Yan Jiang,Xiaoyu Ji,Kai Wang,Chen Yan,Richard Mitev,Ahmad-Reza Sadeghi,Wenyuan Xu

DOI: https://doi.org/10.1109/sp46214.2022.9833740

2022-01-01

Abstract:The security of capacitive touchscreens is crucial since they have become the primary human-machine interface on smart devices. To the best of our knowledge, this paper presents WIGHT, the first wired attack that creates ghost touches on capacitive touchscreens via charging cables, and can manipulate the victim devices with undesired consequences, e.g., allowing malicious Bluetooth connections, accepting files with viruses, etc. Our study calls for attention to a new threat vector against touchscreens that only requires connecting to a malicious charging port, which could be a public charging station, and is effective across various power adapters and even USB data blockers. Despite the fact that smartphones employ abundant noise reduction and voltage management techniques, we manage to inject carefully crafted signals that can induce ghost touches within a chosen range. The underlying principle is to inject common-mode noises over the power line to avoid being effectively filtered yet affect the touch measurement mechanism, and synchronize the malicious noise with the screen measurement scanning cycles to place the ghost touches at target locations. We achieve three types of attacks: injection attacks that create ghost touches without users touching the screen, alteration attacks that change the detected legitimate touch position, and Denial-of-Service attacks that prevent the device from identifying legitimate touches. Our evaluation on 6 smartphones, 1 tablet, 2 standalone touchscreen panels, 6 power adapters, and 13 charging cables demonstrates the feasibility of all three type attacks.

Chiachih Wu,Yajin Zhou,Kunal Patel,Zhenkai Liang,Xuxian Jiang

DOI: https://doi.org/10.14722/ndss.2014.23164

2014-01-01

Abstract:Recent years have experienced explosive growth of smartphone sales. Inevitably, the rise in the popularity of smartphones also makes them an attractive target for attacks. In light of these threats, current mobile platform providers have developed various server-side vetting processes to block malicious applications (“apps”). While helpful, they are still far from ideal in achieving their goals. To make matters worse, the presence of alternative (less-regulated) mobile marketplaces also opens up new attack vectors, which necessitate client-side solutions (e.g., mobile anti-virus software) to run on mobile devices. However, existing client-side solutions still exhibit limitations in their capability or deployability. In this paper, we present AirBag, a lightweight OS-level virtualization approach to enhance the popular Android platform and boost our defense capability against mobile malware infection. Assuming a trusted smartphone OS kernel and the fact that untrusted apps will be eventually installed onto users’ phones, AirBag is designed to isolate and prevent them from infecting our normal systems (e.g., corrupting the phone firmware) or stealthily leaking private information. More specifically, by dynamically creating an isolated runtime environment with its own dedicated namespace and virtualized system resources, AirBag not only allows for transparent execution of untrusted apps, but also effectively mediates their access to various system resources or phone functionalities (e.g., SMSs or phone calls). We have implemented a proof-of-concept prototype on three representative mobile devices, i.e., Google Nexus One, Nexus 7, and Samsung Galaxy S III. The evaluation results with a number of untrusted apps, including real-world mobile malware, demonstrate its practicality and effectiveness.

Dian Ding,Yi-Chao Chen,Xiaoyu Ji,Guangtao Xue

DOI: https://doi.org/10.1109/secon58729.2023.10287495

2023-01-01

Abstract:Smart devices are proliferating in every aspect of our lives, providing convenience but also exposing us to the risk of information leakage at any moment. Attackers can monitor the user and infer private information such as the personality and preferences by stealing the behavior information. In this paper, we investigated the potential threat of information stealing via the leakage current of laptop and electrodes in wearable devices (e.g. smart watches and bracelets). Specifically, the leakage current in the laptop adapter can flow from the metal casing into the human body and be collected by electrodes in wearable devices when the user is using a laptop with a metal casing (e.g. MacBook). We verified the correlation between leakage current and working states of the laptop, where different operations corresponding to different CPU instructions can generate different leakage currents. Based on this, we propose LeakThief, the system consists of three components, leakage current detection, application operation detection and application recognition. The experiments in real-world environment demonstrated that the proposed system is able to recognize 10 common applications with high accuracy, including launching-based (97.5%) and in-application operation-based recognition (83.8%).

Yan Jiang,Xiaoyu Ji,Kai Wang,Chen Yan,Richard Mitev,Ahmad-Reza Sadeghi,Wenyuan Xu

DOI: https://doi.org/10.1109/tdsc.2023.3326181

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:The security of capacitive touchscreens is crucial since they have become the primary human-machine interface on smart devices. This paper presents Marionette , the first wired attack that creates ghost touches on capacitive touchscreens via charging cables and can manipulate the victim's devices with undesired consequences, e.g., establishing malicious Bluetooth connections. Our study provides a new threat vector against touchscreens that only requires connecting to a malicious charging port, which could be a public charging station, and is effective across various USB data blockers and power adapters. Despite the fact that smartphones employ abundant noise reduction and voltage management techniques, we manage to inject carefully crafted signals that can induce ghost touches within a chosen range. The underlying principle is to inject common-mode noises over the power line to avoid being effectively filtered yet affecting the touch measurement mechanism and synchronize the malicious noise with the screen measurement scanning cycles to place the ghost touches at target locations. We achieve three types of attacks, i.e., injection, alteration, and Denial-of-Service, and the evaluation of 12 commercial electronics, 6 power adapters, and 13 charging cables demonstrate the feasibility of Marionette .

Jianwei Liu,Xiang Zou,Leqi Zhao,Yusheng Tao,Sideng Hu,Jinsong Han,Kui Ren

DOI: https://doi.org/10.1109/tdsc.2022.3173063

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Wireless charging is becoming an essential power supply pattern for electronic devices. Currently, mainstream smartphones are almost compatible with wireless charging. However, when the charging efficiency is continuously improved, its security challenge still remains open yet overlooked. In this paper, we reveal that severe security flaws exist in the wireless charging procedure of off-the-shelf commodity smartphones. Specifically, we find that an attacker can utilize the electromagnetic induction effect between the wireless charger and the smartphone to detect the activities and operations performed on the smartphone. We term such attack as EM-Surfing side-channel attack and build a theoretical model to show its feasibility. To explore the hazard of EM-Surfing , we propose a three-module attack method, with which we conduct real-world experiments over three mainstream models of smartphones. The results show that the attacker can achieve over 99%, 96%, 94%, and 97% accuracy when inferring the passcode, keystroke, App information, and speech content, respectively. We also design an App named SecCharging to prevent smartphones from EM-Surfing attacks. The defense experiment results demonstrate that SecCharging can mitigate the threats posed by EM-Surfing effectively.

Alexander S. La Cour,Khurram K. Afridi,G. Edward Suh

DOI: https://doi.org/10.1145/3460120.3484733

2021-05-27

Abstract:This paper shows that today's wireless charging interface is vulnerable to power side-channel attacks; a smartphone charging wirelessly leaks private information about its activity to the wireless charger (charging transmitter). We present a website fingerprinting attack through the wireless charging side-channel for both iOS and Android devices. The attack monitors the current drawn by the wireless charging transmitter while 20 webpages from the Alexa top sites list are loaded on a charging smartphone. We implement a classifier that correctly identifies unlabeled current traces with an accuracy of 87% on average for an iPhone 11 and 95% on average for a Google Pixel 4. This represents a considerable security threat because wireless charging does not require any user permission if the phone is within the range of a charging transmitter. To the best of our knowledge, this work represents the first to introduce and demonstrate a power side-channel attack through wireless charging. Additionally, this study compares the wireless charging side-channel with the wired USB charging power side-channel, showing that they are comparable. We find that the performance of the attack deteriorates as the contents of websites change over time. Furthermore, we discover that the amount of information leakage through both wireless and wired charging interfaces heavily depends on the battery level; minimal information is leaked at low battery levels.

Cryptography and Security

Jeremy Martin,Douglas Alpuche,Kristina Bodeman,Lamont Brown,Ellis Fenske,Lucas Foppe,Travis Mayberry,Erik C. Rye,Brandon Sipes,Sam Teplov

DOI: https://doi.org/10.48550/arXiv.1904.10600

2019-06-15

Abstract:We investigate Apple's Bluetooth Low Energy (BLE) Continuity protocol, designed to support interoperability and communication between iOS and macOS devices, and show that the price for this seamless experience is leakage of identifying information and behavioral data to passive adversaries. First, we reverse engineer numerous Continuity protocol message types and identify data fields that are transmitted unencrypted. We show that Continuity messages are broadcast over BLE in response to actions such as locking and unlocking a device's screen, copying and pasting information, making and accepting phone calls, and tapping the screen while it is unlocked. Laboratory experiments reveal a significant flaw in the most recent versions of macOS that defeats BLE Media Access Control (MAC) address randomization entirely by causing the public MAC address to be broadcast. We demonstrate that the format and content of Continuity messages can be used to fingerprint the type and Operating System (OS) version of a device, as well as behaviorally profile users. Finally, we show that predictable sequence numbers in these frames can allow an adversary to track Apple devices across space and time, defeating existing anti-tracking techniques such as MAC address randomization.

Networking and Internet Architecture,Cryptography and Security

Hosam Alamleh,Michael Gogarty,David Ruddell,Ali Abdullah S. AlQahtani

2024-01-25

Abstract:This study presents an in-depth analysis of the security landscape in Bluetooth Low Energy (BLE) tracking systems, with a particular emphasis on Apple AirTags and Samsung SmartTags, including their cryptographic frameworks. Our investigation traverses a wide spectrum of attack vectors such as physical tampering, firmware exploitation, signal spoofing, eavesdropping, jamming, app security flaws, Bluetooth security weaknesses, location spoofing, threats to owner devices, and cloud-related vulnerabilities. Moreover, we delve into the security implications of the cryptographic methods utilized in these systems. Our findings reveal that while BLE trackers like AirTags and SmartTags offer substantial utility, they also pose significant security risks. Notably, Apple's approach, which prioritizes user privacy by removing intermediaries, inadvertently leads to device authentication challenges, evidenced by successful AirTag spoofing instances. Conversely, Samsung SmartTags, designed to thwart beacon spoofing, raise critical concerns about cloud security and user privacy. Our analysis also highlights the constraints faced by these devices due to their design focus on battery life conservation, particularly the absence of secure boot processes, which leaves them susceptible to OS modification and a range of potential attacks. The paper concludes with insights into the anticipated evolution of these tracking systems. We predict that future enhancements will likely focus on bolstering security features, especially as these devices become increasingly integrated into the broader IoT ecosystem and face evolving privacy regulations. This shift is imperative to address the intricate balance between functionality and security in next-generation BLE tracking systems.

Cryptography and Security

Ali Abedi,Haofan Lu,Alex Chen,Charlie Liu,Omid Abari

DOI: https://doi.org/10.48550/arXiv.2301.00269

2023-03-25

Abstract:WiFi communication should be possible only between devices inside the same network. However, we find that all existing WiFi devices send back acknowledgments (ACK) to even fake packets received from unauthorized WiFi devices outside of their network. Moreover, we find that an unauthorized device can manipulate the power-saving mechanism of WiFi radios and keep them continuously awake by sending specific fake beacon frames to them. Our evaluation of over 5,000 devices from 186 vendors confirms that these are widespread issues. We believe these loopholes cannot be prevented, and hence they create privacy and security concerns. Finally, to show the importance of these issues and their consequences, we implement and demonstrate two attacks where an adversary performs battery drain and WiFi sensing attacks just using a tiny WiFi module which costs less than ten dollars.

Networking and Internet Architecture

Mordechai Guri,Andrey Daidakulov,Yuval Elovici

DOI: https://doi.org/10.48550/arXiv.1802.02317

2018-02-07

Abstract:In this paper, we show that attackers can leak data from isolated, air-gapped computers to nearby smartphones via covert magnetic signals. The proposed covert channel works even if a smartphone is kept inside a Faraday shielding case, which aims to block any type of inbound and outbound wireless communication (Wi-Fi, cellular, Bluetooth, etc.). The channel also works if the smartphone is set in airplane mode in order to block any communication with the device. We implement a malware that controls the magnetic fields emanating from the computer by regulating workloads on the CPU cores. Sensitive data such as encryption keys, passwords, or keylogging data is encoded and transmitted over the magnetic signals. A smartphone located near the computer receives the covert signals with its magnetic sensor. We present technical background, and discuss signal generation, data encoding, and signal reception. We show that the proposed covert channel works from a user-level process, without requiring special privileges, and can successfully operate from within an isolated virtual machine (VM).

Cryptography and Security

Yue Zhang,Jian Weng,Rajib Dey,Yier Jin,Zhiqiang Lin,Xinwen Fu

DOI: https://doi.org/10.48550/arXiv.1908.10497

2019-09-11

Abstract:To defeat security threats such as man-in-the-middle (MITM) attacks, Bluetooth Low Energy (BLE) 4.2 and 5.x introduce the Secure Connections Only mode, under which a BLE device accepts only secure paring protocols including Passkey Entry and Numeric Comparison from an initiator, e.g., an Android mobile. However, the BLE specification does not explicitly require the Secure Connection Only mode of the initiator. Taking the Android's BLE programming framework for example, we found that it cannot enforce secure pairing, invalidating the security protection provided by the Secure Connection Only mode. The same problem applies to Apple iOS too. Specifically, we examine the life cycle of a BLE pairing process in Android and identify four severe design flaws. These design flaws can be exploited by attackers to perform downgrading attacks, forcing the BLE pairing protocols to run in the insecure mode without the users' awareness. To validate our findings, we selected and tested 18 popular BLE commercial products and our experimental results proved that downgrading attacks and MITM attacks were all possible to these products. All 3501 BLE apps from Androzoo are also subject to these attacks. For defense, we have designed and implemented a prototype of the Secure Connection Only mode on Android 8 through the Android Open Source Project (AOSP). We have reported the identified BLE pairing vulnerabilities to Bluetooth Special Interest Group (SIG), Google, Apple, Texas Instruments (TI) and all of them are actively addressing this issue. Google rated the reported security flaw a High Severity.

Cryptography and Security

Xiaolong Bai,Luyi Xing,Nan Zhang,XiaoFeng Wang,Xiaojing Liao,Tongxin Li,Shi-Min Hu

DOI: https://doi.org/10.1109/SP.2016.45

2016-01-01

Abstract:With the popularity of today's usability-oriented designs, dubbed Zero Configuration or ZeroConf, unclear are the security implications of these automatic service discovery, "plug-and-play" techniques. In this paper, we report the first systematic study on this issue, focusing on the security features of the systems related to Apple, the major proponent of ZeroConf techniques. Our research brings to light a disturbing lack of security consideration in these systems' designs: major ZeroConf frameworks on the Apple platforms, including the Core Bluetooth Framework, Multipeer Connectivity and Bonjour, are mostly unprotected and popular apps and system services, such as Tencent QQ, Apple Handoff, printer discovery and AirDrop, turn out to be completely vulnerable to an impersonation or Man-in-the-Middle (MitM) attack, even though attempts have been made to protect them against such threats. The consequences are serious, allowing a malicious device to steal the user's SMS messages, email notifications, documents to be printed out or transferred to another device. Most importantly, our study highlights the fundamental security challenges underlying ZeroConf techniques: in the absence of any pre-configured secret across different devices, authentication has to rely on Apple-issued public-key certificate, which however cannot be properly verified due to the difficulty in finding a unique, nonsensitive and widely known identity of a human user to bind her to her certificate. To address this issue, we developed a suite of new techniques, including a conflict detection approach and a biometric technique that enables the user to speak out her certificate through 6 distinct, rare but pronounceable words to let those who know her voice verify her certificate. We performed a security analysis on the new protection and evaluated its usability and effectiveness using two user studies involving 60 participants. Our research shows that the new protection fits well with the existing ZeroConf systems such as AirDrop. It is well received by users and also providing effective defense even against recently proposed speech synthesis attacks.

Jan Ruge,Jiska Classen,Francesco Gringoli,Matthias Hollick

DOI: https://doi.org/10.48550/arXiv.2006.09809

2020-06-17

Abstract:Wireless communication standards and implementations have a troubled history regarding security. Since most implementations and firmwares are closed-source, fuzzing remains one of the main methods to uncover Remote Code Execution (RCE) vulnerabilities in deployed systems. Generic over-the-air fuzzing suffers from several shortcomings, such as constrained speed, limited repeatability, and restricted ability to debug. In this paper, we present Frankenstein, a fuzzing framework based on advanced firmware emulation, which addresses these shortcomings. Frankenstein brings firmware dumps "back to life", and provides fuzzed input to the chip's virtual modem. The speed-up of our new fuzzing method is sufficient to maintain interoperability with the attached operating system, hence triggering realistic full-stack behavior. We demonstrate the potential of Frankenstein by finding three zero-click vulnerabilities in the Broadcom and Cypress Bluetooth stack, which is used in most Apple devices, many Samsung smartphones, the Raspberry Pis, and many others. Given RCE on a Bluetooth chip, attackers may escalate their privileges beyond the chip's boundary. We uncover a Wi-Fi/Bluetooth coexistence issue that crashes multiple operating system kernels and a design flaw in the Bluetooth 5.2 specification that allows link key extraction from the host. Turning off Bluetooth will not fully disable the chip, making it hard to defend against RCE attacks. Moreover, when testing our chip-based vulnerabilities on those devices, we find BlueFrag, a chip-independent Android RCE.

Cryptography and Security,Networking and Internet Architecture

Tao Wei,Min Zheng,Hui Xue,Dawn Song

2014-01-01

Abstract:Apple has a strict review process for apps published in its App Store. The review guidelines not only disallow use of the powerful private APIs but also forbid dangerous or deceptive behaviours. The review process, though imperfect, provides good protection for iOS users and makes it difficult for malware to exist in the App Store. However, apps may also be distributed using enterprise provisioning profiles without having to go through such a review process. Apps distributed in this way have become a new attack vector. Attackers can launch targeted attacks by delivering malicious apps leveraging private APIs to the victim’s device. In this paper, we explain the risk of an attacker distributing apps using enterprise provisioning profiles to conduct targeted attacks, including remote installation through spear phishing, autostart after reboot, background monitoring and bypassing certificate revocation. We show that serious, targeted attacks on iOS are both feasible and realistic. We also discuss the implications this has on the iOS security architecture and the challenges of addressing them.

Luyi Xing,Xiaolong Bai,Tongxin Li,XiaoFeng Wang,Kai Chen,Xiaojing Liao,Shi-Min Hu,Xinhui Han

DOI: https://doi.org/10.1145/2810103.2813609

2015-01-01

Abstract:On modern operating systems, applications under the same user are separated from each other, for the purpose of protecting them against malware and compromised programs. Given the complexity of today's OSes, less clear is whether such isolation is effective against different kind of cross-app resource access attacks (called XARA in our research). To better understand the problem, on the less-studied Apple platforms, we conducted a systematic security analysis on MAC OS~X and iOS. Our research leads to the discovery of a series of high-impact security weaknesses, which enable a sandboxed malicious app, approved by the Apple Stores, to gain unauthorized access to other apps' sensitive data. More specifically, we found that the inter-app interaction services, including the keychain, WebSocket and NSConnection on OS~X and URL Scheme on the MAC OS and iOS, can all be exploited by the malware to steal such confidential information as the passwords for iCloud, email and bank, and the secret token of Evernote. Further, the design of the app sandbox on OS~X was found to be vulnerable, exposing an app's private directory to the sandboxed malware that hijacks its Apple Bundle ID. As a result, sensitive user data, like the notes and user contacts under Evernote and photos under WeChat, have all been disclosed. Fundamentally, these problems are caused by the lack of app-to-app and app-to-OS authentications. To better understand their impacts, we developed a scanner that automatically analyzes the binaries of MAC OS and iOS apps to determine whether proper protection is missing in their code. Running it on hundreds of binaries, we confirmed the pervasiveness of the weaknesses among high-impact Apple apps. Since the issues may not be easily fixed, we built a simple program that detects exploit attempts on OS~X, helping protect vulnerable apps before the problems can be fully addressed.

Erik Rye,Dave Levin

2024-05-24

Abstract:Wi-Fi-based Positioning Systems (WPSes) are used by modern mobile devices to learn their position using nearby Wi-Fi access points as landmarks. In this work, we show that Apple's WPS can be abused to create a privacy threat on a global scale. We present an attack that allows an unprivileged attacker to amass a worldwide snapshot of Wi-Fi BSSID geolocations in only a matter of days. Our attack makes few assumptions, merely exploiting the fact that there are relatively few dense regions of allocated MAC address space. Applying this technique over the course of a year, we learned the precise locations of over 2 billion BSSIDs around the world.

Cryptography and Security,Networking and Internet Architecture

Mingrui Ai,Kaiping Xue,Bo Luo,Lutong Chen,Nenghai Yu,Qibin Sun,Feng Wu

DOI: https://doi.org/10.1145/3548606.3560668

2022-01-01

Abstract:ABSTRACTBluetooth is a short-range wireless communication technology widely used by billions of personal computing, IoT, peripheral, and wearable devices. Bluetooth devices exchange commands and data, such as keyboard/mouse inputs, audio, and files, through a secure communication channel that is established through a pairing process. Due to the sensitivity of those commands and data, security mechanisms, such as encryption, authentication, and authorization, have been developed and adopted in the standards. Nevertheless, vulnerabilities continue to be discovered. In the literature, few successful attacks against the Bluetooth connection establishment stage have been reported. Many attacks simply assume that connections are already established or use a compromised agent, e.g, a malicious app or a careless user, to initialize the connection. We argue that such assumptions are strong and impractical. A stealthily established connection is a critical starting point for any practical attack against Bluetooth devices. In this paper, we demonstrate that the Bluetooth Specification contains a series of vulnerabilities that will enable an attacker to impersonate a Bluetooth device and successfully establish a connection with a victim device. The entire process does not require any involvement of the device owner/user or any malicious app on the victim device. The attacker could further escalate permissions by switching Bluetooth profiles to retrieve sensitive information from the victim device and inject arbitrary commands. We name our new attack as the Blacktooth Attack. To demonstrate the effectiveness and practicality of the Blacktooth attack, we evaluate it against 21 different Bluetooth devices with diverse manufacturers and operating systems, and all major Bluetooth versions. We show that the newly proposed attack is successful on all victim devices.

Luyi Xing,Xiaolong Bai,Tongxin Li,XiaoFeng Wang,Kai Chen,Xiaojing Liao,Shi-Min Hu,Xinhui Han

DOI: https://doi.org/10.48550/arXiv.1505.06836

2015-05-26

Abstract:On modern operating systems, applications under the same user are separated from each other, for the purpose of protecting them against malware and compromised programs. Given the complexity of today's OSes, less clear is whether such isolation is effective against different kind of cross-app resource access attacks (called XARA in our research). To better understand the problem, on the less-studied Apple platforms, we conducted a systematic security analysis on MAC OS~X and iOS. Our research leads to the discovery of a series of high-impact security weaknesses, which enable a sandboxed malicious app, approved by the Apple Stores, to gain unauthorized access to other apps' sensitive data. More specifically, we found that the inter-app interaction services, including the keychain, WebSocket and NSConnection on OS~X and URL Scheme on the MAC OS and iOS, can all be exploited by the malware to steal such confidential information as the passwords for iCloud, email and bank, and the secret token of Evernote. Further, the design of the app sandbox on OS~X was found to be vulnerable, exposing an app's private directory to the sandboxed malware that hijacks its Apple Bundle ID. As a result, sensitive user data, like the notes and user contacts under Evernote and photos under WeChat, have all been disclosed. Fundamentally, these problems are caused by the lack of app-to-app and app-to-OS authentications. To better understand their impacts, we developed a scanner that automatically analyzes the binaries of MAC OS and iOS apps to determine whether proper protection is missing in their code. Running it on hundreds of binaries, we confirmed the pervasiveness of the weaknesses among high-impact Apple apps. Since the issues may not be easily fixed, we built a simple program that detects exploit attempts on OS~X, helping protect vulnerable apps before the problems can be fully addressed.

Cryptography and Security

Mordechai Guri

DOI: https://doi.org/10.48550/arXiv.2212.03520

2022-12-07

Cryptography and Security

Abstract:Air-gapped systems are isolated from the Internet due to the sensitive information they handle. This paper presents COVID-bit, a new COVert channel attack that leaks sensitive information over the air from highly isolated systems. The information emanates from the air-gapped computer over the air to a distance of 2m and more and can be picked up by a nearby insider or spy with a mobile phone or laptop. Malware on an air-gapped computer can generate radio waves by executing crafted code on the target system. The malicious code exploits the dynamic power consumption of modern computers and manipulates the momentary loads on CPU cores. This technique allows the malware to control the computer's internal utilization and generate low-frequency electromagnetic radiation in the 0 - 60 kHz band. Sensitive information (e.g., files, encryption keys, biometric data, and keylogging) can be modulated over the emanated signals and received by a nearby mobile phone at a max speed of 1000 bits/sec. We show that a smartphone or laptop with a small \$1 antenna carried by a malicious insider or visitor can be used as a covert receiver. Notably, the attack is highly evasive since it executes from an ordinary user-level process, does not require root privileges, and is effective even within a Virtual Machine (VM). We discuss the attack model and provide technical details. We implement air-gap transmission of texts and files, and present signal generation and data modulation. We test the covert channel and show evaluation results. Finally, we present a set of countermeasures to this air-gap attack.

Wei Wang,Lin Yang,Qian Zhang,Tao Jiang

DOI: https://doi.org/10.48550/arXiv.1801.09224

2018-01-28

Abstract:On-body devices are an intrinsic part of the Internet-of-Things (IoT) vision to provide human-centric services. These on-body IoT devices are largely embedded devices that lack a sophisticated user interface to facilitate traditional Pre-Shared Key based security protocols. Motivated by this real-world security vulnerability, this paper proposes SecureTag, a system designed to add defense in depth against active attacks by integrating physical layer (PHY) information with upper-layer protocols. The underpinning of SecureTag is a signal processing technique that extracts the peculiar propagation characteristics of creeping waves to discern on-body devices. Upon overhearing a suspicious transmission, SecureTag initiates a PHY-based challenge-response protocol to mitigate attacks. We implement our system on different commercial off-the-shelf (COTS) wearables and a smartphone. Extensive experiments are conducted in a lab, apartments, malls, and outdoor areas, involving 12 volunteer subjects of different age groups, to demonstrate the robustness of our system. Results show that our system can mitigate 96.13% of active attack attempts while triggering false alarms on merely 5.64% of legitimate traffic.

Networking and Internet Architecture