Recent research has suggested several ways air-gapped networks could be compromised, but how realistic are these attack scenarios?
Twitter Card Style:
summary
Contributor: Candid Wueest
Industries that deal with sensitive information rely heavily on air-gapped systems to protect their critical data. However, while these systems are more secure than most others, there are ways to compromise them, potentially allowing attackers to steal the affected organizations’ highly sensitive data. From radio signal-emitting graphics cards to computers communicating through their speakers, are air gaps, once considered the Fort Knox of security measures, beginning to show cracks?
An air gap is a security measure that protects critical data by keeping one or more computers isolated from other unsecured networks, such as the internet, for example. System administrators may choose to air gap military systems, computerized medical systems, and control centers of critical infrastructure in order to protect data from attacks. Unfortunately, no system is 100 percent secure and there will always be a way to chip away at defenses. Several research reports have been making the news recently concerning ways in which air-gapped systems can be breached. Although some of the methods sound like they were taken straight out of a science fiction story, security researchers have definitely taken up the challenge of bridging the air gap.
Problems for would-be attackers
If an attacker wishes to breach an air-gapped system, they face three major hurdles:
- Compromising a computer within the isolated network
To breach an air-gapped system, the attacker needs to infect at least one of the air-gapped computers with malware. This could be done by using an insider in the targeted firm or an outsider, such as a consultant, who may be able to get access to the isolated area and use a malware-infected USB drive to compromise the computer. Air-gapped computers could also be compromised in supply chain attacks, where the computer’s components are intercepted and tampered with during the manufacturing or shipping processes.
- Sending commands to the compromised computer
Once a computer has been compromised, the attacker has to figure out how to send commands and updates to the malware. Normally, this would be conducted over the internet; however, anyone interested in taking on an air-gapped system needs to use a little more creativity.
- Exfiltrating data from the compromised computer
Unless the attacker only wants to cause some damage, they’ll need to find a way to exfiltrate the stolen data from the air-gapped network.
Let’s get creative
In light of these challenges, let’s take a look at some of the recent air-gap attack research reports and talk about how much of a realistic threat, if any, each method poses and what can be done to stay protected.
Turn on, tune in, get the data out
Researchers have recently proved how it’s possible to exfiltrate data from an air-gapped network by using FM radio signals sent from a computer’s graphics card. The researchers’ created proof-of-concept malware called AirHopper that uses the computer’s video display adapter to broadcast FM-compatible radio signals to a device with an FM receiver. The researchers were able to create an image pattern that generates a carrier wave modulated with a data signal. The image sent to the computer monitor looks indistinguishable from regular visual output but contains extra data that is transmitted as FM radio signals.
Attackers using this technique could infect computers with malware using USB devices or by way of supply-chain tampering. As for the receiver, this could be any modern smartphone, as most contain built-in FM receivers. The smartphone could belong to someone involved in the attack or someone who has had their device compromised. As smartphones are connected to the internet, they would be easier to compromise than a computer in an air-gapped network through a range of techniques like compromised websites or malicious emails.
The receiver needs to be within eight yards (seven meters) of the broadcasted radio signals in order to work. The researchers say they can transmit about 13 to 60 bytes a second in their tests, which is more than enough data to include login credentials and other sensitive information. For instance, an attacker with a receiver would only need to be in range of the compromised computer’s monitor for roughly eight seconds to download a 100-byte password file.
The technique is similar to how TEMPEST attacks are carried out; however, a TEMPEST attack only allows the attacker to spy on what is being displayed on the computer’s monitor.
Real world implications and mitigation
This technique is the most plausible for data exfiltration. Compromising smartphones is something that is well within the capabilities of cybercriminals and nation states, so exfiltrating the stolen data would not be a major hurdle. When it comes to mitigation, banning the use of mobile devices within a certain range of the air-gapped system may be one solution. However, if that is impractical, the use of electromagnetic shielding would stop any signals being transmitted from the isolated network.
Whispering malware
A recent research report detailed a system that uses inaudible sound as a means of communication, allowing data to be passed between computers that have no network connection. The researchers developed a proof-of-concept program that uses the built-in microphones and speakers found in many computers to transmit small amounts of data over a distance of roughly 65 feet (20 meters). However, this distance could be extended by a great deal using what the researchers call an acoustical mesh network of compromised computers that effectively relay the data to each other.
As most adults can hear sounds between 100Hz and 20kHz, anything outside of this range should be inaudible. According to the researchers, most commercial soundcards operate at a frequency of 48kHz though in their tests, most speakers wouldn’t work above 23kHz. This meant that the researchers needed to transmit at a frequency somewhere in the rage of 20kHz to 23kHz.
The scientists experimented with several different methods to send data between two laptops using only sound. The most effective method used a system originally developed to acoustically transmit data under water, called the adaptive communication system (ACS) modem. Bridging air-gapped systems using this method, however, only provides a bitrate of about 20 bits per second. As with the other method described in this blog, this relatively tiny transmission rate rules out the exfiltration of large files such as documents and images but does feasibly allow for sensitive data to be sent, such as passwords or encryption keys.
Real world implications and mitigation
Depending on whether or not computers within the air-gapped network are fitted with speakers and microphones, this technique could pose a moderate threat. However, as the researchers themselves note, there are several possible ways in which this type of attack vector can be mitigated. Disabling audio output and input devices is perhaps the most obvious countermeasure. The researchers recommend that system administrators should not fit air-gapped computers with audio output hardware to begin with. If needed, users could use headphones; however, these would need to be disconnected when not in use as they too can be used to transmit.
Operators could employ the use of audio filtering to block sound in a specific frequency range on air-gapped computers to avoid attacks. Finally, the researchers suggest the use of an audio intrusion detection guard that would analyze audio input and output and raise a red flag if it detects anything suspicious.
A more elaborate air-gap compromise: Dots, dashes, drones, and printers
Recent research presented at the 2014 Black Hat Europe conference showed how a malware-infected computer on an air-gapped network could receive and send attack commands through a multi-function printer’s scanner that the computer is connected to. To transmit data, an attacker would need to shine light, visible or infrared, into the room where the scanner is and while a scan is in progress.
The researchers devised a system to send and receive binary data using Morse code and say that several hundred bits can be sent during one scan, plenty to contain commands for the malware. Detecting the light from far away would be a problem but the researchers say this can be made easier with the use of a quadcopter drone.
An attacker could use a laser to send data from up to five kilometers away, although the researchers only tested the method up to 1,200 meters. An infected computer could be made to initiate a scan at a certain time or the attacker could wait until someone uses the scanner.
Real world implications
This method doesn’t pose much of a threat to air-gapped networks as it relies on several conditions being just right for it to work. Firstly, a successful breach would rely on there being a multifunction printer with a scanner connected to the isolated network and secondly, the scanner would need to be open or at least in use. But the most glaring problem with this attack technique is that if there is no window in the room where the isolated system is contained, it’s back to the drawing board for our would-be attackers.
Mind the gap
Air gaps are considered to be a reliable way to secure sensitive data and systems but no system is without its weaknesses. The examples discussed in this blog are all related to work carried out by security researchers in an effort to raise awareness around potential security weaknesses in air-gapped networks. Luckily, these researchers present their work to the public so that relevant measures can be put in place to protect against the weaknesses they highlight. Unfortunately, cybercriminals don’t publish their work in scientific journals or give talks at security conferences, so we have no way of countering their attack techniques until they’re uncovered. If there’s one thing we can be sure of, it’s that the bad guys are always hard at work figuring out new ways to get to the stuff we don’t want them to reach.
Your database has been breached, malware has infected your systems and sensitive records are available for anyone to download on the internet. Your first action is to launch an investigation to find out more about the breach. The report shows that the vulnerability has been exploited for months and all forensic logs have been deleted. 
