Elkins’ purpose was not to break any existing product, but to stimulate educational follow-up research. Though this research project takes a practical approach and promotes transparency, it is also a laboratory-confined proof of concept. That in our case has no impact on Fox DataDiode’s for the simple reason of how we developed and continue to build the Fox DataDiode since 2006. In other words our Fox DataDiode customers are protected as long as normal security target procedures are observed.
What was exactly researched?
The research project doesn’t necessarily aim to target a data diode hardware unit, but instead attempts to create a side channel using other computer systems around a data diode device. This project operates by installing and running specifically crafted malware on computers in both networks connected to a data diode.
In order to successfully create and use the side channel method as proposed by the research project, all of the following requirements must be met:
- Malware must be installed on computers in the networks on both sides of the data diode.
- The malware must be run on the compromised computers.
- The compromised computers must be in relative close proximity of each other.
- The compromised computers must not have electromagnetic shielding.
- The compromised computers must employ electrical conductor wired cables connected to a modulating interface that can be used as antennas by the malware.
Detailed analysis of the requirements
Data diode systems are deployed in environments with high security and sensitivity, and as such, always go hand in hand with a combination of other digital as well as physical security measures. Because, what good is a data diode when there are wireless connections in place? Or what good is a data diode when there is no physical access restriction to the site, allowing for sabotage? As explained in the Common Criteria security target documentation for the Fox DataDiode, there should be measures in place that effectively eliminate the applicability of the proposed bypass attack. Let’s take a closer look at the five requirements of the bypass research project that must all be met in order for it to succeed, and why it is highly infeasible to effectively leverage the attack method. (This analysis is written with the Fox DataDiode solution in mind at the heart of the air gap under attack.)
Requirement #1: Malware must be installed on computers in the networks on both sides of the data diode
Analysis: at the time of writing, there is no known method that allows malware to transport and install itself on a computer that is located on the other side of the Fox DataDiode. The only way to do so would be over an existing (illegal) bypass, meaning the network is physically compromised already. And that implies either sabotage or extreme carelessness and negligence.
Requirement #2: The malware must be run on the compromised computers
Analysis: Installing malware on a computer does not necessarily imply that the malware is run. Malware normally requires a method of transport onto a target computer, and then it must be run on that computer. Either by automated means such as exploiting a remote vulnerability, or by tricking a human into executing it. If it were successfully transported, but never executed, the data diode bypass will not be operational. Until now, exploiting a remote vulnerability has proven impossible through a Fox DataDiode system. So that leaves the human factor as the only method for activating the malware, which emphasizes the sabotage/carelessness/negligence scenario.
Requirement #3: The compromised computers must be in relative close proximity of each other
Analysis: The researcher indicated that the two compromised computers must be located in close proximity to each other. Even ideally integrated in one single enclosure, which is exactly what some of our competitors do. A full Fox DataDiode system on the other hand, consists of three separate hardware units residing in different security zones, interconnected with optical fiber cables. This combination reduces the practical applicability of the proposed bypass against a Fox DataDiode system even further.
Requirement #4: The compromised computers must not have electromagnetic shielding
Analysis: When the radio antennas are located inside the computer enclosure (which is typically where the main board would be, with all the wiring connecting up any internal peripherals such as the proposed analog-digital convertors or other digital I/O pin out). Any applied shielding such as TEMPEST will render the proposed bypass ineffective. Fox DataDiode customers that expect highly advanced remote radio eavesdrop attacks can have their DataDiode system TEMPEST shielded.
Requirement #5: The compromised computers must employ electrical conductor wired cables connected to a modulating interface that can be used as antennas by the malware
Analysis: When the targeted modulation hardware is either not present, not of a compatible type, or not connected with a properly dimensioned electrical wire, the bypass will simply not work.
The proposed research project demonstrates that attackers with physical access (or existing bypasses) and exact hardware requirements can create a radio connection to cross a very small air gap. Given the rather extreme requirements for success, proper Fox DataDiode deployments are unaffected. The only way to make the research project work in production deployments, is by sabotage or extreme carelessness. The research project serves to raise qualitative discussion on this topic. And it is a good heads-up for those organizations that operate data diode systems, stimulating them to reassess their physical environment.