December 02, 2013

The Air Gap That Isn't

Basic Assumptions At Risk

(This post migrated from my Medium trial).

In the field of computer security, “air gap” often refers to an impenetrable wall of guaranteed protection between 2 computers. For example, imagine a computer lab with 2 computers and no networking capability. No ethernet. No Wifi. No Bluetooth. Isolated from the world and each other. This lack of connectivity (wires or RF) is referred to as an air gap. Although 100% inconvenient, air gaps have always been the security experts’ solution to 100% secure. Got something you absolutely can’t afford to lose or compromise? Air gap it.

Sneaker Net

So how do you transfer files between gapped computers? At one time, the answer was the simple floppy disk. Today, we use the same solution, but the floppy disk has become more convenient with dramatically increased storage space (USB, Firewire, etc). The security of the sneaker net approach depends on the assumption that the “courier” media is completely passive in the process. Just a container of data.

The Brain

Of course, malware starts with such flawed assumptions. The Brain virus (and many others like it) attached itself to the boot sector of floppy disks. Such viruses could remain invisible on the disk, hide executable code on the disk, and spread themselves onto other computer systems and/or disks. So much for the safe air gap! It took years to discover these “unthinkable” threats, and it took even longer to effectively battle them.

The USB Jump

Today, the headlines are telling us about the ultimate air gap compromise on the International Space Station. This time, it appears the famous Stuxnet worm made its way onto ISS via a cosmonaut’s thumb drive. This seems unthinkable.

Yet the unthinkable happens. All the time.

The BIOS Jump

The ISS story is almost silly because we all know how it could have been prevented. We all know the assumptions for security have evolved. An air gap itself is not enough, but a sterilized air gap is enough (right?). Naturally, thumb drives can be allowed on ISS if they are brand new. In the shrink wrap. Price tag and all.

We trust our vendors. And the industry behind them. And the regulatory climate behind them. We have an “air gap” expectation that our interests are well-served here.

There’s a fun mystery floating around the web these days. I don’t know what to make of it, but I’ll be watching it. Check it out and see what it does to your air gap theories…

Gapping Your Life

Despite the fact that history is pretty brutal to air gaps, we still find security in them — not only in the world of computers, but in all areas of life. Yet we live in an age where technical gap breaches can represent major life breaches.


security privacy