Air-gap malware explained

Air-gap malware is malware that is designed to defeat the air-gap isolation of secure computer systems using various air-gap covert channels.[1] [2]

Operation

Because most modern computers, especially laptops, have built-in microphones and speakers, air-gap malware can be designed to communicate secure information acoustically, at frequencies near or beyond the limit of human hearing. The technique is limited to computers in close physical proximity (about 65 feet), and also by the requirement that both the transmitting and receiving machines be infected with the proper malware to form the communication link.[3] The physical proximity limit can be overcome by creating an acoustically linked mesh network, but this is only effective if the mesh network ultimately has a traditional Ethernet connection to the outside world through which the secure information can be removed from the secure facility. In 2014, researchers introduced "AirHopper", a bifurcated attack pattern showing the feasibility of data exfiltration from an isolated computer to a nearby mobile phone, using FM frequency signals.[4] [5]
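From the monitoring side, the acoustic channel described above leaves a measurable trace: energy concentrated just below or above the edge of hearing, where ordinary room audio has almost none. The following Python is an added example, not code from the page or from the cited research; it uses the Goertzel algorithm to measure how much of a microphone frame's energy sits in an assumed 18–20 kHz watch band and flags the frame if that share exceeds an assumed threshold. The sample rate, band, threshold and the constructed test tones are all assumptions.

```python
import math

SAMPLE_RATE = 48000          # Hz; assumed capture rate of the monitoring microphone
FRAME = 2400                 # 50 ms frames -> 20 Hz bin resolution
BAND = (18000.0, 20000.0)    # assumed near-ultrasonic watch band (tunable)
THRESHOLD = 0.01             # assumed: alert if >1 % of frame energy sits in BAND

def goertzel_power(samples, bin_index):
    """|X_k|^2 for one DFT bin, computed with the Goertzel recurrence (no FFT library)."""
    n = len(samples)
    coeff = 2.0 * math.cos(2.0 * math.pi * bin_index / n)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def band_energy_fraction(samples, band=BAND, sample_rate=SAMPLE_RATE):
    """Return (fraction of frame energy inside `band`, frequency of the strongest bin in it)."""
    n = len(samples)
    total = sum(x * x for x in samples)          # time-domain energy of the frame
    if total == 0.0:
        return 0.0, None
    res = sample_rate / n                        # Hz per DFT bin (rectangular window)
    lo, hi = math.ceil(band[0] / res), math.floor(band[1] / res)
    band_energy, peak = 0.0, (0.0, None)
    for k in range(lo, hi + 1):
        p = goertzel_power(samples, k)
        band_energy += 2.0 * p / n               # Parseval, one-sided: sum x^2 == (2/N) sum |X_k|^2
        if p > peak[0]:
            peak = (p, k * res)
    return band_energy / total, peak[1]

def looks_like_acoustic_channel(samples):
    """Detection verdict for one frame: (flagged, band fraction, peak frequency in Hz)."""
    frac, peak_hz = band_energy_fraction(samples)
    return frac > THRESHOLD, frac, peak_hz

def tone(freq, amplitude, n=FRAME, sample_rate=SAMPLE_RATE):
    """Constructed sinusoid used only to build the sample frames below."""
    return [amplitude * math.sin(2 * math.pi * freq * t / sample_rate) for t in range(n)]

# Constructed test frames: an audible 1 kHz tone standing in for room audio,
# and the same audio with a weak 19 kHz carrier riding on top of it.
CLEAN = tone(1000, 0.5)
SUSPECT = [a + b for a, b in zip(CLEAN, tone(19000, 0.1))]

if __name__ == "__main__":
    for name, frame in (("clean", CLEAN), ("suspect", SUSPECT)):
        flagged, frac, peak_hz = looks_like_acoustic_channel(frame)
        print(f"{name}: flagged={flagged} band_fraction={frac:.4f} peak_hz={peak_hz}")
```

In practice the threshold has to be calibrated against recordings from the actual room, since some microphones and fans put real energy into this band.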

In 2015, "BitWhisper", a covert signaling channel between air-gapped computers using thermal manipulations, was introduced. "BitWhisper" supports bidirectional communication and requires no additional dedicated peripheral hardware.[6] [7]

Later in 2015, researchers introduced "GSMem", a method for exfiltrating data from air-gapped computers over cellular frequencies. The transmission, generated by a standard internal bus, turns the computer into a small cellular transmitter antenna.[8] [9]

In 2016, researchers categorized various "out-of-band covert channels"[10] (OOB-CCs), which are malware communication channels that require no specialized hardware at the transmitter or receiver. OOB-CCs are not as high-bandwidth as conventional radio-frequency channels; however, they are capable of leaking sensitive information that requires only low data rates to communicate (e.g., text, recorded audio, cryptographic key material).

In 2020, researchers at ESET reported the Ramsay malware, a cyber espionage framework and toolkit that collects and steals sensitive documents, such as Word documents, from systems on air-gapped networks.

In general, researchers demonstrated that air-gap covert channels can be realized over a number of different mediums, including:

Notes and References

  1. Carrara, Brent. "Air-Gap Covert Channels." PhD thesis, University of Ottawa, September 2016.
  2. Carrara, Brent; Adams, Carlisle. "A Survey and Taxonomy Aimed at the Detection and Measurement of Covert Channels." Proceedings of the 4th ACM Workshop on Information Hiding and Multimedia Security (IH&MMSec '16), New York, NY, USA: ACM, 2016, pp. 115–126. doi:10.1145/2909827.2930800. ISBN 9781450342902. S2CID 34896818.
  3. Visu, P.; Chakkaravarthy, S. Sibi; Kumar, K. A. Varun; Harish, A.; Kanmani, S. "Air-Gap Malware." Computer Engineers Technical Association News Letter, vol. 1, no. 2, Vel Tech University, October 2014. Archived from the original (dead link) at https://web.archive.org/web/20150322095128/http://www.veltechuniv.edu.in/Newsletter/cse_Oct2014_newsletter.pdf on 22 March 2015; retrieved 21 March 2015.
  4. Guri, Mordechai; Kedma, Gabi; Kachlon, Assaf; Elovici, Yuval. "AirHopper: Bridging the Air-Gap between Isolated Networks and Mobile Phones using Radio Frequencies." November 2014. arXiv:1411.0237 [cs.CR].
  5. Guri, Mordechai; Kedma, Gabi; Kachlon, Assaf; Elovici, Yuval. "How to leak sensitive data from an isolated computer (air-gap) to a near by mobile phone - AirHopper." BGU Cyber Security Labs, November 2014.
  6. Guri, Mordechai; Monitz, Matan; Mirski, Yisroel; Elovici, Yuval. "BitWhisper: Covert Signaling Channel between Air-Gapped Computers using Thermal Manipulations." April 2015. arXiv:1503.07919 [cs.CR].
  7. Guri, Mordechai; Monitz, Matan; Mirski, Yisroel; Elovici, Yuval. "BitWhisper: The Heat is on the Air-Gap." BGU Cyber Security Labs, March 2015.
  8. Guri, Mordechai; Kachlon, Assaf; Hasson, Ofer; Kedma, Gabi; Mirsky, Yisroel; Elovici, Yuval. "GSMem: Data Exfiltration from Air-Gapped Computers over GSM Frequencies." 24th USENIX Security Symposium (USENIX Security 15), August 2015, pp. 849–864. ISBN 9781939133113.
  9. Guri, Mordechai; Kachlon, Assaf; Hasson, Ofer; Kedma, Gabi; Mirsky, Yisroel; Monitz, Matan; Elovici, Yuval. "GSMem Breaking The Air-Gap." Cyber Security Labs @ Ben Gurion University, July 2015.
  10. Carrara, Brent; Adams, Carlisle. "Out-of-Band Covert Channels—A Survey." ACM Computing Surveys, vol. 49, no. 2, June 2016, pp. 23:1–23:36. doi:10.1145/2938370. ISSN 0360-0300. S2CID 13902799.