I knew this was Dr. Guri and his team [0] before I even opened the link. He's like a one-man factory for clever airgap traversal exploits, I don't know how he does it. I first ran into his work in a security class, covering a similar exploit using SIMD write instructions [1].
If he's smart enough, he'd make a component of the AI hardwired into the air-gapped computer. Without it physically present on a system, the AI cannot operate.
(This is equivalent to making genetically engineered animals or plants dependent on a nutrient that is only supplied in the lab to make sure they can't survive in the wild.)
> (This is equivalent to making genetically engineered animals or plants dependent on a nutrient that is only supplied in the lab to make sure they can't survive in the wild.)
Well, I can think of two prior examples of this particular one:
* The first is fictional. In Person of Interest, one of the AIs does this in 4x22/5x01 (2015/2016) [0] to escape the other one.
* The second, which has existed in the real world for decades, I only remembered after starting to type a joking comment about the prior point: The X10 standard is for using existing power lines for controlling home automation equipment. [1]
Third, it becomes more obvious when you stop thinking that computers are magic black boxes of digital pixie dust and realize they're physical artifacts, bound by the laws of physics. Then you realize there's a shit ton of side channels available - places where energy escapes, where that energy is correlated with the processing the machine is doing. From there you get all of TEMPEST.
BTW, great that you mention Person of Interest; I highly recommend that show. IMO it's still, to date, the best and most realistic discussion of superhuman artificial intelligence in the popular media. Oh, and they predicted Snowden.
> ... Person of Interest; I highly recommend that show. IMO it's still, to date, the best and most realistic discussion of superhuman artificial intelligence in the popular media.
When did that happen in the show? I vaguely remember some kind of episode about slipping a question to an AI or something. Maybe I should give the show a second chance.
You definitely should. It starts as if it was a typical procedural, with a slight twist that it's a mysterious "machine" that gives tips to protagonists about people involved in crimes they need to prevent. It's very subtle at the beginning, but past the first season, the show very quickly turns into a full-blown exploration of surveillance state, impact of AI on society, and AI safety issues.
I love how it's set up as almost a standard crime-of-the-week show, but in the first one or two episodes Finch says "oh, turns out there's ways round Shannon's law".
Not just X10. There are powerline Ethernet adapters out there; I use them because I don't want to run a bunch of Cat-5 all over the place, but I also don't really want to use the Xbox over wifi.
Van Eck phreaking came to mind immediately - which wouldn't require any remotely malicious code to be run. Anyone with more knowledge than myself know if Van Eck phreaking is still an attack vector on modern technology?
Markus Kuhn has since discovered that by tuning into the radio emissions produced by the cables running into a monitor, hackers can garner the pixels one at a time, and carefully stack them together to form a picture of someone else's screen. Reportedly, Markus was able to "see a PowerPoint presentation from a stand 25 meters away (pictured)," and he also noted that laptops with metal hinges were particularly good targets as they tended to broadcast the necessary signals quite well.
One of my favorite elements of The Laundry Files series is the old spook who only uses a Memex machine because of van Eck phreaking.
> One of my favorite elements of The Laundry Files series, is the old spook who only uses a Memex machine because of van Eck phreaking.
There is a scene in Neal Stephenson's novel Cryptonomicon (1999) where the protagonist accesses his laptop's data by manipulating the scroll-lock LED using Morse code, as he is fairly certain he is being van Eck phreaked.
When I read about Van Eck Phreaking in that book I thought for sure it was just some nonsense for the book. Couldn't believe it was real. That book was pretty amazing. It's hard to believe a book about cryptocurrency was released all the way back in 1999.
High pixel density of modern screens makes it very difficult to reconstruct the signal. That, combined with the fact that LCD displays are far less susceptible than CRT displays, makes it virtually irrelevant for many new displays. Exceptions may include TVs, which use much more power per pixel, and lower-resolution screens like those on netbooks, though now that even phones have >1080p screens these are much less common.
This is somewhat untrue, and the physical connections between a laptop motherboard and its display are often poorly shielded and broadcast your display (think of every physical connection as an antenna).
(I really was just trying to fill in the blanks for anyone who hadn't encountered "sauce" as internet slang for "source" aka "provenance" yet. Given the responses though it feels like I accidentally trolled. Please excuse me. ;-)
What are the odds that there isn't some other, easier way? It's not that it is necessarily impossible, but if it's really quite difficult, it might not ever happen just because there's always some other, easier way. Even if you have an effectively unlimited budget.
It's likely that whoever exploits this would do both the easier way and this way.
This one is particularly great because an air gap is assumed by default to be very secure.
So you may think things are fine and dandy 'cause you got a fancy lil air gap, but lo and behold, your data has been exfiltrated through the power lines for years.
TEMPEST[1] / Van Eck threats are still prevalent. All EMF is going to leak information so sensitive devices have shielding when they are under elevated threat. See the government-grade shielding on Trump's monitor here: https://electrospaces.blogspot.com/2017/11/trumps-communicat...
This is very interesting! In fact, I think NSA TEMPEST standards already protect against this kind of attack. For example, here is a TEMPEST certified powerline filter that protects against conducted emissions that this paper relies on: http://apitech.com/products/tempest-sdip-27-level-b-6a-ac-in...
I would love to hear more about this from someone who has experience in this.
The name "PowerHammer" is also a bit of a mismatch. It's basically a covert channel via power consumption, which has been known. The transmission mechanism (write) is to idle the CPU for specific intervals of time in order to transmit bits.
Impressive engineering, impressive bitrate, but not so novel an idea, overall.
They had pilot BPL (broadband over power lines) projects (I think ibec comes to mind) back in the day, but the FCC doesn't like interference and the BRU (broadband regenerator units) that have to be installed every so often to fix signal degradation weren't cheap if I recall properly.
True, but I've never seen software open a physical hole to the machine. That is, air gap means there's no physical way to access the machine.
But this exploit would create, out of thin air, a physical connection to the outside world using the power outlet the machine is connected to.
So unless data centers become powered by solar panels or generators that are themselves under the same level of physical security as the server racks, then this is a pretty serious exploit.
TEMPEST shielding ranges from not at all cheap to breathtakingly expensive, and what you're describing is just one part of high-level shielding. It's not just the facilities that cost, but the fact that your electricians and janitors need clearance as much as your devs and analysts. Even if data centers wanted to go that route, they would have to pass the costs on to the customer, who would need to be a very particular kind of customer with deep pockets.
Yeah, but well-funded adversaries could easily exploit this, and we're talking about a full-blown data leak, so it might be worth it to protect against it.
You would need to be pretty close to the server/storage/etc to get a clean enough signal to be useful though. So physical security might be enough to protect against this type of attack. You probably can't just dig up the powerline outside and start tapping it thankfully.
Get a dirty pickup truck, a warning vest with the text "CONSTRUCTION" on the back and one of those laser devices to measure out the land.
Then also put some shovels, pickaxes and other construction and digging gear into the back of the pickup truck.
Lastly, learn how to not behave like you're doing something forbidden or bad. You can try it out in less secured areas if you want to train up a bit.
Once you've mastered that you can drive up to any place and start digging. Nobody will question it.
The same is also true for IT security. Pentesters do that sometimes: walk into the bank, walk up to the manager's office or similar, wait for a few minutes, then walk back. Everyone will now assume that you talked to the manager (provided they didn't see you standing there), and you can do things like "can I plug this USB stick in? I'm from IT and we're updating the anti-malware software in all branches." (That actually worked; there is a DEFCON talk somewhere.)
So in conclusion: don't be confident someone won't dig up your powerline and start tapping it. Unless you have a habit of asking the construction workers whether they're allowed to dig up the road.
I think you're stretching the definition (at least at a conceptual level) of "Air-Gapped" when your means of communication are connections that go through the air-gap.
I guess there are probably real systems referred to as "air-gapped" that don't have power isolation they could be addressing, but it still feels a little disingenuous.
It just goes to show that "sufficient paranoia" is something that should be evaluated relative to the value you are protecting and the estimated potential strength and persistence of adversaries.
Security measures (should be) a line item on a budget with a total. The details are something that might be reviewed by an expert in the field with the necessary clearance. Secrecy also has a cost (security by obscurity isn't a design feature, but security //plus// obscurity might have a worthwhile value).
I think at a site level a sufficiently sized dynamo, maybe per section, could be utilized both as an initial gapping measure and as a mux for different power sources (line, stopgap, and local generation). For high-value sections one or more full re-regulation stages would help. (Off the shelf, a UPS that always converts AC > DC > AC comes to mind.)
Finally, at an OS level, it seems that the highest value targets should probably examine a feature similar to the 'constant time' style cryptographic / security response paths better algorithms and designs have; in this case always running the system within a constant performance (and power use) envelope. I had not previously considered that such ultra-high security environments might be harmed by /efficiency/ as a means of leaking data.
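The two ideas in this thread, a sender that modulates CPU load per bit period (as described for the covert channel above) and the constant-power-envelope mitigation just proposed, can be seen together in a toy simulation. This is an added illustration, not code from the PowerHammer paper or from Guri's team: the power levels, noise, sampling rate and the on-off keying with a preamble are all assumptions, in arbitrary units, and say nothing about a real machine's achievable bit rate.

```python
"""Toy simulation of a power-consumption covert channel.

Added example, not the paper's code. A sender process keeps the CPU busy for
a '1' and idles for a '0'; a receiver that can sample the machine's power
draw slices the trace into bit periods and thresholds each period's mean.
Levels, noise and rates below are assumed, arbitrary units.
"""
import random
import statistics

SAMPLES_PER_BIT = 20                     # assumed receiver samples per bit period
IDLE_LEVEL, BUSY_LEVEL = 10.0, 30.0      # assumed draw, arbitrary units
NOISE_SIGMA = 4.0                        # assumed measurement noise (same units)
PREAMBLE = [1, 0, 1, 0, 1, 0, 1, 1]      # sync word so the receiver can find frame start


def text_to_bits(text):
    return [int(c) for byte in text.encode() for c in format(byte, "08b")]


def bits_to_text(bits):
    raw = bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))
    return raw.decode(errors="replace")


def frame(payload_bits):
    """Preamble, 8-bit length in bytes, then the payload."""
    return PREAMBLE + [int(c) for c in format(len(payload_bits) // 8, "08b")] + payload_bits


def transmit(bits, rng, governed=False, lead_samples=0):
    """Return the simulated power trace for `bits`, preceded by lead_samples of
    idle. With governed=True a constant-load governor (the mitigation the
    thread sketches) burns cycles whenever the sender would idle, so the
    draw stops depending on the data."""
    def samples(level, n):
        return [level + rng.gauss(0, NOISE_SIGMA) for _ in range(n)]
    trace = samples(BUSY_LEVEL if governed else IDLE_LEVEL, lead_samples)
    for b in bits:
        trace += samples(BUSY_LEVEL if (b or governed) else IDLE_LEVEL, SAMPLES_PER_BIT)
    return trace


def receive(trace, threshold=(IDLE_LEVEL + BUSY_LEVEL) / 2):
    """Recover the payload bits, or None if no frame is found.

    The receiver does not know where bit periods start, so it tries every
    sub-bit offset, thresholds the per-period means, looks for the preamble,
    and keeps the offset whose decisions sit furthest from the threshold."""
    best_margin, best_payload = -1.0, None
    for offset in range(SAMPLES_PER_BIT):
        n = (len(trace) - offset) // SAMPLES_PER_BIT
        means = [statistics.fmean(trace[offset + i * SAMPLES_PER_BIT:
                                        offset + (i + 1) * SAMPLES_PER_BIT])
                 for i in range(n)]
        bits = [1 if m > threshold else 0 for m in means]
        for start in range(len(bits) - len(PREAMBLE) - 8 + 1):
            if bits[start:start + len(PREAMBLE)] != PREAMBLE:
                continue
            hdr = start + len(PREAMBLE)
            nbytes = int("".join(map(str, bits[hdr:hdr + 8])), 2)
            end = hdr + 8 + nbytes * 8
            if end > len(bits):
                break
            margin = min(abs(m - threshold) for m in means[start:end])
            if margin > best_margin:
                best_margin, best_payload = margin, bits[hdr + 8:end]
            break
    return best_payload


def run(message, seed=1, governed=False):
    """End to end: modulate `message` into a trace and demodulate it back."""
    rng = random.Random(seed)
    trace = transmit(frame(text_to_bits(message)), rng, governed,
                     lead_samples=rng.randrange(0, 3 * SAMPLES_PER_BIT))
    payload = receive(trace)
    return None if payload is None else bits_to_text(payload)


if __name__ == "__main__":
    print("plain   :", run("airgap"))                 # recovers the message
    print("governed:", run("airgap", governed=True))  # None: the trace is flat
```

With the governor on, every bit period's mean sits at the busy level, so the receiver never sees the preamble and the channel is closed; the cost is exactly the efficiency the comment above worries about, since the machine draws full power even while idle. A real receiver on the mains side would also have to deal with the 50/60 Hz fundamental and everything else on the circuit, which this model ignores.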
The last few years of research have driven the point home [1] that 'air-gapping' is to be interpreted in a quantum sense -- within the domain of information theory and physical observability -- instead of merely not punching any formal hardware interfaces through.
Whether your threat model actually needs to protect against these is an entire other question.
Quite a few sites have air-gapped networks that consist of employees having two computers (on the same desk), one in the secure network, and one connected to outside. Obviously there's no power isolation.
They are actually on separate power networks (red and black) at least the ones I’m familiar with.
There is also a minimum distance between the computers that must be adhered to; in fact, there are minimum distance and shielding requirements for the in-wall cabling between different networks, including power.
And my guess is that since 2009 or so the regulations have only become more strict.
I would agree with your assessment. If it's connected to _something_, then it's not air-gapped, right? I've never built an air-gapped system before but I imagine that I would want to start with a room lined with copper mesh and a big battery bank.
Outside of a military context (and often even there too) air-gaps don't mean nearly as much as programmers think they do. There are too many possible ways in / out.
A pretty robust secure room even from many decades ago would combine isolation tricks you would see in various single-purpose laboratory settings and in hollywood movies.
A room within a room with non-parallel walls for acoustic isolation over a wide frequency range. The inner room is hanging from a spring suspension system. A mesh layer for electromagnetic shielding. A power isolation system doing some elaborate AC-DC-AC conversion (mechanically and/or electrically). Also, separate air handling systems to avoid connected duct work.
And of course, there could be significant buffering and filtering via mass loading, shock absorbers, capacitor banks, chilled water tanks, etc.
I'll take it a step further and suggest that highly secure applications should be causality gapped - the system is only activated when more than 5 billion light years from Earth, so no data could make it back before the sun destroys the planet.
For critical applications, the system should be launched far enough from the edge of all observable matter, that it is causality gapped to the heat death of the universe.
Why? Just put a WiFi dongle on your machine; you control the hardware anyways. Or, put a cellular modem on it, and talk to it from anywhere in the world.
Yeah, but where does the listening device need to be in relation to that property's power lines? I'm sure you can't listen from, say, across a city...
If this is really what you want to do, you'd probably be better off siphoning power from properties that are within range of public WiFi (or semi-public, like Xfinity hotspots).
[0] https://www.researchgate.net/profile/Mordechai_Guri
[1] https://www.usenix.org/node/190937