SLIDE 1

create your own exercise

AIRHOPPER : BRIDGING THE AIR-GAP

Alexander Güssow and François Blondel

SLIDE 2

Motivation

  • Awareness: Data leaks from isolated systems
    – Using non-conventional methods
    – NSA uses it, other organizations might
    – Risks and possibilities: Learn how to detect and possibly protect

SLIDE 3

Lecture Overview

  • Use radio frequencies and simple hardware
    – EM radio: FM/AM, Light, etc.
    – Sound waves
    – Passive listening
  • Using common software and hardware tools (gnuradio, microphone/speakers)

SLIDE 4

Basics: Electro Magnetic (EM)

  • There is free space path loss („attenuation“)
  • Will go through walls, follow conductors for reasonably „low“ frequencies (up to 300 GHz)
  • Higher frequencies: light
  • Described by Maxwell’s equations
  • No medium needed (vacuum is fine)

SLIDE 5

The electromagnetic spectrum

SLIDE 6

EM: attenuation

SLIDE 7

Basics: Sound

  • Medium required (Air, Water, …)
  • Pressure wave, velocity depends on the medium (Air: about 343 m/s)
  • Different scales: dB(SPL), dB(A)
  • Will decrease with distance

SLIDE 8

Going Ultrasonic

  • Standard equipment will allow ultrasonic transmission and reception (to some degree), at least at moderate frequencies (<22kHz)
  • Reasonably old people will not hear it
  • At 25kHz, no one should be able to hear it (but your dog of course, he'll run away barking)

SLIDE 9

First experiment: Data leak over ultrasound

  • Use of computer speakers and microphones of the lab to build a one-way data connection

  • Use of minimodem
  • No reliability: no retransmit, errors may occur
  • Enough for realtime keylogging
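
For the detection side of this experiment, the following added example (not part of the original slides or lab material) scans a microphone capture for sustained energy in the near-ultrasonic band using the Goertzel algorithm. The 44.1 kHz sample rate, the 18 to 22 kHz watch band, the -40 dBFS threshold and the input signal are all assumptions made for the example; the input is constructed, not recorded.

```python
import math

RATE = 44100                        # assumed capture rate (Nyquist 22.05 kHz)
BLOCK = 4410                        # 100 ms analysis window
PROBES = range(18000, 22001, 250)   # near-ultrasonic band to watch (assumption)
THRESHOLD_DBFS = -40.0              # hypothetical alert level; tune per room

def goertzel_dbfs(block, freq, rate=RATE):
    """Level of one frequency in a block, in dB relative to full scale."""
    coeff = 2 * math.cos(2 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in block:
        s1, s2 = x + coeff * s1 - s2, s1
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2
    amp_sq = power / (len(block) / 2) ** 2      # ~A^2 for a pure tone
    return 10 * math.log10(max(amp_sq, 1e-12))  # floor avoids log(0)

def scan(samples):
    """Return (start_seconds, peak_hz, dbfs) for each block over threshold."""
    hits = []
    for start in range(0, len(samples) - BLOCK + 1, BLOCK):
        block = samples[start:start + BLOCK]
        level, freq = max((goertzel_dbfs(block, f), f) for f in PROBES)
        if level > THRESHOLD_DBFS:
            hits.append((start / RATE, freq, round(level, 1)))
    return hits

def constructed_capture(carrier_hz=None):
    """Constructed sample: 0.2 s of a 440 Hz tone; optional carrier in 2nd half."""
    out = []
    for n in range(2 * BLOCK):
        x = 0.5 * math.sin(2 * math.pi * 440 * n / RATE)
        if carrier_hz and n >= BLOCK:
            x += 0.05 * math.sin(2 * math.pi * carrier_hz * n / RATE)
        out.append(x)
    return out

if __name__ == "__main__":
    print(scan(constructed_capture()))         # audible tone only
    print(scan(constructed_capture(20000)))    # with a 20 kHz carrier
```

A monitor built this way only sees what the capture hardware passes, so it covers the "standard equipment" range from the slides and not a 25 kHz carrier.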

SLIDE 10

GnuRadio

Source: anfractuosity.com

SLIDE 11

Second experiment : Broadcast music using a VGA cable

  • “Tricking” the video adapter into doing AM to broadcast music via VGA
  • Reception using GnuRadio and an SDR stick

  • Special hardware required

SLIDE 12

Practical Part

[Diagram labels: VGA Screen, SDR Stick, Speakers, Microphone; PC 1, PC 2, PC 3, PC 4]

SLIDE 13

What will YOU learn?

The Following Learning Goals are Covered in the | Lecture PreLab Lab
Some physics: different physical channels and their ranges | X X
Learn the actual state of the art: what is already possible | X X
Leaking data in a nonconventional way: audio transmission | X X
Leaking data in a nonconventional way: EM (mis)using VGA | X X
Protection: How to detect and prevent this? | X X X

Source: Y. K. Roland Tai, Video eavesdropping - RF, UCambridge

SLIDE 14

create your own exercise

EVIL TWINS WIFI SSID SPOOFING & MORE

Janosch Maier & Christoph Schmidt

SLIDE 15

Motivation

Attacking a WLAN is really easy!

  • What could happen, e.g. at Starbucks?

SLIDE 16

Lecture Summary

  • WLAN Basics
    – Spoofing SSIDs
    – Creating an Evil Twin

  • Think of Countermeasures

SLIDE 17

Different APs, same SSID?

  • Some WLAN basics (whiteboard)
    – BSS, BSSID, (E)SSID, ESS
  • We will use special wifi drivers
    – Boot a special kernel (see lab instructions)
    – Unlocks channels and signal strength

  • Please adhere to German laws

SLIDE 18

Countermeasures?

Ideas?

SLIDE 19

Evil Twin at work

[Diagram labels: Wifi AP (PC 1), Evil Twin Image; Evil Twin (PC 4), Evil Twin Image; Unsuspicious User (PC 6), Normal Image; Attacker (PC 3), Evil Twin Image]

SLIDE 20

Summary/ Learning Goals

The Following Learning Goals are Covered in the | Lecture PreLab Lab
Get to know SSID spoofing | X X
Understand how evil twins work | X X
Spoof specific SSIDs | X X
Create an evil twin | X X
Reroute web traffic (iptables) | X X
Develop counter measures | X