Black Hat Keynoter: Beware of Air Gap Risks
Drone, Laser Attack Penetrate Secure Environment
Using an air gap - a computer network that's disconnected from other local networks and the Internet - has long been a recommended defensive strategy for use in highly secure environments.
But at the opening keynote on Oct. 16 for the Black Hat Europe conference in Amsterdam, cryptographer Adi Shamir described how a malware-infected, all-in-one printer could be used to infiltrate data into, and exfiltrate data from, air-gapped networks, using a long-distance laser to send data into the environment and the video camera on a drone to get it out. He dubbed the vulnerability "Scangate."
Shamir is a professor of applied mathematics at Israel's Weizmann Institute of Science, as well as a co-inventor of the RSA algorithm - he's the "S." And his warning to anyone relying on an air-gapped network is simple: Don't connect a multi-function printer to the network, because its built-in scanner can be turned into an optical channel for sending data to, and receiving data from, devices outside the gap.
Air Gaps: Good in Theory
Air gaps have long been used for systems that store top-secret information - for example in military and intelligence circles - as well as in critical environments, such as nuclear power plants, medical environments and for avionics. From a practical standpoint, however, they're difficult to use. "Air gaps might be conceptually simple, but they're hard to maintain in practice," cryptographer Bruce Schneier said in a recent blog post.
"The truth is that nobody wants a computer that never receives files from the Internet and never sends files out into the Internet," he said. "What they want is a computer that's not directly connected to the Internet, albeit with some secure way of moving files on and off. But every time a file moves back or forth, there's the potential for attack."
One example of the difficulty of keeping air-gapped environments secure involved the nuclear enrichment centrifuges at Iran's secure Natanz facility, which were reportedly crippled by the Stuxnet worm despite the centrifuge controllers being connected only to an air-gapped network. The culprit: malware carried in on a USB thumb drive that was smuggled into the facility. But that was a one-way attack: it got code in, but it had no channel for getting data back out.
Shamir decided to test whether there might be ways of retrieving data from - and sending data to - a malware-infected, air-gapped system.
For his tests, Shamir - with fellow Israeli crypto researchers Yuval Elovici and Moti Guri - targeted a building in Beersheba, which the Israeli government has designated as the country's "cybersecurity" city. In particular, they focused on an all-in-one printer - which happened to be an HP Officejet Pro 8500 - and found that by using a blue laser, they could send signals from more than 1 kilometer away, or about two-thirds of a mile, that could be read by any malware already resident on the printer, using the device's built-in scanner.
Furthermore, that range could likely be extended to 5 kilometers or more using a high-power infrared laser - which, because infrared light is invisible to the naked eye, would make the attack virtually undetectable - but the researchers were wary of accidentally blinding anyone nearby.
Laser Pulses Send Bits
The laser broadcast the equivalent of Morse code, sending binary instructions - zeros and ones - by pulsing at different intervals. The system is analogous to television remote controls, which send infrared pulses that get received by a television and translated into commands. "Typically, when the laser is operating, you see it as a white line and when it is shut off, you see it as a dark line," Shamir says in an interview at Black Hat Europe. By analyzing these patterns, malware could decode the bits, which would translate into data. These might be instructions for the malware, for example, to seize a copy of "top_secret.pdf," or even additional malicious code, to give the malware more functionality.
For the attack, ideally the lid of the all-in-one printer's scanner would be in a raised position. But Shamir said he found that even when scanning a book, the scanner would still pick up the laser light as spill in the margins. Furthermore, the malware could be written to watch for these patterns, decode them and also delete them from scanned images.
Stealing Data with a Drone
To exfiltrate data, meanwhile, the scanner's lamp can be made to pulse in a similar manner, and attackers could record those pulses and decode the information being transmitted. But because the light source is relatively weak, Shamir said recording the flickering from a safe distance - say, several kilometers away - proved impossible. So the researchers purchased a $1,000 DJI Phantom 2 Vision quadcopter, or drone, that includes a video camera with image stabilization and has the ability to hover at predefined GPS coordinates. The researchers found that by having the drone hover about 100 meters above the building, they were able to record decodable signals from the scanner.
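A toy model of both directions of the channel described above - the laser-to-scanner link and the scanner-to-drone link - as an added illustration that is not code from the researchers or from the talk. It uses pulse-width keying in the spirit of the Morse analogy: a short flash is a 0, a long flash is a 1, and an extra-long flash brackets a message. The same encoder stands in for the attacker's laser and for the scanner lamp; the same decoder runs over the margin brightness of each scan line inside the printer and over the per-frame luminance the drone camera would record. The printer side also scrubs the laser's trace from the image before the user sees it. The pulse widths, pixel levels, noise model and the "GET top_secret.pdf" command are all assumptions made for the simulation.

```python
"""Toy model of the Scangate optical channel (added illustration).

Pulse-width keying, like the Morse analogy in the talk: a short flash is a
0, a long flash is a 1 and an extra-long flash brackets the message. One
encoder drives the attacker's laser (inbound) and the scanner lamp
(outbound); one decoder runs over scan-line brightness in the printer and
over video-frame brightness at the drone. All widths, pixel levels and
noise below are assumptions for the simulation, not measured values.
"""

SHORT, LONG, MARK, GAP = 1, 3, 6, 1   # pulse widths in samples (assumed)
ON, OFF = 1, 0


def encode(data: bytes) -> list:
    """Per-sample on/off schedule: start marker, 8 pulses per byte, end marker."""
    sched = [ON] * MARK + [OFF] * GAP
    for byte in data:
        for i in range(7, -1, -1):
            width = LONG if (byte >> i) & 1 else SHORT
            sched += [ON] * width + [OFF] * GAP
    return sched + [ON] * MARK + [OFF] * GAP


def runs(samples, threshold):
    """Run-length encode a brightness trace into [is_lit, length] pairs."""
    out = []
    for s in samples:
        lit = s > threshold
        if out and out[-1][0] == lit:
            out[-1][1] += 1
        else:
            out.append([lit, 1])
    return out


def decode(samples) -> bytes:
    """Recover bytes from a brightness trace; threshold at mid-range so the
    same code handles a dim lamp seen from 100 m and a saturated laser spot."""
    thr = (min(samples) + max(samples)) / 2
    lit_runs = [n for lit, n in runs(samples, thr) if lit]
    marks = [i for i, n in enumerate(lit_runs) if n >= (LONG + MARK) // 2]
    if len(marks) < 2:
        return b""                       # no complete message in this trace
    bits = [1 if n >= (SHORT + LONG) // 2 else 0
            for n in lit_runs[marks[0] + 1:marks[1]]]
    bits = bits[:len(bits) - len(bits) % 8]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


# --- inbound: laser hits the scanner glass while the user scans a book -----

def simulate_scan(schedule, width=40, margin=4, page=180, spill=255):
    """Constructed scan: one list of 8-bit pixels per scan line. The laser
    spill lands in the left margin columns on the lines where it was on."""
    rows = []
    for i, on in enumerate(schedule):
        jitter = (i * 7) % 5 - 2                 # deterministic sensor noise
        row = [page + jitter] * width
        if on:
            row[:margin] = [spill] * margin
        rows.append(row)
    return rows


def margin_trace(rows, margin=4):
    """What the printer malware samples: mean margin brightness per line."""
    return [sum(r[:margin]) / margin for r in rows]


def scrub(rows, margin=4):
    """Erase the laser from the image before the user sees it: margin pixels
    on lit lines are replaced by those of the nearest unlit line."""
    trace = margin_trace(rows, margin)
    thr = (min(trace) + max(trace)) / 2
    unlit = [i for i, t in enumerate(trace) if t <= thr]
    clean = [r[:] for r in rows]
    for i, t in enumerate(trace):
        if t > thr and unlit:
            j = min(unlit, key=lambda u: abs(u - i))
            clean[i][:margin] = rows[j][:margin]
    return clean


# --- outbound: scanner lamp blinks, drone camera records it ---------------

def frame_trace(schedule, lamp=90, dark=30):
    """Constructed drone video: mean luminance of the scanner window per
    frame, with camera noise and slow drift from the hovering aircraft."""
    return [(lamp if on else dark) + (i % 9) - 4 + i * 0.02
            for i, on in enumerate(schedule)]


if __name__ == "__main__":
    cmd = b"GET top_secret.pdf"                  # assumed command, not from the talk
    rows = simulate_scan(encode(cmd))
    print(decode(margin_trace(rows)))           # malware reads the command
    cleaned = scrub(rows)
    print(max(max(r[:4]) for r in cleaned))     # no laser spill left in the margin
    print(decode(frame_trace(encode(b"ok"))))   # drone recovers the lamp reply
```

Pulse-width keying is chosen because the receiver never knows the exact scan speed or the drone's frame rate; it only has to tell a short run of bright samples from a long one, so the ratio between widths carries the data. The mid-range threshold is what lets one decoder serve both a saturated laser spot on the glass and a faint lamp seen through a camera. A real channel would also need clock recovery and error correction, and the scrubbing step only hides the laser if the malware recognises every lit line, which is why the talk's advice is to keep the scanner off the network rather than to trust such cleanup.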
While these attacks are experimental, Shamir said they demonstrate a "side channel" attack that can be used to compromise data from air-gapped environments. "All-in-one printers can be the most dangerous components of an air-gapped system," he said, warning that anyone who was using an all-in-one printer in an air-gapped environment should "throw it away."