8

I recently read over Bruce Schneier's article on setting up an air-gapped computer and am looking to improve my setup (compared to my current "use one Windows PC for everything" model). The main threat I want to protect against is getting hit with malware via a drive-by-download or e-mail attachment...and then having that malware send off sensitive data from my computer to hackers. I have a plan in my head and am hoping to get some feedback on it.

Note: I am looking only for security against remote attackers, not against people breaking into my house, attacking my WiFi network with a van full of antennas, etc. Also, anonymity is not a goal for me.

My plan is: Buy 2 new laptops. One will become the air-gapped machine and one will become the networked machine (used for web browsing, logging into e-mail servers, online banking, chat software, etc). Buy cheap ones that only have WiFi, and no cellular or bluetooth cards.

Air-gapped laptop setup:

  1. Before turning it on, open up the case and take out the WiFi card. Tape over the web cam.
  2. Install a linux distro via a DVD I've already burned (yes, I plan on going through the process of verifying the signature on the ISO and all that).
  3. Connect via ethernet to my router so I can get to the internet long enough to a) run the software updater and b) install gnupg2 and keepassx via apt-get.
  4. Disconnect it from ethernet and never connect to a network again.
  5. Generate a PGP key pair.
  6. Generate and store new strong passwords for my various web sites / e-mail accounts using keepassx.

Networked laptop setup:

  1. Tape up the web cam.
  2. Install the same linux distro via the DVD.
  3. Run the software updater.
  4. Install VirtualBox.
  5. Set up a linux VM and run the software updater on that.
  6. Try to harden the Firefox verison on the VM by tamping down the settings, installing NoScript, HTTPS Everywhere, etc.
  7. Take a snapshot of the VM.

Web browsing:

  1. Only browse the web using the VM (not the host OS).
  2. After each switch in context (from online banking to security research to personal e-mailing etc.) restore the VM to its last good snapshot.
  3. Run the software updater on the snapshot periodically and store that as the new good snapshot.

E-mailing:

  1. Use networked machine to retrieve people's public keys. Burn them to CD. Transfer CD to air-gapped machine. Compose and encrypt e-mails on air-gapped machine. Burn to CD and transfer to networked machine to send.
  2. When reading e-mails, use networked machine to retrieve the e-mails from servers and save them to text files. Burn the text files to CD and transfer to the air-gapped machine for decryption. Then repeat from step 1.

Important note: The only tasks that should be performed on the host OS on the networked machine would be:

  1. Running the software updater
  2. Running VirtualBox
  3. Transfering files to/from the virtual machine via the shared folder VirtualBox feature
  4. Burning CDs to be used by the air-gapped machine and reading CDs burned by the air-gapped machine.

My questions:

  1. Is there any particular linux distrubution that would be more resistant to malware coming from drive-by downloads or attachments?
  2. Are there known instances of malware tampering with the CD-burning process on a networked linux machine such that it can pass the infection to an airgapped linux machine? I realize that an infected air-gapped machine can burn extra data onto a CD (to be read later by malware on the networked machine). But my concern is specifically how malware might infect an air-gapped linux machine via a CD. Windows has its AutoRun vulnerabilities when a DVD or USB stick is inserted, but does linux have something simlar?
  3. In general, are there missing pieces to my plan or things that could be improved?

Thanks in advance!

Ralph P
  • 283
  • 1
  • 2
  • 8
  • 4
    You may wish to look at the [Qubes OS](https://en.wikipedia.org/wiki/Qubes_OS). It implements much of what you are looking to do on your networked laptop in a more user-friendly manner than having to always run VMs. – Neil Smithline May 22 '16 at 22:03
  • 5
    BTW, unless you know the NSA is after you, this is likely quite extreme – Neil Smithline May 22 '16 at 22:36
  • Thank you Neil, I actually have been playing around with Qubes but so far have been having lots of stability problems. – Ralph P May 22 '16 at 23:58
  • yeah Qubes is still rather young. That means that it's security hasn't been well tested. But I'm generally attracted to its design – Neil Smithline May 23 '16 at 00:00
  • 1
    @RalphP: I also believe that unless you are handling extremely important information, your setup is just too much. Complexity won't necessarily improve security. One suggestion is: Instead of the "air-gapped" laptop, I think it would be more convenient to get a Raspberry PI-like board. Most of them comes without Wifi and without camera (so you can skip those steps). Also remember that you need to keep updating both devices plus the VirtualBox or you are increasing your security risk by using outdated software. – lepe May 23 '16 at 01:04
  • 1
    Damn, you sure are paranoid. – nikhil May 23 '16 at 21:31
  • Additionally, Qubes uses Xen which is... not ideal. – forest Mar 31 '18 at 03:14

5 Answers5

11

I will focus only on some problems with your approach:

  • The insecure system writes the CD and thus can tamper with both the data on the CD but also with the format of the CD, i.e. the file system.
  • This CD is then read by the secure (air-gapped) system and mounted there. Mounting is done inside the kernel (i.e. system level access) and there were bugs in the past in this area.
  • It does not matter if there is existing malware which hijacks this process. With your setup you are aiming more in the area of defending aganst targeted attacks and there it only counts if such malware could be developed. And I think this should not be too hard.

Also, while you encrypt outgoing mails on the air-gapped machine you need to decrypt incoming mails on the insecure machines, because otherwise you could not transform these to plain text like you want. This means that the decrypted and probably sensitive information are available on the insecure machine. If you instead transfer the encrypted incoming mails to the air-gapped machine you then have to deal with (possible malicious) attachments there.

And, while product recommendations are off-topic (but you requested these): I would not recommend any general purpose Linux distribution. Go at least for something hardened with Grsecurity or just go with OpenBSD. They are more focused on security by design and on security in depth than Linux is.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • @Stephen: Thanks. 1. Despite the vulnerabilities, would you consider using CDs to transfer a security improvement over using USB sticks? I am thinking more people probably use USB to transfer now, and so there are more USB exploits already in the wild. Not saying the CD process is secure, just maybe more annoying to attack...causing an attacker to reevaluate expense versus benefit. 2) Could you recommend a more secure transfer process than USB or CD? 3) TAILS and Whonix are debian-based and Qubes uses Fedora as default template. Why do you think these "security" projects don't use OpenBSD? – Ralph P May 22 '16 at 23:53
  • @RalphP: 1.) Tricky, but with USB you would have at least no access to the file system layout from user space, unless the insecure system is more deeply compromised. But on the other hand USB-Sticks are too flexible ("Bad-USB"). 2.) With SD-Cards you would have at least not the problem of Bad-USB although they might still be programmed. Maybe old floppy disc? 3.) Platform support. Linux runs on most systems without much problems today, OpenBSD not or not optimal. – Steffen Ullrich May 23 '16 at 04:20
  • @ Steffen1. To me, USB is the least desirable for 2 reasons: a) "Bad-USB" exploits, b) USB is probably the most common way the "average Joe" transfers files to/from airgapped machines, and thus an attacker probably already has a number of exploits in his toolbox to target USB transfers. 2. Regarding decryption, that would always be done on the airgapped machine. I would never transfer my private key off that machine. 3. Would OpenBSD on the airgapped machine (instead of linux) better protect against the 2 attacks you mentioned: a) Malformed cdrom filesystem data, b) e-mail attachments? – Ralph P May 24 '16 at 02:03
  • @RalphP: it is not really clear what kind of attacker you want to prevent and what capabilities you assume. For an average attacker air-gapping is probably overkill and more comfortable solutions of separation exist (i.e. using multiple VM, Qubes...). But yet you assume that the attacker only uses common exploits. VM/Qubes with a tightly controlled data exchange have even the advantage that you don't need to care about all this CD vs. USB vs. whatever stuff. As for OpenBSD a) probably yes, b) maybe a bit but not much. – Steffen Ullrich May 24 '16 at 04:45
2

You can use amodem ( https://github.com/romanz/amodem ) in lieu of write-once media. It is quite fast on shielded audio cable. Works on RF too, but that's not your need. Only send from the gate computer, and only receive on the gapped computer. When necessary, switch this around.

Avoid file formats that can be naughty (most media files), and only use archives for which you have valid GPG/PGP signatures on the gapped computer. Don't run amodem as a privileged user, run it as a user specially created for that program only.

Amodem itself is manageable to compile with a few hardening tricks (I'm no expert), but at least static, PIE, and add some grsec/PaX and apparmor control. If really serious, drop it in a chroot with only the absolutely necessary devices in /dev. In simplex operation, it cannot leak data back to the sending computer.

user2497
  • 580
  • 2
  • 7
2

There is one major flaw in your system: Physical security. Your air-gapped machine is only secure as long as you have it in your sight. If you EVER leave it alone someone can break in, install whatever they like and leave again with you none the wiser. Air-gapped machines in alphabet soup agencies are under constant surveillance. The best thing you could do is NEVER let anyone know you had an air-gapped computer which you have already told to the whole world... sorry pal it's already over for you...

Todd Cunningham
  • 21
  • 1
0

Your method is quite secure, but if a directed attacker really wanted to get at your air gaped computer they might be able to. Assume that complete remote access is obtained on the Internet connected computer. Whatever you write to the optical media will be monitored by your attacker. Any executable files that you put on it could be infected with malware. If you don't put any executable files on it, then the attacker might be able to find an exploit for things like media files and other documents burned to the media. Exploiting a flaw in the filesystem used on the media may also be attempted. Any open source software that is to be compiled on the air gaped computer could have extra code added to it.

Once your air gaped computer becomes infected, an automated scanner would look for anything interesting and write it back to the optical media. So you would have to throw away the media after each use or use a read only drive and not plan on copying files off of that system. The nice thing is that in the extremely unlikely event that such a thing happened, you would have a permanent copy of the exploit used on the media.

There is really no need to cover up the webcam on the air gaped computer. Also, IrDA is a fairly secure way to transfer files if you're willing to compromise your air gap a little and you need bidirectional file transfers.

Alex Cannon
  • 402
  • 2
  • 7
-1

Back in the early days of compact disk media there was a strategy called WORM. Write Once Read Many. This is not exactly airgaped but as soon as you install an OS from a non-commercial entity or you start applying updates over a network, wired or wireless, the system is exposed.

Anyway this leads into off topic areas.

Richard
  • 137
  • 3