What's a long length of LAN cable? A transmitter, of course
LAN cables can be sniffed to reveal network traffic with a $30 setup, says researcher
What's a long length of electrical wire? A transmitter, of course
An Israeli researcher has demonstrated that LAN cables' radio frequency emissions can be read by using a $30 off-the-shelf setup, potentially opening the door to fully developed cable-sniffing attacks.
Mordechai Guri of Israel's Ben Gurion University of the Negev described the disarmingly simple technique to The Register. It consists of placing an ordinary radio antenna up to four metres from a category 6A Ethernet cable and using an off-the-shelf software-defined radio (SDR) to listen around 250MHz.
His experimental technique consisted of slowing UDP packet transmissions over the target cable to a very low speed and then transmitting single letters of the alphabet. The cable's radiations could then be picked up by the SDR (in Guri's case, both an R820T2-based tuner and a HackRF unit) and, via a simple algorithm, be turned back into human-readable characters.
Nicknamed LANtenna, Guri's technique is an academic proof of concept and not a fully fledged attack that could be deployed today. Nonetheless, the research shows that poorly shielded cables have the potential to leak information which sysadmins may have believed was secure or otherwise air-gapped from the outside world.
He added that his setup's $1 antenna was a big limiting factor and that specialised antennas could well reach "tens of metres" of range.
One obvious further research technique would be to look at sniffing information over network cables at their full operational speeds, Guri having acknowledged that slowing live network traffic down to levels used in his experiment would be impractical. His full paper, however, noted: "Transmitting UDP packets doesn't require higher privileges or interfering with the OS routing table. In addition, it is possible to evade detection at the network level by sending the raw UDP traffic within other legitimate UDP traffic."
The academic's previous research included a technique for turning DRAM into a form of wireless transmitter, as part of his work looking at ways of pwning air-gapped networks.
How to leak data via Wi-Fi when there's no Wi-Fi chip: Boffin turns memory bus into covert data transmitter
Spoof an Ethernet adapter on USB, and you can sniff credentials from locked laptops
GCHQ and Cable and Wireless teamed as Masters of the Internet™
NSA coughs up secret TEMPEST specs
TEMPEST, as we reported 20 years ago, was originally a US government scheme for reducing the amount of RF emissions generated by computer equipment. Today it's been adopted as a NATO standard, with the UK's National Cyber Security Centre having a public webpage about it.