Air gaps: Happy gas for infosec or a noble but inert idea?

Spooks and boffins jump 'em, but real-world headwinds remain strong

Rube Goldberg machines?

It is difficult to say how many of the publicly reported air gap attacks will work outside a lab. Latter's attack and Sikorski's malware certainly did, as did those of the NSA, which a year ago was found to have built systems capable of stealing data from air-gapped machines that had a malicious USB device attached. That thumb stick shouted out to an NSA spy some 13 kilometres away using a "covert radio frequency".

Yet some demonstrated attacks will fall over in messy real-world scenarios where conditions are imperfect and dynamic. "While this type of research excites a lot of interest, the realities are often impractical and rely on too many variables to yield viable results," says Symantec's John-Paul Power, who recently reviewed the potential real-world impact of air gap attacks and found many to be largely complex and a preserve of dedicated criminals or cashed-up nation-states.

"Put simply, the fact that an organisation has an air-gapped network in place suggests that it's likely to represent a high-value target. As such, any organisation with an air-gapped network will probably be aware of the fact that there are ways to breach these gaps, however unlikely some of them are," Power says. "The main targets will be small pieces of data, such as login credentials and encryption keys that will allow hackers to breach confidential information."

Get physical

The art of air gap defence seems to come down to smart physical security that keeps unauthorised staff away from highly sensitive areas and banishes removable devices where these attack scenarios pose a sufficient risk.

Sikorski has clients who have poured glue into their USB device slots, a measure which he says is a reasonable, if not irreversible, idea. "That's pretty good defence if your machine is unplugged from the internet and you can't plug things into it," he says. "If the slots are open then you can give the devices to the cleaning crew or whoever might plug these things in for you."

Physical security requirements become more difficult to meet in remote office scenarios where systems such as closed circuit TV and security guards may be far weaker than at headquarters. Controls like door security checks, human guards, and war rooms were in place at high-security entities and went some way to keeping air gap systems safe. But maintaining this consistency could be difficult when organisations had distributed offices that may not shell out for the same baseline of physical security.

"Effective physical controls will minimise attacks on air-gapped systems, and they don't need to be onerous," Latter says, adding that enterprises accordingly should move away from weak reactive legal, contractual and technical controls and reinstate physical security. "If I bleated out one DTMF tone per second for 20 minutes in the cube next to yours, wouldn't you tap me on the shoulder?"

Risk tolerance is critical, he says. Latter worked with his client organisations to articulate whether there was an amount of data they were prepared to lose before a proper security discussion could take place.

It isn't all physical, however. Organisations should implement security controls on air gap machines as if they were connected to the internet, a move Sikorski and Dudu say could help knock out some of the laboratory attacks.

In 1973 MIT professor Butler Lampson conceded that the cost of consistently closing off covert channels like those a well-resourced attacker may use could be so high that data leakage was inevitable. That seems more true today than ever, and unless the threats to separated machines are fully understood and acted upon, security will remain as thin as a few feet of air. ®

The image at the top of the page is a piece of art called "Digital Montage Number 2" - a floppy disk painting by Nick Gentry. It's licensed under Creative Commons 3.0.
