Researchers demonstrate how data can be stolen from isolated “air-gapped” computers

Published 31 August 2016

Researchers at the Ben-Gurion University of the Negev (BGU) Cyber Security Research Center (CSRC) have demonstrated that an unmodified USB connected to a computer with malicious code can be used to steal data from infected and even “air-gapped” computers.

Air-gapped computers are isolated — separated both logically and physically from public networks — ostensibly to prevent their being hacked over the Internet or within company networks.

The American Associates, Ben Gurion University of the Negev (AABGU) says that the research team developed software it calls “USBee” to generate controlled radio frequency (RF) electromagnetic emissions from the data bus of a USB connector. They also reported in a paper that the emitted RF signals can be controlled and modulated with arbitrary binary data.

“Our evaluation shows that USBee can be used for transmitting binary data to a nearby receiver at a bandwidth of 80 bytes per second,” the researchers explain. “An RF antenna will capture electromagnetic waves from a USB to receive and exfiltrate small bits of data, such as security keys and passwords, up to 30 feet (10 meters) away from the air-gapped computer.”

“Unlike previous covert channels based on USB, our method doesn’t require firmware or modification of the USB’s hardware that creates an opportunity for attackers,” says Mordechai Guri, head of research and development at the CSRC and chief science officer at Morphisec Endpoint Security Solutions.

“Air-gap isolation is considered to be a hermetic security measure which can prevent data leakage,” Guri told Ars Technica. “Confidential data, personal information, financial records and other types of sensitive information are stored within isolated networks. We show that despite the degree of isolation, the data can be exfiltrated (for example, to a nearby smart phone).”

As a countermeasure, the researchers recommend a “zone” approach: defining areas or zones around these computers in which RF receivers are prohibited. Insulating partition walls may also help to reduce the distance at which the signal can be received if a dedicated hardware receiver is used.

This is the latest threat the BGU cyber team has uncovered related to what are supposed to be secure, air-gapped computers. Earlier this year, the researchers successfully collected data transmitted via noise from a computer fan as well as from acoustic signals emitted from a computer hard drive.

In addition to Mordechai Guri, other BGU researchers involved in this research include Matan Monitz, a BSc student in computer science and philosophy; and Prof. Yuval Elovici, director of the CSRC, member of BGU’s Department of Software and Information Systems Engineering and director of the Deutsche Telekom Innovation Laboratories at BGU.

— Read more in Mordechai Guri et al., “DiskFiltration: Data Exfiltration from Speakerless Air-Gapped Computers via Covert Hard Drive Noise,” arXiv:1608.03431 [cs.CR] (11 August 2016).