{"id":5253,"date":"2024-09-11T08:00:44","date_gmt":"2024-09-11T13:00:44","guid":{"rendered":"https:\/\/www.darkreading.com\/ics-ot-security\/air-gapped-networks-vulnerable-to-acoustic-attack-via-lcd-screens"},"modified":"2024-09-11T08:00:44","modified_gmt":"2024-09-11T13:00:44","slug":"air-gapped-networks-vulnerable-to-acoustic-attack-via-lcd-screens","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/09\/11\/air-gapped-networks-vulnerable-to-acoustic-attack-via-lcd-screens\/","title":{"rendered":"Air-Gapped Networks Vulnerable to Acoustic Attack via LCD Screens"},"content":{"rendered":"<div class=\"media_block\"><a href=\"https:\/\/i0.wp.com\/eu-images.contentstack.com\/v3\/assets\/blt6d90778a997de1cd\/blt1f82b754fe316f64\/66e09dad2157f3d779084b5f\/Screen_noise-MISCELLANEOUSTOCK-Alamy.jpg?ssl=1\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/air-gapped-networks-vulnerable-to-acoustic-attack-via-lcd-screens.jpg?w=640&#038;ssl=1\" class=\"media_thumbnail\"><\/a><\/div>\n<div><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/air-gapped-networks-vulnerable-to-acoustic-attack-via-lcd-screens.jpg?w=640&#038;ssl=1\" class=\"ff-og-image-inserted\"><\/div>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">A newly devised covert channel attack method could undermine diligently devised air gaps at highly sensitive organizations.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">In industrial control systems security, the term &#8220;air gap&#8221; is contested. It typically describes a total physical separation between networks \u2014 a literal gap through which no Wi-Fi signals, wires, etc., can pass. The most critical military, government, and industrial sites use air gaps to prevent Internet-based cyber threats from penetrating the kinds of networks that protect state secrets and human lives.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">But any medium capable of transmitting information can, in theory, be weaponized to transmit the bad kind. Mordechai Guri of Israel&#8217;s Ben-Gurion University has long researched ways of crossing air gaps with sound waves: via computer fans, hard disk drives, CD\/DVD drives, and more. His latest attack scenario, &#8220;Pixhell,&#8221; enables data theft using sounds produced by specially generated, rapidly shifting bitmap patterns on an LCD screen.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"How Pixhell Works\">How Pixhell Works<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">It&#8217;s midnight, and everyone working at the top secret intelligence facility has long gone home for the night, when all of a sudden a computer screen flashes with what appears to be random noise, as if it&#8217;s missing a signal. It isn&#8217;t missing a signal \u2014 the apparent noise <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><span class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_italic\">is <\/span><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">the signal.&nbsp;&nbsp;<\/span><\/p>\n<p><iframe title=\"Embedded content\" src=\"https:\/\/www.youtube.com\/embed\/TtybA7C47SU?si=20SMIxM2diVwKrC7\" height=\"315px\" width=\"100%\" allowfullscreen data-testid=\"iframe-video\">[embedded content]<\/iframe><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Pixhell only works if an attacker can infect or control at least one device on each side of an air gap.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Air gaps typically connect critical networks with less critical networks, so the latter half of that job might be achieved by an Internet-based attack, while the former will require <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/cyber-risk\/stuxnet-five-years-later-did-we-learn-the-right-lesson-\" rel=\"noopener\">more stringent measures<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">. Still, a machine behind an air gap can be infected in any number of ways: via supply chain compromise, <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/ics-ot-security\/weirdest-trend-cybersecurity-nation-states-usb\" rel=\"noopener\">a removable drive<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> in the hands of a malicious or unwitting insider, or assorted other options.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Then, with no other obvious means of communicating \u2014 not Wi-Fi, Bluetooth, a speaker, or anything else \u2014 a computer can be made to transmit information over an air gap via the sounds generated by its screen.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Simplified, LCD screens have capacitors \u2014 which store and release electrical charge \u2014 and inductors \u2014 which help manage the voltage to those capacitors. While they&#8217;re working, these components generate the faintest of high-pitched frequencies, inaudible to the human ear.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">However, &#8220;Speakers and microphones generally have a frequency range that is broader than human hearing,&#8221; explains Andrew Ginter, vice president of industrial security at Waterfall Security Solutions. &#8220;The high end of the frequency range is where you can encode the greatest amount of information \u2014 the largest number of bits per second \u2014 and it&#8217;s ultrasound. Dogs might freak out in the room, but humans can&#8217;t hear it.&#8221;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">In experiments, the Pixhell malware manipulated pixels on a screen in such a way as to cause its inductors and capacitors to vibrate at specific frequencies. In so doing, they generated sound waves translating stolen, encoded data to the machine on the other side of an air gap, with varying fidelity at distances of up to two and a half meters. As Ginter puts it, &#8220;An attacker can send information from either computer to the other&#8217;s microphone, and you can be sitting in the room and not realize information is being communicated.&#8221;<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"The Wide World of Covert Channel Attacks\">The Wide World of Covert Channel Attacks<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Besides acoustics, there are any number of other, equally creative means to carry out covert channel attacks in theory.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;It&#8217;s been reported that with sufficient effort, you can use Ethernet wiring as software-defined radio transmitters and receivers,&#8221; Ginter notes. Some 20 years ago, 56-kilobit-per-second modems had an LED on the front so users could see if their data was moving. Ginter says you could turn the LED on when there was a one bit being transmitted, or off when it was a zero bit. &#8220;And it turned out that the LED was extremely responsive \u2014 so responsive that if you had a fast enough camera or detector, you could actually detect every bit that was being sent through the modem by watching the LED,&#8221; he adds.&nbsp;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Countless other fun examples can be found in the annals of computer research archives. &#8220;Some computers have the ability to do detailed measurements on the voltage that&#8217;s coming into the battery. And what that means is that if you have two computers plugged into the same circuit, even if they&#8217;re using different outlets, one computer can consume more power briefly and less power a fraction of a second later, and the other one can detect these very tiny changes in voltage, so they can signal to each other that way. Even though they&#8217;re electrically connected to different networks, they&#8217;re both connected to the same power,&#8221; he explains.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"What the Best Air Gaps Look Like\">What the Best Air Gaps Look Like<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">For the overwhelming majority of organizations, a physical air gap is sufficient to protect against even high-level adversaries, who aren&#8217;t likely to pull off Pixhell-style attacks.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Those few most sensitive sites on the planet that have to worry about covert channel attacks \u2014 spy agencies, military headquarters, power plants \u2014 have already dedicated significant time and resources to building not just air gaps, but air gaps that make these scenarios impractical.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;At some extremely sensitive OT sites, they will have all of the OT equipment in one server room, and they&#8217;ll have the IT equipment in another server room down the hall. And the only connection between the server rooms is a single fiber-optic connection that is a unidirectional gateway from OT to IT,&#8221; Ginter explains.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Past that, he adds, the greater the distance between communicating computers, the more difficult it is to exploit covert channels. &#8220;If it&#8217;s an electrical [channel you&#8217;re worried about], you&#8217;ve got electrical noise between rooms. If it&#8217;s audible, there are closed doors in the way. If it&#8217;s temperature, you can heat up the room in a region very slightly [at intervals], so there&#8217;s so much thermal noise that it becomes impractical to send any information out.&#8221; The operative idea is signal-to-noise ratio (SNR): How much noise does one have to generate to make a covert channel attack impractical?<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Whether such science-fiction-level defenses are warranted will depend on the organization at risk. &#8220;Some of the countermeasures were given for scientific discussion, but they are less practical to deploy in real life,&#8221; Guri says. As an example, he points out that acoustic jammers would stop Pixhall right in its tracks: &#8220;Such a noise jammer may work in countering the attack, but it will make the environment too noisy for people to work.&#8221;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><span class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_bold ContentText-BodyTextChunk_italic\">Don&#8217;t miss the latest <\/span><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link ContentText-BodyTextChunk_bold ContentText-BodyTextChunk_italic\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/podcasts\" rel=\"noopener\">Dark Reading Confidential podcast<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><span class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_bold ContentText-BodyTextChunk_italic\">,<\/span><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><span class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_italic\"> where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail &#8212; just for doing their pen-testing jobs.<\/span><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><span class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_bold ContentText-BodyTextChunk_italic\">&nbsp;<\/span><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link ContentText-BodyTextChunk_bold ContentText-BodyTextChunk_italic\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/vulnerabilities-threats\/dark-reading-confidential-pen-test-arrests-five-years-later\" rel=\"noopener\">Listen now!<\/a><\/span><\/p>\n<p><a href=\"https:\/\/www.darkreading.com\/ics-ot-security\/air-gapped-networks-vulnerable-to-acoustic-attack-via-lcd-screens\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A newly devised covert channel attack method could undermine diligently<\/p>\n","protected":false},"author":12,"featured_media":5254,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-5253","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/air-gapped-networks-vulnerable-to-acoustic-attack-via-lcd-screens-scaled.jpg?fit=2560%2C1440&ssl=1",2560,1440,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/air-gapped-networks-vulnerable-to-acoustic-attack-via-lcd-screens-scaled.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/air-gapped-networks-vulnerable-to-acoustic-attack-via-lcd-screens-scaled.jpg?fit=300%2C169&ssl=1",300,169,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/air-gapped-networks-vulnerable-to-acoustic-attack-via-lcd-screens-scaled.jpg?fit=640%2C360&ssl=1",640,360,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/air-gapped-networks-vulnerable-to-acoustic-attack-via-lcd-screens-scaled.jpg?fit=640%2C360&ssl=1",640,360,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/air-gapped-networks-vulnerable-to-acoustic-attack-via-lcd-screens-scaled.jpg?fit=1536%2C864&ssl=1",1536,864,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/air-gapped-networks-vulnerable-to-acoustic-attack-via-lcd-screens-scaled.jpg?fit=2048%2C1152&ssl=1",2048,1152,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/air-gapped-networks-vulnerable-to-acoustic-attack-via-lcd-screens-scaled.jpg?fit=1024%2C576&ssl=1",1024,576,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/air-gapped-networks-vulnerable-to-acoustic-attack-via-lcd-screens-scaled.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/air-gapped-networks-vulnerable-to-acoustic-attack-via-lcd-screens-scaled.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/air-gapped-networks-vulnerable-to-acoustic-attack-via-lcd-screens-scaled.jpg?fit=2560%2C1440&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5253","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=5253"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5253\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/5254"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=5253"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=5253"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=5253"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}