Air-gapped networks are isolated, separated both logically and physically from public networks. For example, military, industrial, and financial networks. Although the feasibility of invading such systems has been demonstrated in recent years, communication of data to/from air-gapped networks is a challenging task to attackers to perpetrate, an even more difficult threat to defend against. New methods of communicating with air gapped networks are currently being exposed, some advanced and difficult to mitigate. These new found vulnerabilities have wide reaching implications on what we considered to be a foolproof solution to network security –the placement of a physical air gap. But it doesn’t stop there – new techniques of covertly getting information in and out of air gapped networks are being exposed. Thus it is important not only to publicize these vectors of attack, but their countermeasures and feasibility as well. In this talk, we will outline the steps an attacker must take in order to bridge an air gapped network. We will review the state-of-the-art techniques over thermal, radio, and acoustic channels, and discuss each one’s countermeasures and feasibility. Most of techniques in this talk were discovered in our labs by researcher Mordichai Guri under the supervision of Prof. Yuval Elovici. --- Mordechai Guri Mordechai Guri is an accomplished computer scientist and security expert with over 20 years of practical research experience. He earned his Bsc and Msc Suma Cum Laude, from the computer science department at the Hebrew University of Jerusalem. --- Yisroel Mirsky Yisroel Mirsky is a Ph.D. candidate supervised by Prof. Bracha Shapira and Prof. Yuval Elovici, in the department of Information Systems Engineering in Ben-Gurion University. --- Yuval Elovici Yuval Elovici is the director of the Telekom Innovation Laboratories at Ben-Gurion University of the Negev (BGU), head of BGU Cyber Security Research Center, and a Professor in the Department of Information Systems Engineering at BGU.

1. Bridging Air-Gapped Networks
Primary Author: Mordechai Guri
Presenter co-author: Yisroel Mirsky
Supervisor: Prof. Yuval Elovici

2. What is an Air-Gapped Network?

3. The Typical Approach to Securing a Network

4. The Air-Gap Approach
Definition
An air-gap is a cyber security measure for
securing a computer network by physically
isolating it from other networks, such as the
public Internet or another unsecured local area
network.

5. Air-Gapped Network The Internet
Air Gap

6. Examples of networks or systems
that may be air-gapped
• Military defense systems
• Financial Systems (stock exchange)
• Industrial control (SCADA…)
• Critical Infrastructure
• Power Plants
• Refineries
• Traffic Control – Airports
• Command and Control Centers
• Computerized medical equipment
• …etc

7. Air-Gapped Networks
…Not a perfect solution

8. The Adversarial Attack Model
Initial Infection Perform Action

9. Initial Infection
Malicious / Deceived
Insider
Supply Chain Attack

10. Perform Action
• Steal Sensitive Data
• Manipulate Control
Systems
• Delete Records
• Deactivate Subsystem
• DDoS
• Self-Destruct

11. What to do about the air-gap after the initial infection?
Air-gapped Network The Internet
Air Gap
Outbound
Inbound

12. Usage of the In/Outbound Channels
Inbound
• Send Commands
• Flexibility in controlling the attack
• “When” act
• Update Malware
• New Modules
• Fixes…
• Change encryption key
Outbound
• Exfiltration
• Receive recorded information
• Reports
• Acks on commands
• Progress of lateral movement

13. Methods of
Bridging
Air-Gapped
Networks
Thermal
Channels
Radio
Channels
Acoustic
Channels
Optical
Channels

14. Thermal
Channels

16. Introduction to HVACKer
• Modern PCs have embedded thermal sensors.
• These sensors can be used to detect temp. changes in
the environment.
• By manipulating the room temperature of the isolated
network, we can communicate with the PC.

17. Q: How do you remotely change the
room temperature?
A: Hack the HVAC!
• Insecure networks may overlap the same
space as an air-gapped network.
• One such network is the HVAC (heating
ventilation and Air Conditioning) system.

18. Many HVACs provide an internet
portal for remote management
E.g. Tridium Niagara AX platform
There are
• 36,287 Niagara
web portals
exposed
• Only 269 of
them
protected
wuith HTTPS

20. The Attack Model
Inbound
Isolated
Network
Internet
Air Gap

21. Communication Protocol L1/L2

22. Example High level Protocol

23. Experimental Results
• Small office
scenario
• 40 bits/hour
What about internal interference?

24. What about internal interference?

25. HVACKER - Countermeasures
• Disable / Secure HVAC Web portals
• Monitor environmental temperature
• Malware signatures

28. Introduction to Bitwhisper
• Computers emit heat into their environment
• Computers can detect changes in the env.’s temp
…let’s make a bidirectional channel
between neighboring computers!

29. But why?...
• In some cases, air-gapped machines are placed in close proximity
with connected ones
Example: leased computing space
• A thermal channel between two end-points would provide the
attacker the ability both send commands and receive information
• Can be achieved from within a VM

30. The Attack Model
Isolated
Network
Internet
Air Gap
Inbound
Outbound

31. The Heat Transfer Process

32. The Possible Setups We Examined

33. The Thermal Line Encodings Tested

34. BitWhisper - Countermeasures
• Physically distancing air-gapped
computers from other networks
• Strong AC
• Malware Signature (API calls…)
• Environment sensing

35. Video Demo

37. Methods of
Bridging
Air-Gapped
Networks
Thermal
Channels
Radio
Channels
Acoustic
Channels
Optical
Channels

38. Acoustic
Channels

40. Overview
Covert Acoustic Mesh Networks
Transmitter: speaker – ultra sonic
Receiver: microphone
(laptop, smartphone…)

42. Attack Model
Air Gap
Inbound
Outbound

43. Acoustic Mesh - Countermeasures
• Ultra sonic noise emitters
• Strict zoning policies

44. Acoustic
Channels

46. Overview
Fansmitter: Acoustic Data Exfiltration from
(Speakerless) Air-Gapped Computers
Transmitter:
PC Cooling fan –
(power supply, CPU, chassis, …)
Receiver:
Microphone –
(laptop, smartphone…)

47. Why is Fansmitter Interesting?
Speakerless machines can now be
exploited as acoustic transmitters!

48. Attack Model
Outbound
Air Gap

49. Modulation
Capability:
15 bits per minute at
a distance of 8 meters

50. Carrier frequency is dependent on two factors:
1) Fan speed (rpm)
2) Blasé pass frequency (bpf)
RPM-BPF relationship for a standard 7-blade fan

52. Programmatically Speaking…
• Bios level Rootkit
• Driver / OS API – (more plausible)
e.g., WMI – Windows management interface

53. Fansmitter - Countermeasures

55. Acoustic
Channels

57. Overview
Data Exfiltration from Speakerless Air-Gapped
Computers via Covert Hard Drive Noise
Transmitter: Hard Drive
Receiver: Microphone –
(laptop, smartphone… etc)

58. Attack Model
Outbound
Air Gap

59. How is it Done?
Acoustic Sources
• Motor
• Actuator

60. Spectograms
The write and seek operations generate the best signal

61. Modulation
Rate: 180 bits/min
Distance: 2 meters

62. Diskfiltrator - Countermeasures

64. Acoustic
Channels

65. Methods of
Bridging
Air-Gapped
Networks
Thermal
Channels
Radio
Channels
Acoustic
Channels
Optical
Channels

66. Optical
Channels

68. Overview
Indicator lights leak information!
Transmitter: Device LED
Receiver: Camera, sensor,…
Information Leakage from Optical Emanations
JOE LOUGHRY, and DAVID A. UMPHRESS
What if these
LEDs where
used to actively
exfiltrate data?

69. Attack Model
Air Gap
Outbound

70. Open CV for
image tracking

73. Tempest - Countermeasures
• Zoning policies
• Malware signature (if via OS API)
• A piece of tape!

74. Optical
Channels

76. Overview
Bridging the Airgap with a scanner
Office scanners can receive and transmit light…
…how can we exploit that?

77. Attack Model
Air Gap

78. Optical
Channels

80. Overview
An Optical Covert-Channel to
Leak Data through an Air-Gap
Transmitter: LCD/LED Screen
Receiver: Video Recorder: Phone,
Google Glass…

81. Attack Scenarios
OR
OR
OR…
OR…
Air Gap
Outbound

83. Experimental Results
40 Volunteers found the
“invisibility threshold”
Video Devices:
Simple DSLR
Pro DSLR
GoPro
Webcam
Smartphone
Google Glass

85. VisiSploit - Countermeasures
• Zoning Policies (who and what devices can go where)
• Malware signatures (detect that DLL!)

87. Methods of
Bridging
Air-Gapped
Networks
Thermal
Channels
Radio
Channels
Acoustic
Channels
Optical
Channels

88. Radio
Channels

90. AirHopper - Introduction
• Many workplaces have a BYOD policy
• Smartphones can be used to receive radio signals
• If we can get ordinary PCs to emit radio signals,
then we have an outbound channel

91. The Attack Model
Air Gap
Outbound

92. The Big Question

93. How do antennas work?
• Antennas emit radio waves (EMR) by oscillating
current through their Terminals
• Radio waves are characterized by their frequency
(oscillation in Hz) and amplitude (strength in dBm)

94. One way to emit EMR…
…is to get the display to
send specific signals
over the cable

95. The Modulation of Binary Data
over Analog FM

96. Experimental Results

97. AirHopper - Countermeasures
• Strict zoning: No smartphones within a proximity of
20 meters of an air gapped computer with a screen.
• Insulation: Shield the display cables better.
• Jamming: Emit noise in the 87.5-108 MHz band
• Signature: Scan for related graphics manipulations

101. GSMem - Introduction
• Feature phones (mobiles with no wifi, Bluetooth…) are
allowed into restricted zones.
• Feature phones can be used to receive other
transmissions broadcasted over cellular frequencies.
• The CPU-Memory BUS of an ordinary computer can be
exploited to transmit signals over cellular frequencies.

103. How GSMem Works
Transmitter Receiver

104. Emitting a Signal
• Observation 1: A large CPU-RAM
transfer builds up oscillating current in
the configuration. – bypass the cache
• Observation 2: The BUS transfers bits
at the FSB speed, emitting the energy
around that frequency (e.g. 800 MHz)

105. Sending a Bit (modulation)
To send a bit,
We use a variant of B-ASK:
Send(“0”):
Do nothing for T seconds
Send(“1”):
Raise amplitude for T seconds
We then place all the bits into frames…

106. Transmitter Properties
• Only has a 4KB memory footprint
• No root/admin required
• No APIs are used
• Affects Intel and AMD architectures…
• Works on Windows/Linux…

107. Receiving the Signal
To read the raw signals (our modulation), one
must modify the firmware of the baseband chip.
This will not deter highly motivated, and resourceful threats
…as we’ve seen in the past.
In our tests we used an open source baseband
software (OsmocomBB) and a compatible
Motorola C123 GSM phone.
We also used a Universal Software Radio
Peripheral (USRP B210) for a higher quality analysis

108. Receiving a bit, and some more…
A Very Simplistic Approach:
1. Listen on “best” frequency
2. Search for the ‘1010’ preamble (each bit T seconds long)
• Threshold based (dynamically changed)
3. Extract 12 bit payload if preamble found

109. Experimental Results
• More channels = more power!
• Orientation effects results

111. GSMem - Countermeasures
• Interference
• Shielding
• Stricter zoning
• Signatures

115. Overview
Air-Gap Covert-Chanel via
Electromagnetic Emissions from USB
2014: Edward Snowden leaks the NSA’s
COTTONMOUTH

117. USBee: Covert USB transmissions
without additional hardware

118. The Attack Model
Air Gap
Outbound

119. A sequence of ‘0’ bits to a USB device generates a
detectable emission between 240MHz and 480MHz
(The USB 2.0 clock speed)
USBee uses B-FSK
encoding to
modulate data:
Binary w.r.t. the
NRZI encoding is
written to the
USB device
accordingly
The malware on the Host does not require any
special permissions to write to the USB!

120. Experimental Results
Distance:
with cable – 9m
without cable – 4m
Data rate: 80 Bytes/second

121. USBee - Countermeasures
• EMR Shielding
• Distancing Policies
• Jamming
• Malware detection : /

124. Methods of
Bridging
Air-Gapped
Networks
Thermal
Channels
Radio
Channels
Acoustic
Channels
Optical
Channels

126. Who should be worries about
these “CREATIVE” attacks?
“Desperate times call for desperate measures”
If your air-gapped network is…
• A plausible target for an APT
• Limited with regards to “insider” activity
• Part of a restricted zone that allows visitors

127. The Most Plausible Attacks
Exfiltration by EMR: GSMem, AirHopper, USBee
Stealthy, while being easy and practical for an
attacker to implement and execute.

128. ConclusionSummary:
• We reviewed the 4 types of channels that can bridge air-gaps.
• Reminder: the assumption is that the target network has been
infected prior!
Take-aways:
• Air-gapping a network does not provide a guaranteed
disconnect.
• Not everybody is a target!
• If you are a target, consider precautions (e.g. zoning)
depending on the sensitivity of your network

129. Thank you for listening!
Questions?