Researchers Describe New Air-Gap Threat
Demonstrate How Smart Phones Could Be Used to Grab DataAir-gapped networks promise data security by disconnecting PCs from the Internet. But malware-infected systems connected to air-gapped networks can be made to broadcast data via FM radio - using a PC's graphics card - to nearby smart phones, researchers warn.
Researchers from the cybersecurity labs at Ben-Gurion University in Israel on Oct. 29 demonstrated new proof-of-concept "AirHopper" malware that can use a PC's monitor to exfiltrate data to a nearby smart phone, without using Wi-Fi or Bluetooth. The researchers are presenting their findings at this week's International Conference on Malicious and Unwanted Software - better known as MALCON - in Fajardo, Puerto Rico.
Air gaps are used in many government and military facilities, including the White House, which recently disclosed a breach of an unclassified, Internet-connected network. But security experts have warned that attackers may target non-secure networks to then launch attacks against air-gapped networks.
"The White House is an obvious espionage target, so I would not at all be surprised to find that state-sponsored hackers were trying to use the soft underbelly of the White House networks to get as close as possible to the data of real interest - after all, the smaller you can make the gap, the easier it is to jump," says University of Surrey computing professor Alan Woodward.Circumventing Precautions
Many organizations that use air-gapped networks take extra precautions, the Ben-Gurion University researchers note. For example, they require everyone to leave their smart phones or other electronic devices in lockers before entering computer rooms.
But the researchers found that these devices might still be used to steal data from air-gapped systems, at a distance of up to about 23 feet, using a combination of two attack techniques. First, the air-gapped computer needs to be infected with malware, which can then be made to broadcast FM-compatible radio signals via the video display adapter. "Given the graphic card standards, it is possible to construct an image pattern that while being sent to the display will generate a carrier wave modulated with a data signal," the researchers say in their related paper.
Second, an attacker would also need to sneak a device with a built-in FM radio receiver to within one to seven meters (about one to eight yards) of the malware-infected system, or else infect the smart phone of someone who will come within range of the infected system. For their demonstration, the researchers used a Samsung Galaxy S3 running the manufacturer's stock 4.1.2 Android distribution. That device includes a built-in FM receiver, and would run software that can intercept the radio transmissions and decode them.
Using this setup, the researchers say they achieved an effective bandwidth of 13 to 60 bytes per second, which would be sufficient to surreptitiously steal small batches of sensitive information, such as usernames and passwords. "This combination of a transmitter with a widely used mobile receiver creates a potential covert channel that is not being monitored by ordinary security instrumentation," the researchers say.
AirHopper Demonstration
Malware Infection Vectors
For getting malware onto the targeted, air-gapped system, the researchers say an attacker would typically use an infected, removable USB storage device, or else find another way to "hop" the malware onto the system. "Eventually, air-gapped computers are connected with others in an internal network which is air-gapped, so the infection can arrive from multiple sources," Dudu Mimran, CTO of Ben-Gurion University's cybersecurity labs, tells Information Security Media Group. Another option, however, would involve installing the malware into the chipset - BIOS - of the system.
Such "supply chain tampering" is reportedly practiced by the U.S. National Security Agency. Reports suggest the agency has the ability to intercept computer-equipment shipments, divert them to a facility where they can be bugged or the BIOS potentially re-flashed with NSA firmware, and then return them for delivery to the intended recipients.
Beyond Smart Phones: Lasers, Drones
This isn't the only research being conducted into stealing data from systems connected to air-gapped networks. In fact, one of the researchers on the project has also been collaborating with two other researchers, including RSA algorithm co-inventor Adi Shamir, on creating a system that can use multifunction printers - and lasers - to steal data from air-gapped networks from up to 1 kilometer away, or about two-thirds of a mile. Shamir, who's a professor of applied mathematics at the Weizmann Institute of Science in Israel, demonstrated that style of attack earlier this month at the annual Black Hat Europe conference in Amsterdam (see Black Hat Keynoter: Beware of Air Gap Risks).
Mimran says he's also aware of research into transmitting data - using frequencies that people can't hear - using air-gapped PCs' speakers. But of the three attack techniques, "our method is the most probable and useful for attackers since it is very hard to detect it," he contends.
Furthermore, mitigating attacks involving malware that leaks data via short-range FM broadcasts is challenging. "Our approach, which is based on radio, is very difficult to detect and thus to prevent," Mimran says. "The problem is the fact such a receiver - as we demonstrated in the smart phone - can come in other smaller forms which can be hard to identify."
Sizing Up the Risk
The Israeli researchers contend that their graphic-card-malware attack could be used to potentially compromise any air-gapped system.
"Of course it is not straightforward since it requires the infection of the computer, as well as the location of the receiver, which needs to be nearby - but still, targeted attacks are never easy," Mimran says. "The people over there [in the White House] should be smart enough to understand how to relate to research like ours," he says, and to devise suitable ways to block such a threat.
Woodward, who's also a cybersecurity adviser to Europol, says the attack method demonstrated by the Ben-Gurion University researchers might well be put into play. "It is feasible and increasingly so," he says. "We have known for decades that electromagnetic radiation from computers can be used for eavesdropping."