An organisation’s most sensitive information is often stored on ‘air-gapped’ computers, which are physically separated from the internet. The lack of a connection protects them from most external attackers, and even if the machine is infected with malware, the data is difficult to exfiltrate.
An Israeli researcher has demonstrated a new technique for transmitting information out of air-gapped computers, using malware to force LEDs to flash in a pattern that can be picked up by a drone hovering outside the window. Other known methods for exfiltrating information over an air gap include varying fan speeds to produce audio signals, and using USB sticks to send RF emissions. LEDs can transmit information at a much faster rate, however, reaching 4000 bits per second with high quality light detection equipment (corresponding to around an A4 page of text every five seconds).
This attack requires infecting air-gapped machines with specific malware, and can be mitigated by simply covering LEDs with opaque tape. However, it illustrates the potential for emerging technologies, such as drones, to enable compromises. A potential variation on drone-enabled hacking could involve mounting a Wi-Fi access point on a drone, impersonating a corporate Wi-Fi network, and positioning it in an otherwise secure location. Employees connecting to it would expose devices and company data to the attacker. The NCSC recommends that security scanning tools may be useful to detect and locate unauthorised or spoof wireless access points.
SHA-1 Collision: Cryptographic standard undermined
Researchers have successfully manipulated a commonly used cryptographic standard. Google and the Centrum Wiskunde & Informatica (CW) made the widely expected announcement regarding the world’s first SHA-1 collision on 23 February.
SHA-1, or Secure Hash Algorithm 1, is a process that provides a unique digital fingerprint for any set of data, whether that be code, a document or a webpage. Any change to the original data, no matter how small, would produce a change in the SHA-1 identifier. SHA-1 can therefore show if data has been tampered with between creator and end-user making it useful for a broad array of security applications such as HTTPS verification, digital document signing, version control and backing-up systems.
A ‘collision’ of SHA-1 means that two different inputs have given the same output fingerprint, which should be extremely rare. The researchers have been able to manipulate SHA-1 to force a collision 100,000 times more quickly than a brute-force approach.
Given the difficulty and cost involved in creating the collision, it’s likely that applying it, or similar methods, for other inputs would only be feasible for determined and well-resourced actors. It can however be seen as a proof of concept for a potential attack vector in future, as computing power increases and costs decrease.
Hypothetically, an actor could forge a SHA-1 certificate for malign code which they had altered from an original legitimate version. A victim’s computer would see their malicious version as being identical to the verified original.
SHA-1 is already being phased out, and many web browsers will cease support for it in 2017. But its pervasiveness means that the transition will take time, and the risk is only likely to grow in future.