Despite Air Gap: How data theft is possible even without an internet connection
by Tina Siering
Why data theft is possible even without an internet connection
An "air gap" is a measure to seal off computer systems or networks to protect them from unauthorised access or infection by malware or other threats. The systems are configured in such a way that they have no connection to the Internet or other networks and are therefore not accessible from the outside. An "air gap" can be used, for example, in government facilities, military installations or companies to protect extremely sensitive data.
Without a permanent connection to the internet, there is no risk of cyber attacks, so much for the logical conclusion in theory. In practice, unfortunately, things can be different, as Israeli security experts recently proved.
Israeli security researcher Mordechai Guri of Ben Gurion University has published a study on another method for exfiltrating data from an air-gap network. A way was found to use the operating principle of voltage switching to exfiltrate data. In the scenario described, the examined computer was controlled with a malicious malware (called COVID-bit). By exploiting low-frequency electromagnetic radiation, it managed to penetrate airborne systems generated by the computer in question.
Guri and his team were able to modify the CPU load - and thus its frequency and voltage. The infected computer then emitted electromagnetic radiation in a low-frequency range of 0 to 48 kHz. The attacker does not have to be in the same room as the target system, as the electromagnetic radiation generated can penetrate a wall. A few metres away from the CPU was enough.
In summary: The malware was able to influence electromagnetic waves in such a way that they could have been misused to transport data. Attackers equipped with suitable receivers could evaluate the data directly on the smartphone over a short distance.
Source: https://arxiv.org/pdf/2212.03520.pdf
However, in order for COVID bit and other cyber attacks on shielded computers to work, customised malware must initially be infiltrated (e.g. by a fraudulent insider). Sometimes even a compromised USB stick is enough for this.
However, the simulated cyber attack by the Israeli researchers does not show the only way cyber criminals can gain access to air-gapped systems.
Other physical signals suitable for data theft
PCs or laptops inevitably generate physical signals through their operation, even if they are not connected to the internet. The electromagnetic signals that security researchers have exploited are only a small part of the physics that take place around a running computer quite unnoticed by human senses. Other possible attack vectors and channels are:
Ultrasound
Ultrasound is a high-frequency sound that ranges from 20 kHz to several gigahertz. Frequencies of more than 20 kHz can no longer be perceived by the human ear - but can be misused by cybercriminals for data transmission. This requires malware that can encrypt and compress data and transmit it via ultrasound. Another nearby device that is also infected, such as a tablet or smartphone, can receive and transmit this data.
Electromagnetism
Every electric current generates an electromagnetic field. If you control the current, you also control the field - as we saw with the COVID bit cyber attack by Israeli researchers, and manipulating the CPU is just one option. Also conceivable here would be malware that sends a sequence of signals to the computer's screen and converts the monitor cable into a radio antenna. By deliberately manipulating the frequencies, it is then possible to send data that can be received with an FM receiver. USB connections, power cables, GPIO interfaces (General-Purpose Input/Output) or the memory bus can also be used for electromagnetic data transmission with the corresponding malware.
Magnetism
In magnetism, forces are generated in magnetic fields by the movement of electrons in atoms. In the IT sector, it is mainly processors that emit high-frequency magnetic radiation. If the load of the processor is now manipulated by corresponding malware, the magnetic radiation can be controlled - and used for the transmission of data. All that is needed for reception is a magnetic sensor connected to the serial port of a neighbouring computer, for example.
Optics
Every computer has at least one, but usually several LEDs that signal different functions of the device. Cyber attackers can also use the small LEDs to steal data from highly secured computers. For this purpose, a surveillance camera can be hacked, for example, which captures the optical signals of the previously compromised target computer and transmits them to the outside. Since modern cameras also operate in the infrared range, which is invisible to the human eye, these attacks cannot be uncovered even by looking closely.
Thermodynamics
Every IT system generates heat during operation. Processors, graphics cards or hard drives heat up during use - a physical process that can also be used for cyber attacks. Malware stimulates the infected device to change its temperature, another device logs these changes, converts them into information and sends it to the hacker via the internet. However, communication via thermal signals is physically spatially limited - it only works over a distance of up to a maximum of 40 centimetres.
Seismic waves
Data can also be transmitted via vibrations. For this purpose, the speed of the computer fan was manipulated in an experiment. The emitted vibrations can be captured by accelerometers on the smartphone - as long as the smartphone is on the same surface as the compromised computer.
How organisations protect their Air Gap computers from data theft
The most effective way to protect shielded and unconnected computers from air gap attacks is to avoid using any USB memory sticks or hard drives from unknown sources. Because as interesting as the physical possibilities are: None of the attacks mentioned will work without malware introduced in advance. It is even safer to deactivate existing USB interfaces on the computer directly. In addition, the room in which the critical computer is located should be shielded from both people and other technical devices. Existing LEDs should either be taped off or removed immediately. The use of audio equipment of any kind in the vicinity of the computer should be prohibited and magnetic radiation should be measured regularly and monitored continuously. If the isolated computer is used for standard tasks - which is often the case with Air-Gap computers - we recommend the default deny mode. This mode automatically prevents all unexpected processes and the execution of unknown programmes.
Conclusion
Air Gap is a measure that is considered particularly secure. After all, Air Gap computers are completely isolated, not connected to the network and thus safe from cyber attacks. At least in theory, because as Israeli researchers have now proven, with sufficient criminal energy and basic physical laws, even the best protection can be undermined. Data theft is therefore possible even without an internet connection. All it takes is a USB stick from an unknown source or a good social engineer to tap data via ultrasound, electromagnetism or sound. The principle is all the more important: never use data storage devices from unknown sources!
Need help upgrading your IT security for 2023? Contact us!
Related articles
For several days now, there has been a strong accumulation of successful compromises by the "QakBot" malware (also known as "QBot" and "QuackBot") worldwide. We have also already identified successful attacks as part of our ACD monitoring. After infection, criminals can gain access to online banking accounts, leak user data, and reload further malware. As one measure to mitigate the risk, we urgently recommend adjustments to the Group Policy Objects (GPO).
Cybercriminals are true masters at constantly adapting their attack mechanisms to effective IT security measures. New tools and iterative changes to existing malware are used to mercilessly exploit security vulnerabilities. Among the numerous threats, ransomware stands out as one of the biggest. More and more companies have to face extortion Trojans. A completely new threat called LockFile now relies on intermittent encryption. LockFile not only encrypts much faster than previous ransomware, but also bypasses security solutions that work reliably. This article shows why criminals are increasingly relying on intermittent encryption and how companies should react to the new threat.
Read more … New ransomware trend: Why criminals increasingly rely on intermittent encryption
Due to the war in Ukraine, secion provides an assessment of the threat situation for companies and examines the question of whether increased Russian attacks on companies in Germany, Austria and Switzerland can be identified. There is currently no evidence of an acute increase in the threat posed by Russian state actors in Western Europe, but there is increased public awareness of these cyberattacks. In addition, "third-party actors" are creating a new dynamic.