One of the most useful tools in the network security toolkit is the airgapped network: a network kept disconnected from wide area networks such as the internet in order to store and protect data. “Airgapping” a network means removing any gateway (router/modem) that bridges it to the larger internet; put simply, an airgapped computer is one that can’t connect, or never connects, to the internet. If you’re not connected to the internet, your chances of being attacked drop considerably. Automated programs can still operate and propagate within an airgapped network, but they cannot reach command-and-control infrastructure to receive instructions or exfiltrate data. These networks operate with a gap of air between themselves and any internet-connected network, hence the name “airgap”. Jumping the airgap refers to the ability of a malicious attack to traverse this gap, infect computers on the separated network, and exfiltrate the data found there.
What constitutes an airgapped network? A wifi connection to your laptop is not an airgap; it is a bridge between a transmitter (the wireless router) and a receiver (the wifi antenna in the laptop). An airgapped laptop would have its wireless receiver removed and connect to the isolated network only over an Ethernet cable. A laptop with secured wifi credentials is not an airgapped machine, in the sense that it is one exploit away from bridging the gap to the wider internet. Likewise, a computer on a LAN that connects at any point to the larger internet is not airgapped. A computer sitting in a soundproof room, running on a generator or some other mechanism to defeat Ethernet-over-power attacks, behind the NATO-recommended wall thickness to prevent radiation leakage, and without any windows to leak visual cues would be considered a conceptually perfect airgap. That is, until the next technique is discovered, possibly including some kind of defeat of the computer/biological barrier.
In what kinds of situations is an airgapped network appropriate? According to Wikipedia, military, government, banking, industrial, aviation, and medical networks would all benefit from the security of an airgap. Suppose the US military were using a supposedly secure network of Windows 7 PCs to manage data on troop locations and documented strategy. The network is locked down from a systems-administration standpoint: all programs are up to date, all group policies are set correctly, and access is audited. Now suppose a Windows 7 exploit is found that lets attackers subvert the security measures in place. All that work is for naught once the exploited system behaves like a public node on the larger internet. The point of the airgap is to ensure that such exploits are not devastating to the security of the data and its users. Essentially, a computer on a traditional, non-airgapped network is one misconfiguration or one exploit away from being bidirectionally compromised.
Unidirectional networks are a large part of operational security when dealing with airgapped networks. Much as classified information moves within an organization, data can move onto the airgapped system with relatively little scrutiny compared to being moved off of it, just as information can be transferred to higher levels of security clearance with minimal concern while declassifying it to lower levels is extremely restricted. This unidirectional flow creates a fail-safe for the situation where a computer is compromised: the malicious actor fails to exfiltrate data back to the attacker simply because the medium to transport that data is not there. The unidirectional flow is necessary because computers need to be updated and need data moved onto them, and both require data from machines that have been connected to the outside internet to be moved onto the airgapped machine. The idea is that once data is on these airgapped machines, it never returns to machines that maintain an external internet connection. Imagine a spy who gets into a vault containing state secrets. Once inside, the spy may never leave, which makes him unable to report back what he’s found and ultimately renders his services useless. Airgap-jumping malware is essentially a set of unorthodox methods that let this spy communicate what he’s found without leaving the vault. The most intense airgapping regimes may even include policies against transferring this data to internet-capable machines at all, relying instead on human elements to interpret, query, curate, and move the data to its applicable uses. Unidirectional data flow does allow malicious activity to enter an airgapped machine. However, unidirectional networks mitigate this by preventing exfiltration: the malicious software, and all the data it wants to communicate to its handler, stays on the airgapped network, isolated from the internet.
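The practical consequence of a one-way flow is that the receiving side can never ask for a resend, so integrity and loss handling have to be built into the inbound transfer itself. The following Python model, added here as an illustration and not taken from the article or any real data-diode product, shows that constraint: the sender repeats every chunk, each frame carries a CRC and the whole message carries a SHA-256 digest, and the link passes frames in the inbound direction only. The frame format, chunk size, repeat count and the sample payload are all constructed assumptions.

```python
import hashlib
import zlib

# Added example (not from the original article): a constructed, simplified
# model of a one-way transfer into an airgapped network. Frame format,
# chunk size, repeat count and sample payload are assumptions for illustration.

CHUNK_SIZE = 16   # bytes of payload per frame (assumed)
REPEATS = 3       # each chunk is sent this many times, since no ACK can ever come back


def make_frames(payload: bytes, repeats: int = REPEATS) -> list:
    """Split payload into chunks and emit every chunk `repeats` times.

    The receiver can never request a retransmission over a unidirectional
    link, so redundancy has to be decided up front by the sender.
    """
    chunks = [payload[i:i + CHUNK_SIZE] for i in range(0, len(payload), CHUNK_SIZE)]
    total = len(chunks)
    digest = hashlib.sha256(payload).hexdigest()   # whole-message integrity check
    frames = []
    for _ in range(repeats):
        for seq, data in enumerate(chunks):
            frames.append({
                "seq": seq,
                "total": total,
                "crc": zlib.crc32(data),   # per-frame integrity check
                "data": data,
                "digest": digest,
            })
    return frames


def one_way_link(frames: list, direction: str, dropped=(), corrupted=()) -> list:
    """Model the diode: only 'inbound' (toward the airgapped side) passes.

    `dropped` and `corrupted` are frame indices used to simulate loss and
    bit errors deterministically (constructed for the example).
    """
    if direction != "inbound":
        return []   # reverse direction: the physical path simply does not exist
    out = []
    for i, frame in enumerate(frames):
        if i in dropped:
            continue
        if i in corrupted:   # flip the first byte; the CRC no longer matches
            frame = dict(frame, data=bytes([frame["data"][0] ^ 0xFF]) + frame["data"][1:])
        out.append(frame)
    return out


def receive(frames: list):
    """Reassemble on the airgapped side. Returns (payload, missing_seqs)."""
    got, total, digest = {}, None, None
    for frame in frames:
        if zlib.crc32(frame["data"]) != frame["crc"]:
            continue   # corrupt frame: drop it and hope a later repeat survives
        total, digest = frame["total"], frame["digest"]
        got.setdefault(frame["seq"], frame["data"])
    if total is None:
        return None, set()
    missing = set(range(total)) - set(got)
    if missing:
        return None, missing   # nothing to do but wait for the next broadcast
    payload = b"".join(got[i] for i in range(total))
    if hashlib.sha256(payload).hexdigest() != digest:
        return None, set(range(total))
    return payload, set()


# Constructed sample payload (not real data); 41 bytes -> 3 chunks -> 9 frames.
SAMPLE = b"update-manifest: constructed-example-0001"

if __name__ == "__main__":
    frames = make_frames(SAMPLE)
    print(receive(one_way_link(frames, "inbound", dropped={2}, corrupted={1})))
    print(receive(one_way_link(frames, "inbound", dropped={2, 5, 8})))
    print(receive(one_way_link(frames, "outbound")))
```

The first call recovers the payload despite one lost and one corrupted frame, because the repeats fill the holes; the second loses every copy of chunk 2 and can only report it missing; the third shows that nothing at all crosses in the outbound direction. Note that the digest and CRC only give integrity against noise, not authenticity: a real inbound path would also sign the manifest, since the airgapped side has no way to query anyone about what it received.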
Imagine being in a room where two dogs were communicating via a dog whistle. You would be unaware of the communication going on. This is the case when people employ acoustic measures to exfiltrate and infiltrate data. Recall the movie Inception: someone’s dreams would technically be airgapped. The premise of the movie is that data in the dream state can be easily exfiltrated from the dreaming person, but data cannot be easily infiltrated, or “incepted”. Exfiltrating data and infiltrating data are often two different conceptual problems when considering an approach to an airgapped network. Within an airgapped network, data is not easily exfiltrated. So imagine the process of moving data off the system as “Exception”, the opposite of the premise of Inception.
Using the acoustic side effects of a computer’s operation, attackers can exfiltrate data that exists on an airgapped machine. You’ve likely heard a computer and the noises it makes. These noises can be controlled, and interpreted by a listener, to convey information beyond traditional means. The idea of moving data acoustically is not new; you may recall the noises conveying data when you picked up a phone that was sharing a line with the internet back in the days of dial-up. However, the methods used today are getting more and more sophisticated. Of course, these methods require malware to be on the airgapped computer in the first place. Getting malware onto an airgapped computer that employs a unidirectional data flow is not difficult today. Once on the airgapped machine, the malware begins creating sounds that a malicious receiver can pick up. Diskfiltration is one of these acoustic exfiltration methods: the malware uses hard-drive head movement to create sounds that a receiver can pick up. This is useful in a situation where an airgapped machine sits next to another machine with internet connectivity and a microphone. Once dropped onto the airgapped machine, the malware uses this technique to exfiltrate data to a machine capable of phoning home. The method matters when the airgapped machine has no speakers an attacker could otherwise use to transmit audio, typically beyond the range of human hearing, to a receiver.
What if the airgapped computer uses solid-state drives, which can be practically silent? The Diskfiltration method would be defeated before it could even begin. This is an important reason to keep the technical specs of an airgapped system private and to employ good operational security when communicating them. If an attacker manages to compromise a system with Diskfiltration, the lack of exfiltrated data will tell him the attack was unsuccessful, but he won’t be sure whether the problem lies with the listening device, the exfiltration method, or incompatibility with the hardware. Keeping attackers in the dark like this grants security professionals an advantage.
Fansmitter is capable of defeating the airgap in systems that are immune to Diskfiltration. The method uses the computer’s fans to communicate acoustically. Like other acoustic methods, this creates a bridge across the “audio gap” to exfiltrate data from the airgapped machine. By controlling the speed of the fans, and as a result the sound waves they emit, a malicious receiver such as a smartphone or a compromised internet-capable computer can relay data off the airgapped system. The method is slow, at 900 bits per hour (0.25 bytes/second), but that is enough to slowly transfer passwords, encryption keys, and other sensitive information stored in text files.
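From the defender’s side, the distinguishing feature of Diskfiltration- or Fansmitter-style channels is that they drive a physical component on a clock: speed or activity toggles between two levels at regular intervals, which neither thermal control (gradual ramps) nor ordinary workloads (irregular bursts) produce. The Python detector below is an added example, not code from the article or from the Fansmitter research, that applies that heuristic to fan-speed telemetry. The sampling interval, the thresholds and the three RPM traces are constructed assumptions; the same regularity check would apply to disk-activity counters or LED state logs, which is a generalization of mine rather than something the article states.

```python
import statistics

# Added example (not from the original article): a constructed detector that
# looks at fan-speed telemetry for the regularly clocked toggling an acoustic
# covert channel would produce. Sampling interval, thresholds and all traces
# below are assumptions for illustration.


def run_length_trace(levels, run_lengths):
    """Build an RPM trace from alternating levels, each held for the given run length."""
    samples = []
    for i, n in enumerate(run_lengths):
        samples.extend([levels[i % len(levels)]] * n)
    return samples


def abrupt_changes(samples, jump_rpm):
    """Indices where fan speed jumps by more than jump_rpm between consecutive samples."""
    return [i for i in range(1, len(samples)) if abs(samples[i] - samples[i - 1]) > jump_rpm]


def analyze_fan_trace(samples, interval_s=0.1, jump_rpm=400, min_changes=8, max_jitter=0.25):
    """Flag a trace when abrupt speed changes are both frequent and evenly spaced.

    Thermal control ramps the fan gradually (few abrupt changes); a bursty
    workload jumps it around at irregular intervals (high jitter); a keyed
    covert channel toggles it on a fixed clock (many changes, low jitter).
    """
    idx = abrupt_changes(samples, jump_rpm)
    if len(idx) < min_changes:
        return {"suspicious": False, "changes": len(idx),
                "reason": "few abrupt changes; consistent with thermal control"}
    gaps = [b - a for a, b in zip(idx, idx[1:])]          # samples between toggles
    mean_gap = statistics.mean(gaps)
    jitter = statistics.pstdev(gaps) / mean_gap          # relative spread of the gaps
    if jitter > max_jitter:
        return {"suspicious": False, "changes": len(idx),
                "reason": "irregular spacing; consistent with a bursty workload"}
    return {
        "suspicious": True,
        "changes": len(idx),
        "keying_rate_hz": round(1.0 / (mean_gap * interval_s), 2),
        "reason": "regularly clocked speed toggling",
    }


# Constructed traces, 10 samples per second (interval_s = 0.1).
NORMAL_TRACE = [1200 + 10 * i for i in range(60)]                                  # gradual thermal ramp
BURSTY_TRACE = run_length_trace([1100, 1900], [4, 3, 9, 2, 14, 5, 7, 1, 11, 6, 5])  # irregular load
KEYED_TRACE = run_length_trace([1100, 1900], [5] * 16)                             # toggles every 0.5 s

if __name__ == "__main__":
    for name, trace in [("normal", NORMAL_TRACE), ("bursty", BURSTY_TRACE), ("keyed", KEYED_TRACE)]:
        print(name, analyze_fan_trace(trace))
```

Only the keyed trace is flagged, with an estimated keying rate of 2 Hz; the ramp produces no abrupt changes at all, and the bursty trace has ten abrupt changes but a gap jitter well above the 0.25 cutoff. In practice the thresholds would be tuned against a baseline recorded from the specific hardware, which is one more reason the article’s advice to keep an airgapped system’s hardware details private also helps the defender: the defender knows what normal looks like and the attacker does not.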
AirHopper is another acoustic exfiltration technique; it turns monitors and video components into FM transmitters capable of transmitting data 1 to 7 meters away. That might not seem like a long distance, but it could mean the difference between rooms if an airgapped machine is kept in a room by itself, away from computers with internet connectivity. The technique only allows 60 bytes of information to be transferred per second, due to the nature of sound waves. However, 60 bytes a second is 3.6 kilobytes a minute, enough to transfer text files with hundreds of passwords or expansive Excel documents in a matter of hours.
GSMem is an additional acoustic technique that communicates data from a compromised airgapped machine to a compromised cell phone, which then uses the cell network to phone home with the information. Using cellphone frequencies allows much more data to be transferred, making this method exceptionally dangerous. Attacks like this are the reason for policies that disallow carrying cellphones into sensitive areas.
Recently, visual elements have been proven capable of bridging the airgap. We’ve all seen the LEDs used to indicate disk activity and power status on desktop and laptop computers. Researchers at Ben-Gurion University in Beersheba, Israel, were able to read the signals expressed by malicious software on computers with such LEDs, effectively exfiltrating data from an airgapped machine through a window on the 3rd floor of an office building using a drone. This may seem like an extreme method, but it could be useful for exfiltrating data where acoustic and other options are not available. It only requires a direct or indirect view of the computer’s LEDs: a view of the LED itself is not necessary, all that is required is a visible change in light that conveys a message in a binary code the receiver can understand. This method can easily be defeated by eliminating windows from an airgapped environment. Stranger still is malware like BitWhisper, which communicates by using thermal elements to exfiltrate data.
The most advanced attacks will always require airgap jumping to execute, simply because the most demanding security applications will include airgaps to protect sensitive data. We’ve entered an era where creating an airgap doesn’t ensure protection for data. With the advent of IoT devices and the philosophy of constant connectivity, the industry seems set on eliminating the airgap for practical and pragmatic reasons. I remain unfazed until malware can jump the airgap between a computer and a physical notebook.