Ethernet, now broadcasting

At the Chaos Communication Congress late last year, researcher and radio amateur Jacek Lipkowski presented the results of his experiments involving exfiltration of data from an isolated network by means of the background electromagnetic radiation generated by network equipment. Lipkowski’s presentation may be the latest, but it’s hardly the only one: New methods of exfiltrating information from computers and networks located beyond an air gap are discovered with disturbing regularity.

Any wire can function as an antenna, and attackers infiltrating an isolated network and executing their code could, in theory, use such an antenna to transmit data to the outside world — they’d just have to modulate the radiation with software.

Lipkowski decided to test the feasibility of using conventional Ethernet networks for that data transmission.

A caveat right off the bat: The researcher mainly used the Raspberry Pi 4 model B in his experiments, but he says he is confident that the results are reproducible with other Ethernet-connected devices — or, at least, embedded ones. He used Morse code to transmit the data. It’s not the most efficient method, but it is easy to implement; any radio amateur can receive the signal with a radio and decipher the message by listening to it, making Morse code a fine option for demonstrating the vulnerability in question, which the author dubbed Etherify.

Experiment 1: Modulating frequency

Modern Ethernet controllers use the standardized media-independent interface (MII). The MII provides for data transmission at various frequencies depending on bandwidth: 2.5 MHz at 10 Mbit/s, 25 MHz at 100 Mbit/s, and 125 MHz at 1 Gbit/s. At the same time, network devices permit bandwidth switching and corresponding changes in frequency.

Data transmission frequencies, which generate different electromagnetic radiation from the wire, are the “gear switches” that can be used for signal modulation. A simple script — using 10 Mbit/s interference as 0 and 100 Mbit/s interference as 1, say — can instruct a network controller to transmit data at one speed or another, thus, essentially, generating the dots and dashes of Morse code, which a radio receiver can easily capture from up to 100 meters away.

Experiment 2: Transferring data

Switching data transfer speed is not the only way to modulate a signal. Another way employs variances in background radiation from running network equipment; for example, malware on an isolated computer might use the standard networking utility for verifying connection integrity (ping -f) to load the channel with data. Transfer interruptions and resumptions will be audible from up to 30 meters away.

Experiment 3: You don’t need the wire

The third experiment was unplanned, but the results were still interesting. During the first test, Lipkowski forgot to connect a cable to the transmitting device, but he was still able to hear the change in the controller’s data transmission rate from about 50 meters away. That means, by and large, the data can be transferred from an isolated machine as long as the machine has a network controller, regardless of whether it is connected to a network. Most modern motherboards do have an Ethernet controller.

Further experiments

The Air-Fi method of data transmission is generally reproducible on office devices (laptops, routers), but with varying effectiveness. For example, the laptop network controllers Lipkowski used to try and reproduce the initial experiment established a connection a few

Continue reading

This post was originally published on this site