Air-Gap Covert Channels

Abstract

A fresh perspective on covert channels is presented in this work. A new class, air-gap covert channels, is defined as an unintentional communication channel established between systems that are physically and electronically isolated from one another. A specific class of air-gap covert channel is studied in depth, out-of-band covert channels (OOB-CCs), which are defined as policy-breaking communication channels established between isolated, physically unmodified systems. It is shown that OOB-CCs can be categorized by the physical channel that they communicate over: acoustic, light, seismic, magnetic, thermal, and radio-frequency, and the hardware that is required at the transmitter and receiver to make covert communication possible. In general, OOB-CCs are not as high-bandwidth as conventional radio-frequency channels; however, they are capable of leaking sensitive information that requires low data rates to communicate (e.g., text, recorded audio, cryptographic key material). The ability for malware to communicate information using a specific type of OOB-CC, the covert-acoustic channel, is also analyzed. It is empirically demonstrated that using physically unmodified, commodity systems (e.g., laptops, desktops, and mobile devices), covert-acoustic channels can be used to communicate at data rates of hundreds of bits per second, without being detected by humans in the environment, and data rates of thousands of bits per second when nobody is around to hear the communication. Defence mechanisms to counter covert-acoustic channels are also proposed and evaluated, and, as a result, best practices for the designers of secure systems and secure facilities are presented. Additionally, the covertness of OOB-CCs, i.e., the amount of data that can be leaked before the channel is detected, is also determined for classical communication channels as well as for covert-acoustic channels.