7

The following statement is made on the Qubes website:

Malware which can bridge air gaps has existed for several years now and is becoming increasingly common.

Can someone provide an example of Malware that can bridge air gaps? Are they talking about a virus on a thumb-drive or something more insidious that I am as of yet unaware of?

Have there been any proof of instances where these practices have been used outside of a lab environment?

CaffeineAddiction
  • Seems to be a Wikipedia article on the subject: https://en.m.wikipedia.org/wiki/Air_gap_malware – Awn Feb 15 '17 at 07:45
  • You know, I am rather ashamed I did not find that on my own ... but then again the idea of googling for malware didn't seem like a good idea at the time. – CaffeineAddiction Feb 15 '17 at 07:56
  • "increasingly common" is a gross overstatement - new forms are being invented, sure, but *common*? [citation needed] – schroeder Feb 15 '17 at 08:06
  • Chapter 5 of the thesis linked (ref 1) from the Wikipedia article seems like a good place to start. – Chris H Feb 15 '17 at 09:14
  • @ChrisH ok, but the question is if there have been instances outside the lab environment. Chapter 5 seems to be a theoretical survey, not a survey of things in the wild. – schroeder Feb 15 '17 at 09:38
  • @schroeder, the question is only partly related to "instances outside the lab." The OP asks two other questions. – user2768 Feb 15 '17 at 09:39
  • @schroeder even accepting that the main question is the last question (which I don't) a literature survey of proofs-of-principle is a good place to *start* -- by introducing terminology and pointing to papers which have a good chance of leading to a citation trail – Chris H Feb 15 '17 at 09:41
  • @ChrisH The crux of the Qubes quote is the "commonality" of the malware. So, the quote and the last question provide context for the other questions. – schroeder Feb 15 '17 at 09:44

3 Answers

4

There are many aspects of malware that may be considered to bridge air gaps. But it is important to note that it isn't very common 'in the wild'. There aren't many examples of this being done in the real world, and it is mostly an academic demonstration of concepts.

To name two:

  1. Infection through physical access - Like you said, thumb-drives are a well-known method to infect machines with malware. Also pretty common are HID attacks that can inject a malicious payload that loads malware onto the machine, DMA attacks using DMA-enabled physical devices, and more...
  2. Air gapped data exfiltration - see here and here for examples. These are methods of extracting data from air gapped machines using side channels.
MiaoHatola
3

There exist quite a few such examples.

In all these cases, the air-gapped machine must be infected beforehand, otherwise the "bridge" won't be built.

Some examples are using speakers to transmit signals via sound, or changing the speed of the fans (which produce a slightly different sound at different speeds). In such cases a "listening" machine must be present within a short range.

Those were demonstrated in controlled environments - I have never heard of such "real" attacks, which are quite James-Bond-esque, but one could suppose they are indeed used by well-funded parties.

Edit: you might be interested in the concept of Interdiction - this technique is a great candidate to ship a pre-infected air-gapped machine, and some governments apparently like it ;)

niilzon
  • I'm not sure about *all* such cases: Malware running [acoustic cryptanalysis](https://en.wikipedia.org/wiki/Acoustic_cryptanalysis) on a user's smartphone could be used to harvest typed text despite an airgap, for example. – Chris H Feb 15 '17 at 09:16
  • The question is if there are examples outside the lab environment, not "what are the types?" – schroeder Feb 15 '17 at 09:32
-1

Mordechai Guri and Yuval Elovici showed how "two physically adjacent and compromised computers [can bridge the air-gap] using their heat emissions and built-in thermal sensors to communicate" (source: The Register). They presented their results at an academic conference. And posted a video demonstration on YouTube.

user2768
  • The question was if there was evidence outside of a lab environment ... – schroeder Feb 15 '17 at 09:31
  • @schroeder, three questions were asked, not one. I have answered the first, that should be implicit from my answer. The second question is subjective. Nonetheless, the above links will probably provide the OP with sufficient information that enables them to derive a suitable answer. Finally, I hope that the references provided will provide sufficient information to answer the third question. Presumably the down vote is yours, I find it unjustified. (And it makes me wonder why I bother to "contribute".) – user2768 Feb 15 '17 at 09:36
  • The last question provides context for the first two, as does the Qubes quote. A downvote simply means "unhelpful". Without addressing the last question and the "commonality", a long list of possible, theoretical malware is "unhelpful". That's all. It's not a personal attack. – schroeder Feb 15 '17 at 09:42
  • I did not suggest you are personally attacking me. You have decided that the question is mainly about the last part. That decision is subjective. Only the OP knows what they really wanted to find out. Given that the OP explicitly requested "examples", presumably theoretical examples are useful. Especially as theory can be turned into practice. – user2768 Feb 15 '17 at 09:45
  • The last question was added after the comment by Eclipse regarding the wiki article of examples of such malware. That appears to support my claim that the question is weighted towards the examples outside the lab environment. He has examples of theoretical attacks. – schroeder Feb 15 '17 at 09:56