Air gaps aren’t a foolproof way to keep your computer secure. Learn how to protect your most sensitive information.
One of the things that I miss in these Covid times is the ability to travel regularly to Israel, where my daughter and her family have been living for many years. Often on these visits I would take the opportunity to check in with several security researchers. One such group is a research lab at Ben Gurion University (BGU) in Beer Sheva, with a team that has dedicated itself to trying to compromise various kinds of air gaps.
Air gaps are a funny thing because they give folks a false sense of security. The basic concept is to have two computers: one is connected online, and one isn’t. Information that resides on the latter PC is supposed to be “air gapped” – meaning that it is unreachable because it isn’t connected to anything other than its source of electric power. There are many secure installations that I have visited over the years where I have seen the two computers sitting side-by-side on someone’s desk.
The most infamous air gap situation surrounded the use of the Stuxnet worm. I wrote about its creation for ReadWrite here and weblogged about its implications here. It was specifically designed to get inside the Iranian nuclear facility at Natanz. It contained specialized code to take over the nuclear centrifuges that were running in this plant and deliberately overspin and damage them. It got there by infecting Internet-attached PCs and then copying itself onto any USB thumb drives attached to those infected PCs.
Even though the centrifuges were controlled by air-gapped PCs, Stuxnet’s designers knew that eventually the firmware for the controllers had to be updated, and doing that required the code to be first downloaded to a USB drive from an Internet-connected PC and then carried on that USB drive into the plant's protected area. Obviously, someone went to great lengths to create Stuxnet – which only worked under these limited circumstances and could only cause harm to a particular Siemens centrifuge controller – but it is still an example of how even the best-planned air gaps can have their weaknesses.
If you want to learn more about Stuxnet, you can rent the movie called Zero Days that was written and produced by Alex Gibney. It was released in 2016 and goes into a lot more detail about how the worm came to be created. In the movie, one of the NSA analysts claims that they could always find a way around air gaps, and Stuxnet is a good example of how hard they had to work to do so.
The BGU researchers have come up with more than a dozen different ways to bridge these air gaps by using other ways to transmit data over the air, typically by using light, sound and radio frequencies. The most recent subject of their research was using ordinary light bulbs. The lights would flicker at specific rates, and these flickers could transmit data that could be seen by a telescope-like instrument from outside the lab. Other methods from their past research include using the disk drive activity light, sending information through a sound card, changing the brightness of an LCD monitor, and encoding data in the sounds produced by varying the cooling fan’s speed. ZDNet has documented all these research efforts in this piece.
Now, these lab methods are extreme: they all involve first running some software on the air-gapped computer to set up the information transfer. But if you are a target and the data is valuable enough, it isn’t outside the realm of possibility that this could happen. So don’t just assume that air gaps are secure. I have listed below ways that you can make your computer more secure, but no method is absolute.
Ways to truly isolate your PC
If you want better-than-air-gap security and truly isolate your computers, use one or more of the following methods:
Disable USB ports and other removable-media slots such as CD drives (some IT managers use superglue, others use diskless workstations or set up limits with their endpoint protection software) so that no external media can be attached to your computer to infect it or exfiltrate anything from it.
Install special TEMPEST-style radio frequency shielding to contain any errant RF emissions from your most sensitive computers before they can be monitored.
Keep cellphones physically far away from your PCs. Many of the BGU activities leverage their proximity to facilitate data transfer.
Think about using virtual desktops if you are going to be running a lot of apps across the Internet. This isolates the desktop session.
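The first item above, blocking removable media with software rather than superglue, is what the following added example does on a Windows PC. It is my own illustration, not code from the original post or from the BGU team; it uses the standard USBSTOR service key and the documented "All Removable Storage classes: Deny all access" policy value, and must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): lock down removable media on a
# Windows PC, the software counterpart to the superglue approach above.
# Run from an elevated PowerShell prompt; a reboot finalises the driver change.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Get-RemovableMediaPolicy {
    # Report the current state so the change can be audited before and after.
    [pscustomobject]@{
        UsbStorStart = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction SilentlyContinue).Start
        DenyAll      = (Get-ItemProperty -Path $PolicyKey -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
    }
}

function Disable-RemovableMedia {
    # Start=4 marks the USB mass-storage driver as disabled, so thumb drives
    # never get a drive letter; Start=3 (load on demand) is the Windows default.
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord

    # Deny_All=1 applies the "All Removable Storage classes: Deny all access"
    # policy, which also covers CD/DVD, floppy and other removable classes.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name Deny_All -Value 1 -Type DWord
}

function Test-RemovableMediaLocked {
    # Returns $true only when both controls are in place.
    $state = Get-RemovableMediaPolicy
    return ($state.UsbStorStart -eq 4 -and $state.DenyAll -eq 1)
}

Write-Host 'Before:'; Get-RemovableMediaPolicy | Format-List
Disable-RemovableMedia
Write-Host 'After:';  Get-RemovableMediaPolicy | Format-List
if (Test-RemovableMediaLocked) {
    Write-Host 'Removable media blocked (reboot so USBSTOR is unloaded).'
}
```

Endpoint protection suites that advertise device control typically set these same values centrally; running Get-RemovableMediaPolicy on a sample of machines is a quick way to confirm the policy actually landed.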