Zhengxiong Li (University at Buffalo, SUNY), Baicheng Chen (University at Buffalo), Xingyu Chen (University at Buffalo), Huining Li (SUNY University at Buffalo), Chenhan Xu (University at Buffalo, SUNY), Feng Lin (Zhejiang University), Chris Xiaoxuan Lu (University of Edinburgh), Kui Ren (Zhejiang University), Wenyao Xu (SUNY Buffalo)

Covert channels are a method of communication that is used to exfiltrate information from computing devices and break the security policy of computer systems. Any shared resource can be potentially leveraged as a covert channel, and conventional wisdom of cyber-security believes that air-gapped computing devices, disconnected from the Internet, are highly secured. Recent studies show that advanced covert channel attacks using acoustic, thermal, and electromagnetic effects can only work under a limited proximity constraint (e.g., within 2 meters). In this work, we present SpiralSpy, a new covert channel to attack air-gapped computing devices through millimeter-wave (mmWave) sensing technologies. SpiralSpy can be stealthily launched and circumvent strongly isolated computing devices from a practical distance (up to 8 meters). Specifically, we demonstrate that ordinal cooling fans can be leveraged for covert channel attacks. A malicious software inside air-gapped computing devices can saliently encode confidential data into the fan control signals, and modulated status on fan motions can be remotely decoded by a commodity mmWave sensor. SpiralSpy can be adopted on multiple-fan systems and enable a scalable capacity for multi-channel and high-speed information transfer. We evaluate SpiralSpy with 71 computing devices with cooling fans. Experimental results demonstrate that SpiralSpy can achieve up to 6 bps that is 6-24X faster than existing covert channels on air-gapped computing devices. We evaluate the usability and robustness of SpiralSpy under different real-world scenarios. Moreover, we conduct in-depth analysis and discussion on countermeasures for SpiralSpy-based covert channel attacks to improve computer and information security.

View More Papers

Reflections on Artifact Evaluation

Dr. Eric Eide (University of Utah)

Read More

PHYjacking: Physical Input Hijacking for Zero-Permission Authorization Attacks on...

Xianbo Wang (The Chinese University of Hong Kong), Shangcheng Shi (The Chinese University of Hong Kong), Yikang Chen (The Chinese University of Hong Kong), Wing Cheong Lau (The Chinese University of Hong Kong)

Read More

EMS: History-Driven Mutation for Coverage-based Fuzzing

Chenyang Lyu (Zhejiang University), Shouling Ji (Zhejiang University), Xuhong Zhang (Zhejiang University & Zhejiang University NGICS Platform), Hong Liang (Zhejiang University), Binbin Zhao (Georgia Institute of Technology), Kangjie Lu (University of Minnesota), Raheem Beyah (Georgia Institute of Technology)

Read More

GPSKey: GPS based Secret Key Establishment for Intra-Vehicle Environment

Edwin Yang (University of Oklahoma) and Song Fang (University of Oklahoma)

Read More