Exposing The Myth of The Invulnerable Air Gapped System

Updated on: 12 July 2020
Updated on:12 July 2020

Saying that air gapping a system is anything but the most secure and invulnerable way to protect data is bound to burst some bubbles. After all, this is the gospel truth among IT professionals who live in a world of clean, sanitized, statistics that don’t always account for how dirty the real world can be.

The truth is that a corporate or personal data store doesn’t magically transform into an impenetrable fortress as soon as it’s air gapped.

What is air gapping?

If you’re not skipping this section, then you’re either unfamiliar with the term or don’t have anything better to do with your time. In short, an air gapped system is one that does not communicate with the outside world through a network.

Have you ever unplugged your computer from the internet to connect it to a new router or some other piece of networking gear? That system was air gapped the entire time it was disconnected.

A look at corporate air gapping

Often times, a company or individual will have air gapped systems to keep a cache of unadulterated data. Perhaps this is a database backup, a repository of sensitive information about clients, a collection of secret cat videos, et cetera.

The content of the data is not quite as important as why this data has to be stored in a computer completely disconnected from the internet. A good reason to air gap—often the most prevalent—is to protect the data from network intrusion.

A hacker trying to access sensitive data remotely is going to be met with a solid wall of air between himself and the destination of his attack, hence the choice to name this simple method thusly. At least for now, there isn’t a way to hack air…

Or is there?

Elegant solution, meet a simple flaw

Although the idea of air gapping is so simple that even a dog can accidentally execute it by chewing through cables, even the most elegant ideas have flaws that hit them like a train crashing into an oil truck.

While everyone’s laser-focused on James Bond-style vulnerabilities that use cellular communications or even the power lines themselves to transmit data between two air gapped systems, these are generally theoretical scenarios that would still be extremely difficult to apply to modern technology.

It’s absurd for a hacker to engage in a resource-intensive battle against so many points of failure just to get a sophisticated device hooked up that might be able to exfiltrate data without a hitch or corruption. If you want to beat an air gapped system, just find a way through the air.

Even air gapped systems cannot escape a simple truth: Your cybersecurity is only as resilient against attacks as the people you trust to manage it. To put it as succinctly and as abundantly clear as possible, air gapping is vulnerable to people.

The “people” vulnerability is a concept older than cybersecurity, or even computers. Protected ancient texts have been stolen in the past by the protectors themselves. Secrets have accidentally slipped the tongues of naive people.

It’s impossible to “people gap” a system; someone has to set it up, another person collects data from the source system, check it, transfer it, etc. If the thumb drive used for the transfer is infected with a trojan horse, then it’s just as easy—or, in many cases, even easier—to extract that data as if the system were connected to a network anyway.

Perhaps the goal is profit instead of espionage. Then the task for the hacker becomes even more straightforward. Just introduce some ransomware that installs itself quietly into every thumb drive it comes into contact with and you’re set!

All it takes is for one person in this whole chain of command to be compromised and the whole house of cards collapses in on itself. Social engineering is older than computers and it remains, to this day, the most effective way to infiltrate computer-based systems.

The problem with air gapping is that it becomes a sort of safety blanket that people clutch tightly to convince themselves that everything is good in the world and that removing networking equipment from the equation in one single step of a data transfer process is going to vastly reduce the chances of hackers getting what they want.

The intention of this little piece of discourse is to ensure that people avoid falling under that illusion.

What to do now?

Although I’ve just spent a pretty large amount of time doing what essentially can be interpreted as trashing air gapping as a data protection method, it would be misleading to go by that interpretation.

What I’m trying to say here is that it shouldn’t be used as the method to protect your data, but rather an extra step in the process. Air gapping should be only one cog in the machine that protects everything.

In essence, it simplifies and streamlines the process of ensuring that you have a robust system against hackers. However, the rest is up to how you manage the people handling that data.

Every other step in data storage should be set up in such a way that it prevents people from making the fatal mistakes that lead to various other vulnerabilities that can circumvent disconnection from a network. This involves the usual checks for viruses on all connected systems prior to transferring data from them to the air gapped system.

It also involves other preventative measures, such as:

  • Making sure that anyone handling the data is trustworthy, and that everyone has the understanding that only certain individuals can do this
  • Formatting USB thumb drives on a clean system after every transfer
  • Requiring face-to-face meetings to discuss any sensitive data and especially credentials (to prevent social engineering via impersonation), and
  • Restricting the number of individuals managing the air gap transfer

Access management and protections against possible sabotage are among the most key concepts in establishing the sanitized conditions that make air gapping work in the first place. Air is the final link in the chain, not the only one that should be focused on.

To put things as briefly as possible: Don’t let air gapping be the teddy bear you hug at night to sleep well. Be ceaselessly vigilant of security risks and the possibility that the data store may still be vulnerable.

Written by: Miguel Gomez

Connect with him:

Old-school programmer, cybersecurity expert, analyst. Miguel is a corporate consultant who often spends his time educating people and companies on cybersecurity-related subjects and breaking down complex themes into bite-sized and easily-digestible nibblets. He speaks with over 11 years of experience doing market and cybersecurity research, as well as nearly 15 years of experience developing software, behind him.

Leave a Reply

Your email address will not be published. Required fields are marked *