07:35 PM
Connect Directly

3 Steps To Solidifying Air-Gap Security

Your isolated systems may not be as secure from exfiltration or external control as you think.

The past year has challenged security assumptions about the almighty air gap, as several researchers have lately shown new and creative ways to facilitate attacks on systems and networks completely isolated from the Internet. Often viewed as the ultimate defense for the most sensitive systems, air-gap isolation is a way to make it much harder for attackers to communicate with machines, even if they still manage to infect it. But the technique may not be good enough protection in its own right. The research that has emerged since this time last year shows that, even with no Internet, Bluetooth, or other online connection, it is possible to use connections through peripherals, audio equipment, and even graphics cards to transmit information from these systems.

More importantly, the proofs of concept brought forward are not all farfetched. According to analysis done by a Symantec researcher last week on the work done against air gaps, at least a couple of them are pretty plausible, given the fact that attackers seeking out air-gapped systems are usually very motivated to crack these juicy targets.

"System administrators may choose to air gap military systems, computerized medical systems, and control centers of critical infrastructure in order to protect data from attacks," John-Paul Power, a researcher for Symantec, wrote in his analysis. "Unfortunately, no system is 100 percent secure and there will always be a way to chip away at defenses."

Understanding the emerging research should put administrators of air-gap systems on notice never to set and forget their isolated systems. As they monitor for new research, they should consider the following countermeasures to address weaknesses found in late 2013 and throughout 2014.

Turn off audio on all air-gapped systems
Around this time last year, researchers Michael Hanspach and Michael Goetz helped kick off recent breakthroughs in air-gap security research with a paper that showed how it was possible to transmit data between computers using sound sent through built-in microphones and speakers.

Using their proof of concept, if attackers were able to infect an air-gapped computer, they could send data through the speaker using maliciously manipulated sound waves inaudible to the human ear. That information could then be picked up by a non-air-gapped but similarly infected system using its internal microphone. It works up to 65 feet between two machines, but that can be extended using a mesh network The plausibility of the attack is high, says Power, particularly for exfiltration. The saving grace is that the bitrate is low, so we're talking sensitive password files and encryption keys, rather than huge data sets.

Nevertheless, if that kind of theft would be detrimental, enterprises should consider whether their systems could be vulnerable to this attack. The easiest way to do this is to disable audio on all air-gapped systems.

"Operators could employ the use of audio filtering to block sound in a specific frequency range on air-gapped computers to avoid attacks. Finally, the researchers suggest the use of an audio intrusion detection guard that would analyze audio input and output and raise a red flag if it detects anything suspicious."

Limit peripheral use on air-gapped machines
This fall, researchers at Black Hat Europe demonstrated how already infected air-gapped machines could be manipulated to receive malicious commands through a multi-function printer's scanner to which it is connected through infrared laser light pointed at the scanner.

Pulses of light sent in a pattern corresponding to a binary Morse code developed by researchers Yuval Elovici and Moti Guri of Ben-Gurion University in Israel would be interpreted by the malware to carry out certain commands. The research also worked on a rudimentary way to send data using light, but the receiving of commands showed the most promise. Researchers believe that this method could be used up to five kilometers away, though it was tested only at 1,200 kilometers. Power believes the need for decent visibility to the scanner, along with the fact that it needs to be running at the time of attack, makes this the least plausible among recent research.

"The most glaring problem with this attack technique is that if there is no window in the room where the isolated system is contained, it's back to the drawing board for our would-be attackers," Power explains.

However, if air-gapped systems are connected to a scanner anywhere near a window, attackers could program malware to turn it on at regular intervals.

Organizations worried about such an attack may well consider limiting peripheral use on these sensitive machines. This also makes sense for preventing infection in the first place, since one of the major sources of infection on air-gap systems is through infected USB devices and memory sticks. Stuxnet offers a great case study in how that can happen.

Ban cellphones near air-gapped machines
The most recent -- and arguably most creative -- method recently uncovered, also by researchers at Ben-Gurion University, is a technique that uses FM radio signals sent from an infected computer's graphics card and received by a smartphone either controlled by an insider attacker or infected with corresponding malware.

Researchers Mordechai Gur and Yuval Elovici created a proof-of-concept malware package called AirHopper that creates image patterns that don't necessarily look different to the human eye but create an FM carrier wave that can be modulated with a data signal. According to Symantec's Power, this method is the most plausible among these three for its exfiltration possibilities, though it also has limitations in transmission speed.

Nevertheless, a smartphone with AirHopper installed needs to be in range of the targeted system's monitor for only eight seconds to load a 100-byte password file.

Organizations serious about air-gap security may want to consider banning devices within a certain range of these systems, Power says. "If that is impractical, the use of electromagnetic shielding would stop any signals being transmitted from the isolated network."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
One in Three SOC Analysts Now Job-Hunting
Kelly Jackson Higgins, Executive Editor at Dark Reading,  2/12/2018
Encrypted Attacks Continue to Dog Perimeter Defenses
Ericka Chickowski, Contributing Writer, Dark Reading,  2/14/2018
Can Android for Work Redefine Enterprise Mobile Security?
Satish Shetty, CEO, Codeproof Technologies,  2/13/2018
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: One agent too many was installed on Bob's desktop.
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.