
The basic question is in the title; there are more questions below, but they are in the context of the question in the title... hopefully.

What I have read is that an air-gapped PC can be eavesdropped on via

  • acoustic
  • light
  • seismic
  • magnetic
  • thermal
  • radio-frequency
  • physical media

I also read that it can receive data, but only if it has already been infested with malicious code, so that it has a kind of receiver on it to communicate. https://arxiv.org/abs/1804.04014 (PowerHammer): "In this case, a malicious code running on a compromised computer"

But what if the air-gapped PC has no malicious code on it and is completely factory clean? Apart from trusting all the factories involved in the whole process of building that PC, apart from sneakernet updates/patches (I probably have to do that at some point, but that is irrelevant), apart from all physical attacks.

I mean it more like: is it possible, with a known air-gap attack (executing code on the victim's air-gapped PC via magnetic, thermal etc., not eavesdropping), even though, again, there is no receiver (malicious code) on it? If I'm not wrong, to communicate there always has to be a transmitter and a receiver?

I am just wondering because of PC components like WLAN cards: do they have to be removed at the hardware level, or can they still be there without worries? Can code just jump onto the invisible WLAN signal even though there is theoretically no signal, because software-wise everything is turned off or not installed (the hardware WLAN card is there but not used)?

net ist
  • There are many forms of input, so there are tons of ways of it 'receiving data'. Does the target machine ever receive patches/software updates? Are portable storage devices ever taken onto site and plugged in? Can hardware be trusted (e.g. BadUSB-type attack)? Couldn't an attacker physically access the machine? Also, how 'air-gapped' is it? You mention a network; there could be some vulnerability somewhere that allows an attacker to intercept a request and response. –  Jun 06 '18 at 09:57
  • Just want to point out that an attack doesn't necessarily involve code execution on your PC. Reading any data from your display via an RF channel is an attack as well. – Alice Jun 06 '18 at 14:04
  • The link you provided was a really interesting read. – Joss Bird Jun 07 '18 at 13:25
  • Seismic? That's... interesting. – forest Jun 08 '18 at 00:18

1 Answer


Attacks on air-gapped computers will only work after the computer is compromised. They are used to leak information from the infected computer, not as a covert channel to remotely control the computer.

An air-gapped computer without any communications device active (no Wi-Fi or Bluetooth, no Ethernet cable connected) and without access to removable storage is pretty secure.

Code cannot magically jump inside the computer; it must be received somehow. If you exclude networking and removable storage, and no physical attack occurs (like someone typing malicious code in by hand), the computer will remain clean.

I would remove Wi-Fi and Bluetooth, as they could be used if there is any exploit capable of attacking the radio subsystem. The probability is low, but not zero.

ThoriumBR
  • `Attacks on airgapped computers will only work after the computer is compromised`. Not true. The OP, himself, gave examples of vulnerabilities along the lines of side-channels in his question that don't involve the compromise of a machine. –  Jun 07 '18 at 13:55
  • @JᴀʏMᴇᴇ Could you give an example of an attack on an air-gapped computer without a malicious component installed on it? – ThoriumBR Jun 07 '18 at 15:01
  • Yes. Please look into 'side channel attack' whereby the computer inadvertently provides a listener, of sorts, with too much information as a result of performing a task. https://www.wired.com/2014/11/airhopper-hack/ –  Jun 07 '18 at 15:18
  • According to the article: "researchers in Israel have developed malware that exploits this vulnerability by generating radio signals". So, they had to create a malware. It won't work without previous compromise. – ThoriumBR Jun 07 '18 at 19:14
  • 1
    @JᴀʏMᴇᴇ OP is asking about running malicious code on an airgapped computer. Side-channel attacks are a different class of vulnerability. – forest Jun 08 '18 at 00:20
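The answer's last paragraph recommends removing Wi-Fi and Bluetooth hardware outright. For a card that cannot be pulled, the next best thing on Linux is to make sure the host kernel never binds a driver to it. The script below is an added example, not part of ThoriumBR's answer or the original question: it scans `lsmod`-format output for radio drivers and emits a `/etc/modprobe.d` fragment that blacklists them. The module list is an illustrative assumption (it is not a complete inventory of every wireless driver in the kernel), and the sample `lsmod` output is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example: audit a Linux host for loaded Wi-Fi/Bluetooth drivers and
# generate a modprobe blacklist so they are never loaded again.
# RADIO_MODULES is an assumption for illustration, not an exhaustive list.

RADIO_MODULES="cfg80211 mac80211 iwlwifi iwlmvm ath9k ath10k_pci rtw88_pci brcmfmac bluetooth btusb btintel"

# loaded_radio_modules: read lsmod output on stdin, print (one per line, in
# lsmod order) every loaded module whose name appears in RADIO_MODULES.
loaded_radio_modules() {
    awk -v list="$RADIO_MODULES" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        NR > 1 && ($1 in want) { print $1 }'
}

# radio_count: number of loaded radio modules in lsmod-format text on stdin.
radio_count() {
    loaded_radio_modules | wc -l | tr -d ' '
}

# blacklist_config: print a /etc/modprobe.d fragment for the given modules.
# "blacklist" only stops automatic loading by device alias; the "install"
# line also defeats an explicit `modprobe <name>`, which is what we want here.
blacklist_config() {
    for m in "$@"; do
        printf 'blacklist %s\n' "$m"
        printf 'install %s /bin/false\n' "$m"
    done
}

# Constructed sample lsmod output (not from a real machine): a laptop whose
# Intel Wi-Fi card and USB Bluetooth controller are still driven by the kernel.
SAMPLE_LSMOD='Module                  Size  Used by
iwlmvm                450560  0
iwlwifi               327680  1 iwlmvm
cfg80211              983040  2 iwlmvm,iwlwifi
btusb                  65536  0
bluetooth             655360  2 btusb
e1000e                286720  0
xhci_pci               24576  0'

# Demo on the constructed sample. On a real host: lsmod | loaded_radio_modules
echo "Loaded radio modules in sample:"
printf '%s\n' "$SAMPLE_LSMOD" | loaded_radio_modules
echo
echo "Suggested /etc/modprobe.d/airgap-no-radio.conf:"
blacklist_config $(printf '%s\n' "$SAMPLE_LSMOD" | loaded_radio_modules)
```

Write the generated fragment to `/etc/modprobe.d/`, rebuild the initramfs if the driver is loaded early, and reboot; `lsmod | loaded_radio_modules` should then print nothing, and `rfkill list` (if installed) should show no wireless devices. A software blacklist is a fallback, not a substitute for the answer's advice: the card stays powered and its own firmware keeps running, so physically removing it is still the stronger option.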