Extracting data from air-gapped computers via mobile phones
A group of researchers from the Department of Information Systems Engineering at Ben-Gurion University in Israel have demonstrated and detailed a technique that can allow attackers to exfiltrate data from an “air-gapped” computer.
More often than not, computers housing sensitive data – whether it belongs to the government, a business, or any other type of organization – are kept off the Internet and internal networks and have their Bluetooth feature switched off in order to prevent attackers from easily reaching and compromising them and the information they hold.
Often, even those individuals who are allowed to access these computers, or simply to be in their vicinity, are prohibited from having a mobile phone with them; the phone is usually left in a locker somewhere on the premises, but not very near the place where these computers are located. Still, this security procedure can be violated, by accident or on purpose, and mobile phones might be brought close enough to be used in an attack.
The researchers dubbed their technique “AirHopper.” The premise for making it work is that the attacker has already compromised the computer containing the sensitive data, and is now looking for a way to exfiltrate it without anyone noticing.
“While it is known that software can intentionally create radio emissions from a video display unit, this is the first time that mobile phones are considered in an attack model as the intended receivers of maliciously crafted radio signals,” they explained in their paper.
They proved that a mobile phone with an FM radio receiver – whether it belongs to the attacker or to an individual working in the organization, oblivious that his phone has been compromised – can be used to extract the data by collecting the radio signals emanating from the compromised computer.
Their research proved that textual and binary data can be exfiltrated from a physically isolated computer to mobile phones at a distance of 1-7 meters. The transfer of the data is relatively slow – 13-60 Bps – but still fast enough to extract things like passwords.
It is widely believed that this type of attack is already being performed by intelligence agencies, and the US NSA in particular.
There are ways to prevent this type of attack. “Countermeasures of the technical kind include physical insulation, software-based reduction of information-bearing emission, and early encryption of signals. Procedural countermeasures include official practices and standards, along with legal or organizational sanctions,” the researchers noted.