A piece of malware and a basic cell phone are all you need in order to steal data from an air-gapped computer, according to researchers.
Air-gap security is often used by organizations to protect their most valuable assets. The technique involves isolating computers that store sensitive information from the Internet and even from the organization’s internal network.
While it’s less likely for isolated computers to become infected with malware, it’s not impossible, as demonstrated by the case of the notorious Stuxnet worm, which made its way via USB flash drives onto the air-gapped systems controlling the centrifuges at an Iranian nuclear facility.
Researchers at ESET reported last year that the cyber espionage group Pawn Storm (also known as APT28, Tsar Team, Sednit and Fancy Bear) also used USB malware to steal data from air-gapped computers. Due to such threats, many organizations have banned workers from inserting USB sticks into computers.
A team of researchers from the Ben-Gurion University in Israel led by Mordechai Guri will demonstrate at the upcoming USENIX Security Symposium that there is a far more sophisticated method of exfiltrating data from air-gapped systems.
The experts have developed GSMem, a proof-of-concept (PoC) malware capable of sending data from an infected computer to a nearby mobile phone over GSM frequencies. The data is emitted through electromagnetic signals by a piece of malware installed on the computer, and it’s received and demodulated by a rootkit placed in the baseband firmware of a basic cell phone.
In their experiments, the researchers installed the malware on a Motorola C123. The phone doesn’t have a camera, Wi-Fi, Bluetooth or other connectivity capabilities, and during the tests it didn’t even have a SIM card.
This makes the attack method potentially dangerous because basic phones are allowed even by security-aware organizations that prohibit the use of phones with a camera and Wi-Fi on their premises.
The experts have pointed out that only the malware is needed to transmit the data from the air-gapped computer. The attack doesn’t require the installation of any additional hardware on the targeted workstation, because the malware can modulate and transmit electromagnetic signals using ordinary memory-related instructions. The transmission is then amplified by the multi-channel memory architecture.
The researchers managed to transmit data from the infected computer to the cell phone over a distance of 1-1.5 meters (roughly 3-5 feet). However, if the phone is replaced with a dedicated hardware receiver, the distance can increase to 30 meters (100 feet).
The signals transmitted by the malware can also be intercepted by an application running on an unmodified Android smartphone, but the distance is reduced to 10 centimeters (4 inches), which makes the attack less practical.
Three different workstations were used to transmit data over cellular frequencies, and the researchers determined that the most efficient device was the one with quad-channel RAM, because it employs wider data paths.
While transfer rates are low, experts say it’s enough to exfiltrate sensitive information such as passwords and encryption keys within several minutes.
The researchers have proposed a series of countermeasures to prevent potential attacks. The measures include defining zones where mobile phones (even basic devices) are prohibited, and insulating walls to mitigate attacks that might use more efficient hardware receivers.
This is not the first time Ben-Gurion University researchers have defeated air-gap security. In October 2014, they presented a piece of malware (AirHopper) capable of stealing data from isolated computers using the electromagnetic signals emitted by the device’s graphics card.
More recently, experts unveiled BitWhisper, an attack method that relies on the fact that computers in close proximity to each other can communicate using heat emissions and built-in thermal sensors.
The complete research paper on GSMem is currently only available to USENIX attendees. The paper will be made generally available after the event.