@@LowLevelTV I could add a noise maker to cancel out any sniffing. It would cost extra electricity, but it would certainly stop "sniffers". Like mixing smells... Good luck distinguishing...
"Hacker holding their phone next to the mainframe while a progress bar fills just in time to escape the faraday cage before security shows up" movie writers were ahead of their time. Pack it up security experts, it's time to admit that Hollywood was right.
There has been the ability to capture data wirelessly for a long time. It is just that the data you get is fairly corrupt, you have to be very close, and it usually requires very sensitive receivers. This, however, requires specialized malware already installed on the device, and then it's so much easier: it just has to find a way to transmit the data, and you can encode data in all kinds of ways. Basically, this is just sending binary signals by ramping RAM activity up and down to create distinguishable spikes of EMF noise, which is entirely different from picking up the data that is currently going through an uninfected device.
This is technically called Van Eck Phreaking. It was first used in the 80s to eavesdrop on the images rendered on CRT monitors by listening to the RF given off by the cathode ray. Legend has it that the BBC used this technique to figure out who was using TVs without a loicense back in the day. Pretty neat!!
I think you are misunderstanding the issue. This demonstrates that RAM writes can be read from a distance. This method is expressly exfiltrating data with actual results, but could be an indicator of the possibility of reading ALL writes to RAM without needing a specialized program on the target system.
Yeah, but if there's an attacker inside, by this method he can tracelessly extract RAM data. I can see how that could be used in some attacks from inside, like when factory employees dug a tunnel under a factory to leak Apple designs and secrets. Edit: near tracelessly, as it requires the system to be infected.
A programmer I worked with in the late '60s wrote some code that would generate noise from the core that could be picked up with a transistor radio set inside the cabinet. With suitable parameters it could generate musical tones and play "Mary Had a Little Lamb" à la "2001: A Space Odyssey". Not very useful as a cyber attack, but very amusing to visitors to the data center.
These attacks are useful to attackers that can get something on to the system, but not off of it. Which is a very specific circumstance, but does happen.
Always love these earlier 20's computer stories; they are always so damn stupid and funny. Heard one once about some dudes designing a "religious antivirus" for clients that thought their PC needed to be exorcised, when in fact it just needed to stop visiting a certain self-pleasuring site. Which ended up with quite literally the whole local church going to their IT service.
That's basically the same as was done later with the PET 2001 and others to have sound. That was writing to a port; specifically 1 bit of a parallel port, or a serial port, which you hooked up to an amp. The system ran at 1 MHz, so plenty of time to flip a bit in the kHz range. It's not much different from that broadcast. That would be a 1 MHz radio signal, modulated with the kHz sound signal. Hang a wire from it and it's a transmitter. You basically know your clock frequency, which is your carrier wave. And you know what each operation does in the processor, w.r.t. bits flipping, and the number of clock cycles it takes, which is your sound signal.
Why? This only works if they previously had access to the air-gapped system to put malware on it. At that point you've already lost. This isn't even a vulnerability; it's just... a science fair project.
My heart skipped a beat when I saw the thumbnail. Thought there was a vulnerability with them specifically. Literally just had Corsair Vengeance RAM delivered today lol.
Actually, since the Corsair has the double protection of both a tin-foil hat (cooling plates) and LED lights that produce a lot of noise in sequence, especially when in some disco mode, I would think this is impossible to filter out.
This is not a joke; you can totally hear what some hardware is doing. For example, I used to hear this specific sound when my mouse was moving or my drive was reading data; on old drives you could totally hear what stage of the boot process devices were at... For example, unlocking the old PATA drives by hot-swapping them I always did by ear. Either way, it doesn't matter if someone says you are crazy; there might just be something...
@@sjoervanderploeg4340 Yes, you're describing the auditory experience of hearing acoustic noise, carried in the form of propagating mechanical wave-fronts, which some hardware does make. The electromagnetic noise referred to in the video is a form of electromagnetic radiation, which is not acoustic and can't be heard by listening for sounds. The word "noise" in this case is not describing acoustic sound.
@@sjoervanderploeg4340 You're absolutely right. While people usually either can't hear that kind of stuff or just don't pay attention to it, it definitely does make a noise. More prevalent on older hardware, though. Even so, you can still hear the hum, whines, and screeches of newer stuff even without the obvious mechanical stuff being a source (disk drives and CRT screens are the usual culprits). What the newer stuff still emits is usually related to the power supply, as the transformer of an SMPS will still screech; sometimes you'll hear the rapid change in power draw of a CPU as it does a task switch (this affects the frequency and amplitude of the power supply hum). Sometimes it's interference from said hardware affecting output devices like beepers, speakers or even the screen. So yeah, you can totally hear electronics if you listen in a quiet place.
I discovered something similar around 2002. When I was learning programming, I found that executing loops in a console application produced some audible noise in the speakers, along with interference with the broadcast radio station. Back then I did not know that I could change the pitch by changing the loop time. A similar effect was also used in the Altair 8800 to produce sound.
It was used in early Commodore machines too (and others). Throw in some NOPs and there you go. Since every electrical current broadcasts EM, you can pick up on the signal. Nothing new.
I used to work in a physics lab. We would get noise from everywhere, to the point that some experiments had to be done during the weekend because they would otherwise pick up signals from neighboring labs. As an example, not having things properly grounded could generate noise, since electricity might start moving between ground states and this can create RF signals. We also twisted the cables together so electricity going in one direction would cancel out the noise from electricity going in the other direction. Point is, you'd be surprised just how easy it is to create electric noise. I wonder if we will start putting computers in Faraday cages or something (for computers doing sensitive stuff, that is).
That's not what twisting does. The other wire is grounded; you're basically inducing eddy currents and creating an inverted signal, and they either cancel out or amplify, which makes the signal stand out against the noise, basically cancelling it. It is not energy going back in the other direction; they are going in the same direction in parallel. Actual robust signaling, like USB, even uses differential signaling, which is actually putting the signal and the inverted signal on a twisted pair. Ethernet CAT cables also use twisting for that, but they don't transmit current, they transmit magnetic fields: a network card is basically a half-transformer on one side of the cable and a half-transformer on the other side of the cable on the other network card. You don't need to put computers in a Faraday cage; the problem is ground loops, you just need to use isolating power transformers. Computers are already Faraday cages, kind of; you just have to ground them. Unless you have a plastic case, but they are usually aluminum.
@@monad_tcp Honestly, I was simplifying for YouTube because I couldn't be bothered writing things out correctly. Point is, noise comes from everywhere if you aren't careful... And if you have a quantum device as part of the experiment that can pick up basically anything because of how sensitive it is, any source of noise can be an issue. IIRC, for some experiments, a normal mobile phone was a problem because it just being turned on could interfere with the experiment. They also aimed to use lasers with a sub-1 Hz bandwidth (might even have been aiming for the sub-mHz range). EDIT: Now that I read your reply more carefully, I realize the explanation I got was also a bit simplified. I'm a (former) physics student and the PhD students were primarily physicists, so I guess our electrical engineering stuff was simplified because we were mostly focused on the optical and quantum side of things.
@@monad_tcp Very interesting. Help me understand further: my research indicates that the Ethernet signal actually is transmitted using current, alternating current to be precise, and that the transformers only use magnetic effects for blocking DC noise. Is that correct?
Every electrical signal transmits EM waves. And the energy flowing in electrical systems isn't actually electrons, but magnetism. Together, by EM, which is also a broadcast; hence, every electrical system broadcasts EM waves. Which is why it's so hard to design chips and circuit boards. We call it 'interference', which is basically the EM waves of all the rest coming into a signal we want pure, but never is. And with decreasing voltages in processors and so on, it increasingly becomes more susceptible to interference. Which is why the space shuttle still used a 5V computer, incl. processor. Which is also more heat emission. Since that's a problem, that's the reason U has been lowered step by step. As for the technique that's presented in the video: it's a load of crap. You can't differentiate between signals in a chaotic system, especially parallel signals. Not even with a 'quantum device'. The 'RAMBO' acronym should have opened people's eyes already. You either have something good and name it, then create an acronym and you're not going to care what that acronym ends up like, because you've made something good. Or you create some catchy acronym, and make a name afterwards to explain your faulty work. This is more or less on par with the 'AI' that everyone talks about. But there is no AI. At best, you could call it pseudo-AI. But of course, if you launch the naming as what you have as a product, and nobody sees through it and goes with it, you've effectively changed the definition of the name. Doesn't, however, mean you've actually created AI. There is way too much of this nonsense going about.
Back in the early days of computers, they had to be FCC certified to not emit a ton of RFI. You had shielded chassis, grounding everywhere. Look inside an IBM PS/2. Now, not so much, partly because the higher operating frequencies attenuate faster, but also they are less likely to interfere with the critical bands like FM radio or TV. This is really interesting stuff.
The thing is "not a ton" is still greater than zero. Even things designed to not emit large amounts of RFI can have transient states where they emit some. For example, motors draw enormous currents during startup.
The Atari 400 still contained a massive solid cast metal shielding against RFI, while modern crap intentionally cooks our nervous system with pulsed microwaves to infest the room with Wi-Fi, Bluetooth or mobile radio.
35 years ago I worked as a field engineer for a company which made a 100 Hz to 1 GHz EMI/TEMPEST receiver that could pick up signals from printers, copiers, even from a CRT phosphor screen (~220 MHz for those keeping score) for surveillance.
You can pick up every electrical 'signal'. And if it's serial, you may even be able to read it. It's going to be a lot more difficult, or impossible, if it's a parallel signal. And completely impossible in real life, as it's riddled with signals. It will work in a lab setting, where you can shield off many signals, but not in real life, unless it's a very odd frequency, or you are very near to it, or have a pickup that can be directed with great accuracy.
@@GM-zt6ti I see, we can now extract all of the secrets through that small LED in the computer 😂😂😂 Edit: I was just making a joke, but I have seen some attacks that legit do that.
This takes me back to the late 70's. We were using General Automation computers with core memory, and someone wrote a program that generated EMF signals that could be picked up by a nearby radio (I don't remember for sure if it was AM or FM radio, I believe AM). We were not using it to send signals, but crude music.
You kind of glossed over it... but the computer has to be infected by their malware first before it starts transmitting data from RAM noise. So... you'd have to have a man on the inside to load your malware onto the air-gapped system... and if you have someone on the inside already anyway...
Except places like SCIFs are locked down to make data exfiltration as hard as possible. No USB drives, DVD drives that are read-only, software to monitor and alert if anything unauthorized is connected, and other things. Data exfiltration is still a part of the pipeline, and that's what this guy's team specializes in.
Came here to comment this. He proved that it can be done, but with artificial data. In the real world, with random data flowing in and out of RAM, I doubt it.
Digital products are often factory-prebugged to permit national intelligence agencies to read the stored data. Web-search Congaflock (a type of cheap hidden antenna that can be e.g. scanned with radar to extract secret information). Already in the Hard Drivin' arcade machine a microcontroller for the driving physics algorithm contains a mode that Morses the manufacturer copyright message over the air as AM radio to make it possible to identify piracy of the internal software.
I know guys with security clearances that work in air-gapped labs. No internet, no USB, no Bluetooth, and Faraday-caged to a point. If you can get the payload onto the hard drive somehow, you still have to get sensitive data out. If all it takes is an inconspicuous radio receiver, then you just have to compromise some OSS (polyfill, anyone?) or other software package used and leak out the data.
Basic electronics. A higher current means a higher magnetic field, which could be detected. They are finding ways to raise currents in different hardware devices, then use that to send data.
I mean, a lot of people have considered the possibility. Any wire is also an antenna, including the traces in your motherboard, so many people have considered it.
RAMBO is just one of my favourite childhood movies! I even got one of these Rambo knives with sewing thread in the handle and a compass on the handle.
@@jackhand4073 This actually worked better if you could hit a target in the room with the people, like a piece of paper or something lightweight, but yes you could also just use the reflection off a window pane, although it sounded very dull and susceptible to a lot of environmental noise pickup.
@@drozcompany4132 That use of (counter-)TEMPEST was real, but what he was talking about was researched too; it was a sort of "image reconstruction" from reflected light. Don't think it got to "crystal clear" images though, more like "blurry blobs". But if you're trying to get intel on a place you have no hope of having LoS into, a blurry blob beats nothing at all ;) And who knows, maybe NOW we have enough processing power that we could make it actually work...
This was understood back in the 90's. When my father was designing buildings for a major defense contractor they had to place the computers and shielded cables a certain distance from the secure perimeter to prevent infiltration and extraction attempts. After the buildings were completed, it was his job to see if he could get in and extract data.
I like this guy; he thinks outside the box. If I'm not mistaken, he found a way to hack computers by the sound of the electrolytic capacitors on motherboards. Absolute insanity.
It's not thinking outside of the box. He's rehashing the same idea; did you see his published papers? It's the same concept but attacking different components of the PC. I also don't believe it's revolutionary to listen to EM waves... when was the first crystal radio invented? The 19th century?
@@natealbatros3848 Contextually, it isn't THAT out of the box. I'll still give him massive props for the work, but all of this still roots back to TEMPEST. TEMPEST isn't exactly a novel idea; it's just niche.
In theory you can do various kinds of exfiltration if you can modulate the info and receive it. Like, you can Morse the admin password with the Num Lock key or the HDD activity LED if you have a clear line of sight to the machine (I've seen BIOS-level malware doing this kind of attack), you can periodically pin the CPU to 100% and create noise in the VRMs (like the capacitor/coil you mentioned), or even periodically manipulate the fan speed; it's even audible through a phone call combined with social engineering... Back in the day there was a virus that could play a melody through the floppy drive's servos. It wasn't that useful for this purpose per se, but if you have initial physical access, you can do all kinds of creative hacks.
This is an impressive feat, but none of it surprises me, as in, that this was possible... I remember thinking this was possible about a decade or more ago; surely anyone that has any kind of interest in physics or electronics would have figured there would be a correlation between your computer's processes and the electrical noise it generates. The hard part is the deciphering, which this researcher has pulled off. Kudos, you madlad.
Like Van Eck phreaking in the 80s and system bus radio. Can also be used to aid debugging by looking for signals on the control and data bus. Back in the 80s me and my teen nerd buddies used it to listen in real time to a sorting algorithm doing its work on a Z80-based machine, which was mesmerizing. You could clearly distinguish the phases of the algorithm and know when data was moved, but not what the exact data was. Not surprised it is possible to detect the actual data.
Years ago, during a discussion about AI threats, I threw out what was supposed to be a completely insane idea that an AI might figure out how to jump an airgapped network by writing to RAM in a way that allows it to take control of a nearby computer to escape. I can't believe that was actually feasible
The mobile radio network this way may systematically scan all digital things through AI to spy on e.g. offline computers. That's one reason why Huawei got banned in the USA.
Not impossible, but still very unlikely. To pick up the weak radio signals the researchers used specialized hardware, and even with this hardware the maximum data transfer rate was 1000 bit/s. In order to escape an air-gapped system the AI must first devise a way to generate radio signals so strong that they are able to "flip" bits in a nearby computer, then it needs the time to transfer all its neural network to the other PC.
@@lucarossi8442 The attacker does not need to write data (which would need a severely strong radar beam and would be hard without crashing the computer) but only sit and listen to pick up communication. Extracting data using TEMPEST is mainly a big-data problem, and what else if not a mobile radio network has the size and time to produce enough example data to train an AI for this.
That, and the United States government was leaked to be using Stingrays to remotely install malware on cellular devices that connected to them through zero-day exploits involving the Google Play Store, etcetera. The only way to know if your phone even connects to a Stingray is to run specialized software that only ran on specific chipsets found in some smartphones, and all that software does is inform the user that they have connected to a different cell tower, which is only useful if you're stationary. If you're traveling, you're going to be making connections with all sorts of cell towers.
I'm not surprised by that kind of attack. Me and probably many others noticed the effect on 80s 8-bit systems. What changed is that those systems were generally not networked, and there were easier avenues such as RF from monitors and TV modulators. Similarly, signals from a C64 floppy drive could be heard on an AM radio. Ages ago TEMPEST was the catchword, and RAMBO is just one aspect of it. What is next-level, however, is to turn this into a practicable transmission mechanism.
These are more proof of concept than actually useful. Several solutions come to mind; short of updating an anti-virus definition list (nullifying his malware), anything which can deaden or silence electrical noise on a computer case solves literally every one of his discoveries. GPU fans, for example, can be water cooled or just passively cooled while your computer case is acoustically silent with anything to mute noise (both electrical and acoustic)
@@Zidbits Do you realise that it's not just RAM that you can use to hammer codes out of your PC? By sending a bit-banging binary through a USB cable (outside of your computer), you could turn any USB cable into an antenna. Same goes for video signals. Same goes even for Ethernet. If nothing else, altering your PC's power consumption by using intermittent CPU/GPU loads can turn the variable AC humming due to power fluctuations into decodable data at quite a distance. There are so many side-channel attacks you can't even start to list them all.
This is the reason all federal buildings are wrapped in Faraday mesh. You can buy it in big rolls. But it's expensive, and you have to buy different mesh weave thickness for different spectrum shielding. So you have to wrap the building multiple times, and it doesn't protect if a reader gets inside the building.
Yes, that was my very first thought. Tempest attacks have been around for decades (en.wikipedia.org/wiki/Tempest_(codename)), but I guess that every so often these lessons have to be learned all over again. There are plenty of people who have secrets MUCH more important than "Some clever advance in my new computer game" who work with rules like "Your computer is absolutely forbidden to be switched on within X metres (a long way) of the perimeter fence"
The formal academic term for this is a “side-channel attack”. You’re using a byproduct of electronics (EMI, noise, thermals, etc) to record information from a system. There is an entire field of ransomware detection that utilizes side-channel analysis to detect the presence of ransomware in a system. Applications of machine learning and signal processing are massive in this field!
RAM encryption wouldn't do anything here. The attacker isn't sensing any data that's in the RAM. They're sensing the RAM activity, and a piece of malware on that system is increasing or decreasing the activity on a pattern based on the data they wanna send out.
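The point above (the receiver sees activity levels, never memory contents) can be simulated without any hardware. This is an added example, not code from the video or from the RAMBO research: a constructed memory-activity counter sampled at a fixed interval stands in for the emission, and a small monitor-side heuristic flags the tell-tale of deliberate signalling, namely that activity switches only at multiples of one symbol period. All names, levels and sample traces are assumptions made for the illustration.

```python
import random

# Constructed stand-in for a memory-bandwidth counter sampled at a fixed
# interval (say one sample per millisecond). Values are normalised to 0..1.


def covert_trace(bits, symbol_len, rng, low=0.2, high=0.8, sigma=0.06):
    """Simulate the modulation the comment describes: hold RAM activity high
    for a '1' and low for a '0', one symbol period each. The trace depends only
    on the chosen bit pattern, never on what the memory contains, which is why
    encrypting RAM contents leaves this channel untouched."""
    samples = []
    for b in bits:
        level = high if b else low
        samples.extend(level + rng.gauss(0, sigma) for _ in range(symbol_len))
    return samples


def benign_trace(n, rng, sigma=0.06):
    """Organic workload: activity levels of random height, held for random,
    irregular durations (constructed, not measured)."""
    samples = []
    while len(samples) < n:
        level = rng.uniform(0.1, 0.9)
        samples.extend(level + rng.gauss(0, sigma) for _ in range(rng.randint(1, 12)))
    return samples[:n]


def quantize(samples):
    """1 for high activity, 0 for low. The split sits midway between the 10th
    and 90th percentiles so an unbalanced bit mix cannot drag the threshold
    into the middle of one cluster (a plain median would)."""
    s = sorted(samples)
    mid = (s[len(s) // 10] + s[9 * len(s) // 10]) / 2
    return [1 if x > mid else 0 for x in samples]


def transitions(q):
    """Sample indices at which the quantized activity level flips."""
    return [t for t in range(1, len(q)) if q[t] != q[t - 1]]


def symbol_clock_score(samples, min_period=16, max_period=128, min_transitions=8):
    """Covert on/off keying flips the level only at multiples of a symbol
    period; organic load flips at arbitrary times. For every candidate period,
    take the fraction of flips that land within one sample of a single common
    phase. Returns (best_period, best_score); 1.0 means perfectly clocked
    switching, while random switching scores roughly 3/period."""
    ts = transitions(quantize(samples))
    if len(ts) < min_transitions:
        return None, 0.0
    best_period, best_score = None, 0.0
    for p in range(min_period, max_period + 1):
        hist = [0] * p
        for t in ts:
            hist[t % p] += 1
        for phase in range(p):
            n = hist[phase] + hist[(phase - 1) % p] + hist[(phase + 1) % p]
            score = n / len(ts)
            if score > best_score:
                best_period, best_score = p, score
    return best_period, best_score


def is_suspicious(samples, threshold=0.7):
    """Monitor-side decision: flag a trace whose flips are phase-locked."""
    return symbol_clock_score(samples)[1] >= threshold


# Constructed sample data with a fixed seed so the run is reproducible.
_rng = random.Random(7)
PAYLOAD_BITS = [_rng.randint(0, 1) for _ in range(64)]  # arbitrary bits
SYMBOL_LEN = 20                                          # assumed symbol period
COVERT = covert_trace(PAYLOAD_BITS, SYMBOL_LEN, _rng)
BENIGN = benign_trace(len(COVERT), _rng)

if __name__ == "__main__":
    for name, trace in (("covert", COVERT), ("benign", BENIGN)):
        print(name, symbol_clock_score(trace), is_suspicious(trace))
```

On a real host the same heuristic would run over a sampled memory-bandwidth or page-fault counter, with smoothing added to tolerate jitter the synthetic step trace does not have.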
Of course, just soundproofing isn't enough, as your power supply also leaks stuff to the grid, so if you're on the same power circuit you can still exfil.
I remember an old 233 MHz PC I had on an old solid wooden desk. When I loaded a particular game, the desk resonated with the drive in a way that just made a nice soothing rhythm, unique to any other software I ever used.
That researcher is absolutely genius. I mean, sure, this is done on consumer hardware and with a previously infected computer, but the techniques used/invented and the sheer ideas that this could be done are totally mindblowing. On a side note, is there a reason you don't use an adblocker? In all your vids I've seen, there are those BS ads popping up on your screen. C'mon, use a blocker of your choice already! :D
@@kaischreurs2488 Nope, it's the mobile radio network itself that may systematically scan all digital things through AI to spy on e.g. offline computers. That's one reason why Huawei got banned in the USA.
RF noise produced by a computer can be quite high. For example, I remember in the old times I could literally HEAR mouse cursor movement. I.e. when line-in or mic feedback was turned on, the background noise was not so random: if something happened on the screen, including such tiny things as mouse cursor movement, that noise reflected it.
My AsRock Fatality mainboard trumpets out every mouse motion or other USB activity through its sound output jack (despite my shielding my PC big tower almost TEMPEST-grade). That's quite annoying, to have that buzzing through all the music on my audiophile tube amplifier.
@@cyberyogicowindler2448 An external USB sound card helps to mitigate that: it would be out of the case, and have additional VRMs. But I wonder how much valuable info could be extracted via this side channel, since, for example for content creators, this noise gets recorded for a long time and could be extracted and analyzed later just by downloading their YT videos...
@@Felinaro Besides limited audio bandwidth, YouTube audio is data-reduced (like MP3), which ruins its phase information and so is not that useful anyway. More risky was when people played the dial-up noise of their analogue modem (those were designed to be audio-transmittable), which may have revealed their internet password when someone decoded the sound signal. Of course, recorded touch tones of telephone keys can also be decoded to identify phone numbers (remember the door keypad thing in the WarGames movie).
Fun fact: I hear my external mouse movement in the internal speaker of my 2019 MacBook Pro when I have a USB-C dock connected with an external monitor. Oddly specific, but I think the strange grounding path both through the HDMI cable and through the charger is what causes some internal noise in the computer, as if I disconnect either of them, it disappears. So, it happens to this day.
Oh boy another leakage-based attack! The one based on the power LED was amazing, this one seems like another natural application of that general concept. I used to imagine that stuff like this would be possible as a kid, because why the hell wouldn't it be?
Something similar was presented in the NSA brochure about 10-20 years ago: security key extraction using computer power usage fluctuations, security key extraction using CPU heat fluctuations...
This is an interesting thought experiment but in highly sensitive applications, it would be quite easy to implement shielding and defeat this. But I'd imagine the only people with this threat profile would be governments
How could somebody inject that malware into a PC that is not connected to the internet and have no physical access? If the attacker gets access to the PC to be able to inject malware, he can steal the desired information. The range of RAM noise is only a few meters, so the information wouldn't penetrate through the wall anyway.
That reminds me of an article back in the day about how someone figured out how to capture the RF signal of CRT monitors and surreptitiously view them. Thankfully this was at the same time CRTs were being phased out, so I expect it never really became a thing.
@@truckerallikatuk Good point. I'm surprised about the RAM thing because I didn't know the RAM chips were capable of emitting intelligible radio signals at even "across the room" distances.
TEMPEST (Telecommunications Electronics Materials Protected from Emanating Spurious Transmissions) is a U.S. National Security Agency specification and a NATO certification.
Electricians have been using EM circuit testers for decades to find live wires in walls. Things like this are why it's good to look at the world to find alternative methods of hacking. Everything is a side channel.
Mankind will eventually need hobbyist case-modding contests for TEMPEST hardening. A decade ago there were crypto parties (teaching data protection, not shitcoin scam currencies); now it's time to teach hardware stealthing. In the early 1980s the Atari 400 still contained a massive solid cast metal shielding against RFI, while modern crap intentionally cooks our nervous system with pulsed microwaves to infest the room with Wi-Fi, Bluetooth or mobile radio. Not least, it's mobile radio networks that may systematically scan all digital things through AI to spy on e.g. offline computers (one reason why Huawei got banned in the USA).
This is so absurdly niche and impractical. You're able to get the malware on the computer somehow, which implies you have had access to it, but you can't just download things to a USB; yet you can place another device within 5 feet of the original device to listen for RAM noise with a highly suspicious radio listening device attached to it, and you're able to retrieve the information from the suspicious device either wirelessly or through physical proximity. I can imagine Ocean's 11 style scenarios where this is actually useful, if the noise can get through a wall and maybe you're able to talk someone into plugging a USB they got from a stranger into their computer to infect it. What would be infinitely more useful is if you did not need to infect the computer at all and you could detect the RAM noise without intentional manipulation of reading/writing, but I guess that would require a radio receiver the size of a minivan, and even then it wouldn't work because there would be too much background noise. All of that being said, if you could find a way, it would instantly compromise the security of every computer in a way that cannot be stopped.
Mordecai Guri is based out of Israel and produces these PoCs with a team of engineers from many disciplines at his college. These were always meant to be integrated into an APT workflow, if you didn't know already. Israel is the tip of the spear when it comes to niche cybersecurity tactics.
I once wrote a program that loaded the cpu in a specific way, modulating its power consumption. Another program could measure the local cpu throughput which modulates when hitting power limitations. I could transfer data between separate VMs running on the same threadripper system in the low 100 bytes/s range using common modulation techniques found in radio communications. If I knew that such things would be relevant... 😀.
Until you replicate it for us I call BS on this. There is no way he is discerning signal from noise or injecting it over any distance. GPU fan, that is just silly. Like the free energy videos often originating from that same region of the planet.
This is really an update to an old hack. They've been able to steal airgapped data with acoustics and RF for decades, doing it with ram now isn't that much of an innovation.
Interesting, but I'm not sure how impressed I am with his mission. It's just signal transmission with all kinds of different properties of a modern (physical) computer. This can be anything, and if you have had access to the air-gapped computer, it's more about (party trick) creativity than technical stuff.
I've been talking about this since the 90s since I got my degree in computer science. Your house's entire electrical system can also be turned into an antenna and everything with a current flowing through it outputs an EM signature. The feds have been doing this for decades. My friend built an antenna to snoop and made a mistake that ended up emitting an EM pulse that got him a visit from the feds. Your brain has an EM signature as well, which is how they are mapping dreams and literal imagination. People have no idea how their technology works, much less what it's capable of. A SIM card is a separate computer in your cellphone that has root access to everything as well.
So... 1: You cannot access the system from any network. 2: You don't have physical access, hence why you would need this hack in the first place. 3: But somehow you need to get some malware on it for this hack to work? I do not feel utterly nervous. It is pretty cool though, I will give him that.
The issues with air-gapped networks are two-fold: getting in and getting out. There are other viable methods of getting in already out there, but without a way to exfiltrate data back out of those systems, the best you can do is cause damage (think randomly crashing the centrifuges Iran used to refine nuclear fuel). The type of vulnerability this individual specializes in is that exfiltration piece. So with these you can get in, grab a bunch of data that looks interesting, and get that data back out of the system without a traditional exfiltration strategy, which usually involves gaining physical access through a separate operation from the one that was used to infect the system to begin with.
@@jenaf4208 Stuxnet attacked the PLC by physically inserting a malicious slave node for a motor drive into the system. Motor drives do fail and need attending to by the maintenance crew, who need to have physical spares to swap out. Furthermore, a PLC system for a large plant is spread out over a building; there are plenty of opportunities for a bad actor to do something naughty. It's very different to a PC that's actually air-gapped and contained within an office cubicle. Until recently, PLC systems didn't have any security on their networks; they're all open, which means they can be sniffed with Wireshark and played with really easily. And a lot of modern PLC systems remain open by default; it's at the programmer's discretion whether the system gets locked down. In modern systems, programmers can lock out new physical items if they don't have the correct serial numbers.
This is how you do it: You are CCP, you find out about the Australia government secret project to research and develop working warp drives. Unfortunately all the data you want to steal about how to make one is on an air gapped system, in an impenetrable fortress of security. Fortunately you find out that the Aus Gov always buys their motherboards from a supplier in Taiwan that you have infiltrated with CCP agents. You have your agents modify the next motherboard design so that it will include malware on the MB Bios that allows it to not only keylog but also write directly to RAM to get it to sing to the universe. They buy these and you now have malware on their machines collecting the secrets for you and start broadcasting on the RAM. You get your CCP agent to start working at a pizza place down the street from the Warp Drive Research Office, eventually someone orders a pizza and she delivers it with a radio detector hidden in her pizza bag, she gets up close to the gate to drop off the pizza and starts detecting the RAM broadcasting the secrets. She flirts with the gate guard long enough to download the secret design PDFs. She then sends the CCP the data and they beat the Australians to developing the first warp drive as a result and China dominates the interstellar industry.
@@trapfethen Digital products are often factory prebugged to permit national intelligence agencies to read the stored data. Websearch Congaflock (a type of cheap hidden antenna that can be e.g. scanned with radar to extract secret information).
One countermeasure you didn't mention: RAM encryption. It's also possible to passively receive whatever data happens to be going to/from RAM (I know because I did it in 2017), but that requires a lot more computation to actually extract the data from the radio signals, especially when there are multiple channels.
There’s another attack using a similar method called a tempest attack which uses EMFs emitted from non-shielded HDMI cables to capture what’s being displayed on a monitor.
This is how governments have been recording data using your phones as listening devices for computers that are not even external network facing devices.
Mobile radio networks this way may systematically scan all digital things through AI to spy on e.g. offline computers. That's one reason why Huawei got banned in the USA.
I noticed, that over the years, computer cases (chassis) have become more hole-y than ever. Once upon a time, cases were pretty effective faraday cages. Once upon a time, cables were shielded. Amazing!
FYI, "Mordechai" is pronounced with a 'k', not a "ch". It's a Hebrew name. It seems they were only able to read the data because on the target machine they were writing it in a specific way. I don't see how this could be used to read data from any computer you don't have control over.
@@xerr0n the novelty is being able to use it as a data exfiltration system. in a setting that a hacker can get access to a closed system, normally they can't get information out of the system. this would give someone the ability to get information and then convert it to a "screaming bits" formatting for an external monitor to pick up, therefore breaking the closed system.
@@davidfrischknecht8261 I had the same thought at first, but requiring them to get their code onto the computer isn’t actually unfair when you consider that supply chain attacks from software the user willingly includes are a common method of attack even when not air gapped. In the normal case the hidden malicious code calls back out to a command and control server and gives the attacker remote access of some kind. In the air gapped case it can start writing to ram in this pattern. To summarize, this isn’t meant as a way of peering into what a computer is doing in general, it’s a communication method for malicious code that has already gotten there somehow and finds itself in an air gapped environment
@@xerr0n This way mobile radio networks may systematically scan all digital things through AI to spy on e.g. offline computers. That's one reason why Huawei got banned in the USA.
I'd hardly say it's novel - it's been known for a long while. Back in the 80s, I used to use my Sinclair ZX Spectrum as a crude radio transmitter (it was so RF leaky it wiped out the entire AM band). It was quite easy to modulate the interference it gave out, you could even play really bad music on a nearby radio. Modern computers are better shielded, but you'll always get some RF leakage. Anything you can modulate whether it be the noise of a GPU fan, or RFI from the memory bus etc. can be used to transmit data (perhaps very slowly in some cases). Back in the 80s the military were very worried about this stuff, the whole TEMPEST standard was created to attempt to stop secret data getting expropriated by RFI, either accidentally or deliberately.
Obviously. This guy has been doing this type of research for years. Doing it with RAM is what's novel. Every time someone says, "Oh but we can deal with that one," he comes out with another one. RF, Fan noise, LED blinking. The impressive thing isn't just thinking about it, but actually doing it. Which he did!
When I move my mouse at just the right angle, I can hear the electronics inside make noise. It's an extremely high pitch that hurts my ears. Electronic hum is a real thing and varies in pitch and volume, so I'm not surprised someone can read RAM based on the audible sounds that a computer makes as it stores and retrieves memory. What you don't realize is that the reverse can be true as well. You can use a speaker, for instance, to produce electricity. It's far less efficient at doing so than a microphone, but it works. I suspect all air-gapped systems are technically susceptible to the reverse of these attacks: Actively injecting data into a target system through the air.
The thing is the hardware would not be listening for data. If you're saying to manipulate electrical signals with RF I think it might be better to use electromagnetic signals if anyone wants to try to make an actual research on this.
My ASRock Fatal1ty mainboard trumpets out every mouse motion or other USB activity through its sound output jack (even though I shielded my PC big tower almost TEMPEST-grade). That's quite annoying to have that buzzing through all music on my audiophile tube amplifier.
I developed this technique with ChatGPT in the past couple of weeks: Multi-layer Faraday cage, grounded to capacitor, to ground. Outside of the Faraday cage, employ a Tesla coil using a white noise algorithm emulating what would be intelligible data. If they are able to discern anything through the high voltage RFI of the Tesla coil, it's going to be the decoy data being used to power the Tesla coil, while your real data is secure from sniffing. You're welcome.
Just wanted say I am noting your new persona and style. Seems to be some of the influence of The Primeagen. I like how you are branching out and trying new things. I look forward to the synthesis of LowLevelEdPrime :P
This is kinda like someone had an unlimited budget and resources, ignored ethics and genetically engineered a horse with wings and a horn on its head and called it a unicorn. Is it possible? Yea maybe... Is it going to happen and be useful? Fuck no.
can you hear the courses at lowlevel.academy :O ? (they're on sale?! :O)
hello
Can you make a video about the FreeBSD CVE-2024-43102?
Ever heard of TEMPEST?!
@@LowLevelTV i could add a noise maker to cancel out any sniffing.
It would cost extra electricity but it would certainly stop "sniffers". Like mixing smells... Good luck distinguishing...
This isn't new. You can do the same thing with CPUs and this was reported around 8 years ago.
"Hacker holding their phone next to the mainframe while a progress bar fills just in time to escape the faraday cage before security shows up" movie writers were ahead of their time. Pack it up security experts, it's time to admit that Hollywood was right.
Sigh. We're sorry Hollywood. You guys were actually on to something...
i kneel.......
Which I hate, but is true.
There has been the ability to capture data wirelessly for a long time. It is just that the data you get is fairly corrupt, you have to be very close, and it usually requires very sensitive receivers.
This however, requires specialized malware already installed on the device and then it's so much easier. It just has to find a way to transmit the data. And you can encode data in all kinds of ways. Basically, this is just sending binary signals by ramping up and down the RAM to create distinguishable spikes of emf noise. Which is entirely different than picking up the data that is currently going through an uninfected device.
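Added worked example (editor's addition, not code from the video, from the researchers, or from any commenter): the bit-level layer that both the "ramp the RAM up and down to make spikes" channel described in the comment just above and the CPU-load channel between VMs described earlier in the thread need before the physics is of any use. The emission itself is simulated: a "busy" chip is a 1, an "idle" chip a 0, and the receiver trace is constructed amplitude samples with Gaussian noise and an unknown lead-in. Everything else is this example's own choice rather than anything the page documents: the 1111 0000 sync word, Manchester chips, a one-byte length field, CRC-8, 8 samples per chip, a 0.5 threshold, and clock recovery by picking the sample offset with the widest "eye".

```python
"""Bit-level framing for a 'modulate the hardware' covert channel (memory-bus bursts,
CPU load, fan speed ...). The emission is simulated; the sync word, Manchester chips,
CRC and clock recovery are the parts a real receiver needs in order to survive noise."""
import random
import time

SYNC_CHIPS = [1, 1, 1, 1, 0, 0, 0, 0]  # four equal chips in a row never occur in valid Manchester data


def crc8(data: bytes, poly: int = 0x07) -> int:
    """CRC-8/SMBUS (poly 0x07, init 0): lets the receiver drop corrupted frames."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def bits_of(data: bytes):
    """MSB-first bit iterator over a byte string."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def manchester_encode(payload: bytes) -> list[int]:
    """Frame = sync + length byte + payload + CRC, coded 1 -> (busy, idle), 0 -> (idle, busy).
    Every bit carries a transition, so the receiver can recover the chip clock and a
    long run of zero bits never looks like an idle machine."""
    if len(payload) > 255:
        raise ValueError("payload too long for a one-byte length field")
    frame = bytes([len(payload)]) + payload + bytes([crc8(payload)])
    chips = list(SYNC_CHIPS)
    for bit in bits_of(frame):
        chips += [1, 0] if bit else [0, 1]
    return chips


def transmit(chips, chip_seconds=0.01, busy=lambda: None):
    """Transmitter skeleton: keep the hardware busy for one chip time, or sleep for one.
    busy() is whatever loads the channel (for the RAM variant, copying a large buffer);
    the default no-op just spins the CPU, which is itself a weak power-side signal."""
    for chip in chips:
        end = time.monotonic() + chip_seconds
        if chip:
            while time.monotonic() < end:
                busy()
        else:
            time.sleep(chip_seconds)


def simulate_emission(chips, samples_per_chip=8, noise=0.25, lead_in=13, seed=1):
    """Constructed receiver trace (an assumption, not measured data): amplitude ~1 while
    busy, ~0 while idle, Gaussian noise, plus an unknown lead-in so the receiver has
    to find the chip boundaries on its own."""
    rng = random.Random(seed)
    trace = [rng.gauss(0, noise) for _ in range(lead_in)]
    for chip in chips:
        trace += [chip + rng.gauss(0, noise) for _ in range(samples_per_chip)]
    trace += [rng.gauss(0, noise) for _ in range(lead_in)]
    return trace


def _windows(trace, offset, spc):
    """Mean amplitude of each spc-sample window, starting at `offset`."""
    return [sum(trace[i:i + spc]) / spc for i in range(offset, len(trace) - spc + 1, spc)]


def _decode_frame(chips):
    """Parse one frame after the sync word; None if sync, coding or CRC fails."""
    n = len(SYNC_CHIPS)
    start = next((i + n for i in range(len(chips) - n + 1) if chips[i:i + n] == SYNC_CHIPS), None)
    if start is None:
        return None
    bits = []
    for i in range(start, len(chips) - 1, 2):
        pair = chips[i:i + 2]
        if pair == [1, 0]:
            bits.append(1)
        elif pair == [0, 1]:
            bits.append(0)
        else:
            break  # idle tail or a chip error: stop decoding here
    if len(bits) < 16:  # need at least the length byte and the CRC byte
        return None
    octets = bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits) - 7, 8))
    length = octets[0]
    if len(octets) < length + 2:
        return None
    payload, crc = octets[1:1 + length], octets[1 + length]
    return payload if crc8(payload) == crc else None


def demodulate(trace, samples_per_chip=8, threshold=0.5):
    """Clock recovery: choose the sample offset whose window means sit farthest from the
    threshold (the widest 'eye'), slice the trace into chips there, and parse a frame."""
    best = max(range(samples_per_chip),
               key=lambda off: min(abs(m - threshold) for m in _windows(trace, off, samples_per_chip)))
    chips = [int(m > threshold) for m in _windows(trace, best, samples_per_chip)]
    return _decode_frame(chips)


if __name__ == "__main__":
    trace = simulate_emission(manchester_encode(b"hunter2"))
    print(demodulate(trace))
```

Run it and the receiver recovers b'hunter2' from the noisy trace without being told where the frame starts; flip a single chip and the frame is rejected instead of silently mis-decoded. The point is that the raw physics only yields a noisy on/off signal; what makes it a usable channel is the framing on top (a sync word that valid data cannot produce, a self-clocking code so a run of zeros never looks like silence, an integrity check so a corrupted frame is dropped rather than believed). That same periodic busy/idle structure is also what a host-side detector watching memory-bandwidth or power counters would key on, which is the flip side of the argument about noise and filtering elsewhere in this thread.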
life imitates art
This is technically called Van Eck Phreaking. It was first used in the 80s to eavesdrop on the images rendered on CRT monitors by listening to the RF given off by the cathode ray. Legend has it that the BBC used this technique to figure out who was using TVs without a loicense back in the day. Pretty neat!!
Came here to say this, it's an old method, new tricks.
There is a reason classified spaces are Faraday cages...
@@alexandermarvin9536 they were already Faraday cages to stop potential RF broadcasting since the existence of the transistor.
So in england in the eighties you had to have a license to operate a television? I know I'm missing something here lol
@HashCracker you're not gonna believe this...
I mean if you're compromised at that level you have bigger problems than ram noise 😅
I think you are misunderstanding the issue. This demonstrates that RAM writes can be read from a distance. This method is expressly exfiltrating data with actual results, but could be an indicator of the possibility of reading ALL writes to RAM without needing a specialized program on the target system.
@@privacyvalued4134 but it's useless without the locally installed exploit
it's kind of a proof of concept. not necessarily useful at this point.
@@privacyvalued4134 no
Yeah, but if there's attacker inside by this method he can tracelessly extract ram data
I can see how that could be used in some attacks from inside like when factory employees dug a tunnel under factory to leak apple designs and secrets
Edit: near tracelessly as it requires system to be infected
A programmer I worked with in the late '60s wrote some code that would generate noise from the core that could be picked up with a transistor radio set inside the cabinet. With suitable parameters it could generate musical tones and play "Mary Had a Little Lamb" ala "2001 A Space Odyssey". Not very useful as a cyber attack but very amusing to visitors to the data center.
These attacks are useful to attackers that can get something on to the system, but not off of it. Which is a very specific circumstance, but does happen.
Always love these earlier 20's computer stories, they are always so damn stupid and funny.
Heard one once about some dudes designing a "religious anti-virus" for clients that thought their PC needed to be exorcised, when in fact it just needed to stop visiting certain self-pleasuring sites. Which ended up with quite literally the whole local church going to their IT service.
I believe HAL 9000 was singing "Daisy, Daisy..."
@@spatiallydelusion Now that you remind me, I remember. I haven't seen the movie since I saw it fifty odd years ago.
That's basically the same as was done later with the PET 2001 and others to have sound.
That was writing to a port; specifically 1 bit of a parallel port, or a serial port, which you hooked up to an amp. The system ran at 1 MHz, so plenty of time to flip a bit in the kHz range.
It's not much different from that broadcast. That would be a 1 MHz radio signal, modulated with the kHz sound signal. Hang a wire from it and it's a transmitter.
You basically know your clock frequency, which is your carrier wave. And you know what each operation does in the processor, wrt bits flipping, and the number of clock cycles it takes, which is your sound signal.
Oh Come on!!!! FUCK IT! THROWING ALL TECH IN THE TRASH AND TURNING AMISH!
...who did you piss off THAT bad?
You don't have to go THAT extreme...
Just throw out all your tech.
Why? This only works if they previously had access to the air-gapped system to put malware on it. And at that point you've already lost. This isn't even a vulnerability, it's just... a science fair project.
Just put your PC into Faraday cage if you are worried
Next year: Learning your password from the clip-clop of your horses' hooves.
Jokes on him, I'm wrapping my whole damn PC in aluminum foil. Who needs airflow when it's a security risk?
To nit pick, use copper foil. Works better at higher frequencies.
Wrap yourself too, they might try the same trick on YOU!
@@BumfluffAddlepate the ones that are allowed to read my mind will die of cringe
You really need half inch thick lead plating. Works much better.
Underwater my friend, Underwater
we got ram sniffing before gta 6
Get your nose out of my RAM! 😉
@@killer_game_real6805 😂😂😂
What I liked about debates was that trump didn't sniff anyone
😂
@@araz911 Why would he? That's what our current president is known for.
My heart skipped a beat when I saw the thumbnail. Thought there was a vulnerability with them specifically. Literally just had Corsair vengeance ram delivered today lol.
@@durvius2657 also have them, now I have to put black tape over the LEDs too so it doesn't communicate via strobing lights😂🙈
Actually, since the Corsair has double protection of both a tin-foil hat (cooling plates) and LED lights that produce a lot of noise in sequence, especially when in some disco mode, I would think this is impossible to filter out.
They made fun of me hearing data barely two decades ago
i know this is probably a joke, but i'm pretty sure this still doesn't make any audible sound, only electromagnetic "noise"
What’s that skip? Bzzzzbzzbzzzz
He’s down the well?!
This is not a joke, you can totally hear what some hardware is doing.
For example I used to hear this specific sound when my mouse was moving or my drive was reading data, on old drives you could totally hear what stage of the boot process devices were at...
For example unlocking the old PATA drives by hot swapping them I always did by ear.
Either way it doesn't matter if someone says you are crazy, there might just be something...
@@sjoervanderploeg4340 Yes, you're describing auditory experience of hearing acoustic noise, carried in the form of propagating mechanical wave-fronts, which some hardware does make. The electromagnetic noise referred to in the video is a form of electromagnetic radiation, which is not acoustic and can't be heard by listening for sounds. The word "noise" in this case is not describing acoustic sound.
@@sjoervanderploeg4340 you're absolutely right. While people usually either can't hear that kind of stuff or just don't pay attention to it, it definitely does make a noise. More prevalent on older hardware though. Even so you can still hear the hum, whines, and screeches of newer stuff even without the obvious mechanical stuff being a source (disk drives and CRT screens are the usual culprits). What the newer stuff still emits is usually related to the power supply, as the transformer for an SMPS will still screech; sometimes you'll hear the rapid change in power draw of a CPU as it does a task switch (this affects the frequency and amplitude of the power supply hum). Sometimes it's interference from said hardware affecting output devices like beepers, speakers or even the screen. So yeah, you can totally hear electronics if you listen in a quiet place.
McNally: 'But your computer can always be opened with... Another computer!'
*Throws a Mac at another Mac, opening both*
uh ohhh, macghettiooo
Please don't try that with any CRT Mac. ;__;
Zoolander moment
@@Xe4ro "This is an iMac G3. It can be opened with another iMac G3... or by dropping it from a sufficient height."
@@Xe4ro please do
I discovered something similar around 2002. When I was learning programming I found that executing loops in a console application produced some audible noise in the speakers, along with producing interference to the broadcast radio station. Back then I did not know that I could change the pitch by changing the loop time. A similar effect was also used in the Altair 8800 to produce sound.
Was used in commodore early machines too (and other). Throw in some NOPs and there you go.
Since every electrical current broadcasts EM, you can pick up on the signal
Nothing new.
I used to work in a physics lab. We would get noise from everywhere, to the point that some experiments had to be done during the weekend because they would otherwise pick up signals from neighboring labs. As an example, not having things properly grounded could generate noise since electricity might start moving between ground states and this can create RF signals. We also twisted the cables together so electricity going in one direction would cancel out the noise from electricity going in the other direction.
Point is, you'd be surprised just how easy it is to create electric noise. I wonder if we will start putting computers in Faraday cages or something (for computers doing sensitive stuff, that is).
That's not what twisting does; the other wire is grounded, you're basically inducing eddy currents and creating an inverted signal, they either cancel out or amplify, which makes the signal stand out against the noise, basically cancelling it. It is not energy going back in the other direction, they are going in the same direction in parallel.
Actual robust signaling, like USB, even uses differential signaling, which is actually putting the signal and the inverted signal in a twisted pair.
Ethernet CAT cables also use twisting for that, but they don't transmit current, they transmit magnetic fields; a network card is basically a half-transformer on one side of the cable and a half-transformer on the other side of the cable on the other network card.
You don't need to put computers in a Faraday cage, the problem is ground loops, you just need to use isolating power transformers.
Computers are already Faraday cages, kind of, you just have to ground them. Unless you have a plastic case, but they are usually aluminum.
@@monad_tcp Honestly, I was simplifying for YouTube because I couldn't be bothered writing things out correctly. Point is, noise comes from everywhere if you aren't careful... And if you have a quantum device as part of the experiment that can pick up basically anything because of how sensitive it is, any source of noise can be an issue. Iirc, for some experiments, a normal mobile phone was a problem because it just being turned on could interfere with the experiment. They also aimed to use lasers with a sub 1 Hz bandwidth (might even have been aiming for the sub mHz range).
EDIT:
Now that I read your reply more carefully, I realize the explanation I got was also a bit simplified. I'm a (former) physics student and the PhD students were primarily physicists, so I guess our electrical engineering stuff was simplified because we were mostly focused on the optical and quantum side of things.
Computers doing important stuff to be put in faraday cages? That's already the case and has been. It's called a hardware security module lol
@@monad_tcp very interesting. Help me understand further: my research indicates that the ethernet signal actually is transmitted using current, alternating current to be precise, and that the transformers only use magnet effects for blocking DC noise. Is that correct?
Every electrical signal transmits EM waves
And the energy flowing in electrical systems isn't actually electrons, but magnetism. Together, by EM, which is also a broadcast.
hence, every electrical system, broadcasts em waves.
Which is why its so hard to design chips and circuit boards. We call it 'interference', which is basically the em waves of all the rest, coming into a signal we want pure, but never is.
And with decreasing voltages in processors and so on, it increasingly becomes more susceptible to interference. Which is why the space shuttle still used a 5V computer, incl. processor.
Which is also more heat emission. Since thats a problem, the reason U has been lowered step by step.
As for the technique that's presented in the video; it's a load of crap. You can't differentiate between signals in a chaotic system, especially parallel signals. Not even with a 'quantum device'.
The 'RAMBO' acronym should have opened people's eyes already.
You either have something good and name it, then create an acronym and you're not going to care what that acronym ends up like, because you've made something good.
Or you create some catchy acronym, and make a name afterwards to explain your faulty work.
This is more or less on par with the 'AI' that everyone talks about. But there is no AI. At best, you could call it pseudo-AI. But of course if you launch the naming as what you have as a product, and nobody sees through it and goes with it, you've effectively changed the definition of the name.
Doesn't however mean you've actually created AI.
There is way too much of this nonsense going about.
Thank you for this video. Saw a post on this earlier today, and I'm legitimately am amazed at the ways an attacker can get through if they want to.
Finally the debate is settled: Windows is more secure than Linux thanks to its superior RAM jamming features.
Back in the early days of computers, they had to be FCC certified to not emit a ton of RFI. You had shielded chassis, grounding everywhere. Look inside an IBM PS/2. Now, not so much, partly because the higher operating frequencies attenuate faster, but also they are less likely to interfere with the critical bands like FM radio or TV. This is really interesting stuff.
The thing is "not a ton" is still greater than zero. Even things designed to not emit large amounts of RFI can have transient states where they emit some. For example, motors draw enormous currents during startup.
The Atari 400 still contained a massive solid cast metal shielding against RFI, while modern crap intentionally cooks our nervous system with pulsed microwaves to infest the room with wifi, bluetooth or mobile radio.
35 years ago I worked as a field engineer for a company which made a 100 Hz-1 GHz EMI/TEMPEST receiver that could pick up signals from printers, copiers, even from a CRT phosphor screen (~220 MHz for those keeping score) for surveillance.
You can pick up every electrical 'signal'.
And if it's serial, you may even be able to read it.
It's going to be a lot more difficult, or impossible if it's a parallel signal.
And completely impossible in real life, as its riddled with signals.
Will work in a lab setting, where you can shield off many signals, but not in real life, unless its a very odd frequency, or you are very near to it, or have a pickup that can be directed with great accuracy.
Gonna need vacuum gaps now, nay Faraday Cage gaps
Hackers will then figure out how to decode the gravity waves generated by your finger movenents while typing, just for the lulz.
@@_Safety_Third_ interdimensional space gaps, ez
Electromagnetic waves pass through vacuum just fine
@@GM-zt6ti I see, we now can extract all of the secrets through that small LED in the computer 😂😂😂
Edit: I was just making a joke, but I have seen some attacks that legit do that
FYI. Lasers can be used to listen and light can pass through vacuum gaps.
This takes me back to the late 70's. We were using General Automation computers with core memory, and someone wrote a program that generated EMF signals that could be picked up by a nearby radio (I don't remember for sure if it was AM or FM radio, I believe AM). We were not using it to send signals, but crude music.
WoOah Black Betty! - 7:45
@@GrahenKraken goated comment 😆
rambalamb!
You kind of glossed over it.. but the computer has to be infected by their malware first before it starts transmitting data from RAM noise.
So.. you'd have to have a man on the inside to load your malware to the air gaped system.. and if you have someone on the inside already anyways...
Stuxnet didn't need someone on the inside to eventually get into an air-gapped system.
Except places like SCIFS are locked down to make data exfiltration as hard as possible. No USB drives, DVD drives that are read only, software to monitor and alert if anything unauthorized is connected, and other things.
Data exfiltration is still a part of the pipeline, and that's what this guy's team specializes in.
Came here to comment this. He proved that it can be done, but with artificial data. In the real world with random data flowing in and out of RAM I doubt it.
Digital products are often factory prebugged to permit national intelligence agencies to read the stored data. Websearch Congaflock (a type of cheap hidden antenna that can be e.g. scanned with radar to extract secret information). Already in the Hard Drivin' arcade machine, a microcontroller for the driving physics algorithm contains a mode that Morses the manufacturer's copyright message over the air as AM radio to make it possible to identify piracy of the internal software.
I know guys with security clearances that work in air gapped labs. No internet, no USB, no Bluetooth and faraday caged to a point. If you can get the payload into the hard drive somehow, you still have to get sensitive data out. If all it takes is an inconspicuous radio receiver, then you just have to compromise some OSS (polyfill, anyone?) or other software package used and leak out the data.
How do you even figure out you can do this? 😭
fr
Someone went "dude wouldn't it be wild if..." and then it worked
basic electronics. A higher current means a higher magnetic field. Which could be detected. They are finding ways to raise currents in different hardware devices then use it to send data.
@@jeremymcadams7743 I'd like to think their brainstorming sessions are just like getting baked and figuring out the craziest hypotheticals.
I mean a lot of people have considered the possibility. any wire is also an antenna, including the traces in your motherboard, so many people have considered it.
RAMBO is just one of my favourite childhood movies!
I even got one of these rambo knives with sewing thread - in the handle - and a compass on the handle.
I recall, many years ago, hearing about collecting data from a monitor by collecting the light bouncing off the walls, all line of sight though.
or covertly listening to conversations by reading the vibrations in the glass of the rooms window.
@@jackhand4073 I played that Splinter Cell game.
Reading monitors was TEMPEST and it was a real thing. You could see the other screen remotely, based on demodulating the CRTs scanning beam signal.
@@jackhand4073 This actually worked better if you could hit a target in the room with the people, like a piece of paper or something lightweight, but yes you could also just use the reflection off a window pane, although it sounded very dull and susceptible to a lot of environmental noise pickup.
@@drozcompany4132 That use of (counter) TEMPEST was real, but what he was talking was researched too, it was a sort of "image reconstruction" from reflected light. Don't think it got to "crystal clear" images though, more like "blurry blobs". But if you're trying to get intel on a place you have no hope of having LoS into, blurry blob beats nothing at all ;) And who knows, maybe NOW we have enough processing power that we could make it actually work...
This was understood back in the 90's. When my father was designing buildings for a major defense contractor they had to place the computers and shielded cables a certain distance from the secure perimeter to prevent infiltration and extraction attempts. After the buildings were completed, it was his job to see if he could get in and extract data.
I like this guy, he thinks outside the box. If I'm not mistaken he found a way to hack computers by the sound of the electrolytic capacitors on motherboards, absolute insanity.
It's not thinking outside of the box. He's rehashing the same idea; did you see his published papers? It's the same concept but attacking different components of the PC.
I also don't believe it's revolutionary to listen to EM waves... when was the first crystal radio invented? The 19th century?
@@natealbatros3848 contextually, it isn't THAT out of the box. i'll still give him massive props for the work, but all of this still roots back to TEMPEST. TEMPEST isn't exactly a novel idea, it's just niche.
Brilliant!
In theory you can do various kinds of exfiltration if you can modulate the info and receive it. Like you can Morse the admin password with the Num Lock key or HDD activity LED if you have a clear line of sight to the machine (I've seen BIOS-level malware doing this kind of attack), you can periodically pin the CPU to 100% and create noise in the VRMs (like the capacitor/coil you mentioned) or even periodically manipulate the fan speed; it's even audible through a phone call combined with social engineering... Back in the day there was a virus that could play a melody through the floppy drive's servos. It wasn't that useful for this purpose per se, but if you have initial physical access, you can do all kinds of creative hacks.
My old card actually emitted music from some components😂
This is an impressive feat but none of it surprises me, as in, that this was possible ...i remember thinking this was possible about a decade or more ago, surely anyone that has any kind of interest in physics or electronics would have figured there would be a correlation between your computers processes and the electrical noise it generates, the hard part is the deciphering, which this researcher has pulled off, kudos you madlad
The next fan ad should be "So quiet that it can't be picked up".
I personally like how your diagram shows a line between two monitors which do not have ram @0:18
imagine what kind of IC's must be used to decode the video signal. ;)
@@codefeenix Probably sends someone to the ICU just thinking about it
Reminds me of the Tempest attack decades ago, where they monitored the radiation from your CRTs.
Also keystrokes on wired keyboards. IBM had a whole line of Tempest-proof PCs.
yeah great comparison.
Like Van Eck phreaking in the 80s and system bus radio. Can also be used to aid debugging by looking for signals on the control and data bus. Back in the 80s me and my teen nerd buddies used it to listen in real time to a sorting algorithm doing its work on a Z80-based machine, which was mesmerizing. You could clearly distinguish the phases of the algorithm and know when data was moved, but not what the exact data was. Not surprised it is possible to detect the actual data.
Years ago, during a discussion about AI threats, I threw out what was supposed to be a completely insane idea that an AI might figure out how to jump an airgapped network by writing to RAM in a way that allows it to take control of a nearby computer to escape. I can't believe that was actually feasible
The mobile radio network this way may systematically scan all digital things through AI to spy on e.g. offline computers. That's one reason why Huawei got banned in the USA.
Not impossible but still very unlikely. To pick up the weak radio signals the researchers used specialized hardware, and even with this hardware the maximum data transfer rate was 1000 bit/s. In order to escape an air-gapped system the AI must first devise a way to generate radio signals so strong that they are able to "flip" bits in a nearby computer, then it needs the time to transfer all its neural network to the other PC.
@@lucarossi8442 The attacker does not need to write data (which would need a severely strong radar beam and would be hard without crashing the computer) but only sit and listen to pick up communication. Extracting data using TEMPEST is mainly a big data problem, and what else if not a mobile radio network has the size and time to produce enough example data to train an AI for this.
That, and the United States government was leaked to be using stingrays to remotely install malware on cellular devices that connected to it through zero-day exploits involving the Google Play Store, etcetera. The only way to know if your phone even connects to a stingray is to run specialized software that only ran on specific chipsets found in some smartphones, and all that software does is inform the user that they have connected to a different cell tower, which is only useful if you're stationary. If you're traveling, you're going to be making connections with all sorts of cell towers.
It isn't possible.
And there is no AI.
Maybe there will be tomorrow, or in 500 years, but it won't be something we 'created'.
I'm not surprised by that kind of attack. Me and probably many others noticed the effect on 80s 8-bit systems. What changed is that those systems were generally not networked and there were easier avenues such as RF from monitors and TV modulators. Similarly signals from a C64 floppy drive could be heard on an AM radio. Ages ago TEMPEST was the catchword and RAMBO is just one aspect of it.
What is next level, however, is to turn this into a practicable transmission mechanism.
Cryptography nerds: My algorithm is perfect!
Side channel attack enjoyers: But your hardware isn’t.
These are more proof of concept than actually useful. Several solutions come to mind; short of updating an anti-virus definition list (nullifying his malware), anything which can deaden or silence electrical noise on a computer case solves literally every one of his discoveries. GPU fans, for example, can be water cooled or just passively cooled, while your computer case is acoustically silent with anything to mute noise (both electrical and acoustic).
@@Zidbits
Do you realise that it’s not just RAM that you can use to hammer codes out of your PC?
By sending through a USB cable (outside of your computer) a bitbanging binary, you could turn any USB cable into an antenna.
Same goes for video signals.
Same goes even for ethernet.
If nothing else, altering your PC’s power consumption by using intermittent CPU/GPU loads can turn the variable AC humming due to power fluctuations into decodable data at quite a distance.
There are so many side channel attacks you can’t even start to list them all.
This is the reason all federal buildings are wrapped in Faraday mesh. You can buy it in big rolls. But it's expensive, and you have to buy different mesh weave thickness for different spectrum shielding. So you have to wrap the building multiple times, and it doesn't protect if a reader gets inside the building.
So when you have built your shielded case…. don’t let the bad guys have access to your power lines as they will get the noise (data) from there 😅
Considering your RAM is in a big Faraday cage, that is impressive!
So security agencies are responsible for the push for glass side panels, got it. :D
The Atari 400 still contained a massive solid cast metal shielding against RFI, while modern crap intentionally cooks our nervous system with pulsed microwaves to infest the room with wifi, bluetooth or mobile radio.
This was the topic of some of my research at my university! We were doing research on power side channel analysis attacks via em recording
Van Eck Phreaking was first found in the 80’s with old CRTs.
Gosh, those days are golden, TEMPEST! It seems people have forgotten all about that
Most People still don't realize their own cell phones are reading and planting thoughts in their owners brain using basically the same technology.
Likely someone has already said this, but isn't this just another version of Tempest? In other words, this type of thing is old.
Yes, that was my very first thought. Tempest attacks have been around for decades (en.wikipedia.org/wiki/Tempest_(codename)), but I guess that every so often these lessons have to be learned all over again. There are plenty of people who have secrets MUCH more important than "Some clever advance in my new computer game" who work with rules like "Your computer is absolutely forbidden to be switched on within X metres (a long way) of the perimeter fence"
@@RichardSimpson-u4c did this wiki used to have info ? I see these links but they often also don’t yield results
The formal academic term for this is a “side-channel attack”. You’re using a byproduct of electronics (EMI, noise, thermals, etc) to record information from a system. There is an entire field of ransomware detection that utilizes side-channel analysis to detect the presence of ransomware in a system. Applications of machine learning and signal processing are massive in this field!
AMD must be loving this given that they have RAM encryption on their EPYC chips. It's a great demonstration of their chips' security.
RAM encryption wouldn't do anything here. The attacker isn't sensing any data that's in the RAM. They're sensing the RAM activity, and a piece of malware on that system is increasing or decreasing the activity on a pattern based on the data they wanna send out.
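The keyed-activity channel described in the comment above is also what a defender can look for: the transmitter has to make memory-bus activity toggle on a fixed clock. Added example (not code from the video or the RAMBO paper): a run-length heuristic that flags an activity trace whose bursts are all small multiples of one base period. It assumes a memory-bus activity counter sampled at a fixed rate; the two traces, the levels and the jitter function are constructed, not measured.

```python
"""Heuristic detector for on/off keying in memory-bus activity samples.

Added example, not code from the video or the RAMBO paper. It assumes the
defender can sample memory-bus activity (e.g. a bandwidth counter) at a
fixed rate; all numbers below are constructed, not measured.
"""


def threshold_of(samples):
    """Midpoint between the 10th and 90th percentile: robust to a few
    outliers and, for a two-level keyed trace, lands between the levels."""
    s = sorted(samples)
    k = len(s) // 10
    return (s[k] + s[-1 - k]) / 2.0


def run_lengths(samples, threshold):
    """Binarise at `threshold` and return lengths of consecutive equal
    levels, e.g. [H, H, L, L, L, H] -> [2, 3, 1]."""
    runs = []
    current = samples[0] >= threshold
    length = 0
    for value in samples:
        level = value >= threshold
        if level == current:
            length += 1
        else:
            runs.append(length)
            current, length = level, 1
    runs.append(length)
    return runs


def keying_score(samples, min_unit=4, max_multiple=4):
    """Return (score, unit). `unit` is the shortest run of at least
    `min_unit` samples; `score` is the fraction of all runs whose length is
    within one sample of unit, 2*unit, ... max_multiple*unit.

    A keyed trace (plain on/off keying or Manchester with a fixed bit
    period) only contains runs that are small multiples of one base length,
    so its score approaches 1.0. A bursty but unkeyed workload has runs of
    unrelated lengths and scores low. Bit periods shorter than `min_unit`
    samples cannot be resolved at this sampling rate and return 0.0.
    """
    runs = run_lengths(samples, threshold_of(samples))
    candidates = [r for r in runs if r >= min_unit]
    if len(runs) < 8 or not candidates:
        return 0.0, None
    unit = min(candidates)
    targets = [k * unit for k in range(1, max_multiple + 1)]
    hits = sum(1 for r in runs if any(abs(r - t) <= 1 for t in targets))
    return hits / len(runs), unit


def is_keyed(samples, min_score=0.8):
    """True when the trace looks clocked rather than bursty."""
    score, _ = keying_score(samples)
    return score >= min_score


# --- constructed test vectors -------------------------------------------

def _jitter(i):
    """Small deterministic measurement noise (-5..5), constructed."""
    return (i * 37) % 11 - 5


def manchester_trace(bits, half_period=4, high=800, low=200):
    """Constructed activity trace of a Manchester-keyed transmitter:
    bit 1 = high then low, bit 0 = low then high, each half lasting
    `half_period` samples. Used only as a test vector for the detector."""
    levels = []
    for b in bits:
        levels += [high, low] if b == "1" else [low, high]
    samples = []
    for lvl in levels:
        samples += [lvl] * half_period
    return [v + _jitter(i) for i, v in enumerate(samples)]


def bursty_trace(run_lens, high=800, low=200):
    """Constructed unkeyed workload: alternating high/low bursts whose
    lengths are irregular (listed explicitly so the result is reproducible)."""
    samples = []
    for n, length in enumerate(run_lens):
        samples += [high if n % 2 == 0 else low] * length
    return [v + _jitter(i) for i, v in enumerate(samples)]


KEYED = manchester_trace("10110010")
BENIGN = bursty_trace([1, 3, 2, 6, 1, 1, 2, 5, 3, 1, 2, 7, 1, 2, 3, 1, 9, 2, 1, 3])

if __name__ == "__main__":
    for name, trace in (("keyed", KEYED), ("benign", BENIGN)):
        score, unit = keying_score(trace)
        print(f"{name}: score={score:.2f} unit={unit} keyed={is_keyed(trace)}")
```

The keyed trace only ever produces runs of 4 or 8 samples (score 1.0), while the bursty trace scores well under the 0.8 cut-off; on real counters the thresholds would need tuning against the machine's normal workload.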
This has been known since the beginning. One of the first home-built computer demos was to play music through an AM radio placed near the computer.
of course just soundproofing isn't enough, as your power supply also leaks stuff to the grid, so if you're on the same power circuit you can still exfil
My thoughts exactly. It would be a fun thing to try. Especially if you can sync a whole room of PCs to increase the signal going to the grid.
Thinking outside of the box!
Cool!
Mordechai Guri is an absolute cyber fiend
The guy's a friggin' Bond villain...
I remember an old 233 MHz PC I had on an old solid wooden desk. When I loaded a particular game, the desk resonated with the drive, which just made a nice soothing rhythm, unique to any other software I ever used.
So this is why Linus Torvalds always goes for as quiet a system as possible.
He is always 2 steps ahead
This would make it worse, you want a noisy system that covers up the RAM's noise with excessive random noise in the same frequency as the RAM.
@@futuza but the GPU fan can also be used to get data
@@PanDiaxik Only if you're not also randomizing its fan pattern.
Liquid cooling should do but probably this guy is gonna hack that too
His research has also definitely paid off in the clever use of acronyms.
1:14 Shots fired
That researcher is absolutely genius. I mean, sure, this is done on consumer hardware and with a previously infected computer, but the techniques used/invented and the sheer ideas that this could be done are totally mindblowing. On a side note, is there a reason you don't use an adblocker? In all your vids I've seen, there are those BS ads popping up on your screen. C'mon, use a blocker of your choice already! :D
This is some next level James Bond tech. This technique might even work on smart phones too. 😵💫😵💫
kinda hard to airgap a smart phone in the first place
An just like James Bond tech it is unrealistic.
@@AlexandreLefaure it's unlikely for it to be very usefull but I don't see what you mean by unrealistic when it has been done.
@@kaischreurs2488 Nope, its the mobile radio network itself that may systematically scan all digital things through AI to spy e.g. offline computers.That's one reason why Huawai got banned in USA.
It's like monitoring someone's heartrate in IR from afar! I feel violated! I remember HR did that to figure out how nervous people are.
RF noise, produced by computer, can be quite high. For example, I remember in the old times, I could literally HEAR mouse cursor movement. I.e. when line-in or mic feedback was turned on, background noise was not-so-random: if something happened on the screen, including such tiny things like mouse cursor movement, that noise was reflecting it.
My AsRock Fatality mainboard trumpets out every mouse motion or other USB activity through its sound output jack (even though I shielded my PC big tower almost TEMPEST-grade). That's quite annoying to have that buzzing through all music on my audiophile tube amplifier.
@@cyberyogicowindler2448 external USB sound card helps to mitigate that: it would be out of the case, and have additional VRMs.
But I wonder, how much valuable info could be extracted via this side channel, since, for example for content creators, this noise get recorded for a long time and could be extracted and analyzed later just by downloading their YT videos...
@@Felinaro Besides limited audio bandwidth, YouTube audio is data reduced (like MP3), which ruins its phase information and so is not that useful anyway. More risky was when people played the dial-up noise of their analogue modem (those were designed to be audio-transmittable), which may have revealed their internet password when someone decoded the sound signal. Of course recorded touch tones of telephone keys can also be decoded to identify phone numbers (remember the door keypad thing in the Wargames movie).
oooooooooo so that's why my computer makes this weird high pitched noise whenever I move something around in blender
Fun fact: I hear my external mouse movement in the internal speaker of my 2019 MacBook Pro when I have an USB-C dock connected with an external monitor. Oddly specific, but I think the strange grounding path both through the HDMI cable and through the charger is what causes some internal noise in the computer, as if I disconnect any of it, it disappears. So, it happens till this day.
Oh boy another leakage-based attack! The one based on the power LED was amazing, this one seems like another natural application of that general concept. I used to imagine that stuff like this would be possible as a kid, because why the hell wouldn't it be?
Pump up the jam on your ram, while your feet are stompin'
Damn, I'm gonna play that now
Something similar was presented in the NSA brochure about 10-20 years ago : security key extraction using computer power usage fluctuations, security key extraction using CPU heat fluctuations ...
This is an interesting thought experiment but in highly sensitive applications, it would be quite easy to implement shielding and defeat this. But I'd imagine the only people with this threat profile would be governments
How could somebody inject that malware into a PC that is not connected to the internet and have no physical access? If the attacker gets access to the PC to be able to inject malware, he can steal the desired information; the range of the RAM noise is only a few meters, so the information doesn't penetrate through the wall anyway.
The US military called it Tempest in the 90s. We had special shielded computers, even the keyboards for certain uses.
he is the one! the computer whisperer!
shhh! he needs to listen first
"yes yes, his bank password is 123456789"
i love that he named the one about the motherboard buzzer "El Grillo" you can tell it's a passion project when he gives everything funny names
We're reaching the point of building an anechoic chamber for work makes sense.
More like a facility in the middle of nowhere that doesn't allow unauthorized personnel to even get close to. Like Area 51. Also secret alien tech. :D
That reminds me of an article back in the day of how someone figured out how to capture the RF signal of CRT monitors and surreptitiously view them. Thankfully this was at the same time CRTs were being phased out, so I expect it never really became a thing.
Wait, someone re-discovered the EM signals from the machine? That was first used in the '80s to read CRTs... there's nothing new in the world.
How did they do it back in the CRT era? Just curious.
@@truckerallikatuk Good point. I'm surprised about the RAM thing because I didn't know the RAM chips were capable of emitting intelligible radio signals at even "across the room" distances.
TEMPEST (Telecommunications Electronics Materials Protected from Emanating Spurious Transmissions) is a U.S. National Security Agency specification and a NATO certification.
@@peterirvin7121 That's why they have to pump it multiple times per bit flip so they can be sure that's what it is and not just more random noise.
We're at the point now that even the shielding needs shielding to stop the shielding from leaking all the things.
Mankind will eventually need hobbyist casemodding contests for TEMPEST hardening. A decade ago there were crypto parties (teaching data protection, not shitcoin scam currencies), now it's time to teach hardware stealthing. In the early 1980s the Atari 400 still contained a massive solid cast metal shielding against RFI, while modern crap intentionally cooks our nervous system with pulsed microwaves to infest the room with wifi, bluetooth or mobile radio.
Electricians have been using EM circuit testers for decades to find live wires in walls. Things like this are why it's good to look the world to find alternative methods of hacking. Everything is a side channel
Finally, I can get rid of my router and just network all my rams together!
Faraday cages for desktops just might be the next big thing. Better get on this, entrepreneurs.
Holland Shielding BV has been on it for years already.
Wrap the computer in aluminum foil. Or just don’t let anyone who doesn’t have business with the computer near the hardware…
Just take a good case
Mankind will eventually need hobbyist casemodding contests for TEMPEST hardening. A decade ago there were crypto parties (teaching data protection, not shitcoin scam currencies), now it's time to teach hardware stealthing. In the early 1980s the Atari 400 still contained a massive solid cast metal shielding against RFI, while modern crap intentionally cooks our nervous system with pulsed microwaves to infest the room with wifi, bluetooth or mobile radio. Not least, it's mobile radio networks that may systematically scan all digital things through AI to spy on e.g. offline computers (one reason why Huawei got banned in the USA).
Home scifs
Wow... Quite impressive that it is possible to do that!
Thanks for the video!
This is so absurdly niche and impractical. You're able to get the malware on the computer somehow, which implies you have had access to it, but you can't just download things to a USB; yet you can place another device within 5 feet of the original device to listen for RAM noise with a highly suspicious radio listening device attached to it, and you're able to retrieve the information from the suspicious device either wirelessly or through physical proximity.
I can imagine Ocean 11 style scenarios where this is actually useful if the noise can get through a wall and maybe and you're able to talk someone into a plugging a USB they got from a stranger into their computer to infect it.
What would be infinitely more useful is if you did not need to infect the computer at all and you could detect the ram noise without intentional manipulation of reading/writing but I guess that would require a radio receiver the size of a mini van and even then it wouldn't work because there would be too much background noise. All of that being said, if you could find a way, it would instantly compromise the security of every computer in a way that cannot be stopped.
Mordechai Guri is based out of Israel and produces these PoCs with a team of engineers from many disciplines at his college. These were always meant to be integrated into an APT workflow, if you didn't know already. Israel is the tip of the spear when it comes to niche cybersecurity tactics.
Digital products are often factory prebugged to permit national intelligence agencies to read the stored data. Websearch what Congaflock is (a type of cheap hidden antenna that can be e.g. scanned with radar to extract secret information).
I thought about this concept 15 years ago except in reverse; It's not that they are listening, it's that the RAM is transmitting.
wait until RAM Radio becomes a hobby and people compete to broadcast to higher and higher distances
The virgin Ham Radio vs. the Chad RAM Radio
I once wrote a program that loaded the cpu in a specific way, modulating its power consumption. Another program could measure the local cpu throughput which modulates when hitting power limitations. I could transfer data between separate VMs running on the same threadripper system in the low 100 bytes/s range using common modulation techniques found in radio communications. If I knew that such things would be relevant... 😀.
Until you replicate it for us I call BS on this. There is no way he is discerning signal from noise or injecting it over any distance. GPU fan, that is just silly. Like the free energy videos often originating from that same region of the planet.
This is really an update to an old hack. They've been able to steal airgapped data with acoustics and RF for decades, doing it with ram now isn't that much of an innovation.
Wow not understanding the original concept, the video and some extra racism thrown in! What a treat.
Interesting, but I'm not sure how impressed I am with his mission. It's just signal transmission with all kinds of different properties of a modern (physical) computer. This can be anything, and if you have had access to the air-gapped computer, it's more about (party trick) creativity than technical stuff.
I can't take this anymore. Modern computing is so broken. We need a complete reset.
I've been talking about this since the 90s since I got my degree in computer science. Your house's entire electrical system can also be turned into an antenna and everything with a current flowing through it outputs an EM signature. The feds have been doing this for decades.
My friend built an antenna to snoop and made a mistake that ended up emitting an EM pulse that got him a visit from the feds. Your brain has an EM signature as well, which is how they are mapping dreams and literal imagination. People have no idea how their technology works, much less what it's capable of. A SIM card is a separate computer in your cellphone that has root access to everything as well.
So...
1. You cannot access the system from any network.
2. You don't have physical access, hence why you would need this hack in the first place.
3. But somehow you need to get some malware on it for this hack to work?
I do not feel utterly nervous. It is pretty cool though, I will give him that.
The issues with air-gapped networks are two-fold: getting in and getting out. There are other viable methods of getting in already out there, but without a way to exfiltrate data back out of those systems, the best you can do is cause damage (think randomly crashing the centrifuges Iran used to refine nuclear fuel). The types of vulnerabilities this individual specializes in are that exfiltration piece. So with these you can get in, grab a bunch of data that looks interesting, and get that data back out of the system without a traditional exfiltration strategy, which usually involves gaining physical access through a separate operation from the one that was used to infect the system to begin with.
Stuxnet got into air-gapped systems, so that's already happened; the attack vector is more viable than you think.
@@jenaf4208 Stuxnet attacked the PLC by physically inserting a malicious slave node for a motor drive into the system. Motor drives do fail and need attending to by the maintenance crew, which needs to have physical spares to swap out. Furthermore, a PLC system for a large plant is spread out over a building; there are plenty of opportunities for a bad actor to do something naughty. It's very different to a PC that's actually air-gapped and contained within an office cubicle.
Until recently, PLC systems didn't have any security on their networks; they're all open, which means they can be sniffed at with Wireshark and played with really easily. And a lot of modern PLC systems remain open by default; it's at the programmer's discretion as to whether the system gets locked down. In modern systems, programmers can lock out new physical items if they don't have the correct serial numbers.
This is how you do it:
You are the CCP; you find out about the Australian government's secret project to research and develop working warp drives. Unfortunately all the data you want to steal about how to make one is on an air-gapped system, in an impenetrable fortress of security. Fortunately you find out that the Aus Gov always buys their motherboards from a supplier in Taiwan that you have infiltrated with CCP agents. You have your agents modify the next motherboard design so that it will include malware in the MB BIOS that allows it to not only keylog but also write directly to RAM to get it to sing to the universe. They buy these and you now have malware on their machines collecting the secrets for you and broadcasting on the RAM. You get your CCP agent to start working at a pizza place down the street from the Warp Drive Research Office; eventually someone orders a pizza and she delivers it with a radio detector hidden in her pizza bag. She gets up close to the gate to drop off the pizza and starts detecting the RAM broadcasting the secrets. She flirts with the gate guard long enough to download the secret design PDFs. She then sends the CCP the data and they beat the Australians to developing the first warp drive as a result, and China dominates the interstellar industry.
@@trapfethen Digital products are often factory prebugged to permit national intelligence agencies to read the stored data. Websearch Congaflock (a type of cheap hidden antenna that can be e.g. scanned with radar to extract secret information).
Guy has talent when it comes to naming techniques
If these ram sticks could talk… oh no
one countermeasure you didn't mention: RAM encryption
it's also possible to passively receive whatever data happens to be going to/from RAM (I know because I did it in 2017), but that requires a lot more computation to actually extract the data from the radio signals, especially when there are multiple channels.
Joke's on him! I play DUBSTEP on my machine to make MOAR noise :DD
I mean, he literally did put "make more noise" as an optional countermeasure in the paper...
There’s another attack using a similar method called a tempest attack which uses EMFs emitted from non-shielded HDMI cables to capture what’s being displayed on a monitor.
This is how governments have been recording data using your phones as listening devices for computers that are not even external network facing devices.
Mobile radio networks this way may systematically scan all digital things through AI to spy on e.g. offline computers. That's one reason why Huawei got banned in the USA.
I noticed, that over the years, computer cases (chassis) have become more hole-y than ever. Once upon a time, cases were pretty effective faraday cages. Once upon a time, cables were shielded. Amazing!
"Jam your ram, and then ram your jam"
Mordechai is exactly the kind of dude who could figure out how to blow up a bad guy's pager at a distance. Respect!
FYI, "Mordechai" is pronounced with a 'k', not a "ch". It's a Hebrew name.
It seems they were only able to read the data because on the target machine they were writing it in a specific way. I don't see how this could be used to read data from any computer you don't have control over.
perhaps with an ai.....that been fed large amounts of training data specifically on this topic....
Yeah, now that I've watched the whole video, "screaming" bits for the radio to hear is rather specific.
@@xerr0n the novelty is being able to use it as a data exfiltration system. in a setting that a hacker can get access to a closed system, normally they can't get information out of the system. this would give someone the ability to get information and then convert it to a "screaming bits" formatting for an external monitor to pick up, therefore breaking the closed system.
@@davidfrischknecht8261 I had the same thought at first, but requiring them to get their code onto the computer isn’t actually unfair when you consider that supply chain attacks from software the user willingly includes are a common method of attack even when not air gapped. In the normal case the hidden malicious code calls back out to a command and control server and gives the attacker remote access of some kind. In the air gapped case it can start writing to ram in this pattern. To summarize, this isn’t meant as a way of peering into what a computer is doing in general, it’s a communication method for malicious code that has already gotten there somehow and finds itself in an air gapped environment
@@xerr0n This way mobile radio networks may systematically scan all digital things through AI to spy on e.g. offline computers. That's one reason why Huawei got banned in the USA.
I'd hardly say it's novel - it's been known for a long while. Back in the 80s, I used to use my Sinclair ZX Spectrum as a crude radio transmitter (it was so RF leaky it wiped out the entire AM band). It was quite easy to modulate the interference it gave out, you could even play really bad music on a nearby radio. Modern computers are better shielded, but you'll always get some RF leakage. Anything you can modulate whether it be the noise of a GPU fan, or RFI from the memory bus etc. can be used to transmit data (perhaps very slowly in some cases).
Back in the 80s the military were very worried about this stuff, the whole TEMPEST standard was created to attempt to stop secret data getting expropriated by RFI, either accidentally or deliberately.
Obviously. This guy has been doing this type of research for years. Doing it with RAM is what's novel. Every time someone says, "Oh but we can deal with that one," he comes out with another one. RF, Fan noise, LED blinking.
The impressive thing isn't just thinking about it, but actually doing it. Which he did!
When I move my mouse at just the right angle, I can hear the electronics inside make noise. It's an extremely high pitch that hurts my ears. Electronic hum is a real thing and varies in pitch and volume, so I'm not surprised someone can read RAM based on the audible sounds that a computer makes as it stores and retrieves memory. What you don't realize is that the reverse can be true as well. You can use a speaker, for instance, to produce electricity. It's far less efficient at doing so than a microphone, but it works. I suspect all air-gapped systems are technically susceptible to the reverse of these attacks: Actively injecting data into a target system through the air.
The thing is the hardware would not be listening for data. If you're saying to manipulate electrical signals with RF I think it might be better to use electromagnetic signals if anyone wants to try to make an actual research on this.
Similar to CRT TVs. They emit a high-pitched noise.
My AsRock Fatality mainboard trumpets out every mouse motion or other USB activity through its sound output jack (even though I shielded my PC big tower almost TEMPEST-grade). That's quite annoying to have that buzzing through all music on my audiophile tube amplifier.
I developed this technique with ChatGPT in the past couple of weeks:
Multi-layer Faraday cage, grounded to capacitor, to ground.
Outside of the Faraday cage, employ a Tesla coil using a white noise algorithm emulating what would be intelligible data.
If they are able to discern anything through the high voltage RFI of the Tesla coil, it's going to be the decoy data being used to power the Tesla coil, while your real data is secure from sniffing.
You're welcome.
Ram your Jam & Jam your Ram
Just wanted to say I am noting your new persona and style. Seems to be some of the influence of The Primeagen. I like how you are branching out and trying new things. I look forward to the synthesis of LowLevelEdPrime :P
Even TempleOS is vulnerable!
At MIT in 1967 we had the PDP 1, the first time-sharing computer. One of our nerds wired up a ram bit to make music.
This is kinda like someone had an unlimited budget and resources, ignored ethics and genetically engineered a horse with wings and a horn on its head and called it a unicorn.
Is it possible? Yeah, maybe... Is it going to happen and be useful? Fuck no.
Unlimited budget, oh no, government grant I bet. We paid for it.
jesus h christ
Truly insane. Lesson learned - if someone wants in, they'll find a way.