3 Steps To Solidifying Air-Gap Security
Your isolated systems may not be as secure from exfiltration or external control as you think.
December 8, 2014
The past year has challenged security assumptions about the almighty air gap, as several researchers have lately shown new and creative ways to facilitate attacks on systems and networks completely isolated from the Internet. Often viewed as the ultimate defense for the most sensitive systems, air-gap isolation is a way to make it much harder for attackers to communicate with machines, even if they still manage to infect it. But the technique may not be good enough protection in its own right. The research that has emerged since this time last year shows that, even with no Internet, Bluetooth, or other online connection, it is possible to use connections through peripherals, audio equipment, and even graphics cards to transmit information from these systems.
More importantly, the proofs of concept brought forward are not all farfetched. According to analysis done by a Symantec researcher last week on the work done against air gaps, at least a couple of them are pretty plausible, given the fact that attackers seeking out air-gapped systems are usually very motivated to crack these juicy targets.
"System administrators may choose to air gap military systems, computerized medical systems, and control centers of critical infrastructure in order to protect data from attacks," John-Paul Power, a researcher for Symantec, wrote in his analysis. "Unfortunately, no system is 100 percent secure and there will always be a way to chip away at defenses."
Understanding the emerging research should put administrators of air-gap systems on notice never to set and forget their isolated systems. As they monitor for new research, they should consider the following countermeasures to address weaknesses found in late 2013 and throughout 2014.
Turn off audio on all air-gapped systems
Around this time last year, researchers Michael Hanspach and Michael Goetz helped kick off recent breakthroughs in air-gap security research with a paper that showed how it was possible to transmit data between computers using sound sent through built-in microphones and speakers.
Using their proof of concept, if attackers were able to infect an air-gapped computer, they could send data through the speaker using maliciously manipulated sound waves inaudible to the human ear. That information could then be picked up by a non-air-gapped but similarly infected system using its internal microphone. It works up to 65 feet between two machines, but that can be extended using a mesh network The plausibility of the attack is high, says Power, particularly for exfiltration. The saving grace is that the bitrate is low, so we're talking sensitive password files and encryption keys, rather than huge data sets.
Nevertheless, if that kind of theft would be detrimental, enterprises should consider whether their systems could be vulnerable to this attack. The easiest way to do this is to disable audio on all air-gapped systems.
"Operators could employ the use of audio filtering to block sound in a specific frequency range on air-gapped computers to avoid attacks. Finally, the researchers suggest the use of an audio intrusion detection guard that would analyze audio input and output and raise a red flag if it detects anything suspicious."
Limit peripheral use on air-gapped machines
This fall, researchers at Black Hat Europe demonstrated how already infected air-gapped machines could be manipulated to receive malicious commands through a multi-function printer's scanner to which it is connected through infrared laser light pointed at the scanner.
Pulses of light sent in a pattern corresponding to a binary Morse code developed by researchers Yuval Elovici and Moti Guri of Ben-Gurion University in Israel would be interpreted by the malware to carry out certain commands. The research also worked on a rudimentary way to send data using light, but the receiving of commands showed the most promise. Researchers believe that this method could be used up to five kilometers away, though it was tested only at 1,200 kilometers. Power believes the need for decent visibility to the scanner, along with the fact that it needs to be running at the time of attack, makes this the least plausible among recent research.
"The most glaring problem with this attack technique is that if there is no window in the room where the isolated system is contained, it's back to the drawing board for our would-be attackers," Power explains.
However, if air-gapped systems are connected to a scanner anywhere near a window, attackers could program malware to turn it on at regular intervals.
Organizations worried about such an attack may well consider limiting peripheral use on these sensitive machines. This also makes sense for preventing infection in the first place, since one of the major sources of infection on air-gap systems is through infected USB devices and memory sticks. Stuxnet offers a great case study in how that can happen.
Ban cellphones near air-gapped machines
The most recent -- and arguably most creative -- method recently uncovered, also by researchers at Ben-Gurion University, is a technique that uses FM radio signals sent from an infected computer's graphics card and received by a smartphone either controlled by an insider attacker or infected with corresponding malware.
Researchers Mordechai Gur and Yuval Elovici created a proof-of-concept malware package called AirHopper that creates image patterns that don't necessarily look different to the human eye but create an FM carrier wave that can be modulated with a data signal. According to Symantec's Power, this method is the most plausible among these three for its exfiltration possibilities, though it also has limitations in transmission speed.
Nevertheless, a smartphone with AirHopper installed needs to be in range of the targeted system's monitor for only eight seconds to load a 100-byte password file.
Organizations serious about air-gap security may want to consider banning devices within a certain range of these systems, Power says. "If that is impractical, the use of electromagnetic shielding would stop any signals being transmitted from the isolated network."
About the Author
You May Also Like