Electromagnetic field vs Cyber Security field

Poles apart?  Not entirely. The inherent issues electromagnetism presents to the cyber security industry and how we can mitigate the risk.

Understanding the cyber security risks from electromagnetic (EM) energy requires an understanding of physics.  I’m no physicist, never studied it past high school, but my natural curiosity got the better of me and led me down an EM rabbit hole.

What’s the issue?

Starting with the basics, the movement of electrons through a medium such as a wire produces frequencies. So if a wire gets hot it will emit infrared radiation.  And here’s the thing, essentially anything on the EM spectrum including the visible range produces frequencies that could be sniffed / intercepted.

IMAGE em-scale.png

EM disruption is something that we have been trying to mitigate pretty much since Michael Faraday first discovered the principle of E shielding back in 1836.  In modern technology, Faraday cages are used in many industries such as military, medical, and telecommunications. Faraday cages are a critical component in technological advancement, providing protection against harmful electrical fields and ensuring the reliable operation of electronic devices.

Faraday cages are commonplace. They are used in cars to protect infotainment systems, some prisons are designed in a particular way to act as a giant faraday cage, and if you can’t get a mobile phone signal in the supermarket it’s because they’re metal prefab buildings, unintentionally acting as Faraday cages. Shoplifters use Faraday bags to smuggle out RFID tagged items, and stolen mobile phone signals can be concealed with a Faraday bag too:

IMAGE em-rf-bag.png

EM shielding is vital in the automotive world and transport in general because of the many electronic systems they use. As technology evolves and the world gets increasingly more connected, this presents some unique challenges to industry.

Electromagnetic interference, also called Radio Frequency (RF) interference can cause these systems to malfunction, disrupting the electronic circuit functions. In the case of a car hurtling down the motorway at 70mph, having technology systems malfunction is clearly problematic. Thankfully properly installed EM shielding helps to protect these systems from this interference and is a consideration during the design, engineering, and manufacturing of vehicles.

How do these risks relate to me?

Again, I feel we need to take a step back and understand the science behind EM (this time even touching on astrophysics – who do I think I am?!). You may well be aware that a solar flare or coronal mass ejection produces radiation across the EM spectrum which can disrupt communications and damage electronic systems here on Earth. This is an example of an EM pulse (EMP), a brief burst of EM energy.

The origin of an EMP can be natural or artificial, other examples of a natural EMPs are lightning strikes and electro-static discharges.

An artificial example… well, without wanting to catastrophise, a nuclear explosion high in the atmosphere would produce an EMP which could cause widespread damage to electronic systems across a vast area.  MITRE published a fascinating  article on this a few years ago.

But although these risks may affect us, they are all risks which  we can’t feasibly do much about.  What about the risks that could affect us that we can mitigate?  The ability to generate EM disruption in a non-nuclear environment is now highly sophisticated, doesn’t cost much, is accessible to many and requires little technical prowess. And it is these manifestations that we should think more carefully about. Portable radios can saturate a local frequency, effectively blocking other signals. This includes the frequencies that car keys work on. So real world attack: prevent someone gaining access/starting their car.

Eavesdropping isn’t new

Where there is competition there is always the possibility that an entity may try to gain an advantage through nefarious means – a good example of this is doping in sport.  In the world of geopolitics, an early example of eavesdropping is The Thing, one of the first examples of a covert listening device.

Fast forward a few decades, in 1985 Dutch computer scientist Wim van Eck published the first unclassified technical analysis of the security risks of emanations from computer monitors.  This attack vector became known as Van Eck radiation interception or ‘phreaking’ and is still a risk today.  Effectively, an eavesdropper can detect and analyse digital signals using equipment that can pick up the EM emissions from a computer screen. The electron current used to produce photons can be intercepted from distance.

If we fast forward again to the current day, new eavesdropping technologies present potential new attack vectors. What was once a technology solely reserved for the military, laser microphone listening devices with a range of ~600m are now available online.  We decided to conduct our own research into this to understand how much one of these would cost, and therefore whether they would be a realistic attack vector, so we reached out to one of the organisations who market these online for a quote.

At a “special discounted price” of $40,000 a pop this isn’t exactly pocket change however this would be a very useful tool for a malicious threat actor with enough of a motive and enough money.

< DEF CON 21 2013 Cheap Software Defined Radio (SDR) https://www.youtube.com/watch?v=ZuNOD3XWp4A>

Do It Yourself

How to build an RF scanner at minimal cost (also requiring minimal technical prowess… see where we are going with this?)

It’s not difficult to find the parts needed to build an RF scanner. Given a clear set of instructions (Google ‘DIY RF scanner’) most of us could build our own RF scanner using parts sold in high street electrical stores for ~£100. Alternatively you could spend a bit more and just buy one. This is an older model but you can pick these up for ~£200:

IMAGE em-rf-analyzer.png

Considering how easy it is to build or buy a scanner this opens us up to a wider array of possible risks. Everything connected has an RF signature, from an RF profiling perspective you could theoretically scan a building from across the street and identify the technology an organisation is using.  Potentially even down to the make and model of each individual part.  A person with nefarious intent could potentially use the scanner to sniff VoIP traffic for example and if they are able to decrypt it – bingo! They’ve got access to potentially some very sensitive information.

Risks we accept and risks we mitigate

For those working in information security, you are likely to already be accustomed to the thinking that everything needs to be measured by risk; likelihood multiplied by impact.

For high-risk environments in which there are real concerns about the impact of an attack, EM / RF assurance is worth exploring.  Increased likelihood (via targeted Nation State attacks / Hacktivists for example) and increased chance of impact (theft of IP or state secrets / intelligence, or even injury/death).

For environments considered lower risk I’d say it is still absolutely worthwhile understanding about EM/RF attacks, however it is fair to say if the environment is considered lower risk this will therefore give you a degree of confidence that this particular attack vector is less likely to affect you, and will be less damaging if it does happen (in comparison to higher risk environments at least – everything is relative!).

Mitigating the threat

TEMPEST is the framework to prevent this type of attack.  In the UK, HMG, HMG customers, and CNI entities can work with NCSC to understand and manage the level of signals emanating from ICT equipment, which may run the risk of unintentionally emitting sensitive data.

For organisations looking to protect classified data, NCSC provide TEMPEST consultancy and testing via approved vendors, along with certification schemes used to assess certifying products and mobile platforms. TEMPEST and EMS services help ensure that appropriate countermeasures are in place to mitigate this level of risk. This gives end users confidence that the products meet the UK National TEMPEST requirements.

I don’t need TEMPEST but I am still concerned about EM / RF risks

For those of you that don’t necessarily handle classified data, or for those that have other concerns such as protecting your intellectual property from competitors or journalists for example, there are still some lighter touch EM / RF assurance activities you could consider.

Some possible attack vectors and how you could remediate them:

• Is your shielded room really shielded? – Scan wall to wall to see if there is any RF leakage.
• Is there a chance you are being watched / listened to? – Conduct a bug sweep of a room to look for hidden cameras or listening devices.
• Require further assurance? – You could consider creating a “clean room” procedure mandating a checklist of items to be reviewed and confirmed against a known safe state which can be inspected visually prior to a meeting (for example) to ensure no tampering or adjustments have been made.
• Is my Wi-Fi coverage appropriate? – Review how wide the range is on your WiFi access points and manage/reduce power as appropriate to minimise signal leakage outside the building.
• Is my supply chain secure? – RF scanning of hardware to investigate whether the device is omitting any rogue frequencies.  Could be done as part of logistics – scan before the hardware leaves manufacturing then another scan when it arrives at destination to make sure the RF output matches as expected for example.
• Concerned about data in transit? – Make sure you have strong encryption in place across any sensitive communication channels.
• Still concerned? – collaborate with industry / NCSC.

OK so you’re not responsible for securing a high-risk environment. Why should you care?

Well, there are still some important lessons that can be learnt here.  Understanding the level of risk that must be considered and mitigated in high-risk environments can help contextualise your own understanding of the risks pertinent to you and your business.

For many businesses EM/RF assurance could be deemed overkill, however if you are aware of your own risk (likelihood x impact) this will put you in a much better place to secure your environment to a suitable level, from perimeter security to defence in depth measures – not only from a technology perspective but also your processes and ‘security of people’.

The likelihood and impact of an attack will of course vary for each organisation based on company size, the information you process or hold, your industry sector and the organisations you work with.  And of course, the level of risk to the business and your own risk acceptance is likely to change over time as the organisation grows, shrinks, moves into new markets, or even as a result of bad press for example.

Identifying and protecting your ‘crown jewels’ through defence in depth measures and being able to demonstrate to your clients that you understand the risks pertinent to your business and have taken appropriate action to secure their data is vital as the world increasingly becomes more connected.

Should the worst happen and you suffer from a data breach, being able to demonstrate to the ICO that you have assured your systems to a suitable level will prevent substantial fines of up to £17.5 million, or 4% of your total worldwide annual turnover, whichever is higher.

There is a vast amount of resource available online to help you to understand the risks pertinent to you and your organisation, such as information security frameworks and/or certifications like ISO27001, NIST and Cyber Essentials which you could consider aligning to.  Industry is here to help provide support if you need assistance understanding and applying each of the controls to the challenges specific to your environment.

Security partners can also assist with OSINT-led Attack Surface Assessments to help you understand visible information relating to your organisation (such as suppliers, breached credentials, etc.) that your threat actors might be able to see publicly.  In addition, annual cyber security maturity assessments can also be used for benchmarking against yourself and in some cases your peers, to facilitate a gradual security improvement programme to improve your cyber security maturity over time to a level that is suitable considering your industry, company size and risks pertinent to you.