The air gap or air wall technique implies isolating one or more computers from unsecured networks. It can be implemented physically or theoretically, in the second case the isolation being realized only at a cryptographic level. Used in order to protect classified information, payment networks and control systems that operate critical infrastructure (or by privacy protection fanatics), air-gapping represents one of the maximum protection #measures.
This until recent #security specialists exploits demonstrated how computers secured via this method can in fact be vulnerable.
#stuxnet
The Stuxnet virus notoriously surpassed air-gapping. This breach, dating from 2010, with origins in 2007, deserves a special mention, because of the precedent created.
The Stuxnet worm aimed at Iran’s nuclear power program, carried by the Bushehr nuclear power plant. Qualified as a US and Israeli military-grade piece of malware, it proved that the bridge between the virtual and the real world could be crossed to affect public systems and nations.
The attack mechanism implied a worm entering the Windows computer via USB sticks. The spread was also targeting the machines that were not internet connected (first module). Secondarily the worm looked for a certain model of Programmable Logic Controller (PLC) made by Siemens (or, as the press called them, SCADA systems). This system operated by coded signals over communication channels providing control of remote equipment, specific to factory floors, chemical plants, oil refineries, pipelines and nuclear plants. The second module consisted of a link file that executed the spread. The third module was a rootkit component, which ensured detection prevention.
The number of infected computers was over 60,000.
Side channel signals
Side channels are described as “vectors of information leakage that arise as a byproduct of system design, rather than an explicit feature”. They allow sensitive information exfiltration when the VM isolation boundary is breached. The attack would have to be a sophisticated one, but once the precedent was created, it generates inspiration for other cyber attackers.
ElectroMagnetic (EM) side-channels are relevant, since software activity manifests itself in EM variations. Once the RF signals are separated from noise and enhanced, the potential attack becomes feasible. A Georgia Tech team also conducted research on this subject, but researchers in Israel carried the actual demonstration recently. The Georgia Institute of Technology team captured and analyzed data at up to six meters away. The only counter measure for such attacks would be a Farraday Cage – not at hand for any private users, which care for their privacy.
#air-hopper demonstration(s)
In 2015, the researchers from Ben Gurion University used a GSM network, electromagnetic waves and a basic cellphone. They showed that any mobile device could become an attack vector. The malware set to extract data from the air-gapped computer has to be installed both on the phone and on the targeted computer. Once this condition is met, the attackers can exfiltrate data from the target. There were two case studies, on a laptop LCD, and on a desktop LCD connected to the PC graphics card with a DVI cable – the cable being the primary leaking signal source.
Interestingly enough, this recent breakthrough shows that unrestricted basic devices can become a threat for isolated, #sensitive data VR machines. Current security policies allow employees to carry basic communication devices that could be used in such attacks. Even more, close proximity is not necessary. A receiver works up to 30 meters from the isolated target. Previously, the range for the experiments extended only at 23 feet (approx. 7 meters) – in 2014.
In summary, an unsuspecting employee receives a text message on his phone, and the malware installs itself on the cellular device. What the malware does is building a network connection out of the EM waves at his disposal, installing a virus onto a computer or server via FM frequencies. Passwords and data are siphoned to the designated nearby mobile phone (the receiver).
On the up side, physical access to the computer proximity is still necessary – even if the virus “carrier” is unaware of his part in the exploit.
NSA #tempest Program
The NSA TEMPEST program also explored this technique in extracting data about screens, fax/printers, audio devices and keyboards. Their exploit did not involve installing any agent on the VR target, and the bugs used belong to the ANGRYNEIGHBOR family. The NSA method involved a piece of hardware called Cottonmouth-I, and the receiver was a relay station situated up to 8 miles distance.
It is rumored that the program was around since the 80s. Actually the first unclassified published analysis pertained to Wim van Eck and dated from 1985. Because of this, the potentially vulnerable emanations are sometimes called “van Eck radiations”. Previous to the computer era, such emanations were used to leak information from the teleprinter screens.
#bitwhisper demonstration
The same team of researchers explored in early 2015 a covert bi-directional communication channel between two close air-gapped computers. Dubbed BitWhisper, the experiment used heat emissions as the means of inter VR communication.
Small bits of information (8 bits per hour) could be extracted via this method, in order to be used for sending malicious commands to the targeted computer.
BitWhisper used the CPU or GPU thermal sensors from an infected device to determine its positioning in relation with the targeted air-gapped computer. A sequence of thermal “pings” establishes an interconnection. Bridging the two VR terminals, the isolated, targeted one, and the infected one, was the next step of the attack. The initial range for bridging was 40 centimeters/about 15 inches, but the researchers reported being able to increase the active distance.
On the up side again, the proof-of-concept attack needs the previous installation of malware on both VRs involved. In addition, the proximity condition requires physical intervention, willingly or not.
Useful measures in air gapping
When trying to establish and maintain a secured air-gapped computer, these measures might help:
• (operating measures) Minimizing installed software – the less the better; all operating system services that are not necessary should be disabled; all installations should be made off-network;
• (configuration measures) If possible, the initial configuration should be made without connecting to Internet, and this should remain the rule all through using the isolated computer – again, take precautionary measures and disable all connecting capabilities;
• (transfer measures) Scan any type of files before transferring them onto your secured computer to make sure they are not infection carriers; use the smallest storage device possible when transferring files and do not connect directly to other computers; encrypt everything you move to and from your computer;
• (physical measures) Limit the use of peripherals; turn off audio systems to avoid manipulation of inaudible sound waves; ban cellphones and other devices in the proximity of the protected computer
Extreme measures can involve the use of a Faraday cage or isolating the computer room against electronic field transmissions.
The assumption of security for air-gapping is obviously no longer valid; therefore additional protection means are justified. Precautionary methods may vary once the cyber security community processes the new studies and builds a reaction.
