23. Guri, M., Zadov, B. and Elovici, Y. LED-it-GO: Leaking (a
lot of) data from air-gapped computers via the (small)
hard drive LED. In Proceedings of the 14th International
Conference on Detection of Intrusions and Malware and
Vulnerability Assessment, (Bonn, 2017).
24. Hanspach, M. and Goetz, M. On covert acoustical mesh
networks in air. 2014; arXiv:1406.1213, 2014.
25. Kuhn, M. Optical time-domain eavesdropping risks of
CRT displays. In Proceedings of the IEEE Symposium
on Security and Privacy, 2002.
26. Kuhn, M.G. and Anderson, R.J. Soft TEMPEST: Hidden
data transmission using electromagnetic emanations.
Information Hiding, Springer-Verlag, 1998, 124–142.
27. Lee, E., Kim, H. and Yoon, J. W. Various threat
models to circumvent air-gapped systems for
preventing network attack. Information Security Applications
9503 (2015), 187–199.
28. Loughry, J. and Umphress, D. A. Information leakage
from optical emanations. ACM Trans. Information and
System Security (2002), 262–289.
29. Madhavapeddy, A., Sharp, R., Scott, D. and Tse, A.
Audio networking: The forgotten wireless technology.
IEEE Pervasive Computing 4, 3 (2005), 55–60.
30. McAfee. Defending critical infrastructure without air
gaps and stopgap security, 2015; https://blogs.mcafee.
31. McNamara, J. The complete, unofficial TEMPEST
information page, 1999; http://www.jammed.
32. Mirsky, Y., Guri, M. and Elovici, Y. HVACKer: Bridging the
air-gap by manipulating the environment temperature.
33. National Computer Security Center. NCSC-TG-004
Glossary of Computer Security Terms, 1988; http://
34. NSA/CSS. NSA/CSS Regulation 90-6: Technical
Security Program. Fort George G. Meade, MD. Partially
declassified transcript, 1999; http://cryptome.org/
35. O’Malley, S.J. and Choo, K-K.R. Bridging the air gap:
Inaudible data exfiltration by insiders. In Proceedings of
the Americas Conference on Information Systems, 2014.
36. SC Magazine. Light-based printer attack overcomes
air-gapped computer security, 2014; http://www.
37. Schneier, B. Schneier on Security: COTTONMOUTH-III: NSA exploit of the day; https://www.schneier.
38. Securelist. Agent.btz: A Source of inspiration? 2014;
39. Sepetnitsky, V., Guri, M. and Elovici, Y. Exfiltration of
information from air-gapped machines using monitor’s
LED indicator. In Proceedings of the Intelligence and
Security Informatics Conference, (The Hague, The
40. Symantec. Mind the gap: Are air-gapped systems safe
from breaches? 2014; http://www.symantec.com/
41. Tempest for Eliza; http://www.erikyyy.de/tempest/.
42. van Eck, W. Electromagnetic radiation from video
display units, 1985; https://cryptome.org/emr.pdf.
43. The Washington Post. Powerful NSA hacking
tools have been revealed online; https://www.
44. Zander, S., Armitage, G. and Branch, P. A survey of
covert channels and countermeasures in computer
network protocols. IEEE Communications Surveys &
Tutorials 9, 3 (2007), 44–57.
Mordechai Guri (email@example.com) is head of R&D
of the Cyber Security Research Labs at Ben-Gurion
University of the Negev, Beer-Sheva, Israel.
Yuval Elovici (firstname.lastname@example.org) is a professor in the
Department of Information Systems Engineering and
director of Deutsche Telekom Laboratories at Ben-Gurion
University of the Negev, Beer-Sheva, Israel.
Copyright held by authors/owners.
Publication rights licensed to ACM. $15.00.
at overriding electromagnetic or acoustic
signals at specified frequencies. In this
method, a specialized hardware transmitter continuously generates random
electromagnetic or acoustic noise that
overlays other transmissions in the area.
Anti-virus and behavioral detection techniques may be used to detect and block
covert channel activities. For example, it
is possible to monitor running programs in order to identify intentional
electromagnetic, acoustic, thermal, or optical
transmissions. In this case, behavioral
analysis, machine learning, or anomaly
detection may be used to alert on suspicious processes. Kuhn and Anderson
proposed the “soft tempest” technique,
an interesting software-based solution
for electromagnetic attacks. The general idea is to filter out, at the software
level, the information that causes a
component (for example, a video cable) to
emanate RF signals. The different types
of countermeasures, along with their relevance to different types of covert
channels and their cost, are provided in Table 6.
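One way the behavioral check described above could look, as an added example that is not code from the article or its authors: a transmitter that encodes bits by switching a component's activity on and off for fixed symbol periods produces idle/busy runs that are near-integer multiples of one unit, which ordinary workloads rarely do. The telemetry format (per-process disk activity sampled at a fixed interval), the process names and the thresholds are assumptions, and the sample traces are constructed.

```python
from collections import Counter
from itertools import groupby

def series(runs, level=40):
    """Build a constructed activity trace from alternating idle/busy run lengths."""
    out, busy = [], False
    for r in runs:
        out += [level if busy else 0] * r
        busy = not busy
    return out

# Constructed telemetry: disk activity per fixed sampling interval, per process.
# Process names are hypothetical.
TELEMETRY = {
    "backup-agent": series([3, 5, 7, 3, 11, 4, 3, 8, 5, 10, 3, 7, 2, 13, 3, 5]),
    "svc-unknown": series([5, 8, 8, 16, 9, 8, 24, 8, 15, 8, 8, 7, 16, 8, 8, 3]),
}

def run_lengths(samples, threshold=0):
    """Lengths of consecutive idle/busy runs in an activity series."""
    return [len(list(g)) for _, g in groupby(s > threshold for s in samples)]

def ook_score(samples, tol_frac=0.15):
    """Return (unit, score): the most common run length, and the fraction of
    runs within tol_frac*unit of an integer multiple of it."""
    runs = run_lengths(samples)[1:-1]  # edge runs are cut off by the capture window
    if not runs:
        return 0, 0.0
    unit = Counter(runs).most_common(1)[0][0]
    def fits(r):
        k = max(1, round(r / unit))
        return abs(r - k * unit) <= tol_frac * unit
    return unit, sum(map(fits, runs)) / len(runs)

def flag_processes(telemetry, min_unit=2, min_runs=12, min_score=0.9):
    """Names of processes whose activity toggles on a fixed symbol clock."""
    flagged = []
    for name, samples in telemetry.items():
        unit, score = ook_score(samples)
        enough = len(run_lengths(samples)) >= min_runs
        if unit >= min_unit and enough and score >= min_score:
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    for name, samples in TELEMETRY.items():
        print(name, ook_score(samples))
    print("flagged:", flag_processes(TELEMETRY))
```

The `min_unit` guard refuses to score traces whose dominant run is a single sample, because every run length is trivially a multiple of one and the sampling rate is then too coarse to judge.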
Conclusion and Outlook
Air-gap isolation is currently used in a
wide range of industries and organizations. Although the exfiltration of information from air-gapped networks is still
considered a challenging task, it is no
longer dismissed as a sensational anecdote, as the last decade has shown that
nothing is impossible for hackers. Over
the years, a wide range of covert channels
have been revealed that demonstrate the
feasibility of data leakage by malware, despite a lack of network connection. These
methods exploit the electromagnetic,
acoustic, thermal, and optical emanations
from various system components.
Three factors make air-gap isolation
vulnerable to attacks. RF technologies
have dramatically improved, allowing
attackers to acquire high-quality RF receivers, audio recording devices, and
remote cameras at affordable prices.
This, coupled with emerging trends of
multisensors, smartphones, HD cameras,
versatile drones, and wearable devices,
makes the modern IT environment
a source rich in potential covert communication
channels. Finally, cyber security
threats continuously develop, with
hackers constantly raising the bar with
sophisticated attack campaigns and innovative
ways of achieving their goals. In the
future, we expect to see the emergence of
new types of covert channels that challenge
air-gap security, making this threat
an interesting topic for academia and the
cyber security community.
1. Air Gap Computer Network Security;
2. Anderson, R.J. Emission security. Security Engineering,
2nd Ed. Wiley Publishing, 2008, 523–546.
3. Bartolini, D. B., Miedl, P. and Thiele, L. On the capacity
of thermal covert channels in multicores. EuroSys, 2016.
4. Black-Hat. Emanate like a boss: Generalized covert data
exfiltration with Funtenna. (2015);
https://www.blackhat.com/us15/briefings.html#emanate-like-a-boss-generalized-covert-data-exfiltration-with-funtenna.
5. Bornstein, M. H. and Lamb, M. E. Cognitive Development:
An Advanced Textbook. Psychology Press, 2011.
6. Callan, R., Zajic, A. and Prvulovic, M. A practical
methodology for measuring the side-channel signal
available to the attacker for instruction-level events. In
Proceedings of the 47th Annual IEEE/ACM International
Symposium on Microarchitecture. IEEE, 2014, 242–254.
7. Carrara, B. and Adams, C. Out-of-band covert channels—
A survey. ACM Computing Surveys 49, 2, (2016).
8. Deshotels, L. Inaudible sound as a covert channel
in mobile devices. In Proceedings of the USENIX
Workshop for Offensive Technologies, 2014.
9. Do, Q., Martini, B. and Choo, K-K.R. Exfiltrating data from
Android devices. Computers & Security 48 (2015), 74–91.
10. Do, Q., Martini, B. and Choo, K-K.R. A data exfiltration
and remote exploitation attack on consumer 3D
printers. IEEE Trans. Information Forensics and
Security 11, 10 (2016), 2174–2186.
11. D’Orazio, C.J., Choo, K-K.R. and Yang, L. T. Data exfiltration
from Internet of Things devices: iOS devices as case
studies. IEEE Internet of Things J. 99, 2327–4662.
12. Federation of American Scientists. Joint Worldwide
Intelligence Communications System, 1999; http://
13. Goodin, D. Meet ‘badBIOS,’ the mysterious Mac and PC
malware that jumps airgaps. 2013; http://arstechnica.
14. Goodin, D. How ‘omnipotent’ hackers tied to NSA hid
for 14 years—and were found at last. 2015; https://
15. Guri, M., Hasson, O., Kedma, G. and Elovici, Y. An
optical covert-channel to leak data through an air-gap.
In Proceedings of the 14th Annual Conference on
Privacy, Security and Trust (Auckland, 2016).
16. Guri, M., Kachlon, A., Hasson, O., Kedma, G., Mirsky,
Y. and Elovici, Y. GSMem: Data exfiltration from
air-gapped computers over GSM frequencies. In
Proceedings of the USENIX Security Symposium,
(Washington, D. C., 2015).
17. Guri, M., Kedma, G., Kachlon, A. and Elovici, Y.
AirHopper: Bridging the air-gap between isolated
networks and mobile phones using radio frequencies.
In Proceedings of the 9th International Conference on
Malicious and Unwanted Software: The Americas.
IEEE, 2014, 58–67.
18. Guri, M., Monitz, M. and Elovici, Y. USBee: Air-gap
covert-channel via electromagnetic emission from
USB. In Proceedings of the 14th Annual Conference on
Privacy, Security and Trust, (Auckland, 2016).
19. Guri, M., Monitz, M. and Elovici, Y. Bridging the air
gap between isolated networks and mobile phones
in a practical cyber-attack. ACM Trans. Intelligent
Systems and Technology 8, 4 (2017), 50.
20. Guri, M., Monitz, Mirski, M. and Elovici, Y. Bit Whisper:
Covert signaling channel between air-gapped
computers using thermal manipulations. In
Proceedings of the 28th IEEE Computer Security
Foundations Symposium, (Verona, 2015).
21. Guri, M., Solewicz, Y., Daidakulov, A. and Elovici,
Y. Fansmitter: Acoustic data exfiltration from
(speakerless) air-gapped computers. 2016,
22. Guri, M., Solewicz, Y., Daidakulov, A. and Elovici, Y.
Acoustic data exfiltration from speakerless air-gapped
computers via covert hard-drive noise (‘DiskFiltration’).
In Proceedings of the European Symposium on
Research in Computer Security, (Oslo, 2017).