SoS Musings - Jumping the Air Gap in Security

By grigby1 

The question remains as to whether air-gapping effectively secures highly sensitive computer networks and systems. The purpose of air-gapping a computer is to guarantee that it remains disconnected from the Internet and any other Internet-connected systems, in order to safeguard it from unsecured networks. A computer achieves true air-gapping when it exclusively allows data input solely from a USB flash drive or any other form of removable media. Air-gapped machines are commonly used in environments requiring high security, including military, government, financial services, and Industrial Control Systems (ICS). Systems considered life-critical, such as aviation computers, nuclear power plant systems, and medical facility systems, are also often air-gapped. Nevertheless, air-gapping is still not a silver-bullet security solution for organizations, as research has proven that this security strategy can be defeated by threat actors. Due to the fact that air-gapped networks are designed to safeguard highly sensitive information, they are attractive to highly motivated adversaries, such as nation states, that possess the resources necessary to launch attacks against these isolated systems. Studies have demonstrated that determined adversaries can successfully compromise air-gapped systems and networks.

Mordechai Guri, head of Offensive Cyber Research Lab, in the Department of Software and Information Systems Engineering at Ben-Gurion University of the Negev, Israel, and his team of researchers have conducted many studies on communicating with air-gapped computers through covert channels. In a paper titled "Air-Gap Electromagnetic Covert Channel" Guri and his team present a covert channel attack in which an insider or spy with a mobile phone or laptop can intercept information from the air-gapped computer. Malware on an air-gapped computer can generate radio waves by executing specially crafted code on the system of interest. The malicious code exploits modern computers' dynamic power consumption and manipulates the momentary loads on CPU cores, thus enabling the malware to control the computer's internal utilization and generate low-frequency electromagnetic radiation in the 0 - 60 kHz band. A nearby mobile phone can receive sensitive data like files, encryption keys, and biometric data modulated over the signals. Guri and his team demonstrated that a malicious insider or visitor can use a smartphone or laptop with a $1 antenna as a covert receiver. The attack is highly evasive because it runs from a user-level process, does not require root privileges, and works in Virtual Machines (VMs). In another study, Guri and his team present "AirKeyLogger," a novel Radio Frequency (RF) keylogging attack for air-gapped computers. The team's keylogger exploits radio emissions from a computer's power supply, exfiltrating real-time keystroke data to a remote attacker. No physical hardware is needed for the AirKeyLogger attack. Alternatively, it can be executed through a software supply chain attack and is exclusively dependent on software manipulations. By applying global hooking techniques or injecting malicious code into a running process, malware on a sensitive, air-gapped computer can intercept keystroke logging. In order to leak data, the processor's frequencies are manipulated, generating a pattern of electromagnetic emissions from the power unit modulated by keystrokes. An RF receiver or smartphone with an antenna can receive keystroke information at distances of several meters. Another recent study by Guri and his team titled "GPU-FAN: Leaking Sensitive Data from Air-Gapped Machines via Covert Noise from GPU Fans" showed that attackers can leak data from air-gapped networks through covert acoustic signals. Their method works without speakers on infected computers. Malware on the computer can use the Graphics Processing Unit (GPU) fan and control its speed. Although slight changes in Rotation Per Minute (RPM) speed are imperceptible to users, they can be used to modulate and encode binary information. Nearby compromised smartphones or laptops can receive the covert acoustic signals as well as demodulate and decode the binary information.

Defeating the air-gapping strategy poses a significant threat to critical systems, including those used for monitoring and controlling industrial processes. For example, during the investigation of cyberattacks against Industrial Control Systems (ICS) and critical infrastructure in Eastern Europe, researchers found a novel second-stage malware that bypasses air-gapped data security. Threat actors wanted to achieve persistent presence on target networks to steal data. To gain initial ICS network access, attackers used known remote access and data collection tools. They then launched modular malware against the air-gapped ICS networks, infecting removable storage drives with a worm capable of exfiltrating data. The malware, designed to exfiltrate data from air-gapped systems by infecting removable drives, had at least three modules that profile removable drives, capture screenshots, plant second-step malware on newly connected drives, and more.

Although isolated systems offer higher levels of security compared to other methods, air-gapping alone is not a foolproof solution for safeguarding critical networks and systems against cyberattacks. Research continues to show that an attacker equipped with adequate resources, technical expertise, and a high level of determination can successfully breach air-gapped systems. Security measures for sensitive systems need to extend beyond limiting access to personal computers, laptops, and removable media. Furthermore, security professionals are advised to employ sophisticated measures to protect isolated systems, including conducting Deep Packet Inspection (DPI), enforcing Multi-Factor Authentication (MFA), and more. 

To see previous articles, please visit the Science of Security Musings Archive.