TEMPEST-LoRa Breaches Air-Gapped Systems with Video Cables

Considering how tightly integrated computers are into every facet of our daily lives, cybersecurity is important to everyone these days. So when firewalls, malware detectors, and multi-factor authentication schemes are not enough — as may be the case with systems containing corporate or state secrets — more drastic measures need to be taken. The most certain way to keep data on a computer private is to air gap it. An air-gapped computer has no network interfaces whatsoever, either wired or wireless. As such, it can only be accessed in-person, making the job of would-be attackers exceedingly difficult.

Exceedingly difficult, but not impossible. Despite not intentionally generating any signals for networking purposes, a variety of components, from monitors to disk drives, inside every air-gapped computer leak electromagnetic (EM) radiation. These leaked signals have been exploited by a number of attacks to infer what the machine is doing, or what data is stored within. However, the attacks generally work over very short distances, and require complex, specialized equipment to serve as the receiver.

In practice, these requirements render most such attacks impractical for real-world use. But a clever group led by researchers at Xi’an Jiaotong University has described a new attack called TEMPEST-LoRa that should put owners of air-gapped systems on high alert. Using their approach, normal emissions from video cables, either HDMI or VGA, can be exploited to transmit data over relatively long distances via LoRa packets. And these packets can be received by standard LoRa nodes or gateways.

TEMPEST-LoRa builds on a concept known as Cross-Technology Covert Communication, in which EM emissions from one technology are modulated to be compatible with another. In this case, malicious software on the air-gapped computer generates precisely timed pixel patterns that manipulate the electrical signals passing through the video cable. These manipulated signals leak EM radiation at specific frequencies that can be interpreted as LoRa data packets.

This data can be received by commercial, off-the-shelf LoRa receivers that are already deployed across cities, campuses, and rural areas around the world. In a series of experiments, the researchers successfully transmitted data at rates up to 21.6 bits per second at a range of nearly 90 meters. This could potentially be even farther when using sensitive SDRs like the HackRF One.

The odd graphical patterns might tip someone off that something is wrong, but the researchers demonstrated that they could disable the computer’s monitor while still keeping the video cable active. This allows data to be exfiltrated with the screen turned off, offering no visual indication that anything is happening.

While TEMPEST-LoRa shows that even air-gapped systems can be exploited from a distance, it does require compromised software to first be installed on the target system to produce the modulated video signals. So as concerning as this may be, good physical security can prevent TEMPEST-LoRa attacks before they ever happen.