What is Air Gapping and is it Effective?

As the world has evolved, technology has become humanity's default way of automating processes. That is perhaps why humans are described as technological beings: most assets and information in our 21st-century world are stored in digital form, and some of it is protected by computer systems known as air-gapped systems. These systems, disconnected from every other network, offer minimal access and strong protection against unauthorized use.

This seeming paradox (minimal access, yet strong security) raises the question: what does air gapping mean?

Air Gap Definition

Rubrik defines air gapping as a security countermeasure that creates an impenetrable barrier between a digital asset and malicious actors. In this definition, malicious actors include hackers, viruses, natural disasters and any other force that threatens a digital asset.

Air gapping is applied to systems or networks that require extra security fortification. Such systems generally include classified military networks, financial networks such as the payment networks that process retailers' credit and debit card transactions, and the industrial control systems that operate critical infrastructure such as nuclear power plants.

Benefits of Air gapping

Air gapping, if performed correctly, offers several benefits, including:

  • Because the isolated data cannot be updated to reflect ongoing changes, it cannot be silently altered either; the trade-off is that the copy becomes stale.
  • Air gapping offers a strong defense against intrusion into a network or system.
  • Air gapping protects digital assets from being destroyed.
  • Air gapping is an excellent way of securing critical infrastructure, providing greater security than conventional network architectures.
  • Air gapping limits the ability of malware to spread.
  • Air gapping improves the odds of recovering from an attack, since the computer or network is protected from any malware circulating on the internet.
  • Air gapping is considered the most reliable way of securing information and data from hackers, simply because there is no connection for them to use.

Limitations of Air gapping

As intriguing as the benefits and potential of air gapping are, it also has setbacks, and the major ones are outlined below:

  • Air gapping requires high implementation and maintenance costs: physically isolating sensitive networks from the internet means paying for standalone servers, routers, switches and the management tools an air gap needs. Software maintenance for these standalone servers is also more time-consuming.
  • Air gapping is not 100 percent secure from attacks: isolation from the internet is not entirely foolproof. Being isolated means users cannot rely on routine security measures such as automatic patching. Physical isolation of sensitive networks from the internet does not guarantee 100% protection, for instance against insider threats or malicious activity from within.
  • Air gapping causes organizations to miss out on valuable data: while air-gapped systems can minimize risk, organizations cannot benefit from the highly valuable data these systems generate. Data analyzed in real time can provide business intelligence to cut costs, reduce downtime and improve efficiency. These opportunity costs weigh against air gapping as a viable cyber security measure.

Threats to Air-gapped computer systems

From the definition of air gapping, it might seem that an air-gapped system is safe from external attacks. However, there are cases where an attacker can still target a disconnected computer. Below are a few threats to air-gapped computer systems.

  • Insider exploitation: an insider threat comes from a member of the organization. Since most disconnected systems are heavily secured, it usually takes an insider to infect one. However, an attacker does not have to be physically present: they can infect a system that is connected to the organization's network, possibly through an accessible USB port, and once the targeted user plugs a USB drive into that infected system and later into the air-gapped one, the malware moves across with it. Even simple worms that spread via removable drives can reach air-gapped computers this way.
  • Data exfiltration: once an air-gapped system is compromised, the attacker still has to get data out of it. One example of how this can be done is through sound, which has been shown to work as a data channel. Determined cybercriminals have also used unconventional channels, such as the infrared capabilities of compromised surveillance cameras, to reach air-gapped systems.
  • Interdiction: the attacker intervenes in the supply chain and places an implant on a device before it is delivered to the intended recipient. For a secured computer system, the opportunity arises whenever the organization procures a new system or requests a spare part from the manufacturer for delivery to the isolated infrastructure. The attacker keeps tabs on the target organization's purchases, intervenes in the supply chain, with or without the manufacturer's knowledge, and diverts the product to a safe house, where implants are fitted to the target system or parts before the delivery continues to the intended recipient.
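The insider and removable-media threat above is usually countered with a gate on whatever is carried across the gap. The following is an added example (not code from the Storware article) of such a gate. It assumes a hypothetical transfer policy: every file brought in must appear in a manifest whose lines are HMAC-authenticated with a key that lives only on the gapped side, only allow-listed extensions are accepted, and autorun files are rejected outright. The key, manifest format and media contents below are all constructed.

```python
"""Import gate for files carried across an air gap on removable media.

Added example for the insider/USB threat described above; it is not code from
the Storware article. It assumes a simple transfer policy (hypothetical): each
file must appear in a manifest whose lines are HMAC-authenticated with a key
that lives only on the gapped side, only allow-listed extensions are accepted,
and autorun files are rejected outright. Removable-drive worms depend on an
unexpected executable or autorun file being copied in, which this gate refuses.
"""
import hashlib
import hmac

# Constructed sample key. In practice it is generated on, and never leaves,
# the gapped host, so only someone with access to it can produce a valid manifest.
TRANSFER_KEY = b"example-key-held-on-gapped-side"
ALLOWED_EXTENSIONS = {".csv", ".txt", ".pdf"}
BLOCKED_NAMES = {"autorun.inf"}


def file_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest_tag(name: str, digest: str, key: bytes = TRANSFER_KEY) -> str:
    """HMAC over name and digest, so a forged or edited manifest line is detectable."""
    return hmac.new(key, f"{name}\n{digest}".encode(), hashlib.sha256).hexdigest()


def build_manifest(files: dict, key: bytes = TRANSFER_KEY) -> str:
    """Manifest format (constructed): one '<name> <sha256> <hmac>' line per file.
    Names must not contain whitespace."""
    lines = []
    for name, data in files.items():
        digest = file_digest(data)
        lines.append(f"{name} {digest} {manifest_tag(name, digest, key)}")
    return "\n".join(lines)


def parse_manifest(text: str) -> dict:
    entries = {}
    for line in text.strip().splitlines():
        name, digest, tag = line.split()
        entries[name] = (digest, tag)
    return entries


def check_import(files: dict, manifest_text: str, key: bytes = TRANSFER_KEY) -> dict:
    """Return {filename: verdict}; verdict is 'accept' or the rejection reason."""
    manifest = parse_manifest(manifest_text)
    verdicts = {}
    for name, data in files.items():
        lower = name.lower()
        ext = "." + lower.rsplit(".", 1)[1] if "." in lower else ""
        if lower in BLOCKED_NAMES:
            verdicts[name] = "reject: blocked filename"
        elif ext not in ALLOWED_EXTENSIONS:
            verdicts[name] = "reject: extension not allow-listed"
        elif name not in manifest:
            verdicts[name] = "reject: not in manifest"
        elif not hmac.compare_digest(manifest[name][1], manifest_tag(name, manifest[name][0], key)):
            verdicts[name] = "reject: manifest entry not authentic"
        elif file_digest(data) != manifest[name][0]:
            verdicts[name] = "reject: content does not match manifest"
        else:
            verdicts[name] = "accept"
    for name in manifest:  # listed but absent from the media is also worth reporting
        verdicts.setdefault(name, "missing: listed in manifest but not on media")
    return verdicts


# Constructed sample media: two sanctioned files plus what a USB worm might add,
# with one sanctioned file modified after the manifest was written.
SANCTIONED = {"report.csv": b"id,value\n1,42\n", "notes.txt": b"handover notes\n"}
MANIFEST = build_manifest(SANCTIONED)
MEDIA = dict(SANCTIONED)
MEDIA["notes.txt"] = b"handover notes, edited after signing\n"
MEDIA["autorun.inf"] = b"[autorun]\nopen=setup.exe\n"
MEDIA["setup.exe"] = b"MZ..."
MEDIA["extra.txt"] = b"not in the manifest\n"

if __name__ == "__main__":
    for name, verdict in check_import(MEDIA, MANIFEST).items():
        print(f"{name}: {verdict}")
```

The order of the checks matters: name and extension are rejected before any hashing, so a worm's payload is never read at all, and the manifest line is authenticated before its digest is trusted, so an attacker who can edit the manifest on the drive gains nothing without the key.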

Tools and techniques for data extraction in air-gapped computer systems

Despite the high level of security that air gapping provides, cybercriminals use modern techniques and tools to extract data from isolated computer systems. Some of them include:

  • Wi-Fi signals (without Wi-Fi hardware): sensitive data can be exfiltrated from air-gapped systems using Wi-Fi signals as a covert channel, without any Wi-Fi hardware being present on the targeted system. Air-gapped systems with no network interface are considered necessary in environments that handle critical data precisely to reduce the risk of leakage, which is what makes this channel notable.
  • MOSQUITO attack: MOSQUITO is a technique that turns connected speakers into microphones by exploiting a feature of certain audio chips. Because some headphones, speakers and earphones respond well in the near-ultrasonic range, such hardware can be repurposed as a gateway into the system.
  • Screen brightness: attackers can steal data from air-gapped systems without any physical or network connection to the device. Malware on the compromised system reads sensitive data, such as images, files, passwords and encryption keys, and modulates it onto the screen brightness using small changes in LCD brightness that remain invisible to the naked eye.
  • PowerHammer attack (power lines): PowerHammer is a technique in which specially designed malware controls the CPU utilization of an air-gapped system, causing fluctuations in current draw in morse-code-like patterns that carry data in binary form. The attacker implants hardware on the power line to monitor the current flow and decode the exfiltrated data.
  • aIR-Jumper attack (IR CCTV cameras): this technique steals information from an air-gapped system with the help of the infrared LEDs that CCTV cameras use for night vision. In the attack scenario, dubbed aIR-Jumper, both the air-gapped system and the CCTV network are compromised, and neither is assumed to be internet-connected. The aIR-Jumper malware installed on the air-gapped system and the CCTV network blinks the IR LEDs in morse-code-like patterns to transmit files as binary data and to read data sent back.
  • USBee attack (radio frequency transmissions from USB connectors): the technique dubbed USBee is a significant improvement over the NSA-made USB exfiltration implant called CottonMouth. Unlike CottonMouth, USBee does not require the attacker to smuggle a modified USB device into the targeted air-gapped computer; instead, it turns ordinary USB devices already inside the facility into an RF transmitter with no hardware modification.
  • BitWhisper attack (heat): this technique lets attackers steal passwords or security keys from a secured computer and send the sensitive information to a nearby internet-connected device they control, using heat emissions and the machines' thermal sensors. They could also use their internet-connected device to send malicious commands to the air-gapped system over the same heat-and-sensor channel to cause further damage to the secured infrastructure.
  • Side-channel attack: this technique extracts secret cryptographic keys from a computer by analyzing the pattern of electromagnetic emissions and memory utilization of the PC during the decryption process.

Defenders who want to keep an air-gapped system secure need to account for these primary exfiltration techniques.
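What the PowerHammer, screen-brightness and aIR-Jumper entries have in common is that the page describes them as morse-code-like modulation of some physical quantity. A defender who can sample that quantity can look for the one property such a modulator can hardly avoid: on/off durations that are integer multiples of a fixed symbol period. The following is an added example of that check, written for this article rather than taken from it or from the PowerHammer research. It assumes CPU-utilization samples taken at a fixed interval and a threshold (assumed 50 %) separating high from low load; the sample series are constructed.

```python
"""Heuristic detector for load-modulated covert channels such as PowerHammer.

Added example for the exfiltration techniques listed above; it is not code from
the Storware article or from the PowerHammer research. The page describes the
channel as morse-code-like fluctuations driven by CPU utilization, so the check
below looks for on/off durations that are integer multiples of a fixed symbol
period. It assumes CPU utilization samples taken at a fixed interval (the series
below are constructed) and a threshold (assumed 50 %) separating high from low.
The same run-length test applies to screen-brightness or IR-LED readings, since
those channels are described the same way on this page.
"""


def binarize(samples, threshold=50.0):
    return [s >= threshold for s in samples]


def run_lengths(bits):
    """Lengths of consecutive runs of identical state, e.g. TTFFF -> [2, 3]."""
    runs = []
    for b in bits:
        if runs and runs[-1][0] == b:
            runs[-1][1] += 1
        else:
            runs.append([b, 1])
    return [n for _, n in runs]


def quantization_score(runs, unit, tol=0.15):
    """Fraction of runs whose length is (within tol) an integer multiple of unit."""
    hits = 0
    for r in runs:
        ratio = r / unit
        if round(ratio) >= 1 and abs(ratio - round(ratio)) <= tol:
            hits += 1
    return hits / len(runs)


def analyze(samples, threshold=50.0, min_runs=4, min_unit=2, cutoff=0.9):
    """Search symbol periods >= min_unit samples; flag if nearly every run fits one."""
    runs = run_lengths(binarize(samples, threshold))
    if len(runs) < min_runs:
        return {"suspicious": False, "reason": "too few load transitions", "runs": len(runs)}
    best_unit, best_score = None, 0.0
    for unit in range(min_unit, max(runs) + 1):
        score = quantization_score(runs, unit)
        if score > best_score:
            best_unit, best_score = unit, score
    return {"suspicious": best_score >= cutoff, "unit": best_unit,
            "score": round(best_score, 2), "runs": len(runs)}


def ook_series(bits, symbol_len=5, high=90.0, low=10.0):
    """Constructed: CPU usage of a host whose implant keys load on/off per bit."""
    out = []
    for i, bit in enumerate(bits):
        level = high if bit == "1" else low
        for j in range(symbol_len):
            out.append(level + (2.0 if (i + j) % 2 else -2.0))  # small jitter
    return out


def runs_series(lengths, high=70.0, low=20.0):
    """Constructed: ordinary bursty workload with irregular high/low durations."""
    out, level = [], high
    for n in lengths:
        out.extend([level] * n)
        level = low if level == high else high
    return out


COVERT_SAMPLES = ook_series("1011001")
NORMAL_SAMPLES = runs_series([3, 1, 4, 1, 5, 9, 2, 6])
QUIET_SAMPLES = [15.0] * 20 + [75.0] * 10

if __name__ == "__main__":
    for label, series in (("covert", COVERT_SAMPLES), ("normal", NORMAL_SAMPLES), ("quiet", QUIET_SAMPLES)):
        print(label, analyze(series))
```

A hit is a triage lead, not a verdict: a legitimate job that runs at a fixed cadence produces equally quantized runs, so a flagged host should be correlated with its process list and, where available, with readings from the power line or display the channel would actually use.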

Is Air-gapping effective?

Air gapping has proven quite effective over time in securing computer systems. However, cybercriminals have found ways to attack air-gapped computers. SentinelOne cites the Stuxnet attack, designed to target Iran's nuclear program, as the most notorious example. Although it was discovered in 2010, it is thought to have been in development since 2005.

At the time of discovery, the Stuxnet worm was a 500 KB program that had infected the software at over 14 individual sites in Iran. It targeted Microsoft Windows machines and spread on its own through USB drives plugged into the air-gapped machines on the network. The result was Iran losing almost one-fifth of its nuclear centrifuges.

The 2010 Stuxnet case is also a strong illustration of how hardware carried across the gap can cause damage, as that particular strain of malware spread into Iranian nuclear plants on USB drives.

Therefore, air-gapped networks are only as effective as your networking and security policies are willing and able to make them. They can be nearly foolproof if strict network policies are implemented and constantly overseen by network administrators.

How can air-gapped systems be secured?

Air gapping used to be considered impossible to breach, but that is no longer the case. Here are some strategies organizations can use to ensure their air-gapped systems are never connected to the internet. Exposure can open a system up to compromise, and since these systems most likely hold critical information, the result can be disastrous.

  • Organizations should ensure that connected peripherals are limited to absolute necessities.
  • Employers must educate employees and users who have access to the air-gapped system on proper security practices.
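Limiting peripherals to absolute necessities only works if someone checks what is actually plugged in. The following is an added example of such an audit (not code from the Storware article). It assumes a device inventory already parsed from lsusb or sysfs into dictionaries; the inventory below is constructed, with placeholder vendor and product IDs, and the allow-list is a site-specific assumption. Anything not on the list is reported, and the USB base classes the exfiltration techniques on this page depend on (storage, wireless, network) are called out explicitly even when allow-listed, so they always get a second look.

```python
"""Peripheral allow-list audit for an air-gapped host.

Added example for the peripheral-limiting advice above; it is not code from
the Storware article. It assumes a device inventory already parsed from
lsusb or sysfs into dictionaries (constructed here, with placeholder vendor
and product IDs) and a site allow-list of (vendor, product) pairs.
"""

# USB base class codes (from the USB-IF class code table)
USB_CLASS_NAMES = {
    0x02: "communications / network",
    0x03: "human interface device",
    0x08: "mass storage",
    0x0E: "video",
    0xE0: "wireless controller",
}
# Classes that can carry data out of the host, per the techniques on this page
HIGH_RISK_CLASSES = {0x02, 0x08, 0xE0}

# Constructed inventory; vendor/product IDs are placeholders, not real devices.
INVENTORY = [
    {"port": "1-1", "vendor": "aaaa", "product": "0001", "cls": 0x03, "desc": "keyboard"},
    {"port": "1-2", "vendor": "bbbb", "product": "0002", "cls": 0x08, "desc": "flash drive"},
    {"port": "1-3", "vendor": "cccc", "product": "0003", "cls": 0xE0, "desc": "wireless dongle"},
    {"port": "2-1", "vendor": "dddd", "product": "0004", "cls": 0x0E, "desc": "webcam"},
]
ALLOWLIST = {("aaaa", "0001")}  # assumed site policy: only the keyboard is approved


def evaluate_device(dev, allowlist=ALLOWLIST):
    """Return (verdict, reasons) for one device record."""
    reasons = []
    if (dev["vendor"], dev["product"]) not in allowlist:
        reasons.append("not on allow-list")
    if dev["cls"] in HIGH_RISK_CLASSES:
        reasons.append(f"high-risk class: {USB_CLASS_NAMES.get(dev['cls'], hex(dev['cls']))}")
    return ("allow" if not reasons else "flag", reasons)


def audit(inventory=INVENTORY, allowlist=ALLOWLIST):
    """Return one finding per device, in inventory order."""
    findings = []
    for dev in inventory:
        verdict, reasons = evaluate_device(dev, allowlist)
        findings.append({"port": dev["port"], "desc": dev["desc"],
                         "verdict": verdict, "reasons": reasons})
    return findings


def deauthorize_commands(findings):
    """Shell commands that would detach each flagged device through the Linux
    sysfs 'authorized' attribute (a real kernel interface; the port IDs here
    are constructed). Returned as strings for an administrator to review."""
    return [f"echo 0 > /sys/bus/usb/devices/{f['port']}/authorized"
            for f in findings if f["verdict"] == "flag"]


if __name__ == "__main__":
    findings = audit()
    for f in findings:
        print(f"{f['port']:5} {f['desc']:16} {f['verdict']:5} {'; '.join(f['reasons'])}")
    print("\n".join(deauthorize_commands(findings)))
```

Running the audit on a schedule and diffing its output against the last run turns the "limit peripherals" policy into something measurable: a new flagged port is exactly the event an insider or interdicted part would produce.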

In conclusion, it is important to note that our 21st-century world continues to battle data privacy concerns. Such concerns are typically addressed by countermeasures deployed to safeguard data and digital assets and protect them from unauthorized access. One such countermeasure that relates specifically to computers is air gapping. Air gapping can be adequate, but users and employers must take proper security measures to forestall computer system breaches.


text written by:

Pawel Maczka, CTO at Storware