0

The air-gap system in question is a cryptocurrency vault system that is responsible for generating addresses and signing transactions while it keeps the sensitive information air-gapped.

[ Vault app ]  <====[QR]====> [ Wallet app]

Data to protect: Private keys and similar sensitive string values stored in memory, on air-gapped system.

Vault's app architecture:

Once the vault app's OS is shutdown, the entire state of the OS is reset. This happens by ejecting of the bootable media once the OS boots itself and is ready to run completely from RAM. Only when there is no storage medium available, the vault app runs and keys are typed into the program. It has no storage media to write information to. And when powered off, the RAM contents fade away fast. So for a successful attack, the entire process must happen in the same boot cycle.

Communication:

Now the data that needs to be communicated with vault is infrequent and is essentially small JSON payloads, QR codes seem to be a valid medium to communicate between the air-gapped and hot (connected to internet) system. After decoding information in QR code, it will be presented to the user for confirmation before proceeding to act on it.

As far as the hot system goes, it could be a mobile or a desktop that can be assumed as infected. What are the attack vectors I need to consider in my approach?

Threat #1 - Remote Code Execution

Since the vault opens up the webcam feed to seek QR code, one possible vector attack that I can imagine is to trick the vault's webcam (system driver) to execute some arbitrary code. Either by showing a malicious QR code that I cover in next threat (#2) or by some other means (background? screen flickering to show data that's not easily caught by human eye?)

The screen and cameras are not kept continuously in line of sight, so I can imagine the bandwidth constraint to transfer data works in favor of keeping the security tight.

Threat #2 - Replacement of QR code with another QR code

  • If a lot of data is being encoded in QR code, then visual inspection of QR code will give out a visual hint for the cautious user towards the fact that QR contain a lot more data than usual.
  • If its a swap of recipient address to another address (essentially hijacking the crypto transaction) then that can be ruled out by manual confirmation required from user by vault app & the user gets a chance to inspecting details before indicating the approval for signing of transaction.
  • If its not a JSON payload meant to be consumed by the vault app, and some other information, parsing that into JSON would fail and system can act accordingly. It could be meant to exploit an issue with how I decode QR code and parse that into JSON. Essentially the ability to execute some arbitrary code only, right?

And once a malicious program does reach the air-gapped system, it has no easy means of getting out, other than relying on the wallet app to scan QR code from vault app's screen.

I am aware of some proof of concept air-gap attacks, but I am setting this air-gapped vault app on a Raspberry Pi, so no networking hardware is available, no fans & no speakers.

Even if a model of Raspberry Pi which has networking hardware (WiFi & Bluetooth) was used, absence of the drivers would eliminate the possibility of leak of information, right? Though I understand its better to use the models that don't even have the networking hardware, but they are super hard to find. I was only able to find one for myself. Others wanting to have the same setup won't be in the same boat as me.

Would love to hear your thoughts on how secure this setup is :)

Ashfame
  • 101
  • 3
  • 1
    As I asked before: ***what's your threat scenario?*** What do you want to protect from? That's still not clear. Someone with physical access to the device? Or are you trying to harden the air-gapping? It still sounds like you are creating a solution and trying to find a problem. – schroeder Jun 16 '20 at 19:09
  • 1
    And your title doesn't match what you end up asking. "QR codes" aren't special. It's just a quick way of typing. And once you have to get user interaction to confirm (why??) then you already give the operator a lot of control, which makes your Threat #1 oddly focused. As I mentioned in your other question, stop focusing on the QR code and work on the input as a concept, even if it turns out the operator types it all out, because the threats will end up the same. – schroeder Jun 16 '20 at 19:13
  • Is a QR code (or other 2D barcode) with gpg/pgp signed data not sufficient? You could potentially encrypt the data as well and have the barcode represent the binary as base64. From the sound of it, you are trying to build something like this: https://en.wikipedia.org/wiki/Tempest_(codename) – dark_st3alth Jun 16 '20 at 19:17
  • @schroeder Wow, I have literally wasted 6 hrs trying to be very precise & provide enough context with examples and you are still throwing technical jargon at me. I don't know what you wish to know from me & why you hate QR codes so much. Let me ask you this - Are you familiar with the cryptocurrency and what's the sensitive bit of information here? And you must be familiar with the only disadvantage of air-gapped systems i.e. communication. – Ashfame Jun 16 '20 at 19:19
  • @schroeder If an operator can essentially type in the information from one computer to another, its a perfect world. No malware is going to jump across the system, but that's not practical, so we resort to some or the other means, hopefully to reduce the attack vector. If I can expect a user to type in random strings of 300 chars from one PC to another, I have achieved the perfect system but that's not practical. Hence I am relying on QR codes to pass that info. I don't need these to be encrypted. This info is not sensitive. I just don't need a malware jumping the air-gap and stealing keys – Ashfame Jun 16 '20 at 19:21
  • And yet you have not answered the very simple question I have asked: what problem are you trying to solve? – schroeder Jun 16 '20 at 19:22
  • @dark_st3alth QR code is simply a data wrapper, the data being passed isn't sensitive. Its the malware I want to avoid that can jump air-gap, steal the keys somehow on air-gapped system and then manage to jump back the air-gap and broadcast info back to malicious actor. – Ashfame Jun 16 '20 at 19:23
  • @schroeder Its right there, in the comments & in the question with a bold heading. I don't know what you are trying to ask here or being so adamant about processes that the actual purpose of the platform is lost. – Ashfame Jun 16 '20 at 19:25
  • 1
    It might be clear to you, but it is not clear in anything you've written. The problem here is that the question is unanswerable. I'm trying to get you define the question so it can be answered. "What's the attack vector?" can't be answered without understanding the threats and the context. If ***all*** you want is to protect the device from malware, then you have completely over-engineered the thing. I'm trying to understand what all the extra "stuff" is for. – schroeder Jun 16 '20 at 19:30
  • I think you misunderstand what an airgap does. It doesn't provide fool proof security as patches and data have to traverse the security barrier (in at least 1 direction if not both). This question isn't narrow and will likely invite low quality answers. Next you might be proclaiming that operations have to be done inside a Faraday cage: https://thehackernews.com/2020/05/air-gap-malware-power-speaker.html – dark_st3alth Jun 16 '20 at 19:30
  • @dark_st3alth I think you will find the answers to your concerns in the question itself. The air-gap system doesn't need not be to patched often since its essentially air-gapped and when the case does warrant it, there are ways to move the data securely. Trade off between security & convenience applies. But like you said for data traversal, if I could copy over the data by typing it manually, there is no attack vector in communication channel. QR code is essentially the convenience for usage but it opens up less attack vector than just plugging in a lan wire. Also, no speakers as mentioned. – Ashfame Jun 16 '20 at 19:35
  • 1
    Let's re-think the whole thing. Let's have an old Windows XP PC as the vault. You don't put in a network card. It's air-gapped. You now want some automation in transferring digital data. You use a USB stick. The stick is so infected that there's barely room for data. What do you imagine malware can do? Worst case, the malware is so customised, and the vault OS is somehow triggered into running code from the USB stick, that it can automatically seek out and copy data to save back to the stick. Then it has to run again when back on an internet-connected device. – schroeder Jun 16 '20 at 19:37
  • @dark_st3alth And most of the air-gap attacks I read about are proof of concept attacks. They are not widely spread & have only been used for targeted attacks. I would love to know if any air-gap attack is a threat for my use-case provided there is no network available, no fans & no speakers. – Ashfame Jun 16 '20 at 19:38
  • @schroeder Agree, and thankfully my use case doesn't require that big of payloads to & fro. Simple small payloads of strings, which is why using QR code provides convenience & limitation in terms of how much data can be passed unnoticed. I don't see a possibility of remote code execution or any such attack, which is why I am posting here to find out. – Ashfame Jun 16 '20 at 19:41
  • If that's your question, you have not asked ***that*** yet. That's a simple question. "Can QR codes be used to exploit a system?" The answer is all in the vulnerabilities in the program used to read it. https://security.stackexchange.com/questions/232712/qr-code-security-testing But then you are left with the problem of the data getting out, which is not going to be possible in an air-gapped system – schroeder Jun 16 '20 at 19:44
  • @schroeder Question's heading itself poses QR code as a communication medium for air-gap system and air-gap systems have only 1 problem - safe data transfer. Anyway, now you have your question in a format you wished to have, do let me know if you have anything to add in regards to that. – Ashfame Jun 16 '20 at 19:48
  • @schroeder Yes, that's what I detailed in my question, if you read it again. I just wish to know if there are more attack vectors to consider here. Data is moved out of air-gap system via QR code again. – Ashfame Jun 16 '20 at 19:50
  • You are proposing such an unlikely scenario that the "attack vectors" are highly imaginative. If you are wanting to protect the transfer process via QR in case there is an exploit, then just display the text from the QR code before processing it for review (or if possible, run a validator on the text). As for "and what are all the ***other*** things that could go wrong?" that expands the question to be much broader than your stated scope. Please refine the question and include the threats you are concerned about. – schroeder Jun 17 '20 at 07:24

0 Answers0