Meet NFCdrip – a New Security Concern for Air-Gapped Systems

Air-gapping means physically isolating a secure computer from unsecured networks, such as the public Internet or an unsecured local area network. The concept of air-gapping represents just about the maximum protection one network can have from another, other than actually turning off the device. Typically, military or governmental computer systems, financial computer systems, industrial control systems, and nuclear power plants employ air-gapping as a way to maximize the security of these sensitive systems.

What Is Acceptable Risk?

For sensitive and highly secured systems, simply being connected to a network poses an unacceptable risk. Maintaining a high level of protection against data leaks necessitates an air-gap. However, technology is an ever-changing field, leading to larger attack surfaces. As the attack surface expands, air-gaps become more difficult to maintain.

Exfiltrating sensitive data from sensitive air-gapped systems is serious business, and the Checkmarx security research team spent some time investigating new and unexpected ways to do it. We can demonstrate the exfiltration of sensitive data by abusing vulnerable IoT objects and Android’s NFC design.

A Little Background on NFC

Near field communication (NFC) is a set of protocols that enables two electronic devices to establish communication by bringing them very close – usually within 4 centimeters (that’s 1.5748 inches, or about the width of four pencils laid next to each other). NFC is actually a subset of radio-frequency identification, which you probably know better as RFID.

RFID allows us to identify things through radio waves; a couple of examples include scanning items in the grocery store or luggage in baggage claim. RFID has been used for decades, while NFC was introduced in 2002 and uses a specific RFID frequency, 13.56 MHz.

Using the specific frequency, the NFC-enabled reader and the device pass encrypted information back and forth to complete the payment in just a few seconds. Most of us use NFC regularly – in our identification cards. It gets us into our office buildings and private garages. It’s also used to power something called “contactless” payments – that’s when you just tap, hover or hold up your mobile device to pay for something. We also use NFC for social networking, for sharing contacts, photos, videos or files. Another way we use NFC is for authentication in secure laptops and smartphones.

Examining the Attack Surfaces

Our security research team tried to carry out several attacks on air-gapped systems, and succeeded. All of them are cool, at least from a technical hacking viewpoint, but we think this one is really innovative – what our team dubbed NFCdrip.

Why We’re Calling It NFCdrip

By abusing the way we can configure the NFC radio and changing the polling strategy between different types of NFC, we can induce controllable and noticeable changes in the NFC radio behavior. A malicious application can take advantage of this to exfiltrate data via the NFC frequency, at a distance much greater than previously thought possible, even with cheap, off-the-shelf components: a simple AM radio is enough to receive the signal. With a USB dongle added, we could reliably decode the signal at 40 meters, a 99,900% increase. Visually, that’s the difference between four pencil widths and an Olympic swimming pool.

Don’t Lose Your Data to NFCdrip

Experts assume NFC only works usefully at very short ranges, and security experts generally disregard it as a potential channel for data exfiltration. This research shows that NFC-enabled devices must definitely be on the data-egress point list. They must be taken more seriously when it comes to threat analyses and policies to prevent data exfiltration. Imagination knows no boundaries, and hackers with time, energy and interest will find ways to exfiltrate data from any device that’s turned on.

Stay tuned for more technical updates about this exploit.


Haidee LeClair helps the Checkmarx team share their security research and application security testing and software exposure management expertise worldwide via blogs, social media, PR and more.

*** This is a Security Bloggers Network syndicated blog from Blog – Checkmarx authored by Haidee LeClair. Read the original post at: