No connection, no problem, right? Unfortunately, that is not entirely true — some cunning ways exist to exfiltrate data even from an air-gapped device. A group of researchers at Israel’s Ben-Gurion University, headed by Mordechai Guri, specializes in such data-theft methods. We explain what they’ve found and whether you (and we) need to worry.
How to jump an air gap
That air-gapped systems are vulnerable is not news — supply-chain attacks and bribed insiders are still entirely possible. The simplest attacks use an infected flash drive, for example; that’s how the legendary Stuxnet began. Okay, so the computer gets infected, but how can someone exfiltrate data without an Internet connection?
That’s where inventiveness meets physics. A computer may be physically isolated and not transmit any signals outside over networks, but it still generates heat, magnetic fields, and noise. It is through such nonobvious channels that someone can siphon off information. Even a computer without speakers or audio equipment is capable of making sounds in the 20 Hz–24 kHz range (if, for example, you change the frequency of the power supply). What’s more, even a device without a separate microphone can eavesdrop, because speakers or headphones can be manipulated to perform the role. A significant portion of the abovementioned range (18 kHz–24 KHz, to be precise) is outside the limits of human hearing, a quality that can be of use in various interesting ways. At home, for example, using that range can activate a smart speaker.
More relevant in this case, someone can infect a computer with malware that encodes the target information and transmits it by ultrasound. This in turn gets picked up by another infected device nearby (for example, a smartphone), and transferred to the outside world. Other methods researchers have discovered exploit the sounds made by computer fans and hard drives. Do not forget good old electromagnetism. An electric current creates an electromagnetic field that can be picked up and converted back into an electric signal. By controlling the current, you can control this field. Armed with this knowledge, attackers can use malware to send a sequence of signals to the display and transform the monitor cable into a kind of antenna. By manipulating the number and frequency of the bytes sent, they can induce radio emissions detectable by an FM receiver. That, ladies and gentlemen, is the modus operandi behind AirHopper.
Another method uses GSMem malware to exploit emissions from the computer’s memory bus. Similar to AirHopper, the malware sends a certain set of zeros and ones along the bus, causing variations in its electromagnetic radiation. It’s possible to encode information in these variations and pick them up using a regular mobile phone operating in the GSM, UMTS, or LTE frequency band — even a phone without a built-in FM radio. The general principle is clear: Almost any computer component can be an antenna. Other research includes methods for transmitting data using radiation from the USB bus, GPIO interface, and power cables.
A particular feature of magnet-based methods is that in some cases they can even work in a Faraday cage, which blocks electromagnetic radiation and is thus considered very reliable protection. Using magnetism for exfiltration exploits high-frequency magnetic radiation that CPUs generate and that seeps through the metal casing. That radiation, for example, is basically why a compass works inside a Faraday cage. The researchers found that by manipulating the load on a processor’s cores through software, they were able to control its magnetic radiation. They merely had to place a receiving device near the cage — Guri’s team reported a range of 1.5 meters or about 5 feet. To receive the information, the researchers used a magnetic sensor connected to the serial port of a neighboring computer.
All computers, even air-gapped ones, have LEDs, and by controlling their blinking, again through malware, an attacker can pull secrets out of an isolated machine. This data can be captured, for example, by hacking a surveillance camera in the room. That is how LED-it-GO and xLED work, for example. As for aIR-Jumper, well, cameras can work both as infiltration and exfiltration mechanisms; they’re capable of both emitting and capturing infrared radiation, which is invisible to the human eye.
Another unexpected channel for transmitting data from an isolated system is heating. The air inside a computer is heated by the CPU, video card, hard drive, and numerous peripheral devices (it would be easier to list the parts that don’t generate heat). Computers also have built-in temperature sensors to ensure that nothing gets too hot. If one air-gapped computer is instructed by malware to alter the temperature, a second (online) machine can log the changes, convert them into intelligible information, and send out the data. For computers to be able to communicate with each other by thermal signals, they must be fairly close — no more than 40 centimeters, or about 16 inches, apart. An example using this method is BitWhisper.
Vibration is the last type of data-transmitting radiation the researchers investigated. Malware again manipulates the speed of the computer’s fans, but in this case, it encodes the target information in vibrations, not sounds. An accelerometer app on a smartphone lying on the same surface as the computer captures the waves. The disadvantage of this method is the very low speed of reliable data transfer — about 0.5 bps. Therefore, transferring just a few kilobytes can take a couple of days. However, if the attacker is in no hurry, the method is perfectly doable.
Is it time to worry?
First, some good news: The data-theft methods we list above are very complex, so it’s unlikely that anyone will use them to snag your financial statements or client database. However, if the data you work with is of potential interest to foreign intelligence agencies or industrial spies, you should at least be aware of the danger.
How to stay protected
A simple but effective way to prevent the theft of classified information is to ban all extraneous devices, including any kind of mobile phones, on business premises. If you can’t, or if you want additional security measures, consider the following:
In addition, the researchers note that in almost all cases better protection at the software level improves the level of isolation. In other words, be sure to install reliable security solutions to catch malicious activity. If an isolated machine is used for standard tasks (a fairly common scenario in the case of air-gapped computers), switch the protection system to Default Deny mode, which automatically blocks the execution of unexpected programs or processes.