Every CISO dreams of the unhackable computer. A common method of bullet-proofing a system is to disconnect it from the outside world.[1] No Internet. No wireless. No modem. Then you surround the computer with guards and gates. This is called an air-gapped system and it is supposedly hack-proof.
In reality, it’s not.
In 2010, the Stuxnet malware was discovered to have jumped an air gap and compromised nearly a fifth of Iran’s nuclear centrifuges, causing significant setbacks.[2] The Stuxnet malware was later credited to the United States and Israel working together to cripple the Iranian nuclear program.[3] Indeed, hacking air-gapped systems is the realm of the advanced attacker.
While air-gapped systems are used in secure military agencies and related industries, they can be found elsewhere. Any critical system that must not be tampered with or eavesdropped on is often air-gapped as well. This includes life-sustaining medical equipment, critical stores of highly valuable intellectual property, and the Supervisory Control And Data Acquisition (SCADA) systems that control water and power systems. Cryptocurrencies like Bitcoin and Ethereum also make use of air-gapped storage systems called cold wallets to securely store the private key that can unlock the currency.[4]
Penetrating an Air Gap
So, how does an attacker get into a computer with no connections to the outside world? One way is to do what attackers did in the olden days: put the malware on a floppy disk. I spent a good part of my early career cleaning the Stoned virus[5] off campus computer lab systems. We don’t have floppy drives anymore, thank goodness. However, we do have the modern equivalent: the USB thumb drive. Stuxnet used USB-delivered malware to get its payload into the air-gapped centrifuge systems. This technique appears to be a common trick in the CIA repertoire for striking air-gapped systems.[6] Project Sauron, another advanced piece of malware, hides on a USB drive to get into air-gapped targets.[7]
Another way to compromise an air-gapped system is to “pre-penetrate” it before it ends up in the air gap by sabotaging its supply chain. It’s not unusual for an advanced attacker to study their victim and determine their technical infrastructure. Then the attacker can go after the easier targets—the suppliers—to hide booby traps in the hardware or software. There are several known cases of attackers hiding malware[8] or secret back doors[9] in software libraries that are later incorporated into production applications. We’ve also seen advanced attackers go after large service providers to get to their customers.[10] Even anti-virus suppliers are not immune to being co-opted for use in attacks against their customers’ systems.[11] Some of the nastiest surprises can come from an attacker planting malware in the computer’s firmware itself, where it stays hidden until the time is right.[12]
If attackers can’t trick a technician or a user into carrying an infected USB, they can always resort to bribing or coercing an insider to do it.
Exfiltrating from the Air Gap
Assuming the mission isn’t destruction (as with Stuxnet) or ransomware, then the real trick is getting the stolen data out. If the attacker used a USB stick to get the malware in, they could use the same method to get the data out. The infamous leaker Chelsea Manning physically transported gigabytes of secret video files on a CD out of a Sensitive Compartmented Information Facility (SCIF), the US military’s version of an air-gapped system.[13]
An attacker can’t always count on an insider or someone else to unknowingly carry a USB with the data back out of a facility. But there are many ways of sending information over a distance. Anyone who’s formally studied computer science has probably heard of information theory. Information theory postulates that anything you can cause to vary can be used to transmit information. This is called “the difference that makes a difference.”[14] As long as both sides of a conversation can interpret the message, lots of things can be used as a transmission medium, from dots and dashes over the radio[15] to knocks against a wall.[16]
We know that the malware is in control of the air-gapped computer, so it can encode signals in any manner the attacker chooses. The attacker can then place a receiving device to make contact over a channel that can propagate across the air gap. Here’s the real twist: that receiving device can be nothing more than an ordinary smartphone running the attacker’s decoder software. This leaves a lot of possibilities for exfiltration.
The simplest is the one we humans use: sound. Computer speakers can easily produce sound at frequencies inaudible to human hearing (18-24 Hz) that can be decoded by a cellphone up to 25 feet away.[17] No speakers on the air-gapped computer? Microphones can also work as speakers.[18] No speakers or microphones? The hard drive actuator arm can be clacked to send audio signals, as well.[19] Solid state drives with no moving parts? Then the fans on the computer also produce noise and can be altered by malware to transmit information.[20]
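From the defender’s side, the acoustic channel is worth watching for precisely because a PC speaker has no business emitting steady energy above the audible range. The following is an added example, not code from the original post or from any of the cited research: a small pure-Python monitor that takes one frame of captured audio, computes a Hann-windowed spectrum, and alerts when the near-ultrasonic band carries a suspicious share of the energy relative to the audible band. The sample rate, frame length, band edges, alert threshold and the two test frames are all constructed assumptions for the example; a real deployment would feed it frames from a microphone near the air-gapped host and calibrate the threshold against the room’s baseline.

```python
import cmath
import math
import random

SAMPLE_RATE = 48_000                 # Hz; assumed capture rate of the monitoring microphone
FRAME = 512                          # samples per analysis frame (~10.7 ms at 48 kHz)
ULTRA_BAND = (17_000.0, 24_000.0)    # near-ultrasonic band a PC speaker can still drive (assumed)
AUDIBLE_BAND = (100.0, 16_000.0)     # normal speech/music energy lives here
ALERT_RATIO = 0.02                   # assumed alert threshold; tune against the room's baseline


def power_spectrum(samples):
    """Hann-windowed naive DFT; returns power per bin for k = 0 .. N/2.

    A naive O(N^2) DFT keeps the example dependency-free; at N = 512 it is
    fast enough for a demonstration (swap in numpy.fft.rfft for production).
    """
    n = len(samples)
    windowed = [x * (0.5 - 0.5 * math.cos(2 * math.pi * i / n)) for i, x in enumerate(samples)]
    powers = []
    for k in range(n // 2 + 1):
        acc = sum(windowed[i] * cmath.exp(-2j * math.pi * k * i / n) for i in range(n))
        powers.append(abs(acc) ** 2)
    return powers


def band_power(powers, lo_hz, hi_hz, sample_rate=SAMPLE_RATE, frame=FRAME):
    """Sum the power of every bin whose centre frequency lies in [lo_hz, hi_hz]."""
    bin_hz = sample_rate / frame
    return sum(p for k, p in enumerate(powers) if lo_hz <= k * bin_hz <= hi_hz)


def ultrasonic_ratio(samples):
    """Energy in the near-ultrasonic band divided by energy in the audible band."""
    powers = power_spectrum(samples)
    return band_power(powers, *ULTRA_BAND) / (band_power(powers, *AUDIBLE_BAND) + 1e-12)


def is_suspicious(samples, threshold=ALERT_RATIO):
    """True when the frame carries more high-band energy than a normal room should."""
    return ultrasonic_ratio(samples) > threshold


def synth_frame(tones, noise=0.01, seed=1):
    """Constructed test audio: a list of (freq_hz, amplitude) tones plus a little noise."""
    rng = random.Random(seed)
    return [
        sum(a * math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f, a in tones)
        + rng.uniform(-noise, noise)
        for i in range(FRAME)
    ]


# Constructed frames: ordinary audible content vs. the same content plus a
# near-ultrasonic carrier of the kind the text describes.
BENIGN = synth_frame([(440.0, 0.5)])
SUSPICIOUS = synth_frame([(440.0, 0.5), (18_750.0, 0.2)])

if __name__ == "__main__":
    for name, frame in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(f"{name}: ratio={ultrasonic_ratio(frame):.4f} alert={is_suspicious(frame)}")
```

The ratio rather than an absolute level is what makes the check usable: a loud room raises both bands together, while a covert carrier raises only the high band. The Hann window matters too; without it, spectral leakage from the audible tone would bleed enough energy into the upper bins to make a fixed threshold unreliable.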
Obviously, an air-gapped computer isn’t going to have working Wi-Fi networking, but there are other ways to generate a radio signal. In fact, the first personal computers were notorious for generating extraneous radio emissions from their poorly shielded electrical components.[21] The processors or even a long USB cable can be converted to a radio transmitter that can send signals on FM radio or cell phone frequencies that can even penetrate Faraday radio shielding.[22]
The electrical socket the computer is plugged into can also be used as a covert channel. The technique of sending signals over power lines was actually a common home automation method for decades.[23] Even normal network packets can go over electrical lines. Somewhere in my basement, I have a pair of old Ethernet-over-powerline (EOP/Powerline) modems that were used in the era before Wi-Fi for in-house networking.[24]
A lot of these exfiltration techniques have been demonstrated in the laboratory by Mordechai Guri, an academic researcher specializing in air-gap exfiltration. If you’re interested in how data can be leaked out of air-gapped systems, keep an eye on his Air-Gap Research Page at Ben-Gurion University of the Negev, Israel.[25]
Defending the Air Gap
How do you deal with this problem? Being aware of the specific threats and how they work is the first step. Defenders need to be aware that ordinary smart phones can be turned into spy tools. Banning mobiles anywhere near the air-gapped systems seems like a prudent policy. Consider also the plethora of “smart devices” that could be compromised and turned into covert channel receivers.
Protecting against the known attack vectors is also a good idea. If USB memory sticks need to be used, then they should be very thoroughly scrutinized first. Auditing the supply chain is also a good idea. There will always be the possibility of malicious insiders, so it’s important to log and review their actions, looking for suspicious behavior.
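Scrutinizing USB media and reviewing insider actions both come down to the same thing in practice: an inventory of approved devices and a log of who attached what, where, and when. The following is an added example, not code from the original post: it parses a constructed, hypothetical key=value event log of USB attach/detach events from hosts in the air-gapped enclave and raises findings for media that are not on the approved inventory, approved media used by someone other than their registered owner, and any attach outside the enclave’s working hours. The log format, serial numbers, host names, users and working-hours window are all assumptions for the example.

```python
import re
from collections import namedtuple
from datetime import datetime, time, timezone

# Inventory of scrutinized removable media (constructed serials and owners).
APPROVED_MEDIA = {
    "4C53000123": {"owner": "jsmith", "label": "transfer stick #1"},
    "4C53000124": {"owner": "mlee", "label": "transfer stick #2"},
}
WORK_HOURS = (time(7, 0), time(19, 0))   # assumed window during which transfers are expected

# Constructed sample events in a hypothetical key=value format (UTC timestamps).
SAMPLE_LOG = """\
2024-03-04T09:12:41Z host=ag-eng-01 user=jsmith event=usb_attach vid=0781 pid=5583 serial=4C53000123
2024-03-04T09:13:05Z host=ag-eng-01 user=jsmith event=usb_detach vid=0781 pid=5583 serial=4C53000123
2024-03-04T14:30:10Z host=ag-eng-02 user=mlee event=usb_attach vid=0781 pid=5583 serial=4C53000124
2024-03-04T22:47:03Z host=ag-eng-02 user=mlee event=usb_attach vid=0951 pid=1666 serial=ZZ99UNKNOWN
2024-03-05T03:02:19Z host=ag-eng-03 user=jsmith event=usb_attach vid=0781 pid=5583 serial=4C53000124
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
    r"vid=(?P<vid>[0-9a-f]{4}) pid=(?P<pid>[0-9a-f]{4}) serial=(?P<serial>\S+)$"
)

Finding = namedtuple("Finding", "kind ts host user serial")


def parse_events(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # in production, count these: unparsable lines are a signal too
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return events


def audit(events):
    """Apply the three policy checks to every attach event and return the findings."""
    findings = []
    for e in events:
        if e["event"] != "usb_attach":
            continue
        approved = APPROVED_MEDIA.get(e["serial"])
        if approved is None:
            findings.append(Finding("UNAPPROVED_MEDIA", e["ts"], e["host"], e["user"], e["serial"]))
        elif approved["owner"] != e["user"]:
            findings.append(Finding("OWNER_MISMATCH", e["ts"], e["host"], e["user"], e["serial"]))
        if not (WORK_HOURS[0] <= e["ts"].time() <= WORK_HOURS[1]):
            findings.append(Finding("AFTER_HOURS", e["ts"], e["host"], e["user"], e["serial"]))
    return findings


def audit_log_text(text):
    """Convenience wrapper: parse then audit a whole log."""
    return audit(parse_events(text))


if __name__ == "__main__":
    for f in audit_log_text(SAMPLE_LOG):
        print(f"{f.kind:17} {f.ts.isoformat()} {f.host} {f.user} {f.serial}")
```

The serial number is the key the whole check hangs on, so the inventory step that assigns a device to an owner has to record it; vendor and product IDs alone are shared by every unit of a model and cannot distinguish an approved stick from an attacker’s copy of the same product. Detach events are parsed but not judged here; pairing them with attaches to measure dwell time is a natural extension.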
Finally, defenders should always remember the assume-breach principle. Advanced attackers targeting air-gapped systems may have superior capabilities, so it is prudent to expect them to get in one day. Assuming they did get in, how would you design your systems and your response processes? It’s better to expect the worst than to deal with an unpleasant surprise.
Note that many of these defensive techniques are useful whether you use air-gapped systems or not. They are all good ideas for any organization looking to defend themselves against cyber-attack.