Air Gapped Computer: What Is It & How Do You Secure One?

Air Gapped Computer
Image credits: Softeco

If you are a cyber security enthusiast, you are bound to come across the term “air gapped computer.” As it relates to computer networking, air gapping is a security measure to ensure that a computer network is physically isolated from unsecured networks like the internet and local area networks.

Nowadays, the stakes in cyber security are high. Organizations constantly transmit sensitive data across networks, and cyberattacks are on the rise. Ransomware, for example, is one of the most common cyber threats today. Cybersecurity Ventures predicts that the global cost of ransomware attacks will reach $265bn by 2031.

The rising number of cyber attacks is the main reason why tight security is paramount. In general, a secure infrastructure includes multiple layers of protection spread across computers, programs, and networks. The air gap concept is also believed to be a highly effective way to protect valuable information. But is it really secure enough?

What is an Air Gap?

An air gap is a network security measure that physically separates a secure network from any other computer or network.

An air-gapped computer is isolated from unsecured networks, meaning that it is not directly connected to the internet, nor is it connected to any other system that is connected to the internet. A true air-gapped computer is also physically isolated. This means the only way to pass data to it is physically (via USB, removable media, or a FireWire link to another machine).

The term “air gapping” refers to the idea that there is a gap of air between the computer and other networks. It isn’t connected to them and it can’t be attacked over the network. An attacker would have to “cross the air gap” and physically sit down in front of the computer to compromise it, as there’s no way to access it electronically over a network.

Air gapping also plays an important role in backup and recovery. For example, with 3-2-1 backups, three copies of each backup are kept. While two of the copies can be stored on the same network, the third copy has to be air-gapped and stored in a completely different physical location. This way, even if the network is attacked and the first two copies are compromised, storage administrators can use the air-gapped copy to restore data quickly.

Some companies market a network or computer as air gapped when the systems are in fact only separated by a software firewall. Be cautious of this, as firewalls can be breached through both security failures and misconfiguration.

How to Air Gap a Computer

Air gapping a computer is actually pretty simple: Just disconnect it from the network.

Don’t connect it to the internet, and don’t connect it to a local network. Disconnect any physical Ethernet cables and disable the computer’s Wi-Fi and Bluetooth hardware. For maximum security, consider reinstalling the computer’s operating system from trusted installation media and using it entirely offline after that.

Don’t reconnect the computer to a network, even when you need to transfer files. If you need to download some software, for example, use a computer connected to the internet, transfer the software to something like a USB drive, and use that storage device to move the files back and forth.

This ensures that your air-gapped system can’t be compromised by an attacker over the network. It also ensures that, even if there is malware like a keylogger on your air-gapped computer, it can’t communicate any data over the network.

For better security, disable any wireless networking hardware on the air-gapped PC. For example, if you have a desktop PC with a Wi-Fi card, open the PC and remove the Wi-Fi hardware. If you can’t do that, you could at least go to the system’s BIOS or UEFI firmware and disable the Wi-Fi hardware.
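As an added example (not from the article), here is a small Python audit for a Linux machine that checks the two things the steps above tell you to remove: any non-loopback interface that is still UP, and any Wi-Fi or Bluetooth radio that rfkill reports as unblocked. It parses the output of `ip -o link show` and `rfkill list`; the sample output embedded for the self-test is constructed, not captured from a real host.

```python
import re
import subprocess

# `ip -o link show` prints one line per interface: "<idx>: <name>[@peer]: <FLAGS> ...";
# `rfkill list` prints "<idx>: <name>: <type>" followed by indented "Soft/Hard blocked: yes|no".
_LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<([^>]*)>")
_RADIO_RE = re.compile(r"^\d+:\s+(\S+):\s+(.+?)\s*$")

def active_interfaces(ip_link_output):
    """Non-loopback interfaces whose flags include UP; anything listed here breaks the air gap."""
    found = []
    for line in ip_link_output.splitlines():
        m = _LINK_RE.match(line)
        if m:
            flags = set(m.group(2).split(","))
            if "UP" in flags and "LOOPBACK" not in flags:
                found.append(m.group(1))
    return found

def unblocked_radios(rfkill_output):
    """Radios that are neither soft- nor hard-blocked, reported as 'name (type)'."""
    radios = []  # entries are [name, type, blocked]
    for line in rfkill_output.splitlines():
        m = _RADIO_RE.match(line)
        if m:
            radios.append([m.group(1), m.group(2), False])
        elif radios and "blocked:" in line.lower() and line.strip().lower().endswith("yes"):
            radios[-1][2] = True
    return [f"{name} ({kind})" for name, kind, blocked in radios if not blocked]

def _run(cmd):
    try:  # a missing tool yields empty output rather than a crash
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return ""

# Constructed sample output (not captured from a real host) used by the offline self-test.
SAMPLE_IP_LINK = ("1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN\n"
                  "2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN\n"
                  "3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP\n")
SAMPLE_RFKILL = ("0: phy0: Wireless LAN\n\tSoft blocked: no\n\tHard blocked: no\n"
                 "1: hci0: Bluetooth\n\tSoft blocked: yes\n\tHard blocked: no\n")

if __name__ == "__main__":
    findings = [f"interface {n} is UP" for n in active_interfaces(_run(["ip", "-o", "link", "show"]))]
    findings += [f"radio {r} is not blocked" for r in unblocked_radios(_run(["rfkill", "list"]))]
    print("\n".join(f"FINDING: {f}" for f in findings) or "OK: no active interfaces or unblocked radios")
```

Run it as root after the steps above; a clean result is a useful baseline to re-run periodically, since the article later notes that malware could re-enable wireless hardware that is only disabled in software.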

Types of air gaps

There are three main types of air gap:

  • Total physical air gaps: Complete physical separation of a system or device from the network. There are no network connections to the device, so to get data off it or load data onto it you have to go to where it is stored. You may also need to pass through security, since physical access to the environment where the device is kept is usually restricted.
  • Logical air gaps: The system is not physically separated from the rest of the environment but is isolated from it through encryption and hashing.
  • Isolated air-gapped systems: Systems or devices that are not connected to a common network but are kept in the same place (i.e. in one room).

More on Air Gapping a Computer

In theory, malware on your air-gapped PC could re-enable the Wi-Fi hardware and connect to a Wi-Fi network if a computer has functioning wireless networking hardware. So, for a nuclear power plant, you really want a computer system that has no wireless networking hardware inside it. At home, just disabling the Wi-Fi hardware may be good enough.

Also, you must be careful about the software you download and bring to the air-gapped system. If you are constantly transferring data back and forth between an air-gapped system and a non-air-gapped system via a USB drive and both are infected with the same malware, the malware could exfiltrate data from your air-gapped system via the USB drive.
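One defensive control for the USB transfer procedure described above is a hash manifest: the networked side records the SHA-256 of every file it exports, and the air-gapped side refuses the drive if anything is missing, altered, or not on the list. The following is an added Python example, not code from the article; the manifest file name is a hypothetical choice and the scenario it runs through is constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256.json"  # hypothetical file name chosen for this example
CHUNK = 1 << 20  # hash in 1 MiB chunks so a large installer never has to fit in memory

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Networked side: map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and p.name != MANIFEST_NAME}

def verify_transfer(root, manifest):
    """Air-gapped side: report files that are missing, modified, or absent from the manifest.

    An 'unexpected' file is one the networked side never listed; that is the kind of
    hitchhiker the article warns about, so the whole drive should be refused if any appear.
    """
    actual = build_manifest(root)
    return {"missing": sorted(set(manifest) - set(actual)),
            "modified": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
            "unexpected": sorted(set(actual) - set(manifest))}

def demo():
    """Constructed scenario: a clean export, then a drive whose contents changed in transit."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = Path(tmp, "usb")
        (drive / "docs").mkdir(parents=True)
        (drive / "tool.bin").write_bytes(b"constructed installer bytes")
        (drive / "docs" / "README.txt").write_text("constructed readme\n")
        (drive / MANIFEST_NAME).write_text(json.dumps(build_manifest(drive), indent=2))
        # What the air-gapped host finds after the drive has passed through another machine:
        (drive / "unlisted.bin").write_bytes(b"constructed file that nobody exported")
        (drive / "docs" / "README.txt").write_text("constructed readme, altered\n")
        return verify_transfer(drive, json.loads((drive / MANIFEST_NAME).read_text()))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest only proves the drive still holds what the networked side exported; whether that export itself was clean is a separate question, which is why the article still warns against blindly trusting downloaded software.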

Finally, make sure the air-gapped computer is physically secure, too. With no network connection, physical security is what is left to worry about. For example, if you have an air-gapped critical system with sensitive business data in an office, it should probably be in a secure area like a locked room rather than in the center of an office where various people are always walking back and forth.

If you have an air-gapped laptop with sensitive data, store it securely so it isn’t stolen or otherwise physically compromised.

Where are air-gapped computers used?

Air-gapped computers are often found in environments that handle classified information or control critical infrastructure. Examples include:

  • Air traffic control systems
  • Automotive computer systems
  • Avionics or computer systems in planes
  • Financial computer systems (e.g., stock exchanges)
  • Government systems dealing with classified information
  • HVAC (heating, ventilation, and air conditioning) and thermostat systems
  • Military systems
  • Industrial control systems
  • Nuclear power plants
  • Oil and gas industrial systems
  • Sensitive or life-saving medical equipment

Some of the systems listed above may be remotely monitored or controlled over a controlled network. However, once remote access is granted to an air-gapped system, it is considered a “closed system,” not an air-gapped one.

Air-gapped computers are typically located in secure places, such as a separate server facility with tight security. As a precaution, air-gapped systems have restricted access, so only a few trusted users can reach them.

Purpose of air gapping a computer

Air gapping protects critical computer systems or data from potential cyber-attacks. The purpose of an air gap is to eliminate any possibility that a threat actor can infiltrate the protected system through an external connection.

Companies also use air gapping to create backups of their data. Implementing an air-gapped backup can be a challenge, though, as it requires a high level of security and planning. However, when managed properly, air-gapped networks can provide one of the highest levels of security.

Air-gapped backups also let companies restore data that was lost or corrupted through a software glitch, a hardware failure, or a ransomware attack.

The 3-2-1 rule

Air gapping plays an important role in the 3-2-1 backup strategy. This strategy ensures that you will always have access to your data, since there will be at least three copies of it. Air gapping is usually the preferred way to protect the data backed up under the 3-2-1 rule.

Note: Although air gapping can defend your data from hackers, this method is not unbreakable. Relying on an air gap as your only form of defense can expose you to significant damage and risk.

One way hackers are beating the air gap is through USB malware. The Stuxnet incident of 2010 is a good example of how malware carried on removable media can cause damage: that strain was spread to Iranian industrial and nuclear plants via USB drives. The key point in the Stuxnet case is that a determined actor infiltrated a secure facility and delivered malware that ultimately found its target despite the air-gapped network.

Are air gapped computers completely secure?

No. Air-gapped computers can still be breached. Granted, it is a lot harder to do when a computer is air gapped, but methods exist.

The easiest way to breach an air-gapped computer is to find a human intermediary to do it. They will need physical access to the computer so they can attach a USB device, such as a flash drive or a Wi-Fi dongle. Think Tom Cruise in Mission: Impossible.

That’s the easy way.

Air-gapped computers aren’t immune from threats. People can use USB drives and other removable storage devices to move files between air-gapped computers and networked computers. For example, you might download an application on a networked computer, put it on a USB drive, take it to the air-gapped computer, and install it.

This opens up a vector of attack, and it’s not a theoretical one. The sophisticated Stuxnet worm worked in this way. It was designed to spread by infecting removable drives like USB drives, giving it the ability to cross an “air gap” when people plugged those USB drives into air-gapped computers. It then used other exploits to spread through air-gapped networks, since some air-gapped computers inside organizations are connected to each other but not to larger networks. The worm was designed to target specific industrial software applications.

The Stuxnet worm, allegedly from the USA and Israel, reportedly did a lot of damage to Iran’s nuclear program, although the countries involved never publicly confirmed this. What we do know is that Stuxnet was sophisticated malware designed to attack air-gapped systems.

Other ways to breach air gapped computers

If you want to get a bit more scientific, there are other covert channels for extracting data from an air-gapped computer. They include:

Electromagnetic

Electromagnetic channels are the oldest attack vectors of the group. These techniques include eavesdropping on EM radiation from the computer’s memory bus and monitoring leakage from USB ports and cables. Because electromagnetic channels have been widely studied, EM shielding has become a fairly common defensive measure.

Acoustic

Recently, acoustic channels have become a popular attack vector. This is due to the proliferation of hackable smartphones that are capable of picking up audio signals that the human ear can’t differentiate from background noise.

The most cutting-edge area involves the use of ultrasonic sound waves with higher frequencies that are both inaudible and provide greater bandwidth.

Thermal

Unlike the other categories, thermal hacks are more theoretical than anything at this point. While they have been demonstrated, the bandwidth is low, measuring in the low tens of bits per second over a very short distance. It’s unclear whether this will ever become a practical attack vector.

Optical Transmission

The most recently explored channel, optical transmission, is bolstered by the widespread availability of easily hacked surveillance cameras. Almost every system has status LEDs, and a compromised camera watching them can receive substantial amounts of information.

How difficult is it to breach air gapped computers?

Extremely challenging. The common theme across all of these attacks is that they require physical proximity. This means being close enough to record electromagnetic radiation, pick up inaudible sound waves, or rappel down from the ceiling.

Beyond that, most of them are proof-of-concept attacks. That means they’re all:

  • Difficult to execute
  • Contingent upon numerous conditions being met
  • Developed by security researchers for research purposes

That last point is especially salient. These exploits were pulled off primarily to raise awareness and are not things you are likely to find in practice. On the flip side, most cybercriminals don’t publish proofs of concept, so there could be other methods we don’t even know about.

Regardless, the best and most reliable method continues to be social engineering. Doing it the Tom Cruise way.

Is it possible for a virus to infect an air-gapped system?

Yes. For example, Stuxnet was able to attack and infect an air-gapped system through a USB (universal serial bus) thumb drive that was connected to a computer on its network.

If an air-gapped computer also had its drives, USB ports, Bluetooth, and other ports disabled, it would be almost impossible for a virus or other malware to infect the computer. We say “almost” because, as mentioned above, scientists have demonstrated more sophisticated methods of attacking an air-gapped system using acoustic signaling. They have also theorized attacks using FM (frequency modulation) signals, NFC (near-field communication), and cellular frequencies.

To prevent these types of attacks, an air-gapped computer would require a Faraday cage to block all forms of wireless communication.

How to enhance air gap security

As mentioned, an air-gapped system is not perfect and has its flaws and vulnerabilities. To enhance your air gap security, keep the following things in mind:

  • Encrypt the data: Air-gapped backups should be encrypted to protect sensitive data from being accessed by unauthorized users. It is a good measure in case the media is stolen, as the data will be useless to the thieves.
  • Ban phones near air-gapped machines: Security experts have found that innovative acoustic channels using ultrasonic and otherwise inaudible sound waves can serve as an attack vector, with smartphones capable of picking up higher frequencies acting as the receiver. Data can also be pushed out over radio signals even when Bluetooth is turned off. So it is better not to use mobile phones near the most critical systems.
  • Secure the location: Backups should be stored in a secure location that is not accessible to unauthorized personnel. Enforce strict policies about where air-gapped network hardware can physically go, who can use it outside of designated physical areas, and how it can be used.
