PIXHELL Attack: Leaking Sensitive Information from Air-Gap Computers via ‘Singing Pixels’
Mordechai Guri
Ben-Gurion University of the Negev, Israel
Department of Software and Information Systems Engineering
Air-Gap Research Lab (http://www.covertchannels.com)
Demo video: https://youtu.be/TtybA7C47SU
Email: gurim@post.bgu.ac.il
Abstract—Air-gapped systems are disconnected from the Internet and other networks because they contain or process sensitive data. However, it is known that attackers can use computer speakers to leak data via sound to circumvent the air-gap defense. To cope with this threat, when highly sensitive data is involved, the prohibition of loudspeakers or audio hardware might be enforced. This measure is known as an ‘audio gap’.
In this paper, we present PIXHELL, a new type of covert channel attack allowing hackers to leak information via noise generated by the pixels on the screen. No audio hardware or loudspeakers are required. Malware in the air-gapped and audio-gapped computers generates crafted pixel patterns that produce noise in the frequency range of 0 - 22 kHz. The malicious code exploits the sound generated by coils and capacitors to control the frequencies emanating from the screen. Acoustic signals can encode and transmit sensitive information. We present the adversarial attack model, cover related work, and provide technical background. We discuss bitmap generation and correlated acoustic signals and provide implementation details on the modulation and demodulation process. We evaluated the covert channel on various screens and tested it with different types of information. We also discuss evasion and stealth using low-brightness patterns that appear like black, turned-off screens. Finally, we propose a set of countermeasures. Our test shows that with a PIXHELL attack, textual and binary data can be exfiltrated from air-gapped, audio-gapped computers at a distance of 2m via sound modulated from LCD screens.
Index Terms—air-gap, exfiltration, covert channel, screen, LCD, pixels, audio, acoustic
I. INTRODUCTION
Information security is a major concern for organizations and industries. A wide range of threats, including ransomware, phishing attacks, data breaches, and nation-state offensive activities, characterize the modern cybersecurity environment. To address these emerging challenges, security technologies, threat intelligence, and regulatory frameworks continue to evolve. As part of defenders’ efforts to protect sensitive information, they implement robust security measures. They raise awareness about cybersecurity risks, and use a variety of security solutions such as firewalls, data leakage prevention, anomaly detection systems and more.
A. Air-gap Networks
One of the strategies to protect sensitive and confidential information is the ‘air-gap’ security measure. In this strategy, a network is physically isolated from external networks, meaning there is no direct wired or wireless connection to the Internet [27]. Air-gapped networks are immune to many types of online cyber threats, such as remote exploitation, malware infection, and phishing attacks, as there is no direct connection to external networks. In addition, since there is no direct connection to the outside world, the risk of unauthorized access and data leakage is significantly reduced.
Air-gap networks may be employed when sensitive data is involved. Certain industries, such as healthcare, finance, and defense, may be subject to regulations that mandate air-gapped networks to protect sensitive data and comply with industry standards. For example, stock exchange computer networks may be disconnected from the Internet because they are considered confidential [8]. Air-gapping may be employed in critical infrastructure sectors such as energy, transportation, and manufacturing to safeguard control systems from cyber threats that could lead to physical harm or disruption. There may be significant restrictions on maintaining air-gapped networks, such as limiting the use of removable media in the network (USB drives, external hard drives) and preventing LAN or WAN connectivity. Additionally, air-gapped systems may require strict access controls, including biometric authentication and surveillance, to prevent unauthorized access [3][12][23].
B. Air-gap Breaches
Despite the high level of security and isolation, air-gapped networks are not completely immune to breaches. One of the examples is the Stuxnet worm, which was believed to specifically target supervisory control and data acquisition (SCADA) systems used in Iran’s nuclear facilities [39]. It spread via infected USB drives and exploited vulnerabilities in the Windows operating system. Agent.btz is another worm that gained notice for its involvement in a significant cyberattack on the United States military’s classified and unclassified networks [17]. This incident was one of the most serious breaches of U.S. military networks at the time. Agent.btz was primarily spread in disconnected systems via removable media such as USB drives. When an infected USB drive is connected to a computer, the worm copies itself onto that system. In 2018, the U.S. Department of Homeland Security reported that the Russian hacking group compromised the air-gapped systems of America’s electric utilities by exploiting third-party vendors in a so-called supply chain attack [2]. In August 2023, it was reported that a nation-state actor with links to China was suspected of launching a series of attacks last year against industrial organizations in Eastern Europe to siphon data stored on air-gapped systems. The attacks entailed using more than 15 distinct implants and their variants. These implants were broken down into three broad categories based on their ability to establish persistent remote access. They could also gather sensitive information and transmit the collected data to actor-controlled infrastructure [5].
arXiv:2409.04930v1 [cs.CR] 7 Sep 2024
C. Leaking Information from Air-gapped Facilities
After breaching the air-gap network, the attacker might want to continue its activity and move on to the subsequent phases of APT attacks, such as lateral movement and exfiltration. Security firm ESET pointed out more than 15 publicly documented attack frameworks designed to breach air-gapped networks, including USBCulprit, USBStealer, Ramsay, PlugX, and others [16]. As noted in the report, all of this malware used USB media to transfer data in and out of the air-gap environment. However, in secured environments, external media may be strictly forbidden or regulated [7]. In these cases, attackers might exploit ‘air-gap covert channels’ for exfiltration. Using these methods, malware could modulate binary information on top of physical mediums such as electromagnetic emission, optical emanation, and acoustic waves. Researchers have demonstrated that components such as computer RAM, fan noise, keyboard LEDs, and power supply emissions can modulate data [27][9].
One of the main air-gap covert channels explored in the past is acoustic covert channels that use computer speakers. In this method, data is modulated and transmitted from a computer over sound waves generated from the computer’s loudspeakers or built-in speakers in the sonic or ultrasonic bands [47].
D. Air-Gap, Audio-Gap Environments
Although acoustic covert channels from loudspeakers were extensively explored in past works [47], they might not always be practical. In secured networks, audio-capable hardware and speakers may not be allowed, creating a so-called ‘audio-gapped’ environment [1]. Since audio-gap computers lack loudspeakers, the acoustic covert channels described above are impossible.
E. PIXHELL Attack
This paper presents the PIXHELL attack, an acoustic covert channel for leaking information from audio-gapped systems. LCD screens contain inductors (coils) and capacitors as part of their internal components and power supply. For example, electrical current passing through coils can cause them to vibrate at an audible frequency, producing high-pitched noise. This phenomenon is known as ‘coil noise’ or ‘coil whine’ [6]. Also, when alternating current (AC) passes through the screen capacitors, they vibrate at specific frequencies. The acoustic emanations are generated by the internal electrical parts of the LCD screen. Their characteristics are affected by the actual bitmap, pattern, and intensity of pixels projected on the screen. By carefully controlling the pixel patterns shown on the screen, our technique generates acoustic waves at specific frequencies from LCD screens.
F. Our Contribution
Our contribution is as follows.
• Air-gap, audio-gap attack. We introduce an acoustic covert channel that does not require audio hardware, a loudspeaker, or an internal speaker on the compromised computer. Instead, we use the LCD screen to generate acoustic signals using designated bitmap patterns.
• Transmission and reception. We designed and implemented a transmitter and receiver and modulation and demodulation algorithms.
• Evasion and stealth. To avoid detection, we used a low-brightness pixel pattern that is difficult to detect. During this attack, the screen may appear dark.
• Multiple transmitters. Our research evaluates the capability of maintaining the covert channel with multiple screen transmitters to increase the bandwidth.
• Split patterns. We show that the bitrate can be increased by using split-screen techniques. We visualize different pixel patterns concurrently on the screen, enabling modulations such as OFDM.
• Countermeasures. We discuss countermeasures to this type of acoustic covert channel.
The paper is organized as follows. We discuss the related work in Section II, present the adversarial attack model in Section IV, and examine modulation techniques and different types of receivers in Section V. We evaluate the proposed covert channel in Section VII, and present countermeasures in Section VIII. We conclude in Section IX.
II. RELATED WORK
The term air-gap covert channels refers to methods of communication that allow the transfer of information between two systems or networks that are physically separated [9]. Researchers and attackers have demonstrated various techniques for bypassing this isolation, creating covert channels for data transfer over air gaps. Air-gap covert channels can be categorized into several groups.
Electromagnetic emanations from electronic devices like computers can be exploited as a covert channel. By modulating electromagnetic radiation, information can be transmitted and received with specialized equipment. Electromagnetic exfiltration methods have been investigated in the past. The AirHopper attack uses the screen cables as antennas to emit radio signals in the FM bands [29]. GSMem exploited the memory and CPU bus to leak data out of air-gapped computers [28]. Other works use data exfiltration from memory in various ways and modulation schemes for data exfiltration in covert and side channels, including LoRa [45], BitJabber [48], and RAMBO [25].
Optical covert channels operate by using light emissions or variations in screen brightness to transmit data. For instance, a malware-infected system could manipulate the display’s brightness, and a nearby camera on another system could capture and interpret the variations [26]. Other techniques utilize indicator LEDs such as those of keyboards, routers, printers, and LCD screens [35][13].
Electric covert channels like PowerHammer involve modulating electrical characteristics, such as voltage or current, to transmit data. A simple sensor could capture and interpret these changes [36].
Magnetic covert channels drive electronic components to generate magnetic fields that encode and transmit data. Magnetic sensors on nearby devices could capture and interpret these variations. Covert channels that exploit magnetic fields, including Odini [37], Magneto [21], MagView [50], and others [42], usually have limited bit rates.
Thermal covert channels leverage temperature variations to transmit data. Malicious software can manipulate CPU and GPU temperatures; a temperature sensor on another PC could interpret these variations. A few thermal covert channels have been successfully demonstrated between computers [30] and cores [41].
A. Acoustic Communication in Air-Gapped Systems
Acoustic communication channels use sound or ultrasonic frequencies to enable data transfer between isolated systems [47]. This method typically involves malware on a secured system manipulating speaker outputs to generate sounds encoded with data. A microphone on a nearby device can capture these sounds, decoding them to retrieve the original data. Previous research has largely focused on the capabilities of loudspeakers in these covert operations. Studies by Carrara [11] and Hanspach [38] delved into the communication capabilities and characteristics of air-gapped systems, exploring various scenarios and practical applications of these covert channels. Hanspach et al. have successfully shown that it’s possible to send data through the air using ultrasonic frequencies undetectable by human ears, highlighting the technique’s potential for creating a mesh network and its security concerns [38]. Beyond computers, acoustic signals have been used to transmit data between mobile devices [44][15]. Other attacks, such as MOSQUITO [33] and SpeakEar [32], have even transformed computer speakers into microphones. Recent advancements include Sherry et al.’s demonstration of a software-defined radio (SDR) approach for establishing ultrasonic frequency channels with low bandwidth [46], and Zhang et al.’s discussion on ultrasound-based communication among smart devices [49]. Techniques like AirViber [19] and Gairoscope [20] leverage mechanical vibrations from computer parts for data transmission, with smartphones acting as receivers. Additionally, Matyunin has introduced a method using vibrations from low-frequency acoustic signals for covert communication [43].
B. Overcoming Audio-Gap Restrictions
Researchers have developed methods of exfiltrating sound from computer systems that lack speakers as a result of audio-gapping security measures. Guri et al. introduced Fansmitter, a technique that varies the noise of computer fans (CPU/GPU) through malware, with these sound variations being detectable by nearby smartphones [34][24]. Diskfiltration leverages hard disk drive noise [31], while CD-LEAK uses sounds from CD/DVD drives for data modulation [18]. The power-supply attack, introduced by Guri et al. in 2020, demonstrates how power supply units can be manipulated to emit sound or ultrasonic waves without traditional speakers [22]. More recently, inkjet printers have been adapted by Briseno et al. to send mechanical acoustic signals, allowing for the low-rate transfer of sensitive data over short distances [14].
III. ATTACK MODEL
The attack model on air-gapped networks is composed of three main phases: (1) network infiltration, (2) data gathering, and (3) data exfiltration.
Network infiltration. In computer security, an air gap is a measure to ensure that a secure network is completely disconnected from unsecured networks, including the Internet. However, despite the isolation, determined attackers may still find ways to breach the air gap and compromise the security of the isolated system, installing high-profile malware or an APT. Attackers may gain physical access to the isolated system through direct infiltration or by manipulating insiders. Once physical access is achieved, malware or malicious hardware can be introduced to compromise the system [16]. USB drives or other removable media can be used as malware delivery vectors. An attacker may infect a device outside the air-gapped environment, insert an infected USB drive into the isolated system, and execute or transfer malware. Phishing, malicious insiders, or other social engineering techniques may be employed to trick individuals with access to the air-gapped system into taking actions that compromise security, such as clicking on malicious links or downloading infected files. Attackers may also use software supply chain attacks by targeting software application dependencies or third-party libraries. By compromising these dependencies, they can introduce vulnerabilities or malicious code that may go unnoticed during development and testing [40].
Data gathering. At the second stage, the malware may gather information of interest, including files, keylogging, biometric information, encryption keys, images, etc. The information might be collected locally or by several instances of the APT and may be kept in a persistent way in a file system on the hard disk drive.
Data exfiltration. As part of the third phase of the attack, the APT may choose to exfiltrate the information. At this stage, the data is encoded and exfiltrated acoustically, modulated over the acoustic signals emanating from the LCD screens of local computers. Nearby microphones, compromised laptops, or malware-infected smartphones can collect the acoustic signals. The receiving device records the acoustic signals, demodulates and decodes them, and then sends them to the attacker over the Internet.
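The exfiltration phase relies on the screen's acoustic signal reaching a microphone in the room, which gives the defender the same vantage point. The following is an added example, not code from the paper, of a simple acoustic monitor for audio-gapped rooms: it scans a grid of candidate carrier frequencies with a Goertzel filter and reports any tone whose energy stays far above the band's median for several consecutive frames, the signature of a keyed carrier rather than of broadband equipment hum. The 44.1 kHz sample rate, the 250 Hz candidate grid, the 20x threshold and the synthetic recording are all assumptions made here.

```python
import math
import random

SAMPLE_RATE = 44100               # Hz; spans the 0 - 22 kHz band named in the paper
FRAME = 2048                      # samples per analysis frame (about 46 ms)
BAND = range(1000, 22000, 250)    # candidate carrier frequencies to scan, Hz (assumed grid)

def hann(frame):
    """Hann window: keeps a strong tone from leaking into neighbouring candidates."""
    n = len(frame)
    return [x * (0.5 - 0.5 * math.cos(2.0 * math.pi * i / n)) for i, x in enumerate(frame)]

def goertzel_power(frame, freq_hz, rate=SAMPLE_RATE):
    """Signal energy at one frequency (Goertzel algorithm, no FFT library needed)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq_hz / rate)
    s_prev, s_prev2 = 0.0, 0.0
    for x in frame:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2

def tone_candidates(frame, ratio=20.0):
    """Frequencies whose energy exceeds `ratio` times the band's median energy."""
    windowed = hann(frame)
    powers = {f: goertzel_power(windowed, f) for f in BAND}
    median = sorted(powers.values())[len(powers) // 2]
    return {f for f, p in powers.items() if p > ratio * median}

def detect_sustained_tones(samples, min_frames=3):
    """Return frequencies (Hz) that stand out in >= min_frames consecutive frames."""
    flagged, streak = set(), {}
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        current = tone_candidates(samples[start:start + FRAME])
        streak = {f: streak.get(f, 0) + 1 for f in current}   # tones that vanished drop out
        flagged |= {f for f, n in streak.items() if n >= min_frames}
    return sorted(flagged)

def constructed_recording(carrier_hz=15500, seconds=0.5, seed=1):
    """Constructed microphone capture: white noise plus an on/off keyed carrier (0 Hz = noise only)."""
    rng = random.Random(seed)
    samples = []
    for n in range(int(SAMPLE_RATE * seconds)):
        keyed_on = (n // (FRAME * 4)) % 2 == 0          # carrier on for 4 frames, off for 4
        tone = 0.2 * math.sin(2.0 * math.pi * carrier_hz * n / SAMPLE_RATE) if keyed_on else 0.0
        samples.append(tone + rng.gauss(0.0, 0.05))
    return samples

if __name__ == "__main__":
    print("sustained narrowband tones (Hz):", detect_sustained_tones(constructed_recording()))
```

A carrier that falls between grid points is missed by this scan; a finer grid or FFT peak picking closes that gap at the cost of more computation per frame.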