are related to detection. The first is the
method’s ability to evade detection by
software. If the malicious code consumes CPU at high levels, uses special
system calls, or utilizes unique resources, it might be easier to detect by anti-virus or host intrusion detection products. The second aspect is the ability to
evade detection by humans (for example,
people in the room). Naturally, some
optical and thermal methods can be
sensed by people, and hence are more
likely to be noticed during the workday,
while electromagnetic and ultrasonic
methods are considered more covert.
Channel availability. Another characteristic is the communication channel’s
level of availability during the day. In
some methods, transmission or reception is available only when the computer
is idle or the workload is low. This is particularly relevant to EMc methods such
as AirHopper and SAVAT. Optical attacks
might, in practice, only be used when
there is no user in the room (for example,
data exfiltration via blinking LEDs).
Virtualization and cloud environment. Modern IT environments may
consist of personal workstations and
servers running on top of virtual machines (VMs). Electromagnetic methods
depend on precise timing of the CPU
and GPU, which may be disrupted when
multiple VMs are running on the same
physical machine. In addition, in situations in which malware is executed in a
VM, it may have no access to the system
resources enabling the covert-channel.
For instance, acoustic methods require
access to the audio system that can be
disabled in the VMs.
Hardware availability. Methods for
bridging the air-gap have been proposed
since the 1990s. Given this, some of the
attacks have been conducted on hardware that has since become outdated.
The TEMPEST-AM relay attack was conducted on CRT monitors and VGA connectors and is less relevant in today’s
environment. In contrast, other attacks
such as GSMem, Funtenna, and USBee
utilize components that are an indispensable component of modern systems. Ultrasonic channels require speakers and microphones, which might not
be available in all setups. Notably, thermal sensors, and CPUs and GPUs (heat
emitters) exist in every system, making
thermal attacks relevant to nearly all off-the-shelf computers.
rate that exceeds the visual perception
capabilities of humans. Note that some
LEDs (for example, routers and hard
drive LEDs) routinely flicker, and therefore the user may not be suspicious of
changes in their behavior.
Covert optical methods. A unique infiltration attack proposed in 2015 by
Shamir et al. demonstrated how to establish a covert channel with a malware
over the air-gap using a standard all-in-one printer.
36 In this case, a remote
beam of blue laser blinked information
in binary code; the laser was sent to the
target building (aimed at a room in the
building housing an all-in-one-printer)
from a distance greater than one kilometer away. Malware located within the
air-gapped network utilized the scanner sensors to receive the signals. The
malware could also send out signals by
turning the scanner lamp on and off to
encode binary data. The researchers
demonstrated how a drone with a laser
beam and camera positioned outside a
window could perform the transmission
and reception tasks successfully.
VisiSploit, which was introduced in
2016, is a stealthy optical covert channel.
15 This method exploits the limitations of human visual perception in
order to leak sensitive information
through the computer’s LCD screen. A
malware in the compromised computer
conceals sensitive information and embeds it on the screen image in a covert
manner (for example, by fast blinking),
invisible and unbeknownst to the user.
This research further demonstrated
that an attacker was able to reconstruct
the concealed data using a photo taken
by a hidden camera located a distance
of eight meters away. Table 4 provides
details about the various optical covert
Most of the air-gap related covert channels have been demonstrated in experimental environments in research
laboratories. However, in addition to
considering a method’s theoretical feasibility, it is important to examine its practical applicability and the likelihood that
it may occur in a real cyberattack. Here,
we examine six characteristics related to
the relevance of such covert channels in
realistic attack scenarios.
Stealth. There are two aspects regarding the stealth of the attack, and both
In addition to
the likelihood that it
may occur in a real