
    xLED: Covert Data Exfiltration from Air-Gapped Networks via Router LEDs

    In this paper we show how attackers can covertly leak data (e.g., encryption keys, passwords and files) from highly secure or air-gapped networks via the row of status LEDs that exists in networking equipment such as LAN switches and routers. Although it is known that some network equipment emanates optical signals correlated with the information being processed by the device ('side-channel'), intentionally controlling the status LEDs to carry any type of data ('covert-channel') has never been studied before. Malicious code is executed on the LAN switch or router, allowing full control of the status LEDs. Sensitive data can be encoded and modulated over the blinking of the LEDs. The generated signals can then be recorded by various types of remote cameras and optical sensors. We provide the technical background on the internal architecture of switches and routers (at both the hardware and software level) which enables this type of attack. We also present amplitude- and frequency-based modulation and encoding schemes, along with a simple transmission protocol. We implement a prototype of an exfiltration malware and discuss its design and implementation. We evaluate this method with a few routers and different types of LEDs. In addition, we test various receivers including remote cameras, security cameras, smartphone cameras, and optical sensors, and also discuss different detection and prevention countermeasures. Our experiment shows that sensitive data can be covertly leaked via the status LEDs of switches and routers at bit rates of 10 bit/sec to more than 1 Kbit/sec per LED.

    Towards a Trustworthy Thin Terminal for Securing Enterprise Networks

    Organizations have many employees that lack the technical knowledge to securely operate their machines. These users may open malicious email attachments/links or install unverified software such as P2P programs. These actions introduce significant risk to an organization's network since they allow attackers to exploit the trust and access given to a client machine. However, system administrators currently lack the control of client machines needed to prevent these security risks. A possible solution to address this issue lies in attestation. With respect to computer science, attestation is the ability of a machine to prove its current state. This capability can be used by client machines to remotely attest to their state, which can be used by other machines in the network when making trust decisions. Previous research in this area has focused on the use of a static root of trust (RoT), requiring the use of a chain of trust over the entire software stack. We would argue this approach is limited in feasibility, because it requires an understanding and evaluation of all the previous states of a machine. With the use of late launch, a dynamic root of trust introduced in the Trusted Platform Module (TPM) v1.2 specification, the required chain of trust is drastically shortened, minimizing the previous states of a machine that must be evaluated. This reduced chain of trust may allow a dynamic RoT to address the limitations of a static RoT. We are implementing a client terminal service that utilizes late launch to attest to its execution. Further, the minimal functional requirements of the service facilitate strong software verification. The goal in designing this service is not to increase the security of the network, but rather to push the functionality, and therefore the security risks and responsibilities, of client machines to the network's servers. In doing so, we create a platform that can more easily be administered by those individuals best equipped to do so, with the expectation that this will lead to better security practices. Through the use of late launch and remote attestation in our terminal service, the system administrators have a strong guarantee that the clients connecting to their system are secure and can therefore focus their efforts on securing the server architecture. This effectively addresses our motivating problem as it forces user actions to occur under the control of system administrators.

    Marine data collection based on embedded system with wired and wireless transmission

    A great interest of boat manufacturers is to improve their products by knowing how the boats are used after sale. In order to gather information about the conditions of usage, a system needs to be developed to collect data from the different marine electronics mounted on the boat. Through this thesis work, we developed such a data collection system for leisure boats that support CAN Bus, the message-based protocol. The data collection system has been developed and installed on a Linux-based embedded system connected to the CAN Bus network through a gateway in our laboratory. Through the data collection system, all data generated from different marine electronics in the network can be captured, filtered, transmitted, displayed and then stored in the system. For data transmission and access, we have implemented three methods over wired or wireless networks, i.e., the fixed Internet, 3G/LTE cellular networks and Wi-Fi networks. Furthermore, the prototype implementation has been extensively tested in both lab and real-life environments.

    Cryptographic Protection of Removable Media with a USB Interface for Secure Workstation for Special Applications, Journal of Telecommunications and Information Technology, 2012, no. 3

    This paper describes one of the essential elements of the Secure Workstation for Special Applications (SWSA): cryptographic protection of removable storage devices with a USB interface. SWSA is a system designed to process data classified into different security domains, in which multilevel security is used. The described method for protecting data on removable Flash RAM protects data against unauthorized access in systems processing data belonging to different security domains (with different classification levels), in which the flow of data must be strictly controlled. Only a user authenticated by the SWSA can use the removable medium in the system, and the data stored on such media can be read only by a user authorized by the SWSA. This solution uses both symmetric and asymmetric encryption algorithms. The following procedures are presented: creating a protected file (encryption), generating signatures for the file, and reading (decrypting) the file. Selected elements of the implementation of the protection system for removable Flash RAM, and the Windows mechanisms used in the implementation, are described.

    Raspberry Pi VPN Travel Router

    Consumers are increasingly relying on public wireless hotspots to access the internet from a growing number of devices. Usage of these hotspots has expanded from just laptops to everything from iPhones to tablets, which are expected to be internet-connected for full functionality. It has become common for one to check if there's an open wireless hotspot connection available at places like coffee shops, hotels, restaurants, or even a doctor's waiting room. The issue that arises is that these public connections present an inherent security risk, as anyone can connect and gain access to the network. For increased security, the use of a Virtual Private Network (VPN) is often recommended while connected to a public network, especially for sensitive data. Individuals can choose from a variety of VPN providers today, but are usually required to download a software client for each of the devices they want to connect to the VPN. My project involves the use of a Raspberry Pi serving as a VPN router to provide secure internet access for connected devices. The Pi is connected to the internet via either a wireless or wired Ethernet interface, and in turn provides a VPN connection through a wireless access point. When a computer or mobile device connects to the Pi, all traffic is routed through the VPN tunnel before reaching the internet. No software client is required for devices to connect, as the Pi handles connecting to the VPN service and all required routing. Any number of devices with different operating systems can utilize the Pi's secure network, as the process is no different from accessing a standard wireless access point.

    Implementation of a Microsoft Windows Embedded Standard system

    Many dedicated-use computer systems sold as complete products require a turn-key design delivered to the customer. This requires a system which is stable, secure, and serviceable. Adaptability of the system to existing software applications is a key consideration for many vendors. This thesis attempts to establish and gather best practices for designing, configuring, and building a Microsoft Windows Embedded Standard 2009 system. An existing real-world system will be used as a case study and example implementation. The end result will be a relatively compact, secure, and efficient Microsoft Windows operating system image to support the target software application.

    Real-time data acquisition, transmission and archival framework

    Most human actions are a direct response to stimuli from the five senses. In the past few decades there has been a growing interest in capturing and storing the information that is obtained from the senses using analog and digital sensors. By storing this data it is possible to further analyze and better understand human perception. While many devices have been created for capturing and storing data, existing software and hardware architectures are aimed towards specialized devices and require expensive high-performance systems. This thesis aims to create a framework that supports capture and monitoring of a variety of sensors and can be scaled to run on low- and high-performance systems such as netbooks, laptops and desktop systems. The proposed architecture was tested using aural and visual sensors due to their availability and higher bandwidth requirements compared to other sensors. Four different portable computing devices with a varied set of hardware capabilities were used for testing. On each of the systems the same suite of tests was run to benchmark and analyze CPU, memory, network, and storage usage statistics. The results showed that on all of these platforms, capturing data from multiple video, audio and other sensor sources was possible in real time. Performance was shown to scale based on several factors, but the most important were CPU architecture, network topology and the data interfaces used.