Jumping Air Gaps

Nice profile of Mordechai Guri, who researches a variety of clever ways to steal data over air-gapped computers.

Guri and his fellow Ben-Gurion researchers have shown, for instance, that it's possible to trick a fully offline computer into leaking data to another nearby device via the noise its internal fan generates, by changing air temperatures in patterns that the receiving computer can detect with thermal sensors, or even by blinking out a stream of information from a computer hard drive LED to the camera on a quadcopter drone hovering outside a nearby window. In new research published today, the Ben-Gurion team has even shown that they can pull data off a computer protected by not only an air gap, but also a Faraday cage designed to block all radio signals.

Here's a page with all the research results.

BoingBoing post.

Posted on February 13, 2018 at 6:26 AM • 42 Comments

Comments

Peter Lind • February 13, 2018 6:55 AM

"Guri and his fellow Ben-Gurion researchers have shown, for instance, that it's possible to trick a fully offline computer into leaking data to another nearby device via the noise its internal fan generates"

Would have been somewhat closer to the truth if the bit had contained the relevant bit of info that the air-gapped machine needs to be malware infected in the first place. Hence, the machine is not "being tricked" into leaking, it is running software that makes it transmit data.

Or, to be a bit more blunt about it. Someone had to have physical access to the machine in the first place. If that was the case, why bother fiddling with the fans.

Roman • February 13, 2018 7:11 AM

@Peter Lind: The point is you need to gain access to the airgapped computer network only once, to set it up, and then can exfiltrate the new data when it becomes available. It is much like putting a bug in an office, to make an analogy.

echo • February 13, 2018 7:13 AM

I thought this was pretty cool. I'm holding out for intercepted Russian data causes buffer overflow in cryptanalysis software giving arbitrary code execution and root access to the NSA for the past 20 years.

Security Sam • February 13, 2018 8:24 AM

Of energy shifts and covert channels
And whatever else behind the panels
Pulling the wool over your eyes
The new paradigm of uncanny spies.

Khavren • February 13, 2018 8:39 AM

Supply chain problem, make sure your systems are not infected on the way in, and that your suppliers have not been compromised and you don't have to worry about these attacks. Third Party management is the new frontier for security.

Clean New Pants • February 13, 2018 8:49 AM

@Peter Lind, thanks for pointing that out.

@Roman, it would have been nice to see that in the headline, or at least the quoted piece. I feel like I've had the crap scared out of me for nothing.

Also...

"... quadcopter drone hovering outside a nearby window."

The obvious solution here is to not use Windows. :D

Retired Secret Squirrel • February 13, 2018 10:10 AM

All of these air gap techniques this group puts out are pointless

Every last one of them requires PHYSICAL access to the target computer either to install malware or be close enough to scan.

If you have that, then you don't need any of this garbage.

Completely worthless for their intended purpose of espionage

But hey I'm sure they'll end up in the next crap Hollywood script

Me • February 13, 2018 10:28 AM

"The malware could also make the hard drive LED blink so briefly, in fact, that it would be undetectable to human eyes, yet still registered by the light sensor. That means an attacker could even send invisible light signals to a faraway spy, albeit at a slower rate to avoid its covert blinks blurring into a visible signal."

That is the one that makes this interesting to me.

Seth • February 13, 2018 11:12 AM

"In new research published today, the Ben-Gurion team has even shown that they can pull data off a computer protected by not only an air gap, but also a Faraday cage designed to block all radio signals."

I would be more impressed if any of the methods listed right before this relied on radio signals... summaries by the reporter aside, the research page has quite a few interesting methods.

For those asking why it matters, getting malware onto an airgap system does not imply it's been physically compromised. Consider stuxnet. Iran's nuclear program had the centrifuges in an air gapped system. The malware still made it there by covertly spreading across devices and drives. This would give that same malware a way to communicate back across the airgap, not that stuxnet needed it.

Or it could be useful if you have physical access to the system before any of the interesting data is there. Maybe the technician setting it up, or the designer.

Mike Barno • February 13, 2018 12:23 PM

@ Peter Lind, Retired Secret Squirrel :

Most of Thomas Edison's basic-level discoveries, and his prototypes of inventions implementing those discoveries, were derided as pointless. But knowing that the trick was possible, his team focused efforts toward finding the best materials and designs and methods to use the ideas more effectively, and combining them with other innovations, and developing new manufacturing techniques, until they spawned entire industries. Meanwhile, most of his detractors kept on with "the way we've always done it", and went nowhere and accomplished nothing.

As for "useless because they require physical access": For decades, most companies have presumed that their computers arrive pristine, and that (so long as they vet their employees with hands-on access) their security begins with preventing hostile access when they get plugged into a communication network. But anyone who didn't learn lessons from Stuxnet should now be clued in by the Intel ME and Spectre and Meltdown vulnerabilities, where the problem is in the heart of the CPU chips they were built with. You didn't need to be a suspected national-security threat who caught the NSA's attention for them to covertly slip compromised machines into your purchases; instead, everyone buying mainstream systems has brought the exploitable problems into their datacenters and offices.

When you combine these two patterns, it isn't hard to foresee these seemingly outlandish exfiltration methods (fan noise, blinking lights, audio, radio, etc.) getting refined and combined with other exploits into powerful attacks that have major effects. Once it was an absurd curiosity that a simple virus could remain resident on a desktop PC, or that its next variant could be spread by floppy-disk without someone intentionally copying it. Today, malware does things like hiding in storage-drive controllers, disabling antivirus, scrubbing logs, dynamically reconfiguring command-and-control networks, and far more. This came about because sufficiently motivated people worked to turn implausible ideas into effective tools. Meanwhile, the naysayers paid no attention, failed to implement even the trailing remediations developed by white-hat researchers, and got owned again and again and again.

Mike Barno • February 13, 2018 12:38 PM

@ uh, Mike :

Replace that air gap with a saltwater gap.

But then we're back to the problem of being eaten by a kraken.
Not to mention the more prosaic problem of having computers eaten by rust.

albert • February 13, 2018 12:57 PM

@Seth,
"...Consider stuxnet. Iran's nuclear program had the centrifuges in an air gapped system. The malware still made it there by covertly spreading across devices and drives...."

Stuxnet was -physically installed- at the vendor's shop, before the system was installed at the site. Whether deliberately or accidentally I don't recall.

Forget the academic lab exercises. They are as useless as tits on a boar hog.
. .. . .. --- ....

Who? • February 13, 2018 12:59 PM

Don't tell anyone. I have discovered a way to exfiltrate information through QR codes displayed on the airgapped computer display.

Ben-Gurion researchers should have stopped after one or two papers. They are now just publishing the same research multiple times. I understand the "academic game," publish or die. This one is the very reason I think there is more valuable information in blogs like this one than on research publications.

What comes next? Data exfiltration by means of noise produced by HDD heads movement? Data exfiltration by means of noise produced by the computer internal speaker/buzzer? Keyboard LEDs? NIC LEDs? Webcam LED? Optical drive tray movement? Printer? Screen savers?

oldtimer • February 13, 2018 1:28 PM

"by means of noise produced by HDD heads movement?"

I thought that was for making music on nearby radios?

dj • February 13, 2018 2:22 PM

If one could modify the amount of current a computer uses it may be possible to modulate the power supply pulse-width to send information acoustically as well as electromagnetically. Most common power supplies use switched power supplies that operate around 10 kHz. In many circumstances it is possible to hear the tone or loudness of the power supply change with load whether by ear or by radio. It's one of the ways I can tell when a computer is working hard when it should be idle. Somewhat useful for intrusion detection.

Perhaps this method is already in use? It was something discussed on CompuServe in the late 80's.

(req'd) • February 13, 2018 2:23 PM

"It is much like putting a bug in an office, to make an analogy."

Except an office is an unprotected soft target compared to most real air-gap setups.

It's not actually "jumping the air gap" in that sense. It's only jumping BACK over it.

Getting that machine infected in the first place is the holy grail in this.

echo • February 13, 2018 2:37 PM

Guri is a one trick pony in the same way as a gold mine or most best selling authors. His ideas may not be readily applicable now and not everything is all the time until it is.

@dj

Detecting power use as an intrusion mechanism is cool. Maybe performance measurement too? How deeply could this be integrated with systems?
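An added defender-side example (not code from the page, the Ben-Gurion team, or any commenter) of the power-draw intrusion check dj mentions and echo asks about: sample a supposedly idle host's CPU utilisation or fan RPM at a fixed rate and flag a single frequency that towers over the noise floor, which is what an on-off keyed covert channel produces and idle noise does not. The 10 Hz sampling rate, the thresholds and the traces are constructed assumptions.

```python
"""Flag a covert carrier in the load or fan-speed trace of a host that should be idle.

Assumed setup (constructed, not from the page or the research): a monitor samples a
host's CPU utilisation in percent (or fan RPM) 10 times per second. Idle noise is
broadband; an on-off keyed covert channel puts one frequency far above the floor.
"""
import cmath
import math
import random


def dft_magnitudes(x):
    """Magnitude spectrum of the first len(x)//2 bins, plain O(n^2) DFT, stdlib only."""
    n = len(x)
    return [abs(sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n)))
            for k in range(n // 2)]


def dominant_tone(samples, sample_rate_hz):
    """Return (peak_frequency_hz, peak_to_median_ratio) after removing the mean."""
    mean = sum(samples) / len(samples)
    mags = dft_magnitudes([s - mean for s in samples])
    bins = range(1, len(mags))                     # skip the DC bin
    peak_bin = max(bins, key=lambda k: mags[k])
    ordered = sorted(mags[k] for k in bins)
    median = ordered[len(ordered) // 2] or 1e-9    # guard an all-constant trace
    return peak_bin * sample_rate_hz / len(samples), mags[peak_bin] / median


def looks_like_covert_carrier(samples, sample_rate_hz, idle_mean_max=15.0, min_ratio=8.0):
    """True when a host that is idle on average still shows one dominant frequency.

    A busy host is skipped: periodic load there is ordinary (cron, GC, polling).
    """
    if sum(samples) / len(samples) > idle_mean_max:
        return False
    _, ratio = dominant_tone(samples, sample_rate_hz)
    return ratio >= min_ratio


def constructed_trace(keyed, n=256, seed=7):
    """Constructed CPU% trace: idle noise around 3%, plus a +10% square wave when keyed."""
    rng = random.Random(seed)
    trace = []
    for t in range(n):
        load = 3.0 + rng.gauss(0.0, 1.0)
        if keyed and (t // 4) % 2 == 0:   # 4 samples on, 4 off: 1.25 Hz at 10 Hz sampling
            load += 10.0
        trace.append(load)
    return trace


if __name__ == "__main__":
    for label, keyed in (("idle", False), ("keyed", True)):
        freq, ratio = dominant_tone(constructed_trace(keyed), 10.0)
        verdict = looks_like_covert_carrier(constructed_trace(keyed), 10.0)
        print(f"{label:5s}: peak {freq:.2f} Hz, peak/median {ratio:5.1f}, covert? {verdict}")
```

Real traces need a baseline per host and the busy-host guard tuned, since legitimate periodic work (polling agents, schedulers) also produces tones; the check is a trigger for a closer look, not a verdict.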

Seth • February 13, 2018 3:15 PM

@albert, I'm not sure what your point is. If the malware was installed before the devices were put in place the air gap was still functioning as intended. As I said, even having physical access to the system doesn't mean the data an attacker wants will be there at the time they have access.

(req'd) • February 13, 2018 3:37 PM

"If the malware was installed before the devices were put in place the air gap was still functioning"

A pre-infected airgap box maybe wasn't what folks envisioned as the attack scenario given the headline.

I think that's why people are seeming to say this seems like moving goalposts.
It's not a useless capability, just a narrower application than assumed.

albert • February 13, 2018 4:55 PM

@Seth,

Stuxnet in the centrifuge controllers is a special case. The intent was to destroy the units, and avoid detection at least until the damage was done. The only data collected was for its own internal functions. It's the ideal operation for pre-loaded malware. I understand that Stuxnet is quite sophisticated and can function as a data collector as well.

I find it difficult to envision real-world applications of the techniques discussed, even by nation-states.

. .. . .. --- ....

John Smith • February 13, 2018 5:26 PM

from Mike Barno:

"... But anyone who didn't learn lessons from Stuxnet should now be clued in by the Intel ME and Spectre and Meltdown vulnerabilities, where the problem is in the heart of the CPU chips they were built with. You didn't need to be a suspected national-security threat who caught the NSA's attention for them to covertly slip compromised machines into your purchases; instead, everyone buying mainstream systems has brought the exploitable problems into their datacenters and offices..."

NSA has form in this regard: Crypto AG.

https://en.wikipedia.org/wiki/Crypto_AG
http://www.bbc.com/news/uk-33676028

Compromising Intel and AMD CPUs would fit very neatly with NSA's goal of Total Information Awareness. Means, motive, opportunity? NSA has all three.

https://en.wikipedia.org/wiki/Total_Information_Awareness

Tatütata • February 14, 2018 10:23 AM

All that has a taste of "RFC 1149 meets Mission Impossible". Besides showing that a determined mind can find myriad ways to jump over an air gap, the attacks in themselves seem to have a limited value.

An actual attack would have to adapt to a real life situation, such as: how can I steal the master certificates from a signing authority. This is a situation where the payoff of leaking a few hundred bits is well worth the effort.

albert • February 14, 2018 11:08 AM

@Sancho_P,
I may have read that article:)

Well, USB and Autorun is still physical installation at the vendor's site, is it not? Except for retribution purposes, whether the techs knew what they were doing is irrelevant. My opinion is they did not. Iran is not a country you want to screw over, for any price. As they say, Stuxnet is a very sophisticated program, and no doubt, there are even more advanced versions out there. IIRC, Stuxnet doesn't particularly care what its payload is. Finally, the centrifuge systems were a turnkey product, almost a 'black box'. Anyone at the site with PLC expertise could have found the bad code easily. This is a common problem everywhere. Companies don't understand (or even care) what kind of crap their contractors are selling them.
..
@echo,
Servers would be an ideal location for a Stuxnet-type infection.
..
With the CPUs themselves compromised, hunting season is now opened.

. .. . .. --- ....

Who? • February 14, 2018 1:08 PM

@ oldtimer

"I thought that was for making music on nearby radios?"

No, just the clicking noise produced by the heads moving. Perfect to exfiltrate information.

The microprocessors on some poorly shielded PCs from mid-80s up to mid-90s—like the Amstrad PC 2086—were, in fact, able to affect nearby FM radios transmitting static white noise. TEMPEST at its best!

I have an old vinyl by Honeywell Bull that has some great music on it recorded from the electromagnetic field generated near the memory buses (for that old vinyl perhaps the right term would be "busses" instead!).

albert • February 14, 2018 2:24 PM

In the Olde Dayes, you could hear the memory 'singing' if conditions were right. A transistor radio was even better. Who would have thought....

. .. . .. --- ....

Sancho_P • February 14, 2018 6:44 PM

@albert

It depends how one understands the word “vendor”. The malware wasn’t installed at the HW vendor (Siemens).
I agree that a competent technician would have found it when analyzing the ongoing problems.

Herman • February 14, 2018 11:25 PM

It is probably still easier to get data the old fashioned way: Pay a cleaner to bring you the waste paper basket.

echo • February 15, 2018 5:13 AM

@albert

I was wondering if it would be possible to place a server in a rack close to another server and monitor the magnetic signal across the airgap. Even if the victim server isn't compromised maybe the pattern detected would be of value to someone in banking or retail?

albert • February 15, 2018 10:39 AM

@Sancho_P,
The "vendor" was an Iranian company. Siemens was probably a supplier to the company that manufactured the centrifuge units. I don't know, but it's not that important. Siemens has a big footprint worldwide, and lots of folks know how to program their PLCs. PLCs are typically programmed with Windoz-based software on a PC. The PLC program is written then downloaded to the PLC. Nowadays, Ethernet connections to the PLC are common. (In my day, simple serial connections were common.) This means that -any- device connected to the PLC through a proper interface, and knowing the correct protocol, could download a program to the PLC. I'm guessing that the centrifuge system was a 'private' LAN administered by some PCs. Probably the easiest way to subvert the PLC program would be to work within the PC. That way the malware could use the latest version of the PLC code, and modify it at will. I would guess that the PLC code modifications were as simple as required to get the job done.

To pull this off, the Stuxnet malware is very sophisticated indeed. Maybe the details are in the book your Wired article cited.

I'm just too lazy to research this online, let alone buy a book!
..
@echo,
"...place a server in a rack close to another server..." It may be possible, but to what end? You already have physical access. Why not just add an extra unit, and tap the network? In a big facility, it may not even be noticed:)

. .. . .. --- ....

JG4 • February 15, 2018 11:05 AM

re: Stuxnet

I thought that I read many years ago that the delivery vector was the special HP inkjet cartridges for the giant printers used to make the modern equivalent of blueprints. As you might guess, if you were building an enrichment plant, you'd need some big plans. The story had it that the inkjet cartridges are made in Israel, who were happy to assist by incorporating a virus in the firmware of the cartridge. Once the PCs using the printer were infected, it would go to the controllers connected to the PCs. It has been many years since I read that story, so I don't have the link handy. It may have been in Wired News.

albert • February 15, 2018 5:57 PM

@JG4,
Last I checked, the ink cartridges have no smarts, though HP cartridges have 'security' chips to prevent use of non-HP products.

It would be headline news if a printer cartridge could infect a PC. Quite a feat, I'd say.

Those giant printers are remarkable, and they do color, too. Blueprints seem ancient now.
. .. . .. --- ....

echo • February 15, 2018 7:09 PM

@albert

Because eavesdropping the magnetic signals will give different information to the network. Knowing this different information may have a specific advantage.

markus • February 16, 2018 3:12 AM

I wonder why they didn't come up with manipulating the computer's power supply to communicate directly over Powerline with specially crafted "smart" devices (with access to the internet) in the same power grid. Or has someone else worked out a PoC for this?

Bartsch • February 17, 2018 6:26 AM

Little IT security joke regarding this topic: Millennials might call jumping the air gap by sound "hacking", but older people might remember it as acoustic coupling ;-)

Bystander • February 17, 2018 1:56 PM

Given the (in most cases) rather low data rate and the rather large file sizes except for plaintext, the information to be exfiltrated must be really worth the wait.

The drone example is kinda funny - you don't want to rely on something _this_ visible.

The malware opening such a channel must be tailored and the location of target data on the airgapped machine must be known beforehand. You cannot just mirror the filesystem and look for the interesting bits afterwards.

A two-way communication would be desirable, though.

There are many ifs making such an attack difficult, but not impossible.

rino19ny • February 18, 2018 3:41 AM

So with all these sophisticated techniques, it comes down to the initial problem of physical access. Maybe some techniques need to be developed for that initial access to secure it in the first place?

Jim • February 21, 2018 1:52 PM

As far as the blinking LED transmitting information, if you could crack the code that the malware is using to generate the blinks, you could generate phony information that you want the hacker to get rather than what is actually on the computer.

Seems that strong encryption is the best way to protect yourself against these threats.
