Computer security researchers have discovered a new way to steal data from supposedly highly secure air-gapped computers using a low-end 2G mobile phone, the GSM network and radio frequency (RF) electromagnetic waves.
Researchers from Ben-Gurion University of the Negev in Israel have devised a new method of stealing information that requires both the 2G mobile phone and the targeted computer to have malware installed on them.
Computers naturally emit electromagnetic radiation, and because mobile phones are built to receive RF signals in the same bands, malware on the computer can send passwords or encryption keys to the phone over those electromagnetic waves.
Feature phones that offer only SMS text messaging and voice calls are typically the only phones allowed in sensitive environments, as they have no camera and give malware no way to turn them into listening devices, as iOS and Android devices can be.
However, the researchers found that a phone is not even required: a dedicated electromagnetic RF receiver positioned about 30m from the air-gapped computer, even on the other side of a wall, could extract data, and far more of it than the phone could siphon off.
What is an air-gapped computer?
Air-gapped systems are computers deliberately isolated from connecting to the internet or any other computers in order to make sure they stay secure and data cannot be stolen from them.
These systems are routinely used by financial payment networks to process credit card transactions for retailers, classified military networks or industrial control systems that operate important infrastructure like a city's electrical grid.
Typically, the only way to get data off an air-gapped computer is to physically access the machine, which also makes it much harder to infect with malware, unless the malware was already in place beforehand.
Nevertheless, the researchers say that their findings are a grave warning to defence companies and other firms trying to protect sensitive information, and these companies must prevent anyone who enters their premises from bringing in devices that can intercept RF signals.
"While there may not be a threat from the network, this does not mean air-gapped computers cannot be infected by other means. This really shows why a network-only security approach is no longer viable; endpoints themselves are increasingly the target of bold hackers intent on exfiltrating data," said David Flower, Managing Director Europe for security firm Bit9 + Carbon Black.
"Companies need continuous monitoring and recording on each and every endpoint device – including mobile devices – if they are to detect and respond to unusual activity and prevent these kinds of attacks."
Should we stop using air-gapped computers?
The researchers, whose work is detailed in the paper "GSMem: Data Exfiltration from Air-Gapped Computers over GSM Frequencies", say that their work is a breakthrough in hacking air-gapped computers.
They will be presenting their research at the 24th USENIX Security Symposium in Washington DC on 12-14 August.
Security firm Tripwire agrees and is concerned that the growth of Internet of Things smart devices will "cause headaches for enterprises who require high levels of security":
"Indeed, this research is quite interesting. The important point here to me, however, is that we all need to recognise that air-gapped-ness is quickly becoming a thing of the past," said Lane Thames, security researcher at Tripwire.
"We currently have plenty of very powerful, small-footprint devices that, in theory, could be used to penetrate physically secure, air-gapped environments (think miniature drones and micro-robotics). Essentially, we in the security industry will need to devise new ways of handling this emerging threat scenario. The physical security problems and solutions of tomorrow will absolutely be different than what we have today."