are related to detection. The first is the
method's ability to evade detection by
software. If the malicious code consumes CPU at high levels, issues unusual
system calls, or uses uncommon resources, it is easier for anti-virus or host intrusion detection products to flag it. The second aspect is the ability to
evade detection by humans (for example,
people in the room). Naturally, some
optical and thermal methods can be
sensed by people, and hence are more
likely to be noticed during the workday,
while electromagnetic and ultrasonic
methods are considered more covert.
Channel availability. Another characteristic is the communication channel's
level of availability during the day. In
some methods, transmission or reception is possible only when the computer
is idle or the workload is low. This is particularly relevant to electromagnetic methods such
as AirHopper and SAVAT. Optical attacks
might, in practice, be usable only when
there is no user in the room (for example,
data exfiltration via blinking LEDs).
Virtualization and cloud environment. Modern IT environments may
consist of personal workstations and
servers running on top of virtual machines (VMs). Electromagnetic methods
depend on precise timing of the CPU
and GPU, which may be disrupted when
multiple VMs share the same
physical machine. In addition, when malware is executed inside a
VM, it may have no access to the system
resources that enable the covert channel.
For instance, acoustic methods require
access to the audio system, which may be
disabled or not passed through to the VM.
Hardware availability. Methods for
bridging the air-gap have been proposed
since the 1990s. Given this, some of the
attacks were conducted on hardware that has since become outdated.
The TEMPEST-AM relay attack was conducted on CRT monitors and VGA connectors and is less relevant in today's
environment. In contrast, other attacks
such as GSMem, Funtenna, and USBee
rely on components that are indispensable in modern systems. Ultrasonic channels require speakers and microphones, which might not
be available in all setups. Notably, thermal sensors, and CPUs and GPUs (heat
emitters) exist in every system, making
thermal attacks relevant to nearly all off-the-shelf computers.
rate that exceeds the visual perception
capabilities of humans. Note that some
LEDs (for example, router and hard
drive LEDs) routinely flicker, and therefore the user may not be suspicious of
changes in their behavior.
Covert optical methods. A unique infiltration attack proposed in 2015 by
Shamir et al. demonstrated how to establish a covert channel with malware
over the air-gap using a standard all-in-one printer [36]. In this attack, a remote
blue laser beam blinked information
in binary code; the laser was aimed at the
target building (at a room in the
building housing an all-in-one printer)
from a distance of more than one kilometer. Malware located within the
air-gapped network used the scanner sensor to receive the signals. The
malware could also send signals out by
turning the scanner lamp on and off to
encode binary data. The researchers
demonstrated that a drone carrying a laser
and a camera, positioned outside a
window, could perform both the transmission
and the reception tasks successfully.
VisiSploit, which was introduced in
2016, is a stealthy optical covert channel [15]. This method exploits the limitations of human visual perception in
order to leak sensitive information
through the computer's LCD screen.
Malware on the compromised computer
conceals sensitive information by embedding it in the screen image in a covert
manner (for example, by fast blinking),
invisible to and unnoticed by the user.
The research further demonstrated
that an attacker was able to reconstruct
the concealed data from a photo taken
by a hidden camera located
eight meters away. Table 4 provides
details about the various optical covert
channels discussed.
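As an added illustration (not code from the surveyed papers or their authors), the following Python models the element the scanner, LED and screen channels above have in common: a sender blinks binary data by switching a light source on and off, and a receiver samples a light sensor and decodes it. The Manchester coding, the preamble, the five-fold oversampling, the one-byte length field, and the Gaussian noise model are all assumptions chosen for the example; the sensor trace is constructed in the code, not recorded from real hardware.

```python
import random

# Manchester coding: each data bit becomes two half-symbols (lamp on = 1, off = 0),
# so every bit carries a mid-bit transition and the stream never has a run longer
# than two. That gives the receiver a clock and makes a longer run usable as sync.
HALF = {1: (1, 0), 0: (0, 1)}
# Sync word (assumption): runs of four never occur in Manchester-coded data.
PREAMBLE = (1, 1, 1, 1, 0, 0, 0, 0)
OVERSAMPLE = 5  # assumption: sensor samples taken per half-symbol


def bytes_to_bits(data: bytes) -> list:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits: list) -> bytes:
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def encode(payload: bytes) -> list:
    """On/off schedule for the lamp: preamble, one-byte length, Manchester-coded frame."""
    if len(payload) > 255:
        raise ValueError("one-byte length field")
    halves = list(PREAMBLE)
    for bit in bytes_to_bits(bytes([len(payload)]) + payload):
        halves.extend(HALF[bit])
    return halves


def transmit(halves: list, sigma: float = 0.1, seed: int = 1) -> list:
    """Constructed sensor trace: each half-symbol is held for OVERSAMPLE samples,
    a few dark samples precede the frame, and Gaussian noise stands in for ambient light."""
    rng = random.Random(seed)
    idle = [rng.gauss(0.0, sigma) for _ in range(7)]
    trace = [level + rng.gauss(0.0, sigma) for level in halves for _ in range(OVERSAMPLE)]
    return idle + trace


def decode(samples: list, threshold: float = 0.5):
    """Recover the payload from a brightness trace, or None if no valid frame is present."""
    hard = [1 if s > threshold else 0 for s in samples]
    try:
        start = hard.index(1)  # first bright sample: rising edge of the preamble
    except ValueError:
        return None
    # Majority-vote each half-symbol window so an isolated noisy sample cannot flip it.
    halves = []
    for i in range(start, len(hard) - OVERSAMPLE + 1, OVERSAMPLE):
        window = hard[i:i + OVERSAMPLE]
        halves.append(1 if sum(window) * 2 > OVERSAMPLE else 0)
    if tuple(halves[:len(PREAMBLE)]) != PREAMBLE:
        return None
    bits = []
    body = halves[len(PREAMBLE):]
    for i in range(0, len(body) - 1, 2):
        pair = tuple(body[i:i + 2])
        if pair == HALF[1]:
            bits.append(1)
        elif pair == HALF[0]:
            bits.append(0)
        else:
            break  # (1,1) or (0,0): lost sync or end of frame
    frame = bits_to_bytes(bits)
    if not frame or len(frame) < 1 + frame[0]:
        return None
    return frame[1:1 + frame[0]]


if __name__ == "__main__":
    schedule = encode(b"air-gap")
    print("half-symbols to blink:", len(schedule))
    print("recovered:", decode(transmit(schedule)))
```

The symbol rate is deliberately left out of the model: the same schedule can be driven at a rate a person would notice or at one above visual perception, which is the distinction the LED and VisiSploit channels rely on. A frame that fails the preamble or length check is rejected rather than partially returned, so the receiver does not mistake flicker from an unrelated LED for data.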
Attack Metrics
Most of the air-gap-related covert channels have been demonstrated in experimental environments in research
laboratories. However, in addition to
considering a method's theoretical feasibility, it is important to examine its practical applicability and the likelihood that
it may occur in a real cyberattack. Here,
we examine six characteristics related to
the relevance of such covert channels in
realistic attack scenarios.
Stealth. There are two aspects regarding the stealth of the attack, and both