Published Date: 2016-02-16
Postmortem Analysis | |
---|---|
Timeline | 1. The software failure incident (the AirHopper demonstration) was reported in November 2014 [31764, 31501]. |
System | 1. Lenovo 3000 N20 laptop 2. Samsung Galaxy S3 3. Air-gapped machines 4. GnuPG encryption software 5. FM radio receivers in mobile phones 6. Computer graphics card generating FM radio signals 7. Air-gap network security measure |
Responsible Organization | 1. Researchers from Ben Gurion University in Israel [40727, 31764, 31501] |
Impacted Organization | 1. Employees at places such as nuclear power plants [40727] 2. Companies storing sensitive data on air-gapped computers [31764, 31501] |
Software Causes | 1. Malware running on the isolated computer drove its graphics card to emit FM-band radio signals, which a nearby mobile phone with an FM receiver picked up; the absence of any network connection did nothing to stop this [31501, 31764]. 2. The resulting covert channel let the malware siphon passwords and other data out of the infected computer without using any interface that ordinary security instrumentation monitors [31764]. 3. The method, named AirHopper, encodes textual data such as keystrokes with Audio Frequency-Shift Keying (A-FSK) for the hop to the phone, from where it can be forwarded to an attacker's command-and-control server [31764]. |
Non-software Causes | 1. In the GnuPG case, the laptop's electromagnetic emissions were picked up by a mobile phone in a nearby room and leaked information about an encryption key [40727]. 2. In the AirHopper case, the FM-band radio signals generated by the graphics card carried keystrokes to a nearby mobile phone equipped to receive radio signals [31501]. |
Impacts | 1. Data was stolen from a laptop with no internet connection using a mobile phone in a nearby room, showing that an air gap alone does not close a radio-frequency exit path from the machine [40727, 31764, 31501]. 2. The demonstrations called into question how much protection air-gap networks give to sensitive data and showed that new protective measures are needed [31501]. 3. Even highly secure computers isolated from the internet can be compromised through the electromagnetic radiation they emit, which poses a significant risk to data security [40727, 31764]. 4. Because the technique is within reach of individuals or organisations with malicious intent, the findings prompted discussion of how to mitigate the newly presented risk [31501]. |
Preventions | 1. Restricting physical access to the air-gapped machine so that only authorised personnel can interact with it, since the attacks need malware on the machine or a receiver nearby [40727, 31764, 31501]. 2. Regularly auditing the air-gapped machine for unauthorised software installations or suspicious activity that could indicate an implant [40727, 31764, 31501]. 3. Training employees on the risk of bringing personal devices such as mobile phones into areas where air-gapped machines are kept [40727, 31764, 31501]. 4. Deploying countermeasures that detect and block data transmission over unconventional channels such as radio signals, for example by monitoring the radio spectrum around the machine for carriers that should not be there [40727, 31764, 31501]. |
Fixes | 1. Implementing the countermeasures described in the research paper by the Ben Gurion University team to prevent similar attacks [40727]. 2. Developing new protective measures that shield air-gapped machines from attacks like AirHopper, as the Ben-Gurion University computer scientists suggested [31501]. 3. Finding mitigation strategies for the newly presented risk of extracting data from air-gapped machines over radio, as Dudu Mimran, chief technology officer of the cyber security labs at Ben-Gurion University, urged [31501]. 4. Continuing research into the weaknesses of air-gapped systems that techniques like AirHopper expose, as the Ben Gurion University researchers emphasised [31764]. |
References | 1. Cyber Security Labs at Ben Gurion University [40727, 31764, 31501] 2. Dudu Mimran, Chief Technology Officer at the Israeli lab behind the research [31764, 31501] 3. Mordechai Guri, Gabi Kedma, Assaf Kachlon and Yuval Elovici, Ben Gurion University [31764] 4. Ars Technica [31501] 5. German computer scientists [31501] 6. US National Security Agency (NSA) [31764] 7. Werner Koch, lead developer of GnuPG [40727] |
Category | Option | Rationale |
---|---|---|
Recurring | one_organization, multiple_organization | (a) Researchers at Ben-Gurion University in Israel have repeatedly demonstrated ways to pull data off air-gapped machines with radio signals and mobile phones, AirHopper among them, so the same organisation has produced this class of incident more than once [31501]. (b) The NSA is reported to have used comparable radio-based methods for at least six years to siphon data from air-gapped machines in countries such as China, Russia and Iran [31764]. |
Phase (Design/Operation) | design, operation | (a) design: Ben-Gurion University researchers designed the AirHopper method, in which malware on an isolated machine turns the graphics card into an FM transmitter and a nearby mobile phone with an FM receiver collects the signal; the weakness lies in how the hardware and software were designed, not in how they were operated [31764, 31501]. (b) operation: in operation, the malware on an infected computer siphons passwords and other data as the machine is used, encoding identifiers, keystrokes and notifications as audio-frequency tones with Audio Frequency-Shift Keying (A-FSK) for the hop to the phone [31764]. |
Boundary (Internal/External) | within_system, outside_system | (a) within_system: the leak starts inside the air-gapped machine. Malware on the host drives the graphics card to generate FM radio signals that encode keystrokes, so the machine itself is the transmitter [31501]; even a highly secure, isolated computer is compromised through the behaviour of its own components. (b) outside_system: the receiver is outside the system, a mobile phone equipped to receive radio signals, and the radio path bypasses the physical isolation of the air-gap network; an external device in the vicinity becomes the exfiltration vector [31764]. |
Nature (Human/Non-human) | non-human_actions, human_actions | (a) non-human_actions: the physical leak needs no operator. The graphics card emits FM radio signals when driven, and the laptop emits electromagnetic radiation as it works; both can be picked up by a nearby mobile phone equipped to receive radio signals [40727, 31764, 31501]. AirHopper uses this emission to siphon passwords and other data from infected computers [31764], a technique for extracting data from isolated machines that bypasses traditional security measures [31764]. (b) human_actions: the channel is only opened by people. The researchers wrote malware that logs keystrokes and transmits them over FM, installed it and ran the experiments that showed an attacker could do the same [31501]; in a real attack an adversary must first get the malware onto the machine and a receiver nearby. |
Dimension (Hardware/Software) | hardware, software | (a) hardware: the exit path is physical. A laptop's electromagnetic emissions, intercepted by a nearby mobile phone, gave away information about an encryption key, and a graphics card's FM-band emissions carried data out of an isolated machine; the hardware radiates whether or not anyone intended it to [40727, 31764, 31501]. (b) software: the AirHopper case depends on malware that logs keystrokes and deliberately modulates the graphics card's output so that the emitted FM signal carries them to a nearby phone [31764, 31501]; the software turns an incidental emission into a usable channel. |
Objective (Malicious/Non-malicious) | malicious | (a) malicious: the technique exists to steal data. AirHopper lets hackers and spies surreptitiously siphon passwords and other data from infected computers to a mobile phone over radio signals generated by the computer [31764]; it builds on earlier research showing that a computer's video card can be made to generate radio signals a mobile phone can receive [31764], and the researchers showed that an attacker could collect data from air-gapped devices this way [31501]. (b) non-malicious: the incidents themselves were controlled experiments by 'white hat' researchers looking for security flaws in order to fix them [40727]; in the GnuPG case they worked with the lead developer of GnuPG on countermeasures so that others could not use their techniques [40727]. |
Intent (Poor/Accidental Decisions) | unknown | (a) No poor decision is identified: the incident was a deliberately engineered attack, AirHopper, in which malware generates radio signals from the computer that a mobile phone receives and decodes, siphoning passwords and other data from infected machines [31764, 31501]; the data rides on audio-frequency tones using Audio Frequency-Shift Keying (A-FSK) [31764]. (b) Nor was it accidental: the researchers set out to show that air-gapped machines can be breached this way, wrote malware whose radio emissions an FM receiver in a mobile phone can decode, and used the result to argue that new protective measures are needed [31764, 31501]. |
Capability (Incompetence/Accidental) | accidental | (a) The articles do not attribute the incident to development incompetence. (b) The weakness is a side effect rather than a mistake anyone made: the hardware of air-gapped machines radiates, and Ben Gurion University researchers showed through deliberate experiments that malware can exploit that radiation, transmitting keystrokes as FM radio signals from the graphics card to a nearby mobile phone equipped to receive them [40727, 31764, 31501]. The finding raises concern that malicious actors could exploit the same property [31764]. |
Duration | temporary | The failure is temporary: AirHopper, developed by researchers at Ben-Gurion University in Israel, only leaks data while malware on the machine is driving the graphics card to emit FM radio signals and a suitably equipped mobile phone is within range [31764, 31501]; remove the malware or the receiver and the channel closes. The isolation is not permanently broken for every machine and circumstance. |
Behaviour | omission, value, other | (a) crash: not reported. (b) omission: the air gap omitted its intended function of keeping data on the isolated machine, and hackers could steal data from machines that were supposed to be cut off from the internet [31764, 31501]. (c) timing: not reported. (d) value: the system performed incorrectly by delivering sensitive data to an unauthorised receiver instead of keeping it confined [31764, 31501]. (e) byzantine: not reported. (f) other: the machine emitted electromagnetic radiation that a nearby mobile phone could intercept, a behaviour outside the system's specified interfaces that led to data theft from supposedly secure air-gapped machines [40727, 31764, 31501]. |
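
The Audio Frequency-Shift Keying encoding named in the Software Causes and Phase rows above, as an added example that is not code from the AirHopper researchers or from any cited article: a toy two-tone modem in pure Python. It models only the bit-encoding layer the page describes, how a keystroke string becomes a stream of two tones, how a receiver with a simple spectral filter (a Goertzel bin per tone) turns the tones back into text even after noise is added, and how the same filter can serve the monitoring countermeasure listed under Preventions by flagging bit slots dominated by a two-tone carrier. The tone frequencies, baud rate, lack of framing, noise level and the sample payload are this example's assumptions, not AirHopper's parameters.

```python
"""Toy A-FSK modem plus a tone-activity check.

Added example; not the AirHopper code.  Sample rate, baud, the two tone
frequencies and the 0.3 detection threshold are assumptions chosen so the
maths is exact, not values from the research.  Standard library only.
"""
import math
import random

SAMPLE_RATE = 8000                     # samples per second (assumed)
BAUD = 100                             # bits per second (assumed)
SAMPLES_PER_BIT = SAMPLE_RATE // BAUD  # 80 samples per bit slot
MARK_HZ = 1200                         # tone for bit 1 (assumed, Bell-202-like)
SPACE_HZ = 2200                        # tone for bit 0 (assumed)
# Both tones are multiples of BAUD, so a bit slot holds whole cycles and
# the Goertzel bins below see no spectral leakage from the other tone.


def text_to_bits(text):
    """UTF-8 bytes, most significant bit first."""
    return [(byte >> i) & 1 for byte in text.encode("utf-8") for i in range(7, -1, -1)]


def bits_to_text(bits):
    """Inverse of text_to_bits; a trailing partial byte is dropped."""
    data = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        data.append(byte)
    return data.decode("utf-8", errors="replace")


def modulate(text):
    """One tone per bit; phase runs on across bit boundaries (no clicks)."""
    samples, phase = [], 0.0
    for bit in text_to_bits(text):
        step = 2 * math.pi * (MARK_HZ if bit else SPACE_HZ) / SAMPLE_RATE
        for _ in range(SAMPLES_PER_BIT):
            samples.append(math.sin(phase))
            phase += step
    return samples


def goertzel_power(chunk, freq_hz):
    """|X[k]|^2 at the DFT bin nearest freq_hz, without a full FFT."""
    n = len(chunk)
    k = round(n * freq_hz / SAMPLE_RATE)
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in chunk:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def _slots(samples):
    for start in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        yield samples[start:start + SAMPLES_PER_BIT]


def demodulate(samples):
    """Per bit slot, whichever tone carries more energy decides the bit."""
    bits = [1 if goertzel_power(s, MARK_HZ) > goertzel_power(s, SPACE_HZ) else 0
            for s in _slots(samples)]
    return bits_to_text(bits)


def add_noise(samples, sigma, seed=7):
    """Deterministic white Gaussian noise standing in for a poor RF path."""
    rng = random.Random(seed)
    return [x + rng.gauss(0.0, sigma) for x in samples]


def tone_fraction(samples):
    """Share of bit slots dominated by one of the two A-FSK tones.

    For a pure tone filling a slot, |X[k]|^2 / (energy * n/2) is exactly 1;
    for white noise it averages 2/n.  A spectrum monitor can use this ratio
    to flag a narrowband two-tone carrier where none should exist.
    """
    dominated = total = 0
    for s in _slots(samples):
        total += 1
        energy = sum(x * x for x in s)
        if energy == 0:
            continue
        peak = max(goertzel_power(s, MARK_HZ), goertzel_power(s, SPACE_HZ))
        if peak / (energy * len(s) / 2) > 0.3:
            dominated += 1
    return dominated / total if total else 0.0


if __name__ == "__main__":
    secret = "PASSWD=hunter2"          # constructed sample keystrokes
    air = add_noise(modulate(secret), sigma=0.7)   # noise power about equal to the tone
    print(demodulate(air))             # PASSWD=hunter2
    print(tone_fraction(air), tone_fraction(add_noise([0.0] * 8000, 0.7)))
```

Each bit slot is 80 samples, so the Goertzel filter integrates 12 or 22 full cycles and gains roughly 16 dB over the per-sample noise; that is why the decode survives noise whose power matches the tone's. The same integration is what makes `tone_fraction` a cheap detector: silence or noise gives a ratio near 0.025, a carrier gives a ratio near 1, and nothing in between is needed to tell them apart.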
Layer | Option | Rationale |
---|---|---|
Perception | None | None |
Communication | None | None |
Application | None | None |
Category | Option | Rationale |
---|---|---|
Consequence | property, theoretical_consequence | (d) property: data was impacted. AirHopper, developed by researchers at Ben-Gurion University in Israel, let an attacker steal sensitive data from air-gapped machines with radio signals and a mobile phone, exposing information on computers that were deliberately kept off the internet [40727, 31764, 31501]. The stolen data included encryption-key material and other sensitive information. theoretical_consequence: the incidents were research demonstrations, so the harm to real organisations is potential rather than observed. |
Domain | information | (a) information: the failed system concerned data security and encryption [40727, 31764, 31501]. (b)-(m) No other listed industry (transportation, natural resources, sales, construction, manufacturing, utilities, finance, knowledge, health, entertainment, government, other) is directly discussed; nuclear power plants are mentioned only as an example of where air-gapped machines are found [40727]. |
Article ID: 40727
Article ID: 31764
Article ID: 31501