Abstract
An air-gapped computer is physically isolated from unsecured networks in order to guarantee effective protection against data exfiltration. Because of the air gap, unauthorized data transfer seems impossible over legitimate communication channels, but in reality many so-called physical covert channels can be constructed to exfiltrate data across the air gap. Most such covert channels are very slow and often require strict conditions to work (e.g., no physical obstacles between the sender and the receiver). In this paper, we introduce a new through-wall physical covert channel named BitJabber that is extremely fast and has a long attacking distance. We show that this covert channel can be easily created by an unprivileged sender running on a victim’s computer. Specifically, the sender constructs the channel by using only memory accesses to modulate the electromagnetic (EM) signals generated by the DRAM clock. While possessing a very high bandwidth (up to 300,000 bps), this new covert channel is also very reliable (less than 1% error rate). More importantly, it enables data exfiltration from an air-gapped computer enclosed in a room with walls up to 15 cm thick, and the maximum attacking distance is more than 6 m.
Availability of Data and Material
The datasets generated during and/or analyzed during the current study are available from the corresponding author on reasonable request.
Code Availability
N/A.
References
Zhan Z, Zhang Z, Koutsoukos X (2020) BitJabber: The world’s fastest electromagnetic covert channel. In: 2020 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), IEEE
Guri M, Monitz M, Mirski Y, Elovici Y (2015b) BitWhisper: Covert signaling channel between air-gapped computers using thermal manipulations. In: 2015 IEEE 28th Computer Security Foundations Symposium (CSF ’15), pp 276–289
Guri M, Zadov B, Elovici Y (2017b) LED-it-GO: Leaking (a lot of) data from air-gapped computers via the (small) hard drive LED. In: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA ’17), pp 161–184
Lopes AC, Aranha DF (2017) Platform-agnostic low-intrusion optical data exfiltration. In: Proceedings of the 3rd International Conference on Information Systems Security and Privacy, pp 474–480
Loughry J, Umphress DA (2002) Information leakage from optical emanations. ACM Transactions on Information and System Security (TISSEC) 5(3):262–289
Sepetnitsky V, Guri M, Elovici Y (2014) Exfiltration of information from air-gapped machines using monitor’s LED indicator. In: 2014 IEEE Joint Intelligence and Security Informatics Conference, IEEE, pp 264–267
Guri M, Daidakulov A, Elovici Y (2018a) MAGNETO: Covert channel between air-gapped systems and nearby smartphones via CPU-generated magnetic fields. arXiv preprint arXiv:1802.02317
Guri M, Zadov B, Daidakulov A, Elovici Y (2018c) ODINI: Escaping sensitive data from Faraday-caged, air-gapped computers via magnetic fields. arXiv preprint arXiv:1802.02700
Matyunin N, Szefer J, Biedermann S, Katzenbeisser S (2016) Covert channels using mobile device’s magnetic field sensors. In: 2016 21st Asia and South Pacific Design Automation Conference (ASP-DAC ’16), pp 525–532
Carrara B, Adams C (2014) On acoustic covert channels between air-gapped systems. In: International Symposium on Foundations and Practice of Security, Springer, pp 3–16
Guri M, Solewicz Y, Daidakulov A, Elovici Y (2016c) Fansmitter: Acoustic data exfiltration from (speakerless) air-gapped computers. arXiv preprint arXiv:1606.05915
Guri M, Solewicz Y, Daidakulov A, Elovici Y (2017a) Acoustic data exfiltration from speakerless air-gapped computers via covert hard-drive noise (‘diskfiltration’). In: European Symposium on Research in Computer Security (ESORICS ’17), pp 98–115
Hanspach M, Goetz M (2013) On covert acoustical mesh networks in air. J Commun 8(11)
Guri M, Kedma G, Kachlon A, Elovici Y (2014) AirHopper: Bridging the air-gap between isolated networks and mobile phones using radio frequencies. In: 2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE ’14), IEEE, pp 58–67
Guri M, Kachlon A, Hasson O, Kedma G, Mirsky Y, Elovici Y (2015a) GSMem: Data exfiltration from air-gapped computers over GSM frequencies. In: 24th USENIX Security Symposium (USENIX Security 15), pp 849–864
Guri M, Monitz M, Elovici Y (2016b) USBee: Air-gap covert-channel via electromagnetic emission from USB. In: 2016 14th Annual Conference on Privacy, Security and Trust (PST ’16), pp 264–268
Zajić A, Prvulovic M (2014) Experimental demonstration of electromagnetic information leakage from modern processor-memory systems. IEEE Trans Electromagn Compat 56(4):885–893
Callan R, Zajić A, Prvulovic M (2015) FASE: Finding amplitude-modulated side-channel emanations. In: 2015 ACM/IEEE 42nd Annual International Symposium on Computer Architecture (ISCA ’15), pp 592–603
Lampson BW (1973) A note on the confinement problem. Commun ACM 16(10):613–615
Szefer J (2019) Survey of microarchitectural side and covert channels, attacks, and defenses. Journal of Hardware and Systems Security 3(3):219–234
Masti RJ, Rai D, Ranganathan A, Müller C, Thiele L, Capkun S (2015) Thermal covert channels on multi-core platforms. In: 24th USENIX Security Symposium (USENIX Security 15), pp 865–880
Maurice C, Neumann C, Heen O, Francillon A (2015) C5: cross-cores cache covert channel. In: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA ’15), pp 46–64
Ristenpart T, Tromer E, Shacham H, Savage S (2009) Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. In: Proceedings of the 16th ACM conference on Computer and communications security (CCS ’09), ACM, pp 199–212
Sullivan D, Arias O, Meade T, Jin Y (2018) Microarchitectural minefields: 4K-aliasing covert channel and multi-tenant detection in IaaS clouds. In: NDSS ’18
Wang Z, Lee RB (2006) Covert and side channels due to processor architecture. In: 2006 22nd Annual Computer Security Applications Conference (ACSAC ’06), IEEE, pp 473–482
Wu Z, Xu Z, Wang H (2012) Whispers in the hyper-space: High-speed covert channel attacks in the cloud. In: Presented as part of the 21st USENIX Security Symposium (USENIX Security 12), pp 159–173
Xu Y, Bailey M, Jahanian F, Joshi K, Hiltunen M, Schlichting R (2011) An exploration of L2 cache covert channels in virtualized environments. In: Proceedings of the 3rd ACM Workshop on Cloud Computing Security Workshop (CCSW ’11), pp 29–40
Davidov M, Oldenburg B (2020) Tempesthome - finding radio frequency side channels. Tech. rep., Duo, URL https://duo.com/labs/research/finding-radio-sidechannels
Guri M (2020) POWER-SUPPLaY: Leaking data from air-gapped systems by turning the power-supplies into speakers. arXiv preprint arXiv:2005.00395
Zhou Z, Zhang W, Yang Z, Yu N (2017) Exfiltration of data from air-gapped networks via unmodulated LED status indicators. arXiv preprint arXiv:1711.03235
Guri M, Hasson O, Kedma G, Elovici Y (2016a) An optical covert-channel to leak data through an air-gap. In: 2016 14th Annual Conference on Privacy, Security and Trust (PST ’16), pp 642–649
Guri M, Bykhovsky D, Elovici Y (2019) Brightness: Leaking sensitive data from air-gapped workstations via screen brightness. In: 2019 12th CMI Conference on Cybersecurity and Privacy (CMI), IEEE, pp 1–6
Guri M (2019) HOTSPOT: Crossing the air-gap between isolated PCs and nearby smartphones using temperature. In: 2019 European Intelligence and Security Informatics Conference (EISIC), IEEE, pp 94–100
Guri M, Zadov B, Bykhovsky D, Elovici Y (2018b) PowerHammer: Exfiltrating data from air-gapped computers through power lines. arXiv preprint arXiv:1804.04014
Nassi B, Pirutin Y, Shamir A, Elovici Y, Zadov B (2020) Lamphone: Real-time passive sound recovery from light bulb vibrations. Cryptology ePrint Archive
Kwong A, Xu W, Fu K (2019) Hard drive of hearing: Disks that eavesdrop with a synthesized microphone. In: 2019 IEEE symposium on security and privacy (SP), IEEE, pp 905–919
Sehatbakhsh N, Yilmaz BB, Zajic A, Prvulovic M (2020) A new side-channel vulnerability on modern computers by exploiting electromagnetic emanations from the power management unit. In: 2020 IEEE International Symposium on High Performance Computer Architecture (HPCA), IEEE, pp 123–138
Shen C, Liu T, Huang J, Tan R (2021) When LoRa meets EMR: Electromagnetic covert channels can be super resilient. In: 2021 IEEE Symposium on Security and Privacy (SP), IEEE Computer Society, Los Alamitos, CA, USA, pp 1304–1317. https://doi.org/10.1109/SP40001.2021.00031
Ge Q, Yarom Y, Cock D, Heiser G (2018) A survey of microarchitectural timing attacks and countermeasures on contemporary hardware. J Cryptogr Eng 8(1):1–27
Departments, agencies of the Federal Government (2019) Code of federal regulations. URL https://www.ecfr.gov/cgi-bin/text-idx?SID=8c3c331bc40fd1a017dbf9917665f6c6&mc=true&node=pt47.1.15&rgn=div5
Zhang Z, Zhan Z, Balasubramanian D, Li B, Volgyesi P, Koutsoukos X (2020) Leveraging EM side-channel information to detect Rowhammer attacks. In: 2020 IEEE Symposium on Security and Privacy (S&P ’20), pp 729–746
Hassan M, Kaushik AM, Patel H (2015) Reverse-engineering embedded memory controllers through latency-based analysis. In: 21st IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS ’15), pp 297–306
Pessl P, Gruss D, Maurice C, Schwarz M, Mangard S (2016) DRAMA: Exploiting DRAM addressing for cross-CPU attacks. In: 25th USENIX Security Symposium (USENIX Security 16), pp 565–581
Xiao Y, Zhang X, Zhang Y, Teodorescu R (2016) One bit flips, one cloud flops: Cross-VM row hammer attacks and privilege escalation. In: 25th USENIX Security Symposium (USENIX Security 16), pp 19–35
Aweke ZB, Yitbarek SF, Qiao R, Das R, Hicks M, Oren Y, Austin T (2016) ANVIL: Software-based protection against next-generation Rowhammer attacks. ACM SIGPLAN Not 51(4):743–755
Yağlıkçı AG, Patel M, Kim JS, Azizi R, Olgun A, Orosa L, Hassan H, Park J, Kanellopoulos K, Shahroodi T, et al. (2021) BlockHammer: Preventing RowHammer at low cost by blacklisting rapidly-accessed DRAM rows. In: 2021 IEEE International Symposium on High-Performance Computer Architecture (HPCA), IEEE, pp 345–358
Funding
This work is supported in part by the National Science Foundation (CNS-1739328, CNS-2147217).
Contributions
N/A.
Ethics declarations
Ethics Approval
N/A.
Consent to Participate
All the authors have approved.
Consent for Publication
All the authors have approved.
Competing Interests
Yier Jin.
This article is an extension of our previous work [1].
Cite this article
Zhan, Z., Zhang, Z. & Koutsoukos, X. A High-Speed, Long-Distance and Wall-Penetrating Covert Channel Based on EM Emanations from DRAM Clock. J Hardw Syst Secur 6, 47–65 (2022). https://doi.org/10.1007/s41635-022-00128-6