Blog :: Security Operations

Trump’s Air Gap Strategy Already Compromised

mikep

Serious cyber threats, attacks and breaches occur every day, and it is only a matter of time before some of them have catastrophic results. From the OPM breach of government employee records to the attack on the Ukrainian power grid, it is clear that securing government and critical infrastructure systems is a national emergency. As attacks keep evolving, unplugging government networks and reverting to closed, air-gapped systems has been suggested as a way to buy some relief.

But the relief doesn't last long. Setting up an air gap, where every desk has two computers, one connected to the internet and a second cut off from it entirely, would be a considerable investment. For some organizations the benefit may seem to outweigh the cost, but in truth the isolation it provides can be bridged by a determined adversary.


For years, many of the world's most critical information systems, such as those aboard Navy ships, have been air gapped from the internet because the risk of any compromise is too great to accept. Yet it has long been known that air gaps can be bridged, allowing data to move in and out of systems assumed to be 100% protected.

President Trump recently suggested that the best way to keep secrets from hackers is a huge air gap. Although there is some validity in his statement, “huge” is a relative term when it comes to air gaps.

Air gaps have been bridged, in published research and reportedly in the wild, using several techniques:

AirHopper: malware on the isolated host drives the graphics card so that the video signal radiates in the FM band, and a nearby mobile phone's FM receiver picks it up. The researchers transmitted data from the physically isolated machine to a phone up to 7 meters (23 feet) away at 13-60 bytes per second. The same research group later showed that the light from a flatbed scanner can serve as a covert channel between the isolated computer and a receiver outside; in their experiments they stationed a drone at the window of the office in which the scanner was located to capture the data.

Flame: its BeetleJuice module uses Bluetooth to discover and fingerprint devices near the infected machine. Researchers who analyzed it noted that the same capability could be used to pull contacts, text messages, photos and other data from those devices, or to exfiltrate sensitive information over a channel that never crosses the firewall or other network controls.

badBIOS: reported in 2013 by researcher Dragos Ruiu, who described malware that targets a computer's Basic Input/Output System (BIOS), Unified Extensible Firmware Interface (UEFI) and possibly other firmware, runs on a wide variety of platforms, escapes common forms of detection and survives most attempts to eradicate it. Its claimed air-gap bridge is high-frequency audio passed between computer speakers and microphones. Ruiu's claims were never independently confirmed, but the acoustic channel itself is real: researchers at Fraunhofer FKIE demonstrated near-ultrasonic networking between unconnected laptops that same year.

For most organizations these channels are very hard to detect. Ordinary network monitoring never sees them; spotting them means watching for odd radio or acoustic emissions, or for LEDs blinking in unusual patterns, which requires special-purpose hardware placed near the machines.

To make matters worse, these implants are becoming cheap to engineer and deploy, and when the potential payoff is high the cost is worth the risk, as in 2013, when the Kremlin reportedly slipped spying gadgets into G20 summit gift bags. But don't be too quick to sneer at the Russians: our own government has been reported to intercept hardware in transit, open the boxes, install new chips, then repackage the units before they reach customers in foreign countries, all in an effort to gain an intelligence edge.

Senators Angus King, I-Maine, Jim Risch, R-Idaho, Martin Heinrich, D-N.M., and Susan Collins, R-Maine, have proposed a return to a bygone approach: keeping manual (i.e. non-SCADA) controls in place on the grid so that operators can fall back to them after a computing disaster.

“The United States is one of the most technologically advanced countries in the world, which also means we’re one of the most technologically vulnerable countries in the world,” Sen. King said after introducing the legislation. “By looking to the past, we may be able to develop ways to thwart the sophisticated cyberattacks of the future. Our legislation would re-engineer the last mile of the energy grid to isolate its most important systems and, in doing so, help defend it from a devastating blow that could cut off electricity to millions of people across the country.”

The general belief is that a cyber disaster is inevitable, so it makes sense to put emergency response plans for computer networks in place now. Before a real emergency, digital fire drills should be rehearsed, because that is when the flaws surface. The new defense is investigation. By collecting flow records such as NetFlow and IPFIX, security teams can replay traffic patterns much as they would replay footage from a security camera. Only then can they see how the malware got in, how it moved around the network, where it went and what else might be infected. Bear in mind that flow data covers only the network: the radio, acoustic and optical channels described above never touch a switch, so host telemetry is still needed to catch them. Even so, SIEM correlation and flow collection are the most practical way to gain enterprise-wide visibility, so that government agencies can purge malware and recover their systems.
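As an added example (not from the original post, and not any vendor's product), here is a small Python script that replays a constructed set of NetFlow-style records to reconstruct an intrusion in the way the paragraph above describes: the first internal host that talks to a known-bad address, the chain of hops to other internal hosts, and the large outbound transfer that looks like exfiltration. The addresses, the 10.0.0.0/8 internal range, the indicator list, the 10 MB exfiltration threshold and the lateral-movement port set are all assumptions made for this example.

```python
"""Replay flow records to reconstruct how an intrusion spread.

Example added to this post; it is not the author's tooling or any vendor's product.
Input is the kind of CSV a NetFlow/IPFIX collector can export:
timestamp,src,sport,dst,dport,proto,bytes
"""
import ipaddress
from collections import namedtuple
from datetime import datetime

Flow = namedtuple("Flow", "ts src sport dst dport proto nbytes")

# Ports typically used to hop between hosts: SSH, SMB, RDP, WinRM.
# An assumption for this example; tune it to your estate.
LATERAL_PORTS = {22, 445, 3389, 5985, 5986}

# Constructed sample records (not real captures). Text after '#' is ignored.
SAMPLE_FLOWS = """
2017-03-10T08:30:00,10.1.1.30,40000,10.1.1.31,445,6,1000          # routine SMB, before the intrusion
2017-03-10T09:00:11,10.1.1.20,49211,203.0.113.7,443,6,4120        # beacon to a known C2 address
2017-03-10T09:14:30,10.1.1.20,49301,10.1.1.25,445,6,90210         # first hop over SMB
2017-03-10T09:15:00,10.1.1.40,49500,10.1.1.25,445,6,3000          # unrelated host, never compromised
2017-03-10T09:20:02,10.1.1.25,50100,10.1.2.40,445,6,88112         # pivot into another subnet
2017-03-10T09:31:40,10.1.2.40,50880,10.1.3.9,3389,6,2200400       # RDP onto a server
2017-03-10T09:35:00,10.1.3.9,50901,10.1.1.20,445,6,500            # back to patient zero, nothing new
2017-03-10T09:40:00,10.1.3.9,50990,198.51.100.9,443,6,52000000    # 52 MB out to an unknown host
2017-03-10T09:41:00,10.1.1.30,40100,10.1.1.31,445,6,900           # routine, untouched
"""


def parse_flows(text):
    """Parse the CSV lines into Flow records, oldest first."""
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ts, src, sport, dst, dport, proto, nbytes = (v.strip() for v in line.split(","))
        flows.append(Flow(datetime.fromisoformat(ts), src, int(sport), dst,
                          int(dport), int(proto), int(nbytes)))
    return sorted(flows, key=lambda f: f.ts)


def trace_spread(flows, ioc_ips, internal_net="10.0.0.0/8", exfil_bytes=10_000_000):
    """Walk the flows in time order and reconstruct the intrusion.

    Returns patient zero, every host reached from it over a lateral-movement
    port, the ordered list of hops, and large outbound transfers from
    compromised hosts. Replaying in time order is what turns the records into
    a causal chain rather than a list of hosts that ever talked to each other.
    """
    net = ipaddress.ip_network(internal_net)

    def internal(ip):
        return ipaddress.ip_address(ip) in net

    compromised = {}  # host -> time it was first implicated
    hops, exfil = [], []
    for f in flows:
        src_in, dst_in = internal(f.src), internal(f.dst)
        if src_in and not dst_in and f.dst in ioc_ips and f.src not in compromised:
            compromised[f.src] = f.ts            # outbound contact with a known-bad address
        elif not src_in and dst_in and f.src in ioc_ips and f.dst not in compromised:
            compromised[f.dst] = f.ts            # inbound contact from a known-bad address
        elif (src_in and dst_in and f.src in compromised
              and f.dport in LATERAL_PORTS and f.dst not in compromised):
            compromised[f.dst] = f.ts            # a compromised host reached a new one
            hops.append((f.ts, f.src, f.dst, f.dport))
        elif src_in and not dst_in and f.src in compromised and f.nbytes >= exfil_bytes:
            exfil.append((f.ts, f.src, f.dst, f.nbytes))
    patient_zero = min(compromised, key=compromised.get) if compromised else None
    return {"patient_zero": patient_zero, "compromised": compromised,
            "hops": hops, "exfil": exfil}


if __name__ == "__main__":
    result = trace_spread(parse_flows(SAMPLE_FLOWS), ioc_ips={"203.0.113.7"})
    print("patient zero:", result["patient_zero"])
    for ts, src, dst, port in result["hops"]:
        print(f"{ts:%H:%M:%S}  {src} -> {dst} (port {port})")
    for ts, src, dst, nbytes in result["exfil"]:
        print(f"{ts:%H:%M:%S}  {src} -> {dst} sent {nbytes:,} bytes")
```

Run as-is it prints the pivot chain 10.1.1.20 -> 10.1.1.25 -> 10.1.2.40 -> 10.1.3.9 and the 52 MB transfer from the last hop; the routine SMB traffic and the unrelated host that also touched 10.1.1.25 stay out of the picture because they were never reached from a compromised host. With a real collector export the only thing to swap in is the indicator set, which is where a SIEM's threat-intelligence feed plugs in.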