An air-gapped computer is the most secure way of storing sensitive data; a PC that has no internet connection and no removable storage or disk drives cannot be compromised by hackers or government surveillance, in theory. Well, it’s time to say goodbye to that theory, as not only have Israeli researchers managed to remotely hack into an air-gapped computer, but they did it with a nine-year-old mobile phone that has no GPRS, Wi-Fi, or mobile data capabilities.
The researchers warn that their findings should prompt companies attempting to protect data via air-gapped systems to “change their security guidelines and prohibit employees and visitors from bringing devices capable of intercepting RF signals,” according to Yuval Elovici, director of the Cyber Security Research Center at Ben-Gurion University of the Negev.
Since smartphones are often restricted in areas that house air-gapped computers, the researchers from the Cyber Security Center chose to use an old mobile phone that could bypass any security restrictions.
“[U]nlike some other recent work in this field, [this attack] exploits components that are virtually guaranteed to be present on any desktop/server computer and cellular phone,” the researchers note in their paper.
The phone used, a Motorola C123, runs on a Calypso baseband chip from Texas Instruments and supports 2G communication, but has none of the more advanced networking capabilities of modern smartphones. Data was grabbed from air-gapped computers running Microsoft Windows, Linux, and Ubuntu at a rate of 1-2 bps, allowing the researchers to obtain 256-bit encryption keys from the system via radio frequencies.
“This is not a scenario where you can leak out megabytes of documents, but today sensitive data is usually locked down by smaller amounts of data,” Dudu Mimran, CTO of the Cyber Security Research Center, said. “So if you can get the RSA private key, you’re breaking a lot of things.”
Thank you Wired for providing us with this information.