Exploiting air gaps allows bad actors to extract information using unexpected methods
Most of us are familiar with the primary methods for moving data into and off of our computers: think Wi-Fi networks, USB ports, and Bluetooth connections. However, there are additional, lesser-known ways in which data can be retrieved from a device. An elite group of cyber researchers from Ben-Gurion University (BGU) in Beersheva, Israel, have made it their mission to figure out more than a dozen different ways that bad actors with lots of time can extract information, even if you think your PC isn’t connected to anything obvious.
Cybercriminals do this using various parts of the electromagnetic spectrum, including light, radio, and sound waves. On top of that, they employ some very clever tricks to steal your data. Granted, these are above and beyond what one would expect — this is precisely why you should familiarize yourself with these attack methods.
We recently wrote about their latest exploit, called Glowworm, which uses a pattern of flickering LED lights on the computer. And last year, we covered this class of problems, called air gaps. In both cases, the signal patterns can be captured with the right tools and without any suspicion that the target computer is being monitored. Of course, your office or home needs to be high-profile enough for someone to go to the trouble of one of these attacks. That being said, you're not necessarily off the hook — there are plenty of situations where someone would bother.
Here is some of the BGU team's research on air gaps, along with a brief description of the methods utilized in each exploit:
LED-it-Go, CTRL-ALT-LED and xLED use the hard disk activity LEDs, keyboard LEDs and router or switch activity LEDs as the signal
USBee forces a USB connector's data bus to give out electromagnetic emissions
Several years back, BGU professor Mordechai Guri gave a presentation at Black Hat in which he mentioned an example of a relatively simple attack: A USB flash drive was left in the parking lot of a US military base in the Middle East. The drive was inserted into a laptop, and the malware on it spread across various networks. The Pentagon took a year to clean the malware from all the infected computers. Guri's presentation contains links to some of the other so-called “air gap jumper” exploits listed above.
In order to avoid these types of attacks, it's important to put a variety of protective measures in place:
Use diskless workstations without any USB ports or other media slots
What's more, there are various endpoint protection programs that can monitor USB activities and create policies to block their use if you can’t eliminate them entirely. Lastly, take a moment to examine your environment: Your risk increases if your computers are near windows or you are connecting to rogue Wi-Fi networks.
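The USB monitoring mentioned above can be illustrated with a small detection script. This is an added example, not code from the article or from any endpoint protection product: it assumes Linux kernel log messages as input, and the log lines, serial numbers and allowlist are constructed for illustration.

```python
import re

# Constructed sample of Linux kernel log lines (not taken from a real system).
SAMPLE_LOG = """\
[ 101.10] usb 1-2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
[ 101.11] usb 1-2: Product: USB Keyboard
[ 230.40] usb 2-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[ 230.41] usb 2-1: SerialNumber: CONSTRUCTED0001
[ 230.45] usb-storage 2-1:1.0: USB Mass Storage device detected
[ 512.02] usb 2-3: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
[ 512.03] usb 2-3: SerialNumber: CONSTRUCTED0002
[ 512.09] usb-storage 2-3:1.0: USB Mass Storage device detected
"""

# Hypothetical allowlist of (vendor id, product id, serial) for approved drives.
APPROVED = {("0781", "5567", "CONSTRUCTED0001")}

NEW_DEV = re.compile(
    r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
SERIAL = re.compile(r"usb (\S+): SerialNumber: (\S+)")
STORAGE = re.compile(r"usb-storage (\S+?):\d+\.\d+: USB Mass Storage device detected")


def unapproved_storage(log_text, approved):
    """Return (port, vid, pid, serial) for each mass-storage attach not on the allowlist."""
    devices = {}  # port -> identity of the device most recently enumerated on that port
    alerts = []
    for line in log_text.splitlines():
        if m := NEW_DEV.search(line):
            devices[m.group(1)] = {"vid": m.group(2), "pid": m.group(3), "serial": None}
        elif m := SERIAL.search(line):
            if m.group(1) in devices:
                devices[m.group(1)]["serial"] = m.group(2)
        elif m := STORAGE.search(line):
            # A storage attach with no enumeration record is still reported (fail closed).
            d = devices.get(m.group(1), {"vid": None, "pid": None, "serial": None})
            key = (d["vid"], d["pid"], d["serial"])
            if key not in approved:
                alerts.append((m.group(1),) + key)
    return alerts


if __name__ == "__main__":
    for alert in unapproved_storage(SAMPLE_LOG, APPROVED):
        print("unapproved USB mass storage:", alert)
```

Only devices that bind the mass-storage driver are checked, so the keyboard in the sample is ignored and the second flash drive is the single alert.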