Air-gapped PCs compromised with mobile malware

Researchers in Israel say that it is possible to use a mobile phone loaded with malware to pilfer data stored on air-gapped computers.

New security concerns on air-gapped laptops, smartphones

Air-gapping has often been used for protecting classified documents in the military, at nuclear power stations and at critical infrastructure like water plants and gas stations. Most famously, The Guardian journalist Glenn Greenwald revealed in his autobiography how he used an air-gapped PC when flying to Hong Kong to peruse the leaked NSA documents sent by former contractor Edward Snowden.

Air-gapped systems are physically isolated from insecure networks and have no access to local area networks (LANs) or the public Internet. However, the security of such systems has been called into question after Professor Yuval Elovici, head of the BGU Cyber Security Lab at Ben-Gurion University, detailed (via the Times of Israel) how air-gapped networks can be compromised using the electrical impulses emitted by the targeted device and a nearby mobile phone loaded with malware.

In a meeting with Israeli president Shimon Peres earlier this month, Elovici demonstrated how a mobile phone can be used to pilfer data from air-gapped PCs. The attack is only possible if the phone is within six metres of the target, and it relies on the phone picking up the electromagnetic waves that hardware components, such as video monitors and video cards, emit.

In a move that looks similar to SMS phishing, hackers could send the unsuspecting user a text message that looks legitimate, but which actually directs them to install malware on their phone.

Once installed, this malware, which Snowden claims is the result of collaboration between the US and Israeli governments, will scan for the electromagnetic waves “which can be manipulated to build a network connection using FM frequencies to install a virus onto a computer or server.” The phone then connects to the system over the FM frequency, siphons the information out of the server and uses the phone's own network connection to transmit the stolen data back to the hackers.

Elovici said that a similar technique was used in the Stuxnet attack on Iran's nuclear programme three years ago, where an infected USB flash drive is believed to have been used to damage the country's nuclear centrifuges, while Snowden's leaks on the NSA TEMPEST programme shed light on how government agencies can sniff data leaked as electromagnetic emissions. Such data can include unintentional radio and electrical signals, sound and vibrations from hardware, including video monitors, keyboards, memory chips and network cards.

However, this latest attack method goes beyond Stuxnet as it does not require physical access to the system, instead relying on the electromagnetic frequencies from the air-gapped machine and the mobile phone. Elovici demonstrated how this is done with computer video cards and monitors.

The researcher says that users should turn their phone off, although he admits that this is not the most practical solution.

Jon Butler, chief security researcher for MWR InfoSecurity, told SCMagazineUK.com that this type of attack brings back memories of the NSA's TEMPEST programme and Stuxnet, but disputed whether it would be possible to build a network using FM frequencies.

“Whilst it would be possible to build such a network, it would require some software on the target machine to be able to respond to any requests that were sent over this network,” he said.

“A far more likely scenario is that a mobile phone's FM transmitter can be used to pick up frequencies leaked from the monitors of air-gapped machines. Reconstructing this into useful data is likely to be as difficult as doing so for TEMPEST, and as such should require the same protections. These forms of data leakage are extremely difficult to carry out, and therefore need only be considered against an extremely capable and determined attacker or for extremely high-value targets.”

Massimo Cotrozzi, assistant director for EY's fraud investigation & dispute services, added: “This is not a new threat and the fact that a computer is detached doesn't make it less vulnerable if there is a way to move data from it to another computer.

“However it does highlight the evolving nature of the cyber security threat and the importance for business to ensure their cyber intelligence programmes are able to continually monitor unauthorised software within highly sensitive systems. The ultimate challenge is to ensure IT security programmes are able to adapt and evolve to detect those future unknown threats.”