Author Topic: Exploits And Mitigation  (Read 168 times)


MaxPower

  • KMST
  • Posts: 73
  • Karma: 15
  • Release the Kraken
Re: Exploits And Mitigation
« Reply #15 on: September 12, 2018, 03:54:10 PM »
any electrically conductive material can be used as an antenna. however the antenna length must be tuned to match the desired radio frequency. you *could* use a paperclip as a tv antenna. you won't pick up many (possibly 0) tv stations. this is because the length of the antenna must match the frequency (or a quarter of said frequency) of the radio wave you want to transmit/receive, or (remote) reception will be degraded. and yes, television uses radio waves.
usually antennas are designed to transmit/receive (well, not so much transmit) a range of frequencies, such as fm radio, am radio, uhf tv, etc.

a metal heatsink doesn't match any frequency, mainly because they are designed to dissipate heat, not transmit/receive. thus any transmissions will be of poor quality at best. and when encased in a solid metal case (a standard desktop pc for example) it is further degraded or blocked entirely because the case becomes a (poor) faraday cage. the new glass cases tend to let radio waves through.
furthermore tempest monitoring* may (further) drown out any transmissions from said heatsink.
modern LCD screens have cut down significantly on tempest monitoring due to much lower power requirements and therefore less transmit power than older crt monitors. while still possible, tempest monitoring may only extend a few tens of feet from the monitor, instead of 100 or so for crt monitors.

*tempest monitoring is when a person picks up emissions from your monitor, and reconstructs those to see what you are doing on your monitor. arguably it can include monitoring any emissions from your computer.
see here for more info.
I have used a paper clip and a short jumper clipped wire many times for a satisfactory TV antenna. Local reception was just about as good as the old trusty rabbit ear antennas. I always get a laugh when I see commercials for the Magic TV Key and other similar products which are nothing more than a simple indoor antenna marketed to make it sound like you will get a ton of extra channels "for free" only with their magic device.

Many years ago, I remember working on computers that were Tempest rated. Otrona made a "portable" Tempest computer that was time consuming to work on due to all the extra shielding and a ton of screws that had to be removed. A nice but expensive computer used primarily by the military.

Just about anything conductive can be used for a receiving antenna as reception is more forgiving. Transmitting is another story as efficiency and effectiveness is determined by proper design...

Whistler

  • KDWN
  • Posts: 236
  • Karma: 77
  • We call ourselves the Nightstalkers...
Re: Exploits And Mitigation
« Reply #16 on: September 13, 2018, 07:09:52 PM »
Quote
any electrically conductive material can be used as a antenna. however the antenna length must be tuned to match the desired radio frequency.

Ding, Ding, Ding, - Give this man a cigar !   ;)
(Would you settle for a +1 instead ?)   ;D

Thanks for the excellent lead in.
Okay - pull out your calculator, let's figure this out.



For an example, we'll be using a laptop from - oh, I don't know, 2004. This example laptop might be a Toshiba M-55 Satellite w/ a susceptible Pentium 4M (mobile) cpu running at 2.0 GHz (max cpu freq.)
This lappy is built from molded plastic - except for the back of the lid - which is aluminum. (No Faraday cage effect for the cpu.)
Wifi in 2004 (and still) operates in the 2.4 GHz range.

The first thing to know about antennas is:
There is an inverse relationship between frequency and wavelength: the lower the frequency, the longer the wavelength; the higher the frequency, the shorter the wavelength.

So how do you figure antenna length for one full wavelength of 2.4 GHz ? (This goes for any frequency you want an antenna length for.)
Divide the speed of light in meters, ((Damn Brits... ;) ) ...which is the speed radio signals propagate at,) by the frequency.
c / f = one full wavelength for the target frequency - in meters.

Speed of light in meters: 299,792,458
Freq (cycles per second): 2.4 GHz = 2,400,000,000
Which comes out to: 0.124913524 meters,
or 12.491 Centimeters
Converting to inches, we get 4.9177165", approximately 4 and 59/64 inches.
That's just shy of 5" (actually, right between 4-7/8 and 4-15/16")
Think we can stuff that in a laptop ?  ;) (Heh, heh, heh)
(I actually thought about tearing mine down again to get an accurate measurement on the heatpipe (the copper section) from the cpu to the cooling fins the fan blows through, but a picture will do.)

K000032240 TOSHIBA SATELLITE M55 HEATSINK SERIES "GRADE A"


The length of my cooling fins are approximately 2.4 inches.
That means that if the heatpipe was used for an antenna, it would be right in the ballpark for 2.4 GHz.
As far as I'm concerned, yeah, it can easily be used as an antenna.

As far as cpu coolers in desktops ?
It's actually possible they could act like a YAGI antenna
Scope this out...
What we have here is known as a BiQuad wifi antenna, designed for 2.4 & 5 GHz (Hence the different sized plates.)

From: https://www.kickstarter.com/projects/1096577862/the-biquad-yagi-antenna-for-wifi-and-fpv

They are right around the size of the larger CPU coolers like the MegaHalems.

Granted, these antennas have to be precise in their measurements and spacing, so it's doubtful the coolers would work as antennas, but, most MoBos are mounted on the side panel of the desktop case, which would make a perfect YAGI antenna (for just one direction.)  ;)


Quote
usually antennas are designed to transmit/receive (well not so much transmit) a range of frequencies, such as fm radio, am radio, uhf tv , etc.
Yup, That's why if you wanted to build an AM loop to pick up the entire AM spectrum from 540 KHz to 1700 KHz (1.7 MHz,) you would shoot for the center frequency of 1120 KHz.
((1700 - 540) / 2) + 540 == 1120
Broadcast antennas are a whole different ballgame. You need to consider impedance matching, resistance, grounding, reduction baluns, antenna height, polarization, etc., etc., etc.
c / f ==
299,792,458 / 1,120,000 == 267.67 meters
Convert.
878.18' is one full wavelength for 1120 KHz
Then make your antenna length 1/4 wave of 878.18'
or
219.5' ( or 219'6") - total length of wire for a 1/4 wave loop.
Gauge of the wire, spacings between turns, winding style (spiral, box, spider,) and size of the loop all make a difference in the nulling and distance of the stations you can pick up.
It's a fun project for DIY'ers, and there's plenty of info on the net .  ;)

Quote
furthermore tempest monitoring* may (further) drown out any transmissions from said heatsink.

How so ?
TEMPEST (a.k.a. Van Eck Phreaking) monitoring is generally passive reconnaissance. What I mean by that is; the target is not being zapped by any electro-magnetics the attacker is putting out. The attacker is reading and interpreting the target's electro-magnetic emanations.
This article explains it better than I can.
http://www.surasoft.com/articles/tempest.php

Oh, and I really like this one - they apply TEMPEST mitigation to their website - LOL. (See if you can pick up on it.  ;)  )
https://www.hertzsystems.com/en/product/tempest-equipment/

Quote
modern LCD screen have cut down significantly on tempest monitoring due to much lower power requirements...
Don't be getting slack on me, WR250. (Tsk, tsk.)  ;)
(Just kidding.)

The cables going to those LCDs and metal hinges in laptops make TEMPEST attacks still viable. It's still (as of 2007,) up to 75' with the right target.  Funny how there's no newer information on this in Public Domain. (I smell a R.A.T.)  ;)  ;D
http://web.archive.org/web/20180312095201/https://www.newscientist.com/blog/technology/2007/04/seeing-through-walls.html
https://www.engadget.com/2007/04/21/laptops-and-flat-panels-also-vulnerable-to-van-eck-eavesdropping/


Big D. even had his communications TEMPEST hardened.   
https://electrospaces.blogspot.com/2017/11/trumps-communications-equipment-outside.html

So yeah, I have to disagree with you on these points. 
 
It is kind of a specialist area. Anti TEMPEST, Van Eck, whatever you want to call it, technologies were actually being developed in the last days of WWII by the Army.  ;)

Here's some info on covert channels :  https://hackaday.com/2017/02/02/hacking-the-aether/

And a good Sci-Fi book to read (if you haven't already,) is the Cryptonomicon by Neal Stephenson.
https://archive.org/details/cryptonomicon00neal

    ;)      :)
Bloodsuckers, trolls and shills,       ...Beware !
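The two calculations in the post above (full wavelength at 2.4 GHz, and the centre frequency and quarter-wave length for the AM broadcast band) are both instances of lambda = c / f. The script below is an added example, not code posted by anyone in this thread: it carries that arithmetic through and also inverts it, taking a conductor length (such as the estimated 2.4-inch heatpipe) and reporting which bands it would be a full, half or quarter wave in. The band table with its edges is my own assumption for the example, not something the thread states.

```python
"""Antenna-length arithmetic behind the heatpipe-as-antenna argument.

Added example for this thread, not code posted by any participant.
The band table below is an assumption (commonly cited band edges),
not something stated in the thread.
"""

C_M_PER_S = 299_792_458.0   # speed of light; radio waves propagate at c in free space
INCH_M = 0.0254             # 1 inch is exactly 0.0254 m
FOOT_M = 0.3048             # 1 foot is exactly 0.3048 m

# Fractions of a wavelength at which a straight conductor is resonant.
RESONANT_FRACTIONS = {"full": 1.0, "half": 0.5, "quarter": 0.25}

# Constructed band table (assumption): low and high edge in Hz.
BANDS = {
    "AM broadcast": (540e3, 1.7e6),
    "FM broadcast": (88e6, 108e6),
    "Wi-Fi 2.4 GHz": (2.4e9, 2.4835e9),
    "Wi-Fi 5 GHz": (5.15e9, 5.85e9),
}


def wavelength_m(freq_hz: float) -> float:
    """One full wavelength in metres: lambda = c / f."""
    return C_M_PER_S / freq_hz


def antenna_lengths_m(freq_hz: float) -> dict:
    """Full-, half- and quarter-wave lengths in metres for a frequency."""
    lam = wavelength_m(freq_hz)
    return {name: lam * frac for name, frac in RESONANT_FRACTIONS.items()}


def band_center_hz(low_hz: float, high_hz: float) -> float:
    """Centre frequency of a band, the design target for a wideband loop."""
    return (low_hz + high_hz) / 2.0


def resonant_frequencies_hz(length_m: float) -> dict:
    """Invert the problem: the frequencies at which a conductor of the given
    length is a full, half or quarter wave (f = c * fraction / L)."""
    return {name: C_M_PER_S * frac / length_m
            for name, frac in RESONANT_FRACTIONS.items()}


def bands_hit(length_m: float, tolerance: float = 0.05) -> list:
    """Bands that a conductor of this length lands in (edges widened by
    `tolerance`) for any resonant fraction. Returns (fraction, band, f_hz)."""
    hits = []
    for frac_name, f_hz in resonant_frequencies_hz(length_m).items():
        for band, (lo, hi) in BANDS.items():
            if lo * (1 - tolerance) <= f_hz <= hi * (1 + tolerance):
                hits.append((frac_name, band, f_hz))
    return hits


if __name__ == "__main__":
    for name, metres in antenna_lengths_m(2.4e9).items():
        print(f"2.4 GHz {name:8s} wave: {metres*100:6.2f} cm = {metres/INCH_M:5.2f} in")
    am_centre = band_center_hz(*BANDS["AM broadcast"])
    print(f"AM centre {am_centre/1e3:.0f} kHz, quarter wave "
          f"{antenna_lengths_m(am_centre)['quarter']/FOOT_M:.1f} ft")
    # The heatpipe length estimated in the post above: about 2.4 inches.
    for frac, band, f_hz in bands_hit(2.4 * INCH_M):
        print(f"2.4 in conductor is a {frac} wave at {f_hz/1e9:.3f} GHz ({band})")
```

Running it reproduces the 12.49 cm figure for 2.4 GHz and the 1120 kHz / 219.5 ft quarter-wave figures for AM, and shows that a 2.4-inch conductor is close to a half wave at 2.4 GHz and a full wave just below the 5 GHz band. The length match is a necessary condition only: it says nothing about how well the conductor is driven, matched or shielded, which is what the rest of the thread argues about.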

wr250

  • Drone Pilot
  • Posts: 530
  • Karma: 197
  • tux the magic penguin
    • https://mastodon.social/@wr250
Re: Exploits And Mitigation
« Reply #17 on: September 15, 2018, 04:58:48 AM »
Quote
Quote
furthermore tempest monitoring* may (further) drown out any transmissions from said heatsink.

How so ?
the same way jamming radio signals works. the more extraneous radio noise tossed out there, the harder it is to sort out what you're looking for.
as i understood your "heatsink as an antenna" theory, it is passive reconnaissance, just like tempest monitoring.
additionally thermal paste (what intel and most manufacturers use) is non electrically conductive, forming a barrier to what you are describing, thus weakening the effect.
on recent (core2/i series/pentium/celeron) intel processors (and many amd,but not all) there is thermal paste between the silicon die and the (glued on) heat spreader on the chip. then another layer of thermal paste between the heat spreader and the cpu cooling device.
therefore i do not think this is a valid attack for anything other than govt agencies with more money than brains to carry out. and why would they do that when so many (un)known flaws exist to get information that are far easier to do? or when people actually volunteer said info (farcebook, tweeter, etc)

additionally tempest attacks on crt monitors could be carried out several hundred feet away from the target. lcd monitors use less power and therefore have less "broadcasting" capabilities. no matter how you factor things, more distance in receivable radio emissions requires 1 of 2 things.
1. a larger receiving antenna ( i dont see anyone carrying around a 40' dish to tempest monitor)
2. more transmit power.
i can haz  a social media.
https://mastodon.social/@wr250

Whistler

  • KDWN
  • Posts: 236
  • Karma: 77
  • We call ourselves the Nightstalkers...
Re: Exploits And Mitigation
« Reply #18 on: September 15, 2018, 05:55:35 AM »
Quote
additionally thermal paste (what intel and most manufacturers use) is non electrically conductive...


" - some companies use silver, aluminum, ceramic, and diamonds which are ground to a very fine powder and mixed with the bonding compound. The final mixture of the thermal paste is often kept as a secret recipe."

From:
https://www.ekwb.com/blog/thermal-compound-guide/

I'm kind of rushed for time right now, so I didn't check out what the major manufacturers use as standard, But, silver is electrically conductive, Diamonds are generally not - there are exceptions.
https://www.thoughtco.com/diamond-a-conductor-607583

"   After 21 seconds of research, I learnt that it depends on the type of diamond. The range of resistance is pretty high, some are very resistant while some are very conductive. It depends on their constitution (since diamonds are not all the same).   "

https://www.quora.com/Is-diamond-electrically-conductive

(In a pinch, (automotive) Anti-Seize makes a (cheap, and) fairly decent thermal paste.)
Yes, I've used it on an old - and very hot - AMD dual-core setup from 2005 and it dropped the cpu temps from 100 C (boiling) to approximately mid 50's C.  ;)

BUT, you are forgetting something; the cpu is electrically grounded to the cooler through the cooler mounting screws. ;)

Quote
additionally tempest attacks on crt monitors could be carried out several hundred feet away from the target. lcd monitors use less power and therefore have less "broadcasting" capabilities. no matter how you factor things , more distance in receivable radio emissions required 1 of 2 things.
1. a larger receiving antenna ( i dont see anyone carrying around a 40' dish to tempest monitor)
LOL - neither do I.  :) :D  ;D
(Smart ass)  ;)
Quote
2. more transmit power.

Don't forget about unshielded transmissions from the cables going to the monitor, plus the keyboards and mice.  ;)

https://www.allaboutcircuits.com/news/hackers-device-electromagemissions-side-channel-attacks-cybersecurity/

http://www.cialfor.com/2016/04/21/van-eck-phreaking-a-hack-using-eradiations/

(There's more than one way to skin a cat.)
(Sorry Spookcat - :D - just a figure of speech)   ;)


Add to that the general insecurity of wireless keyboards and mice. (Different attack, but still highly effective.)
https://threatpost.com/mousejack-attacks-abuse-vulnerable-wireless-keyboard-mouse-dongles/116402/

So, I still have to disagree with you.
(This is getting some good info out there though.)  ;)

wr250

  • Drone Pilot
  • Posts: 530
  • Karma: 197
  • tux the magic penguin
    • https://mastodon.social/@wr250
Re: Exploits And Mitigation
« Reply #19 on: September 15, 2018, 06:17:16 AM »
Quote
" - some companies use silver, aluminum, ceramic, and diamonds which are ground to a very fine powder and mixed with the bonding compound. The final mixture of the thermal paste is often kept as a secret recipe."

From:
https://www.ekwb.com/blog/thermal-compound-guide/
from what I've seen in 30 years of building computers, the thermal paste used by OEMs is shit. it's not in the interests of an OEM to take the chance of over application of an electrically conductive paste to short something out.
arctic silver has silver in it. arctic silver claims it's electrically non conductive.
http://www.arcticsilver.com/as5.htm

Quote
BUT, you are forgetting something; the cpu is electrically grounded to the cooler through the cooler mounting screws. ;)

consumer intel cpus use a plastic mounting system. many amd processors do as well. however there are some that bolt to a metal backplate which is shielded with plastic/rubber to prevent shorting the board.
server processors usually use a metal backplate, which has the rubber/plastic shield on it to prevent shorting the board.
aftermarket heatsinks use the stock intel mounting holes, or the aforementioned metal backplate.
Quote
Add to that the general insecurity of wireless keyboards and mice. (Different attack, but still highly effective.)
https://threatpost.com/mousejack-attacks-abuse-vulnerable-wireless-keyboard-mouse-dongles/116402/

So, I still have to disagree with you.
(This is getting some good info out there though.)  ;)
as far as kb insecurities, nothing beats a hardware inline dongle to intercept keystrokes. but then again, that requires physical access. with physical access, its game over.
intercepting the (usually) unencrypted wireless communications from a kb/mouse is always a possibility.

/*edit*/
i added "electrically" to the arctic silver claim for clarity
