HACKING THE AETHER: HOW DATA CROSSES THE AIR-GAP
It is incredibly interesting how many parts of a computer system are capable of leaking data in ways that is hard to imagine. Part of securing highly sensitive locations involves securing the computers and networks used in those facilities in order to prevent this. These IT security policies and practices have been evolving and tightening through the years, as malicious actors increasingly target vital infrastructure.
Sometimes, when implementing strong security measures on a vital computer system, a technique called air-gapping is used. Air-gapping is a measure or set of measures to ensure a secure computer is physically isolated from unsecured networks, such as the public Internet or an unsecured local area network. Sometimes it’s just ensuring the computer is off the Internet. But it may mean completely isolating for the computer: removing WiFi cards, cameras, microphones, speakers, CD-ROM drives, USB ports, or whatever can be used to exchange data. In this article I will dive into air-gapped computers, air-gap covert channels, and how attackers might be able to exfiltrate information from such isolated systems.
Many techniques presented here (but not all) would require a previous breach to have already compromised the isolated machine (usually installing some kind of malware in the process). This may have happened via a social engineering attack, an inside job, an undercover special operation or whatever James Bond scenario you have in mind, it’s not important for the current article scope. Although the malware delivery mechanism makes for an interesting problem and discussion, the scope of this article is on how to exfiltrate data after the breach (if a breach was, in fact, needed).
WHAT IS AN AIR-GAP COVERT CHANNEL?
An air-gap covert channel could be defined as any unintentional channel that is used to transmit and/or receive data between systems that are physically isolated and, by policy, not authorized to communicate with one another, in which air-gapping measures were taken at the emitter, receiver or both. Unintentional means that the channel was not originally designed to be used as a data channel, for example, the modem LEDs. Although there might me some additional software (malware) needed at the target system to make a particular covert channel viable, there is no additional hardware installed on such systems. In some cases there might be, however, specific hardware at the attacker’s end.
That being said, there are also ways so remotely monitor a system without any previous intervention. It has been shown in the past that it is possible to monitor the radiation emitted by a CRT monitor and even LCDs. Some of you might have heard of this form of computer surveillance, usually referred a Van Eck phreaking or as TEMPEST (although TEMPEST is a lot broader than just this form of surveillance). It’s possible to listen to computer keyboards, each key emits a slightly different noise when pressed so it’s possible to log key strokes without actually requiring logging software. Even the high frequency noise emitted by a CPU can include information about the instructions being executed.
There is a wide range of air-gap covert channels and one way to naturally organize them is by the physical channel that they use to achieve their goals. Currently researchers have been able to implement such channels using different mediums, such as:
- Physical Media
For the sake of the explanation, I will refer to using a channel as passive when there is no modification on the emitter/target side whatsoever and the receiver/attacker is essentially doing remote sniffing of a resource. In contrast, I will use the term active when there is the need for some kind of software to be running at the emitter/receiver, usually via a previous attack.