The researchers, who work at Georgia Tech's School of Electrical and Computer Engineering, described their findings in a recent paper and at the 47th Annual IEEE/ACM International Symposium on Microarchitecture in Cambridge at the end of December.
At the conference, they warned of the dangers of “side-channel” attacks, which relate specifically to the possibility of an attacker intercepting the low-power electronic signals emitted by laptops and smartphones.
Crucially, this interception wouldn't require such devices to be connected to a Wi-Fi hotspot, a common method of attack, and the targeted user would have no idea if their machine was compromised.
These low-power electronic signals or “leaks” can be measured several feet away by using discreet antennas that can receive electromagnetic emissions, a fake battery to measure power performance or microphones that pick up acoustic emissions.
Some signals can also be distilled from AM/FM signals, but others require more sophisticated spectrum analysers, while computer components like voltage regulators produce emissions that can carry signals produced elsewhere in the laptop.
In short, these information leaks could be intercepted and measured by hackers. “We believe that these signals could be intercepted and used to obtain information from the devices,” a spokesperson for the researchers said in an email to SCMagazineUK.com.
“People are focused on security for the internet and on the wireless communication side, but we are concerned with what can be learned from your computer without it intentionally sending anything,” said Alenka Zajic, an assistant professor in Georgia Tech's School of Electrical and Computer Engineering.
“Even if you have the internet connection disabled, you are still emanating information that somebody could use to attack your computer or smartphone.”
The researchers added that there is no mention in the open literature of hackers exploiting this attack, but they have described how one could happen.
In a demonstration, Zajic typed a simulated password on one laptop not connected to the internet, while on the other side of the wall a colleague used another air-gapped machine to read the password by intercepting side-channel signals produced by the keyboard software, which had, however, been modified to make the characters easier to identify.
“There is nothing added in the code to raise suspicion,” said Milos Prvulovic, an associate professor in the Georgia Tech School of Computer Science. “It looks like a correct, but not terribly efficient, version of normal keyboard driver software. And in several applications, such as normal spell-checking, grammar-checking, and display-updating, the existing software is sufficient for a successful attack.”
As a result, the researchers are looking at how these leaks – known technically as “side-channel signals” – originate in order to help hardware and software designers, and are developing a new metric, called “signal available to attacker” (SAVAT), to measure the strength of these leaks.
The researchers measured SAVAT for 11 different instructions across three laptops and, in the test, found the largest signals occurred when the processors accessed off-chip memory.
“It is not really possible to eliminate all side-channel signal,” said Prvulovic. “The trick is to make those signals weak, so potential attackers would have to be closer, use larger antennas, and utilise time-consuming signal analyses. We have found that some operations are much ‘louder’ than others, so quieting them would make it more difficult for attackers.”
Zajic added: “If somebody is putting strange objects near your computer, you certainly should beware. But from the user's perspective, there is not much they can do right now. Based on our research, we hope to develop something like virus scan software that will look for vulnerability in the code and tell developers what they should update to reduce this vulnerability.”
Interestingly, the research team are also studying Android devices, as they believe that smartphones' compact design – and the big difference between their idle and active power draw – could make them even more vulnerable than laptops.
Professor Mike Jackson, a computer security expert at Birmingham University, said that air-gap attacks are not new, but wasn't sure how the password would be obtained.
“One suspects that the example of obtaining a password given may have been achieved via an experimental setup where the keyboard has been adapted to generate side channel signals.”
Dr Gareth Owen, senior lecturer in the School of Computing at the University of Portsmouth, agreed that air-gap attacks are becoming more commonplace and could be hard to stop.
“There has been a long history of side channel attacks that allow one to observe physical artefacts from a device and infer information about what it is doing,” he told SC. “From leaking cryptographic keys to intercepting passwords from keyboards, many poorly implemented devices will leak information. Designing code that is resistant to these attacks is not something that is familiar to the vast majority of software developers.”
Dr Robert Nowill, a director and board member of the Cyber Security Challenge who previously worked at GCHQ and BT, added in an email to SC: “I think I'd simply say that the technology needed to exploit such signals that mobile devices may emit in the foreground or the background clearly can be created. That could be for legitimate purposes, or for exploitation by any of the usual threat actors.
“It is not really a new line in vulnerabilities, but something that has obviously existed for many years brought into the spotlight with the explosion in the use of end point devices such as mobiles.”
This research comes months after researchers from Israel found new ways to compromise air-gapped – or air-walled – machines, through the use of electrical impulses and malware-laden mobile phones and a separate light-based approach.