An air gap – meaning, a computer without direct network access of any kind – seems like the perfect solution to the gossamer threads of connectivity. You can’t hack something you can’t connect to. But air gapped systems aren’t unhackable.
That’s not to say air gaps don’t have their place. They can make life hard for hackers. Some really important servers – those that run power plants, train switches or backend banking systems, or that act as command and control for nuclear weapons systems – don’t need persistent network connectivity. But isolating a network won’t, by itself, keep it safe from data breach or disruption.
When hackers imagine how to breach these systems, they look for a method that will allow: regular, even if intermittent, access; a vehicle to execute code and extract data; and an opportunity to proliferate throughout a network.
Most people tend to think that the only way to jump an air gap is to use “close access operations,” government parlance for putting an asset on the ground. This is only sexy in the movies. Good hacks don’t require climbing into the bowels of a supercomputer and hanging upside down to get data. Finding an agent for penetration is not easy, and there are a lot of reasons why recruiting an insider, witting or not, isn’t ideal.
Developing a close access operative counterintuitively takes a lot longer than other approaches. Its biggest problem is that it is only effective once. What you really want is a persistent method of gaining access, such as a backdoor you open and walk through again and again.
Some hackers have touted “side channel attacks,” which pry data loose with elaborate, Rube Goldberg-like methods involving strings of sensors and listening devices. The first of these was probably Van Eck phreaking, which reconstructed what a CRT monitor was displaying from the electromagnetic emanations of its video circuitry. Since then, people have demonstrated leaks from mice, keyboards and other devices that radiate a measurable signal. These techniques can carry data out, but they give the attacker no way to execute code on the target. Also, while a lot of them are possible in principle, they’re a bit like planning a helicopter heist to grab someone’s wallet. The simplest method is often the best.
The truth is that social engineering, manipulating people, is the best way into an air gapped network. Unsurprisingly, a human element is cited as the root cause of the large majority of data breaches; figures above 95 percent are commonly quoted. The vulnerabilities are routinely found in well-meaning employees and in standard operating procedures, not in the isolation itself.
Social engineering works because computers inevitably need new software, an update or a patch. They may need new data, or need data removed from them. Every one of those transfers is a bridge across the gap, usually a USB stick or a laptop carried in for maintenance. Air gapped computers may eventually end up connected to outside networks as part of routine operating procedures. In fact, true air gaps are a myth.
Hackers are most successful when they go after people with access and use them, unwittingly, as the pivot into the closed system. In 2008, the Department of Defense found that its classified networks had been infected by malware attributed to Russian intelligence after an individual inserted an infected USB thumb drive into a machine on the classified network. That simple act created a digital beachhead from which the agent.btz worm spread throughout the network. It took 14 months and a dedicated counter operation, named Operation Buckshot Yankee, to resolve the breach, and the episode became a turning point for the U.S. military’s approach to cyber defense.
Ironically, the United States spent the years after Buckshot Yankee terrified of Chinese hacking, only to have Russia pull off what may have been the hack of the century – last year’s intrusion into the U.S. election. Hackers look left when everyone else is looking right. It’s our failure of imagination that provides the greatest opportunities for attackers.
The tactic still works. A recent study, in which unlabelled thumb drives were dropped around a university campus, found that roughly half of the people who picked one up plugged it in, out of a mix of curiosity and altruism. In other words, they assumed the device had been lost, so they plugged it in, hoping to locate the owner.
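Since the USB path above is the one that actually gets used, the check a practitioner wants is an intake step for removable media before it is carried to an isolated host. The following is an added example written for this article, not code from the original author: it inspects a directory standing in for the root of a mounted drive, parses any autorun.inf (the propagation mechanism agent.btz relied on) for keys that launch something, and lists every executable present on the media. The drive layout, file names and payload bytes are constructed sample data, and the policy that any finding quarantines the stick is an assumption.

```python
"""Intake check for removable media before it reaches an isolated host.

Added example for this article, not code from the original author. It targets
the propagation pattern agent.btz is known for: an autorun.inf at the drive
root that tells Windows to run a payload stored on the stick. The drive built
below is constructed sample data, not a real capture.
"""
import configparser
import re
import tempfile
from pathlib import Path

# Extensions Windows will execute directly from removable media.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".pif",
                       ".bat", ".cmd", ".vbs", ".js", ".lnk"}
# autorun.inf keys whose value names something to run.
AUTORUN_RUN_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun(path: Path) -> dict:
    """Return the [autorun] section of an autorun.inf as a lowercase-keyed dict.

    autorun.inf is an INI file; section and key names are case-insensitive on
    Windows, so both are folded to lowercase here. Unparseable files yield {}.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str.lower
    try:
        parser.read_string(path.read_text(encoding="utf-8", errors="ignore"))
    except configparser.Error:
        return {}
    for section in parser.sections():
        if section.lower() == "autorun":
            return dict(parser.items(section))
    return {}


def referenced_files(root: Path, command: str) -> list:
    """Tokens of an autorun command that name a file present on the media."""
    hits = []
    for token in re.split(r"[\s,]+", command):
        # Strip quotes and a leading ".\" and normalise to forward slashes.
        rel = token.strip('"').lstrip(".\\").replace("\\", "/")
        if rel and (root / rel).is_file():
            hits.append(rel)
    return hits


def inspect_drive(root: Path) -> list:
    """Return human-readable findings for a drive root; [] means nothing flagged.

    Assumed policy: any finding at all means the media is quarantined.
    """
    findings = []
    autorun = next((p for p in root.iterdir()
                    if p.name.lower() == "autorun.inf"), None)
    if autorun is not None:
        findings.append("autorun.inf present at drive root")
        for key, value in parse_autorun(autorun).items():
            if key in AUTORUN_RUN_KEYS:
                refs = referenced_files(root, value)
                findings.append(
                    f"autorun {key}={value!r} references on-media files: {refs}")
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES:
            findings.append(
                f"executable on media: {p.relative_to(root).as_posix()}")
    return findings


def build_sample_drive(base: Path) -> Path:
    """Construct a stick whose autorun.inf launches a DLL hidden in a recycler folder.

    Constructed sample data; the file names are illustrative, not agent.btz's.
    """
    root = base / "usb"
    (root / "recycler").mkdir(parents=True)
    (root / "Autorun.inf").write_text(
        "[AutoRun]\r\n"
        "open=rundll32.exe .\\recycler\\payload.dll,Install\r\n"
        "icon=shell32.dll,4\r\n")
    (root / "recycler" / "payload.dll").write_bytes(b"MZ" + b"\x00" * 62)
    (root / "budget.xlsx").write_bytes(b"PK\x03\x04")  # what the courier meant to carry
    return root


def build_clean_drive(base: Path) -> Path:
    """Construct a stick carrying only the document it was supposed to carry."""
    root = base / "clean"
    root.mkdir(parents=True)
    (root / "budget.xlsx").write_bytes(b"PK\x03\x04")
    return root


def run_demo() -> list:
    """Inspect the constructed malicious stick and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return inspect_drive(build_sample_drive(Path(tmp)))


def run_clean() -> list:
    """Inspect the constructed clean stick; expected to return []."""
    with tempfile.TemporaryDirectory() as tmp:
        return inspect_drive(build_clean_drive(Path(tmp)))


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Run against a real mount point by calling inspect_drive(Path("/media/usb")) or the equivalent; the point of the check is that it runs on a dedicated scanning station, never on the isolated host itself, and that the media is rejected on any finding rather than cleaned in place.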
The same weakness makes phishing the easiest path toward an air gap. It takes various forms, such as emails with fake login pages that steal credentials, or booby-trapped websites. A hacker goes after employees who have access to the target server, at home or at a different workstation, and rides their credentials, their removable media or their routine transfers into the closed system.
The bottom line: super high-tech snooping and black bag intrusions are overkill as long as you can manipulate the weakest part of the system – people.