How researchers hacked a computer that wasn’t connected to the Internet

Most modern hacking attacks follow a similar pattern: an attacker discovers a computer or Internet database that isn’t well-protected, and finds a way to gain access to information stored there. Maybe the attacker gains access by using stolen credentials, as was the case in 2014 when millions of credit card records were stolen from Target. Or maybe a device connected to the Internet, such as a baby monitor, sends out unencrypted communications or has an easy-to-guess default password.

To protect against these kinds of hacks, important computer networks such as military servers and power plant control systems are often isolated from the public Internet, and from other systems that are connected to the Internet.

This separation, known as an “air gap,” means that the network cannot be accessed by remote attackers. Data can only be removed from the secure network if someone with physical access to the server copies information onto a USB drive or other medium.

But even air-gapped networks can be infiltrated. In 2010, the Stuxnet worm targeted the software controlling nuclear centrifuges in Iran by infecting the USB drives used to access industrial networks. And this month, researchers at Tel Aviv University and Technion Research and Development in Israel reported that they were able to steal information off a computer that was sitting, disconnected from the Internet, in a different room from the attacker.

Even when a computer isn’t connected from the Internet, it still leaks electromagnetic radiation – radio waves – as it operates. The Tel Aviv researchers were able to measure those emanations using an antenna and an amplifier, and use the information to extract a cryptographic key from the target computer. The attack allowed the researchers “to extract the whole secret key by monitoring the target’s electromagnetic (EM) field for just a few seconds,” the team wrote in a recently published paper.

But this doesn’t mean that hackers can now simply pull data from devices that are turned off or otherwise disconnected from public networks. The air-gap attack performed by the researchers requires lab equipment that costs about $3,000, reports Motherboard, and the researchers still had to get within a few meters of the target computer. But the research shows that even if software vulnerabilities are patched, there may be other ways for attackers to gain access to a system.

This is important for government, military, and financial computer networks, portions of which are often air-gapped, to protect sensitive information from being reachable by, or even visible to, hackers. It also affects cars that can be unlocked by pressing a button on a key fob: those wireless communications are separate from the Internet, but criminals may still be able to capture them to gain access to the car.

To better protect air-gapped networks from attacks, policy makers may require limits on how much electromagnetic leakage is acceptable from a particular system. The National Security Agency’s TEMPEST specification, for example, outlines how much shielding must be placed in devices and even how far apart wires carrying classified data must be placed from wires carrying unclassified data. Other specifications limit variations in a computer’s power consumption and even the noise produced by typing, so as not to disclose any information about the system.