Lesson 6: Blackhat is Mostly Pointless: My Thoughts on Casper Malware

Earlier today, my boss sent me this news article with two questions:

  • How vulnerable are we?
  • What are we going to do about it?

Now, I firmly believe in reading the news for your boss so that when they ask you questions, you have answers, but this time I was caught off guard. The article was brand new, so I hadn’t had time to read it. Needless to say, my boss was in a panic: someone had sent her the link, and she hadn’t dug into it.

Let me summarize the article quickly: researchers at a university in Seoul, South Korea, developed an acoustic covert channel called Casper, which exfiltrates data from an air-gapped computer by driving the machine’s internal speaker and recording the sound on a nearby device.

Now, this sounds terrible; attacks that reach across an air gap always carry some risk for an enterprise. Air-gapped networks provide some of the best defense against remote attackers and commodity malware. They are disconnected from the internet and are often used to protect an organization’s most sensitive data sets, so any threat to them is concerning. But as I’ve said before,

…the things you were concerned about before Blackhat are probably the things you should still be concerned about after Blackhat.

My thoughts on a decade of Cyber Security: 10 Lessons I’ve learned – Gravitywall Blog

So how did I reply to my boss? I told her, “no, and nothing.”

I didn’t say it exactly like that, but I did politely tell her that I didn’t believe this vulnerability was worth our time or resources to investigate and attempt to mitigate, and here’s why.

Many air-gap attacks are primarily proofs of concept, and Casper is no different. It works, but it was demonstrated in a research lab under ideal conditions. So why did I tell my boss we won’t do anything about it?

Because it’s a perfect example of Lesson 6 from my retrospective post a year and a half ago. The things you’re worried about before Blackhat are the things you should be worried about after Blackhat. Now I understand this wasn’t a Blackhat speaker event, but the statement applies all the same.

According to the article, Casper can exfiltrate data at 20 bits per second to a receiver within 1.5 meters. Let’s look at that for a second. A one-page Word document is, in my anecdotal experience, roughly 100 KB. That is 800,000 bits, and at 20 bits per second it takes 40,000 seconds, a little over 11 hours, to exfiltrate a single Word document. And that is the raw bit rate; any framing or error correction the channel needs comes out of it.

Taking this further, an adversary must keep a listening device within about five feet (1.5 meters) of the computer for those 11 hours. The device has to stay powered for the whole run, and the adversary needs a way to retrieve it. So they need a recorder small enough to sneak into a facility that houses an air-gapped network, with enough battery and storage to record continuously for 11 hours straight.

Additionally, the attacker needs a way to get the recording off the device. That means either removing the device or giving it a way to phone home, such as a 5G modem. Facilities that house air-gapped networks sometimes have cellular detection sensors scattered around, so a 5G-connected recorder would likely trip an alert.

That was 11 hours for a 100 KB Word document. I also looked at the personnel roster for my team, and it came in at 3,881 KB. That is about 31 million bits, which at 20 bits per second takes roughly 18 days to exfiltrate.

Two files, nearly three weeks, no breaks, complete silence

The paper does not say whether the attack can be interrupted and resumed, or how much ambient noise was in the test environment. If the battery on the recording device dies, does that kill the attack? Does the whole transmission have to start over? There is also no discussion of noise pollution. Since the attack relies on a smartphone microphone picking up the computer’s internal speaker, it is vulnerable to ambient noise: if the room is loud enough, how much of the signal gets drowned out?

Based on having had to learn Morse code, my guess is that the attack cannot be interrupted. It is nearly impossible to step into the middle of a Morse transmission and know where you are. With plain language you can guess at the word being spelled, but that doesn’t work when you’re transmitting encoded data.
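Whether a receiver can rejoin a stream it missed part of depends on whether the sender frames it, and the Morse analogy is really the unframed case. The Python below is an added illustration, not code from the Casper paper or from this blog: it takes the two figures quoted above (20 bit/s, 1.5 m) to compute exfiltration times, then compares a raw bit stream with a framed one when a stretch of the recording is lost. The frame layout (sync word, sequence number, length, payload, CRC-16) is assumed here for the illustration; the paper’s real modulation and framing are not described on this page. The sample “roster” is constructed.

```python
"""Toy model of a low-bandwidth acoustic covert channel.

Added illustration, not the Casper paper's code. The frame layout below
(sync word, 8-bit sequence number, 8-bit length, payload, CRC-16) is an
assumption made for this example; the paper's actual modulation and
framing are not described on the page.
"""
import binascii

CASPER_BITRATE_BPS = 20        # bit/s, as quoted in the post
CASPER_RANGE_M = 1.5           # metres, as quoted in the post
PREAMBLE = "1111000011110000"  # assumed sync word, not from the paper
CHUNK = 8                      # assumed payload bytes per frame

# Constructed sample "roster"; not a real file.
SAMPLE = b"name,role,clearance\nalice,analyst,secret\nbob,admin,ts\n"


def exfil_seconds(size_bytes: int, bps: int = CASPER_BITRATE_BPS) -> float:
    """Seconds to push size_bytes through the channel at the raw bit rate."""
    return size_bytes * 8 / bps


def to_bits(data: bytes) -> str:
    return "".join(f"{b:08b}" for b in data)


def from_bits(bits: str) -> bytes:
    """Pack whole bytes only; a trailing partial byte is dropped."""
    return bytes(int(bits[k:k + 8], 2) for k in range(0, len(bits) - len(bits) % 8, 8))


def frame(seq: int, payload: bytes) -> str:
    """sync | 8-bit seq | 8-bit len | payload | CRC-16 over seq+len+payload."""
    crc = binascii.crc_hqx(bytes([seq, len(payload)]) + payload, 0xFFFF)
    return PREAMBLE + f"{seq:08b}{len(payload):08b}" + to_bits(payload) + f"{crc:016b}"


def encode(data: bytes) -> str:
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]
    return "".join(frame(n & 0xFF, c) for n, c in enumerate(chunks))


def framed_seconds(data: bytes, bps: int = CASPER_BITRATE_BPS) -> float:
    """Air time including framing overhead, which the raw bit-rate figure hides."""
    return len(encode(data)) / bps


def decode(bits: str) -> dict:
    """Hunt for the sync word and keep every frame whose CRC checks.

    A receiver that joins late, or loses a stretch of the recording, simply
    resynchronises on the next intact frame; damaged frames are dropped.
    """
    frames = {}
    i = 0
    while (i := bits.find(PREAMBLE, i)) != -1:
        hdr = i + len(PREAMBLE)
        if hdr + 16 > len(bits):
            break
        seq, n = int(bits[hdr:hdr + 8], 2), int(bits[hdr + 8:hdr + 16], 2)
        end = hdr + 16 + 8 * n + 16
        if n and end <= len(bits):
            payload = from_bits(bits[hdr + 16:hdr + 16 + 8 * n])
            crc = int(bits[end - 16:end], 2)
            if crc == binascii.crc_hqx(bytes([seq, n]) + payload, 0xFFFF):
                frames[seq] = payload
                i = end
                continue
        i += 1  # false sync or damaged frame: slide one bit and keep hunting
    return frames


def interrupted(bits: str, start: int, length: int) -> str:
    """The recorder stopped for `length` bit-times beginning at `start`."""
    return bits[:start] + bits[start + length:]


def unframed_after_gap(data: bytes, start: int, length: int) -> bytes:
    """Morse-style raw stream: a gap that is not a multiple of 8 bits misaligns
    every byte after it, so nothing past the gap is readable."""
    return from_bits(interrupted(to_bits(data), start, length))


def framed_after_gap(data: bytes, start: int, length: int):
    """Return (recovered {seq: payload}, list of missing seqs) after a gap."""
    got = decode(interrupted(encode(data), start, length))
    total = (len(data) + CHUNK - 1) // CHUNK
    return got, [s for s in range(total) if s not in got]


if __name__ == "__main__":
    print(f"100 KB at {CASPER_BITRATE_BPS} bit/s: {exfil_seconds(100_000) / 3600:.1f} h")
    print(f"3881 KB roster: {exfil_seconds(3_881_000) / 86400:.1f} days")
    print(f"sample: raw {exfil_seconds(len(SAMPLE)):.1f} s, framed {framed_seconds(SAMPLE):.1f} s")
    got, missing = framed_after_gap(SAMPLE, 200, 150)
    print(f"framed, 150-bit gap: lost frames {missing}, kept {sorted(got)}")
    print("unframed, same gap:", unframed_after_gap(SAMPLE, 200, 150))
```

Run it and the raw stream is unreadable after the gap, while the framed stream loses only the frames the gap touched and picks up cleanly from the next sync word. The framing that makes that possible also inflates the air time well past the raw 20 bit/s estimate, so the transfer times computed above from the raw rate are a floor, not an estimate.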

Second, suppose an adversary can get an audio recording device into your environment. In that case, they’re better off using it to listen to conversations than trying to pull out whatever documents the user has open. And the whole scenario assumes the adversary has already got their malware running on the air-gapped machine, which is the hard part. This attack took weeks of uninterrupted, silent recording to get two files.

I’ve talked about it before, and I will repeat it here: The things you were concerned about before Blackhat are probably the things you should be concerned about after Blackhat.

These new, flashy vulnerabilities are exciting and can be neat to read about. Still, they’re rarely something an adversary can feasibly use, and when they are, there are usually easier ways to achieve the same objective.

Is this a vulnerability? Yes, it technically is.

Is it something we need to worry about? Probably not.
