Bridging the air-gap Out of sight, (but not) out of mind Nemanja - PowerPoint PPT Presentation



  1. Bridging the air-gap: Out of sight, (but not) out of mind. Nemanja Nikodijevic <nemanja@micropsi-industries.com>

  2. Agenda: Motivation; Attack scenario; Famous examples; Academic research; Future attack vectors


  4. Attack scenario: Infection and data collection → Expansion → Exfiltration and data extraction → Damage!


  6. Famous examples: Agent.BTZ. Infection: autorun.inf launches rundll32.exe .\\[random_name].dll,InstallM

  7. Famous examples: Agent.BTZ. Expansion: autorun.inf (travels with the removable drive)

  8. Famous examples: Agent.BTZ. Extraction: collected data staged in thumbs.dd
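The autorun.inf pattern on the Agent.BTZ slides (a launch entry that hands a DLL sitting on the drive itself to rundll32.exe) is easy to check for on media before it is plugged into an air-gapped host. The scanner below is an added example by the editor, not code from the talk; the two autorun.inf samples are constructed, and the DLL name in the suspicious one is made up to mirror the slide's "[random_name].dll".

```python
"""Flag autorun.inf launch entries of the Agent.BTZ shape:
rundll32.exe loading a DLL that lives on the removable drive itself.
Editor's added example; both sample files are constructed."""
import re

# Constructed sample modelled on the slide's "rundll32.exe .\\[random_name].dll,InstallM".
SAMPLE_AUTORUN = """\
[autorun]
open=rundll32.exe .\\fveviuzy.dll,InstallM
shell\\open\\Command=rundll32.exe .\\fveviuzy.dll,InstallM
shell\\explore\\Command=rundll32.exe .\\fveviuzy.dll,InstallM
shellexecute=rundll32.exe .\\fveviuzy.dll,InstallM
"""

# Constructed benign sample: only cosmetic keys, nothing is launched.
BENIGN_AUTORUN = """\
[autorun]
icon=setup.exe,0
label=Vendor Tools
"""

LAUNCH_KEYS = ("open", "shellexecute")   # keys that execute a program directly
RUNDLL = re.compile(r"rundll32(\.exe)?\s+(?P<dll>\S+?\.dll)\s*,\s*(?P<export>\w+)", re.I)


def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section with keys lowercased.
    autorun.inf is INI-like, but keys may contain backslashes (shell\\open\\Command),
    so a small hand-written parser is safer than configparser."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries.append((key.strip().lower(), value.strip()))
    return entries


def is_launch_key(key):
    # open=, shellexecute=, and every shell\<verb>\command= entry run something
    return key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))


def find_rundll_launches(text):
    """Return (key, dll, export) for each launch entry that runs rundll32 with a
    DLL referenced relative to the drive (no drive letter, no UNC prefix): the
    payload travelling with the media is the tell-tale, not rundll32 itself."""
    findings = []
    for key, value in parse_autorun(text):
        if not is_launch_key(key):
            continue
        m = RUNDLL.search(value)
        if not m:
            continue
        dll = m.group("dll")
        local = ":" not in dll and not dll.startswith("\\\\")
        if local:
            findings.append((key, dll, m.group("export")))
    return findings


def classify(text):
    return "suspicious" if find_rundll_launches(text) else "clean"


if __name__ == "__main__":
    for name, sample in (("sample", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, classify(sample), find_rundll_launches(sample))
```

The check is deliberately narrow: it keys on a DLL that is local to the drive rather than on rundll32.exe, which legitimate installers also use with system DLLs. Disabling AutoRun on the receiving host removes the vector entirely; the scanner is for triaging media before it reaches a host where that setting cannot be verified.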

  9. Famous examples: Stuxnet. Infection: CVE-2008-4250, CVE-2010-2729, CVE-2010-2568. Target: Natanz Nuclear Facility, reached through contractors.

  10. Famous examples: Stuxnet. Expansion: CVE-2010-2772, CVE-2012-3015; modified STL code pushed to the S7-417 and S7-315 PLCs.

  11. Famous examples: Stuxnet. Damage! Attack 1 – Centrifuge Overpressure Protection System (S7-417): record sensor values for 21 s; replay the recorded values in a loop; lock the exhaust valves to create overpressure. Attack 2 – Centrifuge Drive System (S7-315): lock rotor speed to a fixed value; increase rotor speed to 30% above normal; decrease rotor speed 500x and speed up again.
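The first attack works because the protection logic and the HMI are fed a 21 s recording played in a loop while the real pressure climbs. The script below is an added example by the editor, not the talk's material: it models that record-and-replay step on a synthetic pressure trace (constructed units, a hypothetical 1 Hz sample rate) and then runs a simple detector that looks for sensor data repeating itself bit-for-bit, which genuine noisy readings never do.

```python
"""Record-and-replay against a pressure sensor, as in the S7-417 attack, plus a
detector that flags the looped replay. Editor's added example; the process
model, sample rate and all values are constructed."""
import random

WINDOW_S = 21        # seconds of sensor data recorded before the replay (from the slide)
SAMPLE_HZ = 1        # assumed sample rate: one reading per second (hypothetical)
WINDOW = WINDOW_S * SAMPLE_HZ


def true_pressure(t, attack_start, rng):
    """Physical cascade pressure (constructed units): a flat, noisy baseline until
    the exhaust valves are locked at attack_start, then rising steadily."""
    base = 100.0 + rng.uniform(-0.5, 0.5)
    if t < attack_start:
        return base
    return base + 2.0 * (t - attack_start)


def simulate(duration, attack_start, rng):
    """Return (truth, reported). 'reported' is what the protection logic and HMI
    see: genuine readings until attack_start, then the last WINDOW readings looped."""
    truth, reported, recorded = [], [], []
    for t in range(duration):
        real = true_pressure(t, attack_start, rng)
        truth.append(real)
        if t < attack_start:
            reported.append(real)
            recorded = (recorded + [real])[-WINDOW:]   # rolling record buffer
        else:
            reported.append(recorded[(t - attack_start) % WINDOW])
    return truth, reported


def find_replay(trace, min_period=2, max_period=120):
    """Return (start, period) of the earliest span where the trace repeats itself
    exactly for at least two full periods, else None. Exact repetition of noisy
    readings is not physically plausible, so it points at a replayed buffer."""
    for period in range(min_period, max_period + 1):
        run = 0
        for i in range(period, len(trace)):
            if trace[i] == trace[i - period]:
                run += 1
                if run >= 2 * period:
                    return i - run + 1, period   # first replayed sample, loop length
            else:
                run = 0
    return None


def run_demo(seed=7, duration=150, attack_start=60):
    rng = random.Random(seed)
    truth, reported = simulate(duration, attack_start, rng)
    return {
        "detected": find_replay(reported),
        "reported_final": reported[-1],
        "true_final": truth[-1],
    }


def clean_demo(seed=7, duration=150):
    """Same process with no attack: the detector must stay silent."""
    rng = random.Random(seed)
    return find_replay(simulate(duration, duration + 1, rng)[1])


if __name__ == "__main__":
    r = run_demo()
    print("replay detected at t=%s s, loop length %s s" % r["detected"])
    print("HMI shows %.1f while the real pressure is %.1f"
          % (r["reported_final"], r["true_final"]))
    print("clean trace:", clean_demo())
```

The detector only catches a naive loop; a replay that re-adds noise each cycle would pass it, so in practice one would also cross-check against an independent sensor path or a physical model of the process. The point of the example is the gap between the two final values: the operator's screen stays flat while the cascade is well past its limits.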

  12. Famous examples: COTTONMOUTH. COTTONMOUTH-I (open re-implementation: http://www.nsaplayset.org/turnipschool)

  13. Famous examples: COTTONMOUTH. COTTONMOUTH-I, COTTONMOUTH-II

  14. Famous examples: COTTONMOUTH. COTTONMOUTH-I, COTTONMOUTH-II, COTTONMOUTH-III

  15. Famous examples: Brutal Kangaroo. Infection. Components: Drifting Deadline (infection), Shattered Assurance (expansion), Broken Promise (postprocessor), Shadow (persistence). Infection methods: None (manual), EZCheese (CVE-2015-0096), Lachesis (autorun.inf), RiverJack (library-ms).

  16. Famous examples: Brutal Kangaroo. Infection → Expansion. Components: Drifting Deadline (infection), Shattered Assurance (expansion), Broken Promise (postprocessor), Shadow (persistence).

  17. Famous examples: Brutal Kangaroo. Infection → Expansion → Extraction. Components: Drifting Deadline (infection), Shattered Assurance (expansion), Broken Promise (postprocessor), Shadow (persistence).


  19. Research: Covert channels. Electromagnetic: Van Eck phreaking; FOSDEM '16 talk by JM Friedt (http://bit.ly/2wTsXGs); USBee, AirHopper, GSMem (Guri et al.)

  20. Research: Covert channels. Acoustic: RSA Acoustic Cryptanalysis (Genkin et al.); badBIOS?; On Covert Acoustical Mesh Networks in Air (Hanspach and Goetz)

  21. Research: Covert channels. Thermal: Revealing Hidden Services by their Clock Skew (Murdoch); BitWhisper (Guri et al.); HVACKer: Bridging the Air-Gap by Attacking the Air Conditioning System (Mirsky et al.)

  22. Research: Covert channels. Light: Ambient Light Sensors (Hasan et al.); xLED (Guri et al.); Information Leakage from Optical Emanations (J. Loughry and D. A. Umphress)

  23. Research: Covert channels. Other: seismic, magnetic; Sensing-Enabled Channels for Hard-to-Detect Command and Control of Mobile Devices (Hasan et al.)


  25. Future?

  26. Example attack vectors: Evil Cable. Signalling on the CC line: 300 kbps ± 10% EMCA

  27. Example attack vectors: Evil Cable. The CC line carries C&C and data. Cable controller flash layout: Bootloader, Firmware Bank 1, Firmware Bank 2, with one bank replaced by patched firmware. OS fingerprinting?

  28. Example attack vectors: Evil Charger. A laptop connected to the Internet and an air-gapped laptop share the charger; the charger (patched firmware behind its bootloader) relays C&C and data between the two.

  29. Example attack vectors: Evil Charger. http://www.chongdiantou.com

  30. Example attack vectors: Evil Dongle. BadUSB scenario on an HDMI dongle ("WorseUSB"); USB-C pins involved: CC, VCONN, D+, D-, SBU1, SBU2.

  31. Countermeasures? Superglue in a USB port? Disabling firmware upgrade? Firmware signing? USB Type-C Authentication Specification.

  32. Bridging the air-gap: Takeaways. USB is the most frequent air-gap attack vector; USB-C introduces new methods for bridging the air-gap; proposed countermeasures are not yet widely implemented.

  33. Thanks for your attention! Questions?
