Sunday, July 8, 2012

Modulation and Data Loss Prevention (DLP) Solutions

Last year, my colleague Iftach (Ian) Amit and I gave a talk called 'Sounds Like Botnets' at DEFCON 19 and BSides Las Vegas conferences. Here is a link to the slides [PDF].
In the talk, we demonstrated how a combination of modulation and VoIP can be used to bypass enterprise security controllers. Here are the links to the poc #1, and poc #2.
This year, I won't be able to make it to Las Vegas for any of the conferences. Dwelling on the past, I have decided to revisit the 'Sounds Like Botnets' talk and add some content to it.

Data loss prevention (DLP) solutions are designed to detect and prevent potential data breach incidents. There are many types of DLP systems, the one that I'll address is the Endpoint DLP software.
Endpoint DLP software runs on an end-user workstations and monitors and controls access to physical devices (e.g. mobile devices) among other things. But does it monitor the sound card?
It is possible to modulate data into sound, and than to play it out from the workstation (using the sound card) to a 3rd party such as a voice recorder or any mobile with external microphone input.

Modulation vs. DLP #1:

Keep in mind that this is a proof of concept, so it's not going to work 100% of the time. If it's not working, try: (a) a smaller document/payload or (b) a different recording device.

To modulate:
  • Download data2sound.py
  • Pick a file
  • Modulate the file
  • $ ./data2sound.py -i secret.txt -o foobar.wav
  • Connect the recording device to the workstation sound card (Headphones output)
  • Start recording on the recording device
  • Play the generated WAV file (i.e. foobar.wav)
  • Stop the recording on the recording device
To demodulate:
  • Download sound2data.py

  • Then, if possible, copy the file "AS IT IS" from the recording device to the computer, and demodulate it:
    $ ./sound2data.py -i foobar.wav -o secret.txt
    If not, try the following steps:
    • Connect the recording device to the workstation sound card (Microphone input)
    • Start recording on the workstation
    • Play the file on the recording device
    • Stop the recording on the workstation
    • Demodulate the file
Try this (at home, and at your own risk) and post a comment with what file and sound card equipment you tried, and whether it worked for you or not. Now, the next method is really more theory than practice.

Modulation vs. DLP #2:

By bridging between the computer soundcard and a smart phone broadband modem, it is possible to upgrade the previous method to be an on-line, or real time one. In other words, Build Your Own Modem.

The setup:
  • Connect the computer headphone output into the smart phone external microphone input. This way, the computer can output signal to the smart phone.
  • Connect the smart phone headphone output into the computer external microphone input. This way, the smart phone can output signal to the computer.
This should (in theory) make sure that a signal can go from side to side. Now, let's see what each side should do.

On the smart phone:
  • Call to the remote site
  • (The caller signal should be sent to the computer via headphone output, if not, try playing with the settings)
  • (The calle signal should be received from the computer via microphone input, if not, try playing with the settings)
There's also the option of pairing (via Bluetooth) the computer and the smart phone: The computer identifies as a headset and gains access to smart phone speaker/microphone. But it's preventable by DLP.

On the computer:
  • Modulate the file you wish to trasnfer
  • Play the generated WAV file
That's the basic idea, of course, you can install a software on the computer which will modulate-demoulate (i.e. MODEM) on the fly, making it possible to get transmission from the remote site and respond to it.

Before wrapping up this post, I'd like to give a big shout out to Mickey Shaktov and Iftach (Ian) Amit, each of them will be presenting this year at Blackhat USA. Go see their talks, you won't be disappointed!