Ethernet, now broadcasting

At the Chaos Communication Congress late last year, researcher and radio amateur Jacek Lipkowski presented the results of his experiments involving exfiltration of data from an isolated network by means of the background electromagnetic radiation generated by network equipment. Lipkowski’s presentation may be the latest, but it’s hardly the only one: New methods of exfiltrating information from computers and networks located beyond an air gap are discovered with disturbing regularity.

Any wire can function as an antenna, and attackers infiltrating an isolated network and executing their code could, in theory, use such an antenna to transmit data to the outside world — they’d just have to modulate the radiation with software.

Lipkowski decided to test the feasibility of using conventional Ethernet networks for that data transmission.

A caveat right off the bat: The researcher mainly used the Raspberry Pi 4 model B in his experiments, but he says he is confident that the results are reproducible with other Ethernet-connected devices — or, at least, embedded ones. He used Morse code to transmit the data. It’s not the most efficient method, but it is easy to implement; any radio amateur can receive the signal with a radio and decipher the message by listening to it, making Morse code a fine option for demonstrating the vulnerability in question, which the author dubbed Etherify.

Experiment 1: Modulating frequency

Modern Ethernet controllers use the standardized media-independent interface (MII). The MII provides for data transmission at various frequencies depending on bandwidth: 2.5 MHz at 10 Mbit/s, 25 MHz at 100 Mbit/s, and 125 MHz at 1 Gbit/s. At the same time, network devices permit bandwidth switching and corresponding changes in frequency.

Data transmission frequencies, which generate different electromagnetic radiation from the wire, are the “gear switches” that can be used for signal modulation. A simple script — using 10 Mbit/s interference as 0 and 100 Mbit/s interference as 1, say — can instruct a network controller to transmit data at one speed or another, thus, essentially, generating the dots and dashes of Morse code, which a radio receiver can easily capture from up to 100 meters away.

Experiment 2: Transferring data

Switching data transfer speed is not the only way to modulate a signal. Another way employs variances in background radiation from running network equipment; for example, malware on an isolated computer might use the standard networking utility for verifying connection integrity (ping -f) to load the channel with data. Transfer interruptions and resumptions will be audible from up to 30 meters away.

Experiment 3: You don’t need the wire

The third experiment was unplanned, but the results were still interesting. During the first test, Lipkowski forgot to connect a cable to the transmitting device, but he was still able to hear the change in the controller’s data transmission rate from about 50 meters away. That means, by and large, the data can be transferred from an isolated machine as long as the machine has a network controller, regardless of whether it is connected to a network. Most modern motherboards do have an Ethernet controller.

Further experiments

The Air-Fi method of data transmission is generally reproducible on office devices (laptops, routers), but with varying effectiveness. For example, the laptop network controllers Lipkowski used to try and reproduce the initial experiment established a connection a few seconds after each change in the data rate, substantially slowing the transmission of data using Morse code (although the researcher did manage to convey a simple message). The maximum distance to the equipment also depends heavily on specific models. Lipkowski continues to experiment in this field.

Practical value

Contrary to popular belief, isolated networks behind air gaps are used not only in top-secret laboratories and critical infrastructure facilities but also in regular businesses, which also often use isolated devices such as hardware security modules (for managing digital keys, encrypting and decrypting digital signatures, and other cryptographic needs) or dedicated isolated workstations (as local certification authorities, or CAs). If your company uses something of that kind, bear in mind the potential for information leaking from the system behind the air gap.

That said, Lipkowski used a fairly inexpensive USB home receiver. Hackers endowed with significant resources can likely afford more sensitive equipment, increasing the receiving range.

As far as practical measures to protect your company from such leaks, we must repeat a few obvious tips:

• Implement zoning and perimeter control. The closer a potential attacker can get to rooms containing isolated networks or devices, the more likely they are to intercept signals.
• Use metal to line any room in which critical equipment is stored, creating a Faraday cage to protect it.
• Shield network cables. Although not a perfect solution in theory, shielding the cables should greatly reduce the zone in which changes in electromagnetic oscillations can be received. Combined with zoning, this can provide sufficient protection.
• Install solutions for monitoring suspicious processes in the isolated systems. After all, attackers need to infect a computer before they can transmit its data outside. With the help of dedicated software, you can ensure critical systems remain free of malware.