How cellphones steal from air-gapped computers

Sensitive data can be leaked from isolated, non-networked computers using radio waves, according to new security research.

airhopper lead image
Credit: Cyber Security Labs at Ben-Gurion University of the Negev

The general consensus is that isolating a computer protects it, and the data contained within it, from leaking.

The idea is that by removing the external network, no one can attack the computer. This technique is referred to as air-gap security.

However, a couple of security experts from the Ben-Gurion University in Israel say they have developed phone-based decoder software that can read key-strokes from a compromised but air-gapped computer.

The mobile phone they use has no mobile network, Bluetooth or Wi-Fi enabled, and can receive the leaked data from up to seven meters away, they say.


They call their method AirHopper. It works by using the mobile phone’s integrated FM radio receiver to pick up radio signals emitted from the screen of the air-gapped, malware-loaded computer.

Many phones have FM radio receivers hidden away in them. They are considered a public safety tool—something goes down and the phone owner can listen to a news broadcast. So, even if you don’t use FM receiver, or even know it’s there, that receiver isn't likely going away anytime soon. It's there.

Computer screens, along with other computer parts, like keyboards, can emit electro-magnetic signals, or radio waves. Some government agencies use hardened keyboards for this very reason, as is pointed out by Aqua man, in a comment on the university’s project webpage. Indeed, the school’s website, at Cyber Security Labs at Ben-Gurion University of the Negev, has attracted some interesting comments:

Ben P. says the problem isn’t new and calls it a passive EM, or electro-magnetic, attack on a cellphone with FM hardware.


In AirHopper’s case, the researchers say that binary and textual data is extracted from a physically isolated computer with “hostile code” on it to phones located between one and seven meters away.

Bandwidth is 13-60 bytes per second. Slow, but enough to steal lines of text, like a password, they say.

Roughly speaking, the hack is dependent on the pixel clock, which is the frequency at which pixels are sent from the video card to the screen.


Commenter Ben P. says a solution to this awkward problem is to put all the computers in a “SCIF-like room” with soundproofing, including ultrasound; filters on the cables; and passive and active EMSEC, or emission security, shielding.

SCIF, or Sensitive Compartmentalized Information Facility, is a special, secure enclosed area.

He says users should then use TEMPEST-like clients to connect. TEMPEST is an NSA and NATO certification for this kind of thing, and addresses unintentional radio leaks.


Researchers Mordechai Guri and Professor Yuval Elovici, along with Dudu Mimran, CTO of the university’s cyber security labs, presented their findings and resulting software at MALCON 2014, the IEEE’s International Conference on Malicious and Unwanted Software, in order to start a discussion on how to mitigate the risk for this kind of siphon.

Collecting cellphones

Ben P., in his post, adds that he thinks cellphones should be collected at the door, as is indeed common in some secure locations.

My humble advice would be that even if the organization collects phones before visitors or workers enter the secure facility, just make sure, for now at least, that the depository is over seven meters from the computers. Another argument against BYOD, perhaps?

This article is published as part of the IDG Contributor Network. Want to Join?

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: 10 new UI features coming to Windows 10