The idea of an “air gap” security attack, in which the gap of air between a pair of devices can be used to transmit a sound that controls a device, sounds like something out of science fiction. Yet this past week consulting firm Include Security publicly demonstrated a potential air gap attack at the ShmooCon conference.
Erik Cabetas, managing partner, Include Security, explained to eSecurity Planet that his group used a pair of commodity Dell notebook computers in an attempt to implement a proof-of-concept air gap type of attack. The idea was to see if it would be possible to demonstrate a form of high-frequency audio exfiltration attack.
In the demonstration, Cabetas sent an audio signal at 22 kHz out of the notebook’s regular speakers. That signal was then picked up by the microphone on the second notebook. The audio program that was sent from one device to the other was not a malicious one; it simply displayed a message on the receiving PC.
Cabetas said the proof of concept was written in the open-source Python language and is operating system agnostic, meaning it could potentially work on any system.
In one of the recent disclosures about NSA activities, it was revealed that the U.S. government has the ability to exfiltrate data over long distances via radio waves. Cabetas stressed that his research is somewhat different, in that he’s not using radio waves and is dealing with short range distances.
Data Center Implications
While Cabetas’ research is only a proof of concept, it presents a number of real implications for data center security. Since air gap attacks are theoretically possible, it should no longer be considered safe to physically locate a machine that has confidential content access next to a machine that does not have the same access.
Cabetas, who has done some contracting work for sensitive installations, said he has seen machines with top secret access next to those that have less access. Given the proven potential of an air gap attack, that type of deployment should not be considered safe today.
Network-based defenses such as data loss prevention (DLP) technology might not be able to detect an air gap attack, since the attack is being sent as audio over a system’s speaker. Disabling speakers and microphones on systems in sensitive environments, however, is one possible simple solution that can limit the risk of an air gap attack.
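Because network DLP does not see this channel, one complementary check is to monitor a room microphone for a steady narrowband tone in the near-ultrasonic band. The sketch below is an added example, not code from Include Security's proof of concept or from this article; it scans 18 to 23.5 kHz rather than only the 22 kHz used in the demonstration, and the 48 kHz capture rate, frame size, thresholds and sample input are all assumptions.

```python
import math
import random
import statistics

RATE = 48_000                        # assumed capture rate (Nyquist 24 kHz)
FRAME = 4_800                        # 100 ms frames, i.e. 10 Hz bins
PROBES = range(18_000, 24_000, 500)  # near-ultrasonic band, includes 22 kHz
MIN_POWER = 1e-4                     # assumed absolute floor (full scale = 1.0)
MIN_RATIO_DB = 20.0                  # assumed margin over the band's median

def goertzel_power(frame, freq_hz):
    """Mean-square level of one frequency component (Goertzel algorithm)."""
    n = len(frame)
    k = round(n * freq_hz / RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return 2.0 * (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (n * n)

def find_carriers(samples):
    """Return (frame_index, freq_hz, db_over_median) for each flagged frame."""
    hits = []
    for i in range(len(samples) // FRAME):
        frame = samples[i * FRAME:(i + 1) * FRAME]
        power = {f: goertzel_power(frame, f) for f in PROBES}
        peak = max(power, key=power.get)
        if power[peak] < MIN_POWER:          # too quiet (covers digital silence)
            continue
        others = [p for f, p in power.items() if f != peak]
        floor = max(statistics.median(others), 1e-15)
        ratio_db = 10.0 * math.log10(power[peak] / floor)
        if ratio_db >= MIN_RATIO_DB:         # tone stands out from the band
            hits.append((i, peak, round(ratio_db, 1)))
    return hits

def constructed_capture():
    """Constructed input: 3 frames of room noise, 22 kHz tone in frame 1 only."""
    rng = random.Random(1)
    out = []
    for t in range(3 * FRAME):
        x = rng.gauss(0.0, 0.05)
        if FRAME <= t < 2 * FRAME:
            x += 0.1 * math.sin(2.0 * math.pi * 22_000 * t / RATE)
        out.append(x)
    return out

if __name__ == "__main__":
    for frame, freq, db in find_carriers(constructed_capture()):
        print(f"frame {frame}: carrier near {freq} Hz, {db} dB over band median")
```

A capture taken below roughly 44.1 kHz cannot represent a 22 kHz tone at all, so the recording rate has to be confirmed before an empty result is treated as clean.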
Looking forward, Cabetas said that he’s looking at improving the demonstration and the tools to test for air gap weaknesses. He may also contribute code to the open-source Metasploit Project to enable others to test it as well.
Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.