I think that you are too harsh. I don't know their other papers but the fact that they demonstrate such a cheap way to break the airgap has real world implications. You don't have to be an international spy agency with custom hardware listening to side channel noise, anybody with a WiFi card and the right know-how can do it. This is significant, killing the WiFi card on your device is not enough to deter exfiltration even by the least sophisticated attackers.
Yes, the attack is unidirectional, but that is not without value. Time and time again, the airgap has been breached from the outside, from Stuxnet to various cryptocurrency heists. Security is about layers and there are many applications where the gap must be breached bidirectionally - this is an example of breaching one of those layers, indeed, the weaker inside-to-outside layer. You might also intentionally run untrusted code on an airgap, that could report back information about the environment or tests you perform on it.
So, yes, predictable and not a danger by itself, but not without value and possibly a key component of an elaborated real world attack.
You're mixing up two scenarios. The "international spy agency" scenario is using custom hardware listening to side channel noise from an untouched computer. That's stuff like decoding screen images from EMI from VGA/HDMI cables, or getting crypto keys from EMI from a CPU running standard code. That's what the whole TEMPEST thing was about decades ago. Those demos are interesting. We also use them in device security research, e.g. power or EMI analysis to extract crypto keys from a secure SoC.
This guy just puts malware on the airgapped computer to force it to broadcast its secrets in the slowest, simplest, easiest to pick up way through some channel. That is not hard.
His entire clickbait operation is basically predicated on the fact that people confuse these two scenarios, while they are two completely different things.
Exactly. It's impressive when the computer is untouched and air gapped. If you can load malware on the PC, you might as well just extract/copy the data while you're in there.
Stuxnet destroyed Iran’s air gapped nuclear reactors. I agree data exfil might look different, but I’m not 100% confident there will never be a scenario where an attack like this is combined with others.
The article was talking specifically about exfil on air gapped systems.
I guess I'm just trying to say that non-intrusive side channels are more impressive to me since you cut out the need for any form of system access to plant the malware.
My point specifically of mentioning Stuxnet is that it’s an impressive stack up of various complex exploits. They released a neutered, self-replicating version of the virus into the wild to mask their intrusion into Iran. The virus in the wild had all the code needed to attack Siemens microcontrollers for the reactor cooling (if I recall correctly) but it was neutered unless running in the Iranian reactor (imagine trying to write such code that would correctly detect the Iranian reactors). They then used social engineering to actually get a contractor on prem to infect the air gapped computers. This created confusion in the Iranian security services long enough that Iran was brought to the negotiating table for the nuclear deal.
My point here is that seemingly innocuous (or previously innocuous) methods can still be utilized. The overall attack is the thing that’s impressive (at least to me). Technical attacks are impressive. So are social ones. Ones that combine the two in novel ways to accomplish audacious goals can only be more so and having a view of “this isn’t a complete attack by itself and is therefore uninteresting” seems myopic to me. I’m more curious about how this could be leveraged to be a piece of an overall attack. For example, with very little time you could “permanently” compromise devices your victim has and spy on them without them knowing about it. Sure you don’t get C&C but if you’re just looking to monitor what’s happening, it may not be so bad.
I definitely agree with OP’s point that if this is a basic technique and just a routine transformation to apply to different sensors, academically this is not interesting and a corruption of the principles of scientific publishing. As a proof of concept though it’s still valuable because you are characterizing the bitrate you’re able to get from different sensor types.
It's a valid concept, but the concept is already existing - infect a machine and have it blink a light or emit RF.
I guess it isn't very interesting, for me, compared to passive side channel attacks (interpreting naturally generated RF).
> “this isn’t a complete attack by itself and is therefore uninteresting” seems myopic to me
I think you are misunderstanding me. I do agree that how attacks are put together and coordinated is interesting. I just don't see much to get excited about for this exploit. So viewing this from a larger perspective... Most of the time if you are attacking air gapped systems for data exfil, the physical site will have security countermeasures, especially for RF. I would be more interested to see an exploit that doesn't use RF (at least not in the known data bands like wifi in this case) to relay data since RF is so scrutinized in the target setting.
So my position isn't that I don't like it because it's not a full attack, it's that I don't like it because the author is basically recycling old ideas and I view this idea, for the intended use (air gapped data exfil), to be lacking when evaluated from a systems thinking perspective. It's like giving someone a knife and telling them to sneak into a secure facility with metal detectors to stab someone. Can it work? Sure, but probably not as well as other options. It isn't very imaginative either.
My point is that it's unimpressive because it won't work very well for the types of targets that they are intending it for (air gapped systems usually have a lot of other countermeasures as part of their system, especially targeting unknown RF sources).
It's definitely interesting if the concept is new to you, but there's quite a lot of work on this done already, decades ago, which should be known to those who care about securing airgapped machines. Here's a good place to start: https://en.m.wikipedia.org/wiki/Tempest_(codename). I did a demo as an undergrad ~10 years ago playing music on the radio via leaked emissions from my netbook. Didn't have to write a line of code because a complete solution had already been freely available for quite some time.
It's not without value, no, but they've definitely found a formula and are just cranking out variations of that formula as papers. I'd say calling it a paper mill isn't too harsh.
> just cranking out variations of that formula as papers.
You'd be surprised how often variations on a formula are all it takes to destroy security. Security is enumeration at the end of the day. If it takes a paper mill to "count all the ways" then I'm grateful.
> killing your WiFi device on your device is not enough to deter exfiltration even by the least sophisticated attackers.
It may deter the least sophisticated attackers, assuming they are reliant on networking and the only way it's connected to the network is via WiFi. If the least sophisticated hackers just go in physically and steal the PC, then you're correct, though.
> possibly a key component of an elaborated real world attack
Yes, in the sense of key as "required", but the key to Stuxnet was being spread by USB stick, iirc, which could be the same here. The infection would need to start via some sort of direct access, unless it got to it earlier when it was connected, if ever.
Note that this use of an integrated circuit to transmit isn't that innovative either. Oliver Mattos and Oskar Weigl wrote something similar in 2012 called PiFm, though that was a different radio band: https://web.archive.org/web/20121215032057/http://www.icrobo...