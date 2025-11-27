If you want to protect a system from being hacked, a great way to do that is with an airgap. This term specifically refers to keeping a system off any sort of network or external connection — there is literally air in between it and other systems. Of course, this can be limiting if you want to monitor or export logs from such systems. [Nelop Systems] decided to whip up a simple workaround for this issue, creating a bespoke one-way data extraction method.
The concept is demonstrated with a pair of Raspberry Pi computers. One is hooked up to critical industrial control systems, and is airgapped to protect it against outside intruders. It’s fitted with an optocoupler, with a UART hooked up to the LED side of the device. The other side of the optocoupler is hooked up to another Raspberry Pi, which is itself on a network and handles monitoring and logging duties.
This creates a reliable one-way transmission path from the airgapped machine to the outside world, without allowing data to flow in the other direction. Indeed, there is no direct electrical connection at all, since the data is passing through the optocoupler, which provides galvanic isolation between the two computers. Security aficionados will argue that the machine is no longer really airgapped because there is some connection between it and the outside world. Regardless, it would be hard to gain any sort of access through the one-way optocoupler connection. If you can conceive of a way that would work, drop it down in the comments.
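One practical consequence of a one-way link is that the receiver can never ask for a retransmission, so each frame has to be self-delimiting and carry its own integrity check; anything that arrives corrupted is simply dropped. The following is an added example (not Nelop Systems' code, and the frame format, field names and sample values are assumptions made here) that simulates the UART byte stream: a transmitter that wraps each printable-ASCII log record in a start marker, a hex length, a CRC-16 and a newline, and a receiver that resynchronises after line noise and discards a frame whose CRC does not match.

```python
import binascii

STX = b"\x02"        # start-of-frame marker; never appears inside a frame because
                     # everything after it is printable ASCII plus a final newline
MAX_PAYLOAD = 255    # two hex digits of length keep each frame small and bounded


def crc16(data: bytes) -> int:
    """CRC-16/CCITT from the standard library (binascii.crc_hqx)."""
    return binascii.crc_hqx(data, 0xFFFF)


def encode_frame(payload: str) -> bytes:
    """Transmitter side: STX + 2 hex length chars + payload + 4 hex CRC chars + newline."""
    raw = payload.encode("ascii")
    if len(raw) > MAX_PAYLOAD or not all(32 <= b < 127 for b in raw):
        raise ValueError("payload must be printable ASCII of at most MAX_PAYLOAD bytes")
    body = f"{len(raw):02x}".encode() + raw
    return STX + body + f"{crc16(body):04x}".encode() + b"\n"


class FrameDecoder:
    """Receiver side: feed raw bytes as they arrive, get back validated payloads."""

    def __init__(self):
        self.buf = bytearray()
        self.dropped = 0   # frames rejected (truncated or CRC mismatch)

    def feed(self, chunk: bytes) -> list:
        self.buf.extend(chunk)
        frames = []
        while True:
            start = self.buf.find(STX)
            if start < 0:
                self.buf.clear()              # nothing but noise so far
                return frames
            del self.buf[:start]              # discard anything ahead of the marker
            end = self.buf.find(b"\n", 1)
            nxt = self.buf.find(STX, 1)
            if nxt != -1 and (end == -1 or nxt < end):
                # a new marker arrived before this frame's terminator: it was truncated
                self.dropped += 1
                del self.buf[:nxt]
                continue
            if end == -1:
                return frames                 # frame incomplete, wait for more bytes
            frame = bytes(self.buf[1:end])
            del self.buf[:end + 1]
            payload = self._check(frame)
            if payload is None:
                self.dropped += 1
            else:
                frames.append(payload)

    @staticmethod
    def _check(frame: bytes):
        """Return the payload if length and CRC agree with the frame, else None."""
        if len(frame) < 6:
            return None
        body, crc_hex = frame[:-4], frame[-4:]
        try:
            length = int(body[:2], 16)
            crc = int(crc_hex, 16)
        except ValueError:
            return None
        if len(body) != 2 + length or crc16(body) != crc:
            return None
        return body[2:].decode("ascii")


def demo() -> dict:
    """Constructed stream: line noise, a good frame, a frame with a flipped payload
    bit, and another good frame, delivered a few bytes at a time like a UART would."""
    good = ["temp=21.5", "pressure=101.3"]
    corrupt = bytearray(encode_frame("temp=99.9"))
    corrupt[5] ^= 0x01   # 'm' becomes 'l'; the CRC no longer matches
    stream = b"\xff\x00" + encode_frame(good[0]) + bytes(corrupt) + encode_frame(good[1])
    dec = FrameDecoder()
    received = []
    for i in range(0, len(stream), 3):
        received.extend(dec.feed(stream[i:i + 3]))
    return {"frames": received, "dropped": dec.dropped}


if __name__ == "__main__":
    print(demo())
```

The transmitter deliberately restricts payloads to printable ASCII so the start marker can never occur mid-frame; that is what lets the receiver resynchronise by scanning for the next marker instead of relying on an acknowledgement it can never send.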
Optocouplers are very useful things; we’ve seen them used and abused for all sorts of different applications. If you’ve found some nifty use for these simple parts, be sure to drop us a line!
12 thoughts on “One-Way Data Extraction For Logging On Airgapped Systems”
Old 10-base-T Ethernet cards had a 15-pin D connector to attach a “media access unit” (MAU). You could get them for thicknet (RG8 CoAx), thinnet (RG58 CoAx), 10BaseT (RG45) or fiber optic.
We needed to be able to send commands to a classified system from an unclassified system.
We used fiber optic MAUs, disconnected the TX fiber on the classified device and sent commands to it using UDP. Point to point there was no risk of collision, so UDP was reliable for our purpose.
I’m all in favor of HaD taking up the mantle of 2600 magazine, so this isn’t a complaint, but obviously this does defeat the (questionable) concept of an air gap, which is to make access physically impossible.
There could be information leaked in the log data or a side channel that was supposed to be secret, or perhaps could be used to access the Raspberry Pi through the wifi interface that it has, and from there access the target system, etc. It’s unlikely, but you can’t rule it out, and then why not just make life easier by networking the thing and hoping your firewall is up to the job?
It still goes through an air gap, you see.
Even more pedantic perhaps, but most optocouplers I’ve cracked open are actually an epoxy moulding around a solid lump of some sort of optical plastic so there’s no air inside them.
If this optocoupler setup breaks the air gap, then attaching a monitor to the machine does so as well. Heck, by your logic, if a computer has any way to affect the outside world (i.e. do anything), then it isn’t air gapped.
The receiving system still needs to be correctly designed for this to be secure. Think Little Bobby Drop tables.
If you design an airgapped protocol, maybe not sending commands along the sensor data and not executing arbitrary data might help. It’s easy to tokenize, set max length, check if data is float or integer and then save it. I really find this bothersome to assume that the creator would even design such an implied footgun.
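The two comments above make the point that the logging side of a one-way link is still an input boundary: the receiver must treat every byte as untrusted, parse with a strict grammar, and never execute or interpolate what it reads. The following is an added example (not the project's own code; the field names, limits and sample records are assumptions made here) showing the tokenize / max-length / numeric-type checks the comment describes, plus a parameterised SQLite insert so that a "Bobby Tables" style record is rejected at the parser and, even if it were not, could never reach the database as SQL.

```python
import re
import sqlite3

# Fields the logger is willing to store, and the type each value must parse as.
# These names are made up for the example.
ALLOWED_FIELDS = {"temp": float, "pressure": float, "rpm": int, "valve": int}
MAX_RECORD_LEN = 64
# Exactly one token: lowercase key, '=', a plain decimal number. Nothing else matches.
RECORD_RE = re.compile(r"^([a-z]+)=(-?[0-9]+(?:\.[0-9]+)?)$")


class RejectedRecord(ValueError):
    """Raised for any record that does not fit the whitelist grammar."""


def parse_record(line: str) -> tuple:
    """Return (field, typed_value) for a well-formed record, else raise RejectedRecord."""
    if len(line) > MAX_RECORD_LEN:
        raise RejectedRecord("record too long")
    m = RECORD_RE.match(line)
    if not m:
        raise RejectedRecord("malformed record")
    key, value = m.group(1), m.group(2)
    if key not in ALLOWED_FIELDS:
        raise RejectedRecord(f"unknown field {key!r}")
    caster = ALLOWED_FIELDS[key]
    if caster is int and "." in value:
        raise RejectedRecord(f"{key} must be an integer")
    return key, caster(value)


def ingest(lines) -> dict:
    """Sort incoming records into accepted (typed tuples) and rejected (line, reason)."""
    accepted, rejected = [], []
    for line in lines:
        try:
            accepted.append(parse_record(line))
        except RejectedRecord as err:
            rejected.append((line, str(err)))
    return {"accepted": accepted, "rejected": rejected}


def store(records, conn=None) -> int:
    """Insert typed records with a parameterised query; returns the row count afterwards."""
    conn = conn or sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE IF NOT EXISTS readings (field TEXT NOT NULL, value REAL NOT NULL)")
    conn.executemany("INSERT INTO readings (field, value) VALUES (?, ?)", records)
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM readings").fetchone()[0]


# Constructed sample records as they might come off the one-way link.
SAMPLE_LINES = [
    "temp=21.5",
    "rpm=1500",
    "temp=21.5; DROP TABLE readings",   # extra tokens: does not match the grammar
    "valve=1.5",                        # integer field given a float
    "$(reboot)",                        # not a key=value record at all
    "pressure=" + "9" * 100,            # exceeds MAX_RECORD_LEN
]


def demo() -> dict:
    result = ingest(SAMPLE_LINES)
    result["stored"] = store(result["accepted"])
    return result


if __name__ == "__main__":
    print(demo())
```

The grammar is an allow-list, not a deny-list: rather than searching for dangerous substrings, it accepts only the exact shape a sensor record should have, which is what makes the length and type checks meaningful.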
If you really think this is not enough and need more airgap then have a display on the safe machine and a camera with OCR on the logger. You can even separate the two machines with bullet proof & water proof glass…
Used an opto isolator? He took the term air gap too literally. Anyone who actually knows anything about electronics would know that using a UART aka RS232 IC TX pin is an output only pin. The opto did nothing to help the matter.
B-b-but muh ruspbery pie! It’s a PROJECT you dumb hater.
You can still exfiltrate/leak sensitive data. During the LED ON phase any fluctuation on the power line due to e.g. cryptography in another task can be detected on the receiver side.
Meh. Did this about 20 years ago with a 2313 and an opto, but mostly for monitoring a system that required galvanic iso.
In any case, is this some sort of company’s ad?
