In the world of network security, the term air gap refers to a situation in which a computer network is physically separated from other networks, particularly from less secure and public networks such as the internet. Today, air-gapped networks are widely used in military defense systems, critical infrastructure, the financial sector, and other industries.
Air-gap isolation is maintained by enforcing strict organizational policies, which include forbidding unvetted external devices and media from being connected to the network, and by using advanced intrusion detection and prevention systems to catch intentional and accidental security breaches.
A well-known example of an air-gapped network is the Joint Worldwide Intelligence Communications System, a classified network belonging to the U.S. Defense Intelligence Agency. It is used to transmit classified documents among the U.S. departments of Defense, State, Homeland Security and Justice.
In the last decade it has been shown that even air-gapped networks are not immune to breaches. In order to break into such networks, attackers have used complex attack vectors, such as planting access during the supply chain, use of malicious insiders, and social engineering. Using these methods, attackers can penetrate air-gapped networks while bypassing defense measures such as firewalls, antivirus programs, intrusion prevention systems, and intrusion detection systems.
For example, a classified network belonging to the U.S. military was compromised in 2008 by a computer worm known as Agent.Btz. According to reports, a foreign intelligence agency supplied infected thumb drives to retail kiosks near NATO headquarters in Kabul. A malicious thumb drive was inserted into a computer connected to U.S. Central Command. The worm spread to both classified and unclassified networks.
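The Agent.Btz case came in over a removable thumb drive, which is exactly the kind of event the policies above are meant to catch. The following is an added example, not code from the original article or from any of the systems it names: a small detector that correlates Linux kernel log lines for a USB device's vendor/product IDs with the later "USB Mass Storage device detected" notice and flags any storage device that is not on a site allowlist. The allowlist and the log lines are constructed for the example; the "New USB device found" and "USB Mass Storage device detected" wording is the standard kernel message text.

```python
"""Flag removable-storage insertions on an air-gapped host from kernel log lines.

Added example, not part of the original article. It assumes Linux syslog-style
kernel messages and a hypothetical site allowlist of approved
(idVendor, idProduct) pairs. The sample log below is constructed.
"""
import re

# Hypothetical site allowlist: only this one approved transfer device may be used.
APPROVED_DEVICES = {("0951", "1666")}

# The kernel logs the IDs on one line (keyed by USB port path) ...
NEW_DEVICE_RE = re.compile(
    r"kernel: usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
# ... and the mass-storage class notice on a later line for the same port.
MASS_STORAGE_RE = re.compile(
    r"kernel: usb-storage (?P<port>[\d.-]+):[\d.]+: USB Mass Storage device detected"
)


def find_unapproved_storage(log_lines, approved=APPROVED_DEVICES):
    """Return (port, vid, pid) for every mass-storage device not on the allowlist.

    Vendor/product IDs arrive before the mass-storage notice, so the parser
    remembers them per port path and looks them up when the notice appears.
    A storage notice whose IDs were never seen is reported with "????".
    """
    ids_by_port = {}
    alerts = []
    for line in log_lines:
        m = NEW_DEVICE_RE.search(line)
        if m:
            ids_by_port[m["port"]] = (m["vid"], m["pid"])
            continue
        m = MASS_STORAGE_RE.search(line)
        if m:
            vid, pid = ids_by_port.get(m["port"], ("????", "????"))
            if (vid, pid) not in approved:
                alerts.append((m["port"], vid, pid))
    return alerts


# Constructed sample log: an approved drive, a keyboard, an unapproved drive,
# and a storage notice whose ID line is missing.
SAMPLE_LOG = [
    "Mar 10 09:12:01 ws01 kernel: usb 1-1.2: new high-speed USB device number 5 using xhci_hcd",
    "Mar 10 09:12:01 ws01 kernel: usb 1-1.2: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.00",
    "Mar 10 09:12:01 ws01 kernel: usb-storage 1-1.2:1.0: USB Mass Storage device detected",
    "Mar 10 09:15:44 ws01 kernel: usb 1-1.3: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00",
    "Mar 10 09:15:44 ws01 kernel: input: Logitech USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1.3/1-1.3:1.0/input/input12",
    "Mar 10 09:21:07 ws01 kernel: usb 1-1.4: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00",
    "Mar 10 09:21:07 ws01 kernel: usb-storage 1-1.4:1.0: USB Mass Storage device detected",
    "Mar 10 09:30:00 ws01 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected",
]

if __name__ == "__main__":
    for port, vid, pid in find_unapproved_storage(SAMPLE_LOG):
        print(f"ALERT: unapproved mass-storage device {vid}:{pid} on usb {port}")
```

The check is deliberately based on the storage class, not on vendor IDs alone: a keyboard with an unknown ID produces no alert, while a storage device with a known-good ID on a port that never announced its IDs is still reported, since an allowlist match cannot be established.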
Another publicized air gap breach case is the Stuxnet worm that was found to have sabotaged Iran’s nuclear facility in Natanz in 2010.
Once an attacker acquires a foothold within an air-gapped network, they can extract information from it. For example, a nation-state attacker may want encryption keys, keylogging data, or certain files. But while infiltrating air-gapped systems has been shown to be feasible, exfiltrating data from systems without internet connectivity is a challenging task.
Alternative, out-of-band communication channels have been suggested in the past. These channels allow attackers to pull data from isolated computers. When such communication is also covert, it is typically referred to as an air-gap covert channel. Such covert channels have been the subject of academic research for the past 20 years. They can broadly be categorized as electromagnetic, acoustic, thermal, and optical methods.
In the case of electromagnetic covert channels, electromagnetic emissions generated by hardware components within the computer are used to carry the leaked sensitive data. One such exfiltration method, discovered in the early 2000s and known as Soft Tempest, involved hidden data transmission using electromagnetic waves emanating from video cables. A different piece of malware, known as AirHopper, can bridge the air gap between computers and mobile phones as far away as a few meters by generating hidden FM radio signals from the computer’s video card. These signals can be picked up by a malicious app running on the mobile phone.
In another instance, a malware known as GSMem can generate electromagnetic emissions at cellular frequencies and transmit them to a nearby mobile phone. Similarly, a malware called USBee transforms the USB cable connected to a computer into an antenna to transmit data.
Attackers can use ultrasonic signals to transmit data between two disconnected computers. In this method, data is encoded in sound at frequencies above the hearing range of an adult human. Ultrasonic methods require audio speakers in the transmitting computer and a microphone in the receiving computer. Last year, cyber security specialists discovered that air-gapped computers could transmit data via the noise emitted from their cooling fans and hard-disk drives.
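The acoustic channel just described has a simple physical signature a defender can look for: a sustained concentration of audio energy in a narrow band above the audible range. The following is an added example, not code from the original article or from any research project it mentions. It assumes 48 kHz PCM audio is available as a list of float samples (for instance from a microphone placed in the server room) and measures, per 20 ms frame, the share of the frame's energy that falls between 18 and 20 kHz using the Goertzel algorithm; an alert is raised only when that share stays high for many consecutive frames. The test signals are constructed inline: background noise plus an audible 400 Hz hum, with and without a 19 kHz carrier.

```python
"""Detect sustained ultrasonic energy in audio frames (added example, not from
the article). Assumes 48 kHz mono PCM samples in [-1, 1]; the signals used
below are constructed here. Pure Python, no numpy.
"""
import math
import random

SAMPLE_RATE = 48_000
FRAME = 960                 # 20 ms per frame, 50 Hz bin spacing
ULTRASONIC_LO_HZ = 18_000   # band of interest: just above adult hearing
ULTRASONIC_HI_HZ = 20_000
SHARE_THRESHOLD = 0.05      # >5% of frame energy in the band is suspicious


def goertzel_power(frame, k):
    """|X[k]|^2 for DFT bin k of `frame`, via the Goertzel recurrence."""
    n = len(frame)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in frame:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2


def band_fraction(frame, lo_hz=ULTRASONIC_LO_HZ, hi_hz=ULTRASONIC_HI_HZ):
    """Fraction of the frame's energy lying in [lo_hz, hi_hz].

    By Parseval's theorem the sum of |X[k]|^2 over all n bins equals
    n * sum(x^2), so dividing the band's bin powers by that gives a share in [0, 1].
    """
    n = len(frame)
    total = sum(x * x for x in frame)
    if total == 0.0:
        return 0.0
    lo_bin = math.ceil(lo_hz * n / SAMPLE_RATE)
    hi_bin = math.floor(hi_hz * n / SAMPLE_RATE)
    band = sum(goertzel_power(frame, k) for k in range(lo_bin, hi_bin + 1))
    return band / (n * total)


def sustained_ultrasonic(samples, min_frames=10, threshold=SHARE_THRESHOLD):
    """True if at least `min_frames` consecutive frames exceed the band share threshold.

    Requiring a run of frames suppresses one-off clicks and keyboard noise, which
    do carry some ultrasonic energy, while a modulated carrier stays on for seconds.
    """
    run = 0
    for i in range(0, len(samples) - FRAME + 1, FRAME):
        if band_fraction(samples[i:i + FRAME]) > threshold:
            run += 1
            if run >= min_frames:
                return True
        else:
            run = 0
    return False


def make_signal(seconds, carrier, seed=1):
    """Constructed test audio: low-level noise, a 400 Hz hum, optional 19 kHz tone."""
    rng = random.Random(seed)
    out = []
    for n in range(int(seconds * SAMPLE_RATE)):
        x = 0.05 * rng.uniform(-1.0, 1.0)
        x += 0.3 * math.sin(2.0 * math.pi * 400 * n / SAMPLE_RATE)
        if carrier:
            x += 0.2 * math.sin(2.0 * math.pi * 19_000 * n / SAMPLE_RATE)
        out.append(x)
    return out


if __name__ == "__main__":
    print("clean room :", sustained_ultrasonic(make_signal(0.5, carrier=False)))
    print("19 kHz tone:", sustained_ultrasonic(make_signal(0.5, carrier=True)))
```

The energy-share measure is chosen over an absolute level so that the detector does not depend on microphone gain, and the 18 to 20 kHz band (rather than one bin) means a carrier need not sit exactly on a DFT bin to be counted. In deployment, the frame size and thresholds would be tuned against recordings of the room's normal sound.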
Heat can be used to transmit data between two air-gapped computers. A malware called BitWhisper can use a computer’s heat emissions and heat sensors to exchange data with an adjacent computer. Thermal covert channels, however, are fairly slow and can maintain only sluggish command and control channels between the computers.
Finally, optics can be used to jump the air gap. For example, LED status indicators on communication equipment can leak data to remote cameras. In 2002 researchers showed how data can be leaked from an isolated computer using the keyboard’s LEDs. A method called LED-it-GO enables data leakage from air-gapped networks via the hard-drive indicator LED, which exists in almost every computer. The injected malware blinks the LED at high frequencies of thousands of blinks per second. Outside the building, a small quadcopter drone with a camera could receive the Morse-code-like transmission through a window.
However, while leaking data across the air gap has been demonstrated in research labs, it is considered largely a theoretical and academic topic. In real-world situations, most data leakage takes place over the internet, using email, compromised media, or malicious mobile applications. With the advent of cloud storage and the Internet of Things, most data is stored online and is accessible via the internet, making life much easier for attackers.