that is not what an air gap is. if at any time there is an exchange of data between the air gapped hosts/network and a non air gapped one, there is no air gap anymore. and yes, that includes an analyst taking a sample to an internet-connected host.
side channel exfiltration techniques like "fansmitter"[1] and "diskfiltration"[2] or the well known TEMPEST attacks are more interesting challenges in air gapped designs than relying on a very basic security boundary violation. (and solved in very much the same way, by having the secure terminals be as dumb as bricks as possible, with extremely limited known inputs and outputs, preventing the insertion of unclassified electronics in the secure zone through policy, and enforcing it through physical searches, RF hardening the zone with a faraday cage, absence of windows, etc... the "Technical Specifications for Construction and Management of Sensitive Compartmented Information Facilities"[3] is a great ressource for those interested in such designs)
incidentally, there are awfully little true air gapped networks (which are not ICSes and/or assorted single purpose hosts/networks whose absence of network connectivity is not a primary design feature) in the wild. they're operationally heavy precisely because of their nature, and outside of very specific situations, their security is not perceived as cost efficient by management, for good reasons.
I think looking at operational issue with air gaps is much more interesting than TEMPEST attacks which require physical proximity to execute. If someone has gone to the trouble of air gapping their network, they almost certainly have physical security.
you'd be surprised.
when specifications get passed around in the endless maze of defense affiliated sub contractors and sub sub contractors, they may be implemented in all kind of creative ways.
and i entirely agree that the operational issues of enforcing the air gap are by far the most challenging cost in this kind of environment.
the culture of business environments is by and large ill suited to the kind of strict enforcement these environment require.
if RF leaks are part of your threat model, then i would definitely not class them as "proximity attacks". without adequate shielding, antenna black magic and a rented apartment on the other side of the street work perfectly well to capture signals of interest.
absolutely. raising the noise floor would make it harder for the adversary to pick up valuable signals. but why bother with complicated jamming setups that require you to cover a very wide spectrum, at high power, while taking care of not interfering with your own equipments, and still have signals going out that with sufficient means and motivation, a sophisticated attacker may still intercept (we're pretty good at extracting valuable signals from noise) when you can just put on your RFP to stick the lot in a faraday cage, use optical connectivity inside it, forbid wireless HIDs, buy shielded monitors and shielded phones, and put a couple of scary bald men in front of the door.
By that definition there's no such thing as an airgapped computer, unless you are talking about computers created by an alien civilization that arose in another galaxy from an independent origin of life. The useful definition of the term, the one that has a nonempty set as referent, is where there isn't a continuous network connection, and human intervention is required for physical transport of each sample of data.
air gapping removes connectivity to the wider world, and a computer system (as in, a system of computers) can totally have value without being connected to anything that is outside of the organization.
no need to resort to hyperbolic alien computers that are anyway easily hacked by plucky heroes with a taste for ascii skulls.
you're correct in that of course we may want to insert and retrieve data from a secure zone. but when those types of systems are necessary, "manual human intervention" is far too blurry. manual data entry/retrieval by vetted people ? a HUMINT problem the organizations that tend to require those systems are familiar with, and have adequate procedures to deal with. same with printouts and assorted "low tech" issues. inserting a USB key and ensuring that the whole chain doesn't compromise your very valuable system is a far more complex problem that you probably do not want to deal with if you can avoid it. there is a reason the "usb gadget give away" and "lost usb key in the parking lot" are a staple of flashy pentests demos. it works remarkably well, and is remarkably hard to defend against without enacting procedures that make the life very much harder on everyone. (try suggesting epoxying the USB ports of every single computer and servers in a medium to large company to its CISO)
like another commenter remarked. it is truly the operational challenges of ensuring your system says properly isolated from the rest of the world that are hard to deal with. cutting a cable is definitely not the end of it.
i'm sure people that deal with high assurance environments and are more qualified than i am to answer specifics have their share of stories of creatively compromised isolated environments.
19 comments
[ 1.9 ms ] story [ 49.9 ms ] threadside channel exfiltration techniques like "fansmitter"[1] and "diskfiltration"[2] or the well known TEMPEST attacks are more interesting challenges in air gapped designs than relying on a very basic security boundary violation. (and solved in very much the same way, by having the secure terminals be as dumb as bricks as possible, with extremely limited known inputs and outputs, preventing the insertion of unclassified electronics in the secure zone through policy, and enforcing it through physical searches, RF hardening the zone with a faraday cage, absence of windows, etc... the "Technical Specifications for Construction and Management of Sensitive Compartmented Information Facilities"[3] is a great ressource for those interested in such designs)
incidentally, there are awfully little true air gapped networks (which are not ICSes and/or assorted single purpose hosts/networks whose absence of network connectivity is not a primary design feature) in the wild. they're operationally heavy precisely because of their nature, and outside of very specific situations, their security is not perceived as cost efficient by management, for good reasons.
[1]https://arxiv.org/abs/1606.05915 [2]https://arxiv.org/abs/1608.03431 [3]https://fas.org/irp/dni/icd/ics-705-ts.pdf
Submitters: please read the HN guidelines, which ask you to use the original title, unless it is misleading or linkbait.
if RF leaks are part of your threat model, then i would definitely not class them as "proximity attacks". without adequate shielding, antenna black magic and a rented apartment on the other side of the street work perfectly well to capture signals of interest.
no need to resort to hyperbolic alien computers that are anyway easily hacked by plucky heroes with a taste for ascii skulls.
you're correct in that of course we may want to insert and retrieve data from a secure zone. but when those types of systems are necessary, "manual human intervention" is far too blurry. manual data entry/retrieval by vetted people ? a HUMINT problem the organizations that tend to require those systems are familiar with, and have adequate procedures to deal with. same with printouts and assorted "low tech" issues. inserting a USB key and ensuring that the whole chain doesn't compromise your very valuable system is a far more complex problem that you probably do not want to deal with if you can avoid it. there is a reason the "usb gadget give away" and "lost usb key in the parking lot" are a staple of flashy pentests demos. it works remarkably well, and is remarkably hard to defend against without enacting procedures that make the life very much harder on everyone. (try suggesting epoxying the USB ports of every single computer and servers in a medium to large company to its CISO)
like another commenter remarked. it is truly the operational challenges of ensuring your system says properly isolated from the rest of the world that are hard to deal with. cutting a cable is definitely not the end of it. i'm sure people that deal with high assurance environments and are more qualified than i am to answer specifics have their share of stories of creatively compromised isolated environments.
Leaking Data through Firewalls using Cloud AV.
Or original:
The Adventures of AV and the Leaky Sandbox
Mine is more descriptive.