
Communications of the ACM

Review articles

Bridgeware: The Air-Gap Malware


Many organizations store and process sensitive information within their computer networks. Naturally, such networks are the preferred targets of adversaries due to the valuable information they hold. Securing computer networks is a complex task involving the installation of endpoint protection, maintaining firewalls, configuring intrusion detection and intrusion prevention systems (IDSs and IPSs), and so on. However, regardless of the level of protection, a persistent attacker will eventually find a way to breach a computer network connected to the Internet. Consequently, if a network stores sensitive or classified information, an 'air-gap' approach is often used to prevent such a breach.

Air-gapped networks have no physical or logical connection to public networks such as the Internet. Such networks are used where the information stored in, or generated by, the system is too sensitive to risk a leak; military networks such as the Joint Worldwide Intelligence Communications System (JWICS) are one example.12 Air-gapped networks are also common in critical infrastructure and control systems, where a breach can have catastrophic results. They are not limited to military or critical-infrastructure settings, however: stock exchanges, insurance companies, biomedical manufacturers, and a wide range of other industries use isolated networks in their IT environments.30 These networks hold intellectual property, financial data, trade secrets, confidential documents, and personal information, and air-gap isolation is meant to protect that data.

Breaching the air-gap vs. bridging the air-gap. Despite the physical isolation and lack of external connectivity, attackers have compromised such networks in the past. The most famous cases are Stuxnet and Agent.btz,38 although other incidents have been reported from time to time.43 Motivated attackers can breach air-gapped networks in several ways, and some of the tactics used have been exposed in recent years. In a supply chain attack, the attacker loads malware onto equipment before it reaches the target, while it is still in the supply network. Another tactic is to infect a USB drive that is then carried into the target network and used there by an insider with the appropriate credentials, whether that insider is malicious or merely deceived. Several recent incidents have shown that these types of breaches are feasible.14

Breaching the internal network is only the first phase of an attack. After infiltrating the network, the attacker must maintain a communication channel with the malware in order to receive data. To that end, the attacker must move beyond breaching the air-gap and bridge the air gap that separates the attacker from the targeted network in which the malware is operating or is present. Although a onetime breach into an air-gapped network is evidently possible, continuous bridging of the air-gap in order to facilitate the exfiltration of data is a significantly more challenging task.

TEAPOT, TEMPEST, and EMSEC

The threat of exfiltrating data through the air-gap has been the subject of public research since the 1990s, but investigation actually began much earlier with governmental research conducted by the U.S. Department of Defense. The basic idea behind this research is based on the fact that computer systems are electronic devices that emanate electromagnetic radiation at various wavelengths and strengths. By intentionally manipulating the emanated radiation, information can be modulated and leaked out of the system despite the physical isolation of an air-gap.

The U.S. defense research community has considered the malicious potential of such techniques for a long time, as shown by the definition of a code word for this field of study in an NSA document that was partially declassified in 1999:

"TEAPOT: A short name referring to the investigation, study, and control of intentional compromising emanations (i.e., those that are hostilely induced or provoked) from telecommunications and automated information systems equipment."34 Also related are the terms 'TEMPEST' and 'compromising emanation' which refer to the threat posed by emissions that unintentionally leak from electronic devices:

"Compromising Emanations: Unintentional data-related or intelligence-bearing signals that, if intercepted and analyzed, disclose the information transmitted, received, handled, or otherwise processed by any information processing equipment. See TEMPEST."33

The term TEMPEST is now commonly used in modern academic literature and publications to generally describe any threat or defense related to compromising emanation. EMSEC (Emanation/Emission Security) refers to countermeasures used to defend against TEAPOT and TEMPEST threats.

Issues related to TEMPEST, TEAPOT, and EMSEC began to attract public attention in 1985, when Dutch researcher Wim van Eck published the first open paper on the topic.42 Van Eck reconstructed the content of a CRT screen from a range of tens of meters using about $15 worth of equipment. Since the beginning of this century, academic research has introduced a series of new techniques for compromising emanation and data leakage from air-gapped facilities. Interestingly, documents leaked in 2014 by NSA contractor Edward Snowden mention a product code-named Cottonmouth (CM): hidden radio transceivers physically installed in USB equipment in order to maintain a bi-directional communication channel with malicious software running in air-gapped facilities.37

* Leakage Scenarios

In attacks that involve data leakage, malware is typically used to gather sensitive data (for example, passwords, documents, keystrokes, and personal records) and send it back to the attacker. The data is sent over the Internet, usually in encrypted form. To evade detection by firewalls and anti-virus software, the malware may also hide the information within so-called covert channels; for example, it may leak a password file inside an innocent-looking HTTP request. Many types of covert channels have been investigated over the years, including email protocols, DNS requests, and VoIP traffic.44 More recently, covert channels for devices such as smartphones and smartwatches,9 3D printers,10 and IoT devices11 have also been studied.

In an air-gapped network, malware has no Internet access, so special types of covert channels are needed. To leak data, the malware exploits emanations from various computer components to establish an out-of-band covert channel to the outside world. Like any communication channel, such a covert channel has two ends, a transmitter and a receiver. In the context of air-gap bridging, there are three scenarios for air-gap communication, each involving different types of transmitters and receivers (depicted in Figure 1):

Figure 1. Three scenarios of bridging the air-gap between an isolated network and an attacker.

  1. Computer-to-computer. In this scenario the malware transfers data between two closely positioned computers, one air-gapped and one with Internet connectivity. As illustrated, the air-gapped computer (A) leaks data to a nearby computer (B), which in turn transfers the information to the attacker (E) over the Internet. Such a scenario is likely in modern offices, where computers from different networks may be positioned alongside one another for practical reasons or due to space limitations.
  2. Computer-to-mobile. In this scenario the malware transmits data from an air-gapped computer to a nearby mobile phone. As illustrated, a computer (A) leaks data to a nearby mobile phone carried by an employee or visitor (C), which in turn transfers the information to the attacker (E) over the Internet via cellular data or Wi-Fi. This scenario has become more realistic with the bring-your-own-device trend, in which employees commonly bring their personal mobile devices (smartphones, tablets, and mini-tablets) to the workplace.
  3. Computer-to-equipment. In this scenario the malware transmits data from an air-gapped computer to dedicated equipment such as a sound recorder, RF receiver, or remote camera. As illustrated, a computer (A) leaks data to a receiver located some distance away (D), which in turn transfers the information to the attacker (E) over the Internet.

Non air-gapped networks. In addition to the air-gap scenarios above, the covert channels discussed in this article are relevant to regular, non air-gapped networks as well. In this case the target network, despite having a connection to the Internet, is highly secured, with heavy monitoring of inbound and outbound traffic. An attacker may therefore choose not to use Internet traffic for exfiltration and instead resort to another type of out-of-band covert communication. By doing so, the attacker bypasses security measures such as firewalls, traffic analyzers, and network monitors, remains stealthy, and evades detection.

Covert channels vs. side channels. In light of the leakage scenarios, air-gap covert channels correspond to TEAPOT attacks, in which malware intentionally generates compromising emanation from computer components in order to leak data. Side channels, on the other hand, correspond to TEMPEST attacks, in which attackers make use of emissions that leak unintentionally from a computer. Through side channels, an adversary may learn about the data being processed by devices such as CRT displays25 or communication equipment.28

* Types of Covert Channels

Over the years, various techniques have been proposed, enabling covert communication over an air-gap separation. These techniques can be classified into four main groups: acoustic/ultrasonic, electromagnetic, thermal, and optical methods. Here, we review these techniques and describe their primary characteristics.

An extensive amount of research has been conducted on a wide range of covert communication channels.44 Closer to this work, Carrara provides a thoughtful analysis of non-conventional, out-of-band covert channels.7 Our work differs from other work in the field (for example, Carrara7) in terms of focus, coverage, and discussion.

Focus. We focus on covert channels used by attackers to exfiltrate data from highly secure, air-gap networks. Therefore, we don't discuss topics such as side channels and mobile-to-mobile communication that are less relevant to the attack model.

Coverage. We comprehensively survey both new and existing air-gap covert channels. Notably, a major segment of these covert channels have been developed in recent years and have not yet been covered in previous work (for example, methods found in the following references:3,4,6,15,16,18,20,21,22,23,32,36,39)

Discussion. Our discussion takes place in the context of cybersecurity. We discuss an attack model and various leakage scenarios in air-gap environments. We also examine its relevance in the modern IT environment, considering such areas as hardware availability, virtualized environments, and the required credentials.

Acoustic methods are based on leaking data over sound waves at sonic and ultrasonic frequencies. Madhavapeddy et al.29 first introduced data transmission over audio in 2005 when they discussed audio-based communication between two computers. Two computers, equipped with speakers and a microphone, can exchange data over audio waves in the same way an old dial-up modem works. Obviously, in its original form, acoustic communication is not covert, since people in the room can easily hear the transmission noise. To prevent this, attackers may resort to ultrasonic communication.

Ultrasonic. The main idea in ultrasonic covert channels is to use a computer speaker to produce audio waves at frequencies that are beyond or at the limit of human hearing capabilities. Humans with perfect hearing can perceive sound frequencies within the range of 20Hz to 20,000Hz. However, sometime around the age of eight, sensitivity to the upper frequency limit begins to decrease, and most adults cannot hear frequencies above 17,000Hz.5

In 2013, Hanspach et al. showed how to construct a covert channel between isolated computers over ultrasonic sound waves.24 They observed that an ordinary speaker and microphone can produce and sense sound waves at up to approximately 24,000Hz, well above the range of human hearing. Consequently, two computers equipped with speakers and microphones can communicate covertly over ultrasonic sound. They extended the idea to multi-hop communication, creating a wireless mesh network over an air-gap: each computer receives data through its microphone and in turn broadcasts it to the next hop, and once a computer with an Internet connection receives the packet, it sends the data to the attacker. Their method maintained communication between computers at a distance of 19.7 meters with a bandwidth of 20 bits per second (bit/sec). Similarly, O'Malley and Choo examined different exfiltration scenarios using laptop speakers and microphones at high-frequency sounds up to approximately 23kHz.35 Air-gap communication over inaudible sound has also been examined comprehensively by Lee et al.27 and by Deshotels.8
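To make the mechanics of such a channel concrete, here is an added example (not code from the article or from any of the cited works) of a minimal binary-FSK "ultrasonic modem": bit 1 is a burst of one tone, bit 0 a burst of another, and the receiver decides each bit by comparing the energy at the two frequencies with the Goertzel algorithm. The tone frequencies (18/19kHz), sample rate, 100 bit/s symbol rate and the preamble are assumptions chosen for the example; a real transmitter would feed the samples to a sound card and the receiver would record from a microphone, neither of which is shown. The simulated recording (start offset plus noise) is constructed in the block.

```python
"""Added example: binary-FSK modem over near-ultrasonic tones (pure Python, offline)."""
import math
import random
from typing import List, Optional

SAMPLE_RATE = 48_000          # Hz; a common sound-card rate (assumed)
F0, F1 = 18_000.0, 19_000.0   # tone for bit 0 / bit 1; above most adults' hearing (assumed)
BIT_SAMPLES = 480             # 10 ms per bit -> 100 bit/s; both tones fit an exact Goertzel bin
PREAMBLE = [1, 0, 1, 0, 1, 0, 1, 1]   # sync word the receiver searches for (assumed)


def _bits(data: bytes) -> List[int]:
    """MSB-first bit list of `data`."""
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def modulate(payload: bytes) -> List[float]:
    """Frame = PREAMBLE + 8-bit length + payload; every bit becomes one tone burst."""
    if len(payload) > 255:
        raise ValueError("single-byte length field")
    bits = PREAMBLE + _bits(bytes([len(payload)])) + _bits(payload)
    out, phase = [], 0.0
    for b in bits:
        step = 2 * math.pi * (F1 if b else F0) / SAMPLE_RATE
        for _ in range(BIT_SAMPLES):
            out.append(0.5 * math.sin(phase))
            phase = (phase + step) % (2 * math.pi)   # continuous phase: no clicks at bit edges
    return out


def goertzel_power(samples: List[float], freq: float) -> float:
    """Energy of `samples` at `freq` (single-bin DFT, no full FFT needed)."""
    n = len(samples)
    k = round(n * freq / SAMPLE_RATE)
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def _symbols(samples: List[float], offset: int) -> List[int]:
    """Hard-decide one bit per BIT_SAMPLES chunk, starting at `offset`."""
    bits = []
    for i in range(offset, len(samples) - BIT_SAMPLES + 1, BIT_SAMPLES):
        chunk = samples[i:i + BIT_SAMPLES]
        bits.append(1 if goertzel_power(chunk, F1) > goertzel_power(chunk, F0) else 0)
    return bits


def demodulate(samples: List[float]) -> Optional[bytes]:
    """Coarse bit sync by trying a few offsets, then locate PREAMBLE and read length + payload."""
    for offset in range(0, BIT_SAMPLES, BIT_SAMPLES // 8):
        bits = _symbols(samples, offset)
        for start in range(len(bits) - len(PREAMBLE) + 1):
            if bits[start:start + len(PREAMBLE)] != PREAMBLE:
                continue
            pos = start + len(PREAMBLE)
            if pos + 8 > len(bits):
                break
            length = int("".join(map(str, bits[pos:pos + 8])), 2)
            pos += 8
            if pos + 8 * length > len(bits):
                break
            body = bits[pos:pos + 8 * length]
            return bytes(int("".join(map(str, body[i:i + 8])), 2) for i in range(0, len(body), 8))
    return None


def simulate_channel(samples: List[float], seed: int = 1, lead_in: int = 123,
                     noise: float = 0.05) -> List[float]:
    """Constructed 'recording': the receiver starts mid-silence and adds uniform noise."""
    rng = random.Random(seed)
    recording = [0.0] * lead_in + samples
    return [x + rng.uniform(-noise, noise) for x in recording]


if __name__ == "__main__":
    tx = modulate(b"pw:hunter2")
    print(demodulate(simulate_channel(tx)))   # b'pw:hunter2'
```

The two tones are 1kHz apart and each bit window is exactly 10ms, so both land on integer Goertzel bins and do not leak into each other; a deployed channel would additionally need error detection (a CRC per frame) and a slower symbol rate to survive room echoes, which is why the published systems report tens of bits per second rather than hundreds.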

Interestingly, in 2013 security researcher Dragos Ruiu claimed to have found malware, which he dubbed "BadBIOS," that communicates between instances of itself across air-gaps using ultrasonic sound between a laptop's speakers and microphone. This was the first reported sighting of air-gap malware in the wild,13 although the claim was never independently confirmed.

Speakerless computers. Acoustic covert channels rely on audio hardware and a speaker in the transmitting computer. For that reason, common practice and security policy prohibit speakers and microphones on secure computers, creating a so-called "audio-gap."1 On-board audio may also be disabled so that a speaker accidentally plugged into the line-out connector has no effect. Disabling the audio hardware and keeping speakers disconnected from sensitive computers effectively mitigates the acoustic and ultrasonic covert channels presented thus far.40
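An "audio-gap" policy is only as good as its enforcement, so here is an added example (not from the article) of a compliance check for a Linux host. It parses the kernel's own views, /proc/asound/cards, /proc/modules and the modprobe configuration, whose formats are real; the three rules and the function names are the example's own. Note that a `blacklist` line only stops automatic loading, whereas `install snd /bin/false` also defeats an explicit `modprobe`, so the check accepts either but a strict policy should require the latter. The sample file contents used in the test are constructed.

```python
"""Added example: audit a Linux host for audio-gap compliance from kernel state files."""
import glob
import re
from typing import List

# " 0 [PCH            ]: HDA-Intel - HDA Intel PCH"  -> a registered sound card
CARD_LINE = re.compile(r"^\s*\d+\s+\[")
# First token of a /proc/modules line, e.g. "snd_hda_intel 53248 3 - Live 0x..."
SND_MODULE = re.compile(r"^(snd\w*)\s")
# A modprobe rule that prevents the ALSA core from loading (comments start with '#').
SND_RULE = re.compile(r"^\s*(blacklist|install)\s+snd\b", re.M)


def audio_gap_findings(asound_cards: str, proc_modules: str, modprobe_conf: str) -> List[str]:
    """Return policy violations; an empty list means the host is audio-gap compliant."""
    findings: List[str] = []
    cards = [line.strip() for line in asound_cards.splitlines() if CARD_LINE.match(line)]
    if cards:
        findings.append("sound card(s) registered: " + "; ".join(cards))
    loaded = [m.group(1) for m in map(SND_MODULE.match, proc_modules.splitlines()) if m]
    if loaded:
        findings.append("ALSA modules loaded: " + ", ".join(sorted(loaded)))
    if not SND_RULE.search(modprobe_conf):
        findings.append("no modprobe rule prevents loading the 'snd' core module")
    return findings


def check_host() -> List[str]:
    """Run the check against the live system (read-only; unreadable files count as empty)."""
    def read(path: str) -> str:
        try:
            with open(path) as f:
                return f.read()
        except OSError:
            return ""
    conf = "\n".join(read(p) for p in sorted(glob.glob("/etc/modprobe.d/*.conf")))
    return audio_gap_findings(read("/proc/asound/cards"), read("/proc/modules"), conf)


# Constructed samples, in the real file formats, for offline use.
NONCOMPLIANT_CARDS = (" 0 [PCH            ]: HDA-Intel - HDA Intel PCH\n"
                      "                      HDA Intel PCH at 0xf7f10000 irq 32\n")
NONCOMPLIANT_MODULES = ("snd_hda_intel 53248 3 - Live 0x0000000000000000\n"
                        "snd 110592 10 snd_hda_intel, Live 0x0000000000000000\n"
                        "xfs 1806336 2 - Live 0x0000000000000000\n")
COMPLIANT_CARDS = "--- no soundcards ---\n"
COMPLIANT_CONF = "# audio-gap policy\ninstall snd /bin/false\n"

if __name__ == "__main__":
    for finding in check_host() or ["audio-gap policy satisfied"]:
        print(finding)
```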

Fansmitter is an acoustic covert channel introduced in 2016 that requires neither speakers nor audio hardware.21 It uses the noise emitted by the CPU and chassis fans present in virtually every computer: malware regulates the fans' speed to control the acoustic waveform the computer emits, and binary data modulated onto these signals can be received by a mobile phone eight meters away. A video demonstrating Fansmitter can be viewed online.a DiskFiltration, also introduced in 2016, is a covert channel that leaks data from speakerless air-gapped computers via acoustic signals emitted by the hard disk drive (HDD).22 Malware on a compromised machine generates acoustic emissions at certain frequencies by controlling the movement of the HDD's actuator arm; digital information modulated onto these signals can be picked up by a receiver two meters away. A demonstration video of DiskFiltration can also be viewed online.b Table 1 provides details about the acoustic covert channels discussed.

Table 1. Acoustic/ultrasonic air-gap covert channels.

Electromagnetic radiation (EMR) is a form of energy emitted by electronic components. EMR consists of electromagnetic (EM) waves that propagate through space. Put very simply, wireless communication is based on the transmission and reception of such waves between a transmitter and a receiver, with the waves modulated to carry information. Many components, such as wiring, computer monitors, video cards, and communication cables, emit EMR in the radio frequency spectrum, and in some cases these incidental emissions can be modulated to carry information to nearby receivers.

AM and FM radio frequencies. A computer screen receives its image from the graphics card continuously over the video cable, and the signal carried by the cable is determined by the image being displayed. The current flowing through the cable's conductors causes it to radiate, so the cable acts as an antenna. In 1998, Kuhn and Anderson published the first open research on software-controlled TEMPEST emanations,26 demonstrating that the EMR originating from a desktop computer's graphics card can be manipulated by appropriate software to produce controllable AM radio transmissions. Whenever specially generated images are displayed on the screen, AM radio signals are emitted from the video cable: the pattern of pixels on the screen determines the frequency and amplitude of the electromagnetic waves, so displaying images with specially calculated patterns produces the required AM signal.

In 2001, Thiele released an open source program dubbed "TEMPEST for Eliza,"41 which uses the computer monitor to transmit at AM radio frequencies, modulated with specific audio tones. In his demonstration, a rendition of Beethoven's "Für Elise" was modulated over AM radio and could be heard on a cheap radio receiver placed in the same room.

More than a decade later, in 2014, Guri et al. introduced a new type of attack that uses TEMPEST to exfiltrate data from air-gapped computers.17,19 The malware, called "AirHopper," bridges the air-gap between an isolated network and nearby infected mobile phones using FM signals. The malware within the air-gapped network collects sensitive data such as keystrokes, passwords, and encryption keys and transfers it to a nearby mobile phone over FM radio signals intentionally emitted from the screen cable. AirHopper can transmit up to 60 bytes per second to a mobile phone located seven meters away from the leaking computer. A demonstration video of AirHopper can be viewed online.c

Cellular frequencies. Smartphones with Wi-Fi, Bluetooth, and FM receivers might be physically banned from classified or sensitive areas of an organization. However, in many cases simple mobile devices with limited capabilities are not considered a threat and are hence permitted in secured facilities. In 2015, researchers introduced a malware that can turn an ordinary PC into a cellular transmitting antenna.16 The malware, codenamed "GSMem," transmits electromagnetic signals at cellular (GSM, UMTS, and LTE) frequencies by invoking specific memory-related CPU instructions. The researchers showed that transmitted signals can be intercepted by a nearby low-end, GSM mobile phone. A demonstration video of GSMem can be found online.d

Other techniques. SAVAT (Signal Available to the Attacker) is a metric that measures the electromagnetic signal created during execution of a program.6 The researchers observed that each basic instruction draws a slightly different amount of current when executed in the CPU, and the resulting fluctuations create EMR that can be captured some distance from the computer. A program can therefore generate electromagnetic signals from the CPU by alternating between pairs of instructions. An attacker measures the EMR across the air-gap and uses the SAVAT metric to distinguish between "0" and "1" and decode the exfiltrated data.

Funtenna, introduced in 2015, is malware that intentionally causes compromising emanation from embedded devices.4 Its authors describe it as a software payload that causes its host hardware to act as an improvised RF transmitter, using existing hardware that is not designed for electromagnetic emanation. The method drives the general-purpose output pins (GPIO) common in embedded systems to create EMR in the 5MHz to 10MHz range. Data encoded on the emission can be intercepted remotely by an attacker with an RF receiver and antenna. A demonstration video of Funtenna can be viewed online.e

In 2013, the NSA catalog leaked by Edward Snowden exposed Cottonmouth, a tool that provides air-gap communication with host software over a USB dongle implanted with an RF transmitter and receiver.37 The USBee malware,18 presented in 2016, can be seen as a software-only successor of the Cottonmouth tool: it turns an unmodified USB connector into an RF transmitter by generating controlled electromagnetic emissions from its data bus. Using this technique, information can be leaked from an air-gapped computer to a simple receiver located over nine meters away. A demonstration video of USBee can be viewed online.f Table 2 provides details about the electromagnetic covert channels discussed.

Table 2. Electromagnetic air-gap covert channels.

Thermal. More recently, heat emission for air-gap communication has also been proposed. BitWhisper, introduced in 2015, uses heat to transfer data between two adjacent computers.20 A typical scenario consists of adjacent computers from two different networks, one of which is connected to the Internet, while the other is air-gapped. The basic idea is to establish a bi-directional communication channel over thermal manipulation (Figure 2). The transmitter computer intentionally emits heat for a specified amount of time (for example, by performing intensive calculations). The receiver computer uses the standard motherboard temperature sensors to measure the environmental temperature changes. Binary data can be modulated over the heat fluctuation to establish a link between the two air-gapped computers. A video demonstrating BitWhisper can be viewed online.g

Figure 2. An exchange of 'thermal pings' between two air-gapped computers.

Using the same technique, researchers have shown that an attacker who infects the air conditioning control system with malicious code can broadcast messages to a group of computers located in the same room or building.32 Such systems are commonly connected to the Internet for remote control and monitoring. The attacker regulates the room temperature, encoding binary information in the temperature changes, and the computers monitor the temperature changes in the room and decode the covert broadcast.3 Covert thermal channels between two isolated cores in the same computer case are discussed by Bartolini et al.,3 who showed that two neighboring cores on the same server platform can communicate at 12.5bit/sec. Table 3 provides details about the thermal covert channels discussed.

Table 3. Thermal air-gap covert channels.

Optical. Using optical emanation as a covert communication channel was also proposed in various forms. In the general form, two components are involved in the covert channel: a light-emitting source that exfiltrates the information and a remote camera that records the optic signals.

LEDs. Loughry and Umphress28 built malware that manipulates the LED indicators of a keyboard to encode sensitive information. They found that a single keyboard LED can be driven at 150bit/sec; using two or three LEDs in parallel raises the bandwidth of the covert channel to approximately 450bit/sec. An attacker with a line of sight to the keyboard records the LED activity with a high-speed video camera. In another attack, proposed by Stepansky et al., the on/off LED indicator of a computer screen is used to exfiltrate information at 25bit/sec.39 In 2017, Guri et al. demonstrated how data can be leaked from air-gapped computers by controlling the blinking of the hard drive activity LED.23,h They achieved a maximum bit rate of 4000 bits per second, a blinking rate beyond the visual perception of humans. Note that some LEDs (for example, on routers and hard drives) routinely flicker, so users are unlikely to become suspicious of changes in their behavior.

Covert optical methods. A unique infiltration attack proposed in 2015 by Shamir et al. demonstrated how to establish a covert channel with a malware over the air-gap using a standard all-in-one printer.36 In this case, a remote beam of blue laser blinked information in binary code; the laser was sent to the target building (aimed at a room in the building housing an all-in-one-printer) from a distance greater than one kilometer away. Malware located within the air-gapped network utilized the scanner sensors to receive the signals. The malware could also send out signals by turning the scanner lamp on and off to encode binary data. The researchers demonstrated how a drone with a laser beam and camera positioned outside a window could perform the transmission and reception tasks successfully.

VisiSploit, introduced in 2016, is a stealthy optical covert channel.15 The method exploits the limits of human visual perception to leak sensitive information through the computer's LCD screen: malware on the compromised computer embeds the information in the screen image in a covert manner (for example, by fast blinking), invisible to and unnoticed by the user. The researchers showed that an attacker could reconstruct the concealed data from a photo taken by a hidden camera located eight meters away. Table 4 provides details about the optical covert channels discussed.

Table 4. Optical air-gap covert channels.

* Attack Metrics

Most of the air-gap related covert channels have been demonstrated in experimental environments in research laboratories. However, in addition to considering a method's theoretical feasibility, it is important to examine its practical applicability and the likelihood that it may occur in a real cyberattack. Here, we examine six characteristics related to the relevance of such covert channels in realistic attack scenarios.

Stealth. There are two aspects regarding the stealth of the attack, and both are related to detection. The first is the method's ability to evade detection by software. If the malicious code consumes CPU at high levels, uses special system calls, or utilizes unique resources, it might be easier to detect by antivirus or host intrusion detection products. The second aspect is the ability to evade detection by humans (for example, people in the room). Naturally, some optical and thermal methods can be sensed by people, and hence are more likely to be noticed during the workday, while electromagnetic and ultrasonic methods are considered more covert.

Channel availability. Another characteristic is the communication channel's availability during the day. In some methods, transmission or reception is possible only when the computer is idle or the workload is low; this is particularly relevant to EM methods such as AirHopper and SAVAT. Optical attacks might, in practice, only be usable when no user is in the room (for example, data exfiltration via blinking LEDs).

Virtualization and cloud environment. Modern IT environments may consist of workstations and servers running as virtual machines (VMs). Electromagnetic methods depend on precise timing of the CPU and GPU, which may be disrupted when multiple VMs share a physical machine. In addition, malware executing in a VM may have no access to the system resources that enable the covert channel; acoustic methods, for instance, require access to the audio system, which can be disabled for VMs.

Hardware availability. Methods for bridging the air-gap have been proposed since the 1990s, so some of the attacks were conducted on hardware that has since become outdated. The TEMPEST-AM relay attack was conducted on CRT monitors and VGA connectors and is less relevant in today's environment. In contrast, attacks such as GSMem, Funtenna, and USBee use components that are indispensable in modern systems. Ultrasonic channels require speakers and microphones, which might not be present in all setups. Notably, thermal sensors and heat emitters (CPUs and GPUs) exist in every system, making thermal attacks relevant to nearly all off-the-shelf computers.

Channel quality. Another measure is the quality of the communication channel. Most electromagnetic methods suffer from erratic or low signal quality, which directly affects bandwidth and effective distance. Attacks such as AirHopper and GSMem are prone to interruptions because the receiver is mobile: whenever the user carrying the phone moves, the signal may be lost. In the same way, the acoustic channel is disturbed by environmental noise, and thermal channels are affected by changes in the ambient temperature.

Required privileges. The covert channel may operate on the system with ordinary user privileges, or it might require an administrator or root privileges. Attacks that require root privileges are more challenging to conduct, since gaining high privileges requires exploiting special vulnerabilities in the system (for example, zero-day) without triggering IDS and AV systems.

Table 5 presents the six characteristics of covert channels (rows), and the four main types of channels (columns), and indicates for each pair, the level of feasibility and challenge they pose as real threats.

Table 5. Main characteristics of covert channels by channel type.

* Countermeasures

Defensive countermeasures for air-gap covert-channel threats can be categorized as follows: physical insulation and red/black separation; hardware based countermeasures; and, software-based countermeasures.

Physical insulation and red/black separation. Many of the U.S. and NATO standards concerning air-gap and TEMPEST related threats are classified. Over the years, some of the standards have been declassified, but even these were released in a heavily redacted form.31 The prevailing standards such as NATO SDIP-27 are aimed at limiting the level of information-bearing signals and maintaining a certain distance from possible eavesdroppers. Red/black terminology, adopted from NSA jargon, refers to a physical separation between systems that may carry classified information in plain form (red) and encrypted form (black). In this way, certified equipment is classified by zones that refer to the perimeter that must be controlled to prevent signal leakage. For example, as a countermeasure against the electromagnetic and acoustic attacks examined in this article, the zones approach would be used to define the physical areas inside the organization in which carrying a mobile phone or other type of radio and audio receiver is prohibited.

Hardware-based countermeasures. The essential hardware-based countermeasure is to shield devices and wires with metallic materials so that electromagnetic radiation cannot leak out of the shielded equipment.2 Shielding limits the effective range of many electromagnetic attacks, but it is less suitable for internal computer components (for example, the CPU and memory). Another approach is to limit emitted signals by inserting signal filters into communication and interface cables; such filters block signals outside a specified frequency range, preventing unwanted electromagnetic radiation. Signal jamming is a further countermeasure aimed at overriding electromagnetic or acoustic signals at specified frequencies: a dedicated hardware transmitter continuously generates random electromagnetic or acoustic noise that masks other transmissions in the area.

Software-based countermeasures. Anti-virus and behavioral detection techniques may be used to detect and block covert-channel activity. For example, running processes can be monitored for patterns that indicate intentional electromagnetic, acoustic, thermal, or optical transmission, such as a process that repeatedly drives the CPU, a disk, a fan, or an LED between two states at a regular rate; behavioral analysis, machine learning, or anomaly detection can then be used to alert on suspicious processes. Kuhn and Anderson proposed "Soft Tempest,"26 an interesting software-based defense against electromagnetic attacks. The general idea is to filter out, in software, the high-frequency components of the information that causes a component (for example, the video cable) to emanate RF signals, so that whatever still radiates carries less usable content. The different types of countermeasures, their relevance to the different types of covert channels, and their cost are provided in Table 6.
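The behavioral-detection idea above, as an added example that is not code from the article or its authors: a heuristic that scores a window of per-process CPU utilization samples for the signature of on/off keying, namely load pinned at the two extremes and busy/idle run lengths that are all multiples of one symbol time. It assumes a collector that samples one process at a fixed interval (values 0 to 100 percent); the two sample streams, the thresholds, and the function names are this example's own constructions.

```python
"""Heuristic detection of on/off-keyed covert modulation in process telemetry.

Added example, not code from the article. It assumes a collector that samples
one process's CPU utilization (0..100 percent) at a fixed interval; the two
sample streams at the bottom are constructed for the demonstration.
"""
from collections import Counter

HIGH = 80.0          # at or above: the process is keying a "1" (assumed threshold)
LOW = 20.0           # at or below: keying a "0" (assumed threshold)
MIN_RUNS = 6         # fewer interior runs than this is too little evidence
MIN_EXTREME = 0.9    # covert OOK keeps the load pinned at the extremes
MIN_ALIGNED = 0.9    # run lengths must be multiples of one symbol period


def to_symbols(samples, high=HIGH, low=LOW):
    """Quantize samples to 0/1 with hysteresis (Schmitt trigger): a value in
    the ambiguous band keeps the previous state instead of splitting a run."""
    state, out = 0, []
    for s in samples:
        if s >= high:
            state = 1
        elif s <= low:
            state = 0
        out.append(state)
    return out


def run_lengths(symbols):
    """Collapse a symbol stream into (symbol, length) runs."""
    runs = []
    for sym in symbols:
        if runs and runs[-1][0] == sym:
            runs[-1][1] += 1
        else:
            runs.append([sym, 1])
    return [(sym, n) for sym, n in runs]


def analyze(samples, high=HIGH, low=LOW):
    """Score one telemetry window and return the statistics plus a verdict."""
    extreme = sum(1 for s in samples if s >= high or s <= low) / len(samples)
    runs = run_lengths(to_symbols(samples, high, low))
    interior = runs[1:-1]   # first and last runs may be cut by the capture window
    if len(interior) < MIN_RUNS:
        return {"extreme_fraction": extreme, "period": None, "aligned": 0.0,
                "runs": runs, "flagged": False}
    lengths = [n for _, n in interior]
    period = Counter(lengths).most_common(1)[0][0]   # candidate symbol time
    aligned = sum(1 for n in lengths if n % period == 0) / len(lengths)
    flagged = extreme >= MIN_EXTREME and aligned >= MIN_ALIGNED
    return {"extreme_fraction": extreme, "period": period, "aligned": aligned,
            "runs": runs, "flagged": flagged}


def recover_bits(samples, period, high=HIGH, low=LOW):
    """Once a window is flagged, expand each interior run into its symbols so
    an analyst can see what the process was keying out."""
    bits = []
    for sym, n in run_lengths(to_symbols(samples, high, low))[1:-1]:
        bits.extend([sym] * (n // period))
    return bits


def _keyed(bits, period):
    """Constructed covert stream: each bit holds the load high or low for
    `period` samples, with a little jitter, plus a truncated run at each end."""
    hi, lo = [97, 94, 99, 96], [3, 6, 2, 5]
    out = [4, 7]                                   # partial low run before bit 0
    for i, b in enumerate(bits):
        src = hi if b else lo
        out.extend(src[(i + k) % 4] for k in range(period))
    return out + [95]                              # partial high run after the last bit


COVERT_BITS = [1, 0, 1, 1, 0, 0, 1, 1, 1, 0]
COVERT = _keyed(COVERT_BITS, period=4)

# Constructed benign stream: a bursty build job. It is bimodal too, but the
# busy/idle run lengths are irregular and much time is spent mid-range.
BENIGN = ([35, 42, 58, 61, 47, 39] + [100] * 7
          + [64, 22, 18, 9, 12, 15, 11, 8, 14, 19, 33] + [100] * 3
          + [71, 55, 48, 52, 60, 44, 37, 41, 29, 24])

if __name__ == "__main__":
    for name, stream in (("covert", COVERT), ("benign", BENIGN)):
        r = analyze(stream)
        print(name, {k: v for k, v in r.items() if k != "runs"})
        if r["flagged"]:
            print("  recovered symbols:", recover_bits(stream, r["period"]))
```

The same run-length logic applies unchanged to other telemetry the channels in this article modulate, such as disk I/O counts, fan speed, or LED state, as long as the sampling interval is shorter than the symbol time. It is a heuristic: ordinary workloads are often bimodal, a transmitter can lengthen its symbol time or vary it to defeat the alignment check, and the thresholds and `MIN_RUNS` must be tuned against a per-host baseline before the rule is allowed to raise alerts.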

Table 6. Types of countermeasures.
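Kuhn and Anderson's filtering idea, as an added example that is neither the article's code nor their implementation: a one-dimensional illustration that low-pass filters a constructed scan line of rendered text and measures how much of the signal energy above an assumed cutoff frequency remains. The scan line, the binomial kernel, and the cutoff of 0.35 cycles per pixel are this example's assumptions; the real defense filters two-dimensional glyph bitmaps, and the radiated spectrum also depends on the pixel clock, which is not modeled here.

```python
"""Soft-Tempest-style low-pass filtering of a video scan line.

Added example, not the article's or Kuhn and Anderson's code. The sharp
pixel transitions of rendered text are what an eavesdropper's antenna picks
up; smoothing them in software before they reach the video signal removes
much of the information that radiates. The scan line below is constructed.
"""
import cmath
import math

# Constructed scan line: one pixel row through a few thin glyph strokes,
# 0 = black, 255 = white, 32 pixels.
SCAN_LINE = ([0] * 4 + [255] * 2 + [0] * 3 + [255] * 2 + [0] * 5
             + [255] * 1 + [0] * 4 + [255] * 2 + [0] * 9)

# Binomial low-pass kernel [1, 4, 6, 4, 1] / 16. Its frequency response
# cos^4(pi f) is 1 at DC and falls to 0 at the Nyquist frequency, so every
# non-DC bin is attenuated and none is amplified (assumed kernel choice).
KERNEL = [1 / 16, 4 / 16, 6 / 16, 4 / 16, 1 / 16]


def low_pass(pixels, kernel=KERNEL):
    """Circular convolution of a scan line with a symmetric FIR kernel."""
    n, k = len(pixels), len(kernel)
    half = k // 2
    return [sum(kernel[j] * pixels[(i + j - half) % n] for j in range(k))
            for i in range(n)]


def spectrum_energy(pixels):
    """Energy |X[k]|^2 of each DFT bin after removing the mean (DC carries
    brightness, not glyph shape). A direct O(n^2) DFT is fine for 32 pixels."""
    n = len(pixels)
    mean = sum(pixels) / n
    centred = [p - mean for p in pixels]
    energy = []
    for k in range(n):
        x = sum(c * cmath.exp(-2j * math.pi * k * i / n)
                for i, c in enumerate(centred))
        energy.append(abs(x) ** 2)
    return energy


def high_band_fraction(pixels, cutoff=0.35):
    """Share of the (DC-removed) energy above `cutoff` cycles per pixel, the
    part of the spectrum the software filter is meant to take away."""
    n = len(pixels)
    e = spectrum_energy(pixels)
    total = sum(e)
    high = sum(e[k] for k in range(n) if min(k, n - k) / n > cutoff)
    return high / total if total else 0.0


if __name__ == "__main__":
    before = high_band_fraction(SCAN_LINE)
    after = high_band_fraction(low_pass(SCAN_LINE))
    print(f"high-band energy fraction: {before:.3f} -> {after:.3f}")
```

The filter keeps the average brightness (the kernel sums to one) while shifting energy out of the band that a narrowband receiver tuned to the pixel clock harmonics would exploit; the price is visibly softer text, which is why Kuhn and Anderson applied it to fonts rather than to the whole frame buffer.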

* Conclusion and Outlook

Air-gap isolation is currently used in a wide range of industries and organizations. Although exfiltrating information from an air-gapped network is still a challenging task, it is no longer dismissed as a sensational anecdote; the last decade has shown that it is feasible. Over the years, a wide range of covert channels have been revealed that demonstrate data leakage by malware despite the absence of any network connection. These methods exploit the electromagnetic, acoustic, thermal, and optical emanations of various system components.

Three factors make air-gap isolation vulnerable to such attacks. First, RF technology has improved dramatically, allowing attackers to acquire high-quality RF receivers, audio recording devices, and remote cameras at affordable prices. Second, the spread of multisensor devices, smartphones, HD cameras, versatile drones, and wearables means that the modern IT environment is full of potential receivers for covert channels. Finally, cyber-security threats continue to evolve, with attackers constantly raising the bar with sophisticated campaigns and innovative ways of achieving their goals. In the future, we expect to see new types of covert channels emerge that challenge air-gap security, making this threat a topic of continuing interest for academia and the cyber-security community.

References

1. Air Gap Computer Network Security; http://abclegaldocs.com/blog-Colorado-Notary/air-gap-computer-network-security/.

2. Anderson, R.J. Emission security. Security Engineering, 2nd Ed. Wiley Publishing, 2008, 523–546.

3. Bartolini, D.B., Miedl, P. and Thiele, L. On the capacity of thermal covert channels in multicores. EuroSys, 2016.

4. Black-Hat. Emanate like a boss: Generalized covert data exfiltration with Funtenna. (2015); https://www.blackhat.com/us15/briefings.html#emanate-like-a-boss-generalized-covert-data-exfiltration-with-funtenna.

5. Bornstein, M.H. and Lamb, M.E. Cognitive Development: An Advanced Textbook. Psychology Press, 2011.

6. Callan, R., Zajic, A. and Prvulovic, M. A practical methodology for measuring the side-channel signal available to the attacker for instruction-level events. In Proceedings of the 47th Annual IEEE/ACM International Symposium on Microarchitecture. IEEE, 2014, 242–254.

7. Carrara, B. and Adams, C. Out-of-band covert channels—A survey. ACM Computing Surveys 49, 2 (2016).

8. Deshotels, L. Inaudible sound as a covert channel in mobile devices. In Proceedings of the USENIX Workshop for Offensive Technologies, 2014.

9. Do, Q., Martini, B. and Choo, K-K.R. Exfiltrating data from Android devices. Computers & Security 48 (2015), 74–91.

10. Do, Q., Martini, B. and Choo, K-K.R. A data exfiltration and remote exploitation attack on consumer 3D printers. IEEE Trans. Information Forensics and Security 11, 10 (2016), 2174–2186.

11. D'Orazio, C.J., Choo, K-K.R. and Yang, L.T. Data exfiltration from Internet of Things devices: iOS devices as case studies. IEEE Internet of Things J. 99, 2327–4662.

12. Federation of American Scientists. Joint Worldwide Intelligence Communications System, 1999; http://fas.org/irp/program/disseminate/jwics.htm.

13. Goodin, D. Meet 'badBIOS,' the mysterious Mac and PC malware that jumps airgaps. 2013; http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/.

14. Goodin, D. How 'omnipotent' hackers tied to NSA hid for 14 years—and were found at last. 2015; https://arstechnica.com/information-technology/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/.

15. Guri, M., Hasson, O., Kedma, G. and Elovici, Y. An optical covert-channel to leak data through an air-gap. In Proceedings of the 14th Annual Conference on Privacy, Security and Trust (Auckland, 2016).

16. Guri, M., Kachlon, A., Hasson, O., Kedma, G., Mirsky, Y. and Elovici, Y. GSMem: Data exfiltration from air-gapped computers over GSM frequencies. In Proceedings of the USENIX Security Symposium, (Washington, D.C., 2015).

17. Guri, M., Kedma, G., Kachlon, A. and Elovici, Y. AirHopper: Bridging the air-gap between isolated networks and mobile phones using radio frequencies. In Proceedings of the 9th International Conference on Malicious and Unwanted Software: The Americas. IEEE, 2014, 58–67.

18. Guri, M. Monitz, M. and Elovici, Y. USBee: Air-gap covert-channel via electromagnetic emission from USB. In Proceedings of the 14th Annual Conference on Privacy, Security and Trust, (Auckland, 2016).

19. Guri, M., Monitz, M. and Elovici, Y. Bridging the air gap between isolated networks and mobile phones in a practical cyber-attack. ACM Trans. Intelligent Systems and Technology 8, 4 (2017), 50.

20. Guri, M., Monitz, M., Mirski, Y. and Elovici, Y. BitWhisper: Covert signaling channel between air-gapped computers using thermal manipulations. In Proceedings of the 28th IEEE Computer Security Foundations Symposium, (Verona, 2015).

21. Guri, M., Solewicz, Y., Daidakulov, A. and Elovici, Y. Fansmitter: Acoustic data exfiltration from (speakerless) air-gapped computers. 2016, arXiv:1606.05915.

22. Guri, M., Solewicz, Y., Daidakulov, A. and Elovici, Y. Acoustic data exfiltration from speakerless air-gapped computers via covert hard-drive noise ('DiskFiltration'). In Proceedings of the European Symposium on Research in Computer Security, (Oslo, 2017).

23. Guri, M., Zadov, B. and Elovici, Y. LED-it-GO: Leaking (a lot of) data from air-gapped computers via the (small) hard drive LED. In Proceedings of the 14th International Conference on Detection of Intrusions and Malware and Vulnerability Assessment, (Bonn, 2017).

24. Hanspach, M. and Goetz, M. On covert acoustical mesh networks in air. 2014; arXiv:1406.1213.

25. Kuhn, M. Optical time-domain eavesdropping risks of CRT displays. In Proceedings of the IEEE Symposium on Security and Privacy, 2002.

26. Kuhn, M.G. and Anderson, R.J. Soft TEMPEST: Hidden data transmission using electromagnetic emanations. Information Hiding, Springer-Verlag, 1998, 124–142.

27. Lee, E., Kim, H. and Yoon, J.W. Various threat models to circumvent air-gapped systems for preventing network attack. Information Security Applications 9503 (2015), 187–199.

28. Loughry, J. and Umphress, D.A. Information leakage from optical emanations. ACM Trans. Information and System Security (2002), 262–289.

29. Madhavapeddy, A., Sharp, R., Scott, D. and Tse, A. Audio networking: The forgotten wireless technology. IEEE Pervasive Computing 4, 3 (2005), 55–60.

30. McAfee. Defending critical infrastructure without air gaps and stopgap security, 2015; https://blogs.mcafee.com/executive-perspectives/defending-critical-infrastructure-without-air-gaps-stopgap-security/.

31. McNamara, J. The complete, unofficial TEMPEST information page, 1999; http://www.jammed.com/~jwa/tempest.html.

32. Mirsky, Y., Guri, M. and Elovici, Y. HVACKer: Bridging the air-gap by manipulating the environment temperature. DeepSec, 2015.

33. National Computer Security Center. NCSC-TG-004 Glossary of Computer Security Terms, 1988; http://fas.org/irp/nsa/rainbow/tg004.htm.

34. NSA/CSS. NSA/CSS Regulation 90–6: Technical Security Program. Fort George G. Meade, MD. Partially declassified transcript, 1999; http://cryptome.org/nsa-reg90-6.htm.

35. O'Malley, S.J. and Choo, K-K.R. Bridging the air gap: Inaudible data exfiltration by insiders. In Proceedings of the Americas Conference on Information Systems, 2014.

36. SC Magazine. Light-based printer attack overcomes air-gapped computer security, 2014; http://www.scmagazineuk.com/light-based-printer-attack-overcomes-air-gapped-computer-security/article/377837/.

37. Schneier, B. Schneier on Security: COTTONMOUTH-III: NSA exploit of the day; https://www.schneier.com/blog/archives/2014/03/cottonmouth-iii.html.

38. Securelist. Agent.btz: A Source of inspiration? 2014; https://securelist.com/blog/virus-watch/58551/agent-btz-a-source-of-inspiration/.

39. Sepetnitsky, V., Guri, M. and Elovici, Y. Exfiltration of information from air-gapped machines using monitor's LED indicator. In Proceedings of the Intelligence and Security Informatics Conference, (The Hague, The Netherlands, 2014).

40. Symantec. Mind the gap: Are air-gapped systems safe from breaches? 2014; http://www.symantec.com/connect/blogs/mind-gap-are-air-gapped-systems-safe-breaches.

41. Tempest for Eliza; http://www.erikyyy.de/tempest/.

42. van Eck, W. Electromagnetic radiation from video display units, 1985; https://cryptome.org/emr.pdf.

43. The Washington Post. Powerful NSA hacking tools have been revealed online; https://www.washingtonpost.com/world/national-security/powerful-nsa-hacking-tools-have-been-revealed-online/2016/08/16/bce4f974-63c7-11e6-96c0-37533479f3f5_story.html.

44. Zander, S., Armitage, G. and Branch, P. A survey of covert channels and countermeasures in computer network protocols. IEEE Communications Surveys & Tutorials 9, 3 (2007), 44–57.

Authors

Mordechai Guri ([email protected]) is head of R&D of the Cyber Security Research Labs at Ben-Gurion University of the Negev, Beer-Sheva, Israel.

Yuval Elovici ([email protected]) is a professor in the Department of Information Systems Engineering and director of Deutsche Telekom Laboratories at Ben-Gurion University of the Negev, Beer-Sheva, Israel.

Footnotes

Air-gap research page: https://cyber.bgu.ac.il/advanced-cyber/airgap

a. https://www.youtube.com/watch?v=v2_sZIfZkDQ

b. https://www.youtube.com/watch?v=H7lQXmSLiP8

c. https://www.youtube.com/watch?v=2OzTWiGl1rM

d. https://www.youtube.com/watch?v=RChj7Mg3rC4

e. https://www.youtube.com/watch?v=1H1Lv9DAJPg

f. https://www.youtube.com/watch?v=E28V1t-k8Hk

g. https://www.youtube.com/watch?v=EWRk51oB-1Y

h. https://www.youtube.com/watch?v=4vIu8ld68fc


Copyright held by authors/owners. Publication rights licensed to ACM.
Request permission to publish from [email protected]

The Digital Library is published by the Association for Computing Machinery. Copyright © 2018 ACM, Inc.
