ODINI: Escaping Sensitive Data From Faraday-Caged, Air-Gapped Computers via Magnetic Fields

Air-gapped computers are devices that are kept isolated from the Internet, because they store and process sensitive information. When highly sensitive data is involved, an air-gapped computer might also be kept secluded in a Faraday cage. The Faraday cage prevents the leakage of electromagnetic sign...

Full description

Saved in:
Bibliographic Details
Published inIEEE transactions on information forensics and security Vol. 15; pp. 1190 - 1203
Main Authors Guri, Mordechai, Zadov, Boris, Elovici, Yuval
Format Journal Article
LanguageEnglish
Published New York IEEE 2020
The Institute of Electrical and Electronics Engineers, Inc. (IEEE)
Subjects
Air gaps
Computer industry
computer viruses
Computers
Eavesdropping
Electromagnetic radiation
Embedded systems
Faraday cage
Internet of Things
Jamming
Laptop computers
Leakage
Low frequencies
Magnetic cores
Magnetic fields
Magnetic noise
Magnetic shielding
Malware
Network security
Signal detection
Virtual environments
Online AccessGet full text

Cover

More Information
Summary:Air-gapped computers are devices that are kept isolated from the Internet, because they store and process sensitive information. When highly sensitive data is involved, an air-gapped computer might also be kept secluded in a Faraday cage. The Faraday cage prevents the leakage of electromagnetic signals emanating from various computer parts, which may be picked up remotely by an eavesdropping adversary. The air-gap separation, coupled with the Faraday shield, provides a high level of isolation, preventing the potential leakage of sensitive data from the system. In this paper, we show how attackers can bypass Faraday cages and air-gaps in order to leak data from highly secure computers. Our method is based on exploitation of the magnetic field generated by the computer's CPU. Unlike electromagnetic radiation (EMR), low frequency magnetic fields propagate through the air, penetrating metal shielding such as Faraday cages (e.g., a compass still works inside a Faraday cage). Since the CPU is an essential part of any computer, the magnetic covert channel is relevant to virtually any device with a CPU: desktop PCs, servers, laptops, embedded systems, and Internet of Things (IoT) devices. We introduce a malware codenamed `ODINI' that can control the low frequency magnetic fields emitted from the infected computer by regulating the load of the CPU cores. Arbitrary data can be modulated and transmitted on top of the magnetic emission and received by a magnetic `bug' located nearby. We implement a malware prototype and discuss the design considerations along with the implementation details. We also show that the malicious code does not require special privileges (e.g., root) and can successfully operate from within isolated virtual machines (VMs) as well. Finally, we propose different types of defensive countermeasures such as signal detection and signal jamming to cope with this type of threat (demonstration video: https://www.youtube.com/watch?v=h07iXD-aSCA).
ISSN:1556-6013
1556-6021
DOI:10.1109/TIFS.2019.2938404