Air-gapped computers, isolated from the Internet and from other networks, have long been considered the most secure place to store data in critical environments such as industrial control systems, financial institutions, and classified military networks.
However, such systems have been successfully targeted in the past, which shows that isolation alone does not make them secure.
Previous techniques for attacking air-gapped computers include:
AirHopper, which turns a computer’s video card into an FM transmitter to leak keystrokes to a nearby receiver;
BitWhisper, which relies on heat exchange between two adjacent computers to stealthily siphon passwords or security keys;
Exfiltrating data from an air-gapped computer to a basic low-end mobile phone over GSM frequencies; and
Recovering a secret cryptographic key from an air-gapped computer placed in another room using a side-channel attack.
Now, researchers have devised a new method to steal data from an infected computer even when it is kept physically disconnected from the Internet precisely to prevent the sensitive information stored on it from leaking.
Primary Focus of the ‘DiskFiltration’ Research:
Setting aside how an air-gapped computer gets infected with malware in the first place, the new research focuses on how, once installed, the malware can transfer data (passwords, cryptographic keys, keylogging data, etc.) off the air-gapped computer with no network connection, Internet access, USB port, Bluetooth, speakers, or any other electronic device attached to it.
A team of researchers from Ben-Gurion University published their findings in a paper titled "DiskFiltration: Data Exfiltration from Speakerless Air-Gapped Computers via Covert Hard Drive Noise," which explains a technique that uses acoustic signals (sound) emitted by the hard disk drive (HDD) of the targeted air-gapped computer to transmit the stolen data.
How Does DiskFiltration Work?
You have probably heard your computer’s hard drive whir and click while it reads or writes data.
The whir is the platters spinning; the clicking comes from the voice coil "actuator" inside the drive, which swings the read/write head arm across the platters to reach specific blocks of storage. DiskFiltration relies only on the latter.
As demonstrated in the paper, the researchers’ malware drives the actuator in a specific pattern so that the seek noise encodes data, somewhat like Morse code; a smartphone app about six feet away picks up the noise and decodes it back into binary data at a rate of 180 bits per minute, Ars Technica reported.
"The idle acoustic noise emitted from disk rotation is static and cannot be controlled by software," the paper explains.
"In order to modulate binary data, we exploit the seek acoustic noise generated by the movements of the actuator. By regulating (starting and stopping) a sequence of seek operations, we control the acoustic signal emitted from the HDD, which in turn can be used to modulate binary 0 and 1."
According to the paper, this rate is enough to transmit a 4,096-bit key in about 25 minutes through the manipulated sound emitted by the hard disk drive (4,096 bits at 180 bits per minute is roughly 23 minutes of raw payload).
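To make the modulation concrete, the following is an added simulation of the on-off keying the quoted passage describes; it is not the researchers’ code. The transmitter turns bits into a timeline of "seek for one bit period" versus "idle", the simulated microphone produces a synthetic amplitude envelope (constant rotation noise plus extra noise while seeking plus ambient noise), and the receiver averages each bit window and slices against a threshold. The bit rate is the paper’s 180 bits per minute; the envelope sample rate, the noise levels, the alternating preamble used to calibrate the threshold, and the assumption that the receiver is already aligned to bit boundaries are all assumptions of this example.

```python
"""Added simulation of DiskFiltration-style on-off keying over HDD seek noise.

Everything here is constructed for illustration: the 'envelope' is a synthetic
amplitude trace, not a recording, and the preamble and levels are assumptions.
"""
import random

BITS_PER_MINUTE = 180                                    # rate reported in the paper
BIT_TIME_S = 60.0 / BITS_PER_MINUTE                      # ~0.333 s of seeking or idling per bit
ENVELOPE_RATE_HZ = 60                                    # envelope samples per second (assumption)
SAMPLES_PER_BIT = round(BIT_TIME_S * ENVELOPE_RATE_HZ)   # 20 samples per bit
PREAMBLE = [1, 0, 1, 0, 1, 0, 1, 0]                      # assumed calibration header, not from the paper


def bytes_to_bits(data: bytes) -> list[int]:
    """MSB-first bit list, e.g. b'A' -> [0,1,0,0,0,0,0,1]."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def bits_to_bytes(bits: list[int]) -> bytes:
    """Inverse of bytes_to_bits; a trailing partial byte is dropped."""
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2)
                 for i in range(0, len(bits) - len(bits) % 8, 8))


def seek_schedule(payload: bytes) -> list[tuple[float, bool]]:
    """Transmitter (malware) side. Returns (start_seconds, seeking) per bit period:
    '1' = keep issuing seek operations for one bit period, '0' = leave the
    actuator idle. Only the seek noise is under software control; the steady
    rotation noise is not, which is why the channel is on-off keyed."""
    frame = PREAMBLE + bytes_to_bits(payload)
    return [(i * BIT_TIME_S, bit == 1) for i, bit in enumerate(frame)]


def simulate_envelope(schedule, idle_level=0.30, seek_level=1.00,
                      noise_std=0.12, seed=1) -> list[float]:
    """Receiver-side microphone, simulated: a constant rotation-noise floor
    (idle_level), extra seek noise while seeking (seek_level), plus Gaussian
    ambient noise. Raising noise_std models the 'jam with background noise'
    countermeasure; raising idle_level toward seek_level models a quieter drive."""
    rng = random.Random(seed)
    envelope = []
    for _, seeking in schedule:
        level = seek_level if seeking else idle_level
        envelope.extend(max(0.0, level + rng.gauss(0.0, noise_std))
                        for _ in range(SAMPLES_PER_BIT))
    return envelope


def demodulate(envelope: list[float]) -> bytes:
    """Receiver (smartphone app) side, assuming bit-boundary synchronisation:
    average each bit window, set the slicing threshold midway between the
    preamble's '1' and '0' windows, then slice the payload windows."""
    n_windows = len(envelope) // SAMPLES_PER_BIT
    if n_windows < len(PREAMBLE):
        return b""
    windows = [sum(envelope[i * SAMPLES_PER_BIT:(i + 1) * SAMPLES_PER_BIT]) / SAMPLES_PER_BIT
               for i in range(n_windows)]
    ones = [w for w, b in zip(windows, PREAMBLE) if b == 1]
    zeros = [w for w, b in zip(windows, PREAMBLE) if b == 0]
    threshold = (sum(ones) / len(ones) + sum(zeros) / len(zeros)) / 2.0
    payload_bits = [1 if w > threshold else 0 for w in windows[len(PREAMBLE):]]
    return bits_to_bytes(payload_bits)


def transmit_time_minutes(n_bits: int) -> float:
    """Raw payload time at the paper's rate: 4096 bits -> about 22.8 minutes."""
    return n_bits / BITS_PER_MINUTE


if __name__ == "__main__":
    secret = b"constructed secret"
    recovered = demodulate(simulate_envelope(seek_schedule(secret)))
    print(recovered == secret, recovered)
    print(f"{transmit_time_minutes(4096):.1f} minutes for a 4096-bit key")
```

The window-averaging step is what makes the receiver tolerant of ambient noise: with 20 samples per bit the noise on each window average is much smaller than the gap between the idle and seek levels. Pushing `noise_std` up or closing the gap between `idle_level` and `seek_level` is a cheap way to see how the jamming and quiet-drive countermeasures discussed below degrade the channel.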
It is worth stressing that in real-world situations this technique only becomes a threat once an attacker has a way to get malware onto the air-gapped computer in the first place, whether remotely or through an insider who installs it from a USB drive.
How to Protect Against DiskFiltration-Style Threats?
As a countermeasure, the researchers advise replacing HDDs (hard disk drives) with SSDs (solid state drives), which eliminates the DiskFiltration-style threat entirely: SSDs have no moving parts and therefore generate virtually no noise.
Using particularly quiet hard drives, or installing drives inside special noise-dampening enclosures, can also limit the range at which the emitted noise can be picked up. Another countermeasure is to jam the hard-drive signal by generating background noise.
At the software and firmware level, using hard drives that support automatic acoustic management (AAM), which trades seek speed for quieter head movement, can also reduce the emitted seek noise.
Another option is to ban smartphones and other recording devices in the vicinity of sensitive air-gapped computers.