Mind the Gap
October 31, 2014 7:58 AM

We used to think that the ultimate in security was a stand-alone (that is, off the network) computer, sort of like a room with no doors. How can an attacker get in if there's no way to get in? Such computers are referred to as air-gapped. But as early as 1985, it became clear that we might be able to read the contents of a monitor screen from the next room using Van Eck phreaking (dramatized by Neal Stephenson in Cryptonomicon). Now it appears things are even worse.

It should be obvious that inserting any USB device into your ultra-secure air-gapped system is not a good idea. And it won't surprise anyone that the NSA can read what's on your computer using expensive radar equipment. But now a group of top Israeli cryptographers including Adi Shamir (the "S" in "RSA") has recently explained that it is possible to use a humble all-in-one printer with a built-in scanner (available for less than $100 at Walmart) to infiltrate an air-gapped system and steal sensitive data. PCWorld called it an "utterly crazy hack," but it will probably be administrators of such systems who will be going crazy.
posted by ubiquity (49 comments total) 31 users marked this as a favorite
 
But the researchers found that if a multifunction printer is attached to such a computer, attackers could issue commands to a malicious program running on it by flashing visible or infrared light at the scanner lid when open.

This is, indeed, an utterly crazy hack. I'm really intrigued and kind of tempted to blow off work for a month and try to reproduce it.

But why would your airgapped super-sensitive computer be (1) connected to a printer and (2) placed in line of sight of potential lasers?
posted by dis_integration at 8:06 AM on October 31, 2014 [9 favorites]


As a sysadmin who despises printers and MFPs, this really is the scariest, craziest thing I expect to hear on this year's Halloween. :7(
posted by wenestvedt at 8:13 AM on October 31, 2014 [4 favorites]


Lots of MFPs will hold scans or spooled print jobs on their hard drives, so a direct-attached PC isn't necessary here if you can get the device to cough up data it is holding.
posted by wenestvedt at 8:15 AM on October 31, 2014 [1 favorite]


But why would your airgapped super-sensitive computer be (1) connected to a printer

Can't speak to the second point, but this makes sense. If we know that it's bad to put usb keys into an airgapped computer, and you want to use the computer to, say, type confidential reports (which is a pretty good reason), then you kind of need a printer. How else do you get the file from the computer to paper?
posted by Lemurrhea at 8:16 AM on October 31, 2014 [2 favorites]


This is because I use Wi-Fi, so the computer doesn't have any cords running to sensitive outlets.

I do this as well. The only thing I plug my iPhone or iPad into is the electrical outlet. As for sensitive information, I store all that in the cloud, which as the name indicates isn't attached to anything, it just floats around in the sky above my house.
posted by valkane at 8:27 AM on October 31, 2014 [29 favorites]


Couldn't you communicate to the computer using fluctuations in the power supply? Unless the computer is solar-powered, then you would only need to have COMPLETE CONTROL OVER THE OUTPUT OF THE SUN.
posted by blue_beetle at 8:28 AM on October 31, 2014 [7 favorites]


To keep myself safe from data leaks, I make life choices so that any identity thief would actually lose money. Have fun paying my student loans, hackers!
posted by mccarty.tim at 8:30 AM on October 31, 2014 [67 favorites]


See, that's why cloud storage is so superior. BECAUSE CLOUDS CAN BLOCK THE SUN.
posted by valkane at 8:30 AM on October 31, 2014 [12 favorites]


Or control of the window shade in the room.
posted by ardgedee at 8:30 AM on October 31, 2014 [1 favorite]


This is kinda almost pointless. This is about controlling an air gapped computer....that's already been infected by malware.
posted by I-baLL at 8:31 AM on October 31, 2014 [5 favorites]


And clouds are air gapped.
posted by Kabanos at 8:31 AM on October 31, 2014 [1 favorite]


The team used a blue laser that blinks malware in binary code, the data were sent by the researchers from a distance greater than 1 kilometer away, and according to the experts the range could reach as high as 5 kilometers.

But....through walls and stuff? I'm sitting in an office that has no windows or doors to the outside, so if for some reason I had a super-secure air-gapped computer in here, the drone blinking malware from over at the SLAC campus would be doing so pointlessly, wouldn't it? Or do blue laser beams go through walls?
posted by rtha at 8:35 AM on October 31, 2014 [1 favorite]


This is kinda almost pointless. This is about controlling an air gapped computer....that's already been infected by malware.

This is remote C&C for a compromised system - kind of a big deal.
posted by Slap*Happy at 8:37 AM on October 31, 2014 [4 favorites]


There's a pretty cool presentation about how you can do some interesting RF-based surveillance stuff with a generic TV tuner dongle which actually has an SDR (software defined radio) chip inside it, from @0xabad1dea.

Video
Slides

The same dongles can also be used as a cheap shortwave radio, as well.
posted by mccarty.tim at 8:37 AM on October 31, 2014 [11 favorites]


I'm imagining a fictional past in the 80's, when spies would hack dot matrix printers to send morse code which could be heard in the next room. And then they would get bored and do this.
posted by Kabanos at 8:40 AM on October 31, 2014 [8 favorites]


Clouds are so incredibly air gapped they're made mostly of air.
posted by NoraReed at 8:41 AM on October 31, 2014 [5 favorites]


Well the Cylons are totally going to get us now.
posted by latkes at 8:45 AM on October 31, 2014 [2 favorites]


Get some curtains and close them
posted by Damienmce at 8:51 AM on October 31, 2014 [1 favorite]


I'm reminded of a fictional future imagined in the 1960s where sentient machines would communicate through an air gap and walls of steel, concrete, rubber and I think cork - but I won't spoil the ending of the story of Doctor Diagoras.
posted by hat_eater at 8:53 AM on October 31, 2014


Just cover your scanner with zinc oxide ointment. It's been keeping lifeguards' noses safe from light-based attacks for years.
posted by mccarty.tim at 8:55 AM on October 31, 2014 [2 favorites]


Well the Cylons are totally going to get us now.

They have a plan. Which apparently involves Androids.
posted by a lungful of dragon at 9:02 AM on October 31, 2014 [2 favorites]


"This is remote C&C for a compromised system - kind of a big deal."

It's kinda ridiculous. I'll explain:

As this article points out:

http://www.bankinfosecurity.com/black-hat-europe-beware-air-gaps-a-7442/op-1:

This is for airgapped networks.


Okay, so, to use their method you need to first: install malware on a computer in the airgapped network and then install malware on a multifunction printer on the airgapped network.

The mfc must have its scanner facing the window and you must have clear line-of-sight to that window and scanner. So then you send laser pulses to the scanner and the scanner detects it and sends commands to the infected pc.

But, like the PC World article points out, getting data out of the airgapped network is harder: the researchers had to fly a drone next to the window to record the pulses of light.

This is completely pointless. If you can get the initial computer and mfc infected while they're airgapped then you can also bridge the airgap especially if you're willing to fly drones right outside of their windows.
posted by I-baLL at 9:04 AM on October 31, 2014 [7 favorites]


They have a plan.

They really didn't. By season three, it was pretty obvious they were just pulling it out of their perfectly convincing asses.
posted by Naberius at 9:11 AM on October 31, 2014 [10 favorites]


This is completely pointless. If you can get the initial computer and mfc infected while they're airgapped then you can also bridge the airgap especially if you're willing to fly drones right outside of their windows.

Well, that and if you're going through the huge pain in the ass that is air gapping, then you're probably also in a windowless room. Because, you know, opsec.

This really seems sensationalized.
posted by indubitable at 9:14 AM on October 31, 2014 [5 favorites]


So, like...what do you even do with an air-gapped PC? No data ever gets on or off, save by typing and maybe printing?
posted by Steely-eyed Missile Man at 9:18 AM on October 31, 2014


To-do list item: light-blocking shades for the Faraday Cage.

No data ever gets on or off, save by typing and maybe printing?

Highly controlled data transfer via external eSATA drives (you've already epoxied the USB ports -- good thing you saved the tube from when you used to epoxy the firewire ports.) And, yes, that poses risks. Everything poses risks, but along with care to sanitize the data, it would make for a really substantially reduced attack surface area compared to a machine being on the net.
posted by Zed at 9:32 AM on October 31, 2014 [3 favorites]


Or do blue laser beams go through walls?

If an infection was able to pass through the wall to device B from device A - say by way of an infected USB token - then odds are elevated that more data will pass from A to B and from B to A. So, over a sufficiently long time frame (days / weeks / months) you might have a sort of network between A and B.

If A happens to have a multifunction printer attached, and that printer happens to be by a window, then that printer becomes an access point for the "network" between A and B.

It would probably be very slow and unreliable. But if somebody cares enough about the security of B to air-gap it, then an attacker may care enough about B to be very patient.

Is this a plausible attack as described? Probably not. But it's the sort of thing that makes ya think about other ways to do it.
posted by wotsac at 9:43 AM on October 31, 2014 [1 favorite]


So like...what do you even do with an air-gapped PC? No data ever gets on or off, save by typing and maybe printing?

From a position of someone who is in the business of knowing about these things but has very little understanding of IT terminology, this is how it works, as far as I can tell:

* If you need to transfer a piece of data off of an air-gapped PC, you need to write it to a physically removable piece of media like a CD or DVD-R.

* If you want to move a piece of data onto an air-gapped PC, first you need to transfer it to a secure network location so it can be analyzed by your (presumably in-house) IT security specialists, who will then move it over to the air-gapped PC using a unidirectional network connection or -- this is real -- printing it out and manually re-keying it onto the secured system. And of course, all of this is only done after the data goes through a lengthy series of checks and tests to verify that everything is nice and virus-free.

Air gaps are designed for use in highly controlled and classified environments, like those often found at military installations and defense contractors. It seems pretty clear that they're not nearly as secure as their designers intend them to be, but that's the basic gist.
posted by divined by radio at 9:55 AM on October 31, 2014 [7 favorites]


From the same team: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis

tl;dr: If you put a microphone (say, a smartphone) close to another computer, and you're able to control what it's encrypting/decrypting (say by sending it specially crafted emails) you can extract its secret keys just by listening to it for a couple of hours.
posted by RobotVoodooPower at 10:02 AM on October 31, 2014 [3 favorites]


Okay, so, to use their method you need to first: install malware on a computer in the airgapped network and then install malware on an multifunction printer on the airgapped network.

The original malware will have the compromised device driver as part of its payload. The laser and reader can be used through a window, sure - and they suggested a drone to get a better vantage point, but really. Anywhere line-of-sight with the printer will work. Lasers and optical cameras with network capability of some sort (cellular, wifi, private radio, another laser to the window) are very, very tiny these days.

Now, this isn't something you need to worry about if you work in a typical corporate environment - does anyone air-gap anything in the enterprise these days? - but if you work with incredibly sensitive data that needs to be run through analysis to support incredibly important decisions, like Billion-with-a-B investment decisions, or go-to-war-or-don't decisions, you may well have an air-gapped network. (Not many standalone computers doing this stuff - even mainframes need support systems).

Congratulations! You are now a target of APT. (Advanced, Persistent Threat - state actors and/or organized crime, usually) You just are, accept it. The attacks will be multi-pronged, concerted, and co-ordinated over many different iterations. First they will go after the software dev and systems integrator, so they know what the underlying system is, and what the application looks like and what kind of schema it's expecting and what kind of output it gives. They'll use this to craft the malware, and analyze the hygiene of your air-gapped network, looking for an opportunity to plug a USB device in somewhere. Like, say, a PC with a multi-function printer attached used for data entry and formatting reports. Fabulous! A bit of social engineering, and you can deliver the payload to one of the USB ports on the thing. (My favorite is the old "send what looks like an ordinary USB cable with the system integrators' logo and instructions to swap out the one between the PC and printer to prevent downtime, as the current one is from a bad batch" trick.)

Now, how to tell what's going on with the data you want to look at? How can you alter it to affect the outcome of that incredibly important decision? Is the administrative PC's printer near a window? Done.

More, this is interesting in the notion of other side-band attacks. Do fax-printers have built-in microphones? Some used to - maybe one still deployed in a sensitive application. Doesn't matter if there's no phone connection, a compromised system nearby, like a burner smartphone dropped in the room someplace, can use a compromised fax printer with a handset to send and receive data using ultrasonic communication.

Even if this particular attack is improbable, it opens up a wide vista of security concerns we didn't have to think about before, and new items to audit. What peripherals are associated with your airgapped network? Are any of them near a window or otherwise visible from an unsecured space? Yikes.
posted by Slap*Happy at 10:10 AM on October 31, 2014 [18 favorites]


Air gaps are designed for use in highly controlled and classified environments, like those often found at military installations and defense contractors

Well, that and if you're going through the huge pain in the ass that is air gapping, then you're probably also in a windowless room. Because, you know, opsec

Air gap doesn't have to mean super secure spook/defense stuff associated with other layers of security that makes this attack totally pointless. I've worked on air gapped systems containing assets from multiple movie studios. Our new office had big floor-to-ceiling windows covering about 180 degrees, and I found malware on the systems once (probably caught via USB stick).

There were also teams of people working to break into our systems, who were willing to spend 6 figures to do it. Something along the lines of this attack might have worked well for them.
posted by jjwiseman at 10:21 AM on October 31, 2014 [3 favorites]


This is kinda almost pointless. This is about controlling an air gapped computer....that's already been infected by malware.

Getting malware on an air-gapped machine doesn't give you the sensitive data. You still need to get the data out.
posted by jjwiseman at 10:23 AM on October 31, 2014 [2 favorites]


"Getting malware on an air-gapped machine doesn't give you the sensitive data. You still need to get the data out."

Exactly, and this method doesn't do it.
posted by I-baLL at 10:29 AM on October 31, 2014


I-baLL, taking the article at face value, it says "The syphoned data could be sent back to the attacker with the same scanner that has read the code, it could transform data in blinks of light which is captured by a small drone equipped with a video camera. According to the researchers it is possible to record the light representing the data from a height of 100 meters."
posted by jjwiseman at 10:34 AM on October 31, 2014


They have a plan. Which apparently involves Androids.

No probs babee, I'm running Cyanogenmod.
posted by Lentrohamsanin at 10:43 AM on October 31, 2014 [2 favorites]


Oh look, security researchers found a way to use grant money to buy a drone to play with.
posted by heathkit at 10:50 AM on October 31, 2014 [4 favorites]


jjwiseman: The PC World article goes a bit more into this:
    " The researchers also found a way for the malware to send data back to the attackers by using the light produced by the scanner itself. Since the malware can initiate and cancel scanning operations, attackers can derive information from the amount of time the scanner’s light is on and reflects off the opened lid. This is not as efficient as receiving commands, but can be used to exfiltrate a few bits of data at a time. The operation can be repeated to eventually exfiltrate critical information, like encryption keys, Shamir said. Detecting the light generated by the scanner from far away would require very sensitive equipment and if the computer is located in an office on a higher floor, the attacker would have a hard time getting good visibility. This can be solved by using a quadcopter drone to get closer and observing the scanner from a better angle, Shamir said. "
So basically it can output a few bits of data at a time to be captured by drone flying outside the window. This is not too useful. If you're going to use drones to get very close to the property you may as well break in and tap the line using a pwn plug or something to that effect.
posted by I-baLL at 10:50 AM on October 31, 2014
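
The two optical channels the thread has been describing (I-baLL's summary of the inbound laser-to-scanner path, and the PCWorld passage quoted just above on exfiltration via scan-lamp on-time) can be simulated end to end. The block below is an added illustration written for this page; it is not code from the researchers, from PCWorld, or from any commenter. It models the scanner as something that samples the light on its open bed along a line, so blink timing becomes pixel intensity, and models the outbound side as one scan job per bit, where a long scan means 1 and a cancelled-early scan means 0. The preamble, samples-per-bit, scan durations, noise levels and the assumed gap between scan jobs are all hypothetical parameters chosen for the simulation, not figures from the paper.

```python
# Added simulation of the optical covert channels discussed in the thread.
# Constructed example: no real scanner, laser or drone is involved, and every
# parameter below (preamble, samples per bit, lamp-on times, noise) is an assumption.
import random
from typing import List, Optional

PREAMBLE = [1, 0, 1, 0, 1, 1]        # assumed sync pattern so the decoder can find the frame
SAMPLES_PER_BIT = 8                  # assumed: scanner pixels covered by one blink period
LONG_SCAN, SHORT_SCAN = 3.0, 1.0     # assumed seconds of lamp-on time for bit 1 / bit 0
JOB_GAP = 10.0                       # assumed idle seconds between scan jobs (avoid suspicion)


def bytes_to_bits(data: bytes) -> List[int]:
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def bits_to_bytes(bits: List[int]) -> bytes:
    """Pack complete bytes only; trailing partial bits (dark bed after the frame) are dropped."""
    whole = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, whole, 8))


# ---- inbound channel: laser blinks -> scanner bed -> malware on the PC ----

def encode_command(payload: bytes) -> List[int]:
    """Frame a command as preamble + payload, one blink period per bit."""
    return list(PREAMBLE) + bytes_to_bits(payload)


def blink_to_scanline(bits: List[int], *, samples_per_bit: int = SAMPLES_PER_BIT,
                      noise_sd: float = 20.0, lead: int = 20, seed: int = 1) -> List[int]:
    """Model the scanner sampling the lit bed: 8-bit intensities, ambient offset, Gaussian noise."""
    rng = random.Random(seed)

    def sample(level: float) -> int:
        return max(0, min(255, int(level + rng.gauss(0, noise_sd))))

    line = [sample(30) for _ in range(lead)]                      # dark bed before the first blink
    for bit in bits:
        line += [sample(220 if bit else 30) for _ in range(samples_per_bit)]
    return line + [sample(30) for _ in range(lead)]               # dark bed after the frame


def decode_scanline(line: List[int], *, samples_per_bit: int = SAMPLES_PER_BIT) -> Optional[bytes]:
    """Threshold, lock on to the first sustained bright run, majority-vote each bit window."""
    threshold = (max(line) + min(line)) // 2
    hi = [1 if v > threshold else 0 for v in line]
    need = samples_per_bit // 2
    start = next((i for i in range(len(hi) - need) if all(hi[i:i + need])), None)
    if start is None:
        return None                                               # nothing blinked at us
    bits = []
    for i in range(start, len(hi) - samples_per_bit + 1, samples_per_bit):
        window = hi[i:i + samples_per_bit]
        bits.append(1 if sum(window) * 2 > len(window) else 0)
    if bits[:len(PREAMBLE)] != PREAMBLE:
        return None                                               # not our framing
    return bits_to_bytes(bits[len(PREAMBLE):])


# ---- outbound channel: malware scan jobs -> lamp on-time -> camera outside ----

def exfil_to_scan_durations(data: bytes) -> List[float]:
    """One scan job per bit: let the lamp run LONG_SCAN s for a 1, cancel after SHORT_SCAN s for a 0."""
    return [LONG_SCAN if b else SHORT_SCAN for b in bytes_to_bits(data)]


def observe_lamp(durations: List[float], *, jitter_sd: float = 0.2, seed: int = 2) -> List[float]:
    """Model a camera timing the lamp from outside: each on-time is seen with timing jitter."""
    rng = random.Random(seed)
    return [max(0.0, d + rng.gauss(0, jitter_sd)) for d in durations]


def decode_scan_durations(observed: List[float]) -> bytes:
    cut = (LONG_SCAN + SHORT_SCAN) / 2
    return bits_to_bytes([1 if d > cut else 0 for d in observed])


def exfil_time_seconds(n_bytes: int) -> float:
    """Worst-case wall-clock time to leak n_bytes at one bit per scan job (all bits 1)."""
    return 8 * n_bytes * (LONG_SCAN + JOB_GAP)


if __name__ == "__main__":
    cmd = b"DUMPKEY"
    print("inbound :", decode_scanline(blink_to_scanline(encode_command(cmd))))
    key = bytes(range(16))                                        # constructed stand-in for a 128-bit key
    print("outbound:", decode_scan_durations(observe_lamp(exfil_to_scan_durations(key))).hex())
    print("worst-case seconds to leak it:", exfil_time_seconds(16))
```

The numbers that fall out are the point of the exercise: at one bit per scan job and a ten-second gap between jobs, a 16-byte key leaves the building in under half an hour of intermittent scanning, which is why "a few bits at a time" is not the comfort it sounds like. Closing the lid, as suggested later in the thread, removes the inbound channel in this model, but the outbound timing channel only needs the lamp to be observable.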


So basically it can output a few bits of data at a time to be captured by drone flying outside the window.

Or web camera on a non-airgapped system nearby. Or taped to the window by a soc-eng attack on the window cleaning crew. Look, it's all unlikely and improbable. Until it bites you in the ass, then people want to know why you had a multi-func scanner/printer attached to an airgapped network. Nobody in infosec ever got fired for having an overdeveloped sense of "what if...?"
posted by Slap*Happy at 11:21 AM on October 31, 2014 [4 favorites]


This is great in theory, but if an attacker is willing to spend the amount of money and effort to do something like this, the easiest vector for attack is still the human operator. Really, I'm with others thinking this is sensationalization. Good opsec processes and procedures easily protect you from this type of attack at least.
posted by herda05 at 11:51 AM on October 31, 2014


So basically it can output a few bits of data at a time to be captured by drone flying outside the window. This is not too useful.

If you can get my encryption keys, even if it's at a very slow rate and it takes you a week, that's a very useful thing.

If you're going to use drones to get very close to the property you may as well break in

Breaking into a facility seems pretty different from looking through a window, in terms of difficulty and risk.
posted by jjwiseman at 11:55 AM on October 31, 2014 [2 favorites]


If you're flying a drone outside of a window and the scanner is suddenly scanning randomly by itself then you might be not caring about risk.

Also, if you're shining a laser that can damage human vision into a window while people are scanning then you also don't care about risk. If you're shining an infrared laser into a window from a drone close to the window then you also might not care about risk.

That's what it seems like to me, at least.

Also, most secure places will have their windows protected as lasers can be used to "listen" to the vibrations from a window to spy on conversations inside. The technology is cheap and a semi-effective version of this can be made using less than 10 dollars in parts (plus a laptop or a smartphone).
posted by I-baLL at 12:05 PM on October 31, 2014 [1 favorite]


"How to make a laser listener"
posted by I-baLL at 12:07 PM on October 31, 2014


I meant risk to the perpetrators. That is, the risk of getting caught, being shot, or getting prison time--which I would guess is at least an order of magnitude greater for breaking into an office vs. shining a laser into a window. And from the article, it doesn't seem that a laser is required--It's just for command & control of the malware, which could be designed to be totally autonomous.
posted by jjwiseman at 12:24 PM on October 31, 2014


This hack reduces to "with careful site preparation a scanner can be used as a low-bandwidth input device". A headset left plugged in would be a lot easier to exploit; low frequency noise carries very well through windows and can be disguised as something else, such as workmen operating heavy equipment.
posted by George_Spiggott at 3:45 PM on October 31, 2014


jjwiseman: Air gap doesn't have to mean super secure spook/defense stuff associated with other layers of security that makes this attack totally pointless. I've worked on air gapped systems containing assets from multiple movie studios.

My employer is a very large premedia vendor that has a secretive consumer electronics company as a client. I've been told that our people are sometimes required to work in an air-gapped studio to prevent product images and retail graphics from being leaked ahead of product launches. (Our office just knows what the new flavors of cereal will be.)
posted by nathan_teske at 4:29 PM on October 31, 2014 [1 favorite]


From a position of someone who is in the business of knowing about these things but has very little understanding of IT terminology, this is how it works, as far as I can tell:

You missed the bit where senior management get the data emailed to their fucking blackberries.
posted by fullerine at 6:41 PM on October 31, 2014 [7 favorites]


From the PCWorld link: "But the researchers found that if a multifunction printer is attached to such a computer, attackers could issue commands to a malicious program running on it by flashing visible or infrared light at the scanner lid when open. " (emphasis mine)

So close the damn lid on the scanner!
posted by InsertNiftyNameHere at 9:28 PM on October 31, 2014


If you have sufficient control over a system to connect to a printer and initiate a scan job, why wouldn't you just make the screen display the information you want? If you don't have line-of-sight to the screen, you could just make it flash in binary code. I bet that's easier than flying an effing drone up to the window to catch one bit transmitted per scan job.
posted by Joe in Australia at 5:41 AM on November 1, 2014


I don't even believe it.
(Eye of the Tiger) You can tell by the pixels. Autotune, obviously.
posted by glasseyes at 8:06 AM on November 1, 2014




This thread has been archived and is closed to new comments