NoiseHopper: Emission Hopping Air-Gap Covert Side Channel with Lower Probability of Detection


Bibliographic Details
Published in: 2024 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pp. 21-32
Main Authors: Faizul Bari, Md; Sen, Shreyas
Format: Conference Proceeding
Language: English
Published: IEEE, 06.05.2024

Summary: To shield against malicious attack vectors and safeguard sensitive data, organizations resort to physical isolation called an 'air-gap', where the air-gapped device is isolated from the public internet and can only be connected to an internal, secured 'air-gap network'. Due to their sensitive nature, air-gap networks have been a coveted target for motivated adversaries, leading to various malware/worms that infect these devices via insider threats, unauthorized software updates, peripherals, or supply chain attacks and collect data. Because there is no connection to the outside network, the collected data cannot be exfiltrated easily. Attackers have developed 'air-gap covert channels' to bridge the gap between the air-gap network and the outside network. These are intentionally generated electromagnetic (EM) emissions, produced by varying CPU load or exploiting memory instructions, and modulated with data. However, existing covert channels have several limitations. The channels are covert in the sense that the malware is not easy to detect, but the wireless signal itself can be identified as a malicious anomaly by spectrum monitoring tools. Since the emission is generated by exploiting the CPU/memory, which is shared with other concurrently running processes, the channel can be interrupted by their simultaneous activity. Also, most of them have very low data rates (≤1 kbps) that cannot transmit a significant data volume in a reasonable time, and they are not suitable for low-power, air-gapped embedded devices with limited resources. In this work, we propose 'NoiseHopper', an improved covert side channel formed by pulse width modulation (PWM) controlled EM emission, with spectrum covertness provided by frequency hopping. The transmission looks as if noise or spurious peaks have been added to the existing RF spectrum, yielding a low probability of detection. It does not depend on any specific shared hardware or peripherals, is suitable for embedded devices, and can transmit data over a range of ~5.5 m at 100 kbps. We have implemented the proposed method on an ATmega328P microcontroller (part of the AVR family found in many embedded systems) and transmitted images from the MNIST dataset to show its efficacy. To make the scenario more realistic, the proposed covert channel has been shown to transmit through a 15 cm thick wall. The bit error rate (BER) has been analyzed. Finally, a few probable countermeasures have been proposed to prevent data leakage.
ISSN: 2765-8406
DOI: 10.1109/HOST55342.2024.10545402