Sunday, September 6, 2009

The Hacking Signal






"That's the signal that hacked our network." - Keller - Transformers I the movie.




In "Transformers" the movie, Decepticons used a "signal" to hack the military network. Being a security professional, at first sight given the current technologies that I know, I think that this is not something realistic, at the time being. Hacking nowadays is done on different levels including application, network, systems and even physical. Physical here denotes fooling people and physical locks. However, after a second thought, this movie illustrates (probably without knowledge) the possibility of hacking computers on the "electronic layer" if I may call it.

What I meant by Hacking on the electronic layer is dealing with the computer on the level of signals, volts, filters, conductivity; all of the very low level components that comprises the computer. This field is very recent (from the security point of view) and few people are researching into it. But my vision is that, in the future, electronic hacking is going to be a hot topic.

What if we can hack into motherboards, processors and network interface cards? Anyone involved in computing knows that the computer logic is based on zeros and ones. Currently we implement this logic using electricity. Mapping between computer logic and electronics is the main issue that concerns us now. There are mappings between voltage levels and Logic values. Since voltage levels are continuous and Logic levels are discrete, it's common to have voltage intervals (not values) that maps to Logic values. This leaves us with values on the boarder of the interval that are loosely defined. Usually when circuits operate on these threshold, output values are claimed to be "rubbish". If you ask a typical programmer, what would happen if someone tries to call a dangling pointer, what would be the output? A typical answer would be "rubbish". But for us, security professionals, a dangling pointer means a potential code execute vulnerability!. The point that I'm trying to make here is that if security experts examines this "rubbish" output from operating at threshold electronic values and tries to analyze, abuse and exploit it, this would definitely lead to something.

What about signal leakages? I remember a presentation back from Blackhat DC 2009 for "lcars" and "danbia" entitled "Sniffing Keystrokes With Lasers and Voltmeters". The presentation shed the light on two brilliant techniques for keystrokes sniffing. One of the ideas is based on the fact that PS2 keyboards operates at frequencies in the order of KHz which is very low compared to any other frequency the computer uses. Combined with unshielded cables, it's possible (and they proved it) to sniff the signal fluctuations from the power grid lines using a suitable filter from distances as far as 15 meters and infer the keystrokes from it.

Another idea was utilizing the sound vibrations of buttons during typing and sniffing it using a laser microphone. With appropriate filters and patterns, they proved that it is feasible to sniff and identify keystrokes.


Amazing! This is a very good start for electronic hacking. Yet, not a proactive approach. In the field of information security, usually hot topics rotate across layers. Remember back in the early times when Mitnick hacked by phone calls. Then, comes the era of network hacking when no firewalls were present. After that worm storms exploiting system vulnerabilities. Currently we're living the application nightmare, where SQL injection, cross site scripting, cross site request forgery and session hijacking make the news. Black Hat DC 2009 conference had some presentations that can be considered to be electronic hacking. I think that this trend is going to grow. Application vulnerabilities are not going to go away any time soon. But this, this is big. I think electronic hacking era is going to be overlapping with the application vulnerabilities resulting in a security nightmare!

1 comment:

  1. As far as i know the sniffing of sounds of keyboard strikes is being practically used for maybe 5 years now

    ReplyDelete