Radio sniffing Ethernet LAN cable

The post “LANtenna hack spies on your data from across the room! (Sort of)” reports that Mordechai Guri from the Ben Gurion University of the Negev (BGU) in Israel has recently published a new data exfiltration paper detailing an unexpectedly effective way of sneaking very small amounts of data out of a cabled network without using any obvious sort of interconnection. The paper is entitled LANTENNA: Exfiltrating Data from Air-Gapped Networks via Ethernet Cables, and it’s the latest of many BGU publications in recent years dealing with a tricky problem in cybersecurity (earlier examples include the use of a loudspeaker, caps lock LED, CPU fan and screen color to leak information, and turning DRAM into a form of wireless transmitter).

Now an Israeli researcher has demonstrated that LAN cables’ radio frequency emissions can be read by using a $30 off-the-shelf setup. Mordechai Guri of Israel’s Ben Gurion University of the Negev described the disarmingly simple technique to The Register: it consists of putting an ordinary radio antenna up to four metres from a category 6A Ethernet cable and using an off-the-shelf software-defined radio (SDR) to listen around 250 MHz.

The research paper says:
The computers are equipped with 10/100/1000 Mbps Gigabit Ethernet card. We tested three types of widely used Cat 5e and Cat 6A Ethernet cables listed in Table V. We also tested a laptop computer and an embedded device (Raspberry Pi) to evaluate the attack on these types of devices.

For the reception we used two types of software-defined radio (SDR) receivers, as specified in Table III. The R820T2 RTL-SDR is capable of sampling up to 16bit at narrow band and has RF coverage from 30 MHz to 1.8 GHz or more. The HackRF device has 1 MHz to 6 GHz operating frequency and 8-bit quadrature samples (8-bit I and 8-bit Q)

LANTENNA ATTACK: Leaking Data from Air-Gapped Networks via Ethernet Cables

Ethernet cables emit electromagnetic waves in the frequency bands of 125 MHz and its harmonics (e.g., 250 MHz and 375 MHz). “Ethernet cable emits electromagnetic waves in the frequency bands of 125 MHz. Changing the adapter speed or turning it on and off makes it possible to regulate the electromagnetic radiation and its amplitude,” says Guri. This can potentially open the door to fully developed cable-sniffing attacks because “From an engineering perspective, these cables can be used as antennas and used for RF transmission to attack the air-gap,” said Guri. Sniffing LAN cables can reveal details from network traffic. In one test, data could be transmitted from an air-gapped computer through its Ethernet cable and received 200 cm away.

In the experiment, UDP packets carrying single letters were sent over the target cable at a very low speed and, via a simple algorithm, the received RF signal was turned back into human-readable characters. Nicknamed LANtenna, Guri’s technique is an academic proof of concept and not a fully fledged attack that could be deployed today. Still, RF noise from unshielded LAN cables can be used to leak information from air-gapped networks. The experts explained that air-gapped networks are often wired with Ethernet cables since wireless connections are strictly prohibited to avoid data leaks. But clearly even wired networks can leak information when someone can get near them with SDR hardware.

The researchers proposed several defensive measures that can be adopted against the LANTENNA attack such as:

  • implementing zone separation, banning radio receivers from the area of air-gapped networks;
  • monitoring the network interface card link activity at the user and kernel levels. Any change of the link state should trigger an alert;
  • using RF monitoring hardware equipment to identify anomalies in the LANTENNA frequency bands;
  • blocking the covert channel by jamming the LANTENNA frequency bands;
  • cable shielding.
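
As an added illustration of the link-activity monitoring countermeasure above (not code from the paper or from the original post), the following Python example flags an interface whose link state or speed changes unusually often in a short window. The log line format, the interface name, the threshold and the window are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not captured data); line format assumed, modelled on e1000e-style messages.
SAMPLE_LOG = """\
2021-10-15T09:00:01 kernel: e1000e 0000:00:1f.6 eth0: NIC Link is Up 1000 Mbps Full Duplex
2021-10-15T11:30:00 kernel: e1000e 0000:00:1f.6 eth0: NIC Link is Down
2021-10-15T11:30:04 kernel: e1000e 0000:00:1f.6 eth0: NIC Link is Up 1000 Mbps Full Duplex
2021-10-15T14:00:00 kernel: e1000e 0000:00:1f.6 eth0: NIC Link is Down
2021-10-15T14:00:03 kernel: e1000e 0000:00:1f.6 eth0: NIC Link is Up 100 Mbps Full Duplex
2021-10-15T14:00:06 kernel: e1000e 0000:00:1f.6 eth0: NIC Link is Down
2021-10-15T14:00:09 kernel: e1000e 0000:00:1f.6 eth0: NIC Link is Up 1000 Mbps Full Duplex
2021-10-15T14:00:12 kernel: e1000e 0000:00:1f.6 eth0: NIC Link is Down
2021-10-15T14:00:15 kernel: e1000e 0000:00:1f.6 eth0: NIC Link is Up 100 Mbps Full Duplex
"""

LINK_RE = re.compile(r"^(\S+) kernel: .*?(\w+): NIC Link is (?:Up (\d+) Mbps|(Down))")
def parse(line):
    """Return (timestamp, iface, state) or None; state is 'down' or the speed in Mbps."""
    m = LINK_RE.match(line)
    if not m:
        return None
    ts, iface, speed, down = m.groups()
    return datetime.fromisoformat(ts), iface, "down" if down else int(speed)

def detect_flapping(lines, max_changes=3, window=timedelta(seconds=60)):
    """Alert when an interface changes link state/speed more than max_changes times per window."""
    last = {}                     # iface -> last seen state
    recent = defaultdict(deque)   # iface -> timestamps of recent changes
    alerts = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        ts, iface, state = event
        if iface in last and last[iface] != state:
            q = recent[iface]
            q.append(ts)
            while q and ts - q[0] > window:   # drop changes older than the window
                q.popleft()
            if len(q) > max_changes:
                alerts.append((ts, iface, len(q)))
        last[iface] = state
    return alerts

if __name__ == "__main__":
    for ts, iface, n in detect_flapping(SAMPLE_LOG.splitlines()):
        print(f"ALERT {ts.isoformat()} {iface}: {n} link changes within 60 s")
```

This covers only the modulation that toggles link speed or state; sending UDP packets does not change the link state, so that variant needs traffic or RF monitoring instead.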

Paper:

LANTENNA: Exfiltrating Data from Air-Gapped Networks via Ethernet Cables

Sources:

https://nakedsecurity.sophos.com/2021/10/15/lantenna-hack-spies-on-your-data-from-across-the-room-sort-of/

https://www.theregister.com/2021/10/14/lantenna_ethernet_cable_rf_emissions/

https://securityaffairs.co/wordpress/123008/hacking/lantenna-attack-exfiltration-technique.html

https://www.bankinfosecurity.com/lantenna-attacks-exploit-air-gapped-networks-via-ethernet-cables-a-17688

https://arxiv.org/pdf/2110.00104.pdf

5 Comments

  1. Dev says:

    I’m happy to report that it’s a fascinating article to read. Your essay taught me something new, and I think you’re doing a fantastic job. Keep going.
  2. Tomi Engdahl says:

    https://hackaday.com/2021/10/27/ethernet-cable-turned-into-antenna-to-exploit-air-gapped-computers/

    Good news, everyone! Security researcher [Mordechai Guri] has given us yet another reason to look askance at our computers and wonder who might be sniffing in our private doings.

    This time, your suspicious gaze will settle on the lowly Ethernet cable, which he has used to exfiltrate data across an air gap. The exploit requires almost nothing in the way of fancy hardware — he used both an RTL-SDR dongle and a HackRF to receive the exfiltrated data, and didn’t exactly splurge on the receiving antenna, which was just a random chunk of wire. The attack, dubbed “LANtenna”, does require some software running on the target machine, which modulates the desired data and transmits it over the Ethernet cable using one of two methods: by toggling the speed of the network connection, or by sending raw UDP packets. Either way, an RF signal is radiated by the Ethernet cable, which was easily received and decoded over a distance of at least two meters. The bit rate is low — only a few bits per second — but that may be all a malicious actor needs to achieve their goal.

    https://arxiv.org/pdf/2110.00104.pdf
  3. Tomi Engdahl says:

    Creating Wireless Signals with Ethernet Cable to Steal Data from Air-Gapped Systems
    https://thehackernews.com/2021/10/creating-wireless-signals-with-ethernet.html