Attacks/Breaches

12/8/2014
07:35 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
100%
0%

3 Steps To Solidifying Air-Gap Security

Your isolated systems may not be as secure from exfiltration or external control as you think.

The past year has challenged security assumptions about the almighty air gap, as several researchers have lately shown new and creative ways to facilitate attacks on systems and networks completely isolated from the Internet. Often viewed as the ultimate defense for the most sensitive systems, air-gap isolation is a way to make it much harder for attackers to communicate with machines, even if they still manage to infect it. But the technique may not be good enough protection in its own right. The research that has emerged since this time last year shows that, even with no Internet, Bluetooth, or other online connection, it is possible to use connections through peripherals, audio equipment, and even graphics cards to transmit information from these systems.

More importantly, the proofs of concept brought forward are not all farfetched. According to analysis done by a Symantec researcher last week on the work done against air gaps, at least a couple of them are pretty plausible, given the fact that attackers seeking out air-gapped systems are usually very motivated to crack these juicy targets.

"System administrators may choose to air gap military systems, computerized medical systems, and control centers of critical infrastructure in order to protect data from attacks," John-Paul Power, a researcher for Symantec, wrote in his analysis. "Unfortunately, no system is 100 percent secure and there will always be a way to chip away at defenses."

Understanding the emerging research should put administrators of air-gap systems on notice never to set and forget their isolated systems. As they monitor for new research, they should consider the following countermeasures to address weaknesses found in late 2013 and throughout 2014.

Turn off audio on all air-gapped systems
Around this time last year, researchers Michael Hanspach and Michael Goetz helped kick off recent breakthroughs in air-gap security research with a paper that showed how it was possible to transmit data between computers using sound sent through built-in microphones and speakers.

Using their proof of concept, if attackers were able to infect an air-gapped computer, they could send data through the speaker using maliciously manipulated sound waves inaudible to the human ear. That information could then be picked up by a non-air-gapped but similarly infected system using its internal microphone. It works up to 65 feet between two machines, but that can be extended using a mesh network The plausibility of the attack is high, says Power, particularly for exfiltration. The saving grace is that the bitrate is low, so we're talking sensitive password files and encryption keys, rather than huge data sets.

Nevertheless, if that kind of theft would be detrimental, enterprises should consider whether their systems could be vulnerable to this attack. The easiest way to do this is to disable audio on all air-gapped systems.

"Operators could employ the use of audio filtering to block sound in a specific frequency range on air-gapped computers to avoid attacks. Finally, the researchers suggest the use of an audio intrusion detection guard that would analyze audio input and output and raise a red flag if it detects anything suspicious."

Limit peripheral use on air-gapped machines
This fall, researchers at Black Hat Europe demonstrated how already infected air-gapped machines could be manipulated to receive malicious commands through a multi-function printer's scanner to which it is connected through infrared laser light pointed at the scanner.

Pulses of light sent in a pattern corresponding to a binary Morse code developed by researchers Yuval Elovici and Moti Guri of Ben-Gurion University in Israel would be interpreted by the malware to carry out certain commands. The research also worked on a rudimentary way to send data using light, but the receiving of commands showed the most promise. Researchers believe that this method could be used up to five kilometers away, though it was tested only at 1,200 kilometers. Power believes the need for decent visibility to the scanner, along with the fact that it needs to be running at the time of attack, makes this the least plausible among recent research.

"The most glaring problem with this attack technique is that if there is no window in the room where the isolated system is contained, it's back to the drawing board for our would-be attackers," Power explains.

However, if air-gapped systems are connected to a scanner anywhere near a window, attackers could program malware to turn it on at regular intervals.

Organizations worried about such an attack may well consider limiting peripheral use on these sensitive machines. This also makes sense for preventing infection in the first place, since one of the major sources of infection on air-gap systems is through infected USB devices and memory sticks. Stuxnet offers a great case study in how that can happen.

Ban cellphones near air-gapped machines
The most recent -- and arguably most creative -- method recently uncovered, also by researchers at Ben-Gurion University, is a technique that uses FM radio signals sent from an infected computer's graphics card and received by a smartphone either controlled by an insider attacker or infected with corresponding malware.

Researchers Mordechai Gur and Yuval Elovici created a proof-of-concept malware package called AirHopper that creates image patterns that don't necessarily look different to the human eye but create an FM carrier wave that can be modulated with a data signal. According to Symantec's Power, this method is the most plausible among these three for its exfiltration possibilities, though it also has limitations in transmission speed.

Nevertheless, a smartphone with AirHopper installed needs to be in range of the targeted system's monitor for only eight seconds to load a 100-byte password file.

Organizations serious about air-gap security may want to consider banning devices within a certain range of these systems, Power says. "If that is impractical, the use of electromagnetic shielding would stop any signals being transmitted from the isolated network."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why CISOs Need a Security Reality Check
Joel Fulton, Chief Information Security Officer for Splunk,  6/13/2018
Cisco Talos Summit: Network Defenders Not Serious Enough About Attacks
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2018
Four Faces of Fraud: Identity, 'Fake' Identity, Ransomware & Digital
David Shefter, Chief Technology Officer at Ziften Technologies,  6/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-8030
PUBLISHED: 2018-06-20
A Denial of Service vulnerability was found in Apache Qpid Broker-J versions 7.0.0-7.0.4 when AMQP protocols 0-8, 0-9 or 0-91 are used to publish messages with size greater than allowed maximum message size limit (100MB by default). The broker crashes due to the defect. AMQP protocols 0-10 and 1.0 a...
CVE-2018-1117
PUBLISHED: 2018-06-20
ovirt-ansible-roles before version 1.0.6 has a vulnerability due to a missing no_log directive, resulting in the 'Add oVirt Provider to ManageIQ/CloudForms' playbook inadvertently disclosing admin passwords in the provisioning log. In an environment where logs are shared with other parties, this cou...
CVE-2018-11701
PUBLISHED: 2018-06-20
FastStone Image Viewer 6.2 has a User Mode Write AV at 0x005cb509, triggered when the user opens a malformed JPEG file that is mishandled by FSViewer.exe. Attackers could exploit this issue for DoS (Access Violation) or possibly unspecified other impact.
CVE-2018-11702
PUBLISHED: 2018-06-20
FastStone Image Viewer 6.2 has a User Mode Write AV at 0x00578cb3, triggered when the user opens a malformed JPEG file that is mishandled by FSViewer.exe. Attackers could exploit this issue for DoS (Access Violation) or possibly unspecified other impact.
CVE-2018-11703
PUBLISHED: 2018-06-20
FastStone Image Viewer 6.2 has a User Mode Write AV at 0x00402d6a, triggered when the user opens a malformed JPEG file that is mishandled by FSViewer.exe. Attackers could exploit this issue for DoS (Access Violation) or possibly unspecified other impact.