Air-gapped computer: A superhero in disguise
By Mohammed Oosman - April 29, 2018
A superhero in disguise
So, we all know how powerful computers have become. They are a daily necessity in today's fast-evolving, competitive, techno-maniac era. But did you know that there are superheroes in the world of technology who hide their identity from the rest of the world? Yes, it sounds somewhat crazy, but it is a fact: there are superheroes in the world of computers, and they are called "THE AIR-GAPPED COMPUTERS".
Before you get too excited, let me tell you that these superheroes, unlike our fictional ones, cannot always protect what they guard. Yes, just like most of the devices around us, even these machines are susceptible to our famous villains, "THE HACKERS".
So, before we look at how that is possible, let us first try to understand our superhero, the air-gapped computer.
What are air-gapped computers?
Air-gapped computers are systems that are physically isolated from the internet and from any other network or computer that is connected to it: no wired link, no Wi-Fi, no Bluetooth. Data is meant to cross the gap only when someone physically carries it across on removable media.
Where are air-gapped computers used?
These superheroes are mainly deployed where confidential data needs an additional layer of security: military networks, nuclear power plants, payment networks that process credit and debit card transactions for retailers, and the industrial control systems that operate critical infrastructure. To maintain security, payment and industrial control systems should live only on internal networks that are not connected to the company's business network, so that an intruder who gets into the corporate network from the internet cannot work their way to the sensitive systems.
Attacks on air-gapped computers:
A group of security researchers from Israel's Ben-Gurion University of the Negev is very interested in these air-gapped computers and keeps finding new ways to extract data from these tightly secured machines.
Three of the attacks they published recently are described below.
We all know how popular cryptocurrencies are becoming among the techno-society day by day. This attack focuses directly on stealing the private keys of a cryptocurrency wallet. To understand it clearly, let's first look at two terms.
Cold storage: a device that is kept entirely offline and is used to store the private keys of a cryptocurrency wallet. In our attack scenario, the cold storage is our very own air-gapped computer.
Hot storage: a device that is connected to the internet and to the cryptocurrency network in order to complete transactions.
To carry out the attack, the attacker first has to infect the air-gapped computer with malware that can get hold of the private keys. According to the researchers, this can happen in two ways:
Although air-gapped wallets are kept offline, there are occasions when external media is inserted into the air-gapped host: a USB flash drive, an optical disk (CD/DVD) or a memory card (SD card). The most common reason is signing and broadcasting transactions: the unsigned transaction is carried to the offline wallet, signed there, and the signed transaction is carried back to an online machine to be broadcast, usually on a USB flash drive. Every such transfer between the online and offline wallets is an opportunity for an attacker to infiltrate the air-gapped wallet and infect it with malware.
The air-gapped computer might be compromised even before the wallet is installed, via an infected operating system (OS) image or a compromised image of the wallet software.
Once the air-gapped system is infected, the malware can read the private keys of the cryptocurrency wallet. Since the host is offline, the keys then still have to be carried out, either on the same removable media or over a covert channel such as the ones described next.
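The removable-media path above is the one an operator can actually put a gate on. As an added example (not part of the original article and not the researchers' code), here is a Python screening step that runs over a mounted piece of media before anything on it is opened on the offline wallet host: it rejects symlinks, directories, autorun files, anything with an executable file signature, and any transaction file that does not fit the expected shape. The `<id>.tx.json` naming pattern, the allowed JSON keys and the size limit are hypothetical conventions for an imaginary signing workflow, and the sample media contents are constructed for the demo.

```python
"""Screening removable media before it is used on an offline wallet host.
Added example; the name pattern, allowed keys and size limit are hypothetical."""
import json
import re
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Optional

MAX_TX_BYTES = 64 * 1024                          # an unsigned transaction is small
TX_NAME = re.compile(r"^[a-z0-9-]+\.tx\.json$")   # hypothetical: only <id>.tx.json may cross
ALLOWED_TX_KEYS = {"version", "inputs", "outputs", "locktime"}   # hypothetical schema
# File signatures that should never be carried into the offline host:
# PE (MZ), ELF, shebang scripts, Mach-O fat and 64-bit little-endian binaries.
EXEC_MAGIC = (b"MZ", b"\x7fELF", b"#!", b"\xca\xfe\xba\xbe", b"\xcf\xfa\xed\xfe")


def classify(path: Path) -> Optional[str]:
    """Return a rejection reason for one top-level entry, or None if it may cross."""
    if path.is_symlink():
        return "symlink"
    if path.is_dir():
        return "unexpected directory"             # the workflow only ever moves flat files
    name = path.name
    if name.lower() == "autorun.inf":
        return "autorun file"
    with path.open("rb") as fh:
        head = fh.read(8)
    if any(head.startswith(m) for m in EXEC_MAGIC):
        return "executable content (magic bytes)"
    if not TX_NAME.match(name):
        return "name does not match the <id>.tx.json pattern"
    if path.stat().st_size > MAX_TX_BYTES:
        return "oversized transaction file"
    try:
        tx = json.loads(path.read_text(encoding="utf-8"))
    except (ValueError, UnicodeDecodeError):
        return "not valid JSON"
    if not isinstance(tx, dict):
        return "transaction is not a JSON object"
    extra = sorted(set(tx) - ALLOWED_TX_KEYS)
    if extra:
        return "unexpected keys: " + ", ".join(extra)
    return None


def inspect_media(root: str) -> Dict[str, str]:
    """Map each rejected entry name to its reason; an empty dict means the media is clean."""
    findings = {}
    for entry in Path(root).iterdir():
        reason = classify(entry)
        if reason is not None:
            findings[entry.name] = reason
    return findings


def build_sample_media(root: str) -> None:
    """Constructed media contents for the demo: one acceptable file and four bad ones."""
    good = {"version": 1, "inputs": [{"txid": "ab" * 32, "vout": 0}],
            "outputs": [{"address": "example", "value": 50000}], "locktime": 0}
    Path(root, "payment-0042.tx.json").write_text(json.dumps(good))
    Path(root, "sweep.tx.json").write_text(json.dumps({**good, "script": "rm -rf /"}))
    Path(root, "wallet-update.exe").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)
    Path(root, "autorun.inf").write_text("[autorun]\nopen=wallet-update.exe\n")
    Path(root, "notes.txt").write_text("remember to sign by Friday\n")


def run_demo() -> Dict[str, str]:
    """Build the constructed media in a temp directory, screen it, clean up."""
    root = tempfile.mkdtemp(prefix="airgap-media-")
    try:
        build_sample_media(root)
        return inspect_media(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, why in sorted(run_demo().items()):
        print(f"REJECT {name}: {why}")
```

The check deliberately decides on content (magic bytes, parsed JSON) rather than on file extension alone, because a renamed binary is the cheapest trick on this path. It does nothing for the second infection vector, a compromised OS or wallet image; that has to be caught before the image is carried across, by verifying the vendor's hash or signature on a trusted machine.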
This attack is clearly shown in this video link:
Have you ever imagined someone stealing data through the power cables? Security researchers have found a way to do exactly that. Dubbed PowerHammer, it is malware of the kind the researchers call "bridgeware" that uses the power lines to exfiltrate data from air-gapped computers.
The attack comprises four phases:
In the first phase, infection, the air-gapped system is infected with the malware using the methods discussed earlier. The malware's job is to collect data from the air-gapped computer and later transmit it to the attacker's device.
In the second phase, the attacker installs the receiver: a non-invasive probe connected to a small computer for signal processing. The probe is attached to the power line feeding the computer or to the main electric panel (shown in the figure below). It measures the current in the power line, processes the modulated signal, decodes the data and sends it to the attacker (e.g., over a Wi-Fi transceiver). This is the step that needs physical access near the target: the probe has to be clamped onto wiring that actually carries the target machine's current.
Image: Implementation of the Receiver
In the third phase, the malware collects the data that will be transmitted to the attacker's device. The data may be any confidential detail such as encryption keys, credential tokens and passwords.
In the last phase, exfiltration, the malware starts the data leak by encoding the data and transmitting it as signals injected into the power lines. The signals are generated by changing the workload on the CPU cores: a busy CPU draws more current than an idle one, so switching the load on and off at a chosen rate modulates the current on the line. The transmissions may take place at predefined times or in response to some trigger infiltrated by the attacker. The signal is received by the power line probe and delivered to the attacker (e.g., via Wi-Fi).
This attack focuses on how two (or more) air-gapped computers in the same room, equipped with passive speakers, headphones or earphones, can covertly exchange data via ultrasonic waves, which people in the room cannot hear.
Like the other scenarios above, this one requires that both air-gapped computers already have the malware installed. It can be introduced through USB devices, during the installation of some software, through social engineering, or by the methods described earlier.
Image: Methods used to transmit data through ultrasonic waves between 2 air-gapped computers
In this attack, the researchers found that data between two air-gapped computers can be transmitted through ultrasonic waves using any of the methods shown in the figure. The point worth noting is that the receiving side does not need a microphone: headphones and passive speakers are transducers that can pick up sound as well as produce it.
The researchers have also released a proof-of-concept video which demonstrates two air-gapped computers communicating with each other using ultrasonic waves.
Video Link is here
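Both covert channels above (the PowerHammer power-line channel and the ultrasonic speaker channel) come down to the same engineering: the malware modulates some physical quantity it controls (CPU load, hence current draw, or the speaker's output) at one of two frequencies per bit, and the receiver measures the energy at each frequency and picks the larger. The following Python block, added here and not taken from the article or from the researchers' code, implements a binary FSK transmitter and receiver once and runs it over two constructed, simulated channels: a power-line channel where the transmitted "signal" is the CPU-load schedule and the receiver samples the line current, and an ultrasonic channel where the signal is the speaker waveform. Sample rates, bit periods, tone frequencies, gains and noise levels are illustrative assumptions, not the papers' measured figures.

```python
"""Binary FSK modem over two simulated air-gap covert channels.
Added example; every channel parameter below is an illustrative assumption."""
import math
import random
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    name: str
    sample_rate: float   # samples per second as seen by the receiver
    bit_period: float    # seconds per bit
    f0: float            # toggle/tone frequency carrying a 0 bit
    f1: float            # toggle/tone frequency carrying a 1 bit
    square: bool         # True: on/off CPU-load waveform; False: sine tone

    @property
    def samples_per_bit(self) -> int:
        return round(self.sample_rate * self.bit_period)


# Assumed parameters, chosen so each bit window holds a whole number of cycles
# of f0 and f1 (exact Goertzel bins). Not the papers' measured rates.
POWER_LINE = Channel("power line / CPU load", 1000.0, 0.1, 40.0, 80.0, square=True)
ULTRASONIC = Channel("ultrasonic / speaker", 44100.0, 0.01, 18000.0, 20000.0, square=False)
PREAMBLE = "10101010"   # lets the receiver confirm it is locked onto a real transmission


def to_bits(data: bytes) -> str:
    return "".join(f"{b:08b}" for b in data)


def from_bits(bits: str) -> bytes:
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def modulate(data: bytes, ch: Channel) -> list:
    """Transmitter. Square channel: a CPU-load schedule (1.0 busy, 0.0 idle)
    toggled at f0/f1. Sine channel: the speaker waveform in [-1, 1]."""
    out, n = [], ch.samples_per_bit
    for bit in PREAMBLE + to_bits(data):
        f = ch.f1 if bit == "1" else ch.f0
        for i in range(n):
            s = math.sin(2 * math.pi * f * i / ch.sample_rate)
            out.append((1.0 if s >= 0 else 0.0) if ch.square else s)
    return out


def drive_cpu_load(schedule: list, ch: Channel) -> None:
    """What the transmitting malware does on the power-line channel: busy-spin
    during 'on' slots, sleep during 'off' slots. Not called by the demo."""
    dt = 1.0 / ch.sample_rate
    for level in schedule:
        deadline = time.perf_counter() + dt
        if level >= 0.5:
            while time.perf_counter() < deadline:
                pass
        else:
            time.sleep(dt)


def simulate_channel(signal: list, ch: Channel, noise: float = 0.3, seed: int = 1) -> list:
    """Constructed physical channel: what the current clamp or the headphone
    'microphone' samples. Baseline + attenuated signal + Gaussian noise."""
    rng = random.Random(seed)
    gain = 0.05 if ch.square else 0.2       # busy-vs-idle current step, or acoustic attenuation
    baseline = 0.8 if ch.square else 0.0    # idle current draw of the machine (arbitrary units)
    return [baseline + gain * s + rng.gauss(0.0, noise * gain) for s in signal]


def goertzel_power(samples: list, sample_rate: float, freq: float) -> float:
    """Energy in one frequency bin over a window (cheaper than a full FFT)."""
    n = len(samples)
    k = round(n * freq / sample_rate)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def demodulate(samples: list, ch: Channel) -> bytes:
    """Receiver. Assumes sampling started on a bit boundary; a real receiver
    would also hunt for the preamble at sample resolution."""
    n = ch.samples_per_bit
    mean = sum(samples) / len(samples)      # drop the DC baseline (idle current)
    centred = [x - mean for x in samples]
    bits = ""
    for i in range(0, len(centred) - n + 1, n):
        win = centred[i:i + n]
        p0 = goertzel_power(win, ch.sample_rate, ch.f0)
        p1 = goertzel_power(win, ch.sample_rate, ch.f1)
        bits += "1" if p1 > p0 else "0"
    if bits.find(PREAMBLE) != 0:
        raise ValueError("preamble not found where expected")
    return from_bits(bits[len(PREAMBLE):])


def round_trip(data: bytes, ch: Channel) -> bytes:
    return demodulate(simulate_channel(modulate(data, ch), ch), ch)


if __name__ == "__main__":
    for ch in (POWER_LINE, ULTRASONIC):
        print(ch.name, "->", round_trip(b"wallet-key", ch))
```

The two channels share the modem and differ only in what carries the bits, which is the real lesson for defenders: the receiver side is just a frequency-energy comparison, so anything the malware can toggle at a steady rate is a candidate carrier. On the detection side, the same Goertzel measurement run by the defender over a host's own CPU-usage or current telemetry would show exactly the kind of narrow, persistent tones that normal workloads do not produce.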
Keeping the above attacks in mind, we can see how systems that are kept strictly separate from everything connected to the internet can still be made to leak information into the wrong hands. Air-gapped computers are not ordinary systems; they hold sensitive and highly confidential information, as discussed earlier in this article, so a leak from one of them can cause serious harm, up to the nuclear power stations and other critical infrastructure that rely on them. The practical lesson is that the air gap alone is not a complete defense: each attack above still needed a way in (removable media, a compromised OS or software image) and a way out (a probe on the power line, a second infected machine within earshot), and those are exactly the points where media control, software supply-chain verification and physical security have to hold. No device is completely safe, but these attacks also show precisely where the remaining exposure lies.