Once upon a time, all computers were air-gapped. Even malware did not exist. Then, one day, the first computer virus was invented. However, since there was no internet, at least no internet as we know it today, the only way the virus could get onto a computer was through someone inserting an infected floppy disk. In those ancient times, malware was only designed to disrupt the operations of the infected machines. There was no monetary benefit in it.
The 1990s came with the first true internet-borne malware. Infections, it seemed, were everywhere, which led to the development of antivirus programs. Thus began the long struggle between malware creators (hackers) and the antivirus developers who tried to stop them. This evolving battle has led to the wide variety of cyber attacks that we see today. The cyber security landscape is, in fact, so complex that, to many, the only way to protect truly sensitive data is to separate that data from the internet and other devices by air-gapping it. Interestingly, one of the most complex malware exploits ever developed, Stuxnet, could only carry out its mission by using a technique developed for the first viruses ever made: it used an infected USB drive to gain access to air-gapped computers.
Although most people believe that air-gapped computers are safe from attack, there are, in fact, a number of ways to attack air-gapped computers without physically contacting them. This is because one of the problems with computers is that they require electricity. They or their components, therefore, will emit or leak electronic signals which can be picked up through a technique called Van Eck phreaking. Van Eck phreaking picks up side-band electromagnetic emissions to spy on a device, then recreates the original message from the captured signals.
The first attempts at hacking air-gapped computers relied on intercepting signals from monitors. More recent attacks focus on capturing the signals emitted from keyboards, since each key will emit a distinct signal. Researchers have found that they could capture these signals from all types of keyboards from a distance of up to 20m (60ft), and that they could even capture them through walls.
Last year, researchers from Ben Gurion University in Israel took air-gapped hacking to the next level. Realizing that cell phones have FM radio receivers, they were able to make a sort of keylogger which allowed a cell phone to intercept the FM signals emitted from an air-gapped computer's video card from up to 7 meters (20ft) away. This so-called AirHopper technology could allow a phone to detect variations in the FM signals and use pre-installed software to decode these signals into text. Although it was not 100% accurate and would be worthless for longer messages, it could still be used to steal passwords. The technique was similar to one used by the NSA to extract information from air-gapped computers in Russia, China, and Iran. Those attacks, however, relied on a nearby, compromised computer rather than a cell phone.
This year, the same researchers came up with another method for stealing information from air-gapped computers. The new BitWhisper technology was shown to extract information from an air-gapped computer by utilizing variations in a computer's heat emissions and the computer's built-in thermal sensors. Whenever your computer's fan comes on, it is because its thermal sensors report that some components are overheating. The catch with this new hacking method is that both the air-gapped computer and the nearby computer need to have malware installed on them. The only way the air-gapped computer could get this malware would be through a USB drive or through someone at the manufacturing level installing it in the firmware. The malware would allow the air-gapped computer and a malware-enabled nearby computer to communicate using the thermal sensors. If the nearby computer was also connected to the internet, then it could be used to remotely control the air-gapped computer.
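A thermal covert channel like the one described above has to toggle a component's temperature in a regular, slot-aligned pattern, which is not how ordinary workloads heat and cool a machine. The following is an added example (not code from the original post or from the Ben Gurion researchers) of a defender-side check that runs over a log of periodic temperature readings and flags the kind of regular oscillation a thermal channel would produce. The sensor logs are constructed for illustration, and the thresholds (`margin`, `min_transitions`, `tolerance`) are assumptions to be tuned against real baseline data.

```python
from statistics import median

# Constructed sample logs: CPU temperature in degrees C, one reading per minute.
# NORMAL_LOG ramps up under load and cools down again, the way a real workload does.
NORMAL_LOG = [45, 45, 46, 46, 47, 48, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 58, 59, 60,
              60, 59, 58, 57, 56, 55, 54, 53, 52, 51, 50, 49, 48, 47, 46, 46, 45, 45, 45, 44]

# SUSPECT_LOG idles at 50, then toggles between 53 and 47 in fixed three-sample slots,
# the signature of a component being heated and cooled on a schedule to carry bits.
SUSPECT_LOG = [50, 50, 50, 50] + sum(
    ([53, 53, 53] if bit else [47, 47, 47] for bit in [1, 0, 1, 1, 0, 0, 1, 0, 1, 0, 0, 1]), [])


def threshold_states(readings, margin=1.0):
    """Map each reading to a 'hot' (1) or 'cool' (0) state relative to the log's median.
    Readings inside the +/- margin band keep the previous state so small noise
    does not register as a transition."""
    base = median(readings)
    states = []
    for r in readings:
        if r > base + margin:
            states.append(1)
        elif r < base - margin:
            states.append(0)
        else:
            states.append(states[-1] if states else 0)
    return states


def run_lengths(states):
    """Run-length encode a 0/1 sequence: [0,0,1,1,1,0] -> [2,3,1]."""
    runs = []
    count = 1
    for prev, cur in zip(states, states[1:]):
        if cur == prev:
            count += 1
        else:
            runs.append(count)
            count = 1
    runs.append(count)
    return runs


def looks_like_covert_channel(readings, margin=1.0, min_transitions=8, tolerance=0.2):
    """Heuristic detector (assumed thresholds): flag a log when the hot/cool state
    flips many times AND every flip lands on a multiple of one base slot length.
    Real workloads produce few transitions with irregular run lengths; a modulated
    channel produces many transitions aligned to its symbol period."""
    runs = run_lengths(threshold_states(readings, margin))
    if len(runs) - 1 < min_transitions:
        return False
    inner = runs[1:-1]          # first and last runs are partial and carry no timing info
    if not inner:
        return False
    slot = min(inner)           # shortest run is taken as the candidate symbol period
    for r in inner:
        ratio = r / slot
        if abs(ratio - round(ratio)) > tolerance:
            return False        # a run that is not a whole number of slots: not slot-aligned
    return True


if __name__ == "__main__":
    for name, log in (("normal", NORMAL_LOG), ("suspect", SUSPECT_LOG)):
        print(f"{name}: runs={run_lengths(threshold_states(log))} "
              f"flagged={looks_like_covert_channel(log)}")
```

In practice this check would run continuously over the host's own sensor history (the air-gapped machine, its neighbours, or a rack-level monitor), and a flagged host would be pulled for firmware and USB-history inspection, since the post notes that the channel only works once malware is already present on both machines.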
A few days ago, the same Ben Gurion University researchers came out with a new ploy which takes advantage of the electromagnetic signals in a GSM network. This means that even the most primitive cell phones can be used in a hack on an air-gapped computer. Some companies don't allow smartphones near air-gapped computers that hold sensitive information, because there is a prevailing belief that 'dumb phones' are a safer option. This hack shows that any cell phone, no matter how dumb, can be dangerous. However, for this system to operate, once again, malware would have to somehow be installed on both computers.
Given the variety of ways that air-gapped computers can be compromised, how is it possible to keep them safe? Of course, disabling audio input and output on air-gapped computers would always be a good first step. In addition, the room where the air-gapped computers are kept should not have windows, in case some type of laser-based attack is attempted. Next, all cell phones must be prohibited within a certain distance of these protected computers. Keeping cell phones out of the room may not be enough, as some signals can be read through walls: in the GSM exploit mentioned above, researchers found that they could use a dedicated receiver to pick up the necessary signals from over 30m (100ft) away. To prevent electromagnetic signal leakage, air-gapped computers, or even the room they are in, could be surrounded with a Faraday cage. This is simply a mesh of conductive metal that prevents signals from entering or leaving the enclosure. Another way to defeat the weak side-band emanations coming from an air-gapped computer may be to use some sort of white noise generator as a masking device.
However, since some of these exploits require that malware be installed at the firmware level or at some point within the device production process, a business or enterprise would, in order to feel completely safe, have to control the entire production process, which is easier said than done. I'll have more to say on pre-installed malware in a future post.
For most people, air-gapped computers are quite safe, assuming they use trusted USB drives to transfer data. However, as your profile grows, the air-gapped computers you possess may appear more tempting to attackers. Expect government and military institutions to be the main targets. But the main problem will be complacency and the idea that air-gapped computers are, by their very nature, safe. For this reason alone, such attacks may go completely undetected for much longer than a traditional attack would. In other words, good security begins with the awareness that air-gapped attacks are a true threat and must be accounted for in the security infrastructure.