In networking an air gap (also known as an air wall) is a security measure in which computers, computer systems, or networks are not connected in any way to any other devices or networks. Air gaps mean total isolation for a given system (electromagnetically, electronically, and physically) from other networks, especially those that may not be secure.
The typical configuration of an air gap is a "sneakernet," so named because a person has to walk to the system and connect a means of data transfer. The idea is that to breach an air-gapped computer, someone has to "cross the air gap" and physically access the system, transferring data through a physical device (e.g. USB stick, external hard drive, or other removable media).
Air gaps serve two primary security use cases:
- They defend against intrusion into a network or system.
- They protect digital assets from being destroyed, accessed, or manipulated.
While these two goals often overlap, they are distinct. For example, storing physical backup tapes protects data from unauthorized access; there is no system to compromise. Data backup is a use case in which an air gap can be advantageous. If systems are compromised or destroyed, data can be restored from physically separated backups that have been kept safe in an air-gapped environment.
The phrase "air gap" is used loosely. While a computer not connected to the internet could be considered an air-gapped system, a true air-gapped computer also requires physical isolation, meaning data can only be passed to it physically. Some vendors market a network or computer as air-gapped when it is only separated by a software firewall.
Typical advantages of an air gap include the following:
- preventing data destruction or leakage caused by power fluctuations
- protecting the system from malware, keyloggers, ransomware, or other unwanted access circulating on the internet
- securing files and information from hackers, thieves, or spies thanks to the lack of connectivity
It is important to consider that an air-gapped system is not 100% safe from malicious actors. Users may choose to implement additional security precautions:
- banning local wireless communications completely
- placing the system/device in a Faraday cage to block wireless transmissions and prevent electromagnetic (EM) leakage
- protecting the system from other attack vectors, such as optical, thermal, or acoustic
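The precautions above, and the point made later that a server is only air-gapped if nothing is plugged into it, are the kind of claims an operator should verify on the host rather than take on trust. The following is an added example, not code from the article: a Python audit that parses the output of `ip -o link show` and `rfkill list` (two standard Linux tools) and reports anything inconsistent with an air-gap baseline: a non-loopback interface that is administratively up or has a carrier, an interface whose name suggests Wi-Fi/WWAN hardware, or any radio at all reported by rfkill. The command outputs below are constructed samples, and the name-prefix heuristic (`wl*`, `ww*`) is an assumption about the usual kernel naming scheme.

```python
import re

# Regexes for the two command outputs an operator would collect on the host.
# 'ip -o link show' prints one interface per line; 'rfkill list' prints one
# three-line block per radio. Both formats follow the tools' normal output and
# are not taken from the article.
IP_LINK_RE = re.compile(
    r"^\d+:\s+(?P<name>[^:@\s]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>.*?\bstate\s+(?P<state>\S+)",
    re.M,
)
RFKILL_RE = re.compile(
    r"^\d+:\s+(?P<name>\S+):\s+(?P<type>.+?)\n\s*Soft blocked:\s+(?P<soft>yes|no)"
    r"\n\s*Hard blocked:\s+(?P<hard>yes|no)",
    re.M,
)


def audit_air_gap(ip_link_output: str, rfkill_output: str) -> list[str]:
    """Return a list of findings. An empty list means the host matches the
    air-gap baseline: no non-loopback interface up or carrying a link, no
    interface that looks like a radio, and no radio reported by rfkill."""
    findings = []
    for m in IP_LINK_RE.finditer(ip_link_output):
        name, state = m.group("name"), m.group("state")
        flags = set(m.group("flags").split(","))
        if "LOOPBACK" in flags:
            continue  # lo never leaves the host
        if "UP" in flags or state != "DOWN":
            findings.append(f"{name}: administratively up (state {state})")
        if "LOWER_UP" in flags:
            findings.append(f"{name}: carrier present, a cable or radio link is attached")
        if name.startswith(("wl", "ww")):  # wlan*/wlp*/wwan* naming (assumed heuristic)
            findings.append(f"{name}: name suggests Wi-Fi/WWAN hardware, which should be absent")
    for m in RFKILL_RE.finditer(rfkill_output):
        # Any radio is a finding: the baseline is no wireless hardware at all,
        # not merely blocked hardware.
        findings.append(
            f"{m.group('name')}: {m.group('type')} radio present "
            f"(soft blocked: {m.group('soft')}, hard blocked: {m.group('hard')})"
        )
    return findings


# Constructed sample: a host with a dead wired port, a live Wi-Fi card and Bluetooth.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp3s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000\\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
3: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DORMANT group default qlen 1000\\    link/ether 52:54:00:ab:cd:ef brd ff:ff:ff:ff:ff:ff
"""
SAMPLE_RFKILL = """\
0: phy0: Wireless LAN
\tSoft blocked: no
\tHard blocked: no
1: hci0: Bluetooth
\tSoft blocked: yes
\tHard blocked: no
"""

# Constructed sample of a host that passes: loopback plus one unplugged wired port, no radios.
CLEAN_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp3s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000\\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
"""
CLEAN_RFKILL = ""


if __name__ == "__main__":
    for label, ip_out, rf_out in (("sample", SAMPLE_IP_LINK, SAMPLE_RFKILL),
                                  ("clean", CLEAN_IP_LINK, CLEAN_RFKILL)):
        result = audit_air_gap(ip_out, rf_out)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for line in result:
            print("  -", line)
```

On a real host the two strings would come from `subprocess.run(["ip", "-o", "link", "show"], ...)` and `subprocess.run(["rfkill", "list"], ...)`. The check is deliberately strict about rfkill: a soft-blocked radio can be unblocked by software, so a host that is meant to be air-gapped should have the radio removed or hard-blocked, and the audit reports it either way.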
There are a number of downsides to air gaps:
- They are not 100% immune to attack.
- They are often expensive to implement and operate.
- They are difficult to manage and maintain.
- It is hard to scale air-gapped networks.
- It is slow to recover large volumes of data.
- The internal threat of compromised credentials remains.
While much traditional electronic equipment (thermostats, home appliances, etc.) has been air-gapped simply because of its inherent limits, with the spread of IoT and "smart" devices, much of it is now being connected to the internet and is no longer air-gapped.
The name "air gap" comes from the conceptual air gap that exists due to physical separation. Air gaps exist in other fields:
- building codes mandate an air gap between sources of water and drains
- electrical engineering requires a space between moving parts in an electric motor
While there are many variations and implementations of an air-gapped system, there are three main types:
- physical air gap
- logical air gap
- segregated in the same environment
A total physical air gap involves completely isolating digital assets and locking them in a physical environment separate from any network-connected systems. Physically air-gapping a digital asset means it has no network connections, and accessing it means physically going to it and usually involves going through real-life security procedures. Making backup tapes and taking them off-site for safekeeping is an example of a physical air gap.
Logical air gaps refer to segregating and protecting a network-connected digital asset through logical processes, such as encryption and hashing, as well as role-based access controls. A logical air gap means even if a malicious actor accesses a digital asset, they cannot understand, steal, or modify it. A logical air gap creates immutable data that cannot be overwritten or deleted.
Disconnecting a device from a network, or keeping it segregated within the same environment, can be considered a simple implementation of an air gap. Two servers in the same rack are air-gapped from one another if one of them is not plugged into the network.
Air-gapped networks and computers are used for maximum security when the protection of a system or the data stored in it must be ensured. Examples include the following:
- military systems and networks
- government systems and networks
- financial systems and networks
- industrial control systems (e.g. SCADA)
- nuclear power plant systems
- aviation computers (e.g. FADECs, avionics)
- computerized medical equipment
Security policies in these types of organizations may mandate the use of air gaps. Other examples include journalists working with sensitive information.
With the growing threat of cybercrime, air gaps are moving from top-secret data and life-critical networks into the mainstream enterprise. The cost and difficulty of implementing air-gapped networks to store data backups mean they are typically a last resort, used to augment existing backup, recovery, and disaster recovery strategies.
It is still possible to breach an air-gapped system. There are a number of possible channels for a breach:
- human intermediary
- storage devices containing malware
- electromagnetic
- acoustic
- thermal
- optical
A human intermediary means using someone with access to knowingly or unknowingly breach the network. It is also possible to infect storage devices (e.g. USB drives) with malware that spreads into the air-gapped system once the device is plugged in. A famous example of this is Stuxnet, a worm designed to sabotage centrifuges at a uranium enrichment plant in Iran. Outside contractors were targeted and became unwitting carriers of the malware when they brought laptops to the plant and transferred data to the air-gapped systems using a USB drive.
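The sneakernet transfer described at the start of the article and the infected-media channel described here share a defensive control: the receiving side of the gap should accept only the exact set of files that was staged on the sending side, and nothing the media picked up in between. The following is an added example, not code from the article: a Python manifest check that hashes the staged payload with SHA-256, then compares the media's contents against that manifest and reports files that are missing, unexpected (present on the media but never staged) or modified. The directory layout, file names and the manifest file name `MANIFEST.sha256.json` are constructed for the demo.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256.json"  # assumed name; the manifest describes the payload


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if rel == MANIFEST_NAME:
            continue  # the manifest is metadata, not part of the payload
        manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(expected: dict[str, str], actual: dict[str, str]) -> dict[str, list[str]]:
    """Pure comparison of two manifests; verify_media builds on it."""
    exp, act = set(expected), set(actual)
    return {
        "missing": sorted(exp - act),                      # staged but absent from the media
        "unexpected": sorted(act - exp),                   # on the media but never staged
        "modified": sorted(n for n in exp & act if expected[n] != actual[n]),
    }


def verify_media(media_root: Path, expected: dict[str, str]) -> dict[str, list[str]]:
    """Hash the media as found on the receiving side and compare with the staged manifest."""
    return diff_manifests(expected, build_manifest(media_root))


def media_is_clean(findings: dict[str, list[str]]) -> bool:
    """True only when every category of finding is empty."""
    return not any(findings.values())


def demo() -> dict[str, list[str]]:
    """Constructed scenario: stage two files, write the manifest, copy to 'media',
    then tamper with the copy (one file altered, one unlisted file added)."""
    with tempfile.TemporaryDirectory() as tmp:
        staging = Path(tmp) / "staging"
        (staging / "sub").mkdir(parents=True)
        (staging / "a.txt").write_text("hello\n")
        (staging / "sub" / "b.bin").write_bytes(b"\x00\x01\x02")
        manifest = build_manifest(staging)
        (staging / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))

        media = Path(tmp) / "media"
        shutil.copytree(staging, media)
        (media / "a.txt").write_text("hello!\n")     # altered after staging
        (media / "setup.exe").write_bytes(b"MZ...")   # file nobody staged (constructed)

        expected = json.loads((media / MANIFEST_NAME).read_text())
        return verify_media(media, expected)


if __name__ == "__main__":
    result = demo()
    print("clean" if media_is_clean(result) else "REJECT media")
    for category, names in result.items():
        for name in names:
            print(f"  {category}: {name}")
```

In the demo the manifest is read from the media itself, which is only acceptable for illustration: whoever can alter the media can also rewrite a manifest stored on it. In practice the manifest should reach the receiving side by a separate path (printed, dictated, or carried on different media) or be signed with a key the receiving side already trusts, so that the comparison has an anchor outside the untrusted device.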
Electromagnetic channels include eavesdropping on electromagnetic radiation from the computer’s memory bus and monitoring leakage from USB ports and cables. Electromagnetic channels have been widely studied, and shielding has become a common defensive measure.
It is possible to siphon data through radio signals even when Bluetooth is disabled. Researchers in Israel have demonstrated a technique for extracting data from an air-gapped machine using radio frequency signals and a nearby mobile phone. In the proof of concept, radio signals generated and transmitted by an infected machine's video card carried passwords and other data over the air to the FM radio receiver in a mobile phone.
In many high-security environments, mobile phones are not allowed in the vicinity of the most critical systems.
Acoustic channels are a possible attack vector because of the proliferation of hackable smartphones capable of picking up audio signals that the human ear cannot distinguish from background noise. The most cutting-edge area involves ultrasonic sound waves, whose higher frequencies are both inaudible and provide greater bandwidth.
Thermal attacks on air-gapped systems, more theoretical than practical, have been demonstrated, but only at low bandwidth, measured in the low tens of bits per second over a very short distance. It is unclear whether thermal attacks are a practical threat against air gaps.
A more recently exploited channel is optical transmission, made possible by the widespread availability of easily hacked surveillance cameras. On almost every system, such cameras include LEDs and can transmit substantial amounts of information.