Exactly. If we look at something like CIA headquarters it's a building in building with white noise being generated between the gaps for added security.
Most people I deal with seem to think it means not having an internet connection which is true, but that's simply not enough.
Maybe it is enough. What sort of market do you work in? And what sort of real attack is coming your way.
An internet air-gap is probably enough for a vast majority of use cases.
There's lots of talk about engineering here along the lines of "good engineering is knowing how to make a bridge barely stand up", but in Security, especially IT sec there's often little discussion about real risk and impact. And striking a reasonable balance.
Places I've worked consider their product and information high security whilst embargoed (mostly financial). The IT security at these companies matched that posture. But people all drank together, shared everything over drinks and had terrible personal security.
I'm not a security skeptic at all, I just think that the simple stuff goes a long way and that it's somewhat unhelpful to compare regular IT use to CIA style IT use.
That's right, businesses should have security controls in place commensurate with the size and extent of its threats and vulnerabilities. It is not pragmatic for most organisations to spend enough money to implement the most protective security possible. Traditionally we call this determining your risk appetite.
Overall, my experience from auditing the cyber security of many organisations is that they're not actually taking a risk based approach. They're not identifying their IT & Cyber Security risks and they're not identifying their specific threats and vulnerabilities. This leads to many organisations make poor security decisions by implementing technology controls that either aren't mitigating any of their risks or isn't reducing their residual risk to a comfortable level.
I even believe there is an attack which measures fluctuation in the AC current to the power supply. Might as well add power supply masking via a motor-generator set or inverter/on-line UPS that obfuscates/filters transients from the load to line.
Or highspeed cameras being used to discern the minute colour and luminance changes on a window or a material in the target room which occur due to vibrations in the glass or many other materials due to sound in the target room. This allows reproducing sound that occurs in the room without having access to any microphones.
Or using appropiate lenses to "look through" blinds or other materials that have tiny lensing gaps which the typical person regards as not see-through.
In my experience, all the racks going into the comms rooms on the Navy ships we worked in had TEMPEST filters on their power inputs. The term I believe comes from the name of a NSA program using those kind of techniques for spying.
It's not Wi-Fi. The article title is misleading clickbait. They are just using a simple script to exercise the RAM in a way that produces more or less radio noise, and then using a debug feature in an off the shelf Wi-Fi chipset to measure the channel noise and transfer data that way (at an extremely low rate of a few bits per second). At no point are Wi-Fi signals involved. Both sides need to collude to make this work. It only takes a few hours to put together this kind of demo.
He did the same thing with GSM a few years ago - the exact same concept with 800MHz RAM - but he's so bad at it that even though he was using an open source fully documented GSM stack as a base for his receiver (osmocombb), he couldn't get more than a few bits per second out of it, even though you could obviously get a lot more data through with access to the DSP hardware at the receiver like he did.
This guy basically runs a paper mill where every few months he comes up with a new side channel, builds the minimum viable PoC, and produces no research of value. He makes no attempt to measure theoretical maximum channel bandwidths, he doesn't optimize the data coding, nothing. He just picks a new random idea, like using screen brightness or network activity LEDs to encode information, and cranks out a paper. And he's really good at clickbaiting his way through news cycles, which I'm sure keeps the funding going.
You can implement a PoC at the same level of some of his papers in a one line shell script that blinks the camera LED on a machine to transfer a file bit by bit:
> The memory buses generate electromagnetic radiation at a frequency correlated to its clock frequency and harmonics. For example, DDR4-2400 emits electromagnetic radiation at around 2400 MHz,” researchers wrote.
The IO clock runs at 1.2GHz, and the data lines run at double that.
“Prior to designing the card, it is useful to decide how much of the timing budget to allocate to routing mismatch. This can be determined by thinking in terms of time or as a percentage of the clock period. For example, 1% (±0.5%) at 800 MHz clock is 6.25ps (1250ps/200). Typical flight times for FR4 PCB are near 6.5 ps/mm. So matching to ±1mm (±0.040 inch) allocates 1% of the clock period to route matching.”
A few months ago I read a comment lamenting about all of these "novel" airgap "attacks" that are just all variants on the same theme of "figure out a new side-channel to send data between two complicit devices over". You can use memory module busses, power/camera/keyboard LEDs, fan speeds, ultrasound emitted from speakers...it's not very interesting, at this point.
I bet that I can come up with a new one off the top of my head...alright, how about malware that imperceptibly dims/brightens the screen, which could be interpreted as a 1-bit symbol and picked up even when the screen is facing away from the receiver (by observing the reflection off of a nearby surface)?
See also https://news.ycombinator.com/item?id=28394826. These aren't "attacks" - these are methods of data exfiltration between two compromised devices. There are attacks that e.g. steal private RSA keys by capturing the EM radiation during cryptographic operations, but this is not that.
It’s also worth noting that the resolution of the receiver or level of sensitivity required for actually receiving the data from these mediums from any considerable distance (from within a metal computer chassis case) even if it exists, will not be something that is likely attainable by a non nation state.
Also the amount of man hours required to set up a working receiver that is outside of detectable range would be too expensive to consider using this tech against anything but an extremely valuable target. There are of course other possible methods of pulling this off such as if a nearby mobile device is compromised it could be used to listen and repeat the weak RF signal coming from the memory but that would be another level of complexity keeping this from being an efficient technique.
Also of note is that there would be no way for the listener to reliably communicate with the compromised airgapped device to update their code if there is a problem so the communication would be similar to one way UDP.
>You can use memory module busses, power/camera/keyboard LEDs, fan speeds, ultrasound emitted from speakers...it's not very interesting, at this point.
This is why classified information is typically handled in a SCIF (Sensitive Compartmentalized Information Facility, "skiff").
It's an implementation of defense-in-depth; the idea that an adversary must breach several layers of physical and digital security to compromise your secrets.
These attacks are of little use at the National Defense level because they would require installing e.g. a receiving antenna within 6 feet of a compromised machine. In other words, to leverage this attack you'd have to achieve a total collapse of your adversary's classified processing security posture.
Well, if you can effect that then you don't need this attack.
Is that particularly insightful? What other form would attacks take between computers that lack a traditional communication channel than to create another communication channel?
That has to be one of the more amazing attacks I've ever seen, but of course it only works in a really weak environment where someone is trying to use a single disconnected machine otherwise close to other machines with normal capabilities.
I'm actually curious if something like this is behind the logic of why a minimum 6-foot gap is required between classified and unclassified workstations in the same building. But actual SCIFs don't allow radio waves through the walls and don't allow any sort of radio-enabled devices that may be able to read this signal and send it back home inside. You definitely can't bring IOT devices anywhere remotely close to a high-security environment.
Funny anecdote. Back in 1999 or so, I noticed by happenstance that when I had the cover of my PC off during a HDD defrag (yeah, that was a Windows thing back then), that I could easily pick up the noise from the bus at exactly 100Mhz on a radio I had in the room. At first I suspected I was bugged, because the HDD made noise in the same rhythmic pattern as that data being transferred across the bus, which was creating the EM noise. Can you imagine tuning your radio and coming across the ambient sounds in your room? Kinda terrifying.
RTL SDR lets you mess about like this. I was able to figure out what was causing my wifi to be awful - an old wired Linksys was putting out hash and the cables attached were really long antennas, increasing the noise floor.
I also discovered that one of my ham radios leaked RF when my computer's keyboard started randomly hitting buttons, including windows key plus other buttons.
The stock RTL device only goes to 30mhz or so, and up to about 2ghz, so any older/low power computers will spray hash all over that bandwidth. Spread spectrum on the fsb or whatever actually reduces the noise floor as the noise is distributed across a wider bandwidth, necessarily reducing the perceived power.
Hardware wallets are essentially a kind of highly specialized air gapped computer, so I wouldn't be surprised if a similar exploit could be used for larger air gapped systems.
I'd like to see an attack that communicates in the infrared by loading and unloading the CPU (or any other heat generating component) and then the attacker reads with line-of-site thermal imaging. You'll get like 6bpm, but hey, it's somethin'.
Interesting. They estimate 8 bits per hour, and are only doing bidirectional. I bet it's more like 16 bits per hour for exfil only, and with a much better range with an infrared sensor (which, interestingly, can be created by carefully scraping off the microlenses from an ordinary CCD, I recently learned).
That's a much shorter wavelength part of the spectrum than thermal imagers operate in, even though it's also infrared. CCDs pick up the kind of infrared that IR remote controls use.
This is impressive, though would be even more so if they could figure out how to do the reverse and arbitrarily plant bits in the memory of an air-gapped, uncompromised machine.
Given that this was published by an Israeli research university, I imagine the answer for "how do you plant the bits in the first place" is spelled "Mossad." (The paper does note that a nation-state adversary could, entirely theoretically of course, plant the bits via a supply chain attack.)
https://www.dni.gov/files/NCSC/documents/Regulations/Technic...