Air gap (networking)

An air gap, air wall, air gapping^[1] or disconnected network is a network security measure employed on one or more computers to ensure that a secure computer network is physically isolated from unsecured networks, such as the public Internet or an unsecured local area network.^[2] It means a computer or network has no network interface controllers connected to other networks,^[3]^[4] with a physical or conceptual air gap, analogous to the air gap used in plumbing to maintain water quality.

Use in classified settings

An air-gapped computer or network is one that has no network interfaces, either wired or wireless, connected to outside networks.^[3]^[4] Many computers, even when they are not plugged into a wired network, have a wireless network interface controller (WiFi) and are connected to nearby wireless networks to access the Internet and update software. This represents a security vulnerability, so air-gapped computers have their wireless interface controller either permanently disabled or physically removed. To move data between the outside world and the air-gapped system, it is necessary to write data to a physical medium such as a thumbdrive, and physically move it between computers. Physical access has to be controlled (man identity and storage media itself). It is easier to control than a direct full network interface, which can be attacked from the exterior insecure system and, if malware infects the secure system, can be used to export secure data. That's why some new hardware technologies are also available like unidirectional data diodes or bidirectional diodes (also called electronic airgaps), that physically separate the network and transportation layers and copy and filter the application data.

In environments where networks or devices are rated to handle different levels of classified information, the two disconnected devices or networks are referred to as low side and high side, low being unclassified and high referring to classified, or classified at a higher level. This is also occasionally referred to as red (classified) and black (unclassified). Access policies are often based on the Bell–LaPadula confidentiality model, where data can be moved low-to-high with minimal security measures, while high-to-low requires much more stringent procedures to ensure protection of the data at a higher level of classification. In some cases (for instance industrial critical systems), the policy is different: data can be moved from high-to-low with minimal security measures, but low-to-high requires a high level of procedures to ensure integrity of the industrial safety system.

The concept represents nearly the maximum protection one network can have from another (save turning the device off). One way to transfer data between the outside world and the air-gapped system is to copy data on a removable storage medium such as a removable disk or USB flash drive and physically carry the storage to the other system. This access still has to be carefully controlled since USB drive may have vulnerabilities (see below). The upside to this is that such a network can generally be regarded as a closed system (in terms of information, signals, and emissions security), unable to be accessed from the outside world. The downside is that transferring information (from the outside world) to be analyzed by computers on the secure network is extraordinarily labor-intensive, often involving human security analysis of prospective programs or data to be entered onto air-gapped networks and possibly even human manual re-entry of the data following security analysis.^[5] That's why another way to transfer data, used in appropriate situations like critical industries, is to use data diodes and electronic airgaps, that assure a physical cut of the network by a specific hardware.

Sophisticated computer viruses for use in cyberwarfare, such as Stuxnet^[6] and Agent.BTZ have been designed to infect air-gapped systems by exploiting security holes related to the handling of removable media. The possibility of using acoustic communication has also been demonstrated by researchers.^[7] Researchers have also demonstrated the feasibility of data exfiltration using FM frequency signals.^[8]^[9]

Examples

Examples of the types of networks or systems that may be air gapped include:

Military/governmental computer networks/systems;^[10]
Financial computer systems, such as stock exchanges;^[11]
Industrial control systems, such as SCADA in Oil & Gas fields;^[12]
National and state lottery game machines or random number generators, which are required to be completely isolated from networks to prevent lottery fraud
Life-critical systems, such as:
- Controls of nuclear power plants;
- Computers used in aviation,^[13] such as FADECs, air traffic control systems, and avionics;
- Computerized medical equipment;
Very simple systems, where there is no need to compromise security in the first place, such as:
- The engine control unit and other devices on the CAN bus in an automobile;
- A digital thermostat for temperature and compressor regulation in home HVAC and refrigeration systems;
- Electronic sprinkler controls for watering of lawns.

Many of these systems have since added features that connect them during limited periods of time to the organisation's internet (for the need of surveillance or updates) or the public internet, and are no longer effectively and permanently air gapped, including thermostats with internet connections and automobiles with Bluetooth, Wi-Fi and cellular phone connectivity.

Limitations

Limitations imposed on devices used in these environments may include a ban on wireless connections to or from the secure network, or similar restrictions on EM leakage from the secure network through the use of TEMPEST or a Faraday cage.

Despite a lack of direct connection to other systems, air-gapped networks have been shown to be vulnerable to attack in various circumstances.

Scientists in 2013 demonstrated the viability of air gap malware designed to defeat air gap isolation using acoustic signaling.^{[citation needed]} Shortly after that, network security researcher Dragos Ruiu's BadBIOS received press attention.^[14]

In 2014, researchers introduced AirHopper, a bifurcated attack pattern showing the feasibility of data exfiltration from an isolated computer to a nearby mobile phone, using FM frequency signals.^[8]^[9]

In 2015, BitWhisper, a covert signaling channel between air-gapped computers using thermal manipulations was introduced. BitWhisper supports bidirectional communication and requires no additional dedicated peripheral hardware.^[15]^[16]

Later in 2015, researchers introduced GSMem, a method for exfiltrating data from air-gapped computers over cellular frequencies. The transmission - generated by a standard internal bus - renders the computer into a small cellular transmitter antenna.^[17]^[18]

ProjectSauron malware discovered in 2016 demonstrates how an infected USB device can be used to remotely leak data off of an air-gapped computer. The malware remained undetected for 5 years and relied on hidden partitions on a USB drive not visible to Windows as a transport channel between the air-gapped computer and a computer connected to the internet, presumably as a way to share files between the two systems.^[19]

NFCdrip was the name given to the discovery of stealthy data exfiltration through NFC (Near-field communication) radio abuse and signal detection in 2018. Although NFC enables devices to establish effective communication by bringing them within a few centimeters of each other,^[20] researchers showed that it can be abused to transmit information at a much longer range than expected - up to 100 meters.^[21]

In general, malware can exploit various hardware combinations to leak sensitive information from air-gapped systems using "air-gap covert channels".^[22] These hardware combinations use a number of different media to bridge the air-gap, including: acoustic, light, seismic, magnetic, thermal, and radio-frequency.^[23]^[24]^[25]

Software updates

From a security perspective, the main drawback of an air gapped network is the inability of software to automatically self update. Users and system administrators must instead download and install updates manually. If a strict update routine is not followed, this results in out-of-date software running on the network, which may contain known security vulnerabilities. If an adversary manages to gain access to the air gapped network (for instance by contacting a disgruntled employee or using social engineering) they may be able to quickly spread within the air gapped network using such vulnerabilities with a possibly higher success rate than on the public Internet.

System administrators may manage software updates in an air gapped network using dedicated solutions such as Windows Server Update Services or network logon scripts. Such mechanisms would allow all computers on the air gapped network to automatically install updates after the system administrator downloads the updates from the Internet once. The problem is not completely eliminated though, especially if users have administrative privileges on their local workstations and are therefore able to install software which is not centrally managed. The presence of IoT devices requiring firmware updates can also complicate matters, since often such updates cannot be centrally managed.

References

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

[21]

[22]

[23]

[24]

[25]

Search