Security and privacy experts – not to mention federal government agencies – are still reeling from the disclosure by WikiLeaks of the CIA’s cache of hacking and surveillance technologies, released a few weeks ago. Among those disclosures, however, was a particularly interesting finding: the existence of “HammerDrill 2.0,” a cross-platform security toolkit that can breach the air gap.
What, exactly, is the air gap? For decades, the traditional logic of security went something like this: “if a computer is not attached to a network, it cannot be compromised remotely.” The space between the computer and the network – the “air gap” – was considered impenetrable without physical access. That held true for both wired and wireless networks for a long time. However, that is starting to change through a variety of new malware – some of it simple in design, some of it more exotic. While most examples of “jumping the air gap” are theoretical, the HammerDrill disclosure shows us that these exploits are now actually being weaponized, if not actually deployed.
In the case of HammerDrill, jumping the air gap is done by compromising CD/DVD writing software and recording both the content written to the disc and when the disc was used. While this is a simplistic version of breaching the air gap, there are many more advanced implementations as well. Last fall, researchers at Ben-Gurion University in Israel created a data exfiltration solution that uses USB devices to generate radio transmissions in rapid succession at two specific frequencies corresponding to “0” and “1” binary signals. Essentially, it turns a USB device into an RF transmitter without any modification, and the resulting signals can be captured and interpreted. This is an improvement on a similar solution allegedly deployed by the NSA (as leaked by Edward Snowden) called “BadUSB.” The same Israeli team built a similar solution in 2015: a two-step process that installed malware on a completely air-gapped computer as well as on a nearby cell phone, then transmitted data from the computer to the phone using RF signals. Similar solutions for circumventing the air gap rely on generating sounds from speakers outside the human hearing range, or on tones produced by adjusting the speed of CPU fans.
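The channels above all encode bits as an alternation between two physical states (two radio frequencies, two fan speeds). That regularity is also what a defender can look for in telemetry. The following is an added example, not code from the original post or from any of the research mentioned: a heuristic that scans a constructed trace of fan-RPM readings for a two-level pattern with a consistent symbol period, while ignoring ordinary thermal jitter and a single step-up under load. The sampling rate, RPM values and thresholds are assumptions chosen for illustration.

```python
from collections import Counter

# Constructed fan-RPM telemetry, one reading per second (sample data, not from any real system).
NORMAL_TRACE = [1500 + (i % 7) * 12 + (i // 10) * 5 for i in range(60)]   # jitter plus slow drift
LOAD_TRACE = [1200] * 20 + [2200] * 40                                      # one legitimate step-up under load
COVERT_TRACE = [2200 if b == "1" else 1200                                  # two levels, 3 s per symbol
                for b in "0110100101100101" for _ in range(3)]


def quantize(trace, tolerance):
    """Collapse readings into discrete levels; readings within `tolerance` RPM share a level."""
    levels, symbols = [], []
    for rpm in trace:
        for idx, level in enumerate(levels):
            if abs(rpm - level) <= tolerance:
                symbols.append(idx)
                break
        else:
            levels.append(rpm)
            symbols.append(len(levels) - 1)
    return levels, symbols


def run_lengths(symbols):
    """Lengths of consecutive runs of the same symbol, in order."""
    runs, count = [], 1
    for prev, cur in zip(symbols, symbols[1:]):
        if cur == prev:
            count += 1
        else:
            runs.append(count)
            count = 1
    runs.append(count)
    return runs


def looks_like_binary_channel(trace, tolerance=100, min_swing=500, min_transitions=6):
    """Flag a trace that has exactly two well-separated levels, frequent transitions,
    and run lengths that are all multiples of one symbol period."""
    levels, symbols = quantize(trace, tolerance)
    if len(levels) != 2 or abs(levels[0] - levels[1]) < min_swing:
        return False          # jitter/drift collapses to one level; noisy traces produce many
    runs = run_lengths(symbols)
    if len(runs) - 1 < min_transitions:
        return False          # a single step change under load is not a channel
    period = min(runs)
    return all(r % period == 0 for r in runs)
```

The same shape of check applies to any two-state covert channel whose telemetry you can sample, such as radio spectrum monitoring near the air-gapped host.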
The potential damage that can be wrought by breaking the air gap is significant. First, one-way – and possibly two-way – communications are established between the air-gapped system and another network (ostensibly the Internet). At a minimum, critical data on the system can be exfiltrated, although in most cases this will be a “slow drip” rather than a full, complete file copy, as many air gap scenarios today are based on solutions that can only transfer a few bytes of data per second. Another problem is physical damage to targeted systems through kinetic malware. Where these techniques rely on methods such as adjusting CPU fan speed, the repeated changes in fan speed can wear out the fan, reducing heat dissipation and eventually causing the device to fail.
So what can organizations and individuals do today to mitigate exotic threats such as hacks that jump the air gap? While there are no specific toolkits out there today to mitigate these attacks, the fact is that the traditional disclosure-patch cycle is (at least today) the only real solution for prevention. As vendors discover that their technology products can be compromised in this manner, they’ll continue to release patches that alleviate the threat wherever possible. That means both organizations and home users need to ensure that their technologies – and especially highly susceptible IoT devices, as we discussed last week – are properly patched. Of course, at some point these technologies will leave a discernible footprint that will be captured in malware signatures, so ensuring that anti-malware is installed, running, and up to date also helps. Unless, of course, the CIA has implemented a solution to circumvent your antivirus, as was also indicated in the WikiLeaks disclosure. But that’s a blog post for another day.