LANtenna attacks exploit isolated networks over Ethernet
Exploits use Ethernet cables and can exfiltrate data from several feet away
Prajeet Nair (@prajeetspeaks)
October 7, 2021
Researchers from Ben-Gurion University of the Negev, Israel, have discovered a new type of electromagnetic attack, dubbed LANtenna, which exfiltrates sensitive data from an air-gapped computer using Ethernet cables as a transmitting antenna.
Mordechai Guri, head of research and development at the university’s Cybersecurity Research Center, said that “malicious code in air-gapped computers collects sensitive data and encodes it over radio waves emanating from Ethernet cables, using them as antennas. A nearby receiving device can intercept the wireless signals, decode the data and send it to the attacker.”
Air-gapped networks are considered more secure because their infrastructure is physically isolated, separated from the Internet and from other unsecured connections. Large industrial companies, such as power companies and oil and gas companies, as well as government agencies, use these networks.
“This paper shows that attackers can exploit Ethernet cables to exfiltrate data from air-gapped networks,” Guri explains. “Malware installed on a secure workstation, laptop or embedded device can invoke various network activities that generate electromagnetic emissions from Ethernet cables.”
Javvad Malik, security awareness advocate at cybersecurity company KnowBe4, says such attacks are likely to affect critical infrastructure or other areas with sensitive systems.
“Like many other attacks on critical infrastructure or air-gapped systems, such as the Iranian nuclear facility that was targeted by Stuxnet, the biggest challenge is to get the malware onto the air-gapped system in the first place,” Malik told Information Security Media Group.
Guri says LANtenna allows adversaries to leak sensitive data from air-gapped networks from several meters away.
“The Ethernet cable emits electromagnetic waves in the frequency band around 125 MHz. Changing the speed of the adapter or turning it on and off modulates the electromagnetic radiation and its amplitude,” explains Guri.
In that case, the data could be transmitted from an air-gapped computer via its Ethernet cable and received 200 cm away, he said, adding that the signal was centered around 125.010 MHz.
His research also shows how a standard software-defined radio receiver in the area could decode the information and relay it to the attacker over the Internet.
“Our research focuses on covert channels and air-gap security. The interesting point about this research is that the cables that were used to protect the network actually aided this attack. Wired communication has been exploited as an antenna for wireless communication,” Guri told ISMG.
Malik adds that social engineering techniques, stolen credentials, insider threats and supply chain attacks are the most likely avenues for such an attack to succeed.
“Generally speaking, these are also the primary avenues through which the majority of attacks are carried out, so organizations should focus on closing these avenues as best as possible. In doing so, they greatly reduce the chances of a successful attack,” notes Malik.
Zoning, according to Guri, is a mitigation measure in which no wireless receivers are allowed within a specified distance of air-gapped networks. Users can also install software that monitors for and detects suspicious activity, he says, adding that specially shielded cables can also help.
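The article describes the transmitter side as the adapter's link speed being changed or the link being toggled on and off, and later names host-side monitoring software as one mitigation. The following added example (written for this page, not code from the researchers or from ISMG) sketches what such a monitor could look for: it parses Linux kernel link-state messages of the kind the e1000e driver logs ("NIC Link is Up … / NIC Link is Down"), counts link events per interface in a sliding time window, and reports interfaces whose link flaps far more often than a normal workstation's would. The log lines, the 60-second window and the threshold are constructed assumptions for illustration; a deployment would tune them against its own baseline.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# Constructed sample of dmesg-style lines (not real captured data). The first
# eth0 line and the eth1 line are ordinary link-ups; the burst on eth0 from
# t=100 s onward alternates Up/Down every half second, the kind of rapid
# link toggling a host-side monitor would want to flag.
SAMPLE_LOG = """\
[   10.000] e1000e 0000:00:19.0 eth0: NIC Link is Up 1000 Mbps Full Duplex, Flow Control: Rx/Tx
[   50.000] e1000e 0000:00:1a.0 eth1: NIC Link is Up 1000 Mbps Full Duplex, Flow Control: Rx/Tx
[  100.000] e1000e 0000:00:19.0 eth0: NIC Link is Down
[  100.500] e1000e 0000:00:19.0 eth0: NIC Link is Up 100 Mbps Full Duplex, Flow Control: Rx/Tx
[  101.000] e1000e 0000:00:19.0 eth0: NIC Link is Down
[  101.500] e1000e 0000:00:19.0 eth0: NIC Link is Up 1000 Mbps Full Duplex, Flow Control: Rx/Tx
[  102.000] e1000e 0000:00:19.0 eth0: NIC Link is Down
[  102.500] e1000e 0000:00:19.0 eth0: NIC Link is Up 100 Mbps Full Duplex, Flow Control: Rx/Tx
[  103.000] e1000e 0000:00:19.0 eth0: NIC Link is Down
[  103.500] e1000e 0000:00:19.0 eth0: NIC Link is Up 1000 Mbps Full Duplex, Flow Control: Rx/Tx
[  104.000] e1000e 0000:00:19.0 eth0: NIC Link is Down
[  104.500] e1000e 0000:00:19.0 eth0: NIC Link is Up 100 Mbps Full Duplex, Flow Control: Rx/Tx
"""

# Matches "[ts] <driver> <pci-id> <iface>: NIC Link is Up|Down [<speed> Mbps ...]".
LINE_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\]\s+\S+\s+\S+\s+(?P<iface>\w+): NIC Link is "
    r"(?P<state>Up|Down)(?: (?P<speed>\d+) Mbps)?"
)


class LinkEvent(NamedTuple):
    ts: float           # seconds since boot, as printed by the kernel
    iface: str
    state: str          # "Up" or "Down"
    speed_mbps: Optional[int]  # None for a Down event


def parse_events(log_text: str) -> List[LinkEvent]:
    """Extract link-state events from kernel log text; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        speed = int(m.group("speed")) if m.group("speed") else None
        events.append(LinkEvent(float(m.group("ts")), m.group("iface"),
                                m.group("state"), speed))
    return events


def max_events_in_window(events: List[LinkEvent], window_s: float = 60.0) -> Dict[str, int]:
    """For each interface, the largest number of link events inside any window_s span.

    Every logged link event is a change (Up->Down, Down->Up, or a speed change),
    so counting events is counting transitions. A two-pointer sweep over the
    sorted timestamps keeps this linear in the number of events.
    """
    stamps_by_iface: Dict[str, List[float]] = defaultdict(list)
    for ev in events:
        stamps_by_iface[ev.iface].append(ev.ts)
    result = {}
    for iface, stamps in stamps_by_iface.items():
        stamps.sort()
        best, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window_s:
                start += 1
            best = max(best, end - start + 1)
        result[iface] = best
    return result


def flapping_interfaces(events: List[LinkEvent], window_s: float = 60.0,
                        threshold: int = 6) -> Dict[str, int]:
    """Interfaces whose peak link-event rate reaches the (assumed) alert threshold."""
    peaks = max_events_in_window(events, window_s)
    return {iface: n for iface, n in peaks.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for iface, n in flapping_interfaces(evs).items():
        print(f"ALERT {iface}: {n} link-state changes within 60 s")
```

On a real host the input would come from `journalctl -k` or `/var/log/kern.log` rather than an embedded string, and a link flap count on its own is a signal to investigate (a faulty cable or switch port produces the same pattern), not proof of the covert channel described above.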
The researchers recommend shielding Ethernet cables, which counters the threat presented in this research by limiting the signal leakage that LANtenna techniques rely on.
“Different techniques can be used for shielding Ethernet cables. The most common is to place a shield around each twisted pair to reduce overall electromagnetic emission and internal crosstalk between the wires. It is possible to increase the protection by placing a metal shield around all the wires in the cable,” notes Guri.
While there have not been any reported attacks on air-gapped networks recently, Guri told ISMG that malware targeting air-gapped networks has been reported by security companies in the past, including the Ramsay malware in 2020.
In May 2020, security researchers at ESET discovered a cyber espionage toolkit called Ramsay, designed to infiltrate isolated networks in order to steal documents, take screenshots and compromise other devices.
Researchers found that Ramsay potentially posed an unusual threat due to its ability to penetrate and operate within air-gapped networks (see: Cyberespionage malware targets isolated networks: report).