

Exfiltrating Data From Air-Gapped Systems


Did you know? "Air-gapped" refers to a computer system or network segment physically isolated from other networks and the internet, to prevent data from being transferred electronically to any other device. Air-gapping is typically used for data that requires the highest degree of security against unauthorized access.

Air-gapping is most often used in military, government, and financial organizations to protect against breaches of sensitive data, and may also be used to protect essential backups from the worst IT security threats such as ransomware and natural disasters.

However, several fascinating high-tech methods of exfiltrating data from air-gapped systems exist, and IT security architects should be aware of them when designing security controls for those systems.

Known as "covert channels", these techniques beg the question: is any data 100% safe? Let's explore:

Methods of Exfiltrating Data From an Air-Gapped System

A "covert channel" is an attack that hijacks a legitimate process, function, or feature of a device to enable an unauthorized data transfer. There have been numerous research studies that have successfully identified new covert channels for hacking air-gapped devices. Here are some highlights of those studies that can enlighten security architects about potential ways to exfiltrate data from an air-gapped system:

  • Audio signals: Researchers have developed a proof-of-concept attack named CASPER that can steal data from air-gapped systems at a rate of 20 bits/sec by hijacking the target's speakers to send data in Morse code to a nearby smartphone that interprets the signal.

  • Monitor flicker: The study "VisiSploit: An Optical Covert-Channel to Leak Data through an Air-Gap" provides an example of using very low contrast LCD display flickering, invisible to the human eye, to exfiltrate data from air-gapped systems.

  • Radio frequencies: Radio waves emitted by a computer's video card were effectively decoded by a mobile phone's FM radio receiver. The proof-of-concept attack was named Airhopper. Another example is the SATAn attack, which turns SATA cables into a WiFi antenna and generates electromagnetic radio waves that can travel up to 1.2 meters and be captured by a listening device. A Flipper Zero is an interesting new hacking tool that could be used to receive radio frequency data that's transmitted using the Airhopper or SATAn techniques.

  • Thermal signature: A technique named BitWhisper proposed a new method for exfiltrating data from air-gapped systems, which involves using heat generated by one computer to transmit data to another nearby computer using a thermal imaging camera.

  • LED flicker: ETHERLED is a proof-of-concept attack that used an Ethernet port's LEDs to transmit data encoded as base64 using Morse code. The ETHERLED technique could effectively use smartphone cameras, drones, and surveillance cameras to capture data from up to 50m away, and telescopes or superzoom cameras to transmit data 100 meters away.

Getting Malware Onto an Air-Gapped System

So, how might an attacker get malware onto an air-gapped system, and what other kinds of attacks might be useful against an air-gapped system? The most common initial access attacks are infeasible against air-gapped systems. 

For example, email-based phishing, the initial attack vector in 70% of cyber-breaches, won't work since air-gapped systems don't receive email. Air-gapped systems also can't be exploited through stolen passwords or vulnerabilities on exposed services, because they don't have any, which removes another 15% of the attacks that are used to gain initial access. Here are some ways to attack air-gapped systems:

  • Removable USB drive: A removable USB drive is a simple way to get data onto an air-gapped system, including malware that could enable some of the exfiltration techniques above. It's a wise idea to block access for USB removable storage devices if at all possible.

  • Keyboard emulators: An air-gapped system still needs a keyboard, right? Keyboard emulators such as the USB Rubber Ducky or the Flipper Zero could allow an attacker to get malware onto an air-gapped system by simply typing out the malware script into a text editor. A keyboard emulator can send keystrokes at speeds ranging up to several thousand keystrokes per minute. Your best defense here is to ensure that air-gapped systems don't have a C compiler or scripting languages such as Python or Perl installed.

  • USB keystroke logger: A USB keystroke logger is a small device that could fit right between a USB keyboard and the computer, capturing all the transmitted keystrokes.  This attack could be enough to capture a username and password of an administrator to allow an attacker to log in to an account that's not theirs or see if the password is reused on the owner's other accounts.

  • Mouse jiggler: A mouse jiggler is a tiny device that sends a small undetectable mouse movement signal to a computer. These devices are commonly used by law enforcement during a bust to prevent a screen lock from activating on a desktop or mobile device. Someone who casually walks away from the computer expecting their screen lock to start and block access would be mistakenly leaving their log-in session wide open.
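The keystroke rate mentioned in the keyboard-emulator item above is itself a detection signal. The following is an added example, not part of the original article: it flags sustained keystroke bursts that are too fast for a human typist. The event format `(timestamp_seconds, device_id)`, the device names, and both thresholds are assumptions chosen for illustration, and the sample data is constructed.

```python
from dataclasses import dataclass


@dataclass
class Burst:
    device: str        # device identifier taken from the event log
    start: float       # timestamp of the first keystroke in the burst
    keys: int          # number of keystrokes in the burst
    keys_per_min: int  # sustained rate over the burst


def find_injection_bursts(events, max_gap=0.025, min_keys=20):
    """Return bursts where one device sent at least min_keys keystrokes
    with every inter-key gap <= max_gap seconds (assumed thresholds)."""
    by_device = {}
    for ts, dev in events:
        by_device.setdefault(dev, []).append(ts)

    bursts = []
    for dev, stamps in by_device.items():
        stamps.sort()
        run_start = 0
        for i in range(1, len(stamps) + 1):
            # A run ends at the end of the data or at the first slow gap.
            if i == len(stamps) or stamps[i] - stamps[i - 1] > max_gap:
                n = i - run_start
                duration = stamps[i - 1] - stamps[run_start]
                if n >= min_keys and duration > 0:
                    rate = round((n - 1) / duration * 60)
                    bursts.append(Burst(dev, stamps[run_start], n, rate))
                run_start = i
    return bursts


def sample_events():
    """Constructed data: a human typist (with brief fast key pairs that
    must not trigger an alert) and a device typing 200 keys 10 ms apart."""
    events, t = [], 0.0
    gaps = [0.09, 0.15, 0.21, 0.02, 0.02, 0.12]
    for k in range(60):
        events.append((t, "kbd-builtin"))
        t += gaps[k % len(gaps)]
    events += [(30.0 + k * 0.01, "usb-hid-new") for k in range(200)]
    return events


if __name__ == "__main__":
    for burst in find_injection_bursts(sample_events()):
        print(burst)
```

Requiring a sustained run rather than a single fast gap keeps ordinary fast key pairs from a human typist below the alert threshold.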


Air-gapped systems are a security architect's extreme method in the face of vulnerabilities that could exploit exposed services on systems with highly sensitive data.  However, they don't provide bulletproof security. 

Known "covert channel" attacks can still allow exfiltration of data from an air-gapped system. They are scientifically fascinating, and they should keep CISOs up at night. While there are additional security measures that can be applied to protect data on an air-gapped system from theft via covert channels, the number of potentially viable attacks shows that good old-fashioned trust still plays a critical role in high-stakes IT security scenarios.
