Louise Taggart: Hello and welcome to this special bonus episode of The New Realities of Cyber Security podcast series. My name is Louise Taggart and I am a Threat Intelligence Analyst here at PwC. Today I am very happy to say that we are joined by Matt Wixey who works in our Threat & Vulnerability Management Team and he is here to discuss some cutting edge research he has been working on about air gap systems and security. So thank you Matt for joining us today on the podcast, I am very much looking forward to hearing about some of the research you have been doing around air gapping. Could you maybe give us a short intro to yourself? Maybe talk about some of your experience and background before joining PwC.
Matt Wixey: Sure, so I’ve been at PwC for about a year. Prior to that I worked in the Metropolitan Police for eight years, three years of that I led a Technical Research & Development Team in a specialist operations department, so that was looking at cyber security, software development, that kind of thing. Since joining PwC I have worked on the Threat & Vulnerability Management Team (TVM), and we do kind of ethical hacking, red teaming, and I lead the research capability on that team. So part of my role aside from client engagements is trying to look at ways that we can enhance our capabilities, promote the research that we are doing and really try and push the boundaries of cyber security and what that means for our clients.
Louise: How interesting, sounds like you’ve got some interesting projects on your hand there. So what kind of research do you do at a sort of high level?
Matt: So it’s kind of a mixture really, part of it is trying to enhance our red teaming capabilities, so red teaming is when we do a client engagement, we do kind of penetration testing but the client will kind of commission a red team engagement specifically to test out the response capabilities of their SOC (Security Operating Centre), and it may be that kind of only one or two people in that organisation actually know that a red team engagement is going on, and we will start with very limited information about that organisation, perhaps just the name of the company in some cases, we’ll then perform reconnaissance, gather email addresses, we’ll do social engineering attacks and eventually try and get into the network.
So part of my role is to look at ways that we can kind of enhance those capabilities, so part of the research I’ve been doing is like advanced online social engineering to try and get into networks more effectively, and some of it is looking at the malware that we deploy, and we do red team engagements obviously with a contract, legally.
Louise: Of course.
Matt: But it’s looking at how to get past defence mechanisms, so security kind of sandboxes, anti-virus systems, that kind of stuff, and then the other side of it is the experimental research which is kind of what I’m going to talk about today, so it’s the stuff that’s a bit weird and wonderful, it does have some implications for security but it’s kind of less practically used day to day, it’s more for the kind of interest factor of it.
Louise: Oh fascinating, so your team as a whole kind of replicates what the bad guys would do when they’re trying to compromise a system or a company.
Matt: Try to.
Louise: Yeah. Really interesting. So when you’re talking about the more cutting edge and experimental research, what kind of areas do you dabble in?
Matt: So part of the research I’ve been doing recently is around jumping air gaps, so an air gapped network is typically used in clients that have very sensitive information, very sensitive resources, and it’s a means to try and prevent internet based attacks, remote attacks. Essentially you physically isolate a machine or a set of machines from untrusted networks, the biggest untrusted network would be the internet of course, but there might be kind of local Wi-Fi as well and other networks in your corporation, and they would be kind of physically separated so they have got no internet access, typically you can’t write to disk, to DVD or CD or write to USB stick, that kind of thing. You can’t upload information, so if you’re a malicious insider it’s that much more difficult to try and get information out of the network.
Louise: Yeah, OK, and are these air gap systems quite common? Are there specific sectors that tend to use them more?
Matt: It tends to be government sectors. So organisations or agencies that have to deal with protectively marked information, whether that’s kind of a government marking scheme or a proprietary marking scheme, defence contractors will often have them as well. Really any organisation that deals with information that is of really high value.
Louise: Yeah, so it’s a way of keeping it separate and limiting access to it.
Matt: Exactly, absolutely.
Louise: So what kind of research are you doing around this air gap technology?
Matt: So I’ve been concentrating on two aspects, light and sound. So from a light perspective what I’ve been looking at are ambient light sensors on laptops, they are also found on monitors and smartphones and tablets, even smartwatches, and the idea behind an ambient light sensor is quite benign, it’s to automatically adjust the screen brightness depending on the amount of ambient light that hits it, and that’s to reduce eyestrain and save battery power. But what you can do as an attacker is write malware that reads in values from that ambient light sensor and executes particular commands based on the sequence and the values of light, and you can also exfiltrate data with light as well. So the way you would do that might be, kind of, proof of concept malware – it reads in a file, it converts that file down to its basic data and then it makes tiny changes in the screen brightness which you can pick up with a very sensitive light sensor and then reconstruct the data. So there has been research done on this before in terms of smartphones, but as far as I’m aware this is the first proof of concept that’s been used for workstations and laptops.
Louise: Fascinating. So would the malware have to be installed on the air gap system in order for that to work?
Matt: It would yes, so there are some caveats with any research with air gap systems, there are kind of three caveats you have to take into account. The first is that you always assume the machines are already infected, because as researchers the area we want to focus on is jumping the air gap not infecting the system. As someone who has supported red team engagements it’s not kind of a trivial task at the best of times to get malware onto a system, but yeah so that’s the first caveat.
The second caveat would be that the attacker has to have physical or near physical access to the infected machine, and the third caveat is, because you’re looking at natural inputs and outputs through a computer, so heat, noise, light, sound, the kind of exfiltration rate is very slow, so typically you’re not talking about gigabytes’ worth of data, you’re talking about encryption keys, passwords, maybe small images, that kind of thing.
Louise: Small pieces of information …
Matt: Exactly yeah.
Louise: … rather than huge, yeah?
Louise: So are you looking at research in a similar way when it comes to sound vulnerabilities?
Matt: Yes absolutely. So I’ve also developed proof of concept malware that uses near ultrasonic tones to control malware and to exfiltrate data. So the idea behind this is that typically humans can hear between 20 hertz and 20 kilohertz. So to give you an idea of scale, the lowest note on a concert grand piano is 27 hertz so I’m told, and on the other end of the scale bats communicate with each other at about 45 kilohertz. So as humans we can maximum … the kind of maximum range we’ve got is up to 20 kilohertz, in practice it’s about 15 or 16 kilohertz. However, laptops, the kind of standard laptop sound cards can transmit and receive up to 22 kilohertz, so what you can do as an attacker to jump air gaps is to write malware that uses that to transmit tones and receive input from the microphone at kind of say 18/19 kilohertz, beyond the range of human hearing, but fully within the capability of those sound cards. So it essentially means it’s silent.
Louise: Fascinating, so audible to dogs and bats but not to humans?
Louise: Are these techniques being seen in real life attack situations at the moment or is this still sort of in the research?
Matt: That’s a really interesting question, the light one I’m not sure, I haven’t seen any reports of that being used. With sound there are kind of anecdotal reports that this has been used before in the wild to attack a lab, a research lab, but as far as I’m aware that hasn’t been confirmed, but it’s very viable, very easy to do.
Louise: So then is this something that our clients should be worried about or taking into consideration when they are thinking about their own security practices?
Matt: I definitely think it’s an area that they should be aware of at least. Typically attacks against air gap systems are not going to affect all of our clients and all of our customers, but if you do have sensitive data on a system you do have an air gap network, even if you don’t and you have particularly sensitive data it’s something to be aware of that this is a potential technique that hackers can use.
Louise: And is this the kind of attack that could be anticipated or defended against?
Matt: Mitigation would be difficult, not impossible, so with a light attack the best option would be to … well what you would have to do would be somehow disable the ambient light sensor if it’s present, or kind of cover it up. In terms of exfiltration, screen filters would work to kind of mute the changes in screen brightness. With ultrasonic tones there are a couple of things you could do, the easiest would be to just disable the speakers and the microphones on laptops if they are not required, you could also have white noise filters to filter out ultrasonic tones, or you could have some kind of detector that detects ultrasonic sounds.
Louise: And how are we using this research at the moment to help our clients?
Matt: So we’re telling clients about this research, we’re kind of using it as an illustration of the fact that attackers can be very creative, they can go that extra step. It’s not just about attackers running automated tools and scripts, they can use their imagination and come up with very creative ways to bypass security mechanisms.
Louise: Absolutely, and when you’re looking and sort of spending time researching these really cutting edge attacker threats, do you get worried about your own cyber security?
Matt: Yeah, cursed with the burden of knowledge. Yeah you do, you’re kind of very conscious of the different ways that attackers can compromise the system, the length that some attackers will go to. So yeah, it is something that kind of everyone on the ethical hacking team keeps in mind, and we try and convey that to colleagues as well.
Louise: That’s really fascinating. Thank you very much indeed Matt.
Matt: No problem at all.
Louise: So a big thank you to everybody who’s been listening and enjoying our New Realities of Cyber Security podcast series. If you would like to find out more about what we do then feel free to visit us at pwc.co.uk/cybersecurity.