Jumping Air Gaps

Nice profile of Mordechai Guri, who researches a variety of clever ways to exfiltrate data from air-gapped computers.

Guri and his fellow Ben-Gurion researchers have shown, for instance, that it's possible to trick a fully offline computer into leaking data to another nearby device via the noise its internal fan generates, by changing air temperatures in patterns that the receiving computer can detect with thermal sensors, or even by blinking out a stream of information from a computer hard drive LED to the camera on a quadcopter drone hovering outside a nearby window. In new research published today, the Ben-Gurion team has even shown that they can pull data off a computer protected by not only an air gap, but also a Faraday cage designed to block all radio signals.

Here's a page with all the research results.

BoingBoing post.

Posted on February 13, 2018 at 6:26 AM • 79 Comments

Comments

Peter Lind • February 13, 2018 6:55 AM

"Guri and his fellow Ben-Gurion researchers have shown, for instance, that it's possible to trick a fully offline computer into leaking data to another nearby device via the noise its internal fan generates"

Would have been somewhat closer to the truth if the bit had contained the relevant bit of info that the air-gapped machine needs to be malware infected in the first place. Hence, the machine is not "being tricked" into leaking, it is running software that makes it transmit data.

Or, to be a bit more blunt about it. Someone had to have physical access to the machine in the first place. If that was the case, why bother fiddling with the fans.

Roman • February 13, 2018 7:11 AM

@Peter Lind: The point is you need to gain access to the airgapped computer network only once, to set it up, and then can exfiltrate the new data when it becomes available. It is much like putting a bug in an office, to make an analogy.

echo • February 13, 2018 7:13 AM

I thought this was pretty cool. I'm holding out for intercepted Russian data causes buffer overflow in cryptanalysis software giving arbitrary code execution and root access to the NSA for the past 20 years.

Security Sam • February 13, 2018 8:24 AM

Of energy shifts and covert channels
And whatever else behind the panels
Pulling the wool over your eyes
The new paradigm of uncanny spies.

Khavren • February 13, 2018 8:39 AM

Supply chain problem: make sure your systems are not infected on the way in and that your suppliers have not been compromised, and you don't have to worry about these attacks. Third Party management is the new frontier for security.

Clean New Pants • February 13, 2018 8:49 AM

@Peter Lind, thanks for pointing that out.

@Roman, it would have been nice to see that in the headline, or at least the quoted piece. I feel like I've had the crap scared out of me for nothing.

Also...

"... quadcopter drone hovering outside a nearby window."

The obvious solution here is to not use Windows. :D

Retired Secret Squirrel • February 13, 2018 10:10 AM

All of these air gap techniques this group puts out are pointless.

Every last one of them requires PHYSICAL access to the target computer either to install malware or be close enough to scan.

If you have that, then you don't need any of this garbage.

Completely worthless for their intended purpose of espionage

But hey I'm sure they'll end up in the next crap Hollywood script

Me • February 13, 2018 10:28 AM

"The malware could also make the hard drive LED blink so briefly, in fact, that it would be undetectable to human eyes, yet still registered by the light sensor. That means an attacker could even send invisible light signals to a faraway spy, albeit at a slower rate to avoid its covert blinks blurring into a visible signal."

That is the one that makes this interesting to me.
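The hard-drive-LED channel described in the quoted profile and in the comment above, as an added simulation (not the Ben-Gurion team's code and not part of the original post): the implant blinks a framed message using Manchester encoding, so the LED is never lit for longer than half a symbol, and a light sensor on the receiving side thresholds its readings, decodes the symbols and checks a CRC. The ADC levels, noise, samples-per-symbol and frame layout are assumptions chosen for the simulation.

```python
"""
Simulation of an on/off-keyed LED covert channel: a transmitter that turns a
message into LED on/off samples (Manchester encoded, so the LED is never lit
for longer than half a symbol), and a receiver that thresholds light-sensor
readings and recovers the bytes. Added example; the ADC levels, sample rate and
frame layout are assumptions, not the Ben-Gurion team's design.
"""
import random
from typing import List, Optional

ON_LEVEL, OFF_LEVEL = 900, 100   # constructed 10-bit ADC readings for LED on/off
NOISE_SIGMA, THRESHOLD = 30.0, 500
PREAMBLE = 0xAA                  # 10101010: leading 1 bit, so the first rising edge is the frame start
SAMPLES_PER_HALF = 4             # sensor samples per Manchester half-symbol (assumption)


def crc8(data: bytes, poly: int = 0x07) -> int:
    """CRC-8 (poly 0x07, init 0) so the receiver can reject corrupted frames."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def build_frame(payload: bytes) -> bytes:
    """Frame = preamble | length | payload | CRC-8 over length+payload."""
    if len(payload) > 255:
        raise ValueError("length field is one byte")
    body = bytes([len(payload)]) + payload
    return bytes([PREAMBLE]) + body + bytes([crc8(body)])


def frame_to_led_levels(frame: bytes) -> List[int]:
    """Manchester: bit 1 -> LED on then off, bit 0 -> off then on."""
    levels = []
    for byte in frame:
        for i in range(7, -1, -1):
            halves = (1, 0) if (byte >> i) & 1 else (0, 1)
            for h in halves:
                levels.extend([h] * SAMPLES_PER_HALF)
    return levels


def transmit(payload: bytes, idle_samples: int = 10, seed: int = 1) -> List[float]:
    """Noisy sensor readings: LED idle (off), the blinked frame, idle again."""
    rng = random.Random(seed)
    levels = [0] * idle_samples + frame_to_led_levels(build_frame(payload)) + [0] * idle_samples
    return [(ON_LEVEL if lv else OFF_LEVEL) + rng.gauss(0, NOISE_SIGMA) for lv in levels]


def receive(readings: List[float]) -> Optional[bytes]:
    """Threshold the readings, treat the first 'on' sample as the frame start,
    decode each symbol by comparing its two halves, then validate the frame.
    (A real receiver would also need clock recovery; the simulation assumes
    sample-exact alignment.)"""
    bits = [1 if r > THRESHOLD else 0 for r in readings]
    if 1 not in bits:
        return None
    start, symbol = bits.index(1), 2 * SAMPLES_PER_HALF

    def read_byte(n: int) -> int:
        value = 0
        for k in range(8):
            pos = start + (8 * n + k) * symbol
            if pos + symbol > len(bits):
                raise IndexError("frame truncated")
            first = sum(bits[pos:pos + SAMPLES_PER_HALF])
            second = sum(bits[pos + SAMPLES_PER_HALF:pos + symbol])
            value = (value << 1) | (1 if first > second else 0)
        return value

    try:
        if read_byte(0) != PREAMBLE:
            return None
        length = read_byte(1)
        body = bytes([length] + [read_byte(2 + i) for i in range(length)])
        if read_byte(2 + length) != crc8(body):
            return None
    except IndexError:
        return None
    return body[1:]


def airtime_seconds(payload_len: int, half_symbol_s: float) -> float:
    """Seconds of blinking for one frame: (payload + 3 overhead bytes) * 8 bits * 2 halves."""
    return (payload_len + 3) * 16 * half_symbol_s


if __name__ == "__main__":
    secret = b"constructed sample secret"
    print(receive(transmit(secret)) == secret)
    print(f"{airtime_seconds(256, 0.005):.2f} s to blink a 2048-bit key at 5 ms half-symbols")
```

The half-symbol duration is the knob the comment is about: the shorter the blink, the lower the chance a human notices it, but the bit rate falls with it, and `airtime_seconds` makes the trade-off concrete for a given payload. A corrupted symbol is caught by the CRC rather than silently delivered, which is also what makes the "feed the spy phony data" idea later in the thread harder than it sounds.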

Seth • February 13, 2018 11:12 AM

In new research published today, the Ben-Gurion team has even shown that they can pull data off a computer protected by not only an air gap, but also a Faraday cage designed to block all radio signals.

I would be more impressed if any of the methods listed right before this relied on radio signals... summaries by the reporter aside, the research page has quite a few interesting methods.

For those asking why it matters, getting malware onto an air-gapped system does not imply it's been physically compromised. Consider Stuxnet. Iran's nuclear program had the centrifuges in an air-gapped system. The malware still made it there by covertly spreading across devices and drives. This would give that same malware a way to communicate back across the air gap, not that Stuxnet needed it.

Or it could be useful if you have physical access to the system before any of the interesting data is there. Maybe the technician setting it up, or the designer.

Mike Barno • February 13, 2018 12:23 PM

@ Peter Lind, Retired Secret Squirrel :

Most of Thomas Edison's basic-level discoveries, and his prototypes of inventions implementing those discoveries, were derided as pointless. But knowing that the trick was possible, his team focused efforts toward finding the best materials and designs and methods to use the ideas more effectively, and combining them with other innovations, and developing new manufacturing techniques, until they spawned entire industries. Meanwhile, most of his detractors kept on with "the way we've always done it", and went nowhere and accomplished nothing.

As for "useless because they require physical access": For decades, most companies have presumed that their computers arrive pristine, and that (so long as they vet their employees with hands-on access) their security begins with preventing hostile access when they get plugged into a communication network. But anyone who didn't learn lessons from Stuxnet should now be clued in by the Intel ME and Spectre and Meltdown vulnerabilities, where the problem is in the heart of the CPU chips they were built with. You didn't need to be a suspected national-security threat who caught the NSA's attention for them to covertly slip compromised machines into your purchases; instead, everyone buying mainstream systems has brought the exploitable problems into their datacenters and offices.

When you combine these two patterns, it isn't hard to foresee these seemingly outlandish exfiltration methods (fan noise, blinking lights, audio, radio, etc.) getting refined and combined with other exploits into powerful attacks that have major effects. Once it was an absurd curiosity that a simple virus could remain resident on a desktop PC, or that its next variant could be spread by floppy-disk without someone intentionally copying it. Today, malware does things like hiding in storage-drive controllers, disabling antivirus, scrubbing logs, dynamically reconfiguring command-and-control networks, and far more. This came about because sufficiently motivated people worked to turn implausible ideas into effective tools. Meanwhile, the naysayers paid no attention, failed to implement even the trailing remediations developed by white-hat researchers, and got owned again and again and again.

Mike Barno • February 13, 2018 12:38 PM

@ uh, Mike :

Replace that air gap with a saltwater gap.

But then we're back to the problem of being eaten by a kraken.
Not to mention the more prosaic problem of having computers eaten by rust.

albert • February 13, 2018 12:57 PM

@Seth,
"...Consider stuxnet. Iran's nuclear program had the centrifuges in an air gapped system. The malware still made it there by covertly spreading across devices and drives...."

Stuxnet was -physically installed- at the vendor's shop, before the system was installed at the site. Whether deliberately or accidentally I don't recall.

Forget the academic lab exercises. They are as useless as tits on a boar hog.
. .. . .. --- ....

Who? • February 13, 2018 12:59 PM

Don't tell anyone. I have discovered a way to exfiltrate information through QR codes displayed on the airgapped computer display.

Ben-Gurion researchers should have stopped after one or two papers. They are now just publishing the same research multiple times. I understand the "academic game," publish or die. This one is the very reason I think there is more valuable information in blogs like this one than on research publications.

What comes next? Data exfiltration by means of noise produced by HDD heads movement? Data exfiltration by means of noise produced by the computer internal speaker/buzzer? Keyboard LEDs? NIC LEDs? Webcam LED? Optical drive tray movement? Printer? Screen savers?

oldtimer • February 13, 2018 1:28 PM

by means of noise produced by HDD heads movement?

I thought that was for making music on nearby radios?

dj • February 13, 2018 2:22 PM

If one could modify the amount of current a computer uses it may be possible to modulate the power supply pulse-width to send information acoustically as well as electromagnetically. Most common power supplies use switched power supplies that operate around 10 kHz. In many circumstances it is possible to hear the tone or loudness of the power supply change with load whether by ear or by radio. It's one of the ways I can tell when a computer is working hard when it should be idle. Somewhat useful for intrusion detection.

Perhaps this method is already in use? It was something discussed on CompuServe in the late 80's.

(req'd) • February 13, 2018 2:23 PM

" It is much like putting a bug in an office, to make an analogy. "

Except an office is an unprotected soft target compared to most real air-gap setups.

It's not actually "jumping the air gap" in that sense. It's only jumping BACK over it.

Getting that machine infected in the first place is the holy grail in this.

echo • February 13, 2018 2:37 PM

Guri is a one trick pony in the same way as a gold mine or most best selling authors. His ideas may not be readily applicable now and not everything is all the time until it is.

@dj

Detecting power use as an intrusion mechanism is cool. Maybe performance measurement too? How deeply could this be integrated with systems?
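dj's comment describes modulating CPU load so that a switching power supply's tone carries data, and both dj and echo ask whether load or power measurement could serve as an intrusion detector. The following is an added example, not from the page or from either commenter: it generates a constructed attacker trace (binary FSK, one tone per bit, driven by toggling load) and a constructed benign idle-server trace, then flags the attacker trace by the periodic structure that data modulation leaves behind and bursty benign activity lacks. The sample rate, tone frequencies, symbol length and thresholds are all assumptions.

```python
"""
Detector for a load-modulated covert channel. Added example (not from the page):
periodic modulation of CPU load leaves a trough-then-peak shape in the
autocorrelation of a power/utilization trace; benign bursts do not.
Sample rate, tones and both traces are constructed assumptions.
"""
import math
import random
from typing import List

SAMPLE_HZ = 200  # assumed rate of the power meter / utilization probe


def fsk_load_trace(bits: str, f0: float, f1: float, symbol_s: float, seed: int = 7) -> List[float]:
    """Constructed attacker trace: per bit, the implant toggles a busy loop at
    tone f0 or f1 (binary FSK); the PSU's switching noise would carry that tone."""
    rng = random.Random(seed)
    per_symbol = int(symbol_s * SAMPLE_HZ)
    trace = []
    for bit in bits:
        tone = f1 if bit == "1" else f0
        for i in range(per_symbol):
            load = 0.6 if math.sin(2 * math.pi * tone * i / SAMPLE_HZ) > 0 else 0.1
            trace.append(min(1.0, max(0.0, load + rng.gauss(0, 0.03))))
    return trace


def benign_load_trace(n: int, seed: int = 7) -> List[float]:
    """Constructed idle-server trace: low baseline with random, aperiodic bursts."""
    rng = random.Random(seed)
    trace, level = [], 0.1
    for _ in range(n):
        if rng.random() < 0.01:
            level = rng.uniform(0.3, 0.9)   # a burst starts
        elif rng.random() < 0.05:
            level = 0.1                     # a burst ends
        trace.append(min(1.0, max(0.0, level + rng.gauss(0, 0.03))))
    return trace


def periodicity_score(window: List[float], max_lag: int) -> float:
    """Largest 'trough then peak' in the normalized autocorrelation over lags
    1..max_lag. A periodic signal scores close to 2 (r ~ -1 at half a period,
    r ~ +1 at a full period); a single step or burst, whose autocorrelation
    only decays, scores ~0, as does pure noise."""
    n = len(window)
    mean = sum(window) / n
    x = [v - mean for v in window]
    denom = sum(v * v for v in x)
    if denom < 1e-9:
        return 0.0
    r = [sum(x[i] * x[i + lag] for i in range(n - lag)) / denom
         for lag in range(1, min(max_lag, n // 2) + 1)]
    if len(r) < 2:
        return 0.0
    best, trough = 0.0, r[0]
    for val in r[1:]:
        best = max(best, val - trough)
        trough = min(trough, val)
    return best


def covert_channel_suspected(trace: List[float], window: int = 400, max_lag: int = 100,
                             threshold: float = 1.0, min_fraction: float = 0.6) -> bool:
    """True if at least min_fraction of the fixed-size windows look periodic.
    Returns False for a trace shorter than one window (no verdict possible)."""
    scores = [periodicity_score(trace[s:s + window], max_lag)
              for s in range(0, len(trace) - window + 1, window)]
    if not scores:
        return False
    flagged = sum(1 for s in scores if s > threshold)
    return flagged / len(scores) >= min_fraction


if __name__ == "__main__":
    exfil = fsk_load_trace("1011001110" * 4, f0=10.0, f1=20.0, symbol_s=0.5)
    print("covert trace flagged:", covert_channel_suspected(exfil))
    print("benign trace flagged:", covert_channel_suspected(benign_load_trace(4000)))
```

The trough-before-peak test matters: a plain autocorrelation threshold at short lags would also fire on any slow benign load change, since a step has high correlation at small lags. Requiring the correlation to go negative and come back up is what separates a carrier from a burst. In practice the trace would come from a power meter, RAPL counters or a utilization probe rather than the constructed generator here, and the thresholds would need tuning against the host's normal workload.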

Seth • February 13, 2018 3:15 PM

@albert, I'm not sure what your point is. If the malware was installed before the devices were put in place the air gap was still functioning as intended. As I said, even having physical access to the system doesn't mean the data an attacker wants will be there at the time they have access.

(req'd) • February 13, 2018 3:37 PM

"If the malware was installed before the devices were put in place the air gap was still functioning"

A pre-infected airgap box maybe wasn't what folks envisioned as the attack scenario given the headline.

I think that's why people are seeming to say this seems like moving goalposts.
It's not a useless capability, just a narrower application than assumed.

albert • February 13, 2018 4:55 PM

@Seth,

Stuxnet in the centrifuge controllers is a special case. The intent was to destroy the units, and avoid detection at least until the damage was done. The only data collected was for its own internal functions. It's the ideal operation for pre-loaded malware. I understand that Stuxnet is quite sophisticated and can function as a data collector as well.

I find it difficult to envision real-world applications of the techniques discussed, even by nation-states.

. .. . .. --- ....

John Smith • February 13, 2018 5:26 PM

from Mike Barno:

"... But anyone who didn't learn lessons from Stuxnet should now be clued in by the Intel ME and Spectre and Meltdown vulnerabilities, where the problem is in the heart of the CPU chips they were built with. You didn't need to be a suspected national-security threat who caught the NSA's attention for them to covertly slip compromised machines into your purchases; instead, everyone buying mainstream systems has brought the exploitable problems into their datacenters and offices..."

NSA has form in this regard: Crypto AG.

https://en.wikipedia.org/wiki/Crypto_AG
http://www.bbc.com/news/uk-33676028

Compromising Intel and AMD CPUs would fit very neatly with NSA's goal of Total Information Awareness. Means, motive, opportunity? NSA has all three.

https://en.wikipedia.org/wiki/Total_Information_Awareness

Tatütata • February 14, 2018 10:23 AM

All that has a taste of "RFC 1149 meets Mission Impossible". Besides showing that a determined mind can find myriad ways to jump over an air gap, the attacks in themselves seem to have a limited value.

An actual attack would have to adapt to a real life situation, such as: how can I steal the master certificates from a signing authority. This is a situation where the payoff of leaking a few hundred bits is well worth the effort.

albert • February 14, 2018 11:08 AM

@Sancho_P,
I may have read that article:)

Well, USB and Autorun is still physical installation at the vendor's site, is it not? Except for retribution purposes, whether the techs knew what they were doing is irrelevant. My opinion is they did not. Iran is not a country you want to screw over, for any price. As they say, Stuxnet is a very sophisticated program, and no doubt, there are even more advanced versions out there. IIRC, Stuxnet doesn't particularly care what its payload is. Finally, the centrifuge systems were a turnkey product, almost a 'black box'. Anyone at the site with PLC expertise could have found the bad code easily. This is a common problem everywhere. Companies don't understand (or even care) what kind of crap their contractors are selling them.
..
@echo,
Servers would be an ideal location for a Stuxnet-type infection.
..
With the CPUs themselves compromised, hunting season is now open.

. .. . .. --- ....

Who? • February 14, 2018 1:08 PM

@ oldtimer

I thought that was for making music on nearby radios?

No, just the clicking noise produced by the heads moving. Perfect to exfiltrate information.

The microprocessors on some poorly shielded PCs from mid-80s up to mid-90s—like the Amstrad PC 2086—were, in fact, able to affect nearby FM radios transmitting static white noise. TEMPEST at its best!

I have an old vinyl by Honeywell Bull that has some great music on it recorded from the electromagnetic field generated near the memory buses (for that old vinyl perhaps the right term would be "busses" instead!).

albert • February 14, 2018 2:24 PM

In the Olde Dayes, you could hear the memory 'singing' if conditions were right. A transistor radio was even better. Who would have thought....

. .. . .. --- ....

Sancho_P • February 14, 2018 6:44 PM

@albert

It depends how one understands the word “vendor”. The malware wasn’t installed at the HW vendor (Siemens).
I agree that a competent technician would have found it when analyzing the ongoing problems.

Herman • February 14, 2018 11:25 PM

It is probably still easier to get data the old fashioned way: Pay a cleaner to bring you the waste paper basket.

echo • February 15, 2018 5:13 AM

@albert

I was wondering if it would be possible to place a server in a rack close to another server and monitor the magnetic signal across the airgap. Even if the victim server isn't compromised maybe the pattern detected would be of value to someone in banking or retail?

albert • February 15, 2018 10:39 AM

@Sancho_P,
The "vendor" was an Iranian company. Siemens was probably a supplier to the company that manufactured the centrifuge units. I don't know, but it's not that important. Siemens has a big footprint worldwide, and lots of folks know how to program their PLCs. PLCs are typically programmed with Windoz-based software on a PC. The PLC program is written then downloaded to the PLC. Nowadays, Ethernet connections to the PLC are common. (In my day, simple serial connections were common.) This means that -any- device connected to the PLC through a proper interface, and knowing the correct protocol, could download a program to the PLC. I'm guessing that the centrifuge system was a 'private' LAN administered by some PCs. Probably the easiest way to subvert the PLC program would be to work within the PC. That way the malware could use the latest version of the PLC code, and modify it at will. I would guess that the PLC code modifications were as simple as required to get the job done.

To pull this off, the Stuxnet malware is very sophisticated indeed. Maybe the details are in the book your Wired article cited.

I'm just too lazy to research this online, let alone buy a book!
..
@echo,
"...place a server in a rack close to another server..." It may be possible, but to what end? You already have physical access. Why not just add an extra unit, and tap the network? In a big facility, it may not even be noticed:)

. .. . .. --- ....

JG4 • February 15, 2018 11:05 AM

re: Stuxnet

I thought that I read many years ago that the delivery vector was the special HP inkjet cartridges for the giant printers used to make the modern equivalent of blueprints. As you might guess, if you were building an enrichment plant, you'd need some big plans. The story had it that the inkjet cartridges are made in Israel, who were happy to assist by incorporating a virus in the firmware of the cartridge. Once the PCs using the printer were infected, it would go to the controllers connected to the PCs. It has been many years since I read that story, so I don't have the link handy. It may have been in Wired News.

albert • February 15, 2018 5:57 PM

@JG4,
Last I checked, the ink cartridges have no smarts, though HP cartridges have 'security' chips to prevent use of non-HP products.

It would be headline news if a printer cartridge could infect a PC. Quite a feat, I'd say.

Those giant printers are remarkable, and they do color, too. Blueprints seem ancient now.
. .. . .. --- ....

echo • February 15, 2018 7:09 PM

@albert

Because eavesdropping the magnetic signals will give different information to the network. Knowing this different information may have a specific advantage.

markus • February 16, 2018 3:12 AM

I wonder that they didn't come up with manipulation of the computer's power supply to communicate directly over Powerline with specially crafted "smart" devices (with access to the internet) in the same power grid. Or did someone else work out a PoC for this?

Bartsch • February 17, 2018 6:26 AM

Little IT security joke regarding this topic: Millennials might call jumping the air gap by sound "hacking", but older people might remember it as acoustic coupling ;-)

Bystander • February 17, 2018 1:56 PM

Given the (in most cases) rather low data rate and the rather large file sizes except for plaintext, the information to be exfiltrated must be really worth the wait.

The drone example is kinda funny - you don't want to rely on something _this_ visible.

The malware opening such a channel must be tailored and the location of target data on the airgapped machine must be known beforehand. You cannot just mirror the filesystem and look for the interesting bits afterwards.

A two-way communication would be desirable though...

There are many ifs making such an attack difficult, but not impossible.

rino19ny • February 18, 2018 3:41 AM

So with all these sophisticated techniques, it comes down to the initial problem of physical access. Maybe some techniques need to be developed for that initial access to secure it in the first place?

Jim • February 21, 2018 1:52 PM

As far as the blinking LED transmitting information, if you could crack the code that the malware is using to generate the blinks, you could generate phony information that you want the hacker to get rather than what is actually on the computer.

Seems that strong encryption is the best way to protect yourself against these threats.

Mind The Energy Gap • February 22, 2018 8:04 PM

Well, there's air gaps and there's "energy gaps"(TM). I'm no expert at all on the subject, but as the esteemed Mr. Clive Robinson has commented somewhere here, you need to be in quite a deep chamber to perform effective "energy-gapping".

Being in sight of a window or without further non-EM protections such as acoustic foam and whatever cla$$ified materials/methods go into a proper SCIF... well, you're just a run-of-the-mill citizen without the necessary budget nor a hope in hell.

Not discounting the research of course, but it just shows the things that need to be considered.

So... even if you layer your best guesses as to materials/methods above the interdicted hardware and baked-in "management interfaces", well, you're decades and billions (trillions?) of dollars behind those who succeed in this field every day.

Secrets are only for those who can afford them. It makes Clive's "paper, paper, never data"(TM) seem very attractive for the citizen.

Clive Robinson • February 23, 2018 8:45 PM

@ Ratio,

The vacuous term “energy gap” strikes again.

More of your "facts pulled from an empty vessel", how is your comprehension of the Bard going? I'm guessing you are still having to "Brush up your Shakespeare" most other people would have got it word for word, measure for measure by now even six year olds, but you, what can we say...

Ratio • February 23, 2018 8:59 PM

@Wael,

[The term “energy gap”] has a meaning in solid state physics.

True. It’s a vacuous term in the current context, though.

Wael • February 23, 2018 10:07 PM

@Ratio,

True. It’s a vacuous term in the current context, though.

Air-gap isn't any better, either. Better terminology is needed. I don't like the word "gap".

Anura • February 23, 2018 10:15 PM

@Wael

What about a speed-of-light gap? If you need the data to be secure for 100 years, you should make sure it is at least 100 light years away from you. Now, there is a slight practicality problem here, but I see that as more of an implementation problem for the engineers (I'm more of an idea guy).

Wael • February 23, 2018 10:42 PM

@Anura,

Lol! Very funny :)

(I'm more of an idea guy).

You're half-way there! Give it the right spin and you may get partial funding from NSF :)

Ratio • February 24, 2018 12:23 AM

@Wael,

Air-gap isn't any better, either.

How so? The issue with “air gap” is the way it’s used, not the term itself, IMHO.

Better terminology is needed.

To describe the goal or how to achieve it?

Wael • February 24, 2018 12:42 AM

@Ratio,

How so? The issue with “air gap” is the way it’s used, not the term itself, IMHO.

Like so: If the term itself were clear, you wouldn't have studies like the topic of this thread. What's an airgap? Off the grid? Shielded? Sitting in a vacuum? All of that? Plus more? We had a similar discussion a while back but I'm not in the mood to look for a link. The summary is: airgap means different things to different people at different times. Me? I would classify a WiFi connected device as air-gapped (based on the terminology.) I know it isn't a correct interpretation. Then again: what does air-gap mean to you?

To describe the goal or how to achieve it?

Both! Then find a descriptive term. It'll be clear that "air-gapped" isn't it. So: what's the goal? And how do we achieve it?

Wael • February 24, 2018 1:06 AM

@Ratio, @Clive Robinson,

Here's how some researchers defined air-gap:

where there is no physical connection between the internal network and the Internet.

Do you agree with that definition?

Wadda ya say about this observation?

Speaking of Hall effect devices, a magnet can be used to transmit the code to the hosting computer.

That's beyond "exfiltrating data" with magnetic field. So! I'm describing a magnet (or magnetic field) as an infection tool. That was back in 2014. So I say to this research: ho-hum; you're not telling us something we didn't already know, or experiment with. The difference is oh, well...

By the way, these are all different forms of energy. I just object to the term "gap".

Clive Robinson • February 24, 2018 5:15 AM

@ Wael,

Air-gap isn't any better, either. Better terminology is needed. I don't like the word "gap".

I don't like "gap" much either but it is accurate.

As for the definition of,

    where there is no physical connection between the internal network and the Internet.

I like that even less. Just have a real think about what "no physical connection" really means[1], as even if in the doubtful case you could achieve it, E and H fields would quite happily cross the likes of a vacuum, as would gravity etc. Hence my reason to use "energy gap". Because it is in reality all the side channels you want to stop, and they ONLY work by the movement of energy.

When you get into EmSec terminology you talk of both "segregation" and "separation" as isolation mechanisms with any channel between them being in effect not just a constrained Shannon channel, but also "strongly mediated" and "instrumented" which gives you a "mandated choke point".

It's an issue like that of law with "permiso and non permiso" theoretical doctrines.

You and I both know that Ratio has absolutely no clue as to how to deal with this kind of issue or even resolve it sensibly, and takes exception on a personal basis then looks for excuses to behave the way Ratio does. There is a clear history of such "challenge behaviour" usually without anything to back up the challenge. As has happened before, Ratio's challenges are false and based on any kind of knowledge or research, even a quick Internet search. Thus it's best that they are ignored unless accompanied by a positive contribution that indicates some real cognisance of the subject at hand, that is "non nihilist behaviour".

[1] Gravity would pull any device to the nearest significant mass centroid which means you would have to use some kind of force to hold it away. The nearest I can think of would be a super conductor in a strong magnetic field generated by another super conductor. I think you know the problem with that idea... But at lesser levels a physical disconnect would only stop conducted energy not radiant.

Wael • February 24, 2018 7:18 AM

@Clive Robinson,

I don't know who came up with the "air-gap" phrase. As for energy, gravity and magnetism aren't strictly "energy" -- they're forces.

About you and @Ratio:

Clearly you two have a fundamental difference in ideology. Perhaps that's the reason you butt heads often. This sort of thing isn't too unusual: @Dirk Praet and @Rolf Weber, me and @ianf, you and @Ratio, @Skeptical and many others. I think it's best to refrain from personal attacks and either discuss facts and data points or ignore each other completely. I have done so with others, and others have done so with me. There are at least two or three individuals here that ignored my replies two or three times. I get it: they dislike engaging me for whatever reason. I respect that and make a mental note, then move on. Sometimes I forget, but... some things do not need to be brought to closure. You're both mature enough to handle this gracefully.

Ratio • February 24, 2018 7:46 AM

@Wael,

Like so: If the term itself were clear, you wouldn't have studies like the topic of this thread.

This doesn’t answer the question how the term “air gap” isn’t any better than “energy gap”. That aside, unless it were definitionally impossible in this alternate reality, why wouldn’t people try to find ways to steal data from air-gapped computers (and publish their findings)?

Then again: what does air-gap mean to you?

The lack of physical network connection between two computers or networks.

If you want to extend this to wireless, you have to explicitly state what that means. For example, if you consider a device with a single, wireless NIC that is logically disabled to be air-gapped, I’d argue you would have to view a device with a single, wired NIC that is physically connected but logically disabled the same way.

So: what's the goal? And how do we achieve it?

The goal is to prevent unwanted transmission of information (or some such). It’s err… not clear if this can be done, much less how. And if we did know how to achieve it, I can guarantee you that the checklist won’t consist of a single checkbox and the text “energy gap”.

(Meanwhile, an energy-gapped computer is connected to a networked computer, using an inline encryptor/decryptor, and nobody bats an eyelid. And why would they? “Energy gap” doesn’t actually mean anything! The emperor has no clothes.)

Wael • February 24, 2018 8:28 AM

@Ratio,

how the term “air gap” isn’t any better than “energy gap”

One is generic and subject to various interpretations and the other is specific in its meaning.

why wouldn’t people try to find ways to steal data from air-gapped computers (and publish their findings)?

Who said anything about limiting what people can publish? All I said is I'm not impressed. People can research and publish all they want. I've seen my share of worthless crap. If that interests some... well: to each his own.

The lack of physical network connection between two computers or networks.

Do you count RF as "physical"?

The goal is to prevent unwanted transmission of information (or some such)

Then your definition fails to describe the goal.

not clear if this can be done, much less how.

It can be done. The how is also not hard to think of, and there are more than one way to achieve it.

PS: I'll be a bit busy the next few weeks. Got stuck on something pretty challenging (and interesting) at work.

Wael • February 24, 2018 8:46 AM

@Ratio,

Dang! I had so many spelling mistakes!

“Energy gap” doesn’t actually mean anything!

To me it means: having the protected device within the confines of an energy barrier that prevents all forms of unwanted transmissions.

The word 'gap' could be replaced by 'barrier'.

Ratio • February 24, 2018 9:47 AM

@Wael,

Who said anything about limiting what people can publish? All I said is I'm not impressed.

Nobody said anything about limiting what people can publish. I’m not sure why you ask.

You said: “If the term itself were clear, you wouldn't have studies like the topic of this thread.” I don’t think that’s true, and asked why people wouldn’t produce studies like this one if the term “air gap” was clear. You seem to be agreeing now, and thus disagreeing with the earlier sentence I just cited. What gives?

Do you count RF as "physical"?

No, hence the “if you want to extend this to wireless” earlier.

Then your definition fails to describe the goal.

What is my definition if not the description of the goal, and how is it flawed?

It can be done. The how is also not hard to think of, and there are more than one way to achieve it.

I assume by “it” you mean “having the protected device within the confines of an energy barrier that prevents all forms of unwanted transmissions”? Congrats on being filthy rich very soon, I guess.

To me [“energy gap”] means: having the protected device within the confines of an energy barrier that prevents all forms of unwanted transmissions.

Is this the problem statement or the proposed solution? People use “energy gap” as if it were the solution, but this sounds like a restatement of the problem to be solved.

I'll be a bit busy the next few weeks. Got stuck on something pretty challenging (and intetesting) at work.

[thumbs-up emoji here] :-)

Wael • February 25, 2018 7:11 AM

@Ratio,

I’m not sure why you ask.

It's a consequence of what you stated.

You seem to be agreeing now, and thus disagreeing with the earlier sentence I just cited. What gives?

The term is clear in some people's minds and ambiguous in others'. If air-gap means "off the grid", such as in a "cold crypto-currency wallet", then studies like this are valid. If air-gap means "energy-gap" or barrier, then studies like this need to take a different form. Here, the researchers discuss how to jump a "gap" using magnetism, which is supposedly not a viable attack doable against an energy-gapped system. And if it's doable, then the system isn't protected as claimed: an implementation weakness that may apply to a proper subset of the sample space.

No, hence the “if you want to extend this to wireless” earlier.

Then you say that "air-gap" needs an extension to cover wireless. In other words: the term "air-gap" by itself isn't an expression that completely covers the meaning of the goal. Others, by the way, and rightly so, don't consider a wirelessly connected system to the internet as being "air-gapped". You can extend this argument to other methods: sonic and ultrasonic, sound through solids, light, static electricity, magnetism, ... See the BadBIOS discussion for the ultrasonic method.

What is my definition if not the description of the goal, and how is it flawed?

When a definition needs extensions to cover the intended goals, then it fails (by definition.) See above ;)

I assume by “it” you mean “having … prevents all forms of unwanted transmissions”?

Yes!

Congrats on being filthy rich very soon, I guess.

Guess again. Techniques like that do exist and are in place. They exist at the macro and micro levels. I don't want to digress too far, but think of a system in an underground room underneath a mountain with several levels of protection layers: physical access control zones, passive shielding, active shielding, noise injection.... Someone else got filthy rich (same guy who sells the hammer for $500.)

Is this the problem statement or the proposed solution?

Neither: it's a description of a state, just like "air-gap" is. And that is where the confusion comes from. Example Requirement: Air-gap this system. Solution: Unplug the Ethernet cable, and task accomplished (in some people's minds.) Example Requirement 2: "Energy-gap" (I have some reservations as I stated before on the terminology.) Solution: Stick the system in a controlled access zone, in a bunker underground with its own power supply, don't allow any devices near it (not even a watch), isolate it mechanically, optically, electromagnetically (which includes optical), etc...

Clive Robinson • February 25, 2018 9:17 AM

@ Wael,

The term is clear in some people's minds and ambiguous in other's. If air-gap means "off the grid"...

The problem is one of "jargon". After all, what does TEMPEST or EmSec really mean?

The answer is to a certain extent "what you want it to mean". Take for instance "Natural Philosophy": it meant something at some point, but the field of domain expanded into sub-domains that became domains in their own right. So now we have a slightly narrower definition of "Physics", but the domains keep growing.

When "Air Gap" first came into usage, it applied to a relatively small and quite specialized field of domain. It has since expanded and now is effectively meaningless because of the number of specialised Shannon Channels there are. Thus you have to replace one term with another: "energy gap" is certainly more accurate than "air gap", but you could also say "Shannon Channel gap"; it's more unwieldy, though, and will almost certainly get shortened and in time sow a great deal of confusion.

Thus you need a short snappy title that is sufficiently different but still related to other and older names for continuity in understanding. It is a quite human need and seen in just about every field of endeavour.

The fact that some one individual does not like it does not make a handful of beans, let alone part of a hill. We've been through this with hacker / cracker before; you have to pander to those with pencils, and journalists like short and snappy because it sounds authoritative, thus they have a nail to hang their stories on.

Do you want it called "magic space effecting" or something equally as frivolous just because a journo thinks it's going to work well with their readers?

If people want to criticise then they need to offer alternatives that have a chance of succeeding, otherwise they become food for journos to write about dissent in the ranks/profession, which they love to do because "Pie Fights" sell copy without having to have facts or research, just out-of-context quotes, so are money for old rope to wastrel-type journalists.

I know several professional ICT journalists who do both research and fact finding read this blog; perhaps we should ask them.

Wael • February 25, 2018 10:19 AM

@Clive Robinson,

The problem is one of "jargon". After all, what does TEMPEST or EmSec really mean?

For starters, 'TEMPEST' is all caps. It must be an initialism, an acronym, or an abbreviation of some phrase that I don't wish to look up. EmSec? My first discussion about C-v-P started with "What does 'Security'" mean.

However, I agree with the rest to a certain extent. The point I'm raising isn't about a particular choice of words. We may call it 'Bullfrog' as far as I'm concerned [1]. We just need to agree on the meaning of the 'idiom'. "energy gap" is more descriptive than air-gap", though. I believe the term will be mainstream in the future although I dislike the word "gap" as I've stated repeatedly. Also note that magnets and gravity are not "Energy", strictly speaking. They are forces as you well know; part of the four forces of 'nature': Weak Nuclear, Strong Nuclear, Electromagnetic, and Gravitational.

Then there is energy which is the capacity for doing 'work'. There are Electrical, Chemical, Potential, Kinetic, Thermal, Nuclear, Magnetic, Electromagnetic, Acoustic (could be a form of kinetic) energies... And that's what you want to curtail and control in order to protect against side-channels / out of band emissions. Now we both know that energy cannot be created nor destroyed. The problem becomes then: dissipate the energy in a manner that's unusable by an adversary located within a certain distance of the protected device / system. Dissipate it in a manner that obfuscates the fingerprint of the operations to be protected... This will tangentially take us to the E-v-S discussion, I would imagine.

[1] If I say I'm hungry, you know what I mean. If I say I'm starving, well: it means I need to eat within the next 5 minutes or so. If I say it's 'air-gapped', well: perhaps I stuck a balloon in the system... who knows ;)

Clive Robinson • February 25, 2018 2:52 PM

@ Wael,

This will tangentially take us to the E-v-S discussion, I would imagine.

Don't let @Nick P see "E-v-S" I remember he was not happy about "C-v-P" or "CvP" ;-)

Whilst both gravity and magnetism are forces, any delta in them is caused by work over time, hence they are energy. Which is also what an IBM Watson researcher concluded with his minimum energy per bit of information change.

Personally I'm not sure about the minimum energy for reasons it would take to long to go into.

Speaking of which, have you had further thoughts on the entangled bit communications @Nick P linked to the other day? I've had a busy weekend and have not had time to follow it up.

And it looks like this coming week will be a bit of a problem; the weather men are talking about four or more inches of snow over Eastern England and urban temperatures of -6C. Which, if other years are anything to go by, will mean civilisation as we know it around East London etc. will come to a halt...

Apparently, according to the authorities, we don't have snow in this country so they don't budget for it. Apparently we only get "the wrong type of snow", thus it becomes a disaster. I can not help but think our political purse string holders are not just barking up the wrong tree but are completely barking mad[1], though why they would want to love Essex is another matter entirely ;-)

[1] Yup, you don't have "to be completely barking" to go there; apparently the Chinese have a railway service that stops there now...

https://en.m.wikipedia.org/wiki/Barking

Wael • February 25, 2018 5:32 PM

@Clive Robinson,

have you had further thoughts on the entangled bit communication...

Didn't have the time... Stay warm :)

Ratio • February 25, 2018 9:10 PM

@Wael,

[Limiting what people can publish is] a consequence of what you stated.

Saying, as I did, that if everybody was clear on what the term “air gap” meant, people would still try to find ways to steal data from air-gapped computers (and publish their findings) unless doing so were impossible by definition doesn’t imply that at all.

(That apparently was what prompted you to ask the question “who said anything about limiting what people can publish?”, so I’ll assume that’s what you’re referring to here.)

Here, the researchers discuss how to jump a "gap" using magnetism, which is supposedly not a viable attack doable against an energy-gapped system. And if it's doable, then the system isn't protected as claimed: an implementation weakness that may apply to a proper subset of the sample space.

To me, “energy-gapped” doesn’t mean anything, so I’ll try to look at it from your point of view. What the researchers are trying to do is then definitionally impossible: a system is an energy-gapped system if all forms of unwanted transmissions are prevented. Yes?

[...] you say that "air-gap" needs an extension to cover wireless.

Just to be clear, what I said was that you need to carefully explain what it would mean for the term “air gap” to extend to wireless, not that I’m in favor of such an extension.

In other words: the term "air-gap" by itself isn't an expression that completely covers the meaning of the goal.

Why would it? To me, “air gap” is part of the solution space, not the problem space.

When a definition needs extensions to cover the intended goals, then it fails (by definition.)

My definition of “air gap” doesn’t need any extension to cover what I intended for it to cover. Defining “air gap” to mean whatever is required to be a complete solution to some problem statement doesn’t strike me as particularly useful.

Techniques like that do exist and are in place.

The definition requires perfection. Do they still exist? Against all unknown future attacks?

[“Energy gap” is] a description of a state, just like "air-gap" is. And there is where the confusion comes. Example Requirement: Air-gap this system. Solution: [...] (in some people's minds.) Example Requirement 2: "Energy-gap" (I have some reservations as I stated before on the terminology.) Solution: [...], etc...

In both examples your “description of a state” refers to a goal state, using lingo of the solution space instead of the problem space.

Wael • February 25, 2018 9:24 PM

@Ratio,

Ok. Let's take it in steps:

Why would it? To me, “air gap” is part of the solution space, not the problem space.

What part of the solution-space does 'air-gap' cover and what does the solution space look like?

Ratio • February 25, 2018 9:59 PM

@Wael,

What part of the solution-space does 'air-gap' cover and what does the solution space look like?

It covers “lack of physical network connection between two computers or networks”.

Just now you mentioned other measures, techniques, whatchamacallits that are also part of the solution space. (I don’t think we disagree on any of that.)

Wael • February 25, 2018 10:36 PM

@Ratio,

I believe I understand what you're saying. But let's continue:

Problem Space = {Intentional physical connection, Unintentional stray connections}

Solution Space = {Break physical network connections, Shield Sound, Shield stray Electromagnetic fields, Shield Electric Fields, Shield Magnetic Fields, Shield Acoustics, Control Access, Adopt best practice OpSec...}

Attack Surface Space (so-called techniques of jumping air-gapped systems) = {Acoustics, Electromagnetic fields, Electric fields, Magnetic fields, Optical, Kinetic, ...}

Air-gaps cover the first element of the Solution Space. Agree? Also the term "Energy-gap" is part of the problem space (if you ignore the word 'shield'.) Agree?

Perhaps it's the reason I subconsciously disliked the word gap, but let's see...

Clive Robinson • February 25, 2018 11:47 PM

@ Ratio,

First explain in detail what you mean by,

lack of physical network connection

Because it sounds very much like a weasel-word definition, designed to give you vacuous argument space.

Ratio • February 26, 2018 5:33 PM

@Wael,

Maybe it helps if you read “problem space” and “solution space” as “problem statement” (or “specification” or “goal”) and “solution” (or “implementation”), respectively. Those are the two parts I want to clearly separate.

How would you describe the problem to be solved? What should be achieved? (Don’t express the problem in terms of possible solutions.)

Wael • February 26, 2018 8:27 PM

@Ratio,

Maybe it helps if [...] (Don’t express the problem in terms of possible solutions.)

What would help immensely is that you apply your prescription to the term "air-gap" and I'll model "energy-gap" following your steps! How 'bout that?

Ratio • February 26, 2018 9:21 PM

@Wael,

What would help immensely is that you apply your prescription to the term "air-gap" and I'll model "energy-gap" following your steps! How 'bout that?

For example, the problem is how to prevent unwanted communication of information between systems in some set A and systems not in A.

A solution to this problem might be to use an “air gap”, i.e. to make sure there is no physical network connection between systems in A and systems not in A.

Does that help?

Wael • February 26, 2018 10:23 PM

@Ratio,

For example, [...] Does that help?

Got it...

The Problem: How to prevent unwanted communication of information between systems in some set A and systems not in A.
A Solution: use an “air gap”, i.e. to make sure there is no physical network connection between systems in A and systems not in A.

The Problem: How to prevent unwanted communication via signal analysis and extraction of information via light emissions, passive or active targeting information from systems in some set A to system(s) not in A.
A Solution: Isolate the system under protection from external devices that may collect any form of light emissions, such as hard drive lights, embedded LEDs, etc... Make sure there is no light communication path between systems in set A and systems not in set A.

[...]

The Problem: How to prevent unwanted communication via signal analysis and extraction of information via ultrasound, passive or active targeting information from systems in some set A to system(s) not in A.
A Solution: Isolate the system under protection from external devices that may collect any form of ultrasound emissions or reflections -- reception or transmissions between systems in set A and systems not in set A.

The Problem: How to prevent unwanted communication via signal analysis and extraction of information via xxx, passive or active targeting information from systems in some set A to system(s) not in A.
A Solution: Isolate the system under protection from external devices that may collect any form of xxx emissions or reflections -- reception or transmissions between systems in set A and systems not in set A.

These 'xxx' are collectively grouped under 'forms of energy'. Then 'Energy-gap' is the term defined to signify the creation of a barrier that stops all forms of information transfer / command and control operations that use the identified forms of "energy", just like 'air-gap' is defined to mean lack of physical network connections between systems in set A and systems not in set A.

The problem is "air" does not belong to the set of "energies".

Ratio • February 26, 2018 11:30 PM

@Wael,

I don’t see “energy gap” anywhere in your examples. Wasn’t that the whole point?

[...] 'Energy-gap' is the term defined to signify the creation of a barrier that stops all forms of information transfer / command and control operations that use the identified forms of "energy", [...]

Where does “energy gap” go? Problem? Solution? It sounds like you’re using it as a solution, and defining it to mean something like “well, ya know, the barrier that solves the problem”. What am I missing here?

[...] like 'air-gap' is defined to mean lack of physical network connections between systems in set A and systems not in set A.

Note: “physical network connections”, not “communication of information” (as in the problem statement).

The problem is "air" does not belong to the set of "energies".

Why is that a problem?

Ratio • February 28, 2018 12:26 AM

@Clive Robinson,

You have still not answered the question...

I have not responded to yet another accusation, no. It’s still boring.

Clive Robinson • February 28, 2018 3:51 AM

@ Ratio,

I have not responded to yet another accusation,

I have not made an accusation, just made a valid response to one of your style of comments. After all, if you say,

The vacuous term “energy gap” strikes again.

You really should expect to be challenged on it on a "Security Blog", and you were.

Then, when you were, you started to do the written equivalent of waving your arms around ineffectually. When gently pressed you ended up saying that you regard an "air gap" as,

lack of physical network connection

Using it apparently as your reasoning base, it received from me the valid challenge of,

    First explain in detail what you mean...

Your failure to do so is something that appears from previous occasions to be part of your commenting behaviour. As such it is not a particularly good one, as it makes your first comment look not just unreasoned, ill thought out or invalid, but an ad hominem attack, which is usually considered not a good style at all.

But then I guess your commenting style is why @Wael was one of the few people who actually was polite enough to continue to acknowledge your comments rationally these days, albeit mainly in subjects not related to this blog's theme. @Wael has shown over many years a level of kindness, politeness and inclusiveness well over and above that of many others who come to this blog.

But as I said,

    First explain in detail what you mean by,

After you gave such an ill-defined definition of what you think an "air gap" is, you could easily argue it could mean anything or nothing. Such things are called "weasel words" or "squirrely words" for a reason. Thus, if people are kind enough, you get given the choice of redefining your definition, defending it or recanting.

They were, after all, your words; now it's your choice whether or not to defend, redefine or recant. But do not expect people to give you a pass on them on a "Security Blog", especially when you are using them as your reasoning base. And if you can not or will not defend your reasoning base... Well, what does it say of you and your argument?...

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.