Researchers at Ben Gurion University of the Negev in Beersheba, Israel have discovered a new attack in which data, including passwords and encryption keys, could be stolen from a computer isolated from the web by using an old phone, malware, a GSM network and electromagnetic waves.
The research is being led by Moradechai Guri, who is being helped by Gabi Kedma, Yisroel Mirsky, Ofer Hasson, Assaf Kachlon and Yuval Elovici. The same team of researchers have previous demonstrated proof-of-concept (POC) attacks against air-gapped machines, including ‘AirHopper' (exploiting a smartphone to wirelessly send out data) and ‘BitWhisper' (manipulating heat patterns between two malware-infected devices to steal data).
In this latest example, Guri and the team have shown how old and basic mobile phones, which are often allowed into sensitive business areas as they don't have any capacity to record or connect to the Internet, could be used in conjunction with an air-gapped machine to steal and exfiltrate sensitive information.
The team, using the nine-year-old Motorola C123 mobile phone (which has no camera, Wi-Fi- Bluetooth, Internet or cellular data capabilities) in the study, downloaded a particular but unspecified piece of malware onto both the phone and the PC. With the malware in place and presumably talking back to its controller, the researchers were able to send data to the phone owing to the computer's electromagnetic waves, and the phone's ability to receive these same signals.
These two factors combined to create an “invitation for attackers seeking to exfiltrate data over a covert channel,” the researchers said in a paper about their findings. A short version of the paper is available now via the Usenix website, with the full technical details to be detailed at the Usenix Security Symposium in Washington.
There are caveats to the attack, however, most notably that it will be stopped in its tracks if mobile phones are prohibited. Attackers can also only extract a small amount of data, although enough for passwords and encryption keys in a few minutes, while anything larger will require a dedicated receiver. A receiver of this nature could potentially receive the same signals wirelessly from up to 30m away, but again this would be based on the targeted business not having insulated walls or partitions.
Speaking to SCMagazineUK.com earlier today, Guri admitted that the attack would be tricky to carry out, while other researchers at the university admitted that it could nonetheless interest nation-states attackers targeting certain individuals.
“The chain of attack is sophisticated as it requires installation of malware on the target network and installing of a component on the baseband firmware of the mobile device. Both vectors are not trivial,” said Guri via email.
“We don't know [who could develop this],” added Dudu Mimran, chief technology officer of the Cyber Security Labs at the university. “Having said that, developing such technology requires deep domain experts and big funding so you need to have resourceful and highly motivated entities behind such an attack.
“I think even from the mere fact that air-gapped computers are prevalent in sensitive places you can deduce what kind of attacker it could be.”
Guri said that the “the main countermeasure is keeping mobile phones of any kind out of the perimeter of sensitive environments.”
Stephen Ward, senior director at cyber-threat intelligence company iSight Partners, applauded the research but said that the attack probability was low with getting malware on both devices a “significant hurdle for attackers in the wild.”
“An attacker would need to infect the air-gapped system (potentially through a malicious USB device) and be able to identify and infect a mobile device that will come within range of the infected system. We expect this would require attackers to be both sophisticated and conduct a targeted attack. Still, this could present a viable method of exfiltration from an air-gapped, compromised system."
The news has once again turned the attention to the security of air-gapped machines, although both Mimran and David Flower, managing director for Europe at Bit9 + Carbon Black, have said that it will never be a magic solution.
“What we proved is that air-gap cannot be considered as a magic solution any more for all the security problems,” said Mimran. “Organisations relying on air-gap need to re-assess their internal defences giving the scenario of data leakage…Re-think air-gap and its risks.”
Flower added: “Air gapped computers are regarded as unimpeachable by some, because they are kept separate from other unclean networks – it's essentially like keeping a computer in a sterile bubble.
“However, as this latest research shows, where there is a will there is a way. While there may not be a threat from the network, this does not mean they cannot be infected by other means.
“This demonstrates why a network-only security approach is no longer viable; endpoints themselves are increasingly the target of bold hackers intent on exfiltrating data. Companies need continuous monitoring and recording on each and every endpoint device – including mobile devices – if they are to detect and respond to unusual activity and prevent these kinds of attacks.”
Air-gapped machines have traditionally been used by governments and military to protect sensitive information, with journalists increasingly getting in on the act – NSA whistleblower Edward Snowden actively encouraged Glenn Greenwald to use an air-gapped machine, as documented in the latter's ‘No Place to Hide' book on the surveillance leaks.
Air-gap attacks, though rare, are not necessarily a new phenomenon – NSA detailed so-called TEMPEST attacks in 1972, which involved data leaks via electromagnetic emissions.