A team of researchers in Israel showed they could use a feature phone (i.e. predecessor to the smart phone) to capture data through the electromagnetic waves generated from a desktop computer. As reported in by Kim Zetter in Wired, the implication is that “air-gapping”— the separation of networks from the Internet—may not be sufficient as a means to protect data, even in environments where smart phones are not allowed.
Once the targeted computer and mobile phone have the researcher’s malware installed on them, the malware “forces the computer’s memory bus to act as an antenna and transmit data wirelessly to a phone over cellular frequencies,” Zetter reports. “Though the attack permits only a small amount of data to be extracted to a nearby phone, it’s enough to allow to exfiltrate passwords or even encryption keys in a minute or two, depending on the length of the password.”
The finding also may mean that defense companies and organizations that require high levels of security have to “change their security guidelines and prohibit employees and visitors from bringing devices capable of intercepting RF signals,” says Yuval Elovici, director of the Cyber Security Research Center at Ben-Gurion University of the Negev.
Below is a video demonstrating this “air-gap hack”.
Photo Credit: Chris Favero, Air-Gapped R&D Computers