Skip to content ↓ | Skip to navigation ↓

More and more organisations today have some airgapped computers, physically isolated from other systems with no Internet connection to the outside world or other networks inside their company.

Security teams may have disconnected from other networks in order to better protect them, and the data they have access to, from Internet attacks and hackers.

Of course, a computer which can’t be reached by other computers is going to be a lot harder to attack than one which is permanently plugged into the net. But that doesn’t mean it’s impossible.

Take, for instance, the case of the Stuxnet worm, which reared its ugly head in 2010. Stuxnet is thought to have caused serious damage to centrifuges at an Iranian uranium enrichment facility after infecting systems via a USB flash drive and a cocktail of Windows vulnerabilities.

Someone brought an infected USB stick into the Natanz facility and plugged it into a computer – allowing it to spread and activate its payload.

And it’s not just Iran. In the years since, we have heard of other power plants taken offline after being hit by USB-aware malware spread via sneakernet.

So, we accept that although it may be more difficult to infect isolated airgapped computers, it isn’t impossible.

But what about exfiltrating data from computers which have no connection with the outside world?

Researchers from Ben-Gurion University in Israel think they have found a way to do it, hiding data in radio emissions surreptitiously broadcast via a computer’s video display unit, and picking up the signals on nearby mobile phones.

And, to prove their point, they have released a YouTube video, demonstrating their proof-of-concept attack in action:

In the video, which has no sound, the researchers first demonstrate that the targeted computer has no network or Internet connection.

Next to it is an Android smartphone, again with no network connection, that is running special software designed to receive and interpret radio signals via its FM receiver.

Proof-of-concept malware, dubbed “AirHopper,” running on the isolated computer ingeniously transmits sensitive information (such as keystrokes) in the form of FM radio signals by manipulating the video display adaptor.

Meanwhile, AirHopper’s receiver code is running on a nearby smartphone.

“With appropriate software, compatible radio signals can be produced by a compromised computer, utilizing the electromagnetic radiation associated with the video display adapter. This combination, of a transmitter with a widely used mobile receiver, creates a potential covert channel that is not being monitored by ordinary security instrumentation.”

As the researchers revealed in their white paper, the phone receiving the data can be in another room.

Now, you may think that if AirHopper is fiddling with the targeted computer’s screen that this could be noticed by any operator in front of the device. However, the researchers say they have devised a number of techniques to disguise any visual clues that data may be being transmitted, like waiting until the monitor is turned off, waiting until a screensaver kicks in, or determining (like a screensaver does) that there has been no user interaction for a certain period of time.

It’s all quite ingenious—and although I have explained before how high frequency sound can be used to exfiltrate data from an airgapped computer, this new method could work even if a PC’s speaker has been detached.

No sound on a computer you can live with, but removing monitors seems impractical.

Of course, it’s important that no-one should panic. The technique is elaborate, and at the moment—as far as we can tell—only exists within research laboratories.

It’s important to understand the various steps that have to be taken to exfiltrate data from an airgapped computer.

Firstly, malware has to be introduced to the isolated PC—not a simple task in itself, and a potential hurdle that may prove impossible if proper defences are in place.

Secondly, a mobile device carrying the receiver software needs to be in close proximity to the targeted computer (this would require either an accomplice, or infection of an employee’s mobile device with the malware).

The data then has to be transmitted from the mobile phone itself, back to the attackers.

Finally, this may not be the most efficient way to steal a large amount of data. The AirHopper experiment showed that data could be transmitted from targeted isolated computers to mobile devices up to 7 metres (23 feet away), at a rate of 13-60 bytes per second. That’s equivalent to less than half a tweet.

Transmission rate

Despite that, it’s still easy to imagine that a determined hacker who has gone to such lengths would be happy to wait for a sizeable amount of data to be transmitted, perhaps as the isolated computers are left unattended overnight or at weekends.

If this all sounds like too much of an effort, think again. Because the researchers’ paper says although complex, the attack isn’t beyond modern attackers:

“The chain of attack is rather complicated, but is not beyond the level of skill and effort employed in modern Advanced Persistent Threats (APTs)”

Which leads us to what you should do about it, and there is a familiar piece of advice to underline: tightly control who has access to your computers, and what software they are able to install upon them, and what devices they are permitted to attach.

The AirHopper attack cannot steal any data from your airgapped computers at all, if no-one ever manages to infect them in the first place.

It will be interesting to see if others take this research and devise more methods to counter this type of attack in the future.

 

RELATED ARTICLES:

RESOURCES:

picCheck out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the ShellShock and Heartbleed vulnerability.

picThe Executive’s Guide to the Top 20 Critical Security Controls

Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].

Hacking Point of Sale
  • darylms

    Neal Stephenson's 1999 speculative novel Cryptonomicon discusses this issue. The prescience of science fiction eh?

  • Buguroo

    Very interesting! No computer is completely safe.

  • Coyote

    "No sound on a computer you can live with, but removing monitors seems impractical."
    I don't know. Indeed for most uses a monitor is needed. But let's also keep in mind that there are headless systems. The only reason I have a monitor attached (rarely on as I login from my primary computer on the subnet) to my server is it is right here and sometimes it is convenient (but that is rare indeed). At same time, virtual machines (e.g., for a server) don't have monitors and neither (or I assume not) do remote servers (although they could). In the end it is the environment (physical and otherwise) that decides how to manage with or without a monitor (including what the computer does and how).

    "Which leads us to what you should do about it, and there is a familiar piece of advice to underline: tightly control who has access to your computers, and what software they are able to install upon them, and what devices they are permitted to attach."

    I was thinking this the entire time reading through it. It is interesting to note, though, that one way to get in is often something that so many are used to (expecting) that they forget that it might not be honest: utility workers. Of course, an utility worker in such environment is… well, you know. But the point is the same: physical security is just as important as remote security and in fact more important. The amount of harm one can do remotely is nothing compared to physically exactly because physical access is complete access, in the end. If they are determined enough to get physical access then they are determined enough to succeed.

  • Sansabelt

    TEMPEST for the civilian market, perhaps?

  • SJLyons50

    @Sansabelt – Was also thinking of TEMPEST! Had some exposure to it back in 1985/1986.