Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


07:35 PM
Connect Directly

3 Steps To Solidifying Air-Gap Security

Your isolated systems may not be as secure from exfiltration or external control as you think.

The past year has challenged security assumptions about the almighty air gap, as several researchers have lately shown new and creative ways to facilitate attacks on systems and networks completely isolated from the Internet. Often viewed as the ultimate defense for the most sensitive systems, air-gap isolation is a way to make it much harder for attackers to communicate with machines, even if they still manage to infect it. But the technique may not be good enough protection in its own right. The research that has emerged since this time last year shows that, even with no Internet, Bluetooth, or other online connection, it is possible to use connections through peripherals, audio equipment, and even graphics cards to transmit information from these systems.

More importantly, the proofs of concept brought forward are not all farfetched. According to analysis done by a Symantec researcher last week on the work done against air gaps, at least a couple of them are pretty plausible, given the fact that attackers seeking out air-gapped systems are usually very motivated to crack these juicy targets.

"System administrators may choose to air gap military systems, computerized medical systems, and control centers of critical infrastructure in order to protect data from attacks," John-Paul Power, a researcher for Symantec, wrote in his analysis. "Unfortunately, no system is 100 percent secure and there will always be a way to chip away at defenses."

Understanding the emerging research should put administrators of air-gap systems on notice never to set and forget their isolated systems. As they monitor for new research, they should consider the following countermeasures to address weaknesses found in late 2013 and throughout 2014.

Turn off audio on all air-gapped systems
Around this time last year, researchers Michael Hanspach and Michael Goetz helped kick off recent breakthroughs in air-gap security research with a paper that showed how it was possible to transmit data between computers using sound sent through built-in microphones and speakers.

Using their proof of concept, if attackers were able to infect an air-gapped computer, they could send data through the speaker using maliciously manipulated sound waves inaudible to the human ear. That information could then be picked up by a non-air-gapped but similarly infected system using its internal microphone. It works up to 65 feet between two machines, but that can be extended using a mesh network The plausibility of the attack is high, says Power, particularly for exfiltration. The saving grace is that the bitrate is low, so we're talking sensitive password files and encryption keys, rather than huge data sets.

Nevertheless, if that kind of theft would be detrimental, enterprises should consider whether their systems could be vulnerable to this attack. The easiest way to do this is to disable audio on all air-gapped systems.

"Operators could employ the use of audio filtering to block sound in a specific frequency range on air-gapped computers to avoid attacks. Finally, the researchers suggest the use of an audio intrusion detection guard that would analyze audio input and output and raise a red flag if it detects anything suspicious."

Limit peripheral use on air-gapped machines
This fall, researchers at Black Hat Europe demonstrated how already infected air-gapped machines could be manipulated to receive malicious commands through a multi-function printer's scanner to which it is connected through infrared laser light pointed at the scanner.

Pulses of light sent in a pattern corresponding to a binary Morse code developed by researchers Yuval Elovici and Moti Guri of Ben-Gurion University in Israel would be interpreted by the malware to carry out certain commands. The research also worked on a rudimentary way to send data using light, but the receiving of commands showed the most promise. Researchers believe that this method could be used up to five kilometers away, though it was tested only at 1,200 kilometers. Power believes the need for decent visibility to the scanner, along with the fact that it needs to be running at the time of attack, makes this the least plausible among recent research.

"The most glaring problem with this attack technique is that if there is no window in the room where the isolated system is contained, it's back to the drawing board for our would-be attackers," Power explains.

However, if air-gapped systems are connected to a scanner anywhere near a window, attackers could program malware to turn it on at regular intervals.

Organizations worried about such an attack may well consider limiting peripheral use on these sensitive machines. This also makes sense for preventing infection in the first place, since one of the major sources of infection on air-gap systems is through infected USB devices and memory sticks. Stuxnet offers a great case study in how that can happen.

Ban cellphones near air-gapped machines
The most recent -- and arguably most creative -- method recently uncovered, also by researchers at Ben-Gurion University, is a technique that uses FM radio signals sent from an infected computer's graphics card and received by a smartphone either controlled by an insider attacker or infected with corresponding malware.

Researchers Mordechai Gur and Yuval Elovici created a proof-of-concept malware package called AirHopper that creates image patterns that don't necessarily look different to the human eye but create an FM carrier wave that can be modulated with a data signal. According to Symantec's Power, this method is the most plausible among these three for its exfiltration possibilities, though it also has limitations in transmission speed.

Nevertheless, a smartphone with AirHopper installed needs to be in range of the targeted system's monitor for only eight seconds to load a 100-byte password file.

Organizations serious about air-gap security may want to consider banning devices within a certain range of these systems, Power says. "If that is impractical, the use of electromagnetic shielding would stop any signals being transmitted from the isolated network."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-02-27
SerComm AG Combo VD625 AGSOT_2.1.0 devices allow CRLF injection (for HTTP header injection) in the download function via the Content-Disposition header.
PUBLISHED: 2021-02-27
An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.
PUBLISHED: 2021-02-27
In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)
PUBLISHED: 2021-02-27
An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py.
PUBLISHED: 2021-02-27
i-doit before 1.16.0 is affected by Stored Cross-Site Scripting (XSS) issues that could allow remote authenticated attackers to inject arbitrary web script or HTML via C__MONITORING__CONFIG__TITLE, SM2__C__MONITORING__CONFIG__TITLE, C__MONITORING__CONFIG__PATH, SM2__C__MONITORING__CONFIG__PATH, C__M...