back to article Checkpoint chap's hack whacks air-gaps flat

Checkpoint malware men Yaniv Balmas and Lior Oppenheim have developed an air gap-hopping malware system that can quietly infect, plunder, and maintain persistence on networked and physically separated computers. Yaniv Balmas. The Israel-based duo pried apart and compromised KVMs (keyboard video mouse) units such that they …

  1. Christian Berger

    I've seen the talk

    First of all, if the discovery process really happened as described... that was the teams first attempt at hardware reverse engineering... and they obviously had nobody to ask. If they had asked someone they could have skipped several time consuming steps.

    Then again, running your own firmware on a device is not a security bug, it's a vital feature to keep you from having such bugs. Only then can you develop alternative versions without vendor induced back doors. The KVM manufacturer did everything correctly by enabling firmware updates only via the serial port. It may actually even be impossible to update the firmware via USB as the microcontroller needs to run the USB stack which it might not be able to do while flashing firmware. (in short on those boxes you cannot update the code you run so you are limited to a small "bootloader" memory)

    So the only problem would be IP-KVMs, which they haven't looked at. Obviously you shouldn't connect them to a public network, just like you shouldn't connect your normal KVM to a public network. The whole point of having such a device is to have a separate channel to your servers from the network.

    And please don't link to ackward to use websites like Youtube when there's a perfectly simple download link at the official video location:

  2. Dafyd Colquhoun

    If there are common cables it's not an air gap!

    If you really want machines to be secure then the only bit of wire/cable in common should be the power (and avoid that if you can). Connecting a USB (or even PS/2) device to two computers breaks the barrier.

    The stupid things people will do (not calling the researchers stupid, just those that do use a KVM to in this way) in the name of convenience. Much like hooking the SCADA system of a factory to the corporate LAN so executives can look at the pretty graphs...

    1. chivo243 Silver badge

      Re: If there are common cables it's not an air gap!

      That's what I was thinking when looking at the diagram. Thanks for verifying my thoughts. Have an up vote.

    2. Anonymous Coward
      Anonymous Coward

      Re: If there are common cables it's not an air gap!

      You beat me to it. The moment they mentioned connecting one machine to the internet they ceased to have an air gaped system.

      Just what is it about management that they can't understand that air gaped systems are those that live and work in their own little independent world, free of outside influence including that of the accountants to supposedly allow them to 'monitor' everything.

      This sort of stupidity is what we get by allowing MBAs to take over the jobs of engineers.

  3. Anonymous Coward
    Anonymous Coward


    Hiding keyloggers inside keyboards has been around for years. Automating the process of flipping these from capturing data to sending data (to enter a password and perform some malicious action) is easy too. Hiding this process in firmware is a neat trick.

  4. Anonymous Coward
    Anonymous Coward

    Managment LAN vs comms LAN

    "the KVM performs a wget to get the malware from the cloud into the internet-connected computer."

    I may be mistaken, but I was under the impression that people with clue had a separate and intentionally secure (e.g. no Interweb) LAN for management purposes (HPQ LightsOut remote stuff and Dell equivalent (iDRAC) and Intel's related vPro stuff, plus management ports on storage stuff, and maybe even IPKVM stuff and IP power switches).

    But what do I know.

    1. Robert Helpmann??

      Re: Managment LAN vs comms LAN

      I may be mistaken, but I was under the impression that people with clue had a separate and intentionally secure... LAN for management purposes

      You are correct. As noted above, there are a number of things that would have to be done incorrectly for this exploit to work, but that does not mean that it is either impossible or unlikely to be used in the wild. There are many, many security failures that people fall prey to. The Checkpoint folks' work highlights the need to consider all parts of the security puzzle. KVMs are something many people are likely to overlook as they are insufficiently paranoid educated on the subject. It's good that they are addressing the issue.

  5. allthecoolshortnamesweretaken

    Reads a bit like "how to get nasty stuff like Stuxnet on your boxes".

  6. Anonymous Coward
    Anonymous Coward

    One of a series of theoretical but demonstrable attacks that use 'simpler' interfaces that exist to allow an attacker to undertake malicious activity in the absence of an IP connection. Others include removable media, hi-res cameras, mic+speakers, emissions, displays, flashing capslock and numlock keys etc (low bitrate), but all demonstrate an ability to where necessary conduct malicious activity beyond the reach of an IP connection.

    Stuxnet being the daddy of them all.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon