07:35 PM
Connect Directly

3 Steps To Solidifying Air-Gap Security

Your isolated systems may not be as secure from exfiltration or external control as you think.

The past year has challenged security assumptions about the almighty air gap, as several researchers have lately shown new and creative ways to facilitate attacks on systems and networks completely isolated from the Internet. Often viewed as the ultimate defense for the most sensitive systems, air-gap isolation is a way to make it much harder for attackers to communicate with machines, even if they still manage to infect it. But the technique may not be good enough protection in its own right. The research that has emerged since this time last year shows that, even with no Internet, Bluetooth, or other online connection, it is possible to use connections through peripherals, audio equipment, and even graphics cards to transmit information from these systems.

More importantly, the proofs of concept brought forward are not all farfetched. According to analysis done by a Symantec researcher last week on the work done against air gaps, at least a couple of them are pretty plausible, given the fact that attackers seeking out air-gapped systems are usually very motivated to crack these juicy targets.

"System administrators may choose to air gap military systems, computerized medical systems, and control centers of critical infrastructure in order to protect data from attacks," John-Paul Power, a researcher for Symantec, wrote in his analysis. "Unfortunately, no system is 100 percent secure and there will always be a way to chip away at defenses."

Understanding the emerging research should put administrators of air-gap systems on notice never to set and forget their isolated systems. As they monitor for new research, they should consider the following countermeasures to address weaknesses found in late 2013 and throughout 2014.

Turn off audio on all air-gapped systems
Around this time last year, researchers Michael Hanspach and Michael Goetz helped kick off recent breakthroughs in air-gap security research with a paper that showed how it was possible to transmit data between computers using sound sent through built-in microphones and speakers.

Using their proof of concept, if attackers were able to infect an air-gapped computer, they could send data through the speaker using maliciously manipulated sound waves inaudible to the human ear. That information could then be picked up by a non-air-gapped but similarly infected system using its internal microphone. It works up to 65 feet between two machines, but that can be extended using a mesh network The plausibility of the attack is high, says Power, particularly for exfiltration. The saving grace is that the bitrate is low, so we're talking sensitive password files and encryption keys, rather than huge data sets.

Nevertheless, if that kind of theft would be detrimental, enterprises should consider whether their systems could be vulnerable to this attack. The easiest way to do this is to disable audio on all air-gapped systems.

"Operators could employ the use of audio filtering to block sound in a specific frequency range on air-gapped computers to avoid attacks. Finally, the researchers suggest the use of an audio intrusion detection guard that would analyze audio input and output and raise a red flag if it detects anything suspicious."

Limit peripheral use on air-gapped machines
This fall, researchers at Black Hat Europe demonstrated how already infected air-gapped machines could be manipulated to receive malicious commands through a multi-function printer's scanner to which it is connected through infrared laser light pointed at the scanner.

Pulses of light sent in a pattern corresponding to a binary Morse code developed by researchers Yuval Elovici and Moti Guri of Ben-Gurion University in Israel would be interpreted by the malware to carry out certain commands. The research also worked on a rudimentary way to send data using light, but the receiving of commands showed the most promise. Researchers believe that this method could be used up to five kilometers away, though it was tested only at 1,200 kilometers. Power believes the need for decent visibility to the scanner, along with the fact that it needs to be running at the time of attack, makes this the least plausible among recent research.

"The most glaring problem with this attack technique is that if there is no window in the room where the isolated system is contained, it's back to the drawing board for our would-be attackers," Power explains.

However, if air-gapped systems are connected to a scanner anywhere near a window, attackers could program malware to turn it on at regular intervals.

Organizations worried about such an attack may well consider limiting peripheral use on these sensitive machines. This also makes sense for preventing infection in the first place, since one of the major sources of infection on air-gap systems is through infected USB devices and memory sticks. Stuxnet offers a great case study in how that can happen.

Ban cellphones near air-gapped machines
The most recent -- and arguably most creative -- method recently uncovered, also by researchers at Ben-Gurion University, is a technique that uses FM radio signals sent from an infected computer's graphics card and received by a smartphone either controlled by an insider attacker or infected with corresponding malware.

Researchers Mordechai Gur and Yuval Elovici created a proof-of-concept malware package called AirHopper that creates image patterns that don't necessarily look different to the human eye but create an FM carrier wave that can be modulated with a data signal. According to Symantec's Power, this method is the most plausible among these three for its exfiltration possibilities, though it also has limitations in transmission speed.

Nevertheless, a smartphone with AirHopper installed needs to be in range of the targeted system's monitor for only eight seconds to load a 100-byte password file.

Organizations serious about air-gap security may want to consider banning devices within a certain range of these systems, Power says. "If that is impractical, the use of electromagnetic shielding would stop any signals being transmitted from the isolated network."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Are you sure this is how we get our data into the cloud?
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2018-09-24
Multiple SQL injection vulnerabilities in the login page in RXTEC RXAdmin UPDATE 06 / 2012 allow remote attackers to execute arbitrary SQL commands via the (1) loginpassword, (2) loginusername, (3) zusatzlicher, or (4) groupid parameter to index.htm, or the (5) rxtec cookie to index.htm.
PUBLISHED: 2018-09-24
A skilled attacker with advanced knowledge of the target system could exploit this vulnerability by creating an application that would successfully bind to the service and gain elevated system privileges. This could enable the attacker to obtain access to keystrokes, passwords, personal identifiable...
PUBLISHED: 2018-09-24
Memory leak in the H5O_dtype_decode_helper() function in H5Odtype.c in the HDF HDF5 through 1.10.3 library allows attackers to cause a denial of service (memory consumption) via a crafted HDF5 file.
PUBLISHED: 2018-09-24
A SIGFPE signal is raised in the function H5D__select_io() of H5Dselect.c in the HDF HDF5 through 1.10.3 library during an attempted parse of a crafted HDF file, because of incorrect protection against division by zero. It could allow a remote denial of service attack.
PUBLISHED: 2018-09-24
An issue was discovered in the HDF HDF5 1.10.3 library. There is a stack-based buffer overflow in the function H5S_extent_get_dims() in H5S.c. Specifically, this issue occurs while converting an HDF5 file to a GIF file.