More and more organisations today have some airgapped computers, physically isolated from other systems with no Internet connection to the outside world or other networks inside their company.
Security teams may have disconnected from other networks in order to better protect them, and the data they have access to, from Internet attacks and hackers.
Of course, a computer which can’t be reached by other computers is going to be a lot harder to attack than one which is permanently plugged into the net. But that doesn’t mean it’s impossible.
Take, for instance, the case of the Stuxnet worm, which reared its ugly head in 2010. Stuxnet is thought to have caused serious damage to centrifuges at an Iranian uranium enrichment facility after infecting systems via a USB flash drive and a cocktail of Windows vulnerabilities.
Someone brought an infected USB stick into the Natanz facility and plugged it into a computer allowing it to spread and activate its payload.
And it’s not just Iran. In the years since, we have heard of other power plants taken offline after being hit by USB-aware malware spread via sneakernet.
So, we accept that although it may be more difficult to infect isolated airgapped computers, it isn’t impossible.
But what about exfiltrating data from computers which have no connection with the outside world?
Researchers from Ben-Gurion University in Israel think they have found a way to do it, hiding data in radio emissions surreptitiously broadcast via a computer’s video display unit, and picking up the signals on nearby mobile phones.
And, to prove their point, they have released a YouTube video, demonstrating their proof-of-concept attack in action:
In the video, which has no sound, the researchers first demonstrate that the targeted computer has no network or Internet connection.
Next to it is an Android smartphone, again with no network connection, that is running special software designed to receive and interpret radio signals via its FM receiver.
Proof-of-concept malware, dubbed “AirHopper”, running on the isolated computer ingeniously transmits sensitive information (such as keystrokes) in the form of FM radio signals by manipulating the video display adaptor.
Meanwhile, AirHopper’s receiver code is running on a nearby smartphone.
“With appropriate software, compatible radio signals can be produced by a compromised computer, utilizing the electromagnetic radiation associated with the video display adapter. This combination, of a transmitter with a widely used mobile receiver, creates a potential covert channel that is not being monitored by ordinary security instrumentation.”
As the researchers revealed in their white paper, the phone receiving the data can be in another room.
Now, you may think that if AirHopper is fiddling with the targeted computer’s screen that this could be noticed by any operator in front of the device. However, the researchers say they have devised a number of techniques to disguise any visual clues that data may be being transmitted, like waiting until the monitor is turned off, waiting until a screensaver kicks in, or determining (like a screensaver does) that there has been no user interaction for a certain period of time.
It’s all quite ingenious—and although I have explained before how high frequency sound can be used to exfiltrate data from an airgapped computer, this new method could work even if a PC’s speaker has been detached.
No sound on a computer you can live with, but removing monitors seems impractical.
Of course, it’s important that no-one should panic. The technique is elaborate, and at the moment—as far as we can tell—only exists within research laboratories.
It’s important to understand the various steps that have to be taken to exfiltrate data from an airgapped computer.
Firstly, malware has to be introduced to the isolated PC—not a simple task in itself, and a potential hurdle that may prove impossible if proper defences are in place.
Secondly, a mobile device carrying the receiver software needs to be in close proximity to the targeted computer (this would require either an accomplice, or infection of an employee’s mobile device with the malware).
The data then has to be transmitted from the mobile phone itself, back to the attackers.
Finally, this may not be the most efficient way to steal a large amount of data. The AirHopper experiment showed that data could be transmitted from targeted isolated computers to mobile devices up to 7 metres (23 feet away), at a rate of 13-60 bytes per second. That’s equivalent to less than half a tweet.
Despite that, it’s still easy to imagine that a determined hacker who has gone to such lengths would be happy to wait for a sizeable amount of data to be transmitted, perhaps as the isolated computers are left unattended overnight or at weekends.
If this all sounds like too much of an effort, think again. Because the researchers’ paper says although complex, the attack isn’t beyond modern attackers:
“The chain of attack is rather complicated, but is not beyond the level of skill and effort employed in modern Advanced Persistent Threats (APTs)”
Which leads us to what you should do about it, and there is a familiar piece of advice to underline: tightly control who has access to your computers, and what software they are able to install upon them, and what devices they are permitted to attach.
The AirHopper attack cannot steal any data from your airgapped computers at all, if no-one ever manages to infect them in the first place.
It will be interesting to see if others take this research and devise more methods to counter this type of attack in the future.
This article first appeared on the Tripwire State of Security blog.
