Research: Bridging the Air Gap

Way back in the old days, the unit I worked at in the US Air Force had a room with a lot of equipment used for processing classified information. Among this equipment was a Zenith Z-250 with an odd sort of keyboard and a very low resolution screen. A fine metal mesh embedded in a semi-clear substrate was glued to the surface of the monitor. This was our TEMPEST rated computer, on which we could type up classified memos, read classified email, and the like. We normally connected it to the STU-3 through a modem (remember those) to send and receive various kinds of classified information.

Guri, Mordechai, and Yuval Elovici. “Bridgeware: The Air-Gap Malware.” Accessed May 13, 2018.

The idea of TEMPEST begins way back in 1985, when a Dutch researcher demonstrated “reading” the screen of a computer from several feet away using relatively cheap, easy to assemble equipment. The paper I’m looking at today provides a good overview of the many ways discovered since that initial demonstration to transfer data from one computer to another across what should be an “air gap.” For instance, the TEMPEST rated computer described above was air gapped: the only time it was connected to any communications device was when it was connected to one of the STU-3s, and then only once the secure connection had already been established.

The paper begins by defining the general problem of communicating with air-gapped systems. This initial section includes a very helpful discussion of the difference between covert channels and side channels. A side channel is an unintended side effect of processing data that reveals something about the data itself; I covered these in a short take over at the Network Collective. A covert channel, however, is a communications channel between two systems that is intentionally designed to carry information between them, but without their owner or administrator knowing the channel exists. Covert channels are, by their nature, often difficult to detect and block. With this definition in hand, the authors consider the various channels that can be created between two systems to transfer information.

Acoustic channels largely focus on encoding information in ultrasonic sounds transmitted through the system speakers. This is a method apparently employed by advertisers and marketing firms to carry information about the human attached to a particular computer, in order to correlate activity between multiple systems. For instance, when a cellphone is in “hearing range” of a computer, some piece of software may emit a sound which an application on the cellphone can use to determine the proximity of the two devices. This allows the tracking from one device to be correlated with the tracking from the second device, building a larger “picture” of the person’s activities. Speakerless computers are one common solution to this kind of problem, but bridging air gaps through the sounds made by a hard drive or the computer’s fan is also possible.
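As an added, defender-side illustration of the acoustic channel described above (this is example code written for this post, not code from the paper or its authors), the following scanner walks through captured audio in short windows and flags any window where the energy in the ultrasonic band rivals the energy in the audible band. It uses the Goertzel algorithm so it needs only the standard library. The sample rate, band edges, window size and threshold are assumptions chosen for the example; the test signal is constructed inline rather than captured from a real machine.

```python
import math

# Assumed capture parameters for this example.
SAMPLE_RATE = 48_000               # Hz; Nyquist limit is 24 kHz, so 18-22 kHz is representable
WINDOW = 4_800                     # samples per analysis window (100 ms at 48 kHz)
AUDIBLE_BAND = (500, 15_000)       # Hz; where ordinary speech/music energy lives
ULTRASONIC_BAND = (18_000, 22_000) # Hz; above normal hearing, the band a speaker channel would use


def goertzel_power(samples, target_hz, sample_rate=SAMPLE_RATE):
    """Power of one frequency in `samples`, via the Goertzel algorithm (normalised by length)."""
    n = len(samples)
    k = int(0.5 + n * target_hz / sample_rate)  # nearest DFT bin to the target frequency
    w = 2.0 * math.pi * k / n
    coeff = 2.0 * math.cos(w)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    power = s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2
    return power / n


def band_power(samples, lo_hz, hi_hz, step_hz=500, sample_rate=SAMPLE_RATE):
    """Sum of Goertzel power at probe frequencies spaced step_hz apart across [lo_hz, hi_hz]."""
    return sum(goertzel_power(samples, f, sample_rate)
               for f in range(lo_hz, hi_hz + 1, step_hz))


def ultrasonic_ratio(samples, sample_rate=SAMPLE_RATE):
    """Ultrasonic band power divided by audible band power for one window."""
    audible = band_power(samples, *AUDIBLE_BAND, sample_rate=sample_rate)
    ultra = band_power(samples, *ULTRASONIC_BAND, sample_rate=sample_rate)
    return ultra / (audible + 1e-12)  # epsilon avoids division by zero on a silent window


def scan(samples, threshold=0.5, window=WINDOW, sample_rate=SAMPLE_RATE):
    """Return (window_index, ratio) for every window whose ultrasonic ratio exceeds threshold."""
    hits = []
    for start in range(0, len(samples) - window + 1, window):
        ratio = ultrasonic_ratio(samples[start:start + window], sample_rate)
        if ratio > threshold:
            hits.append((start // window, round(ratio, 2)))
    return hits


def synth(freqs_by_window, amplitude=0.3, window=WINDOW, sample_rate=SAMPLE_RATE):
    """Constructed test signal: one list of sine frequencies (Hz) to mix per window."""
    out = []
    for freqs in freqs_by_window:
        for n in range(window):
            t = n / sample_rate
            out.append(sum(amplitude * math.sin(2 * math.pi * f * t) for f in freqs))
    return out


if __name__ == "__main__":
    # Constructed capture: 1 kHz tone, then the same tone plus a 19.5 kHz carrier,
    # then the carrier alone, then the audible tone again.
    capture = synth([[1000], [1000, 19500], [19500], [1000]])
    for idx, ratio in scan(capture):
        print(f"window {idx}: ultrasonic/audible power ratio {ratio}")
```

The check is deliberately coarse: it does not try to decode anything, it only answers “is this machine (or something near it) radiating energy where nothing audible should be?” A real deployment would feed it from a microphone near the air-gapped host and treat persistent hits as a reason to pull the speaker, which is the simpler mitigation the paper points to.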

Electromagnetic attacks involve some form of antenna and some form of receiver. The easiest way to transmit something is, of course, to find some way to attach an antenna to a system; for instance, there is a physical attack where a small antenna is embedded in a USB connector and used to transmit information to a locally configured receiver. In this way, keystrokes, information transferred onto and off the USB device, etc., can be moved off an air gapped system. Other discovered methods use the monitor cable as an antenna, or simply inject a complete cellular antenna system as a backdoor hardware channel.

Thermal and optical methods have been used, as well, such as through the sounds made by an air conditioning system.

While many of these methods might seem fantastic, the lesson of this research is that if you are going to air gap a computer for security, make certain you air gap it in the most complete way possible. Disconnecting the Ethernet cable, removing the WiFi antenna, and placing the system in a separate room may not be enough to prevent information from leaking.