TL;DR
Yes, attackers can sometimes send commands to and control computers that are physically isolated (air-gapped). This isn’t usually done directly. Instead, they use clever methods to sneak data in and out via things like sound waves, light, temperature changes, or exploiting supply chain vulnerabilities. Protecting against this requires a multi-layered approach beyond just physical disconnection.
How Attackers Control Air-Gapped Computers
- Data Diode Exploitation: While designed for one-way communication, misconfigurations or flaws in data diode implementations can allow attackers to send commands back into the isolated network.
- Supply Chain Attacks: Compromised hardware or software introduced during manufacturing or updates can contain hidden malicious code that allows remote control. This is a significant risk as it bypasses all security measures at runtime.
- Side-Channel Attacks (Acoustic/Optical): Attackers exploit unintended information leakage from the computer.
  - Acoustic: Malicious software can modulate data into sound waves emitted by components like the CPU fan or hard drive. A nearby microphone picks up these signals, which are then decoded.
  - Optical: Data can be encoded in variations of light emissions from LEDs (e.g., power/activity lights) and captured with a camera.
- Electromagnetic Radiation Attacks: Similar to acoustic attacks, attackers capture electromagnetic signals emitted by the computer’s components.
  - Specialized equipment is needed to detect and decode these signals.
- Temperature Manipulation: Data can be encoded in subtle temperature changes of the CPU or other components, detected by sensors outside the air gap.
- USB Drive Exploitation (Sneakernet): A seemingly innocuous USB drive infected with malware is physically inserted into the isolated computer.
  - This is a common attack vector despite physical isolation.
  - Malware can be designed to remain dormant until specific conditions are met.
- Exploiting Firmware: Compromising the BIOS or UEFI firmware gives attackers persistent control, even if the operating system is reinstalled.
  - This requires physical access or a supply chain compromise.
Protecting Air-Gapped Systems
- Strict Hardware and Software Control:
  - Maintain a detailed inventory of all hardware and software.
  - Verify the integrity of firmware before deployment using cryptographic hashes.
  - Implement secure boot processes to prevent unauthorized firmware from loading.
- Regular Security Audits: Conduct thorough audits of both hardware and software configurations.
  - Look for unexpected or unusual components or code.
- Physical Security Measures:
  - Control physical access to the isolated network.
  - Implement surveillance systems and intrusion detection mechanisms.
- Data Diode Monitoring: If using data diodes, closely monitor their configuration and traffic patterns.
  - Ensure they are configured for strict one-way communication only.
- Electromagnetic Shielding: Use shielded enclosures to reduce electromagnetic emissions.
  - This can help mitigate side-channel attacks.
- USB Port Control: Disable or physically remove USB ports if not required.
  - If USB is necessary, implement strict controls over its use and scan all devices before allowing them to connect.
- Air Gap Verification Tools: Use tools designed to detect unauthorized communication attempts.
  - These tools monitor for unusual acoustic, optical, or electromagnetic activity.
- Network Segmentation: Even within the air-gapped network, segment critical systems from less sensitive ones.
  - This limits the impact of a successful attack.
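The firmware integrity check listed under Strict Hardware and Software Control, worked through as an added example (not code from the original answer): an offline build host emits a manifest of SHA-256 digests authenticated with an HMAC key that never enters the air-gapped network, and the deployment step refuses any image set whose manifest MAC, digests or file list do not match. The firmware bytes and the key are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed stand-ins for the firmware images on the deployment media.
FIRMWARE_IMAGES = {
    "bios.bin": b"\x55\xaa" + b"BIOS-IMAGE-v1.2" * 8,
    "nic_rom.bin": b"\x7f" + b"NIC-OPTION-ROM" * 6,
}
# Key held only on the offline signing host (assumption; constructed value).
MANIFEST_KEY = b"constructed-offline-manifest-key"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _canonical(entries: dict) -> bytes:
    # Canonical JSON so the MAC covers exactly what the verifier recomputes.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()

def build_manifest(images: dict, key: bytes) -> dict:
    """Run on the offline build host: list every image's SHA-256 and MAC the list."""
    entries = {name: sha256_hex(blob) for name, blob in images.items()}
    mac = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "mac": mac}

def verify_firmware(images: dict, manifest: dict, key: bytes) -> list:
    """Run before deployment: return a list of problems; empty means the set is clean."""
    expected_mac = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, manifest.get("mac", "")):
        # Do not trust any digest in a manifest whose MAC fails.
        return ["manifest MAC invalid: manifest tampered or wrong key"]
    problems = []
    for name, expected in sorted(manifest["entries"].items()):
        if name not in images:
            problems.append(f"{name}: listed in manifest but missing from media")
        elif not hmac.compare_digest(sha256_hex(images[name]), expected):
            problems.append(f"{name}: digest mismatch, image altered")
    for name in sorted(images):
        if name not in manifest["entries"]:
            problems.append(f"{name}: present on media but not in manifest")
    return problems

if __name__ == "__main__":
    manifest = build_manifest(FIRMWARE_IMAGES, MANIFEST_KEY)
    print("clean media:", verify_firmware(FIRMWARE_IMAGES, manifest, MANIFEST_KEY))
    altered = dict(FIRMWARE_IMAGES, **{"bios.bin": FIRMWARE_IMAGES["bios.bin"] + b"\x90"})
    print("altered BIOS:", verify_firmware(altered, manifest, MANIFEST_KEY))
```

Because the MAC is checked before any digest, an attacker who alters an image cannot simply edit the manifest to match; they would also need the key that stays off the isolated network.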

