PC system bus transfers music at medium frequencies
A bus between the processor and memory is used as an antenna of a radio transmitter.
In information security there is the concept of an "air gap": a secure computer network is physically isolated from untrusted networks, that is, the Internet and local networks with a lower level of security. Examples are military systems, command centers, control systems for nuclear power plants, medical equipment and so on.
But what if someone has infected a physically isolated computer and then urgently needs to get information out of it? That calls for ingenious, non-standard methods. For example, turn a regular PC into a radio signal generator and pick up the signal with a radio receiver. This is exactly the task performed by the System Bus Radio utility, which was once mentioned on GT. To be honest, it is unlikely that anyone will use it for espionage; it is just a curious program for entertainment. It uses the system bus of a PC or laptop as a radio transmitter to broadcast arbitrary sounds at a set radio frequency.
Since development began, users have compiled extensive statistics on which radio models pick up the signal and at what frequency. In addition, an online modulator has been created where you can compose music without leaving your browser and generate a radio signal at a frequency of 1560 Hz by clicking the Play Tune button.
Online modulator format:
400 2673
400 2349
400 2093
400 2349
400 2673
400 0
400 2673
400 0
790 2673
400 2349
400 2349
400 0
790 2349
400 2673
400 3136
400 0
Here, the first number on each line is the duration of the note in milliseconds, and the second is the frequency of the note in hertz.
In the Chrome browser, errors may occur when opening the file locally (file://), so it is recommended to run a quick web server with a command like php -S localhost:8000.
In the program, the emissions are generated with the _mm_stream_si128 instruction, whose result is written to a specific address in RAM (x++ can be used instead of _mm_stream_si128).
This concept, called GSMem, was presented by specialists from Ben-Gurion University (Israel) at the USENIX Security 15 conference (see pages 849-864 in the conference proceedings or the separate pdf). In their paper, the authors mention other work in the related field, where information from a physically isolated computer is transmitted in non-standard ways:
- on FM radio frequencies by detecting radiation from a monitor cable (AirHopper), frequency 78-108 MHz, distance 7 meters, speed 104-480 bit/s
- via audio speakers (Ultrasonic), 19.7 m, 20 bit/s
- by reading CPU radiation with special sensors (SAVAT), 80 kHz, distance 1 m
- by reading CPU/GPU heat dissipation with heat sensors (BitWhisper), 0.4 m, 8 bit/hour
The paper presents the following algorithm for modulating an audio signal with digital information:
Sending one bit of information uses a variant of B-ASK (binary amplitude-shift keying). To transmit a “0”, we do nothing for T seconds; to transmit a “1”, we raise the signal amplitude for T seconds. So that the receiver can detect a transmission and synchronize, framing is used: every 12 bits of payload are preceded by the fixed sequence 1010.
From an information security point of view, this method is convenient for an attacker because the generator program occupies only 4 kilobytes of memory, does not use any APIs and does not require root rights on the victim's computer. At the same time, it works perfectly well on machines with any processor (Intel, AMD ...) and under any operating system (Windows, Linux, macOS and others).
Here is the algorithm for receiving (decoding) a signal from a physically isolated computer:
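The framing described above (1010 followed by 12 payload bits) and a receiver-side decoder that finds that preamble in an amplitude envelope, as an added example; it is not the paper's algorithm or the project's code. The envelope is constructed test data, and the amplitude levels, noise, zero-padding of the last frame and all function names are assumptions.

```python
import random

PREAMBLE = [1, 0, 1, 0]      # fixed sync sequence from the article
PAYLOAD_BITS = 12            # payload bits per frame, from the article
FRAME_BITS = len(PREAMBLE) + PAYLOAD_BITS

def frame_bits(payload):
    """Prefix every 12 payload bits with 1010; zero-pad the last chunk (padding is an assumption)."""
    out = []
    for i in range(0, len(payload), PAYLOAD_BITS):
        chunk = payload[i:i + PAYLOAD_BITS]
        out += PREAMBLE + chunk + [0] * (PAYLOAD_BITS - len(chunk))
    return out

def make_envelope(bits, spb, idle=20, seed=1):
    """Constructed AM envelope: '1' = raised amplitude for one slot of spb samples, '0' = baseline."""
    rng = random.Random(seed)
    levels = [0.1] * idle + [1.0 if b else 0.1 for b in bits for _ in range(spb)] + [0.1] * idle
    return [v + rng.uniform(-0.02, 0.02) for v in levels]   # small constructed noise

def _slots(env, start, spb, count):
    """Mean amplitude of `count` consecutive slots of `spb` samples starting at `start`."""
    return [sum(env[start + k * spb:start + (k + 1) * spb]) / spb for k in range(count)]

def _contrast(env, start, spb):
    """How strongly the four slots at `start` look like high-low-high-low."""
    a = _slots(env, start, spb, 4)
    return a[0] + a[2] - a[1] - a[3]

def decode(env, spb):
    """Scan for 1010, align on it, derive the on/off threshold from it, read 12 bits per frame."""
    payload, pos, span = [], 0, FRAME_BITS * spb
    while pos + span <= len(env):
        a = _slots(env, pos, spb, 4)
        if min(a[0], a[2]) <= 2 * max(a[1], a[3]):   # no preamble-like on/off pattern here
            pos += 1
            continue
        # Fine alignment: best preamble contrast within one slot of the first hit.
        last = min(pos + spb, len(env) - span + 1)
        pos = max(range(pos, last), key=lambda p: _contrast(env, p, spb))
        threshold = sum(_slots(env, pos, spb, 4)) / 4   # midpoint of observed "1" and "0" levels
        payload += [int(v > threshold) for v in _slots(env, pos + 4 * spb, spb, PAYLOAD_BITS)]
        pos += span
    return payload
```

Because the threshold is taken from the preamble of each frame, the decoder needs no prior knowledge of the received signal strength, only the bit period T (here `spb` samples).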
Theoretically, even a mobile phone can act as a receiver, since many modern phones have antennas for receiving AM radio signals at medium frequencies. Only the firmware of the phone's baseband chip needs to be modified. There is a project, OsmocomBB, in which hundreds of enthusiasts have been working on modifying the firmware of GSM phones for several years. This project was described in detail on Habr (introduction, hardware, software).
As experiments showed, with a good Sony STR-K670P receiver and its stock antenna, the signal is picked up at a distance of up to 2 meters (1 meter through a wall).
Signal generation has already been tested on the following laptops: MacBook Air, HP ENVY 15-j142na, Asus X201E, Mac mini, MacBookPro Retina, Lenovo X1 Carbon, Dell Inspiron 17 7000, Acer Aspire E1-572-6 BR691, and on a desktop computer with an Athlon II X2 240 and a Gigabyte GA-MA785GM-US2H motherboard. The signal was detected in all cases. The Raspberry Pi, however, does not seem to generate waves of sufficient amplitude to be picked up. In general, the amount of interference and the maximum distance to the transmitter seem to depend on the computer model. Some generate a more powerful signal, while others produce a weaker signal or none at all. The quality of reception also depends on many other factors that cannot yet be formalized.
The authors of the paper, using a high-quality antenna and a software-defined radio (SDR), recorded reliable reception from a distance of 30-40 meters.
In their opinion, the maximum distance is even greater. That is, such a system can receive, from the street, a signal emitted by a physically isolated computer inside a building.
Modulating a radio signal with the system bus can be used for more than espionage. For example, one craftsman used it to debug his Apple Newton computer, which would not turn on but could still be loaded with new firmware. The hacker did just that: he uploaded new firmware containing small loops that performed different operations on the bus, each sounding different on AM and each tied to a different boot path. After an hour of listening to the radio, he worked out where the problem was.