Exploiting air gaps allows bad actors to extract information using unexpected methods
Most of us are familiar with the primary methods for moving data onto and off our computers: Wi-Fi networks, USB ports, and Bluetooth connections. There are, however, lesser-known ways in which data can be pulled out of a device. A group of researchers at Ben-Gurion University (BGU) in Beersheva, Israel, has made it its mission to find more than a dozen different ways in which a patient, well-resourced attacker can extract information from a computer that isn't connected to any network at all.
These techniques carry data over light, radio, magnetic fields, heat, sound, vibration and even the power line, and they pair those carriers with some very clever tricks. Granted, these are well beyond what most people expect an attacker to try, which is precisely why you should familiarize yourself with them.
We recently wrote about their latest work, Glowworm, which reads data out of the flicker pattern of a device's LED. Last year we covered this whole class of attacks on air-gapped systems. In both cases, the signal can be captured with the right equipment and without the computer's owner suspecting that it is being monitored. Of course, your office or home needs to be a high enough profile target for someone to go to the trouble of one of these attacks. That said, you're not necessarily off the hook: there are plenty of situations where someone would bother.
Here is some of the BGU team's research on air-gap covert channels, with a brief description of the channel each one uses. In every case the air-gapped machine has to be infected first (for example via removable media) and a receiver has to be within range; the covert channel only solves the problem of getting data out, or commands in, afterwards:
- LED-it-Go, CTRL-ALT-LED and xLED use the hard disk activity LEDs, keyboard LEDs and router or switch activity LEDs as the signal
- USBee modulates the electromagnetic emissions of a USB connector's data bus
- Air-Fi uses the memory bus to emit signals in the 2.4 GHz Wi-Fi band, with no Wi-Fi hardware on the sending machine
- AirHopper uses the graphics card to emit FM radio signals that a nearby mobile phone's FM receiver picks up
- Fansmitter steals data from air-gapped PCs using the noise of the CPU and chassis fans
- DiskFiltration uses controlled read/write HDD operations to steal data via the sound of the drive's actuator
- BitWhisper uses patterns of changes in temperature between adjacent machines
- An unnamed attack uses a flatbed scanner as a light receiver to relay commands to malware-infected PCs
- aIR-Jumper uses a security camera's infrared LEDs and sensor
- HVACKer uses the HVAC system to send commands to malware on air-gapped systems
- MAGNETO and ODINI use low-frequency magnetic fields to steal data from Faraday cage-protected systems
- MOSQUITO uses attached speakers and headphones, with headphones repurposed as microphones
- PowerHammer modulates the current the computer draws from the power line
- BRIGHTNESS uses screen brightness variations too small for a user to notice
- AiR-ViBeR uses a computer's fan vibrations, sensed by a nearby phone's accelerometer
- POWER-SUPPLaY turns the power supply into a speaker
- GSMem uses the memory bus to emit signals on cellular frequencies, picked up by a nearby phone
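What all of these channels have in common is the structure below: the malware on the air-gapped machine modulates bits onto some physical carrier, and a receiver nearby samples that carrier, recovers the bit clock and parses a frame. This is an added example, not code from the article or from any of the BGU papers: a simulated on-off-keyed (OOK) channel in which the "carrier" is just a list of sensor readings standing in for an LED, a screen or a fan. The frame layout (preamble, length byte, payload, CRC-8), the sampling rate and the noise model are this example's own choices.

```python
import random
from typing import List, Optional

PREAMBLE = 0b10110010      # starts with a 1 so the first rising edge marks the frame start
SAMPLES_PER_BIT = 4        # how many sensor samples the receiver takes per transmitted bit


def crc8(data: bytes, poly: int = 0x07) -> int:
    """CRC-8 (poly 0x07, init 0) so the receiver can reject a corrupted frame."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def _bits(data: bytes) -> List[int]:
    """Big-endian bit expansion of a byte string."""
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def modulate(payload: bytes, spb: int = SAMPLES_PER_BIT) -> List[float]:
    """Sender side: frame = preamble | length | payload | crc8, sent as OOK.
    A 1 bit holds the carrier (LED on, screen brighter, fan faster) for spb
    samples; a 0 bit releases it.  The frame layout is this example's own choice."""
    if not 0 < len(payload) <= 255:
        raise ValueError("payload must be 1..255 bytes")
    frame = bytes([PREAMBLE, len(payload)]) + payload + bytes([crc8(payload)])
    return [float(bit) for bit in _bits(frame) for _ in range(spb)]


def channel(signal: List[float], idle_before: int = 20, idle_after: int = 20,
            sigma: float = 0.1, seed: int = 1) -> List[float]:
    """Constructed 'capture': idle time around the burst plus Gaussian sensor
    noise, standing in for what a camera or microphone would actually record."""
    rng = random.Random(seed)
    raw = [0.0] * idle_before + list(signal) + [0.0] * idle_after
    return [s + rng.gauss(0.0, sigma) for s in raw]


def demodulate(samples: List[float], spb: int = SAMPLES_PER_BIT) -> bytes:
    """Receiver side: threshold, lock onto the first rising edge, integrate each
    bit period, then parse and verify the frame.  Raises ValueError on a bad frame."""
    thr = (max(samples) + min(samples)) / 2
    start = next((i for i, s in enumerate(samples) if s > thr), None)
    if start is None:
        raise ValueError("no carrier seen")

    def bit(n: int) -> int:
        win = samples[start + n * spb: start + (n + 1) * spb]
        if len(win) < spb:
            raise ValueError("capture ended mid-frame")
        return 1 if sum(win) / spb > thr else 0      # integrate-and-dump decision

    def byte(n: int) -> int:
        return sum(bit(8 * n + i) << (7 - i) for i in range(8))

    if byte(0) != PREAMBLE:
        raise ValueError("no preamble")
    length = byte(1)
    payload = bytes(byte(2 + i) for i in range(length))
    if byte(2 + length) != crc8(payload):
        raise ValueError("crc mismatch")
    return payload


def receive(samples: List[float], spb: int = SAMPLES_PER_BIT) -> Optional[bytes]:
    """Convenience wrapper: the payload, or None if the frame did not verify."""
    try:
        return demodulate(samples, spb)
    except ValueError:
        return None


if __name__ == "__main__":
    captured = channel(modulate(b"secret"))
    print(len(captured), "samples ->", receive(captured))
```

Two things the simulation makes visible that the list of names does not. First, the channel is slow: at four samples per bit, six bytes of payload cost 288 sensor readings, which is why the real attacks report bit rates from a few bits to a few hundred bits per second. Second, the receiver's job is ordinary signal processing (threshold, clock recovery, framing, checksum); the novelty of each BGU paper is in finding a carrier the defender has not thought to control, not in the decoding.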
How to better protect your data
Several years back, BGU researcher Mordechai Guri gave a presentation at Black Hat in which he mentioned an example of a much simpler attack: a USB flash drive was left in the parking lot of a US military base in the Middle East, someone plugged it into a laptop, and the malware on it spread across several networks. The Pentagon took a year to clean the malware from all the infected computers. Guri's presentation contains links to some of the other so-called "air gap jumper" attacks listed above.
To avoid these types of attacks, it's important to put a variety of protective measures in place:
- Use diskless workstations without any USB ports or other media slots
- Keep your phone far away from your computer, since several of the channels above use a nearby phone as the receiver
- Use virtual desktops or secure browser sessions
What's more, there are various endpoint protection programs that can monitor USB activity and enforce policies that block its use if you can't eliminate the ports entirely. Lastly, take a moment to examine your environment: your risk increases if your computers sit near windows, where LEDs and screens are visible from outside, or if you connect to rogue Wi-Fi networks.
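For the "block USB if you can't remove it" advice, here is an added example of what such a policy looks like on a Linux workstation; it is not from the article and not any particular endpoint product's configuration. It assumes a Linux host with udev and kernel module loading via modprobe, and its file names are this example's own. The functions take a root directory so they can be exercised against a scratch tree before being run as root against "/".

```sh
#!/bin/sh
# Added example, not from the article: block USB mass-storage on a Linux
# workstation and audit that the block is in place.  File names are this
# example's own choice; the root argument lets the functions run on a
# scratch directory as well as on "/".
set -u

install_usb_storage_block() {
    root=${1%/}
    mkdir -p "$root/etc/modprobe.d" "$root/etc/udev/rules.d"
    # "install <module> /bin/false" makes modprobe refuse to load the driver
    # even when it is requested explicitly; a plain "blacklist" line only
    # stops autoloading.  uas is the newer mass-storage driver and must be
    # covered too, or a modern flash drive simply binds to it instead.
    cat > "$root/etc/modprobe.d/block-usb-storage.conf" <<'EOF'
install usb-storage /bin/false
install uas /bin/false
EOF
    # Second layer: deauthorize every mass-storage interface (USB class 08)
    # as it is enumerated, so nothing can bind to it even if a driver were
    # already loaded.  Per-interface authorization needs Linux 4.4 or later.
    cat > "$root/etc/udev/rules.d/99-block-usb-storage.rules" <<'EOF'
ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_interface", ATTR{bInterfaceClass}=="08", ATTR{authorized}="0"
EOF
}

# Audit: returns 0 when both layers are present, 1 otherwise.
usb_storage_blocked() {
    root=${1%/}
    grep -qs '^install usb-storage /bin/false' "$root"/etc/modprobe.d/*.conf &&
    grep -qs '^install uas /bin/false' "$root"/etc/modprobe.d/*.conf &&
    grep -qs 'bInterfaceClass}=="08".*authorized}="0"' "$root"/etc/udev/rules.d/*.rules
}

# Usage, as root:
#   install_usb_storage_block /
#   udevadm control --reload-rules
#   rmmod uas usb-storage 2>/dev/null   # drivers already loaded stay loaded until removed
#   usb_storage_blocked / && echo "USB mass storage blocked"
```

Note what this does and does not cover: it stops the machine from mounting removable storage, which addresses the parking-lot flash drive, but a USB device that presents itself as a keyboard or a network adapter is a different class and needs a device whitelist (USBGuard or an endpoint agent) rather than a driver block.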