Rom Ogen, Omer Shwartz, Kfir Zvi, and Yossi Oren, Ben-Gurion University of the Negev
Listening devices, tracking devices, and other covert implants have to send any data they collect to a central command and control (C&C) server. This task can be difficult, since implants typically have a restricted power budget and cannot connect directly to the Internet. Several works have attempted to exfiltrate data in this setting by taking advantage of a nearby networked device, such as a computer or a mobile phone. To achieve this, the implant uses a covert channel to send the data to the networked device, that performs the exfiltration. Several constructions have been proposed for this covert channel between implant and target device, using sensors such as the microphone, magnetometer and gyroscope. In this work, we implement this covert channel using Wi-Fi micro-jamming, a new approach to jamming the 802.11 Wi-Fi protocol in a low-power, minimally intrusive manner. Our construction, which extends the work of Shah and Blaze from WOOT '09, does not attempt to overwhelm the Wi-Fi channel with a high-power transmission, but instead takes advantage of the high sensitivity of the 802.11 protocol's Clear Channel Assessment (CCA) mechanism to introduce very brief delays to the channel. A JavaScript program, which can be embedded in an attacker-controlled website or online advertisement, is then used to measure these delays and upload them to the C&C server. Our channel works at a distance of over 15 meters between implant and target device, achieves a bit rate of 40 bits per second with minimal errors, and has a very low power requirement. We even show how the implant can be made completely passive by replacing the transmit antenna with a backscattering antenna, making its location very hard to detect. Most importantly, since our attack uses only Wi-Fi communications, it works on a wide variety of devices with different form factors and requires no extra permissions on the receiver's side. This makes it very difficult to defend against this attack using existing information flow control countermeasures.
