USBee Air-Gap Hacking Tool

Our list of classic Hacking Tools suddenly looks rather pale compared to this new exciting data exfiltration tool called ‘USBee’.

Called ‘USBee’ because it functions in a similar fashion to a bee flying through the air, this blackhat tool (we can’t see a whitehat use for it…) does feel like the start of a new era. The cyber security community has known about this for a while now: several years ago, one of the many documents leaked by former National Security Agency contractor Edward Snowden specifically described how a modified USB device allowed hackers to exfiltrate data from targeted computers, even when they were physically disconnected from the Internet or any other network (‘air-gapped’). The tool Edward Snowden revealed was code named ‘CottonMouth’.

Researchers have been able to reverse engineer this technology and develop software that actually goes a step further by turning unmodified USB devices into transmitters that can send large amounts of data out of similarly ‘air-gapped’ boxes.

It’s worth mentioning that this is not the first time these researchers from Ben-Gurion University have exploited USB devices to make air-gapped computers secretly communicate data (see BitWhisper, AirHopper, GSMem, and Fansmitter), but the difference here is that in their previous examples the attacker had to introduce a malicious USB device that already contained modified hardware. With USBee, the team (Mordechai Guri, Matan Monitz and Yuval Elovici) created software that tricks the infected host into using an ordinary, ‘clean’ USB drive as a transmitter. USBee sends data at about 80 bytes per second, which is enough to exfiltrate a 4096-bit encryption key in under ten seconds. Once transmitted, the data is read by a GNU Radio-powered receiver and demodulator.

How does it work?
The malware works by using the “USB data bus in order to create electromagnetic emissions from a connected USB device” which then [is able to] “modulate any binary data over the electromagnetic waves and transmit it to a nearby receiver.” Here is the official white paper.

There are limitations
This cyber attack does have its restrictions, however: the host (target) must first be infected somehow, and to intercept the transmission the attacker would need to place a receiver close by (the range is about 9-26 feet).
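Because USBee uses an unmodified, ‘clean’ drive as its transmitter, allow-listing trusted USB vendors does not help an air-gapped host; the practical control is to refuse to bind any newly plugged-in USB device until an administrator approves it. The script below is an added example (not from the article or the USBee paper) that applies this deny-by-default policy through the Linux kernel’s sysfs USB authorization attributes (`authorized_default` per host controller, `authorized` per device); the sysfs root is taken as a parameter so the functions can be exercised against a constructed directory tree instead of a live `/sys/bus/usb/devices`.

```shell
#!/bin/sh
# Deny-by-default USB authorization on Linux (added example, not the page's code).
# SYSFS_USB defaults to the real sysfs path; pass another root for offline testing.

# Write authorized_default=0 to every USB host controller (usb1, usb2, ...) so
# devices plugged in afterwards are enumerated but never bound to a driver until
# an administrator writes 1 to that device's own 'authorized' attribute.
# Prints the number of controllers that were switched to deny-by-default.
usb_deny_by_default() {
    sysfs_usb="${1:-/sys/bus/usb/devices}"
    count=0
    for ctrl in "$sysfs_usb"/usb*; do
        [ -f "$ctrl/authorized_default" ] || continue
        printf '0' > "$ctrl/authorized_default"
        count=$((count + 1))
    done
    echo "$count"
}

# List devices that are already enumerated and still authorized, one line per
# device as "<bus-path> <idVendor>:<idProduct>", so the operator can review what
# was plugged in before the policy took effect. Interface nodes (1-1:1.0) are
# skipped; only whole devices are reported.
usb_list_authorized() {
    sysfs_usb="${1:-/sys/bus/usb/devices}"
    for dev in "$sysfs_usb"/*-*; do
        case "$(basename "$dev")" in *:*) continue ;; esac
        [ -f "$dev/authorized" ] || continue
        [ "$(cat "$dev/authorized")" = "1" ] || continue
        printf '%s %s:%s\n' "$(basename "$dev")" \
            "$(cat "$dev/idVendor" 2>/dev/null || echo '????')" \
            "$(cat "$dev/idProduct" 2>/dev/null || echo '????')"
    done
}

# Revoke authorization from one device given its bus path (e.g. 1-1 or 2-1.3).
# The kernel unbinds the device's drivers, so no process can use it as a
# mass-storage target (or anything else) afterwards. Returns 1 if not found.
usb_deauthorize() {
    sysfs_usb="${1:-/sys/bus/usb/devices}"
    dev="$sysfs_usb/$2"
    [ -f "$dev/authorized" ] || return 1
    printf '0' > "$dev/authorized"
}
```

Run as root on the air-gapped host with no arguments to use the real sysfs tree; the change does not persist across reboots, so it belongs in a boot-time unit or udev rule as well.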