Cyberattacks against air-gapped systems are on the rise. According to the 2022 Honeywell Industrial Cybersecurity USB Threat Report, removable devices such as USB drives and memory cards were responsible for 52% of cyberattacks, which is up from 32% in 2021. The removable disks were used as initial attack vectors to establish remote connectivity, exfiltrate data, and establish command and control. 

While removable media devices remain a go-to attack vector for cybercriminals, researchers have raised concerns as new threats continue to emerge.

Smartphone gyroscopes as a threat vector

  • Israeli researchers have demonstrated a new tactic to exfiltrate data from air-gapped systems using ultrasonic tones and smartphone gyroscopes. 
  • Dubbed GAIROSCOPE, the attack leverages advanced malware installed on the air-gapped system and a smartphone located in proximity to it.
  • The malware installed in the system generates ultrasonic tones detectable by the microelectromechanical system (MEMS) gyroscope that is standard in many smartphones. 
  • This would allow attackers to gather sensitive data, including passwords and encryption keys, and later encode it using frequency-shift keying.  
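
From the defender's side, the channel described above shows up as sustained near-ultrasonic energy that keeps hopping between two tones. The following is an added example, not code from the researchers or the report: it scans audio from a monitoring microphone for that pattern, and the sample rate, watched band, thresholds and test signals are all assumptions constructed for illustration.

```python
import math

RATE = 48_000                         # assumed sample rate of a monitoring microphone
FRAME = 960                           # 20 ms analysis window (50 Hz bin spacing)
WATCHED = range(18_000, 24_000, 500)  # assumed near-ultrasonic band to watch, in Hz

def goertzel_power(frame, freq):
    """Normalised power of a single frequency in one frame (Goertzel algorithm)."""
    coeff = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / len(frame) ** 2

def dominant_tones(samples, threshold=0.01):
    """Per frame: the strongest watched frequency, or None when the band is quiet."""
    tones = []
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        frame = samples[start:start + FRAME]
        power, freq = max((goertzel_power(frame, f), f) for f in WATCHED)
        tones.append(freq if power >= threshold else None)
    return tones

def looks_like_fsk(tones, min_frames=8, min_switches=3):
    """True when ultrasonic energy persists and keeps hopping between exactly two tones."""
    active = [t for t in tones if t is not None]
    switches = sum(1 for a, b in zip(active, active[1:]) if a != b)
    return (len(active) >= min_frames and len(set(active)) == 2
            and switches >= min_switches)

def tone(freq, frames, amplitude=0.5):
    """Constructed test input: a pure sine lasting `frames` analysis windows."""
    n = frames * FRAME
    return [amplitude * math.sin(2 * math.pi * freq * i / RATE) for i in range(n)]

# Constructed samples (not captured data): silence, one steady tone, a two-tone pattern.
SILENCE = [0.0] * (FRAME * 10)
STEADY = tone(19_000, 10)
TWO_TONE = sum((tone(f, 2) for f in
                (19_000, 19_500, 19_500, 19_000, 19_500, 19_000)), [])

if __name__ == "__main__":
    for name, sig in (("silence", SILENCE), ("steady", STEADY), ("two-tone", TWO_TONE)):
        print(name, looks_like_fsk(dominant_tones(sig)))
```

A steady ultrasonic tone (for example from an occupancy sensor) is deliberately not flagged; only persistent switching between two tones is.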

LEDs attached to NIC devices also pose a threat

  • In another attack method demonstrated recently, researchers revealed that the LEDs on the integrated Network Interface Controller (NIC) of air-gapped devices can be exploited to exfiltrate data.
  • The devices include PCs, servers, printers, network cameras, and embedded controllers.
  • Named ETHERLED, the attack scenario involves gaining access to targeted devices via social engineering, malicious insiders, or a supply chain attack. This can allow threat actors to plant malware to collect sensitive data and use a covert channel to exfiltrate it.  
  • To transmit the data, the attacker can use several types of modulation, including on-off keying (OOK), blink frequency, and color modulation. 

USB-borne threats are on the rise

  • USB-borne malware is being leveraged in a large number of cyberattack campaigns against industrial targets.
  • Honeywell noted that USB storage drives can be used to infect systems with malware or compromise sensitive information. Ultimately, this can lead to the compromise of hardware and software used for critical operations.

The bottom line

Air gapping is used widely in military and defense, government agencies, and financial and industrial systems. Therefore, attacks against such devices can be devastating. Restricting data transfer limits can block many of the impending attacks against these devices, whilst preventing attackers from reprogramming the software to an encoding scheme and adding random noise to modulate signals.
Cyware Publisher