Air-gapped Computers Research Articles

Bit Sufi-Dance: Covert Data Exfiltration from Air-Gapped Networks via Electricity Meter

To protect important data and files, people often use air gap isolation, also known as air gap separation, to block external threats. However, internal networks may still introduce pollution due to supply chain contamination, human error, or social engineering. Although internal devices cannot directly communicate with the outside world. This paper proposes a new technology called Bit Sufi-Dance that utilizes electricity meters and optical devices to detect exfiltrated data. Most electricity meters have power indicator mechanical turntables or LED lights which can be indirectly controlled by the device’s power consumption oscillation. This allows for information encoding and the extraction of data from the air-gapped computer. It is important to note that this exfiltration channel does not require any hardware or firmware modifications and cannot be detected by existing Data Leakage Prevention (DLP) systems. The article discusses its design and implementation issues while evaluating it using different types of electricity meters. Our experiment demonstrates that data can be exfiltrated from the air-gap isolated computer through an electricity meter at a bit rate of 101 b/h. Finally, we assess this security threat and discuss defense mechanisms and preventive measures.

Analysis on Hacking the Secured Air-Gapped Computer and Possible Solution

Abstract The world today runs on data, every minuscule task to the large one requires data. All the data is stored in the various technologies that we use. And to keep data safe, air gaps are introduced. Air gaps are a network security measure where secure computer networks are physically isolated from unsecured networks. Yet, different methods to hack the air gap have come forth. The paper analyzes the problem of hacking an air gap via screen brightness modulations. The proposed solution is a software program used to alert the user of a change in the brightness level of the screen. The concept of Windows Management Instrumentation (WMI) has been used to put forth the software. Applied to an air-gapped computer, the program displays an alert box immediately, as the screen brightness changes. The solution is an easy and efficient way to counter the attack. The program can be further implemented in different testing environments and the WMI concept can be applied to various other cyber hacks.

Air-gapped networks: the myth and the reality

On the face of it, air-gapped computer systems seem to offer airtight protection from a cyber security standpoint. After all, being physically isolated from unsecured networks like the public Internet and local area networks should mean that a computer network is wholly inaccessible to remote threat actors. But are they as secure as most people think?

AIR-FI: Leaking Data from Air-Gapped Computers Using Wi-Fi Frequencies

This paper presents a new attack allowing attackers to exfiltrate data from isolated, air-gapped computers via Wi-Fi frequencies. We show that malware in a compromised air-gapped computer can generate signals in the Wi-Fi frequency bands. The signals are generated through the memory buses - no special hardware is required. Sensitive data can be modulated and secretly exfiltrated on top of the signals. We show that nearby Wi-Fi-capable devices (e.g., smartphones, laptops, and IoT devices) can intercept these signals, decode them, and send them to the attacker over the Internet. We utilized the physical layer information exposed by the Wi-Fi chips to extract the signals. We further implemented the transmitter and receiver and discussed design considerations and implementation details. We evaluated this covert channel in terms of bandwidth and distance and presented a set of countermeasures. Our evaluation shows that data can be exfiltrated from air-gapped computers to nearby Wi-Fi receivers located meters away at bit rates of 16 b/sec.

Exfiltrating data from air-gapped computers via ViBrAtIoNs

Air-gap covert channels are special types of covert communication channels that enable attackers to exfiltrate data from isolated, network-less computers. Various types of air-gap covert channels have been demonstrated over the years, including electromagnetic, magnetic, acoustic, optical, and thermal.In this paper, we introduce a new type of vibrational (seismic) covert channel. We observe that computers vibrate at a frequency correlated to the rotation speed of their internal fans. These inaudible vibrations affect the entire structure on which the computer is placed. Our method is based on malware’s capability of controlling the vibrations generated by a computer, by regulating its internal fan speeds. We show that the malware-generated covert vibrations can be sensed by nearby smartphones via the integrated, sensitive accelerometers. Notably, the accelerometer sensors in smartphones can be accessed by any app without requiring the user permissions, which make this attack highly evasive. We implemented AiR-ViBeR, malware that encodes binary information, and modulate it over a low frequency vibrational carrier. The data is then decoded by malicious application on a smartphone placed on the same surface of the air-gapped computer (e.g., on a desk). We discuss the attack model, provide technical background, and present the implementation details and evaluation results. Our results show that using AiR-ViBeR, data can be exfiltrated from air-gapped computer to a nearby smartphone on the same table, or even an adjacent table, via vibrations. Finally, we propose a set of countermeasures for this new type of attack.

MAGNETO: Covert channel between air-gapped systems and nearby smartphones via CPU-generated magnetic fields

This papers shows that attackers can leak data from isolated, air-gapped computers to nearby smartphones via covert magnetic signals. The proposed covert channel works even if a smartphone is kept inside a Faraday shielding case, which aims to block any type of inbound and outbound wireless communication (Wi-Fi, cellular, Bluetooth, etc.). Malware is implemented to control the magnetic fields emanating from the computer by regulating workloads on the CPU cores. Sensitive data such as encryption keys, passwords, or keylogging data is encoded and transmitted over the magnetic signals. A smartphone located near the computer receives the covert signals with its magnetic sensor. I present technical background, discuss signal generation, data encoding, and signal reception. The proposed covert channel works from a user-level process, without requiring special privileges, and can successfully operate from within an isolated virtual machine (VM).

A novel method for detecting disk filtration attacks via the various machine learning algorithms

Disk Filtration (DF) Malware can attack air-gapped computers. However, none of the existing technique can detect DF attacks. To address this problem, a method for detecting the DF attacks based on the fourteen Machine Learning (ML) algorithms is proposed in this paper. First, we collect a number of data about Power Spectral Density (PSD) and frequency of the sound wave from the Hard Disk Drive (HDD). Second, the corresponding machine learning models are trained respectively using the collected data. Third, the trained ML models are employed to detect whether a DF attack occurs or not respectively, if given pair of values of PSD and frequency are input. The experimental results show that the max accuracy of detection is greater than or equal to 99.4%.

Speaker-to-speaker covert ultrasonic communication

In this paper we show how two or more air-gapped computers in the same room, equipped with passive speakers, headphones, or earphones can covertly exchange data via ultrasonic waves. Microphones are not required. Our method is based on the capability of a malware to exploit a specific audio chip feature in order to reverse the connected speakers from output devices into input devices - unobtrusively rendering them microphones. We discuss the attack model and provide technical background and implementation details. We show that although the reversed speakers/headphones/earphones were not originally designed to perform as microphones, they still respond well to the near-ultrasonic range (18 kHz to 24 kHz). We evaluate the communication channel with different equipment, and at various distances and transmission speeds, and also discuss some practical considerations. Our results show that the speaker-to-speaker communication can be used to covertly transmit data between two air-gapped computers positioned a maximum of 9 m away from one another. Moreover, we show that two (microphone-less) headphones can exchange data from a distance of 3 m apart. This enables ‘headphones-to-headphones’ covert communication, which is discussed for the first time in this paper.

Fansmitter: Acoustic data exfiltration from air-Gapped computers via fans noise

Computers that contain sensitive information are often maintained in air-gapped isolation. In this defensive measure, a computer is disconnected from the Internet - logically and physically - preventing accidental or intentional leakage of sensitive information outward. In recent years it has been shown that malware can leak data over an air-gap by transmitting sonic and ultrasonic signals from a computer speaker. In order to eliminate such acoustic covert channels, current best practice recommends the elimination of speakers in secured computers, thereby creating a so-called ‘audio-gapped’ system.In this paper, we present ‘Fansmitter,’ a malware that can acoustically exfiltrate data from air-gapped computers, even when audio hardware and speakers are not present. Our method utilizes the noise emitted from the CPU, GPU, and chassis fans. We show that a software can regulate the internal fans’ rotation speed in order to control their acoustic signal, known as blade pass frequency (BPF). Binary data can be modulated and transmitted over these audio signals to a remote microphone (e.g., a nearby smartphone). We present design considerations, including acoustic waveform analysis, data modulation and demodulation, and data transmission and reception. We evaluate the acoustic covert channel with various fans at different distances and present the results. We also discuss issues such as stealth, interference, and countermeasures. Using our method we successfully transmitted data from audio-less, air-gapped computers, to a mobile phone in the same room. We demonstrated an effective transmission at distances of 1–8 m, with a maximum bit rate of 60 bit/min per fan.

PowerHammer: Exfiltrating Data From Air-Gapped Computers Through Power Lines

In this article, we provide an implementation, evaluation, and analysis of PowerHammer - an attack that uses power lines to exfiltrate data from air-gapped computers. A malicious code running on a compromised computer intentionally controls the utilization of the CPU cores. The CPU utilization is electromagnetically conducted and propagated through the power lines in the form of a parasitic signal that is modulated, encoded, and transmitted on top of the current flow fluctuations. This electromagnetic phenomenon is known as ‘ conducted emission ’. In this attack, the attacker taps the indoor electrical power wiring that is connected to the electrical outlet of the compromised computer. The conducted electromagnetic emission of the compromised computer is analyzed and the exfiltrated data is decoded. The proposed attack is then experimentally evaluated and characterized. The communication performance is discussed and a set of defensive countermeasures is presented. A crucial aspect of the proposed covert communication scheme is that it fully conforms to civilian and military conductive emission standards.

ODINI: Escaping Sensitive Data From Faraday-Caged, Air-Gapped Computers via Magnetic Fields

Air-gapped computers are devices that are kept isolated from the Internet, because they store and process sensitive information. When highly sensitive data is involved, an air-gapped computer might also be kept secluded in a Faraday cage. The Faraday cage prevents the leakage of electromagnetic signals emanating from various computer parts, which may be picked up remotely by an eavesdropping adversary. The air-gap separation, coupled with the Faraday shield, provides a high level of isolation, preventing the potential leakage of sensitive data from the system. In this paper, we show how attackers can bypass Faraday cages and air-gaps in order to leak data from highly secure computers. Our method is based on exploitation of the magnetic field generated by the computer's CPU. Unlike electromagnetic radiation (EMR), low frequency magnetic fields propagate through the air, penetrating metal shielding such as Faraday cages (e.g., a compass still works inside a Faraday cage). Since the CPU is an essential part of any computer, the magnetic covert channel is relevant to virtually any device with a CPU: desktop PCs, servers, laptops, embedded systems, and Internet of Things (IoT) devices. We introduce a malware codenamed `ODINI' that can control the low frequency magnetic fields emitted from the infected computer by regulating the load of the CPU cores. Arbitrary data can be modulated and transmitted on top of the magnetic emission and received by a magnetic `bug' located nearby. We implement a malware prototype and discuss the design considerations along with the implementation details. We also show that the malicious code does not require special privileges (e.g., root) and can successfully operate from within isolated virtual machines (VMs) as well. Finally, we propose different types of defensive countermeasures such as signal detection and signal jamming to cope with this type of threat (demonstration video: https://www.youtube.com/watch?v=h07iXD-aSCA).

Optical air-gap exfiltration attack via invisible images

In this paper, we evaluate an optical covert channel in which sensitive information (textual or binary) is exfiltrated from air-gapped computers through the LCD screen. Our experiments show that low contrast and fast blinking images which are invisible to human subjects, can be recovered from photos taken by a local camera. Consequentially, we show that malware on a compromised computer can obtain sensitive data (e.g., files, images, encryption keys, passwords), and project it onto a computer LCD screen, invisible and unbeknownst to users. An attacker can reconstruct the hidden data using a photo taken by a local camera. In order to demonstrate the feasibility of this type of attack and evaluate the channel's stealth, we conducted a battery of tests with 40 users. We also examined the channel’s boundaries under various parameters, with different types of encoded objects, at several distances, and using several kinds of cameras.

Air Gap Penetration

The issue of data security is very paramount for any organization now a day So through this project we will show how an attacker can steal data from the air �gapped channels and also provide some measures in order to protect data from such type of attacks. Now a day attackers can leak data from isolated, air-gapped computers to nearby smart phones via covert magnetic signals. Attacks have been demonstrated on eavesdropping computer displays by utilizing these emissions as a side-channel vector. The accuracy of producing a screen pic depends on the emission sampling rate and bandwidth of the attackers signal hardware. The cost of radio frequency hardware increased with supported frequency range and bandwidth. A number of affordable software defined radio equipment solutions are currently available satisfying a number of radio-focused attacks at a proper price point. This work investigates that the accuracy influencing factors, other than the sample rate and bandwidth, which are noise removal, image blending, and image quality adjustments, that affect the perfection of monitor image reconstruction through electromagnetic side-channel attacks.

Powermitter: Data exfiltration from air-gapped computer through switching power supply

Air-gapped computers are isolated both logically and physically from all kinds of existing common communication channel, such as USB ports, wireless and wired networks. Although the feasibility of infiltrating an air-gapped computer has been proved in recent years, data exfiltration from such systems is still considered to be a challenging task. In this paper we present Powermitter, a novel approach that can exfiltrate data through an air-gapped computer via its power adapter. Our method utilizes the switched-mode power supply, which exists in all of the laptops, desktop computers and servers nowadays. We demonstrate that a malware can indirectly control the electromagnetic emission frequency of the power supply by leveraging the CPU utilization. Furthermore, we show that the emitted signals can be received and demodulated by a dedicated device. We present the proof of concept design of the power covert channel and implement a prototype of Powermitter consisting of a transmitter and a receiver. The transmitter leaks out data by using a variant binary frequency shift keying modulation, and the emitted signal can be captured and decoded by software based virtual oscilloscope through such covert channel. We tested Powermitter on three different computers. The experiment results show the feasibility of this power covert channel. We show that our method can also be used to leak data from different types of embedded systems which use switching power supply.

Data Exfiltration from Air-Gapped Computers based on ARM CPU

Air-gapped Network is a network isolated from public networks. Several techniques of data exfiltration from air-gapped networks have been recently proposed. Air-gap malware is a malware that breaks the isolation of an air-gapped computer using air-gap covert channels, which extract information from air-gapped computers running on air-gap networks. Guri et al. presented an air-gap malware “GSMem”, which can exfiltrate data from air-gapped computers over GSM frequencies, 850 MHz to 900MHz. GSMem makes it possible to send data using the radio waves leaked out from the system bus between CPU and RAM. It generates binary amplitude shift keying (B-ASK) modulated waves with x86 SIMD instruction. In order to efficiently emit electromagnetic waves from the system-bus, it is necessary to access the RAM without being affected by the CPU caches. GSMem adopts an instruction that writes data without accessing CPU cache in Intel CPU. This paper proposes an air-gap covert channel for computers based on ARM CPU, which includes a software algorithm that can effectively cause cache misses. It is also a technique to use NEON instructions and transmit B-ASK modulated data by radio waves radiated from ARM based computer (e.g. Raspberry Pi 3). The experiment shows that the proposed program sends binary data using radio waves (about 1000kHz ~ 1700kHz) leaked out from system-bus between ARM CPU and RAM. The program can also run on Android machines based on ARM CPU (e.g. ASUS Zenpad 3S 10 and OnePlus 3).

Hacking Heats Up.

The article reports that a team of doctoral students developed a method by which information can be obtained from an air-gapped computer (AGC) using signals encoded into the heat given off by its processors. It states AGC is a security method by which secure computers are disconnected from the Internet and other computer networks. It mentions the researchers were able to develop malware that could infect an Internet-connected machine, while a USB drive would be required to infect the AGC.