LANtenna attack reveals Ethernet cable traffic contents • The Register

An Israeli researcher has demonstrated that the radio frequency emissions from LAN cables can be read using an off-the-shelf setup costing $30, potentially opening the door to fully developed cable-sniffing attacks.

Mordechai Guri of Israel's Ben-Gurion University of the Negev described a disarmingly simple technique to The Register: place a simple radio antenna up to four metres from a Category 6A Ethernet cable and use an off-the-shelf software-defined radio (SDR) to listen at around 250 MHz.

“From an engineering point of view, these cables can be used as antennas and used for radio frequency transmission to attack the air gap,” Guri said.

His experimental technique involves slowing UDP transmissions over the target cable to a very low rate and then sending single letters of the alphabet. The cable's emissions can then be captured by the SDR (in Guri's case, both an R820T2-based tuner and a HackRF unit) and converted back into human-readable symbols by a simple algorithm.

Called LANtenna, Guri's technique is an academic proof of concept rather than a full-blown attack that could be deployed today. Nevertheless, the research shows that poorly shielded cables have the potential to leak information that sysadmins may have thought was safe, or otherwise sealed off from the outside world.

He added that the $1 antenna that shipped with his tuner is a major limiting factor, and that specialised antennas could reach "tens of metres" of range.

"We could transmit both text and binary and also achieve faster bitrates," Guri admitted when The Reg asked about the obvious limitations described in his paper [PDF]. "However, due to environmental noise (for example from other cables), the higher transmission speed is rather theoretical and not practical in all scenarios."

An obvious avenue for further research would be eavesdropping on network cables at their full operating speed, with Guri acknowledging that slowing live network traffic to the levels used in his experiment would be impractical. However, his full paper notes: "The transmission of UDP packets does not require higher privileges or interference in the OS routing table. In addition, it is possible to avoid network layer detection by sending raw UDP traffic within other legitimate UDP traffic."
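The paper's point that unprivileged, very slow raw UDP can slip past network-layer controls is as much a detection-engineering problem as an RF one: the traffic is ordinary, but its cadence is not. The following Python script is an added example written for this page; it is not code from Guri's paper or from The Register. It assumes flow records of the form (timestamp, source, destination, protocol, destination port, payload length), as a sensor or IDS might export, and flags UDP streams that are slow, metronomic and made of tiny payloads, the timing signature a symbol-by-symbol modulation would leave. All thresholds, addresses and sample flows are constructed for illustration.

```python
"""Heuristic detector for slow, metronomic UDP streams.

Added example for this article; not from the LANtenna paper or The Register.
Assumes flow records shaped like (ts_seconds, src, dst, proto, dport, payload_len).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Thresholds are assumptions for illustration, not values from the paper.
MIN_PACKETS = 8            # need enough packets to judge the cadence
MIN_MEAN_INTERVAL = 0.25   # seconds; "slow" relative to normal UDP chatter
MAX_JITTER_CV = 0.15       # coefficient of variation of inter-packet gaps
MAX_PAYLOAD = 16           # bytes; one-symbol-per-packet payloads are tiny
EXPECTED_PERIODIC_PORTS = {123}  # NTP polls are legitimately periodic (assumed allowlist)


def _cv(values):
    """Coefficient of variation: population std dev divided by the mean."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def find_metronomic_udp(flows):
    """Return {(src, dst, dport): stats} for UDP streams that look modulated.

    A stream is flagged when it has enough packets, its mean gap is slow,
    the gaps are very regular, and every payload is tiny.
    """
    streams = defaultdict(list)
    for ts, src, dst, proto, dport, plen in flows:
        if proto == "UDP":
            streams[(src, dst, dport)].append((ts, plen))

    hits = {}
    for key, pkts in streams.items():
        if len(pkts) < MIN_PACKETS or key[2] in EXPECTED_PERIODIC_PORTS:
            continue
        pkts.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(pkts, pkts[1:])]
        sizes = [plen for _, plen in pkts]
        stats = {
            "packets": len(pkts),
            "mean_gap": mean(gaps),
            "gap_cv": _cv(gaps),
            "max_payload": max(sizes),
        }
        if (stats["mean_gap"] >= MIN_MEAN_INTERVAL
                and stats["gap_cv"] <= MAX_JITTER_CV
                and stats["max_payload"] <= MAX_PAYLOAD):
            hits[key] = stats
    return hits


def constructed_flows():
    """Constructed sample records: one suspicious stream among ordinary traffic."""
    flows = []
    # Stream A: one 1-byte UDP packet roughly every second, with slight jitter.
    t = 100.0
    flows.append((t, "10.0.0.5", "10.0.0.9", "UDP", 5005, 1))
    for gap in [1.00, 1.02, 0.98, 1.01, 0.99, 1.03, 0.97, 1.00, 1.02, 0.99, 1.00]:
        t += gap
        flows.append((t, "10.0.0.5", "10.0.0.9", "UDP", 5005, 1))
    # Stream B: bursty DNS-like lookups with irregular gaps and varied sizes.
    t = 200.0
    flows.append((t, "10.0.0.7", "10.0.0.53", "UDP", 53, 45))
    for gap, size in [(0.01, 60), (0.3, 52), (0.02, 48), (1.7, 70),
                      (0.05, 44), (0.9, 51), (0.004, 63), (2.2, 49)]:
        t += gap
        flows.append((t, "10.0.0.7", "10.0.0.53", "UDP", 53, size))
    # Stream C: NTP polls every 64 s; periodic, but an expected service.
    for i in range(10):
        flows.append((50.0 + i * 64.0, "10.0.0.7", "10.0.0.123", "UDP", 123, 48))
    # Stream D: TCP traffic, ignored by the UDP heuristic.
    flows.append((100.0, "10.0.0.8", "10.0.0.9", "TCP", 443, 1200))
    return flows


if __name__ == "__main__":
    for key, stats in find_metronomic_udp(constructed_flows()).items():
        print(key, stats)
```

The allowlist for known periodic services is the crude part of this heuristic: NTP polls, keepalives and health checks are all metronomic and will match without it, so in practice the thresholds and exemptions should be learned from a baseline of the segment's normal traffic rather than fixed as above. The point is to hunt for the cadence rather than the content, since the paper's sender needs nothing unusual at the packet level.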

The academic's previous research includes a technique for turning DRAM into a wireless transmitter, part of his work on how air-gapped networks can be bridged.

Professor Alan Woodward of the University of Surrey said: “This shows that even a disconnected Ethernet cable can emit energy that is detectable.”

He added: "The paper is a good piece of work and reminds us that just because you think something is air-gapped, it may actually be on the air. People laughed at the big, cumbersome terminals used in shielded environments, but they came about for a reason: TEMPEST."

TEMPEST, as we reported 20 years ago, was originally a US government scheme to reduce the amount of radio frequency emissions generated by computer equipment. Today it is accepted as a NATO standard, with the UK National Cyber Security Centre maintaining a public web page on it.

"Often," Woodward noted, "modern security systems look for data leaving the network to know they have an intruder. But if it leaves on an unobserved channel (over the air), then it is unlikely to be intercepted by security measures."

We look forward to the next exciting product launch in the infosec industry: a full suite of RF analysis bundled into your SIEM for a low, low subscription fee. ®