Air gaps: Happy gas for infosec or a noble but inert idea?

Last year Michael Sikorski of FireEye was sent a very unusual piece of malware. The custom code had jumped an air gap at a defence client and infected what should have been a highly-secure computer. Sikorski's colleagues from an unnamed company plucked the malware and sent it off to FireEye's FLARE team for analysis. "This …

  1. Lusty

    Timing is everything

    Coincidence that this comes at just the moment lots of security people are talking about air gapping their legacy 2003 systems to mitigate end of life trouble? Given the lack of security updates, 2003 will become particularly susceptible to this as there will be plenty of unpatched vulnerabilities.

    1. Anonymous Coward

      Re: Timing is everything

      Er... Maybe I'm not thinking about this correctly, but would this air gap jumping scheme be thwarted if things like USB sticks were always "use twice (once to write, once to read), wipe & physically destroy"? Seems a small price to pay if it works.

      1. Justin Clift

        Re: Timing is everything

        Well, if the once-off writing is done on the external "internet connected" side of the air gap, that's a source of new commands for the malware. The reading would then take place on the "disconnected" side of the air gap, and do the passing of those commands to the malware.

        Same in reverse too... if the once-off writing is done on the "disconnected" side of the air gap, that's when the exfiltrated data get written to the USB stick, ready to be sent off to the attacker when the USB stick is plugged into the internet connected side.

        So, not good.

    2. Anonymous Coward

      Re: Timing is everything

      Do you mean Microsoft DOS 2003?

      If a company has any important data on a closed-source system, particularly one from Microsoft, they've already lost.

      How can somebody get a job in computing that's involved with security, and know nothing about Edward Snowden or Regin?

  2. Ragequit

    A layered approach...

    "It isn't all physical, however. Organisations should implement security controls on air gap machines as if it were connected to the internet, a move Sokorski and Dudu say could help knock-out some of the laboratory attacks."

    The above was the first thing to come to mind when I started reading this article. I mean, even without air gaps per se you can have any number of devices attached to your PCs or network. No one security technique is the end-all, be-all. Even when it comes to physical security. Therefore you need a layered approach and some vigilance.

  3. Sokolik

    Back To The Future*

    If I've got this right (by no means certain!), this reminds me of the old days. It was shouted at us, "NEVER INSERT A FLOPPY FROM AN UNKNOWN OR UNTRUSTED SOURCE".

    "Floppy". How quaint.

    *apologies to Robert Zemeckis, et al

    1. Bob Wheeler
      Pirate

      Re: Back To The Future*

      Back in the day of 'sneaker net', we used to have a few dedicated PCs dotted around for running an AV scan on floppies before they could (should) be used on proper work machines.

  4. Anonymous Coward

    Seriously?

    How could you not spot this a mile away?

    As for airgapping 2003 boxes. Why bother even having them running?

    I have a client that still uses XP and 2003 due to hardware compatibility... specifically drivers; they can't replace the hardware because it is way too expensive... anyone familiar with Dektec? They only run those boxes when they need them and I've made sure that they are frozen. Meaning every reboot reverts the machines to their pre-use state. The data that these machines use is stored on a file server on the same airgapped network which can only have data transferred to it using a known and trusted USB hard disk which is wiped prior to use. The files to be placed on that disk are scanned prior to being copied and the files can only be copied from a locked down BSD fileserver that generates the files directly to a folder that only the tool has write access to.

    The airgapped boxes are also in a room that requires a pass to enter which has to be signed out by an individual to use and has a fixed expiry time on it.

    It's also possible via GPO to restrict USB devices down to only allow specific devices to be plugged in to prevent anyone trying to cheat the process. There are pre-built policies designed by Microsoft et al specifically for this purpose. I think it used to be referred to as "Flapjack". Locked down by default, to the point where you have to wind it back to allow things to work.

    It sounds long-winded and painful but it's actually not that tedious and in the event that some security breach may occur I've at least had a damn good shot at preventing it.

    This malware has just demonstrated some half baked thinking and lax security policy.

  5. Anonymous Coward
    Joke

    You really need a vacuum gap...

    ... so nobody with a USB device or the like can survive near the machine - unless walking around with a mask and a tank. Cooling could be performed using a closed circuit liquid system....

    Jokes aside, if someone can plug uncontrolled devices from uncontrolled systems into an "air gapped" system, it's not really an "air gap" - you just have a slower connection.

    Moreover, any line of defense is always as strong as its weakest point.

    1. Ole Juul

      Re: You really need a vacuum gap...

      "if someone can plug uncontrolled devices from uncontrolled systems into an "air gapped" system, it's not really an "air gap" - you just have a slower connection."

      Indeed, these guys are just using their own specialized definition of air gap so as to make their point. Sneakernet has always been a perfectly functional way to connect computers.

      1. Anonymous Coward

        Re: You really need a vacuum gap...

        I got my very first virus when I owned my first computer, in the first 3 months, via floppy drive back in 1992; that's how viruses used to be transmitted... next thing they will find is boot sector viruses, lol. And as per badBIOS, the sound/mic bit is novel, although that is kinda how modems work.... I know, I know, most people today don't remember the screeching sounds belching out of the box, but that is how the internet started for some of us. The firmware infection part isn't so novel though; it's kinda old school. I remember having to clean a system in the mid-to-late 1990s (95/96) that had a volatile firmware infection. Lucky though, it only infected Award BIOS and not every firmware on the host like badBIOS supposedly does.

  6. Velv
    Facepalm

    D'oh!

    Building bridges between two systems substantially increases the risk of infection being passed from one system to another. Rats crossed rivers on ferries, barges and bridges and the plague spread across Europe. So if you're going to plug a device from one system to the next you no longer have an air gap and you need to put protections in place. Gates, guards, immigration controls and quarantine.

    It's not rocket science, we've been doing it for hundreds of years.

  7. DropBear
    FAIL

    There is a strong stench of woo-woo lingering around the article. I'd like to know where "malware could slowly spread between nearby computers using microphones and speakers" comes from, considering even the linked article doesn't go further than "Adam Kujawa, a security researcher at antivirus firm MalwareBytes, reckons the research shows that it's possible for malware-infected machines to chat to each other across an air gap. But he's far from convinced any infection is possible via the method."

    Unless we live in an alternate universe, you can't just infect a machine through sound, radio waves or anything else unless the said hardware either already actively samples and processes said data (so you can attempt some form of data execution) or is already infected (which means the battle has been lost long ago). And I don't care if Turing himself says otherwise, until he presents adequately extraordinary proof for such extraordinary claims, I'll simply laugh him out of existence.

    Note that communication over an air-gap (as opposed to infecting) is an entirely different ball-game; but if one could infect a machine by physical access first, it kinda follows that any number of further physical accesses might be possible so all the OTA wizardry really does is just speed up the exfiltration process...

    1. annodomini2

      "Note that communication over an air-gap (as opposed to infecting) is an entirely different ball-game; but if one could infect a machine by physical access first, it kinda follows that any number of further physical accesses might be possible so all the OTA wizardry really does is just speed up the exfiltration process..."

      Only requires one access rather than several, much lower risk of being detected.

  8. keithpeter Silver badge
    Windows

    Costs

    Air gapped laptop with wifi card removed, network card disabled, microphone removed, no webcam, speakers removed, USB sockets glued, runs from batteries when booted, chargers and removable parts (keyboard, RAM &c) rotated regularly. Boots from an optical drive that has a CD-ROM containing appropriate OS with known checksums &c. Possibly using LibreBoot (checksums again, reflashed from optical drive weekly or something). Connected to a thermal printer of unusual design. Operated in a central room with stainless steel walls (like you have in commercial kitchens) without windows at least 30m from premises outer wall. Result: not far short of a mechanical typewriter but quieter (at least at audio frequencies).

    It is all about cost and hassle VS likely degree of interest of material I imagine.

    If you have the misfortune to be on a nation state's list, well, just use notebooks and burn them now and again. The obvious XKCD cartoon about password security springs to mind.

    1. Anonymous Coward

      Re: Costs

      ... doubtless with phone still in pocket inaudibly recording output from the laptop's CPU fan, HDD motor and optical drive motor oscillations.

      You're welcome, Dave.

      1. keithpeter Silver badge
        Windows

        Re: Costs

        ... doubtless with phone still in pocket inaudibly recording output from the laptop's CPU fan, HDD motor and optical drive motor oscillations.

        You're welcome, Dave.

        Which part of "Operated in a central room with stainless steel walls..." did you not understand? Mr Faraday had the central idea a couple of centuries ago.

        Seriously: the point I'm making is that this is all a cost-benefit trade-off, not absolutes.

        1. Anonymous Coward

          Re: Costs

          Who says the phone has to transmit the data straight away?

  9. Jerren
    Coat

    More of a wetware problem....

    One point I think the article doesn't drive home among the others mentioned is that most of these attacks that span the air gaps require a bad actor to physically touch the systems. The malware doesn't magically materialize out of "thin air"; someone had to put it in that environment. Whether it is hidden in the hardware at the factory, typed in from memory or uploaded by a flash drive, there is a human behind it, and there are well documented processes and methods for protecting against these types of attacks, primarily by limiting access, requiring a minimum number of people to be in the room at any given time, division of labor, mandatory access controls, rotating the employees' assignments and shifts to prevent collusion, monitoring of employees' activities inside and outside of work, and limiting what is and is not allowed into the environment (e.g. no cell phones, electronics, paper, pens, etc.).

    When the proper controls are in place and properly managed, the risk of data exfiltration across an air gap is greatly reduced. Most incidents of this type that I have investigated are failures in physical security, and let's face it, once you have physical access to the box it's essentially game over; there is no limit to what you can do at that point.

    Mine's the one with the USB cufflinks.

  10. MasterofDisaster

    Watch those cameras!

    As physical security also is part of the network (IP cameras, access control, etc), those systems also become part of the threat profile. Just like no one thinks of the HVAC system (that led to the Target breach), too often people are forgetting that any "touchpoint" can be used (that's why even the pixels on screen, captured by an IP camera connected to the network, could be used in an air gap situation). Services like Viakoo that monitor/diagnose issues in security video IP streams have been finding more cases of digital tampering of surveillance camera footage, in part because if you're able to infect/hack computers, you also will hack into the security video to erase your tracks. While this article may not be "real-world", the lesson should be taken to heart that with IoT expanding rapidly, so are the potential points of entry/infection.

  11. rolmbo

    Air Gap

    I've never heard of a stainless steel lined room to keep signals from leaking out. I have seen gypsum (sheetrock) lined with a thin sheet of lead that really keeps signals from leaking in or out. They're commonly used when installing x-ray machines in hospitals or doctors' offices. I would think that stainless steel would or could be used like an antenna. Am I way off here, does anyone know? I don't know, but agree it seems to me that in order for someone to remove data from an airgap system in a secure environment, someone would have to have physically accessed the target machine to implant the tx/rx software via keyboard, since the thumb drive is disabled and the Wi-Fi card removed, to have access to the target machine the data is going to be stolen from via frequencies etcetera.

    1. Andy Taylor

      Re: Air Gap

      Have you ever tried to get a decent mobile signal inside an Apple store? The stainless steel walls work pretty well as a shield.

    2. Anonymous Coward

      Re: Air Gap

      Probably not stainless steel, aluminium is more likely.

      Back in the day before everything in govt was outsourced to India, anyway, the "interesting" projects had all the CAD machines in a metal room with an interlock on the door. If you opened the door all the monitors turned off. Annoying because in the days of 19" Iiyama it took them a minute to come back on and stabilize.

      This was to avoid them leaking video to Russian spies, hiding outside a heavily patrolled perimeter fence several miles away. Which suggests that the security chaps weren't quite as good at physics as the chaps using the machines.

    3. Ashton Black

      Re: Air Gap

      It doesn't need to be a steel-lined room. Tempest shielding (basically a Faraday cage) can be done at rack or room level. It's basically conductive material, well earthed, and there are a number of companies who specialise in this.

      eg: http://www.euro-emc.co.uk/Products/TEMPEST-EMSEC-Protected-Areas.aspx

    4. marturion

      Re: Air Gap

      OK, "Air Gap" or "Vacuum Gap" means nothing to electromagnetic energy -- I thought The Reg reader had a modicum of physics knowledge. The US Military for many years had "Tempest" standards that specify that NO electromagnetic energy could escape from machines. This means keyboards, cables, displays, anything. You have to wrap up your machines in a Faraday Cage (look it up) if you want to prevent this kind of attack.

  12. Stevie

    Bah!

    And here I thought that anyone needing an air-gapped computer would understand that the air gapping would need to be at the *computer* network level, and the said computer would still need elementary protections such as not executing code from external devices by default and firewalling them until they passed AV testing.

    I mean, once upon a time all desktop computers were air-gapped and the savvy companies still had warnings about sneakernet AV practices pasted to the support columns to properly indoctrinate the workforce.

    But then, I'm an old person who was once a mainframe Cobol programmer and so by default a dimwit. What do I know about the exciting world of modern IT?

  13. Christian Berger

    Seriously...

    In most instances the air gap will be bridged by a fake license key your software needs in order to function. Also, air gaps sound good in theory, but you'll also cut off your machine from software updates. And without software updates most versions of Windows can be brought to execute arbitrary code via diskette drive or CD-ROM. The lnk-feature along with its cousin the pif-feature hasn't been fixed on installation media.

  14. Cynic_999

    Gluing up the USB slots? Surely it's quicker and easier to unplug the USB sockets from the motherboard, then physically lock the case so the MB cannot be accessed by any unauthorised person.

    1. hayzoos

      Glued USB slots are visually inspectable, as were foil-taped IR port windows. Having visual inspection items on the checklist brings the warm and fuzzy feel for the non-tech security bureaucrats. You know, the same ones who pick up the thumb drive in the parking lot and plug it into the computer at their desk.

  15. hayzoos

    Infection by microphone

    It may not be impossible to infect a machine via the microphone. It would require complex target systems with feature bloat and security measures added on instead of baked in, and numerous vulnerabilities for code execution and maybe privilege elevation. Oh, wait, we have that. Even if the microphone is "disabled" in software it may cause a change in the intended functioning. These changes could cause memory or processing changes. I'm not saying this would not be highly difficult, but not impossible.

    The telly listens all the time, what could go wrong?

  16. dsuden

    Boffins Boffins Boffins

    Anybody tired of that word on The Register yet?

  17. Anonymous Coward

    The TEMPEST requirements

    and SATYR and Theremin's 'Great Seal bug', make for interesting and relevant reading ;)

  18. Conundrum1885

    Re. TEMPEST

    Ages ago I recall reading of a high value target being compromised using off-the-shelf commonplace mains brick adapters with hidden radio transmitter and unijunction/capacitor based long duration timer so it only transmitted during the weekly board meetings.

    Took months for the company to find how their competitor seemed to know they were in financial difficulty because a key part discussed in earlier meetings mysteriously went out of stock just before a large order thanks to some well timed advance orders by another company that normally never used this supplier.

    Sad to say they got bought out shortly thereafter with lots of needless job losses.
