ultrasonic transmission and reception (to some degree), at least at moderate frequencies (<22 kHz)
• Reasonably old people will not hear it
• At 25 kHz, no one should be able to hear it (but your dog of course, he'll run away barking)

First experiment: Data leak over ultrasound
• Use of computer speakers and microphones of the lab to build a one-way data connection
• Use of minimodem
• No reliability: no retransmit, errors may occur
• Enough for realtime keylogging

GNU Radio
[Figure. Source: anfractuosity.com]

Second experiment: Broadcast music using a VGA cable
• "Tricking" the video adapter into doing AM to broadcast music via VGA
• Reception using GNU Radio and an SDR stick
• Special hardware required

Practical Part
[Diagram of the lab setup. Labels: PC 1, PC 2, PC 3, PC 4, VGA screen, SDR stick, speakers, microphone]

What will YOU learn?
[Figure. Source: Y. K. Roland Tai, Video eavesdropping - RF, UCambridge]

The following learning goals are covered in the: Lecture, PreLab, Lab
• Some physics: different physical channels and their ranges: X X
• Learn the actual state of the art: what is already possible: X X
• Leaking data in a nonconventional way: audio transmission: X X
• Leaking data in a nonconventional way: EM (mis)using VGA: X X
• Protection: How to detect and prevent this?: X X X

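One way to approach the "how to detect" goal for the ultrasound experiment, as an added example that is not part of the original slides: a Goertzel filter bank that flags narrow-band energy between 18 and 22 kHz in a block of microphone samples. The 44.1 kHz capture rate, the alert threshold and the sample audio are assumptions constructed for this illustration.

```python
import math
import random

RATE = 44100          # Hz; assumed sound-card capture rate
BLOCK = 4410          # 100 ms of samples -> 10 Hz bin spacing
BAND = range(18000, 22001, 100)   # near-ultrasonic probe frequencies, Hz
THRESHOLD = 1e-5      # assumed alert level; tune against the room's noise floor

def goertzel_power(samples, freq, rate=RATE):
    """Normalised power of `samples` at `freq` (Goertzel algorithm)."""
    n = len(samples)
    k = round(n * freq / rate)                  # nearest DFT bin
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (n * n)

def ultrasonic_alert(samples, threshold=THRESHOLD):
    """Return the strongest probe frequency above threshold, else None."""
    peak_freq, peak_power = max(
        ((f, goertzel_power(samples, f)) for f in BAND), key=lambda fp: fp[1])
    return peak_freq if peak_power > threshold else None

def make_block(carrier_hz=None, seed=1):
    """Constructed test audio: two audible tones plus low-level noise,
    optionally with a quiet carrier added (stand-in for a modem tone)."""
    rng = random.Random(seed)
    out = []
    for i in range(BLOCK):
        t = i / RATE
        x = 0.3 * math.sin(2 * math.pi * 440 * t)
        x += 0.3 * math.sin(2 * math.pi * 1200 * t)
        x += rng.uniform(-0.01, 0.01)
        if carrier_hz:
            x += 0.05 * math.sin(2 * math.pi * carrier_hz * t)
        out.append(x)
    return out

if __name__ == "__main__":
    print("room audio only :", ultrasonic_alert(make_block()))
    print("with 19 kHz tone:", ultrasonic_alert(make_block(19000)))
```

The carrier in the constructed block is six times quieter than the audible tones, yet it stands out clearly because ordinary room audio carries little narrow-band energy that high in the spectrum.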
create your own exercise
Janosch Maier & Christoph Schmidt
EVIL TWINS: WIFI SSID SPOOFING & MORE

Motivation
Attacking a WLAN is really easy!
• What could happen, e.g. at Starbucks?

Lecture Summary
• WLAN Basics
  – Spoofing SSIDs
  – Creating an Evil Twin
• Think of Countermeasures

Different APs, same SSID?
• Some WLAN basics (whiteboard)
  – BSS, BSSID, (E)SSID, ESS
• We will use special wifi drivers
  – Boot a special kernel (see lab instructions)
  – Unlocks channels and signal strength
• Please adhere to German laws

Countermeasures?
Ideas?

Evil Twin at work
[Diagram of the lab setup. Labels: Unsuspicious Attacker (PC 3), User (PC 6), Wifi AP (PC 1), Evil Twin (PC 4); image labels: Evil Twin Image (three times), Normal Image]

Summary / Learning Goals
The following learning goals are covered in the: Lecture, PreLab, Lab
• Get to know SSID spoofing: X X
• Understand how evil twins work: X X
• Spoof specific SSIDs: X X
• Create an evil twin: X X
• Reroute web traffic (iptables): X X
• Develop countermeasures: X