The revolutionary methods to attack air-gapped devices

In the last few years, the Cyber-Security Research Center of Israel's Ben Gurion University of the Negev, coordinated by Dr. Mordechai Guri, has developed and tested several new types of malware that make it possible to covertly steal highly sensitive data from air-gapped and audio-gapped systems. Here we briefly analyse some of the most surprising techniques they have successfully tested.


What air-gapped systems are and the difficulty of hacking them

The term "air-gapping" refers to a network security measure applied to one or more computers to ensure that a given computer system is physically isolated from unsecured networks, such as the public Internet or an untrusted local area network. Air-gapped systems are considered a necessity in environments where sensitive data is handled, because they greatly reduce the risk of data leakage. The devices in these systems are sometimes also audio-gapped, meaning that their audio hardware is disabled to prevent potential attackers from leveraging the built-in speakers and microphones to steal information via sonic or ultrasonic waves.

It is practically impossible to exfiltrate data from devices of this kind, because there is no network path over which to transmit the desired information outside the system. Nonetheless, the group of researchers led by Dr. Guri has demonstrated that specific malware combined with highly innovative transmission methods can allow data to be stolen even from these air-gapped devices.


Three of the most innovative hacking methods

Lately, Dr. Guri's research center has worked on many different projects, all very innovative, even if not equally effective. Here we summarize the details of three of their most revolutionary techniques. It is important to note in advance that practically all of these methods only work after very specific malware has been installed on the targeted device or system.

Using Power Supply as an Out-of-Band Speaker

Named "POWER-SUPPLaY", the latest research is based on a new malware that exploits the computer's power supply unit (PSU) to play sounds, using it as an out-of-band secondary speaker with limited capabilities. Essentially, the air-gap malware regulates the workload of modern CPUs to control their power consumption and thereby the switching frequency of the PSU, making it emit an acoustic signal in the 0-24 kHz range over which binary data is modulated. The acoustic signals can then be intercepted by a nearby receiver, such as a smartphone, which demodulates and decodes the data and sends it to the attacker over the Internet.

For this method to work, the transmitting and receiving machines must be in close physical proximity to one another, and both have to be infected with the appropriate malware to establish the communication link.

Exfiltrating data by modulating the device's screen brightness

The researchers also devised a method called "BRIGHTNESS", a covert optical channel that leaks data by altering the brightness level of the targeted device's screen. This covert channel is invisible, and it works even while the user is using the computer. Malware on a compromised PC can obtain sensitive data (e.g., files, images, encryption keys and passwords) and modulate it into the screen brightness.

The small changes in brightness are imperceptible to humans but can be recovered from video streams captured by cameras such as a local security camera, a smartphone camera or even a webcam. The fundamental idea behind encoding and decoding the data is practically the same for all of these methods: the malware encodes the collected information as a stream of bytes and then modulates it as a sequence of '1' and '0' signals.

Stealing information from Faraday-caged air-gapped computers via magnetic fields

The Cybersecurity Research Center has also developed two techniques that allowed them to exfiltrate data from devices placed inside a Faraday cage. Dubbed "MAGNETO" and "ODINI", both techniques work even if the device is kept inside a Faraday shielding case, which blocks any type of inbound and outbound wireless communication (Wi-Fi, cellular, Bluetooth, etc.), and they even work if the smartphone or the PC is set to airplane mode.

These methods rely on proof-of-concept (PoC) malware installed on an air-gapped computer inside the Faraday cage, which controls the magnetic fields emanating from the computer by regulating the workload on the CPU cores and uses them to transmit sensitive data over the magnetic signals. The magnetic sensor of a smartphone located near the device can then receive the covert signals.
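Both POWER-SUPPLaY and MAGNETO/ODINI key their physical signal by toggling CPU workload, so on the host the '1' and '0' modulation described above shows up as a two-level square wave in the CPU utilisation a monitoring agent already collects. The Python below is an added example, not the researchers' code: it constructs such a trace alongside a benign one and applies a simple detection heuristic; the sampling interval, load levels, symbol period and thresholds are all assumptions.

```python
"""Host-side check for workload-keyed covert channels (added example).
Assumption: an agent samples CPU utilisation (0-100 %) at a fixed interval
and the resulting series is analysed offline; sample and symbol clocks are
treated as aligned, so a deployment would add a jitter tolerance."""
import random


def level_runs(samples):
    """Threshold at the midpoint of the range and return the run lengths of
    consecutive high/low samples, the fraction of samples in the middle third
    of the range (near zero for a clean two-level wave) and the swing."""
    lo, hi = min(samples), max(samples)
    mid, third = (lo + hi) / 2, (hi - lo) / 3
    mid_fraction = sum(lo + third <= x <= hi - third for x in samples) / len(samples)
    runs, current = [], 1
    for prev, cur in zip(samples, samples[1:]):
        if (prev >= mid) == (cur >= mid):
            current += 1
        else:
            runs.append(current)
            current = 1
    runs.append(current)
    return runs, mid_fraction, hi - lo


def looks_modulated(samples, min_swing=30, min_runs=8, max_mid_fraction=0.05):
    """True if the load is two-level, swings widely, toggles often and only at
    multiples of a short common symbol period (random bits give runs of k*P).
    A single batch job starting (two long runs) is rejected by min_runs."""
    runs, mid_fraction, swing = level_runs(samples)
    if swing < min_swing or mid_fraction > max_mid_fraction or len(runs) < min_runs:
        return False
    period = min(runs)
    return period >= 2 and all(r % period == 0 for r in runs)


def constructed_trace(bits, period=4, low=20, high=90, jitter=3, seed=7):
    """Constructed square-wave trace: each bit holds the CPU at `high` ('1')
    or `low` ('0') for `period` samples, with small measurement noise."""
    rng = random.Random(seed)
    trace = []
    for b in bits:
        level = high if b == "1" else low
        trace.extend(level + rng.uniform(-jitter, jitter) for _ in range(period))
    return trace


def benign_trace(n=120, base=30, jitter=8, seed=7):
    """Constructed ordinary load: fluctuating around a base with no two-level structure."""
    rng = random.Random(seed)
    return [base + rng.uniform(-jitter, jitter) for _ in range(n)]
```

A constant or near-constant load (all bits equal) carries no observable keying and is correctly not flagged, which is also why this heuristic complements rather than replaces controls on what software can run on the air-gapped host.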


A cybersecurity challenge for the future

The Research Center has also tested many similar techniques that exploit other means of transmission, such as vibrations, audio waves and even thermal signals. It is clear that all of these innovative methods represent a real challenge for the cybersecurity of the future, because only new and more advanced security systems will allow companies to defend against these new types of cyber-attacks.

It is true that many of these techniques are quite fanciful and not completely viable in the real world, but they all bring to mind a consideration that has become a famous maxim in the world of IT security: the only safe PC is a switched-off PC.
