It is incredibly interesting how many parts of a computer system are capable of leaking data in ways that are hard to imagine. Part of securing highly sensitive locations involves securing the computers and networks used in those facilities in order to prevent this. These IT security policies and practices have been evolving and tightening through the years, as malicious actors increasingly target vital infrastructure.
Sometimes, when implementing strong security measures on a vital computer system, a technique called air-gapping is used. Air-gapping is a measure, or set of measures, to ensure that a secure computer is physically isolated from unsecured networks, such as the public Internet or an unsecured local area network. Sometimes it's just ensuring the computer is off the Internet. But it may mean completely isolating the computer: removing WiFi cards, cameras, microphones, speakers, CD-ROM drives, USB ports, or whatever else could be used to exchange data. In this article I will dive into air-gapped computers, air-gap covert channels, and how attackers might be able to exfiltrate information from such isolated systems.
Many techniques presented here (but not all) require a previous breach to have already compromised the isolated machine (usually installing some kind of malware in the process). This may have happened via a social engineering attack, an inside job, an undercover special operation or whatever James Bond scenario you have in mind; it's not important for the scope of this article. Although the malware delivery mechanism makes for an interesting problem and discussion, the focus here is on how to exfiltrate data after the breach (if a breach was, in fact, needed).
What is an Air-Gap Covert Channel?
An air-gap covert channel could be defined as any unintentional channel that is used to transmit and/or receive data between systems that are physically isolated and, by policy, not authorized to communicate with one another, where air-gapping measures were taken at the emitter, the receiver or both. Unintentional means that the channel was not originally designed to be used as a data channel, for example the modem LEDs. Although there might be some additional software (malware) needed at the target system to make a particular covert channel viable, there is no additional hardware installed on such systems. In some cases there might be, however, specific hardware at the attacker's end.
That being said, there are also ways to remotely monitor a system without any prior intervention. It has been shown in the past that it is possible to monitor the radiation emitted by a CRT monitor and even by LCDs. Some of you might have heard of this form of computer surveillance, usually referred to as Van Eck phreaking or as TEMPEST (although TEMPEST is a lot broader than just this form of surveillance). It's possible to listen to computer keyboards: each key emits a slightly different noise when pressed, so keystrokes can be logged without any logging software on the target. Even the high-frequency noise emitted by a CPU's power circuitry can carry information about the instructions being executed.
There is a wide range of air-gap covert channels, and one natural way to organize them is by the physical medium they use to achieve their goal. Researchers have implemented such channels over a variety of mediums, each covered in its own section below:
- Physical media
- Acoustic
- Light (optical)
- Seismic (vibration)
- Magnetic
- Thermal
- Radio-frequency (electromagnetic)
For the sake of the explanation, I will refer to a channel as passive when there is no modification on the emitter/target side whatsoever and the receiver/attacker is essentially doing remote sniffing of a resource. In contrast, I will use the term active when some kind of software needs to be running at the emitter and/or receiver, usually installed via a previous attack.
Spreading malware via physical media is old news. In a not so distant past, floppy disks were pretty much how viruses spread, when computer users exchanged pirated games (sorry, important information). The CD-ROM slowed down and almost killed that phenomenon, but USB drives brought it back again.
Stuxnet, Fanny and Gauss are a family of related computer worms that bridge the air-gap using USB drives as a carrier. Fanny's mechanism sends and receives requests to and from the operator via a hidden storage area created in the raw FAT structure of the drive. Whenever the USB drive is connected to an infected computer that has an Internet connection, the malware contacts a C&C server and deploys additional components and commands into the hidden storage. When the drive is inserted back into an air-gapped system, the commands are executed and intelligence is gathered again, to be carried out the same way.
When it comes to acoustic covert channels, a lot of research has been done. There are probably two reasons for this: a computer (the emitter) makes, or can be driven to make, sounds in several different ways, and the receiver is usually a normal microphone.
Computers make noise, a lot of noise. Printers make noise, keyboards make noise, so do the mouse and the cooling fans, and even the capacitors and coils on the motherboard emit ultrasonic noise. In 2004, Dmitri Asonov and Rakesh Agrawal used a neural network to analyse the sound produced by computer keyboards and by the keypads used on telephones and automated teller machines (ATMs) to recognize the keys being pressed.
Also in 2004, Adi Shamir and Eran Tromer showed that the ultrasonic noise emanating from capacitors and inductors in a computer's voltage regulation circuitry depends on the computation being performed, which makes it a side channel against a CPU performing cryptographic operations. In 2013, together with Daniel Genkin, they turned this into a full key-extraction attack, recovering 4096-bit RSA keys from a laptop running GnuPG by analysing its acoustic emanations while it decrypted chosen ciphertexts.
A malware dubbed BadBIOS was reported by security consultant Dragos Ruiu in 2013; it allegedly used high-pitched sounds inaudible to the human ear in order to communicate between infected machines. The existence of this malware is disputed, but the alleged method of communication is feasible.
In 2013, Michael Hanspach and Michael Goetz used ordinary computer speakers and microphones to construct a covert channel using audio modulation/demodulation in the near-ultrasonic frequency range (roughly 17 kHz to 20 kHz), and demonstrated how a covert acoustical mesh network can be built on top of such ultrasonic links. Fansmitter is malware that can acoustically exfiltrate data from air-gapped computers even when audio hardware and speakers are absent, because it modulates the noise emitted by the CPU and chassis fans by controlling their speed. DiskFiltration does the same using the acoustic signals of the hard disk drive: it issues seek operations that move the drive's actuator arm in specific patterns, generating sound.
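To make the speaker-to-microphone scheme concrete, here is an added example (my own illustration, not the Hanspach and Goetz code or any of the tools named above) of a minimal binary frequency-shift-keyed modem in the near-ultrasonic band. The parameters are assumptions chosen for the demo: 18 kHz for a 0 bit, 20 kHz for a 1 bit, a 48 kHz sample rate and 10 ms symbols (100 bit/s). The "air" is just a list of float samples with constructed pseudo-random noise added, so the whole thing runs offline; a real transmitter would hand the samples to the sound card and the receiver would read them from a microphone.

```python
"""Near-ultrasonic binary FSK modem in pure Python (constructed example).

Assumed parameters: 18 kHz = bit 0, 20 kHz = bit 1, 48 kHz sample rate,
480 samples (10 ms) per bit. Both tones fall on exact Goertzel bins for a
480-sample block (480 * 18000 / 48000 = 180, 480 * 20000 / 48000 = 200).
"""
import math
import random

SAMPLE_RATE = 48_000        # Hz
F_ZERO = 18_000             # Hz, carrier for a 0 bit (inaudible to most adults)
F_ONE = 20_000              # Hz, carrier for a 1 bit
SYMBOL_SAMPLES = 480        # 10 ms per bit -> 100 bit/s
PREAMBLE = [1, 0, 1, 0, 1, 0, 1, 1]   # lets the receiver find the frame start


def bytes_to_bits(data: bytes):
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def bits_to_bytes(bits):
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(str(b) for b in bits[i:i + 8]), 2))
    return bytes(out)


def modulate(data: bytes, amplitude: float = 0.3):
    """Binary FSK: each bit becomes a burst of one of the two carriers."""
    samples = []
    phase = 0.0
    for bit in PREAMBLE + bytes_to_bits(data):
        step = 2 * math.pi * (F_ONE if bit else F_ZERO) / SAMPLE_RATE
        for _ in range(SYMBOL_SAMPLES):
            samples.append(amplitude * math.sin(phase))
            phase += step     # continuous phase: no audible clicks at bit edges
    return samples


def goertzel(block, freq):
    """Energy of one frequency in `block` (cheaper than a full FFT)."""
    k = round(len(block) * freq / SAMPLE_RATE)
    coeff = 2 * math.cos(2 * math.pi * k / len(block))
    s_prev = s_prev2 = 0.0
    for x in block:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev2 ** 2 + s_prev ** 2 - coeff * s_prev * s_prev2


def demodulate(samples):
    """Slice the stream into symbols, decide each bit by the stronger tone,
    then locate the preamble and decode whole bytes after it."""
    bits = []
    for i in range(0, len(samples) - SYMBOL_SAMPLES + 1, SYMBOL_SAMPLES):
        block = samples[i:i + SYMBOL_SAMPLES]
        bits.append(1 if goertzel(block, F_ONE) > goertzel(block, F_ZERO) else 0)
    for start in range(len(bits) - len(PREAMBLE) + 1):
        if bits[start:start + len(PREAMBLE)] == PREAMBLE:
            return bits_to_bytes(bits[start + len(PREAMBLE):])
    return b""


def add_noise(samples, level, seed=1):
    """Constructed, deterministic noise so the demo is repeatable."""
    rng = random.Random(seed)
    return [s + rng.uniform(-level, level) for s in samples]


if __name__ == "__main__":
    payload = b"key=0xdeadbeef"
    air = add_noise(modulate(payload), level=0.2)
    print(demodulate(air))   # b'key=0xdeadbeef'
```

Two details matter in practice and are visible in the code: the tone frequencies are chosen to land on exact Goertzel bins of the symbol length, so each bit decision is a simple energy comparison, and the preamble gives the receiver symbol alignment without any shared clock. Real deployments add error correction and a slower symbol rate to survive reverberation, which this in-memory channel does not model.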
Light can also be used for data exfiltration. The usual light-emitting device on a computer (a.k.a. the monitor) is the immediate choice, but there are others, like the keyboard LEDs. Other equipment with LEDs or displays can also be used to implement this kind of covert channel, such as printers or modems. On the input side, light sensors on smartphones and even scanners have been used to demonstrate how to send data to a compromised device.
In 2002, M.G. Kuhn showed that a CRT screen's contents could be reconstructed by analysing the light intensity of the display's diffuse reflection off a wall. This is possible because the light intensity of the last few thousand pixels drawn by a CRT leaks a low-pass filtered version of the video signal. LCDs are not vulnerable to this particular attack, but Backes et al. showed that the contents of liquid crystal display (LCD) screens could also be reconstructed by analysing diffuse reflections off objects in the environment (e.g., teapots, eyeglasses, bottles, spoons, and a wine glass). With telescopic lenses, this was shown to work from 30 meters away.
Also in 2002, J. Loughry and D. A. Umphress showed that the LED status indicators on data communication equipment carry a modulated optical signal that is significantly correlated with the information being processed by the device. Many different sorts of devices, including modems and routers, were found to be vulnerable. An eavesdropper who can measure the LEDs' light intensity can infer the information being sent or received through these devices.
Hasan et al. showed that it is possible for a mobile phone's ambient light sensor (ALS; used for auto-brightness and other features) to register changes in the light emitted by screens (LCD/TV), and demonstrated a low bit-rate channel with a screen as the emitter (e.g. a laptop screen) and, as the receiver, a mobile phone with the ALS present in most smartphones nowadays.
J. Loughry and D. A. Umphress also implemented software that transmits ASCII data by modulating the Caps Lock LED with serial data at 50 bits/s. They showed that at a high enough rate a regular user would not notice the blinking LED. Transmissions using infrared (IR) light were also researched at some point, but interest was lost since most modern computers no longer include IR hardware.
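The following is an added example of what "serial data over an LED" looks like end to end; it is my own illustration, not Loughry and Umphress's software. Assumptions: on-off keying at 50 bit/s, UART-style frames (a start bit with the LED on, eight data bits LSB first, a stop bit with the LED off, LED off while idle) and a receiver that samples brightness at 500 Hz, i.e. ten samples per bit. The brightness trace is constructed in memory with pseudo-random noise; in practice the transmitter would toggle the LED through the OS keyboard-LED interface and the receiver would read a photodiode or a camera pixel.

```python
"""Caps Lock LED as an on/off-keyed serial line (constructed example).

Assumptions: 50 bit/s, start bit = LED on, 8 data bits LSB first,
stop bit = LED off, idle = LED off, receiver oversampling 10x per bit.
"""
import random

BIT_RATE = 50                     # bits per second
SAMPLES_PER_BIT = 10              # receiver oversampling factor (500 Hz)
FRAME_BITS = 1 + 8 + 1            # start + data + stop


def frame_bits(data: bytes):
    """Serialise bytes into LED on/off levels, one level per bit period."""
    levels = []
    for byte in data:
        levels.append(1)                                   # start bit: LED on
        levels.extend((byte >> i) & 1 for i in range(8))   # data, LSB first
        levels.append(0)                                   # stop bit: LED off
    return levels


def to_brightness(levels, idle_bits=5, noise=0.1, seed=7):
    """Constructed photodiode trace: 10 noisy samples per bit, idle LED
    before and after the transmission."""
    rng = random.Random(seed)
    trace = []
    for level in [0] * idle_bits + levels + [0] * idle_bits:
        on = 1.0 if level else 0.0
        trace.extend(on + rng.uniform(-noise, noise) for _ in range(SAMPLES_PER_BIT))
    return trace


def decode_brightness(trace):
    """Recover bytes: wait for a rising edge (start bit), then sample the
    centre of each following bit period, as an asynchronous UART does."""
    threshold = (max(trace) + min(trace)) / 2      # adaptive, no calibration
    on = [x > threshold for x in trace]
    out = bytearray()
    half = SAMPLES_PER_BIT // 2
    i = 0
    while i < len(on):
        if not on[i]:                 # line idle
            i += 1
            continue
        centres = [i + half + k * SAMPLES_PER_BIT for k in range(FRAME_BITS)]
        if centres[-1] >= len(on):
            break                     # truncated frame at end of trace
        if not on[centres[0]] or on[centres[-1]]:
            i += 1                    # no valid start/stop pair: glitch, resync
            continue
        out.append(sum(on[centres[1 + k]] << k for k in range(8)))
        i = centres[-1] + half        # skip to the end of the stop bit
    return bytes(out)


def seconds_for(data: bytes):
    """Air time of a message at the chosen bit rate (framing overhead included)."""
    return len(data) * FRAME_BITS / BIT_RATE


if __name__ == "__main__":
    msg = b"pw:hunter2"
    print(decode_brightness(to_brightness(frame_bits(msg))))  # b'pw:hunter2'
    print(seconds_for(msg))                                   # 2.0
```

The receiver needs no shared clock: every frame re-synchronises on its own start edge, and sampling mid-bit tolerates a few percent of timing drift between the LED toggling and the sensor. The stop-bit check is what keeps a stray flash (or a user actually pressing Caps Lock) from being decoded as data.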
At the Black Hat Europe conference in 2014, Adi Shamir, Yuval Elovici and Mordechai Guri showed how a malware-infected computer on an air-gapped network could receive attack commands through the scanner of a multi-function printer the computer is connected to. To transmit data, an attacker shines light, visible or IR, into the room where the scanner is while a scan is in progress. The slightly different shades of white in the scanned document encode the bits of the issued command.
Seismic or vibrational communication is the exchange of information through mechanical vibrations. Under certain conditions it's possible to induce vibration with a computer speaker, and almost all phones and smartphones can produce seismic waves using their vibration motor.
Marquardt et al. demonstrated a side-channel attack that reconstructs the keystrokes typed on a keyboard located in close proximity (a couple of inches at most) to an accelerometer-equipped cell phone. The keystrokes were detected using only the vibration and not the sound of the key being pressed.
At CanSecWest in 2009, researchers (Andrea Barisani and Daniele Bianco) showed how they used a laser pointed at the back of a laptop to infer keystrokes. The keystrokes cause the laptop to vibrate, which they could detect with the laser listening device, and then they used techniques similar to those in speech recognition to determine what sentences were being typed.
Hasan et al. devised a way to exploit low-frequency sound from the speakers to induce vibrations in the surroundings. Note that this is not using sound per se as the medium (although sound is a mechanical wave) but using sound to make something vibrate. The vibrations can then be picked up by an accelerometer. Systems with subwoofers make this even easier, as they produce louder, lower-frequency sounds, which result in stronger vibrations.
Deshotels demonstrated that Android devices in contact with one another could communicate using vibration signals lasting as little as 1 ms, vibrations that are imperceptible to humans. Halevi and Saxena demonstrated that a mobile phone's vibrations produce an acoustic signal that can be picked up by a regular microphone from up to three feet away, a mix of the seismic and acoustic channels.
It's hard to find a smartphone these days that doesn't have a compass. A chip with magnetometer capabilities is responsible for measuring the magnetic field and detecting the direction of magnetic north. But it's a sensor like any other we've seen, and with a little imagination this too can be abused as a communication channel.
Hasan et al. explored the scenario of malware receiving commands via the magnetometer (for example, through an electronic compass app). The signals are modulated using a custom-built electromagnet that induces changes in the magnetic field detected by the magnetometer. They demonstrated error-free communication over a distance of 3.5 inches, and a greater distance is likely possible with a stronger electromagnet. In any case, achieving large distances is hard, since the field strength of a magnetic dipole falls off with the cube of the distance from the source.
All electronic devices generate excess heat and require thermal management to improve reliability and prevent premature failure. Computers are no exception. This is usually done with fans, and we've already seen how those can be abused to provide an exfiltration channel. Changes in temperature have themselves been shown to be an effective, albeit painfully slow, data channel.
Mirsky et al. demonstrated how an Internet-connected air-conditioning system could be remotely controlled by an attacker to send commands to malware on an air-gapped system over a one-way thermal covert channel. Mordechai Guri, Matan Monitz, Yisroel Mirsky and Yuval Elovici created BitWhisper, software able to bridge the air-gap between adjacent compromised computers (up to 40 cm apart) by using their heat emissions and built-in thermal sensors to create a covert bidirectional communication channel (at up to 8 bits per hour).
Maybe the best-known covert channel is radio-frequency (RF), and because of that it's likely the most researched. Bell Labs noted this vulnerability back in WWII, when Bell Telephone provided the military with an encryption device called the 131-B2. They had one working in their laboratories when, by accident, someone noticed that each time the machine stepped, a spike would appear on an oscilloscope in a distant part of the lab. They studied these spikes more carefully and found that they could read the plaintext of the message being enciphered by the machine. This was probably one source of inspiration for the TEMPEST program.
Side-band electromagnetic emissions are present in pretty much all electronic equipment, especially if it is unshielded.
The popular Van Eck phreaking, named after Dutch computer researcher Wim van Eck, who published a paper about it in 1985, allows an eavesdropper to clone a CRT monitor's contents by remotely detecting its electromagnetic (EM) emissions. Tests were successfully conducted from a distance of 1 km against an unshielded CRT monitor and 200 m against a shielded one. Furthermore, in 2004 Kuhn demonstrated that LCD screens are also vulnerable to a similar attack.
Wireless keyboard sniffing is widely known, but wired keyboard sniffing... not so much. Martin Vuagnoux and Sylvain Pasini demonstrated that the electromagnetic emanations from wired USB and PS/2 keyboards could be recorded and keystrokes decoded from up to 20 m away, even through walls. The same researchers who used a laser pointed at the back of a laptop to record motion and recover keys also devised a way to sniff characters from a PS/2 keyboard by monitoring the ground line of a power outlet 50 feet away. Last year a team of researchers, including Daniel Genkin, Lev Pachmanov, Itamar Pipman and Eran Tromer, managed to monitor the EM leakage of a laptop on a specific frequency while the laptop was performing an elliptic-curve (ECDH) decryption. The signal contained information about the operands used in the elliptic-curve operation, enough to recover the secret key.
The video card leaks a lot of EM emissions, and it turns out it can be manipulated to transmit on chosen frequencies. AirHopper is software that turns a computer's video card into an FM transmitter whose signal can be captured by a standard FM radio, even the one built into many smartphones. William Entriken created System Bus Radio, a C program that makes a computer emit radio waves by driving the memory bus in timed bursts, even if the device doesn't include any radio transmission hardware.
In 2015, Mordechai Guri, Assaf Kachlon, Ofer Hasson, Gabi Kedma, Yisroel Mirsky and Yuval Elovici managed to exfiltrate data from a computer on GSM frequencies (GSMem) by invoking specific memory-related instructions and using the multi-channel memory architecture to amplify the transmission. A basic low-end GSM phone with modified firmware could receive the data at short range, and a dedicated receiver extended this to up to 30 m. Last year, Mordechai Guri, Matan Monitz and Yuval Elovici published a paper (USBee) showing how software can intentionally generate controlled electromagnetic emissions from the data bus of a USB 2.0/3.0 connector that can be picked up with an SDR dongle.
The topic of air-gap covert channels is just fascinating. It keeps showing that sometimes reality can be even more interesting than a spy movie plot, with all those impossible gadgets. It speaks to the very essence of what hacking is all about: taking a seemingly impossible problem, an incredible dose of imagination and out-of-the-box thinking to break and bend the rules and reach a working solution. To question everything, to accept no boundaries or limitations, and to have a holistic view of what a system is rather than what you're told the system is, might very well be the key to finding other channels or methods to bridge the air-gap.
This article was not meant to feed the reader's paranoia. Your computer can still be safe; just don't go and plug the USB pen you found in the parking lot into your underground, acoustically isolated, randomly refrigerated, magnetically shielded, Faraday-caged, turned-off computer...