DeepSec 2015 Talk: Bridging the Air-Gap: Data Exfiltration from Air-Gap Networks – Mordechai Guri & Yisroel Mirsky

Air does not conduct electricity, usually. Using air gaps between parts transporting electric power at high voltages is a standard method in electrical engineering. Similar strategies are used in information security. Compartmentalisation can be done by network components, logical/physical separation, solid walls, and space filled with air. The only threats you have to worry about are wireless transmissions. Since mobile phone networks permeate our private and business life, access to wireless networks is everywhere. Unless you live in a cave, literally. Mordechai Guri and Yisroel Mirsky have found a way to use cellular frequencies as a carrier in order to transport data out of an air-gapped environment. They will present their results at DeepSec 2015.

Air-gapped networks are isolated, separated both logically and physically from public networks. Although the feasibility of invading such systems has been demonstrated in recent years, exfiltration of data from air-gapped networks is still a challenging task. In this talk we present GSMem, a malware that can exfiltrate data through an air-gap over cellular frequencies. Rogue software on an infected target computer modulates and transmits electromagnetic signals at cellular frequencies by invoking specific memory-related instructions and utilizing the multichannel memory architecture to amplify the transmission. Furthermore, we show that the transmitted signals can be received and demodulated by a rootkit placed in the baseband firmware of a nearby cellular phone. We present crucial design issues such as signal generation and reception, data modulation, and transmission detection. We implement a prototype of GSMem consisting of a transmitter and a receiver and evaluate its performance and limitations. Our current results demonstrate its efficacy and feasibility, achieving an effective transmission distance of 1-5.5 meters with a standard mobile phone. When using a dedicated, yet affordable hardware receiver, the effective distance reached over 30 meters. We will extend the discussion to other methods of bridging the air-gap (e.g., thermal covert-channels), countermeasures and future directions.

The wireless spectrum is the major blind spot of enterprises and organisations of all kinds. In today’s environment closing the door and lowering the shutters won’t give you any extra protection. We recommend this talk for anyone dealing with defence and fighting against data leaks. The bandwidth of GSMem might not be broadband, but given enough time it will get the job done. Voyager 1 and 2 are still transmitting, and so might be the attacker in your network.


Mordechai Guri is an accomplished computer scientist and security expert with over 20 years of practical research experience. He earned his B.Sc. and M.Sc., summa cum laude, from the computer science department at the Hebrew University of Jerusalem. Guri is a lead researcher and lab manager at the Ben Gurion Cyber Security Research Center and has been awarded the prestigious IBM PhD International Fellowship (2015-2016). In the past few years Mordechai has led a number of breakthrough research projects in cyber-security, some of which have been published worldwide. His research topics include OS security, advanced malware, Moving Target Defense (MTD), mobile security and embedded systems. Mordechai is also the Chief Scientific Officer and Co-Founder of the start-up company Morphisec.


Yisroel Mirsky received his B.Sc. in Communication Systems Engineering from the Jerusalem College of Technology in 2013. He is now a Ph.D. student at Ben-Gurion University in the Department of Information Systems Engineering. He is doing his Ph.D. under the supervision of Prof. Bracha Shapira and Prof. Yuval Elovici. His research interests include smartphone security, context-aware data leakage prevention, and covert channels. He is currently managing a research project at the BGU Cyber Security Research Center.
