We will learn about Hacking Air-Gapped Networks in this article.
Introduction to Hacking Air-Gapped Networks
Air-gapped networks are not completely secure: there are several ways to exfiltrate information from computers isolated from the Internet. Each technique relies on a different vector to acquire data, from acoustic to electromagnetic waves.
These methods can also be used to exfiltrate information from Internet-connected systems whose network traffic is carefully monitored and controlled to prevent theft of sensitive data.
March 2015 – BitWhisper – Hacking Air-Gapped Computers via Heat Emissions
In 2015, security researchers from Israel’s Ben Gurion University (Mordechai Guri, Matan Munitz, and Professor Yuval Elovici) devised a method to create a covert channel that can be used to steal information from computers in air-gapped networks, in which one computer detects the heat emitted by a nearby machine.
The technique was called BitWhisper, and it can be exploited to steal sensitive data such as encryption keys and, more generally, any kind of data.
The method, BitWhisper, makes it possible to create a bridge between two computers, and the researchers have shown how to use it to transmit information between two air-gapped systems. The channel relies on what the experts call “heat pings,” a term for the repeated connection of two networks through proximity and heat.
The BitWhisper technique makes it possible to create a two-way communication channel between two computers using the heat emitted by various internal components. The experts explained that to steal information from an isolated PC, it is necessary to infect a computer on the air-gapped network.
“BitWhisper provides a feasible covert channel, suitable for delivering command and control (C&C) messages and for leaking short pieces of sensitive data such as passwords,” the document continues.
The researchers published a paper titled “BitWhisper: Covert Signaling Channel between Air-Gapped Computers Using Thermal Manipulations” that describes the BitWhisper technique and the findings of their experiment.
“At this stage, an attacker can communicate with the previously isolated network, issue commands and receive responses,” the report said.
The experts placed two computers up to 15 inches apart and then tried to transfer up to 8 bits of data per hour, an amount of information that could be enough to steal sensitive data such as user credentials or secret keys, or to send commands to an agent listening on the target computer.
In their experimental scenario, the researchers placed two computers parallel to each other, one machine connected to the Internet and the other connected to an air-gapped network.
The researchers installed malicious code on both computers. On the sender side, the heat generated by the workload of the internal components (i.e. CPU, GPU) is transferred to the receiver, which monitors the temperature changes.
“BitWhisper creates a hidden channel by sending heat from one computer to another in a controlled manner. By regulating the heating patterns, the binary data is modulated into thermal signals. On the other hand, the neighboring computer uses its built-in thermal sensors to measure environmental changes. These changes are then sampled, processed and demodulated into binary data,” the researchers explained.
The BitWhisper attack is very complex, but it is very interesting because it does not require any dedicated or modified hardware.
A video proof of concept of BitWhisper is also available.
June 2015 – Theft of crypto-keys from PCs using leaked radio emissions
Researchers Daniel Genkin, Lev Pachmanov, Itamar Pipman, and Eran Tromer of Tel Aviv University built on research Genkin and his colleagues conducted on the possibility of exfiltrating data from an isolated PC by analyzing the sound the CPU makes during the decryption routine.
Genkin demonstrated how to crack 4096-bit RSA and explained with his new team that encryption keys could be accidentally leaked from a computer via radio waves.
At the time of Genkin’s first research, experts were demonstrating how to extract private decryption keys from GnuPG on laptops in seconds by analyzing electromagnetic emanations during the decryption of selected ciphertext.
In their second experiment, Genkin and his colleagues measured emissions in the 1.6 and 1.75 MHz range using a Funcube Dongle Pro+ connected to a Rikomagic MK802 IV Android computer.
Details of the experiment the group performed were presented in a paper titled “Stealing keys from computers using radio: Inexpensive electromagnetic window amplification attacks”.
Using a standard AM radio with output audio recorded by an Android mobile device, the researchers successfully extracted keys from several models of laptops running GnuPG within seconds.
“We demonstrate the extraction of secret decryption keys from laptop computers by non-intrusively measuring electromagnetic emissions for several seconds from a distance of 50 cm. The attack can be performed using cheap and readily available equipment: a consumer radio receiver or a software-defined radio USB key. The setup is compact and can work without a connection; it can be easily hidden, e.g. inside pita bread. Common notebooks and popular implementations of RSA and ElGamal encryption are vulnerable to this attack, including those that implement decryption using modern exponentiation algorithms such as sliding window or even its side-channel-resistant variant, fixed window (m-ary) amplification,” the paper states.
“We have successfully extracted keys from notebooks of various models with GnuPG (a popular open source encryption software implementing the OpenPGP standard) within seconds. The attack sends several carefully crafted ciphertexts, and when the target computer decrypts them, it triggers the occurrence of specially structured values in the decryption software. These special values cause an observable fluctuation in the electromagnetic field surrounding the notebook in a way that depends on the keybit pattern (specifically, the keybit window in the exponentiation routine). The secret key can be derived from these fluctuations through signal processing and cryptanalysis.”
The technique used by the experts was not new at the time of the study. Despite the success of the attack, the researchers stressed that it can be difficult to implement because computers process multiple tasks at the same time, making it impossible to analyze emissions related to a specific activity, such as executing a decryption routine.
July 2015 – Hacking Air-gapped networks using a basic low-end phone.
Almost every sensitive work environment has strict security measures. The use of air-gapped computers is very common, as are rules such as prohibiting internal employees from inserting any USB key into the computers. Security policies also prohibit employees from carrying their smartphones, especially when the work involves sensitive trade secrets or the management of classified information.
How to hack an extremely secure computer device isolated from the internet?
You might be surprised that you don’t need any technical skills or equipment to do this. To hack into an air-gapped computer, you’ll need a simple cell phone. Even an old-fashioned, dumb cell phone from the last decade should work.
A team of Israeli security researchers has devised a new attack to exfiltrate data from a computer device that is isolated from the web.
Capable of stealing data from a highly secure computer, this hack uses:
Basic low-end mobile phone
Mordechai Guri is the lead security researcher behind this interesting study, working with colleagues Gabi Kedma, Yisroel Mirsky, Ofer Hasson, Assaf Kachlon and Yuval Elovici.
The team of experts used a nine-year-old Motorola C123 mobile phone to carry out the attack. The experts installed specific malware on both the target computer and the mobile phone. The data was exfiltrated through the electromagnetic waves that computers normally emit; these waves were intercepted by the researchers using the malware they developed.
This means that attackers first need to hack the target computer to install malicious code, and then steal all the data from the isolated PC.
Unlike some other “recent work in this area, [this latest attack] uses components that are guaranteed to be present on any desktop/server computer and mobile phone,” the researchers explain in their research.
August 2015 – Funtenna can remotely steal data from an air-gap network using sound waves
Another method of sending data from a computer on an isolated network uses sound waves. A group of experts has developed an innovative hacking technique called Funtenna that an attacker could use to exfiltrate data from a targeted computer even if it is on an air-gapped network.
“Funtenna is a software-only technique that causes intentional compromising emissions across a wide range of modern computing hardware to covertly and reliably exfiltrate data through secure and air-separated networks. We present a generalized Funtenna technique that reliably encodes and emits arbitrary data across broad parts of the electromagnetic spectrum, from subacoustic to RF and beyond.
“Funtenna technology is hardware agnostic, can work in almost all modern computing systems and embedded devices, and is specifically designed to operate within hardware that is not designed to function as an RF transmitter,” reads the description of the talk at the Black Hat conference.
The significance of this discovery is huge, as explained by researcher Ang Cui from Red Balloon Security. Funtenna’s radio signal hack could allow attackers to abuse IoT devices to spy on any target. Game consoles, printers, washing machines and refrigerators could steal data from computers even if they are isolated from the Internet.
In this case too, the target computer must be compromised: the attackers have to install malware that controls the device’s electronic circuitry (general-purpose input/output circuits), and data is sent through signals created by their vibrations at specific frequencies.
The attacker then picks up the signals generated by the vibrations using the Funtenna’s AM radio antenna, which can be placed a short distance away.
The Funtenna hacking method allows the attack to bypass any network security solution. The researchers also provided a video PoC of the attack scenarios.
“You have network detection, firewalls… but this is transmitting data in a way that none of those things monitor, which fundamentally challenges how we can be sure our network is secure,” Cui explained.
June 2016 – How to steal encryption keys out of thin air via PC sounds
A team of Israeli researchers (Daniel Genkin, Lev Pachmanov, Itamar Pipman, Adi Shamir, Eran Tromer) demonstrated how to steal a 4096-bit encryption key using acoustics from a distance of about 10 meters (33 ft) from an air-gapped system. The technique is also very fast: the experts extracted the key in seconds.
The same team demonstrated in 2015 that encryption keys could be accidentally leaked from a computer via radio waves, and then demonstrated that it was possible using a low-cost consumer kit.
Now researchers have taken advantage of the fact that the processor emits a high-frequency “coil whine” from the changing electrical current passing through its components.
“The power consumption of the CPU and associated chips varies drastically (by many watts) depending on the calculation being performed at any given moment. The electronic components in the computer’s internal power supply, which try to provide a constant voltage to the chips, are subjected to mechanical forces due to fluctuations in voltage and current. The resulting vibrations transmitted to the surrounding air create a high-pitched acoustic noise known as “coil whine”, although it often originates from capacitors. Because this noise is correlated with the computation in progress, information is leaked about what applications are running and what data they are processing,” reads the article published by the experts.
“Most dramatically, secret keys can be acoustically leaked during cryptographic operations. By recording such noise when the target uses the RSA algorithm to decrypt ciphertexts (sent by the attacker), the RSA secret key can be extracted within one hour for a high-quality 4096-bit RSA key.”
The main disadvantage of this technique is that the device is difficult to hide, so the researchers tried to get the same results from a mobile phone microphone placed 30 centimeters (12 inches) from the target machine.
“We experimentally demonstrated this attack from a distance of up to 10 meters using a parabolic microphone (see Figure 5) or from a distance of 30 cm using an ordinary mobile phone placed next to a computer.” states the paper.
“In some cases, it’s even enough to record a target using a mobile phone’s built-in microphone placed near the target and the attacker’s mobile app running.”
The team is able to obtain a 4,096-bit RSA key in an hour of listening, even using a mobile phone.
“Side-channel leakage can be mitigated by such physical means as sound-absorbing enclosures against acoustic attacks, Faraday cages against electromagnetic attacks, isolation enclosures against chassis and touch attacks, and photoelectric isolation or fiber optic splicing against ‘far end of the cable’ attacks.” said the experts.
The researchers provided recommendations on how to prevent this kind of side-channel attack, specifically suggesting the use of acoustic dampening inside the PC.
They also suggest that coders insert “blinding” routines into their software that perform dummy calculations on cryptographic operations, thereby preventing a wide variety of side-channel attacks, including acoustic ones.
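The blinding countermeasure mentioned above, sketched as an added example (not code from the paper or from GnuPG): RSA base blinding, the usual form of this defense, with a constructed toy key and illustrative function names. It shows that the value fed to the private-key exponentiation changes on every call and is never the sender's ciphertext, while the recovered plaintext is unchanged.

```python
import secrets
from math import gcd

# Constructed toy key for illustration (two Mersenne primes); real keys are far larger.
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent


def decrypt_unblinded(c):
    """Textbook decryption: the private-key exponentiation runs directly on
    the ciphertext, so whoever chooses c chooses what the CPU computes on."""
    exponentiated = c
    return pow(exponentiated, D, N), exponentiated


def decrypt_blinded(c):
    """Base blinding: multiply c by r^E for a fresh random r, exponentiate,
    then strip r. The private-key operation never sees c itself."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:                   # r must be invertible mod N
            break
    exponentiated = (c * pow(r, E, N)) % N
    m_times_r = pow(exponentiated, D, N)     # (c * r^E)^D = m * r (mod N)
    m = (m_times_r * pow(r, -1, N)) % N
    return m, exponentiated


def demo():
    """Decrypt one constructed ciphertext three ways and compare."""
    m = int.from_bytes(b"constructed sample message", "big")
    c = pow(m, E, N)
    plain, seen_plain = decrypt_unblinded(c)
    b1, seen1 = decrypt_blinded(c)
    b2, seen2 = decrypt_blinded(c)
    return {
        "all_plaintexts_match": plain == b1 == b2 == m,
        "unblinded_input_is_ciphertext": seen_plain == c,
        "blinded_input_differs_from_ciphertext": seen1 != c and seen2 != c,
        "blinded_inputs_differ_per_call": seen1 != seen2,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Python's built-in `pow` is not constant-time, so this illustrates the algebra of blinding only; a production library applies the same step inside a side-channel-hardened implementation.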
June 2016 – Fansmitter – Exfiltrating data from Air-Gapped devices via fan sounds
Researchers at Ben-Gurion University of the Negev, led by Mordechai Guri, have once again introduced an acoustic method of data exfiltration that uses a mobile phone placed near a target machine to monitor computer fans (i.e. CPU and chassis fans), hence the technique was named Fansmitter.
The experts have developed malicious code capable of controlling a device’s fans to exfiltrate data, a technique that allows bits of data to be sent to a mobile phone or other nearby computer equipped with a microphone.
“Past research has shown that malware can infiltrate information through an air gap by transmitting audio signals from internal or external desktop speakers,” reads the Fansmitter paper published by the experts.
“Using Fansmitter, attackers can successfully exfiltrate passwords and encryption keys from an air-gapped computer without speakers to a mobile phone in the same room from different distances,” the researchers wrote in their paper. “In addition to desktop computers, our method is applicable to other types of silent devices that are equipped with cooling fans (various types and sizes of fans), such as printers, control systems, embedded devices, IoT devices, and more.”
Tests conducted by the team show that the researchers are able to analyze the frequency and strength of the acoustic noise emitted by the fans, which depends on the revolutions per minute (RPM). The malware developed by the researchers is able to control the rotation of the fan producing specific sounds that are associated with binary digits (0,1).
The noise produced by the fan is in the range of 100-600 Hz. This range of noise is audible to humans, so to avoid detection, researchers can instruct malware to transmit data during hours when no one is in the room.
The experts used a regular Dell desktop computer with CPU and chassis fans for their test session, and the sounds were captured by a Samsung Galaxy S4 smartphone. It is interesting to note that the experts performed the test in the presence of background noise produced by other computers in their laboratory and by the air conditioning system.
The results were very interesting: the experts transmitted 3 bits per minute using low frequencies (1000 RPM for “0” and 1600 RPM for “1”) over a distance of one meter, that is, each character of the password or encryption key could be sent in just three minutes.
By increasing the frequency in the Fansmitter, it is possible to achieve a better transmission speed. For example, using a rotation range of 2000-2500 RPM, the experts transmitted 10 bits per minute over a distance of four meters. At 4000-4250 RPM, the team transmitted 15 bits per minute over a distance of one meter.
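A defender's view of the two-level fan keying described above, as an added example (not code from the Fansmitter paper): it flags fan telemetry in which the speed steps repeatedly between distinct levels while the CPU temperature stays flat, and estimates the symbol period from the spacing of the steps. The sample traces, field names and thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from functools import reduce
from math import gcd


@dataclass
class Sample:
    t: int          # seconds since start of capture
    rpm: int        # fan speed reported by the hardware monitor
    temp_c: float   # CPU temperature at the same instant


def rpm_transitions(samples, min_jump=300):
    """Timestamps at which fan speed steps by at least min_jump RPM."""
    return [b.t for a, b in zip(samples, samples[1:])
            if abs(b.rpm - a.rpm) >= min_jump]


def analyse_fan_trace(samples, min_jump=300, min_transitions=4, max_temp_span=3.0):
    """Flag repeated large RPM steps that the temperature trace does not explain.

    Thresholds are assumptions for this example and need tuning per machine.
    """
    steps = rpm_transitions(samples, min_jump)
    temps = [s.temp_c for s in samples]
    temp_span = max(temps) - min(temps) if temps else 0.0
    gaps = [b - a for a, b in zip(steps, steps[1:])]
    # On a fixed sampling grid, keyed data switches on multiples of one symbol time.
    period = reduce(gcd, gaps) if gaps else None
    flagged = len(steps) >= min_transitions and temp_span <= max_temp_span
    return {"flagged": flagged, "transitions": len(steps),
            "temp_span": temp_span, "symbol_period_s": period}


def keyed_trace():
    """Constructed: 1000/1600 RPM keying at 20 s per bit, idle CPU, 10 s sampling."""
    bits = [1, 0, 1, 1, 0, 1]
    rpms = [1600 if b else 1000 for b in bits for _ in range(2)]
    return [Sample(t=i * 10, rpm=r, temp_c=45.0 + 0.5 * (i % 2))
            for i, r in enumerate(rpms)]


def load_spike_trace():
    """Constructed: ordinary load spike, fan follows a 24 degree temperature swing."""
    rpms = [1000, 1000, 1000, 1600, 1650, 1700, 1700, 1650, 1600, 1500, 1400, 1300]
    temps = [45, 46, 58, 66, 68, 69, 68, 66, 63, 60, 57, 54]
    return [Sample(t=i * 10, rpm=r, temp_c=float(c))
            for i, (r, c) in enumerate(zip(rpms, temps))]


if __name__ == "__main__":
    for name, trace in (("keyed", keyed_trace()), ("load spike", load_spike_trace())):
        print(name, analyse_fan_trace(trace))
```

The 20-second symbol period recovered from the keyed trace corresponds to the 3 bits per minute reported for the 1000/1600 RPM setting.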
July 2016 – DiskFiltration – Hacking air gaps using acoustic signals
DiskFiltration is a hacking technique invented by a group of researchers at Ben-Gurion University.
A team consisting of experts Mordechai Guri, Yosef Solewicz, Andrei Daidakulov and Yuval Elovici has devised a method to steal data from isolated networks based on acoustic signals emitted from computer hard drives.
The experts published a paper titled “Disk Filtering: Exfiltrating Data from Speakerless Computers Through Hidden Hard Drive Noise,” which provides a detailed analysis of the technique.
DiskFiltration relies on interpreting the sounds made by hard drives during the movements of the actuator, the arm that accesses specific parts of the drive and allows data to be read or written.
Actuator movements are called “seek operations”. The noise produced when data is accessed can be analyzed to discover the contents being accessed on the hard drive, including passwords and cryptographic keys.
The researchers also released a Proof-of-Concept video of the method.
The experts conducted several tests to analyze the effectiveness of the DiskFiltration technique. They demonstrated that the attack method was effective at a range of six feet and could be used to transmit 180 bits per minute, a rate that could allow a 4096-bit key to be exfiltrated in about 25 minutes.
The DiskFiltration technique is effective: tests have shown that it works even when the hard drive is using an acoustic noise reduction system. The only problems noted by the experts arose in the presence of occasional noise from other running processes, which can sometimes interfere with the exfiltration technique.
“Because our hidden channel is based on HDD activity, random file operations by other running processes can interfere with transfers and interrupt them.” the researchers wrote in their paper.
The following table lists countermeasures to mitigate a DiskFiltration attack (hardware, software, and procedural measures)
August 2015 – USBee Exfiltrates Data from Air-Gapped Networks Via Electromagnetic Emissions from USB
Mordechai Guri, head of R&D at Ben-Gurion’s Cyber Security Center and chief scientific officer at Morphisec Endpoint Security, and his team have devised a new technique called USBee for hacking air-gap networks and exfiltrating information.
Israeli researchers exploited a hidden channel through the electromagnetic emission from a USB. The USBee technique uses USB connectors implanted with RF transmitters to steal sensitive data.
In this scenario, the USBee application is installed on the affected computer. An attacker exploits a USB flash drive already connected to a computer and creates a high-frequency short-range data-modulated transmission. At the other end of the communication, the transmitted data is received by a nearby receiver and decoded.
“In recent years, researchers have shown how attackers could use USB connectors implanted with RF transmitters to exfiltrate data from secure, and even air-gapped, computers (e.g. COTTONMOUTH in the leaked NSA ANT catalog). Such methods require hardware modification of the USB connector or device, which has a dedicated RF transmitter built into it.” reads the introduction to the paper published by the experts. “In this paper, we present USBee, software that can use an unmodified USB device connected to a computer as an RF transmitter. We show how the software can intentionally generate controlled electromagnetic emissions from the data bus of a USB connector. We also show that transmitted RF signals can be controlled and modulated with arbitrary binary data. We implement a USBee prototype and discuss its design and implementation details, including signal generation and modulation. We evaluate the transmitter by building a receiver and demodulator using GNU Radio. Our evaluation shows that USBee can be used to transmit binary data to a nearby receiver in a bandwidth of 20 to 80 BPS (bytes per second).”
The researchers found that transmitting a sequence of “0” bits into a USB port generates a detectable emission between 240 MHz and 480 MHz. The researchers exploited this mechanism by sending data from a compromised computer to a USB device to create a controllable EMR that can transmit modulated data. They used a nearby RF receiver to receive the EMR and decode the information.
Guri and his team were able to exfiltrate 80 bytes per second using this technique, a transfer rate that would allow an attacker to send a 4096-bit encryption key in less than 10 seconds, which is very interesting when hacking air-gapped networks compared to other hacking techniques.
The experts explained that using this algorithm it is possible to create a basic carrier wave:
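    typedef unsigned int u32;   /* 32-bit word, as used in the listing */
    inline static void fill_buffer_freq(u32 *buf, int size, double freq)
    {
        int i = 0;
        u32 x = 0;
        double t = freq / 4800 * 2;
        for (i = 0, x = 0x00000000; i < size * 8; i++) {
            x = x << 1;
            if ((int)(i * t) % 2 == 0)   /* alternate runs of 1s and 0s */
                x++;
            if ((i % 32) == 31) {        /* 32 bits collected: store the word */
                *(buf++) = x;
                x = 0x00000000;
            }
        }
    }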
The transfer starts when the application writes the byte pattern generated by fill_buffer_freq to any data block on the USB device; the application only requires permission to create a file on the device.
“The actual data transfer is done by writing the byte pattern generated by fill_buffer_freq to any data block or stream in the USB device. For our purposes, we used a temporary file in the file system of the USB flash drive. The transfer process does not require special permissions (e.g. root or admin). It only requires permission to create a file on a removable device.” reads the paper.
The researchers also released a PoC video of the attack that shows data being exfiltrated by a $30 laptop with a radio antenna from about 15 feet away.
An Air-gapped network still represents a strict security measure when it is necessary to isolate a system from the Internet to preserve it and the data it manages, typical applications being military networks and industrial control system architectures.
Unfortunately, a persistent attacker could bypass the security measures in various ways, for example by infecting the network with a USB key, as happened with the Stuxnet virus or the Fanny tool used by the Equation Group APT.
The methods described show that an attack against a system isolated from the Internet is possible.
Nothing is completely safe!