8 Ways Hackers Can Game Air Gap Protections
Isolating critical systems from connectivity isn't a guarantee they can't be hacked.
May 11, 2018
The almighty air gap has long been critical systems' go-to last resort - the idea being if you pull the plug of connectivity on these systems and don't allow them any kind of access to the outside world, you'll eliminate the bad guys' ability to remotely carry out their attacks.
While it's true that air gaps can drastically shrink attack surface, they're far from infallible. Security researchers - particularly a few from Ben-Gurion University in Israel - have worked over the last five to 10 years to show that even the most meticulously isolated air gap can be overcome with some clever uses of side channels. Here are some of the most effective end-arounds of air gap defense.
The most obvious and simple of attacks is also one of the longest-lived air-gap busters, with the most dramatic example of real-world use. If an attacker can find even a momentary opportunity to get an infected USB device plugged into an air-gapped machine, they can do a lot of damage. Stuxnet offered up some of the earliest and most vivid examples of the dangers of USB autorun attacks. It's widely known now that US intelligence was able to use Stuxnet to compromise air-gapped Iranian nuclear reactors via USB. With access to USB ports, the opportunities are endless. One such tool, developed by the NSA and leaked to the public in 2014, is COTTONMOUTH, a USB hardware implant that provides software persistence and over-the-air communication through an RF link to bridge air gaps.
Since then, quieter uses of USB as a channel of attack have been refined. For example, four years ago, researchers Karsten Nohl and Jakob Lell demonstrated at Black Hat how to maliciously alter firmware on a compromised USB device to infect a computer with no hardware modification and little chance of forensic detection at the system level.
(Image by Oleksandr Delyk, via Adobe Stock)
In 2016, air gap researcher Mordechai Guri and his colleagues at Ben-Gurion took the use of USB devices to jump the air gap to another level. At that time they unveiled the USBee malware, which can use an unmodified USB device as an RF transmitter to pass data back and forth between an air-gapped system and an attacker's receiver. This includes loading up exploits and other goodies and exfiltrating data off the machine. The receiver can work up to nine feet away from the target system, and even farther with an antenna. The trick is that the attacker must find a way to get the initial malware on the machine and the air-gapped system must be using a USB device.
Robert Callan, Alenka Zajic and Milos Prvulovic at the Georgia Institute of Technology have spent more than five years studying how the electromagnetic signals leaked by system CPUs can be used to set up covert channels against air-gapped systems. For example, in 2013 they demonstrated how this channel could be used by a connected system in the same room as an air-gapped system to pick up keystroke information from the isolated machine. Most recently they and colleague Baki Berkay Yilmaz have been measuring just how much information can be leaked through the electromagnetic signals generated by CPU instruction processing, and providing a way to estimate the capacity of such side channels so that hardware and software designers have a metric by which to judge the effectiveness of future countermeasures to this kind of attack.
A security practitioner's first response to the electromagnetic channel threat would likely be to put the most sensitive air-gapped systems into a Faraday cage. But that might not always be enough. The most recent research from Guri and his team at Ben-Gurion shows that they've come up with an exfiltration channel that can beat Faraday cages around both the target system and the mobile devices receiving the electromagnetic transmissions. The target machine would need to be compromised initially to make this possible, but by modulating CPU workloads the researchers were able to force it to generate stronger magnetic leakages that break through a Faraday cage's defenses.
Imagine a scenario in which a critical system is air-gapped and is also monitored by a remote IP camera. Not outside the bounds of normal operating conditions, right? That scenario could provide the perfect channel for attackers to exfiltrate information off of a system isolated from Internet connectivity.
Last year, several research teams offered up a number of breakthroughs in demonstrating how the blinking of LED status indicators could be used to transmit information from an unconnected system to an IP camera. Guri, Boris Zadov, and Yuval Elovici at Ben-Gurion showed in their LED-it-GO research that it's possible to leak data through hard drive LEDs to IP camera infrared sensors. And Zhong Zhou and researchers from the University of Science and Technology of China upped the ante by creating software that modulates the on-off switching of keyboard lights, flickering them at a rate nearly imperceptible to the human eye but which can be picked up by an IP camera. Both of these attacks require the monitoring camera to be compromised and malware to be placed on the target system.
Zhou's team at University of Science and Technology of China took the LED monitoring connection to a whole new level earlier this year with further research. They built a covert channel called IREXF that made it possible to establish a channel that wouldn't require implantation of malware on the air-gapped machine and used a much wider range of IoT devices, not just an IP camera.
The foothold on the air-gapped machine in this scenario would be established by placing a small hardware module in a standard keyboard - one which they suggest could be pushed out into the target organization through a supply chain attack. Meanwhile, the channel uses infrared remote control receivers that come standard on many IoT devices to transmit data back and forth.
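The capacity metric the Georgia Tech team proposes, applied to the LED-to-camera channel described above, as an added Python example that is not code from the article or from any of the research teams it cites. It assumes the LED is on-off keyed and read by a sensor at a fixed sample rate (so at most half that many symbols per second) with a binary-symmetric error model; the frame rates, error rates and secret size are constructed numbers.

```python
import math

# Constructed scenario numbers (assumptions, not figures from the cited papers):
# an IP camera that sees the LED at 30 frames per second, and a 5% residual
# error rate once the camera has to decide "LED on" versus "LED off" per frame.
CAMERA_FPS = 30.0
READ_ERROR_RATE = 0.05


def binary_entropy(p: float) -> float:
    """H(p) in bits; defined as 0 at p = 0 and p = 1."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def bsc_capacity(bit_error_rate: float) -> float:
    """Capacity in bits per symbol of a binary symmetric channel: 1 - H(p)."""
    return 1.0 - binary_entropy(bit_error_rate)


def max_symbol_rate(sensor_samples_per_second: float) -> float:
    """Nyquist bound: a sensor that samples the LED N times per second can
    resolve at most N/2 on-off symbols per second, whatever the malware does."""
    return sensor_samples_per_second / 2.0


def channel_bits_per_second(sensor_samples_per_second: float, bit_error_rate: float) -> float:
    """Upper bound on the exfiltration rate of an on-off-keyed LED channel."""
    return max_symbol_rate(sensor_samples_per_second) * bsc_capacity(bit_error_rate)


def seconds_to_leak(num_bytes: int, sensor_samples_per_second: float, bit_error_rate: float) -> float:
    """Time needed to leak num_bytes over the channel; inf when the capacity is zero."""
    bps = channel_bits_per_second(sensor_samples_per_second, bit_error_rate)
    return math.inf if bps <= 0.0 else num_bytes * 8.0 / bps


def leak_time_table(num_bytes: int, sensors: dict) -> dict:
    """Compare sensors: {name: (samples/s, error rate)} -> {name: seconds to leak}."""
    return {name: seconds_to_leak(num_bytes, rate, ber) for name, (rate, ber) in sensors.items()}


if __name__ == "__main__":
    # Constructed comparison: a 4 KB secret observed by three hypothetical sensors.
    sensors = {
        "ip camera 30 fps": (CAMERA_FPS, READ_ERROR_RATE),
        "high-speed camera 240 fps": (240.0, READ_ERROR_RATE),
        "noisy reading (50% errors)": (CAMERA_FPS, 0.5),  # channel carries nothing
    }
    for name, secs in leak_time_table(4096, sensors).items():
        print(f"{name:28s} {secs:10.1f} s")
```

The table answers the question a defender actually has: whether a monitoring camera with line of sight to a drive or keyboard LED turns an unsupervised window of a few minutes into a complete key leak, which is what decides whether covering LEDs or keeping cameras out of the room is worth the trouble.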
Did you know that graphics cards emit FM radio signals each time you hit a key on your keyboard? Researchers at Ben-Gurion used this system quirk to develop AirHopper. Demonstrated in 2014, the technique shows how FM receivers found in cell phones can pick up the signals an air-gapped machine's graphics card sends out at every keystroke. This digital Rube Goldberg setup essentially becomes an over-the-air keylogger that can steal typed information from some of the most isolated critical systems.
Guri's team at Ben-Gurion are tireless and the most recent reveal shows they're not letting up. This spring they came out with a new air gap end-around called MOSQUITO, which uses ultrasonic waves to create a line of communication between two or more air-gapped machines. The researchers show how attackers can use speakers and headphones to act as microphones even when standard microphones are not present or disabled. These sound devices can be used to communicate, effectively setting up a bidirectional mode of transmission. https://thehackernews.com/2018/03/air-gap-computer-hacking.html
This research builds off the work of Michael Hanspach and Michael Goetz from Germany's Fraunhofer Institute for Communication, Information Processing and Ergonomics, who were among the first to offer a proof-of-concept of the possibility of covert acoustical networking. In that case, they used microphones and speakers.