
Welcome to Jumping Air Gaps. I'm Monty Elkins from a little company called FoxGuard; we do industrial control system security. We'll talk a little bit about the history and the future of security, and in particular about jumping air gaps. I started exploring this concept this year.

So what's an air gap? Right, so we're going to try to protect systems by disconnecting them from the public internet, or from any kind of internet. Normally everything is sort of wired up, but we're going to separate this thing out, because we think that's probably the ultimate in network security: to not be connected at all. So what better for hackers to look at than, you know, the ultimate in security? And in particular, we work in the electric space and sort of in the nuclear space, another place where these disconnected networks are kind of the pinnacle of security. So we started playing with these.

Here's the other thing I want you to know: none of this is magic. If I can do it, you guys can do it. This is the first thing we played with. This is a little teensy microcontroller with a cadmium sulfide light detector on there, and what we did was modulate the caps-lock light to pull data off the device. It's a stupid hacker trick, but I can pull data out of there that will probably get past your data exfiltration protection. You can come up and see these later, or maybe we can pass them around; if you want, try to make sure they get back up here. It's just random hardware, lots of fun, but it's really not that hard.

As a matter of fact, you hear about these things and they've been done forever. This is a watch from 1995. Anybody know what this is? Anybody recognize this? Well, you have one? Right, yeah, I've got one now; I didn't at the time, but now it's cool. The way you could program this, before you had PDAs, was that you would hold it up to the screen and it would flash data, and this was a light sensor, so you could put your appointments in here. It doesn't work with the new LCDs; you have to have a CRT. So we've been using light to transmit data forever, way back before that, probably in the 60s.

Who knows what this is? A modem, a dial-up modem, back in the day before we had cable internet. They had blinky lights on that, and in particular they had an RX light and a TX light that would blink as it received a bit or as it transmitted a bit. Some smart folks at some three-letter agency figured out that you could point a telescope at that, read those blinks, and pull the data off from anywhere you could see those blinky lights. Pretty cool. Eventually they would kind of smear out the lights, but whatever; we've done this for a long time.

We also did ultrasonic transmission of data. This is a pretty non-traditional way to jump an air gap, but this is a little Arduino with a little piece of speaker, and my partner wrote a cell phone app that would capture the data and decode it, so we could transmit hello messages and send a little bit of data, and you could pick it up on your cell phone. Kind of cool, but in today's day and age it's really not that hard. The stuff that used to be very complex, complicated stuff, today not so much. As a matter of fact, we've been using ultrasonic forever. Does anybody know what this is? I brought one; this is the shiny version, the picture looks older. This is a Zenith Space Command. It's a remote control, an ultrasonic remote control. The new ones are quiet, infrared, right, but they run at a 400 kilohertz modulation tone, which comes from these ultrasonic ones; the history is in the ultrasonic. Another quick question: what kind of batteries does this take? Any idea? No batteries at all. How many transistors? Zero. How many capacitors, resistors? Zero. This is an entirely mechanical system. There are little tuned metal bars in here, and when you push this button, the clicker (anybody heard of them called clickers? Right, now you know where some of the terminology comes from) hammers the end of this bar at an ultrasonic frequency you can't hear but the television can pick up. So we've been using ultrasonic forever as well.

Radio frequency is the new hotness, but radio frequency transmission is
dead simple. Any place you can blink an LED, if you can have some dedicated hardware like an SDR nearby (dedicated hardware means that you can pick that up, with just a little bit of line on the LED). So again, I said Arduino: I send out my callsign and a little hello message. Actually, we're going to have a capture the flag; I probably shouldn't say this, don't tell anybody, but there's going to be a capture the flag where they can pick up passwords by decoding information coming out of an Arduino over your SDR. But that's kind of dead simple, at least on the transmit side, and now, because of the way technology has changed, it's pretty simple to receive and decode with some dedicated hardware, your $15 SDRs. But anyplace you can blink an LED or a pin, you can transmit RF, pretty much. I'm doing this one at 57,600 kilohertz, pretty low, and one of the reasons 57,600 is nice and low is that the Arduinos don't have a lot of speed, so I can do that. Anybody recognize the number 57,600? Yeah, it's one of the multiples of the modem: 12, 24 and 56. So my thought being that even if I don't have high-speed dedicated hardware, maybe I can do it with things that have serial ports, straight off the serial port, right? RF frequencies at 57,600, and sure enough I can pick them up over short distances.

Well, we've been doing that forever too. These: anybody? Just raise your hand, you might know what these things are, either of these. All right, here's the old design; yeah, right. So these are industrial control systems in the 60s and the 70s; they ran off of these things. You realize you programmed these with the switches on the front, right? I actually did boot loader tape loaders by programming them off the front. But in any case, in the sixties or so we realized, with some dedicated hardware, the dedicated hardware being an AM radio, that we could write programs that generated audio tones and play simple music. So we're using computers to run different instructions, they're toggling power off and on internally, and we can pick that up externally, and primarily use it for entertainment: oh look, the computer can play a single voice of music. Not very high fidelity, but you can do it.

Did we get up to implants? So this is my new USB cable. There are a couple of different ones; this is the Apple version, Cassadine. The cool thing about this USB cable is that your SIM card goes in here in the slot, right, and it will transmit voice and GPS location back, and you always have power, because the person, right, you keep this plugged up to the power and then you plug it up to your phone. So this is your hardware data exfiltration. I paid like 15 bucks for that; you know why? Because the $5.99 ones were sold out. So this stuff is incredibly cheap, comes straight from China. It doesn't say that it does data, it's just doing voice and location, so maybe the data goes straight back to somebody else, I don't know. But yeah, you saw it: you slide your SIM card in there and that's the way it works. We've been doing these things forever too.

I see you laughing, you know what this is. The Thing. Anybody else? No one? The Thing is, yeah, okay. Right, so I won't do it justice, it's a story in itself, but the short short short version is: about 1947, I think, a bunch of Russian schoolchildren presented this hand-carved seal of the US for the Russian ambassador, who promptly hung it on his wall, where it stayed for, I don't know, four, five, six, seven years, and three different ambassadors. It turns out on the inside it was basically a passive device; it's all hollow, but sound would change its resonant cavity, and if you illuminated it with microwaves it would modulate an audio signal, so you could pick up a radio frequency with an audio modulation. That was pretty incredible technology. By the way, there are no active parts in there; it's powered remotely by microwave. Maybe that's where some of the tinfoil hat myths come from. His... by the way, anybody heard of one of those musical devices called a theremin? Yeah, he helped invent this thing, just by the way. I thought that was fascinating. He also did the early... you've heard of laser microphones? I'm doing some work with that right now: you bounce a laser. He did that too, before there were little lasers; he did it with infrared, which is invisible. Yeah, I just thought he made silly music.

So it turns out, even though air gaps are great, they are often impractical. Even in industrial control systems, it turns out that we need data out on a regular basis; we need some information about the system for tuning and efficiency and maintenance purposes to come out on a regular basis, so we set up those networks. By the way, what do you think is the furthest-out air-gapped industrial control system you can think of? Satellites, the International Space Station, all right, they're pretty far out there. They've been owned by viruses at least twice. So I'm just saying that there are some other ways to jump these
air gaps, but I'm more interested in a continuous communication channel, because sophisticated attacks in the ICS space, it's not "hey, can we make something happen, can we turn this thing off?" Let's say it's a power plant: can we turn off a power plant? Great, that's old hat, right? The state of the art in the research in this space is not "can I turn off this power plant?" It's "can I find the most expensive piece in this plant, the most difficult to replace, and can I destroy it in such a way that it will take you a long time and a lot of money to destroy it?" And what that means is that you have to do research for a while; you need an existing network connection for a while to understand what happens in that infrastructure, so that you can do the most damage. So that's sort of the state of the art in the ICS space. That's where real security happens, let me tell you, when we're facing the most sophisticated, well-funded nation-state attacks, first in industrial control systems.

So typically we think about what we're going to move into. Who's heard of a data diode before? Unidirectional? Okay. Oh man, well, that's much more than I expected. I generally speak to ICS-specific audiences, right, but know that that's about 50%, in case you couldn't see. In general, when we're talking about one-way communication, we often think of it like this: if you had some intelligence agency, some three-letter agency, they want to be able to collect secrets, but they want to make sure nothing comes back out, right? It would be awesome if you could just make sure that data went in but didn't come out. In industrial control systems it's the other way around. We would like data to be able to come out, so that we can figure out: is it working right, can we bill people for the product we're making (we're making water or chemicals or pharmaceuticals or whatever), but we don't want data to go in. We don't want people to be able to send in any type of control message to this system, right? You can't change it. It's okay if you can read what's going on, but you can't change it.

So it would be great if we had something like a data diode. The data diode comes from the concept of an electrical diode. If you are an electronics hobbyist or practitioner, you know that a diode only allows electric current to flow in one direction, not the other. There are a couple of patents for data diodes we won't really go over, but the principle works something like this. Imagine this connection, where on this side of this, if we consider either this, or maybe this whole thing, a data diode, or perhaps a unidirectional gateway (we don't necessarily have time to discuss the difference), you can only send data in this direction, and that's guaranteed by the physics of its operation. So you basically have a flashlight on this side and a solar cell over here, and this system can blink this flashlight so that this system can read the solar cell, and we can send information in this direction. But there's no way that you can blink the solar cell and read it with this flashlight, so the physics prevents data from coming back in this direction. So that's the basis of your data diode and, if you will give me a little bit of leeway, of your unidirectional gateways.

Now they call data diodes unhackable, and, you know, that's a pretty fair term as far as it goes. If we think about other devices, other computer equipment in the security space, imagine this firewall. If I'm able to put any malware... if I can get malware on a space station, I can get malware on here. What I want is a continuous connection. If I can put malware on this firewall, if I can change its configuration, can I allow data to go in both directions across this firewall? Yes? No? Yeah: if I can change the configuration of this firewall, if I can put malware on it, I can make it send data in both directions. If I can put malware on both of these computers, can I make the solar cell generate light and this flashlight receive it? No. So that's what they mean by unhackable, right? This is enforced by physics, which is also a challenge.

So here are some of the actual pieces used. Again, if you want to talk, we can go into a little more depth, but I started by building a model based on the patent data, because, you know, my company... these things start at 50,000 and easily jump to 150,000, and they won't buy me one just to break. So I modeled it using the same setup from the patent, and the information is like this, although actually I have this data diode going in this direction. So this represents generating the light in the little device, which is an opto-isolator, and this is the part that receives the light. There is no way to generate the light and receive it on this side, right? So this is sort of the computer that supports this half, this is the computer that supports this half, and it only lets data go in the single direction. In my model (I've built off a model, you know, the scale, but I didn't really have time to paint it) this might represent the cooling tower of your important plant or some such, and this might represent the output, right, just a simple representation of how this works, and this light says "hey, it's doing the right thing" or not. This is just the basic demo: this cooling tower is running, and as we measure something that happens inside the plant, it's able to send data through this opto-isolator, this light and detector, that's read outside the plant. That's the way it's supposed to work. We can go outside the plant and we can do things like reset it, but there's no way to send information back in this direction; it doesn't work that way. So that's the same example, but the concept hasn't
changed, but the universe has actually changed in the past few years, in that these processors tend to have more power than they used to, and we've become a little bit smarter about things like software-defined radio. So it turns out that transmitting a radio signal, if I'm going to send data this way, is easy; we know that I can blink an LED and transmit data, people have been doing that forever. But we needed specialized hardware to read it, an SDR dongle or an AM radio. The power of these new processors is such that I can use the built-in analog-to-digital converter (right, software-defined radio is software) and read this transmission over a short distance with just the power built into the chip. No additional hardware, nothing but software. This isn't an implant that I have to put in; this is an attack I could send by software, if I can get malware to the space station, right? You have to give me that I can put malware on both sides of this. What I want to do is make the connection. So in this side of the demo, me flipping switches is when I'm installing the malware on both sides. You'd have to give me that we transmitted malware to both sides of this device, but at this point what I'm able to do is transmit a signal by RF that I can pick up over here, so that, if you'll watch the fan over there, when we push the button the fan stops and the light comes on. Thank you very much.

So that's a representation of a new style of attack in the industry, because the universe has changed, right? And we see that a lot: that our security might be the same this year as it was last year, but the universe changed around it and made it less secure. In particular, we can cut the wires and go through that example to see that it works. It's not a break of any particular product; this is a representation built off of the patent information. But in particular, so they do consider RF when you design these things, things like Tempest, right? You look at this device and you see if it radiates anything outside. There are two issues with that. Issue number one is that that measurement is not made assuming that this thing is operating incorrectly; you measure that with the original firmware. Issue number two is that they built these inside RF-shielded boxes so that you can't get radio signals outside of there anyway. For me that's a benefit; that means it's nice and quiet in there, and it's not hard to pick up that signal out of the noise.

All right, so we are at the end. I just want to say that if there's anything new about this attack, and I think there is a bit, it's using existing hardware to form an SDR function in a way that probably wasn't anticipated by the original designers. I also hope this inspires people to do these attacks on additional hardware and on real hardware. It won't work on some of these: some versions of data diodes use a fiber optic line and are separated by a large distance; some of them are built into the same box, and that's what I'm looking at. So some places it won't work, but some places it will. And to get back to the sort of philosophical view: a lot of the security that we do which was once secure becomes insecure, not as much because what we were doing had changed, but because things changed around it. Things like industrial control systems: they were secure when they were built, and they are the same as they were, but now they're not secure because things changed around them, like the internet was born. So things changed around them that made them less secure. So I also want you to consider that your security practice is a journey, not a destination. It's always something that has to be reconsidered in light of new technologies, but technologies in terms of hardware and availability, you know; software-defined radio is the hotness now, and that's why it's easily accessible for me and for you and for others where it wasn't before.

So with that, I'm Monty Elkins. Feel free to stop me and talk to me along the way. If we have any of the pieces, let's pass them back up, and I hope you have a great conference.

Oh, questions? Do we have question time, or... all right, you know, somebody else runs my time, I'm just here to look pretty. Very, very quickly: "Are you giving something like this talk anywhere else this weekend?" No, I am not. No, you are the only audience there. If you happen to be in California in a few weeks at an ICS-specific conference, I will be doing a longer version of it there. Sorry, you guys are exclusive. It's EnergySec in Anaheim. "Do you know what? You're going there? Are you gonna be there?" Oh, well, you should be at this; we'll do the long version. All right, thank you very much. [Applause]
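The talk makes two points a defender can act on: a pin toggled at a serial rate radiates a narrowband signal that the other side's ADC can recover with software alone, and the RF-shielded enclosure that makes the product pass its Tempest measurement also makes that emission stand out against a quiet background. That quietness cuts both ways: a monitoring ADC inside or at the wall of the enclosure can look for the same narrowband signature, which is a check of the Tempest assumption under firmware the vendor did not ship. The Python below is an added example written for this page; it is not code from the talk, from FoxGuard, or from any data diode product. It assumes a hypothetical monitoring ADC sampling at 250 kS/s, takes the 57,600 toggle rate from the talk (an alternating bit pattern at that rate is a square wave whose fundamental is half the edge rate, 28.8 kHz), and uses a Goertzel single-bin filter to compare power at that fundamental against nearby bins. The noise, the coupled square wave, the block size and the 10x ratio threshold are all constructed assumptions.

```python
import math
import random

# Assumptions (not from the talk): a monitoring ADC at 250 kS/s, and a pin
# toggling at the 57,600 edges/s the talk mentions. Alternating bits at that
# edge rate form a square wave with fundamental = edge rate / 2 = 28.8 kHz.
SAMPLE_RATE_HZ = 250_000
EDGE_RATE_HZ = 57_600
FUNDAMENTAL_HZ = EDGE_RATE_HZ / 2             # 28,800 Hz
BLOCK = 2048                                  # samples per analysis block (~8 ms)
REFERENCE_OFFSETS_HZ = (-8_000, -4_000, 4_000, 8_000)  # nearby bins used as the noise floor
THRESHOLD = 10.0                              # target/reference power ratio that flags a block


def goertzel_power(samples, freq_hz, sample_rate_hz):
    """Power in one DFT bin, computed with the Goertzel recurrence (no FFT needed)."""
    n = len(samples)
    k = round(n * freq_hz / sample_rate_hz)   # nearest bin index
    w = 2.0 * math.pi * k / n
    coeff = 2.0 * math.cos(w)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def make_capture(seconds, square_amplitude, seed=1):
    """Constructed ADC capture: Gaussian noise (sigma 1) plus, optionally, the
    square wave a toggling pin would couple into the receiver. With amplitude
    0.25 the signal is about 14 dB below the noise in the time domain."""
    rng = random.Random(seed)
    n = int(seconds * SAMPLE_RATE_HZ)
    out = []
    for i in range(n):
        t = i / SAMPLE_RATE_HZ
        level = 1.0 if math.sin(2.0 * math.pi * FUNDAMENTAL_HZ * t) >= 0.0 else -1.0
        out.append(square_amplitude * level + rng.gauss(0.0, 1.0))
    return out


def analyze_capture(samples):
    """Flag each block whose power at the fundamental stands THRESHOLD times
    above the mean of the neighbouring reference bins. A capture is reported
    as an emission when at least half of its blocks are flagged, so a single
    noisy block does not raise an alarm on its own."""
    blocks = flagged = 0
    for start in range(0, len(samples) - BLOCK + 1, BLOCK):
        block = samples[start:start + BLOCK]
        target = goertzel_power(block, FUNDAMENTAL_HZ, SAMPLE_RATE_HZ)
        refs = [goertzel_power(block, FUNDAMENTAL_HZ + off, SAMPLE_RATE_HZ)
                for off in REFERENCE_OFFSETS_HZ]
        ratio = target / (sum(refs) / len(refs) + 1e-9)
        blocks += 1
        if ratio > THRESHOLD:
            flagged += 1
    return {
        "blocks": blocks,
        "flagged": flagged,
        "emission_detected": blocks > 0 and flagged >= blocks // 2,
    }


if __name__ == "__main__":
    print("quiet enclosure:", analyze_capture(make_capture(0.2, 0.0)))
    print("pin toggling   :", analyze_capture(make_capture(0.2, 0.25)))
```

The detector compares the target bin against its neighbours rather than against an absolute level because, as the talk notes, the inside of a shielded box is quiet, so an absolute threshold would need per-enclosure calibration while a relative one does not. A real deployment would sweep a set of candidate rates (the serial baud rates the talk lists are a natural starting set) instead of one fixed fundamental, and would run the check with the production firmware as well as under a known-good baseline, since the talk's first objection to the Tempest measurement is precisely that it is only ever made with the original firmware.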