SoS Musings #34 - Mind the Air Gap

SoS Musings #34 -
 

Mind the Air Gap

Is air-gapping an effective method of securing highly sensitive computer networks and systems? The idea behind air-gapping a computer is to ensure that it is not connected to the internet or any other internet-connected systems to protect it from unsecured networks. A computer is truly air-gapped when it can only accept data from a USB flash drive or other removable media. Air-gapped machines are often found in high-security environments such as those in the realms of military, government, financial services, and industrial control systems. Life-critical systems, including aviation computers, FADECs (Full Authority Digital Engine Control), and Avionics, as well as those used in nuclear power plants and medical facilities, are also often air-gapped. However, air-gapping gives organizations a false sense of security, as there have been studies that demonstrate the possibility of defeating this security strategy. Researchers have shown that even truly air-gapped networks can be compromised by determined adversaries.

Mordechai Guri, director of the Cybersecurity Research Center at Ben Gurion University (BGU), and his team of researchers have conducted many studies on how communication with air-gapped computers can occur through the development of covert channels. They created malware, called Fansmitter, to alter the speed at which a computer's internal fan rotates so that the sound it produces can be controlled, encoded, and picked up by any listening device such as a smartphone. Another proof-of-concept attack devised by BGU, called BitWhisper, uses heat emissions and an air-gapped computer's built-in thermal sensors to send commands to the computer or steal data from it. In a video demonstration of the BitWhisper attack, researchers showed one computer emitting heat and sending a command to an adjacent air-gapped computer to change the position of a missile-launch toy connected to the air-gapped system. BGU researchers also demonstrated the use of the Caps Lock, Num Lock, and Scroll Lock LEDs on a keyboard to exfiltrate data from a secure air-gapped system. The method, which they named CTRL-ALT-LED, was tested on a variety of different optical capturing devices, including smartphone cameras, security cameras, high-grade optical/light sensors. It involves the use of malware to make the LEDs of a USB-connected keyboard blink fast in a certain pattern, which could then be encoded, recorded, and decoded by hackers to get information from the air-gapped system. In another attack demonstrated by BGU researchers, a drone was used to capture and steal data from an air-gapped computer's blinking Hard-Disk Drive (HDD) and then decode the information from its blinking light. Another method, called MOSQUITOuses speakers to secretly transmit data via inaudible ultrasonic sound waves between air-gapped computers at a maximum distance of nine meters away from each other. An attack, dubbed aIR-Jumper, could be executed to jump an isolated network's air gap to exfiltrate data and send commands by controlling the infrared (IR) LEDs inside surveillance cameras. The BGU researchers also developed malware, called AirHopper, which is capable of decoding radio frequencies emitted from an isolated computer's monitor, video card, or cable to steal data. AirHopper picks up data from an air-gapped machine using the FM radio receivers contained by many mobile devices. Out of all of the covert channels developed by Guri and his team of researchers, MAGNETO is considered the most dangerous in that it can allow attackers to steal data from air-gapped computers in Faraday cages, which are metallic enclosures designed to block all radio signals. MAGNETO is performed by installing malware on an air-gapped computer to coordinate the operations of the computer’s CPU cores. These processes generate magnetic fields that could then be captured by a phone’s magnetometer via an app developed by BGU researchers, called ODINI. Security researchers' studies, focused on defeating air-gapped systems, are intended to raise awareness about the potential security vulnerabilities of this security strategy and the ways in which they can be avoided.

The ability to beat air-gaps poses a significant threat to critical systems such as those used to monitor and control industrial processes. Security researchers at CyberX, a major ICS security vendor, were able to exfiltrate sensitive data from an air-gapped ICS network by injecting specially-written ladder logic code into Programmable Logic Controllers (PLCs). The code, explicitly written to be injected into PLCs, converted radio signals into a coded form, which can then be received by regular AM radios, allowing sensitive data to be extracted from the air-gapped ICS network. According to researchers, PLCs ease the performance of data exfiltration because they run embedded real-time operating systems and have limitations in regard to processor and memory resources, making it difficult to run anti-malware programs. The execution of this attack relies on the abuse of the intrinsic characteristics of most modern industrial protocols that stem from insecure design, such as poor authentication. The technique demonstrated by researchers could be used by hackers to steal highly sensitive data such as proprietary formulas, nuclear blueprints, and other corporate trade or military secrets. Hackers could also gather reconnaissance data pertaining to ICS network topologies and device configurations that could later be used to execute damaging attacks. Operations supposedly conducted by Russian government hackers from 2016 to 2018 brought further attention to the potential dangers of jumping air-gapped networks. According to the US Department of Homeland Security (DHS), the Russian hackers allegedly were able to gain access into isolated air-gapped networks in control rooms at US electric utilities to gather confidential information and blueprints that would give them insight into the inner workings of America's power plants and grid. The Kudankulam Nuclear Power Plant (KKNPP) in Tamil Nadu, India faced a cyberattack, which showed that air-gapped systems at nuclear facilities are still vulnerable to targeted attacks in which hackers exploit human weaknesses and supply chains. Critical infrastructures require more advanced protection from cyberattacks than isolation.

While isolated systems are more secure than others, air-gapping is not a silver bullet solution to protecting critical networks and systems from cyberattacks. Studies continue to prove that an attacker with the right resources, technical skills, and level of determination, can gain access to air-gapped systems. Therefore, defenses surrounding highly sensitive systems must go beyond the restriction of personal computers, laptops, and removable media. In addition to air-gapping, security experts are encouraged to implement advanced defenses for isolated systems such as performing deep packet inspection, deploying firewalls, using intrusions detection systems, applying layered authentication controls, and more.