Pages

19 December 2014

Even Air-Gap Networks are Vulnerable

3/9/2014

Researchers succeeded in demonstrating that data and commands may be conveyed from a PC to a smartphone even in a sterile environment

In the world of information security it is the norm to distinguish between networks that are connected to the Internet and networks that are isolated from the Internet. This concept assumes that isolated networks are islands of information cut off from the rest of the world by ”air” – an “air wall” or “air gap”. Hence the expression “Air Gap” that is used to define such networks. This defensive concept may be likened to the moat – the water ditch excavated around medieval castles to provide them with a line of defense. This concept has remained valid as long as it was impossible to prove that the air gap can be passed and that the information in the isolated network can be accessed – and that is precisely what they managed to do at Ben-Gurion University. 

“The objective of the study was to find a way to leak information from computers to smartphones in air-gap networks,” explains Mordechai Guri, a PhD student in the field of cyber from Ben-Gurion University, who found a way to convey data from a PC to a smartphone in an isolated network. The study was conducted at the University’s Cyber Security Labs, under the management of Professor Yuval Elowitz. 

“The technological concept in question is known by the code name TEMPEST – it offers the option of converting the GPU (Graphics Processing Unit) of the computer into a radio wave transmitter,” explains Guri. “The idea surfaced after we had noticed that a major percentage of smartphones feature an FM reception chip, enabling the user to listen to radio stations. During the experiment, we attempted to generate specialized FM waves that would affect this chip in the smartphone. We reverse-engineered the FM chip on the smartphone side and managed to modulate information in a manner that enabled the transmission of data from the computer to that chip in the smartphone from a range of 6 meters. In some of the cases, the smartphone was in an isolated network behind a wall, and even then we managed to transmit data to it.” 

Before we continue, it should be noted that the code name TEMPEST had been coined by the NSA, the US espionage agency that is the equivalent of Israel’s Unit 8200, as far back as the 1960s. According to a document available on the NSA website, as far back as the mid-1950s the Russians had understood that radio wave emanations can be utilized in order to read or convey data, for example – by remotely listening to the sounds of the operation of the American encryption machines and interpreting the keys or the transmissions. 

“In order for the conveyance of information to work, the hacker should infect the PC and the smartphone with a malicious code,” explains Guri. “After infection, the PC can be used to send commands or information to the smartphone, which activates the malicious code on the other side. In other words, if until now information security executives have believed that an isolated computer is necessarily a safe computer, we demonstrated that it is not necessarily so. This can be accomplished from any laptop or desktop computer that has a GPU.”

One of the scenarios Guri describes involves the stealing of patents from a pharmaceutical company. Assuming the members of a development team bring their smartphones into a laboratory where an isolated communication network is installed, those members will feel confident enough to speak to one another, to lay their smartphones where blueprints or formulae may be photographed, to speak on their smartphones during work and log into the “safe”, isolated network of the company. The members of that team will not be aware, however, of the fact that just a few meters away from the laboratory, the PC of a certain secretary is connected to the Internet and that that computer had been infected and is remotely controlled by a hacker. 

The members of the team will also be unaware of the fact that their smartphones had been infected, a few days earlier, by a malicious code through such measures as infected E-Mail messages, infected applications, infected games or infected files. From that moment on, when both ends (computer and smartphone) are infected, the hacker has access into the laboratory of the pharmaceutical company, despite the fact that the communication network in that laboratory is isolated. 

By the end of the working day, the members of the development team will return home and use their smartphones to log into the Internet. Then, the hacker will be able to easily transfer the contents of their smartphones to a server he owns somewhere around the world. 

No comments:

Post a Comment