USBee: how to spy on an isolated system with a USB

In recent years we’ve seen increasing numbers of attacks designed to affect systems which are isolated from the network and cannot be attacked using conventional methods. Almost all research into this has been carried out by experts in Israel – that comes as no great surprise since this is a country at the forefront of cybersecurity. The latest – USBee – is no exception.

Techniques for attacking isolated computers

If a system is isolated from the network, not directly connected, or “air gapped”, the chances of it being affected by an IT attack are fairly limited. There’s no real threat from remote attacks (at least not from any executed from more than a few meters away) and in most cases the attacker has to get physically close enough to capture the information.

“Transmission speeds are not fast, but can be sufficient to obtain passwords within a few seconds.”

In recent years we’ve seen the development of data exfiltration techniques using some unconventional methods. A number of researchers have demonstrated how to obtain data from computers that are isolated from the network by using the sound output from the hard drive, processor or fan, for example. USBee, which was developed by researchers in Israel, joins a new variety of these exfiltration techniques, known as “air gap attacks”.

Using USB devices as data transmitters

The way USBee works is relatively simple, but it requires certain conditions in order for it to be effective. The first and most important condition is that it manages to infect the target computer with malware specially designed for such an attack. Bearing in mind that the computer in question will be in an isolated environment, this can be difficult to achieve. That said, there’s always the possibility of getting someone to connect an infected USB device – if we’ve learned anything from Mr. Robot and a certain university study it’s that if someone finds a USB device, they tend to plug it in…

If the attacker achieves the goal of infecting the computer, there’s another important factor which can determine the attack’s success or failure: the cable connecting the device to the computer. Just as some devices use a cable as an antenna for receiving information, USBee uses one to transmit it. That doesn’t mean that using a cable is critical, but it does ensure that the stolen information can be sent over a wider range.


Not all USB devices can be used to carry out this attack: some camera models, for instance, are useless as they do not receive any data flow from the computer. But these exceptions aside, USBee can work with any USB device that meets the specifications of USB 2.0.

When the malware successfully executes itself on the target computer and detects that there’s a USB device which can be used to transmit the information the attacker wants to steal, it starts sending the device a sequence of zeros. This causes the device to transmit sound at detectable frequencies between 240 and 480 Mhz.

These transmissions can be captured by a nearby receiver which – while it cannot be far away – can be positioned in an adjacent room so the attacker can avoid arousing suspicion. While the transmission speed isn’t very fast (approximately 80 bytes per second), it can be sufficient to obtain confidential information like passwords within a few seconds.

Furthermore, one of the benefits of the USBee attack is that there’s no need to modify the hardware used. Neither the USB device acting as the transmitter, nor the receiver antenna need to be modified, making this kind of attack very cheap to carry out.

As you might expect, the name “USBee” was inspired by bees. Why? Because they fly through the air carrying pollen from one place to another. In this case, though, the package being delivered is information.

A good countermeasure against this and other attacks based on USB drives are security solutions, which allow users to block USB drives and only accept those that the system administrators previously authorized.

Conclusion: USBee is an attack that can be effective in very specific situations

Like the vast majority of attacks designed with isolated systems in their sights, USBee’s effectiveness is limited to very specific environments and situations. It would be difficult for an attack such as this to be carried out on a mass scale. However, for certain operations carried out by some governments and security agencies, or indeed any form of espionage, it could be a valuable technique.

And for that reason, we should see USBee for what it really is: yet another demonstration of how a system doesn’t need to be connected to a network to become the target of an attack. Other techniques that have been around for some time have proved their effectiveness, but in many cases they are nothing more than experiments to get IT security devotees excited.

Author , ESET

Follow us

Copyright © 2016 ESET, All Rights Reserved.